GIAC
GCFA · Question #25
GCFA Question #25: Real Exam Question with Answer & Explanation
The correct answer is D. Containment. Adam has finished identification and is now isolating the affected network segment and preserving volatile evidence ahead of imaging, which are containment activities.
Question
Adam works as an Incident Handler for Umbrella Inc. He is informed by senior management that a server in the marketing department has been compromised by a malicious hacking attack. Supervisors also claim that some sensitive data have been stolen. Adam immediately went to the marketing department's server room and identified the event as an incident. He isolated the infected network segment from the rest of the network and started preparing to image the entire system. He captured volatile data such as running processes, RAM contents, and network connections. Which of the following steps of the incident handling process is Adam performing?
Options
- A. Recovery
- B. Eradication
- C. Identification
- D. Containment
Explanation
Adam has already completed identification: he confirmed the event as an incident. In the six-step incident handling model the options are drawn from (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned), isolating the affected segment, capturing volatile data (running processes, memory, network connections) and preparing a forensic image are all containment activities. Short-term containment stops the spread while the evidence needed for eradication and for any later legal action is preserved before anything on the system is changed. Note that the NIST SP 800-61r2 reference cited below groups containment, eradication and recovery into a single lifecycle phase; the distinction this question relies on is the six-step model. In practice, capture network connection state before or at the moment of isolation, because disconnecting the segment alters exactly the evidence being collected: RFC 3227's order of volatility puts network state, the process table and memory ahead of disk.
Common mistakes.
- A. Recovery restores systems to normal operation and monitors them afterwards; it follows eradication, which has not yet happened here.
- B. Eradication removes the root cause of the incident (deleting malware, patching the exploited vulnerability, rebuilding hosts); Adam has not started that.
- C. Identification is already complete: Adam confirmed the event as an incident before isolating the segment and collecting evidence.
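The volatile-data capture the question describes, as an added example that is not part of the GIAC page or of NIST SP 800-61: a small Linux triage collector that follows RFC 3227's order of volatility, reading network connections first and the process list second from a /proc tree, writing each artifact to an evidence directory, and recording a SHA-256 and UTC timestamp per artifact in a manifest so the capture can later be tied to the disk image. Physical memory acquisition needs a kernel-level tool (LiME, AVML) and is deliberately left out. The `/proc/net/tcp` sample is constructed, and all function, file and field names are this example's own choices, not a standard.

```python
"""Volatile-data triage collector in order of volatility (RFC 3227).

Added example for this page; not GIAC, SANS or NIST code. Reads a Linux
/proc tree (IPv4 TCP connections, then processes), writes each artifact to
an evidence directory and hashes it into a manifest. Memory imaging is
left to a kernel-level tool. Names and layout are assumptions of this
example, not a standard.
"""
from __future__ import annotations

import hashlib
import json
import socket
import struct
import sys
import time
from pathlib import Path

# TCP state codes as the kernel prints them in /proc/net/tcp.
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}

# Constructed sample in /proc/net/tcp format: an sshd listener on 22 and
# one outbound HTTPS connection from uid 1000 to 10.0.0.10:443.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:8B2C 0A00000A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""


def _hex_addr(hexaddr: str) -> str:
    """'0100007F:0016' -> '127.0.0.1:22'. IPv4 only: the kernel stores the
    address as little-endian hex; /proc/net/tcp6 uses 32 hex digits."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return f"{ip}:{int(port_hex, 16)}"


def parse_proc_net_tcp(text: str) -> list[dict]:
    """Turn /proc/net/tcp text into readable connection records."""
    conns = []
    for line in text.splitlines()[1:]:          # first line is the header
        f = line.split()
        if len(f) < 10:
            continue
        conns.append({"local": _hex_addr(f[1]), "remote": _hex_addr(f[2]),
                      "state": TCP_STATES.get(f[3], f[3]),
                      "uid": int(f[7]), "inode": int(f[9])})
    return conns


def list_processes(proc_root: str = "/proc") -> list[dict]:
    """Enumerate running processes (pid, comm, argv) from a /proc-style tree."""
    root = Path(proc_root)
    pids = [p for p in root.iterdir() if p.name.isdigit()] if root.is_dir() else []
    procs = []
    for p in sorted(pids, key=lambda q: int(q.name)):
        try:
            comm = (p / "comm").read_text().strip()
            argv = [a.decode(errors="replace")
                    for a in (p / "cmdline").read_bytes().split(b"\0") if a]
        except OSError:
            continue  # process exited between listing and read: normal on a live host
        procs.append({"pid": int(p.name), "comm": comm, "argv": argv})
    return procs


def write_artifact(outdir: Path, name: str, data: bytes) -> dict:
    """Write one artifact and return its manifest entry (size, hash, time)."""
    outdir.mkdir(parents=True, exist_ok=True)
    (outdir / name).write_bytes(data)
    return {"name": name, "bytes": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}


def collect(outdir: str, proc_root: str = "/proc") -> dict:
    """Collect the most volatile artifacts first, then write a hashed manifest."""
    out = Path(outdir)
    manifest = {"host": socket.gethostname(), "artifacts": []}
    # 1. Network state first: it changes the moment the host is isolated.
    conns = parse_proc_net_tcp((Path(proc_root) / "net" / "tcp").read_text())
    manifest["artifacts"].append(
        write_artifact(out, "net_tcp.json", json.dumps(conns, indent=1).encode()))
    # 2. Process list next: still volatile, but survives a network disconnect.
    procs = list_processes(proc_root)
    manifest["artifacts"].append(
        write_artifact(out, "processes.json", json.dumps(procs, indent=1).encode()))
    (out / "manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


if __name__ == "__main__":
    # Usage: python volatile_triage.py [evidence_dir]   (needs a Linux /proc)
    target = sys.argv[1] if len(sys.argv) > 1 else time.strftime("volatile-%Y%m%d%H%M%S")
    for a in collect(target)["artifacts"]:
        print(f"{a['collected_at']}  {a['sha256']}  {a['name']} ({a['bytes']} bytes)")
```

Run it from a known-good interpreter and copy of the script on read-only media before the segment is unplugged, and treat the output as triage, not proof: a rootkit can hide entries from /proc, which is why the full memory image and the disk image taken next in the containment phase remain the authoritative evidence. The manifest hashes let the later analysis show that what was examined is what was collected.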
Concept tested. Incident handling containment phase activities
Reference. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf