Exam SY0-501 topic 1 question 157 discussion

Actual exam question from CompTIA's SY0-501
Question #: 157
Topic #: 1

A security analyst notices anomalous activity coming from several workstations in the organization. Upon identifying and containing the issue, which of the following should the security analyst do NEXT?

  • A. Document and lock the workstations in a secure area to establish chain of custody
  • B. Notify the IT department that the workstations are to be reimaged and the data restored for reuse
  • C. Notify the IT department that the workstations may be reconnected to the network for the users to continue working
  • D. Document findings and processes in the after-action and lessons learned report
Suggested Answer: D

Comments

Stefanvangent
Highly Voted 4 years, 7 months ago
This is wrong, the answer should be B. The incident has been contained, so eradication and recovery are next.
upvoted 26 times
Jovo
Highly Voted 4 years, 3 months ago
D is correct; the key term here is "A security analyst notices anomalous activity". Please note that not every anomalous activity needs recovery; it all depends on the impact. Since the issue is already contained, what's next is simply documentation.
upvoted 14 times
MelvinJohn
4 years, 1 month ago
The third phase is "Containment, Eradication, and RECOVERY" - we should not ASSUME that recovery may not be needed. It's not indicated at all by the question.
upvoted 10 times
MagicianRecon
3 years, 10 months ago
It also mentions identify and contain.
upvoted 3 times
MohammadQ
Most Recent 2 years, 9 months ago
This whole exam is literally the worst thing to ever happen to me. I read one thing, then the answers another. It's asking what the next step is after identifying and containing, but expects me to know recovery isn't needed because of "anomalous activity". Like c'mon man, give me a break.
upvoted 3 times
Brittle
2 years, 10 months ago
I go for B
upvoted 1 times
nakres64
3 years, 2 months ago
I think D is correct because this is an "anomaly". We don't need to recover or reimage something.
upvoted 2 times
Miltduhilt
3 years, 2 months ago
A. Document and lock the workstations in a secure area to establish chain of custody, from my CompTIA Security+ SY0-501 book; see pages 615 and 616.
upvoted 3 times
who__cares123456789___
3 years, 3 months ago
What if the "anomalous" activity were loops from a switch plugged in wrong, or a broadcast storm of ARP requests? Gonna re-image the machines then, after calling the FBI and capturing images? You will be fired! The obvious answer is to document...
upvoted 2 times
exiledwl
3 years, 4 months ago
I asked Messer if there were any trick questions on the exam and he said no, but this dump has so many dumb "read the exam writer's mind" questions smh
upvoted 4 times
WillGTechDaily
3 years, 5 months ago
Questions like this are unfair. Containment means you did something: you isolated or did something to take care of the situation. The next step after doing something is recovery, restoring the data; lessons learned comes at the very end. Unfair question. CompTIA should simply ask what the next stage is after recovery or what happens after containment, and stop giving stories or putting in answers that could be correct depending on how someone interprets some test writer.
upvoted 3 times
hellyerc
3 years, 5 months ago
The security analyst wouldn't need to notify the IT department to do anything, since they know what to do, so the next step for that person WOULD be D.
upvoted 1 times
Rongupta
3 years, 6 months ago
Containment is already done as per the question.
upvoted 1 times
ShinyBluePen
3 years, 7 months ago
I guess it's not the analyst's job to work with the IT department. lol, straight ice them out and submit his report.
upvoted 2 times
evolver
3 years, 7 months ago
So with this and any other question, can anyone confirm what CompTIA accepts as the correct answer? We all have opinions. I came to this site to validate mine but was unsuccessful.
upvoted 2 times
Kudojikuto
3 years, 9 months ago
The question says that the issue was contained; if this was not an incident, then it would not be a containment. This eliminates C and D. Because this is managed by an analyst, not a forensics investigator, I am inclined to think that the next steps will be those from IR: eradication and recovery = answer B.
upvoted 3 times
LukaszL
3 years, 9 months ago
I have found an explanation in NIST 800-61 ("after action" is crucial here, I think):
3.2.5 Incident Documentation: An incident response team that suspects that an incident has occurred should immediately start recording all facts regarding the incident. A logbook is an effective and simple medium for this, but laptops, audio recorders, and digital cameras can also serve this purpose. Documenting system events, conversations, and observed changes in files can lead to a more efficient, more systematic, and less error-prone handling of the problem. Every step taken from the time the incident was detected to its final resolution should be documented and timestamped.
upvoted 2 times
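The NIST passage quoted in the comment above says every step from detection to resolution should be documented and timestamped. A logbook is only worth something later (for the after-action report, or if chain of custody is ever questioned) if entries cannot be quietly changed. The following is an added example of one way to make such a logbook tamper-evident, written for this page; it is not code from ExamTopics, CompTIA or NIST SP 800-61. The phase names follow the 800-61 lifecycle; the record layout, the SHA-256 chaining and the sample incident entries are this example's own assumptions.

```python
"""Hash-chained incident logbook: every step timestamped and tamper-evident.

Added example; not code from ExamTopics, CompTIA or NIST SP 800-61.
The phase names follow the 800-61 lifecycle; the record layout, the SHA-256
chaining and the sample entries below are this example's own assumptions.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional

# Lifecycle phases of NIST SP 800-61 rev. 2, used here only to validate labels.
PHASES = ("preparation", "detection_analysis", "containment",
          "eradication", "recovery", "post_incident")


@dataclass
class Entry:
    seq: int
    timestamp: str     # ISO 8601, UTC
    actor: str
    phase: str
    note: str
    prev_hash: str     # digest of the previous entry (or GENESIS for the first)
    digest: str = ""   # SHA-256 over every other field of this entry

    def compute_digest(self) -> str:
        # Canonical JSON so the same record always hashes the same way.
        body = {k: v for k, v in asdict(self).items() if k != "digest"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class IncidentLog:
    GENESIS = "0" * 64

    def __init__(self, incident_id: str) -> None:
        self.incident_id = incident_id
        self.entries: List[Entry] = []

    def record(self, actor: str, phase: str, note: str,
               timestamp: Optional[str] = None) -> Entry:
        """Append one step; each entry commits to its predecessor's digest."""
        if phase not in PHASES:
            raise ValueError(f"unknown phase: {phase!r}")
        ts = timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds")
        prev = self.entries[-1].digest if self.entries else self.GENESIS
        entry = Entry(seq=len(self.entries), timestamp=ts, actor=actor,
                      phase=phase, note=note, prev_hash=prev)
        entry.digest = entry.compute_digest()
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return the seq of the first inconsistent entry, or None if intact.

        Editing a note without recomputing its digest fails the digest check;
        recomputing the digest instead breaks the next entry's prev_hash link,
        so the alteration is still reported (one entry later).
        """
        prev = self.GENESIS
        for entry in self.entries:
            if entry.prev_hash != prev or entry.digest != entry.compute_digest():
                return entry.seq
            prev = entry.digest
        return None

    def phases_seen(self) -> List[str]:
        return [e.phase for e in self.entries]


def build_sample_log() -> IncidentLog:
    """Constructed sample entries for a hypothetical incident (not a real case)."""
    log = IncidentLog("INC-0001")  # hypothetical identifier
    log.record("analyst", "detection_analysis",
               "Anomalous outbound traffic from several workstations",
               "2024-01-15T09:02:00+00:00")
    log.record("analyst", "containment",
               "Isolated affected workstations from the network",
               "2024-01-15T09:40:00+00:00")
    log.record("analyst", "eradication",
               "Root cause identified; IT notified to reimage hosts",
               "2024-01-15T13:10:00+00:00")
    log.record("it_ops", "recovery",
               "Hosts reimaged, data restored, reconnected to the network",
               "2024-01-16T08:30:00+00:00")
    log.record("analyst", "post_incident",
               "Findings entered in the after-action / lessons-learned report",
               "2024-01-17T10:00:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify() is None)
    log.entries[1].note = "Workstations were never isolated"  # tamper with a record
    print("first bad entry:", log.verify())
```

The chain only proves that entries were not altered after the fact by someone who could not rebuild the whole file; anyone who can rewrite every entry can recompute every digest. For the chain to carry weight as chain-of-custody evidence, periodically anchor the newest digest somewhere the log's editors cannot reach (a signed message, WORM storage, or a line written in a physical notebook), so that a rebuilt chain no longer matches the anchored value.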
TeeTime87
3 years, 10 months ago
I think the answer is A. Everyone may think I'm crazy, but the last thing they did was contain, which is getting the computer off the network, so then what you need is to eradicate and document and form a chain of custody so you can try to replay the event to see what happened to the device. Until that happens you cannot do a recovery, or you won't know how to prevent it from happening again.
upvoted 2 times
michaelcook80
3 years, 10 months ago
No, it is D. I learned that in the CERTBOLT program I am also using.
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other