A security analyst notices anomalous activity coming from several workstations in the organization. Upon identifying and containing the issue, which of the following should the security analyst do NEXT?
A. Document and lock the workstations in a secure area to establish chain of custody
B. Notify the IT department that the workstations are to be reimaged and the data restored for reuse
C. Notify the IT department that the workstations may be reconnected to the network for the users to continue working
D. Document findings and processes in the after-action and lessons learned report
D is correct. The key term here is "A security analyst notices anomalous activity". Please note that not every anomalous activity needs recovery; it all depends on the impact. Since the issue is already contained, what comes next is simply documentation.
The third phase is "Containment, Eradication, and RECOVERY" - we should not ASSUME that recovery may not be needed. It's not indicated at all by the question.
This whole exam is literally the worst thing to ever happen to me. I read one thing, then the answer says another. It's asking what the next step is after identifying and containing, but expects me to know recovery isn't needed because of "anomalous activity". Like, c'mon man, give me a break.
What if the "anomalous" activity were loops from a switch plugged in wrong, or a broadcast storm of ARP requests? Gonna re-image the machines then, after calling the FBI and capturing images? You will be fired! Obvious answer is to document.....
I asked Messer if there were any trick questions on the exam and he said no, but this dump has so many dumb "read the exam writer's mind" questions smh
Questions like this are unfair. Containment means you did something: you isolated or did something to take care of the situation. The next step after doing something is recovery, or restoring the data; lessons learned comes at the very end. Unfair question. CompTIA should simply ask what the next stage after recovery is, or what happens after containment. Stop giving stories, or stop putting answers that could be correct depending on how someone interprets some test writer.
The security analyst wouldn't need to notify the IT department to do anything, since they know what to do, so the next step for that person WOULD be D.
So with this and any other question, can anyone confirm what CompTIA accepts as the correct answer? We all have opinions. I came to this site to validate mine but was unsuccessful.
The question says that the issue was contained, if this was not an incident, then it would not be a containment. This eliminates C and D.
Because this is managed by an analyst, not a forensics investigator, I am inclined to think that the next steps will be those from IR: eradication and recovery = answer B.
I have found an explanation in NIST 800-61 ("after action" is crucial here, I think):

3.2.5 Incident Documentation

An incident response team that suspects that an incident has occurred should immediately start recording all facts regarding the incident. A logbook is an effective and simple medium for this, but laptops, audio recorders, and digital cameras can also serve this purpose. Documenting system events, conversations, and observed changes in files can lead to a more efficient, more systematic, and less error-prone handling of the problem. Every step taken from the time the incident was detected to its final resolution should be documented and timestamped.
I think the answer is A. Everyone may think I'm crazy, but the last thing they did was contain, which is getting the computer off the network. So then what you need to do is eradicate, document, and form a chain of custody so you can try to replay the event to see what happened to the device. Until that happens you cannot do a recovery, or you won't know how to prevent it from happening again.