A payroll administrator noticed unexpected changes within a piece of software and reported the incident to the incident response team. Which actions should be taken at this step in the incident response workflow?
A. Classify the criticality of the information, research the attacker's motives, and identify missing patches
B. Determine the damage to the business, extract reports, and save evidence according to a chain of custody
C. Classify the attack vector, understand the scope of the event, and identify the vulnerabilities being exploited
D. Determine the attack surface, evaluate the risks involved, and communicate the incident according to the escalation plan
I think it's B. The only thing we know is the user noticed a change. Gathering evidence and logs would be my move; escalating too soon might not be good.
ChatGPT: At this stage in the incident response workflow, it is essential to determine how the attack occurred, assess its impact, and identify vulnerabilities to mitigate further damage.
When an incident response team receives a report of unexpected changes within software, the immediate steps involve classifying the attack vector, understanding the scope of the event, and identifying the vulnerabilities being exploited. This is a critical part of the incident response workflow as it helps in determining the nature of the attack and the appropriate containment and eradication strategies.
I think it could be option D. The person who detected the anomaly is a payroll administrator; I don't think he could have an idea of how to classify the attack vector.
At this step in the incident response workflow, the following actions should be taken:
C. Classify the attack vector, understand the scope of the event, and identify the vulnerabilities being exploited.
The first priority of the incident response team should be to gain a full understanding of the incident. This includes identifying the attack vector, understanding the scope of the event, and identifying the vulnerabilities being exploited. By classifying the attack vector and determining the scope of the event, the incident response team can begin to determine the level of response needed and whether additional resources or expertise may be necessary to address the incident. Then A followed by B
It's C for sure. Read the NIST handbook before you assume things.
The incident response team should work quickly to analyze and validate each incident, following a predefined process and documenting each step taken. When the team believes that an incident has occurred, the team should rapidly perform an initial analysis to determine the incident's scope, such as which networks, systems, or applications are affected; who or what originated the incident; and how the incident is occurring (e.g., what tools or attack methods are being used, what vulnerabilities are being exploited). The initial analysis should provide enough information for the team to prioritize subsequent activities, such as containment of the incident and deeper analysis of the effects of the incident.
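The NIST passage quoted above describes the initial analysis as scoping which systems or applications are affected, and option B mentions saving evidence under a chain of custody. The script below is an added example, not code from the thread or from NIST: it compares a known-good hash baseline of the payroll application against what is currently on the host to scope which files were modified, added or removed, and writes a chain-of-custody style record (SHA-256, size, collector, UTC timestamp) for each changed file before anyone alters it. The file paths, file contents and the collector name are constructed sample data.

```python
"""Initial-analysis helper for an 'unexpected software change' report.

Added example (not from the thread). All paths, contents and the
collector identity below are constructed sample data.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Scope:
    """Which files differ from the known-good baseline."""
    modified: list[str] = field(default_factory=list)
    added: list[str] = field(default_factory=list)
    removed: list[str] = field(default_factory=list)

    def affected(self) -> list[str]:
        return self.modified + self.added + self.removed


def scope_changes(baseline: dict[str, str], current: dict[str, bytes]) -> Scope:
    """Compare baseline (path -> expected SHA-256) with current (path -> bytes on disk)."""
    scope = Scope()
    for path in sorted(baseline):
        if path not in current:
            scope.removed.append(path)
        elif sha256_hex(current[path]) != baseline[path]:
            scope.modified.append(path)
    for path in sorted(current):
        if path not in baseline:
            scope.added.append(path)
    return scope


def evidence_record(path: str, data: bytes, collector: str,
                    collected_at: datetime | None = None) -> dict:
    """Chain-of-custody entry: hash the artifact before anyone touches it."""
    when = collected_at or datetime.now(timezone.utc)
    return {
        "path": path,
        "sha256": sha256_hex(data),
        "size": len(data),
        "collector": collector,
        "collected_at": when.isoformat(),
    }


def verify_evidence(record: dict, data: bytes) -> bool:
    """Re-hash a stored copy and check it still matches the custody record."""
    return record["sha256"] == sha256_hex(data) and record["size"] == len(data)


def triage(baseline: dict[str, str], current: dict[str, bytes], collector: str):
    """Scope the change, then record evidence for every changed file that still exists."""
    scope = scope_changes(baseline, current)
    records = [evidence_record(p, current[p], collector)
               for p in scope.modified + scope.added]
    return scope, records


# Constructed sample: a known-good payroll install vs. what was found on the host.
KNOWN_GOOD = {
    "payroll/calc.py": b"def net_pay(gross, tax):\n    return gross - tax\n",
    "payroll/config.ini": b"[db]\nhost=payroll-db\n",
    "payroll/README": b"Payroll 4.2\n",
}
BASELINE = {path: sha256_hex(data) for path, data in KNOWN_GOOD.items()}

ON_HOST = {
    "payroll/calc.py": b"def net_pay(gross, tax):\n    return gross - tax + 50\n",
    "payroll/config.ini": KNOWN_GOOD["payroll/config.ini"],
    "payroll/hook.dll": b"MZ\x90\x00constructed-sample",  # file not in the baseline
}

if __name__ == "__main__":
    scope, records = triage(BASELINE, ON_HOST, collector="ir-analyst-1")
    print("modified:", scope.modified, "added:", scope.added, "removed:", scope.removed)
    print(json.dumps(records, indent=2))
```

The baseline would normally come from the vendor's release manifest or a file-integrity monitor; the point is that the scoping step and the evidence hashing happen on a read-only view of the files, before containment changes anything.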
D. Determine the attack surface, evaluate the risks involved, and communicate the incident according to the escalation plan - makes more sense.
Community vote distribution: A (35%), C (25%), B (20%), other (20%)
Commenters:
CiscoTester (highly voted, 3 years, 5 months ago)
marceus (most recent, 2 months, 3 weeks ago)
TrainingTeam (6 months, 2 weeks ago)
Vic25H (1 year, 10 months ago)
jay_c_an (2 years, 2 months ago)
DrVoIP (2 years, 2 months ago)
Medjai89 (2 years, 4 months ago)
cbr01 (2 years, 6 months ago)
TOLU1985 (2 years, 7 months ago)
jaciro11 (2 years, 8 months ago)
gallifrean (3 years, 2 months ago)
Bobster02 (3 years, 6 months ago)