Which of the following incident response phases should the proper collection of the detected IoCs and establishment of a chain of custody be performed before?
Yeah, even as a native English speaker this was hard; I can't imagine it for others. I actually switched it around mentally to say "Which phase is after {all that stuff}". Made it a little easier.
Question rephrased to comprehend it: Which of the following incident response phases should be performed after properly collecting the detected IoCs and establishing a chain of custody?
Proper collection of IOCs (indicators of compromise) and a chain of custody are done in the 3rd step of an incident response.
These are the phases in order:
Prepare > Identify > Contain > Eradicate > Recover > Review
The answer is A. The next step after identifying a security incident is to contain the attack and prevent it from spreading!
Before containment (the answer), the identification phase should establish the collection of indicators of compromise along with chain of custody. I'm going with A because of the fact that they said "BEFORE" collection. CompTIA is really terrible for trying to trick people instead of allowing them to show knowledge of the study.
The proper collection of Indicators of Compromise (IoCs) and the establishment of a chain of custody typically occur during the identification phase of incident response. During this phase, security teams detect and verify potential security incidents, gather evidence, and classify the incident based on its severity and impact. Containment, on the other hand, focuses on preventing further spread of the incident and minimizing its impact on the organization's systems and data.
Tricky question. I thought it was (B) Identification initially, but was wrong. Read carefully and you will get it.
You cannot collect and establish anything before Identifying it, can you?
Identify -> *collection and establishment Happens Here* -> Containment -> Eradication -> Recovery -> Lessons Learned.
The collection of IOCs (Indicators of Compromise) and establishment of chain of custody are part of the Detection and Analysis phase of the incident response process. In this phase, an organization detects and analyzes the incident to determine its scope, impact, and root cause. The collection of IOCs is a critical step in identifying the nature of the incident and determining the appropriate response. The establishment of chain of custody is also important to ensure that evidence is properly preserved and can be used in legal proceedings if necessary.
Collecting IoCs and establishing a chain of custody is an essential step in the “Identification” phase of incident response. It involves gathering evidence and information about the incident, which is crucial for understanding the nature and scope of the security breach. Once this data has been collected and properly handled, the “Containment” phase follows to prevent further damage and mitigate the incident.
Kinda dumb because it happens before recovery as well. The way I thought about the question is obviously the latest step happens after this, so might as well choose that. And I'm pretty sure it's correct, but CompTIA wants you to pick the step that happens immediately after, yet they are too lazy to properly specify that in their wording.
Establishing a proper chain of custody for the collected evidence is crucial for the preservation of its integrity and admissibility in potential legal proceedings. Therefore, it is necessary to collect and maintain the evidence in a controlled and secure environment, ensuring that it remains unaltered and tamper-proof. This process should occur before the containment phase, where the security team isolates and limits the scope of the incident to prevent further damage or compromise to the systems or data.
The keyword here is the word "before": the collection of IoCs and establishment of chain of custody typically occurs during the identification phase, which is before the containment phase.
The proper collection of the detected IoCs and establishment of a chain of custody should be performed before the Containment phase of the incident response process. During the Containment phase, the goal is to prevent further damage or loss by isolating affected systems and preventing the spread of the incident. Proper collection of evidence and establishment of a chain of custody are important steps to ensure that any evidence collected during the incident response process is admissible in legal proceedings.
The wording is vicious on this one,
-A containment
The proper collection of the detected IoCs and establishment of a chain of custody should be performed before the Containment phase in incident response.
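Several comments above stress that evidence must stay "unaltered and tamper-proof" from identification onward. As an added illustration (not part of the thread or any CompTIA material), here is a small tamper-evident chain-of-custody ledger: the evidence is hashed at acquisition, every hand-off re-hashes it, and each log entry commits to the previous entry's digest so the log itself cannot be quietly edited. The evidence bytes and handler names are constructed sample values.

```python
"""Tamper-evident chain-of-custody ledger for collected IoC evidence.
Added example; evidence bytes and handler names are constructed."""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLedger:
    """Append-only log. Each entry includes the hash of the previous entry,
    so altering or dropping any past entry breaks verify()."""

    def __init__(self, evidence: bytes, collector: str, description: str):
        self.evidence_hash = sha256_hex(evidence)  # fixed at acquisition
        self.entries = []
        self._append("acquired", collector, description)

    def _append(self, action: str, handler: str, note: str = "") -> None:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries),
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "handler": handler,
            "note": note,
            "evidence_hash": self.evidence_hash,
            "prev_hash": prev,
        }
        body = json.dumps(entry, sort_keys=True).encode()
        entry["entry_hash"] = sha256_hex(body)  # commits to all fields above
        self.entries.append(entry)

    def transfer(self, from_handler: str, to_handler: str, evidence: bytes):
        # Receiving custodian re-hashes the artefact; a mismatch means it
        # changed while in the previous custodian's hands, so refuse it.
        if sha256_hex(evidence) != self.evidence_hash:
            raise ValueError("evidence digest mismatch at transfer")
        self._append("transfer", to_handler, f"from {from_handler}")

    def verify(self) -> bool:
        """Recompute every entry hash and check the back-links are intact."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            fields = {k: v for k, v in e.items() if k != "entry_hash"}
            digest = sha256_hex(json.dumps(fields, sort_keys=True).encode())
            if (e["seq"] != i or e["prev_hash"] != prev
                    or e["evidence_hash"] != self.evidence_hash
                    or digest != e["entry_hash"]):
                return False
            prev = e["entry_hash"]
        return True
```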