GIAC
GCIH · Question #431
GCIH Question #431: Real Exam Question with Answer & Explanation
The correct answer is B: The information gathered during the identification and containment phases. During eradication, analysts rely on data collected in the identification and containment phases to fully understand the attack vector, scope, and artifacts that must be removed.
Incident Response & Cyber Kill Chain
Question
During the eradication phase, what information should be analyzed to determine the cause and symptoms of an incident?
Options
- A. The information gathered during the preparation and recovery phases
- B. The information gathered during the identification and containment phases
- C. The results of a vulnerability scan conducted during the recovery phase
- D. The interviews conducted with the system owners
Explanation
Eradication is the step in which the handler removes what the attacker left behind: malware and persistence mechanisms, attacker-created or compromised accounts, and the weakness that allowed the initial entry. Doing that completely requires knowing the cause (the attack vector) and the symptoms (the indicators and affected systems), and that knowledge comes from the two phases that immediately precede eradication. Identification produces the alerts, log evidence, indicators of compromise and the initial list of affected hosts; containment produces the forensic images, memory captures, malware samples and network evidence collected while the compromised systems were isolated. Analysing that material is what tells the handler which artifacts to remove and which systems are in scope. In the NIST SP 800-61r2 lifecycle, containment, eradication and recovery form a single phase that is fed by detection and analysis, which is the same dependency the GCIH six-step model expresses by placing eradication directly after identification and containment.
Common mistakes.
- A. The preparation phase occurs before an incident and establishes policies and tools; the recovery phase occurs after eradication, so neither provides the cause-and-symptom data needed at this stage.
- C. A vulnerability scan performed during recovery is used to verify remediation completeness, not to determine the initial cause and symptoms of the incident.
- D. Interviews with system owners can supplement analysis but alone are insufficient; the primary data source is the technical evidence collected during identification and containment.
Concept tested. Eradication phase data sources in incident handling
Reference. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Topics
#eradication phase · #identification phase · #containment phase · #incident analysis