PrepAway - Latest Free Exam Questions & Answers

Which of the following phases of incident response is MOST appropriate as a FIRST response?

The helpdesk reports increased calls from clients reporting spikes in malware infections on their systems.
Which of the following phases of incident response is MOST appropriate as a FIRST response?


A. Recovery
B. Follow-up
C. Validation
D. Identification
E. Eradication
F. Containment

Explanation:
To be able to respond to the incident of malware infection you need to know what type of malware was
used since there are many types of malware around. This makes identification critical in this case.
Incorrect Answers:
A: Recovering from the malware incident can only happen after you have identified the type of malware
involved.
B: Follow-up is exactly that – following the incident and not a first response.
C: Validation is not an appropriate first response when dealing with a malware infection. Validation only
comes into effect as a prevention measure to LDAP Injection attacks.
E: Eradication of malware infections can only be done successfully after the malware involved has been
identified. Thus the best first response would be identification and not eradication.
F: Containment is akin to quarantine and is usually a last resort when one cannot eradicate the malware
from the systems.

Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, pp. 301-309, 338, 429
http://www.certiguide.com/secplus/cg_sp_SixStepIncidentResponseProcess.htm

