GCIH · Question #431
During the eradication phase, what information should be analyzed to determine the cause and symptoms of an incident?
The correct answer is B. The information gathered during the identification and containment phases. During eradication, analysts rely on data collected in the identification and containment phases to fully understand the attack vector, scope, and artifacts that must be removed.
Question
During the eradication phase, what information should be analyzed to determine the cause and symptoms of an incident?
Options
- AThe information gathered during the preparation and recovery phases
- BThe information gathered during the identification and containment phases
- CThe results of a vulnerability scan conducted during the recovery phase
- DThe interviews conducted with the system owners
How the community answered
(30 responses)- A7% (2)
- B90% (27)
- D3% (1)
Why each option
During eradication, analysts rely on data collected in the identification and containment phases to fully understand the attack vector, scope, and artifacts that must be removed.
The preparation phase occurs before an incident and establishes policies and tools; the recovery phase occurs after eradication, so neither provides the cause-and-symptom data needed at this stage.
The identification phase produces evidence about how the incident was discovered, what indicators of compromise exist, and which systems are affected. The containment phase adds further forensic detail gathered while limiting the attack. Together these two phases provide the complete picture of cause and symptoms needed to perform thorough eradication without leaving residual threats.
A vulnerability scan performed during recovery is used to verify remediation completeness, not to determine the initial cause and symptoms of the incident.
Interviews with system owners can supplement analysis but alone are insufficient; the primary data source is the technical evidence collected during identification and containment.
Concept tested: Eradication phase data sources in incident handling
Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Topics
Community Discussion
No community discussion yet for this question.