The incident response process typically includes the following phases: preparation, detection and analysis, containment, eradication, and recovery. The detection and analysis phase is focused on identifying and assessing the scope and severity of the incident, and this includes analyzing logs and other data to identify the source and nature of the attack.
These questions are tricky, but the key here is "researches an attacking host through logs in a SIEM?" -- this should be done in Detection and Analysis -- A
It is done during Containment, eradication and recovery which is considered a single phase.
As per the course guide
"Containment, Eradication, and Recovery
The containment, eradication, and recovery phase includes the following activities:
■ Gathering and handling evidence
■ Identifying the attacking hosts
■ Choosing a containment strategy to effectively contain and eradicate the attack, as
well as to successfully recover from it"
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf section 3.3.3 shows "Identifying the Attacking Hosts" under "Containment, Eradication, and Recovery"
From Cisco CyberOps Associate CBROPS 200-201 Official Cert Guide
chapter 8 page 303
The containment, eradication, and recovery phase includes the following activities:
■ Gathering and handling evidence
■ Identifying the attacking hosts
■ Choosing a containment strategy to effectively contain and eradicate the attack, as
well as to successfully recover from it
For me, I think the right answer is A, because in the eradication process you identify the attacked hosts, not the attacking hosts, whereas in detection and analysis you profile the network and systems, so you can get a clue about the attacking hosts.
Preparation --> Detection and Analysis --> Containment, Eradication and Recovery --> Post-Incident Activity
Detection and Analysis --> Profile networks and systems. Understand normal behaviors. Create a log retention policy. Perform event correlation. Maintain and use a knowledge base of information. Use Internet search engines for research. Run packet sniffers to collect additional data. Filter the data. Seek assistance from others. Keep all host clocks synchronized. Know the different types of attacks and attack vectors. Develop processes and procedures to recognize the signs of an incident. Understand the sources of precursors and indicators. Create appropriate incident documentation capabilities and processes. Create processes to effectively prioritize security incidents. Create processes to effectively communicate incident information (internal and external communications).
Ref: Cisco CyberOps Associate CBROPS 200-201 Official Cert Guide
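The post above lists "Perform event correlation" and "Keep all host clocks synchronized" among the Detection and Analysis activities. The following is an added example, not code from the ExamTopics thread, the Cisco guide or NIST SP 800-61: a small correlation routine of the kind an analyst would run in (or export from) a SIEM to research a suspected attacking host. It parses constructed sshd-style log lines from several hosts, normalises their timestamps to UTC (one host reports in a different time zone, which is exactly why clock discipline matters), and flags any source IP that fails logins on several hosts inside a short window. All hostnames, addresses and timestamps are made up.

```python
"""Added example: event correlation over constructed log lines to identify a
suspected attacking host. Nothing here comes from the Cisco guide or NIST SP 800-61."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a syslog-like shape. Host "web01" reports in
# UTC+2 while the others report in UTC; the parser normalises this.
SAMPLE_LOGS = """\
2024-05-01T10:00:01+00:00 db01 sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
2024-05-01T12:00:03+02:00 web01 sshd[3310]: Failed password for admin from 203.0.113.7 port 51040 ssh2
2024-05-01T10:00:05+00:00 db01 sshd[1201]: Failed password for root from 203.0.113.7 port 51051 ssh2
2024-05-01T10:00:09+00:00 app01 sshd[777]: Failed password for deploy from 198.51.100.23 port 40001 ssh2
2024-05-01T12:00:12+02:00 web01 sshd[3310]: Accepted password for admin from 203.0.113.7 port 51088 ssh2
2024-05-01T10:01:00+00:00 app01 sshd[777]: Accepted publickey for deploy from 192.0.2.10 port 40010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_events(text):
    """Parse each matching line into a dict, with the timestamp converted to UTC."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; a real pipeline would count and log these
        ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return events


def correlate_sources(events, window=timedelta(minutes=5), min_hosts=2):
    """Group events by source IP and flag sources whose failed logins touch at
    least `min_hosts` distinct hosts within `window`. For each flagged source,
    also record whether any login from it succeeded after the first failure,
    which is what turns a noisy scanner into a containment priority."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])  # UTC-normalised, so ordering is reliable
        failed = [e for e in evs if e["result"] == "Failed"]
        if not failed:
            continue
        span = failed[-1]["ts"] - failed[0]["ts"]
        hosts = sorted({e["host"] for e in failed})
        if len(hosts) >= min_hosts and span <= window:
            findings[src] = {
                "hosts": hosts,
                "failed": len(failed),
                "later_success": any(e["result"] == "Accepted" for e in evs
                                     if e["ts"] > failed[0]["ts"]),
            }
    return findings


if __name__ == "__main__":
    for src, finding in correlate_sources(parse_events(SAMPLE_LOGS)).items():
        print(src, finding)
```

On the constructed input only 203.0.113.7 is flagged: its three failures on db01 and web01 fall within four seconds once web01's UTC+2 timestamps are normalised, and a later accepted login from the same address is recorded. Without the time-zone normalisation the web01 events would sort two hours later and the window check would miss the cluster, which is the practical reason the guide lists clock synchronisation next to event correlation.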
Community vote distribution: A (35%), C (25%), B (20%), Other