Exam CS0-002 topic 1 question 32 discussion

I think initiating an IR plan will be the best, because the employee might be an insider threat or maybe he might be using it for other reasons. Approaching him without first knowing his intent will be a bad idea.

Read the question everyone. There’s been a security breach, there’s already an ongoing investigation, the only correct option is A. The activity is being conducted during non-business hours, that alone is a policy violation. Not D. Not B either because there’s already an ongoing investigation. The next step is to contain.

B. Initiate the incident response plan.

As someone who works in a SOC environment, the first thing you do after seeing a user related suspicious behavior is reach out to the user first. Answer is D.

FOLLOWING a recent security breach, meaning that breach has already been dealt with. They are investigating potential issues after already resolving the incident, finding a suspicious privileged account should initiate the incident response process. It's absolutely NOT D since it could be an insider threat. A could also be a bad choice since you would immediately alert the attacker.

I spent too much time reviewing this question but hear me out.... It sounds like D is the answer. Its a tricky worded question. "FOLLOWING a recent security breach (it doesnt say during) ...a company decides to INVESTIGATE account usage... " IRP should not be implemented because there is no proof this is a actual breach thus it should be investigated (as said in the question) "Review the activity with the user." to find out more information before going in to IRP. The account should not be disabled before investigating.

Probably answer will be disabling the account but at first I will review logs to get more info about this activity then I will disable it

what sucks is that it doesn't say a PRIV account was consistently accessed in the middle of the night...

initiate incident repose plan. it might include reviewing with the account user or disabling the account.

best option

B seems to be the best answer. Follow the IRP/SOP and get more eyes on this.

Passed CS0-003 last week (757), this question was on it! 69 questions, 3 PBQ/SIMs. 25 questions that are in the first 200 questions of this board.

Read Below - An Incident Response Plan is a written document, formally approved by the senior leadership team, that helps your organization before, during, and after a confirmed or suspected security incident. Your IRP will clarify roles and responsibilities and will provide guidance on key activities. It should also include a cybersecurity list of key people who may be needed during a crisis.

I won't do any action without conducting further investigation.

Reviewing the activity with the user is part of the incident response, disabling the account is not a good option as the activity might have been legitimate. HR is not an option at this point.

D - Disabling the privileged account or initiating the incident response plan without further investigation could be an overreaction and may cause unnecessary disruption to business processes. Reporting the discrepancy to human resources may be necessary at some point, but it should not be the first immediate action. The next step should be to review the activity with the user to determine if there is a legitimate reason for accessing the account during non-business hours. This conversation can provide further insight into the situation and help the security analyst determine if any malicious activity or policy violations have occurred. Based on the outcome of the conversation, the analyst can then take appropriate actions such as escalating the issue or disabling the account.

I believe the answer is A because the company has a recent security breach, it make sense here that incident response is still on-going. We tend to isolate or contain it first for checking.