nerdexam
CompTIA

SY0-301 · Question #330

The helpdesk reports increased calls from clients reporting spikes in malware infections on their systems. Which of the following phases of incident response is MOST appropriate as a FIRST response?

The correct answer is D. Identification. Identification is the correct first active phase of incident response - an incident must be detected and confirmed before any containment, eradication, or recovery actions can begin.

Security operations

Question

The helpdesk reports increased calls from clients reporting spikes in malware infections on their systems. Which of the following phases of incident response is MOST appropriate as a FIRST response?

Options

  • ARecovery
  • BFollow-up
  • CValidation
  • DIdentification
  • EEradication
  • FContainment

How the community answered

(32 responses)
  • A
    3% (1)
  • B
    6% (2)
  • D
    91% (29)

Why each option

Identification is the correct first active phase of incident response - an incident must be detected and confirmed before any containment, eradication, or recovery actions can begin.

ARecovery

Recovery restores systems to normal operation and occurs only after containment and eradication have been completed, not as an initial response step.

BFollow-up

Follow-up, also called lessons learned, is the final phase conducted after the incident is fully resolved to improve future response capabilities.

CValidation

Validation is not a standard named phase in the NIST SP 800-61 incident response lifecycle.

DIdentificationCorrect

The identification phase involves detecting, analyzing, and validating that a security incident has actually occurred and determining its initial scope, which is the prerequisite before any other response action can be taken. In this scenario, the spike in malware infections must first be confirmed as a coordinated incident, affected systems catalogued, and the threat characterized before responders can act. Proceeding to containment or eradication without proper identification risks missing affected systems or mischaracterizing the threat type.

EEradication

Eradication removes the malware or attacker presence from affected systems but can only be executed effectively after the incident has been identified and its scope determined.

FContainment

Containment limits the spread of an incident but requires prior identification to know which systems to isolate and what vectors to block.

Concept tested: Incident response identification phase as the first step

Source: https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final

Topics

#incident response#identification phase#malware#incident handling

Community Discussion

No community discussion yet for this question.

Full SY0-301 Practice