6 STEPS OF INCIDENT RESPONSE
Preparation
Detection & Identification
Containment
Remediation
Recovery
Lessons Learned (Documentation)
Ergo, from the available options being presented, Recovery is the next step...
The diagram at this link helps illustrate what mad is explaining.
After Detection, Containment, Eradication and Recovery are really all grouped together as the "next step".
https://www.infocyte.com/blog/2019/10/02/ir-planning-the-critical-6-steps-of-cyber-security-incident-response/
Another case of CompTIA's moronic wording of questions. Seriously, after identifying the problem, we need to identify it? I get that it's the first step, but the way they have worded this deliberately implies that the identification phase is already complete. This is why I am always nervous to take CompTIA exams. It's not the content, it's the trick questions.
Identification is correct. The phases of incident response are: Prepare, Identification, Containment, Eradicate, Recovery and Lessons Learned.
The process was to be initiated. Preparation is as straightforward as having a trained team/someone to respond, which is the analyst in this case, so the next phase will be Identification, which may include identifying the depth of the breach.
These questions are so idiotically worded. It specifically says this should be the next step AFTER IDENTIFICATION of a problem, and then the answer is identification and not recovery?!? C'mon man
I don't really like the way this question is formulated. "After an identified security breach," is stated in the beginning, which implies to me that the identify step has already occurred. However, the answer is A. because they want you to show that you understand the steps. I think it's not clear what they want, and selecting A. is redundant even if it is correct.
My Gibson book is on page 493 ... the first step in the incident response process is preparation. After identifying the incident, personnel attempt to contain or isolate the problem.
You have A breach... now determine the EXACT type of breach!! Is it an APT? Is it malware... you MUST determine the EXACT type of breach.... If I am arrested for a felony, don't you need to identify exactly what I did? Probably took Twisted Tea to the head of some exam prepper for missing obvious easy questions...
This is exactly what the test is all about: word salad to trip you up and make you doubt yourself. The IR process hasn't been initiated yet; on the test it'll be identification. Really wish these questions went through more scrutiny.
Although the question might seem to be worded terribly, it is a typical CompTIA question whose aim is to confuse. However, the question stated clearly that the analyst was tasked to INITIATE the IR process. The keyword here is INITIATE. It never said the analyst identified the breach. Someone else might have identified the breach, but when the task is assigned to the analyst, following the IR process, the next step for the analyst would be IDENTIFICATION. From the moment you become aware that an incident has occurred, it's important to answer a few crucial questions before doing anything else. What kind of incident has occurred? Has any data been leaked or lost? What is the level of severity? This will help you choose the best course of action according to your incident response process. The main emphasis of this phase is on detecting and reporting any potential security threats. So the answer is correct!
https://resources.infosecinstitute.com/category/certifications-training/securityplus/sec-domains/risk-management-in-security/incident-response-procedures/#:~:text=Incident%20response%20is%20not%20a,cover%20the%20following%20six%20steps.
In an organization, when an incident is suspected or even identified and then an analyst is asked to carry out the IR process, he will have to start all over by himself to confirm that there truly is an incident, and what to do next after receiving the information is to get prepared. This question simply indicates that information was passed across to him to act on. So getting prepared is the next step to take.
The fact that it says "initiate the IR plan" should mean that it is starting it. Identifying a breach doesn't mean you have identified the issue, just that you know something happened.