SY0-301 · Question #330
The helpdesk reports increased calls from clients reporting spikes in malware infections on their systems. Which of the following phases of incident response is MOST appropriate as a FIRST response?
The correct answer is D. Identification. Identification is the correct first active phase of incident response - an incident must be detected and confirmed before any containment, eradication, or recovery actions can begin.
Question
The helpdesk reports increased calls from clients reporting spikes in malware infections on their systems. Which of the following phases of incident response is MOST appropriate as a FIRST response?
Options
- ARecovery
- BFollow-up
- CValidation
- DIdentification
- EEradication
- FContainment
How the community answered
(32 responses)- A3% (1)
- B6% (2)
- D91% (29)
Why each option
Identification is the correct first active phase of incident response - an incident must be detected and confirmed before any containment, eradication, or recovery actions can begin.
Recovery restores systems to normal operation and occurs only after containment and eradication have been completed, not as an initial response step.
Follow-up, also called lessons learned, is the final phase conducted after the incident is fully resolved to improve future response capabilities.
Validation is not a standard named phase in the NIST SP 800-61 incident response lifecycle.
The identification phase involves detecting, analyzing, and validating that a security incident has actually occurred and determining its initial scope, which is the prerequisite before any other response action can be taken. In this scenario, the spike in malware infections must first be confirmed as a coordinated incident, affected systems catalogued, and the threat characterized before responders can act. Proceeding to containment or eradication without proper identification risks missing affected systems or mischaracterizing the threat type.
Eradication removes the malware or attacker presence from affected systems but can only be executed effectively after the incident has been identified and its scope determined.
Containment limits the spread of an incident but requires prior identification to know which systems to isolate and what vectors to block.
Concept tested: Incident response identification phase as the first step
Source: https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
Topics
Community Discussion
No community discussion yet for this question.