The incident response process typically includes the following phases: preparation, detection and analysis, containment, eradication, and recovery. The detection and analysis phase is focused on identifying and assessing the scope and severity of the incident, and this includes analyzing logs and other data to identify the source and nature of the attack.
These questions are tricky, but the key here is "researches an attacking host through logs in a SIEM". This should be done in Detection and Analysis -- A
According to NIST SP 800-31 3.3 Identifying the Attacking Hosts - incident handlers should generally stay focused on containment, eradication, and recovery. Could be C and D
It is done during Containment, Eradication, and Recovery, which is considered a single phase.
As per the course guide:
"Containment, Eradication, and Recovery
The containment, eradication, and recovery phase includes the following activities:
■ Gathering and handling evidence
■ Identifying the attacking hosts
■ Choosing a containment strategy to effectively contain and eradicate the attack, as well as to successfully recover from it"
Page 303 in the CyberOps book states "Containment, eradication and recovery - identify the attacking host", which is bad wording because that means the answer could be containment or eradication, since they are both possible answers. Horrible test writing from Cisco here.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf section 3.3.3 shows "Identifying the Attacking Hosts" under "Containment, Eradication, and Recovery".
From Cisco CyberOps Associate CBROPS 200-201 Official Cert Guide, chapter 8, page 303:
The containment, eradication, and recovery phase includes the following activities:
■ Gathering and handling evidence
■ Identifying the attacking hosts
■ Choosing a containment strategy to effectively contain and eradicate the attack, as well as to successfully recover from it
For me, I think the right answer is A, because in the eradication process you identify the attacked hosts, not the attacking hosts, whereas in detection and analysis you profile the network and systems, so you can get a clue about the attacking hosts.
Preparation --> Detection and Analysis --> Containment, Eradication and Recovery --> Post-Incident Activity
Detection and Analysis --> Profile networks and systems. Understand normal behaviors. Create a log retention policy. Perform event correlation. Maintain and use a knowledge base of information. Use Internet search engines for research. Run packet sniffers to collect additional data. Filter the data. Seek assistance from others. Keep all host clocks synchronized. Know the different types of attacks and attack vectors. Develop processes and procedures to recognize the signs of an incident. Understand the sources of precursors and indicators. Create appropriate incident documentation capabilities and processes. Create processes to effectively prioritize security incidents. Create processes to effectively communicate incident information (internal and external communications).
Ref: Cisco CyberOps Associate CBROPS 200-201 Official Cert Guide