nerdexam
(ISC)2

CISSP-ISSAP · Question #181

You work as an Incident handler in Mariotrixt.Inc. You have followed the Incident handling process to handle the events and incidents. You identify Denial of Service attack (DOS) from a network linked

The correct answer is A. Containment. Containment (A) is correct because the scenario states the DoS attack has already been identified, meaning the Identification phase is complete. The next logical step in the incident handling lifecycle is to contain the threat - limiting its spread and minimizing damage to the en

Security Operations Architecture

Question

You work as an Incident handler in Mariotrixt.Inc. You have followed the Incident handling process to handle the events and incidents. You identify Denial of Service attack (DOS) from a network linked to your internal enterprise network. Which of the following phases of the Incident handling process should you follow next to handle this incident?

Options

  • AContainment
  • BPreparation
  • CRecovery
  • DIdentification

How the community answered

(49 responses)
  • A
    84% (41)
  • B
    2% (1)
  • C
    10% (5)
  • D
    4% (2)

Explanation

Containment (A) is correct because the scenario states the DoS attack has already been identified, meaning the Identification phase is complete. The next logical step in the incident handling lifecycle is to contain the threat - limiting its spread and minimizing damage to the enterprise network before eradication and recovery begin.

Why the distractors are wrong:

  • B. Preparation is the first phase, completed before any incident occurs - it covers policies, tools, and training. You don't return to it mid-incident.
  • C. Recovery comes after Containment and Eradication; restoring systems before containing the attack would be futile and dangerous.
  • D. Identification is already done - the question explicitly states the DoS attack has been identified, so revisiting this phase would be going backwards.

Memory tip: Use the acronym PICERL - Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned. Whenever a question tells you an incident has been identified, your answer will almost always be the next letter: Containment.

Topics

#Incident Handling#DOS Attack#Containment#Incident Response

Community Discussion

No community discussion yet for this question.

Full CISSP-ISSAP Practice