A is correct. This training can help CSIRT to know whether to trigger IR mechanisms and reduce instances of false alerts. With B - I don't really see why giving the IT team access can be beneficial, as this could very likely violate the least privilege principle.
Any change after a compromise may not be possible. Only way to guarantee full access would be to modify beforehand. Then you would violate principle of least privilege.
People who answered B
B. Modify access so the IT team has full access to the compromised assets.----> how do you know which are the compromised before they are compromised? The answer is A
Why do so many put so much faith in a human fed machine that learns by our own code that we teach it to learn from? The data sets used to educate an AI are literally fed by humans. Why would we put all faith in such a concept? It is cool and all and can help with my sports bets, but I cannot bargain my 380$ for ChatGPT, BARD or any other AI's opinions. Because in essence, AI, as a Deep/Machine Learning model only knows what we 'INSTRUCT' it to. From that instruction comes opinion and argument. Try it, they will argue with you. We can feed it all the data in the world but the MACHINE that LEARNS (which is coded by humans) has limits.
https://fortune.com/2023/07/19/chatgpt-accuracy-stanford-study/
The correct answer is A. Train the team to identify the difference between events and incidents.
Explanation:
- A well-prepared incident response process involves properly identifying and handling security events and incidents. Training the team to distinguish between events (normal activities that do not pose a security threat) and incidents (actual security breaches or potential threats) is crucial. This helps ensure that the team can focus on the real security incidents and respond effectively.
Why it's not B according to ChatGPT:
- Option B, modifying access so the IT team has full access to the compromised assets, is not a recommended action as it may lead to a conflict of interest and hinder proper investigation and containment. It is important to maintain the principle of least privilege and involve specialized incident response personnel.
Improving the incident response process involves various actions, but one recommended step is to train the team to differentiate between events and incidents. This training helps the team understand that not every event is necessarily an incident that requires immediate response and investigation. By being able to identify and classify events correctly, the team can focus their efforts on addressing actual incidents that pose a threat to the organization's security.
An event is defined as an attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.
An incident is defined as a breach of a system's security policy in order to affect its integrity or availability and/or the unauthorised access or attempted access to a system or systems.
The Preparation (initial phase) involves ensuring the correct data events are being logged, the reporting of potential incidents is happening, and personnel training. Nothing in B, C and D is referring to that.
Of course the answer is "A", logically speaking, if the "CSIRT" and not "IT" team is trained to differentiate between events and incidents, that would drastically improve their IR process. 🐱🚀🐱💻
Also to add:
Security Incidents Are Events That Produce Consequences
It’s when an event results in a data breach or privacy breach that the event is then deemed a security incident.
For example, a delay in patching a security weakness in vital company software would be an event. It would only be deemed an incident after your security monitoring team confirmed a resulting data breach by hackers who capitalized on the weakness.