See the first sentence of the CISM Exam Guide regarding Eradication: "The eradication phase of security incident response is concerned with the removal of the agent or factors that caused or aided the incident." Doing a root cause analysis is part of the activities, but the overall goal is removal/wiping.
A. identify the root cause
Identifying the root cause of the incident is crucial because it allows you to understand how the incident occurred in the first place. By identifying the root cause, you can take steps to prevent similar incidents from happening in the future. This knowledge is essential for effective incident response and long-term security improvement.
From RSISecurity.com (see the *** part):
How to Remove Threats During the Eradication Phase of Incident Response
After identifying and analyzing the threats during the other incident phases, complete removal of those threats from your systems and periphery is the critical goal of the eradication phase.
To do so, choose the eradication approach that is most appropriate for the threat, such as:
Automated removal – If any minor threats can be removed by anti-malware tools, let the software remove them and focus on higher priority threats.
***Reimaging systems – Wipe systems and reimage them to ensure any malware is removed.
Applying patches – Patch vulnerabilities that may have facilitated attacks or been introduced by threats detected within the environment.
Migrating resources – Consider removing resources that weren’t affected during the incident to new systems to ensure they remain unaffected throughout the rest of the incident response process.
• Preparation: No organization can spin up an effective incident response on a moment’s notice. A plan must be in place to both prevent and respond to events.
• Detection and analysis: The second phase of IR is to determine whether an incident occurred, its severity, and its type.
• Containment and eradication: The purpose of the containment phase is to halt the effects of an incident before it can cause further damage.
• Post-incident recovery: A lessons learned meeting involving all relevant parties should be mandatory after a major incident and desirable after less severe incidents with the goal of improving security as a whole and incident handling in particular.
During the eradication phase, the incident response team investigates the extent of the compromise, identifies the root cause of the incident, and takes necessary actions to remove any malicious presence, unauthorized access, or compromised components from the affected systems or network. So the correct answer is Option A.
Gonna go with D here - the root cause analysis should have been completed during the analysis phase, prior to containment. Hard to contain what you do not understand.
Option D - since the eradication step has to ensure the threat has been eliminated. All other options are not part of the eradication step.
A - Post-Op step, never seen anyone perform root cause in the middle of an active incident.
B - Recovery step. If performed without proper eradication then the incident can surface again.
C - Notifying the affected users would've already happened. Probably one of the first steps in Incident response.
Restoring from a backup, notifying affected users, and wiping the affected system are typically considered part of the containment and recovery phases of incident response, whereas identifying the root cause is a critical step in eradicating the incident and preventing its recurrence.
The correct answer is (A) identifying the root cause. This is because you have to know what the root cause is in order to truly eliminate the threat. If it is not properly scoped, then the attacker may still be able to log in or use another system to move throughout the environment.
Rationale:
(B) Restoring a system from a backup does nothing to address other potential points an attacker may hop from.
(C) Notifying affected users without understanding the true scope of the incident may mislead users.
(D) Wiping the affected system only stops the attacker at this particular system, but not at all the other systems that haven't been identified, because the root cause hasn't been identified yet.
ISACA: The eradication step of incident response involves direct actions (usually on the part of incident responders) to remove the source of the incident. This may include removing malware, blocking incoming and/or outgoing command and control messages, or removing an intruder.