nerdexam
GIAC

GCIH · Question #431

During the eradication phase, what information should be analyzed to determine the cause and symptoms of an incident?

The correct answer is B. The information gathered during the identification and containment phases. During eradication, analysts rely on data collected in the identification and containment phases to fully understand the attack vector, scope, and artifacts that must be removed.

Incident Response & Cyber Kill Chain

Question

During the eradication phase, what information should be analyzed to determine the cause and symptoms of an incident?

Options

  • AThe information gathered during the preparation and recovery phases
  • BThe information gathered during the identification and containment phases
  • CThe results of a vulnerability scan conducted during the recovery phase
  • DThe interviews conducted with the system owners

How the community answered

(30 responses)
  • A
    7% (2)
  • B
    90% (27)
  • D
    3% (1)

Why each option

During eradication, analysts rely on data collected in the identification and containment phases to fully understand the attack vector, scope, and artifacts that must be removed.

AThe information gathered during the preparation and recovery phases

The preparation phase occurs before an incident and establishes policies and tools; the recovery phase occurs after eradication, so neither provides the cause-and-symptom data needed at this stage.

BThe information gathered during the identification and containment phasesCorrect

The identification phase produces evidence about how the incident was discovered, what indicators of compromise exist, and which systems are affected. The containment phase adds further forensic detail gathered while limiting the attack. Together these two phases provide the complete picture of cause and symptoms needed to perform thorough eradication without leaving residual threats.

CThe results of a vulnerability scan conducted during the recovery phase

A vulnerability scan performed during recovery is used to verify remediation completeness, not to determine the initial cause and symptoms of the incident.

DThe interviews conducted with the system owners

Interviews with system owners can supplement analysis but alone are insufficient; the primary data source is the technical evidence collected during identification and containment.

Concept tested: Eradication phase data sources in incident handling

Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Topics

#eradication phase#identification phase#containment phase#incident analysis

Community Discussion

No community discussion yet for this question.

Full GCIH Practice