Exam 200-201 topic 1 question 186 discussion

Actual exam question from Cisco's 200-201
Question #: 186
Topic #: 1

The SOC team has confirmed a potential indicator of compromise on an endpoint. The team has narrowed the executable file's type to a new trojan family.
According to the NIST Computer Security Incident Handling Guide, what is the next step in handling this event?

  • A. Perform forensics analysis on the infected endpoint
  • B. Isolate the infected endpoint from the network
  • C. Prioritize incident handling based on the impact
  • D. Collect public information on the malware behavior
Suggested Answer: B
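
Containment in the sense of the suggested answer, isolating the endpoint, does not have to mean the host goes dark and forensics (option A) becomes impossible. The script below is an added example, not from the exam, Cisco or NIST SP 800-61: it generates an nftables ruleset for a compromised Linux host that default-denies both directions, keeps one inbound channel for the forensics jump host and one outbound channel for EDR/log telemetry, and logs every dropped flow so blocked C2 attempts become evidence. The addresses 10.0.50.5 and 10.0.50.10 and the ports are constructed, and the check_ruleset() guard rails are this example's own, not an nft feature.

```python
"""Generate an nftables isolation ruleset for a compromised Linux endpoint.

Added example for the discussion of NIST SP 800-61 containment; not code
from the exam, Cisco or NIST. All IPs/ports below are constructed samples.
"""
import ipaddress
from typing import Dict, List

Peers = Dict[str, List[int]]  # {"ipv4 address": [tcp ports]}


def _rules(direction: str, peers: Peers) -> List[str]:
    """One accept rule per (peer, port). Inbound rules match the remote
    source address, outbound rules match the remote destination address."""
    addr_key = "ip saddr" if direction == "in" else "ip daddr"
    lines = []
    for peer, ports in peers.items():
        ip = ipaddress.ip_address(peer)  # raises ValueError on junk input
        if ip.version != 4:
            raise ValueError(f"IPv4 only in this example: {peer}")
        for port in ports:
            if not 1 <= port <= 65535:
                raise ValueError(f"bad port {port} for {peer}")
            lines.append(f"        {addr_key} {ip} tcp dport {port} accept")
    return lines


def build_isolation_ruleset(inbound: Peers, outbound: Peers) -> str:
    """Default-deny both chains; allow loopback, replies to permitted flows
    and only the listed SOC peers. Everything else is logged, then dropped."""
    if not outbound:
        raise ValueError("no outbound peer: the host would go dark to the SOC")
    body = [
        "flush ruleset",
        "table inet isolation {",
        "    chain input {",
        "        type filter hook input priority 0; policy drop;",
        '        iif "lo" accept',
        "        ct state established,related accept",
        *_rules("in", inbound),
        '        log prefix "isolation-drop-in " drop',
        "    }",
        "    chain output {",
        "        type filter hook output priority 0; policy drop;",
        '        oif "lo" accept',
        "        ct state established,related accept",
        *_rules("out", outbound),
        '        log prefix "isolation-drop-out " drop',
        "    }",
        "}",
    ]
    return "\n".join(body) + "\n"


def check_ruleset(text: str) -> List[str]:
    """Sanity checks a responder wants before `nft -f`: both chains default
    to drop, no accept rule lacks a peer address, and drops are logged.
    Returns a list of findings; an empty list means the ruleset passed."""
    findings = []
    if text.count("policy drop;") != 2:
        findings.append("both input and output chains must default to drop")
    for line in text.splitlines():
        s = line.strip()
        if s == "accept" or s.startswith("tcp dport") or "0.0.0.0/0" in s:
            findings.append(f"over-broad accept: {s}")
    if 'log prefix "isolation-drop' not in text:
        findings.append("drops are not logged; blocked C2 attempts would be lost")
    return findings


# Constructed sample: the forensics jump host reaches the endpoint over SSH,
# the EDR collector receives telemetry on 443. Nothing else, not even DNS,
# is reachable from the isolated host.
SOC_INBOUND = {"10.0.50.5": [22]}
SOC_OUTBOUND = {"10.0.50.10": [443]}

if __name__ == "__main__":
    ruleset = build_isolation_ruleset(SOC_INBOUND, SOC_OUTBOUND)
    problems = check_ruleset(ruleset)
    assert not problems, problems
    print(ruleset)  # save as isolation.nft and load with: nft -f isolation.nft
```

Load the output from a console session or from an SSH session that originates at the allowed jump host; a session from anywhere else dies the moment the ruleset is applied, because only flows matching the explicit accepts (and their established replies) survive. This is the practical answer to the "production server" objection in the thread: the host stays reachable to the responders, and the logged drops show what the trojan tried to contact after containment.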

Comments

Entivo
Highly Voted 2 years, 2 months ago
Selected Answer: B
Personally I would isolate before doing ANYTHING else!
upvoted 6 times
MartinRB
1 year, 8 months ago
That does not work in practice; it might be a production server, so isolation would be an extreme case.
upvoted 1 times
CrazyD1337
1 year, 4 months ago
So you'd let a trojan just sit there and propagate itself?
upvoted 3 times
RoBery
Most Recent 9 months, 2 weeks ago
B. "narrowed the executable file's type to a new trojan family" means it has been investigated and proven to be a trojan. Action is needed here.
upvoted 1 times
SecurityGuy
1 year, 2 months ago
Selected Answer: D
From a SOC's point of view, I would first research the malware behavior, i.e. which parts of the network or system it would likely target first, since malware tends to have "variations". At least know how the malware behaves before performing intrusive actions. Determine the impact first before you isolate an endpoint, since in a real-world scenario you're already running an AV, EDR or XDR and you'll mostly do non-intrusive activities.
upvoted 1 times
weganos
1 year, 9 months ago
Selected Answer: D
When reading Appendix G in the NIST 800-61 (r2) document, I would say it's step 3, "Analyze the evidence to confirm that an incident has occurred," which would be D. I would think removing it from the network would be step 6, "Stop the incident if it is still in progress." TBH I would disconnect and isolate it first so it can't spread further, but I think the correct answer is D. Tricky question...
upvoted 2 times
trigger4848
1 year, 11 months ago
Isolating the PC may cause damage to the PC. It could set off another attack which encrypts the host. You should first analyze the malware, I believe, but with these questions I can't say for sure.
upvoted 2 times
[Removed]
2 years, 2 months ago
Selected Answer: C
Prioritize incident handling based on the impact
upvoted 1 times
Zeehlatse
2 years, 3 months ago
The answer is B
upvoted 1 times
ItsBananass
2 years, 3 months ago
You found a new trojan on your network on an endpoint. What do you do next? I think you should isolate. Answer B
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other