Exam 200-201 topic 1 question 182 discussion

Per: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf 3.3.3 Identifying the Attacking Hosts 3.3.4 Eradication and Recovery If it were me, I would select A

Should b A

C ** Containment:** According to the NIST SP 800-61 Incident Handling Guide, the incident response process consists of the following phases: ** Preparation:** This phase involves establishing incident response policies and procedures, training personnel, and developing communication plans. ** Identification:** This phase involves detecting and acknowledging an incident. ** Containment:** This phase involves limiting the spread of the incident and preventing further damage. ** Eradication:** This phase involves removing the threat actor from the system and restoring the system to normal operations. ** Recovery:** This phase involves restoring data and applications that were lost or damaged during the incident. ** Lessons learned:** This phase involves identifying what went wrong and how to prevent similar incidents from happening in the future.

CORRECT ANS= A

Option A, "Recover from the threat," refers to the containment, eradication, and recovery phase of incident response, which is already completed in the given scenario since the engineer was able to identify the threat's entry point and remove access. Option D, "Reduce the probability of similar threats," is a proactive measure that should be taken before an incident occurs, rather than a step in the incident handling process. The next step according to the NIST SP 800-61 Incident handling guide is to analyze the threat, which involves gathering and analyzing information about the incident to determine the cause, scope, and extent of the damage. So the best answer is B.

the engineer 'identify the .... application the threat actor targeted', means that the 'application' has not been 'fixed/repaired'. Engineer should get that application recovered.

i think D is the correct answer - the Engineer identified the threat's entry point ==> so he Analyze the threat. - the engineer removed access ==> so he Recover from the threat. the next step is to =====> **** D. Reduce the probability of similar threats.****

According to NIST 800-61 incident handling life cycle----> After an incident has been contained, eradication may be necessary to eliminate components of the incident, : Correct answer is A (Eradication and Recovery)

A. Recover from the threat. B. Analyze the threat. C. Identify lessons learned from the threat. D. Reduce the probability of similar threats. I have just read 800-61r2 and in my opinion the detection and analysis phase is over because the breach has been detected and the threat actor and vector identified. Also, the containment is complete because th engineer removed access, however in the same phase we have "recovery" which has not yet been completed. C & D are both done in the "Post Incident Activity" phase, but as we have not yet recovered from the breach, these cannot be the correct answer. Just my opinion.

COMPUTER SECURITY INCIDENT HANDLING GUIDE - NIST SP 800-61 3. Handling an Incident: 3.1. Preparation (2 items) 3.2. Detectiona and Analisys (7 items) 3.2.4 Incident Analysis 3.3 Containment, Eradication, and Recovery (4 items) 3.3.4 Eradication and Recovery 3.4 Post-Incident Activity 3.4.1 Lessons Learned <---- 3.4.2 Using Collected Incident Data 3.4.3 Evidence Retention To answer the question you must know in which fase of the Handling an Incident the case is. The engineer did 3.1, 3.2 and 3.3, so it is now time to 3.4. So the correct answer is "C" Ref: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

"A" is correct

Check for similar breaches right away

D - Reduce the probability of similar threats, could possibly be categorised under 'Eradication' 800.61r2 states the following for Eradication: "During eradication, it is important to identify all affected hosts within the organization so that they can be remediated." And in the checklist under the Eradication section - Identify and mitigate all vulnerabilities that were exploited - If more affected hosts are discovered (e.g., new malware infections), repeat the Detection and Analysis steps (1.1, 1.2) to identify all other affected hosts, then contain (5) and eradicate (6) the incident for them Assuming the Detection and Analysis phase has been conducted, and none of the answers fall into the Containment category... Answer (D) might be warranted. The 'similar' wording in the question makes it difficult to confirm if the aforementioned threats pertain to the impacted network or 'just in general'

I think the correct answer is D.

b is correct

so what is the correct answer. please stop confusing me

For me "B" is correct What is in the document: incident response life cycle: Preparation --> Detection (Attack Vectors) & Analysis --> Containment, Erradication & Recovery --> Post-Incident (Lessons Learned) The challenge is to discover in what phase of the cycle we are now. I beleive it is Detection. So, the next step is Analysis.