GCIH Question #420: Real Exam Question with Answer & Explanation
The correct answer is B: create an IPS rule to block traffic from an ongoing denial-of-service attack. Of the four options, it is the only action whose purpose is to limit the spread and impact of an incident that is still in progress, which is what the containment phase is for.
Incident Response & Cyber Kill Chain
Question
Which of the following tasks would take place during the incident containment phase?
Options
- A. Review server operating system logs for unusual or malicious behavior
- B. Create an IPS rule to block traffic from an ongoing denial-of-service attack
- C. Rebuild a server with a clean copy of the operating system and apply all relevant patches
- D. Begin documenting the incident and response actions
Explanation
Containment is the first part of the NIST SP 800-61r2 "Containment, Eradication, and Recovery" phase. Its goal is to stop an active incident from getting worse before the attacker's artifacts are removed and systems are restored: choosing a containment strategy (shut down, disconnect, or filter), preserving evidence where possible, and deploying technical controls that stop the malicious activity. An IPS or firewall rule that drops traffic from the sources of an ongoing denial-of-service attack is exactly such a control. Two practical caveats: containment is usually short-term and should be recorded and revisited rather than left in place indefinitely, and source-based blocking only helps when the attacking addresses are identifiable and not spoofed; a large distributed or spoofed flood may also require upstream filtering by the provider.
Common mistakes.
- A. Reviewing server OS logs for unusual or malicious behavior is detection and analysis work: it establishes whether an incident is occurring and what it involves, and it precedes containment.
- C. Rebuilding a server from a clean OS image and applying patches is a recovery action (NIST lists rebuilding systems from scratch and installing patches under recovery); it comes after containment and after eradication of the attacker's artifacts.
- D. Documenting the incident and the response actions begins during detection and analysis, as soon as an incident is suspected, and then continues through every later phase. It is not something that starts in containment.
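To make the containment action in option B concrete, here is an added example (not from the original page, GIAC, or NIST) of the kind of helper an incident handler might run during short-term containment: it reads a connection log, flags source addresses whose request rate inside a sliding window exceeds a threshold, refuses to block allow-listed internal ranges, emits nftables block rules with an expiry so the containment does not silently become permanent, and records what it did for the incident log. The log format, threshold, window, allow list, set name and the sample log lines are all assumptions constructed for this example.

```python
"""Short-term containment helper for a SYN-flood style denial of service.

Added example, not from the original page or from GIAC/NIST. Reads a connection
log, flags sources exceeding a rate threshold inside a sliding window, and emits
block rules in nftables syntax. Log format, thresholds, set name and allow list
are assumptions chosen for illustration.
"""
from datetime import datetime, timedelta, timezone
import ipaddress

# Assumption: one event per line, "<ISO timestamp> <src_ip> <dst_ip>:<dst_port> <tcp_flags>".
LOG_FORMAT_FIELDS = 4

# Assumption: ranges an automated rule must never block (internal networks,
# monitoring hosts). Blocking these during containment would widen the outage.
ALLOW_LIST = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("192.168.0.0/16")]


def constructed_sample():
    """Constructed log: two flooding sources, one normal client, and one noisy
    internal host that is allow-listed."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []

    def emit(src, count, spread_s):
        step = spread_s / count
        for i in range(count):
            ts = (base + timedelta(seconds=i * step)).strftime("%Y-%m-%dT%H:%M:%S")
            lines.append(f"{ts} {src} 198.51.100.10:443 SYN")

    emit("203.0.113.7", 120, 30)   # 120 SYNs in 30 s: flood
    emit("203.0.113.8", 80, 45)    # 80 SYNs in 45 s: flood
    emit("192.0.2.50", 5, 60)      # 5 SYNs in 60 s: ordinary client
    emit("10.1.2.3", 200, 20)      # internal scanner: noisy but allow-listed
    return lines


def parse(lines):
    """Yield (timestamp, src_ip) for well-formed lines; malformed lines are skipped."""
    for line in lines:
        parts = line.split()
        if len(parts) != LOG_FORMAT_FIELDS:
            continue
        try:
            yield (datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S"),
                   ipaddress.ip_address(parts[1]))
        except ValueError:
            continue


def peak_rate(timestamps, window):
    """Largest number of events from one source inside any span of length `window`."""
    ts = sorted(timestamps)
    best, lo = 0, 0
    for hi, t in enumerate(ts):
        while t - ts[lo] > window:   # slide the left edge forward
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_flood_sources(lines, threshold=50, window=timedelta(seconds=60)):
    """Return {src_ip: peak_count} for every source at or above the threshold."""
    per_src = {}
    for ts, src in parse(lines):
        per_src.setdefault(str(src), []).append(ts)
    peaks = {src: peak_rate(stamps, window) for src, stamps in per_src.items()}
    return {src: n for src, n in peaks.items() if n >= threshold}


def build_containment(flooders, set_name="dos_block", ttl="1h"):
    """Split flagged sources into block rules and allow-listed exceptions.

    Assumes nftables sets created with element timeouts, e.g.
      nft add set inet filter dos_block '{ type ipv4_addr; flags timeout; }'
    so each block expires on its own: containment is a short-term control.
    IPv6 sources go to a sibling set (assumed name dos_block6, type ipv6_addr).
    """
    rules, skipped = [], []
    for src in sorted(flooders):
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in ALLOW_LIST):
            skipped.append(src)          # left for an analyst, never auto-blocked
            continue
        name = set_name if addr.version == 4 else set_name + "6"
        rules.append(f"nft add element inet filter {name} {{ {src} timeout {ttl} }}")
    return rules, skipped


def incident_record(flooders, rules, skipped, when):
    """Lines for the incident log: what was blocked, why, and what was deferred.
    Documentation continues through containment rather than starting there."""
    stamp = when.strftime("%Y-%m-%dT%H:%M:%SZ")
    notes = [f"{stamp} CONTAINMENT applied {len(rules)} block(s), "
             f"{len(skipped)} allow-listed source(s) deferred"]
    notes += [f"{stamp}   blocked {src}: peak {flooders[src]} SYN in window"
              for src in sorted(flooders) if src not in skipped]
    notes += [f"{stamp}   deferred {src}: allow-listed, escalate to analyst"
              for src in skipped]
    return notes


if __name__ == "__main__":
    flooders = find_flood_sources(constructed_sample())
    rules, skipped = build_containment(flooders)
    for line in rules + incident_record(flooders, rules, skipped,
                                        datetime.now(timezone.utc)):
        print(line)
```

The rules are printed rather than executed so a handler can review them before applying; the element timeout means the block lapses unless someone deliberately renews it, which forces the revisit that short-term containment needs.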
Concept tested. NIST incident response containment phase actions
Reference. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Topics
#incident-containment #IPS-rules #incident-response-phases #DoS-mitigation