PrepAway - Latest Free Exam Questions & Answers

During what stage of incident response is it determined if the source of the incident was internal or external

During what stage of incident response is it determined if the source of the incident was internal or external, and how the offender penetrated and gained access to the asset?

A. Analysis

B. Containment

C. Tracking

D. Follow-up

Explanation:
C: Incident response begins with triage. During triage, the scope and severity of the incident are assessed. If it is determined that an incident has indeed occurred, then the incident response team moves to the investigation stage. This stage involves the collection of data, as well as analysis, interpretation, reaction, and recovery. The next stage is containment. The team isolates the systems involved in the incident to buy time to conduct a full investigation. During analysis, more data is collected and analyzed to determine the root cause of the incident. Once we have as much information as we can get in the analysis stage and have answered as many questions as we can, we then move to the tracking stage. We determine if the source of the incident was internal or external and how the offender penetrated and gained access to the asset.
A is incorrect because during analysis data is gathered (audit logs, video captures, human accounts of activities, system activities) to try to figure out the root cause of the incident.
B is incorrect because the purpose of containment is to isolate the incident to prevent further damage and buy the incident response team time to conduct their investigation.
D is incorrect because the follow-up or recovery stage occurs after the incident is understood. It involves implementing the necessary fix to ensure this type of incident cannot happen again. This may require blocking certain ports, deactivating vulnerable services or functionalities, switching over to another processing facility, or applying a patch. This is properly called “following recovery procedures,” because just arbitrarily making a change to the environment may introduce more problems. The recovery procedures may state that a new image needs to be installed, backup data needs to be restored, the system needs to be tested, and all configurations need to be properly set.

One Comment on “During what stage of incident response is it determined if the source of the incident was internal or external”

  1. joe says:

    Incident response begins:
    1. Triage (Division): scope and severity of the incident
    2. Containment (Control): Conduct a full investigation
    3. Analysis: Root cause of the incident
    4. Tracking: Source of the incident was internal or external



