D. Eradication
From NIST SP 800-61r2, Section 3.3.4
"During eradication, it is important to identify all affected hosts within the organization so that they can be remediated."
"D" is correct
3.3.3 Identifying the Attacking Hosts
During incident handling, system owners and others sometimes want to or need to identify the attacking host or hosts. Although this information can be important, incident handlers should generally stay focused on containment, eradication, and recovery.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Not really... the question is asking about the attacked hosts, not the attacking host. The explanation below from examcol is correct:
The correct answer is A. detection and analysis.
Based on https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
3.2 Detection and Analysis > 3.2.4 Incident Analysis
"When the team believes that an incident has occurred, the team should rapidly perform an initial analysis to determine the incident’s scope, such as which networks, systems, or applications are affected..."
A. detection and analysis
In the incident response process, the step that includes identifying all hosts affected by an attack is typically part of the "detection and analysis" phase. During this phase, security teams analyze the detected incident, assess the scope of the attack, and work to identify all systems and hosts that may have been affected. This step is crucial for understanding the extent of the incident and planning the appropriate response actions.
As siriously5000 mentioned, this question is literally taken from the NIST document:
"During eradication, it is important to identify all affected hosts within the organization so that they can be remediated"
Detection and Analysis
- An incident response analyst is responsible for collecting and analyzing data to find any clues to help identify the source of an attack.
- In this step, analysts identify the nature of the attack and its impact on systems.
- The business and the security professionals it works with utilize the tools and indicators of compromise (IOCs) that have been developed to track the attacked systems.
https://eccouncil.org/cybersecurity-exchange/incident-handling/what-is-incident-response-life-cycle/
From a SOC Analyst's POV, when IOCs are detected, you'll naturally want to know how many endpoints are affected and "what are the affected endpoints or hosts".
Incident handling is the process of detecting and analyzing incidents and limiting the incident’s effect. For example, if an attacker breaks into a system through the Internet, the incident handling process should detect the security breach. Incident handlers will then analyze the data and determine how serious the attack is. The incident will be prioritized, and the incident handlers will take action to ensure that the progress of the incident is halted and that the affected systems return to normal operation as soon as possible.
The correct answer is A, detection and analysis.
The detection and analysis phase of an incident response process involves identifying and confirming the presence of a security incident. This includes identifying all hosts that may have been affected by the attack.
During this phase, incident responders collect and analyze information about the incident, such as network traffic, system logs, and other data, to determine the nature and scope of the incident. This information is used to develop an initial understanding of the incident, including which hosts have been affected.
D. containment, eradication, and recovery is correct.
Module 28.4.7 After containment, the first step to eradication is identifying all of the hosts that need remediation. All of the effects of the security incident must be eliminated.
It's A. Detection and analysis --> and keep in mind this is before CONTAINMENT; you have to analyze first what happened before you even know how to contain ....
Analysis: The incident response team should work quickly to analyze and validate each incident, following a predefined process and documenting each step that is taken. When the team believes that an incident has occurred, the team should rapidly perform an initial analysis to determine the scope of the incident.
The initial analysis may include:
Which networks, systems, or applications are affected?
Who or what originated the incident?
Which tools or attack methods are being used?
Which vulnerabilities are being exploited?
The correct answer is D
The response phase, or containment, of incident response, is the point at which the incident response team begins interacting with affected systems and attempts to keep further damage from occurring as a result of the incident.
I think "D" is correct, because the Detection and Analysis step deals with identifying the threat/malicious activity (who, how, what), while the Containment step should define the scope of the incident.
And actually the question was "identifying ALL hosts affected by an attack"
Correcting myself: "A" - because of the examcol answer.