350-201 Question #60: Real Exam Question with Answer & Explanation
The correct answer is A: Determine the systems involved and deploy available patches. The recovery stage of incident response focuses on restoring affected systems to a secure operational state, primarily through patching and system validation.
Question
A threat actor used a phishing email to deliver a file with an embedded macro. The file was opened, and a remote code execution attack occurred in a company's infrastructure. Which steps should an engineer take at the recovery stage?
Options
- A. Determine the systems involved and deploy available patches
- B. Analyze event logs and restrict network access
- C. Review access lists and require users to increase password complexity
- D. Identify the attack vector and update the IDS signature list
Explanation
The recovery stage of incident response focuses on returning affected systems to a secure operational state. In this scenario that means determining which systems the macro-delivered remote code execution reached, deploying the available patches to them, and validating that they are clean before restoring them to normal operation.
Common mistakes.
- B. Analyzing event logs and restricting network access are detection and containment activities that occur earlier in the incident response lifecycle, not during recovery.
- C. Reviewing access lists and requiring password complexity changes are post-incident hardening actions belonging to the lessons-learned phase, not the recovery phase.
- D. Identifying the attack vector and updating IDS signatures are analysis and improvement steps belonging to the detection and post-incident phases, not the recovery phase.
Concept tested. Incident response recovery phase procedures
Reference. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf