PrepAway - Latest Free Exam Questions & Answers

During an incident response, what stage involves mitigating the damage caused by an incident?


A. Investigation
B. Containment
C. Triage
D. Analysis

Explanation:

B: A proper containment strategy buys the incident response team time to investigate properly and determine the incident's root cause. The containment strategy should be based on the category of the attack (i.e., whether it was internal or external), the assets affected by the incident, and the criticality of those assets. Containment strategies can be proactive or reactive; which is best depends on the environment and the category of the attack. In some cases, the best action might be to disconnect the affected system from the network. Disconnecting the affected system from the network is a reactive strategy, not a proactive one: the system is taken offline after it is attacked. If it were taken offline before it was attacked (which would require some indication that the system was going to be attacked), the strategy would be proactive.

A is incorrect because the investigation stage involves the proper collection of relevant data and includes analysis, interpretation, reaction, and recovery. The goals of this stage are to reduce the impact of the incident, identify its cause, resume operations as soon as possible, and apply what was learned to prevent the incident from recurring. It is also at this stage that computer forensics comes into play. Management must decide whether law enforcement should be brought in to carry out the investigation, whether evidence should be collected for the purposes of prosecution, or whether the hole should simply be patched.

C is incorrect because triage involves taking information about the incident, investigating the incident's severity, and setting priorities on how to deal with it. This begins with an initial screening of the reported event to determine whether it is indeed an incident and whether the incident handling process should be initiated. If the event is determined to be a real incident, it is identified and classified. Incidents should be categorized according to their level of potential risk, which is influenced by the type of incident, its source, its rate of growth, and the ability to contain the damage. This, in turn, determines what notifications are required during the escalation process and sets the scope and procedures for the investigation.

D is incorrect because the analysis stage involves gathering data such as audit logs, video captures, and human accounts of activities to determine the root cause of the incident. The goals are to find out who did this, how they did it, when they did it, and why. Management must be kept continually abreast of these activities because they will be the ones making the major decisions on how the incident is to be handled.
