A security analyst is reviewing a vulnerability scan report and notes the following finding: As part of the detection and analysis procedures, which of the following should the analyst do NEXT?
A. Patch or reimage the device to complete the recovery.
B. Restart the antivirus's running processes.
C. Isolate the host from the network to prevent exposure.
D. Confirm the workstation's signatures against the most current signatures.
D. Even though having out-of-date signatures is detected here, I would confirm first and then move on. This could be a false positive; the device may not be compromised, so why jump to isolation until we know what is going on?
Dears... As a cyber security analyst, I can tell you the FIRST STEP I will take after finding a vulnerability with 10 as CVSS score is to isolate the reason first, then do any other steps.
Given the high Quality of Detection (QoD) of 97%, it's reasonable to assume that the signature is indeed out of date. In such a case, the most appropriate next step for the security analyst should be Isolating the host from the network. It is a prudent step to prevent potential threats from exploiting the vulnerability caused by the outdated antivirus signature. Once isolated, the analyst can then work on updating the antivirus signatures to address the root cause of the issue.
The analyst is clearly at the step "Detection and analysis" in an Incident Response procedure; the next step in an IR procedure is "Containment".
I was thinking C also, but it's a vulnerability, not a compromise, so you might not need to isolate right away, and as midouban86 stated, "As part of the detection and analysis procedures".
This question looks so confusing, but it is clear now. The question says "As part of the detection and analysis procedures". That means we should analyse those steps under the IR Detection and Analysis step. Then answer D comes to be the right answer.
Note that answer "C" is part of the next step of IR: Eradication and Containment.
The answer is defo C. When you find a host on the network that has little or no AV protection, your first action is to isolate and then next resolve, so D would be the second action.
As part of the detection and analysis procedures, which of the following should the analyst do NEXT? Detection and analysis procedures means verifying the threat.
D. Confirm the workstation's signatures against the most current signatures.
I agree you are still in the "detection and analysis" phase, but for me it's still C.
Why? Because the Severity is 10.0 and the QoD score is 97%!!!! For those unaware, 10 is as high as severity goes, and I won't patronize you with how high the % can go.
Do you really think you're taking chances with that? Not for me. Get that laptop isolated ASAP.
D: if you isolate a system every time (C) just because the antivirus data is out of date, which is not even 100% certain, you have nothing else to do on your job. Confirm the problem and then restart the update procedure.
Guys, look up the NIST framework for an incident response plan.
Step 2 is detection and analysis, which means verifying the threat.
Step 3 is eradication and CONTAINMENT, which would be C if we are talking about isolation.
This is D.
Detection and analysis
The detection and analysis phase is where the action begins to happen in our incident response process. In this phase, we will detect the occurrence of an issue and decide whether or not it is actually an incident so that we can respond to it appropriately.
https://www.sciencedirect.com/topics/computer-science/incident-response-process#:~:text=The%20detection%20and%20analysis%20phase%20is%20where%20the,so%20that%20we%20can%20respond%20to%20it%20appropriately.
WTF. ESLs need some reading comprehension.
"Confirm the workstation's signatures against the most current signatures." This is heavily implied as "confirming the workstation's (anti-virus') database of signatures against the most current database of (anti-virus) signatures"