Exam SC-100 topic 4 question 21 discussion

looks ok. https://learn.microsoft.com/en-us/security/compass/incident-response-playbook-dart-ransomware-approach

got this in exam 6oct23. passed with 896 marks. I answered AS PER GIVEN ANSWER

looks logical

1. Assess the current situation and identify the scope. 2. Identify which LOB apps are unavailable due to a ransomware incident. 3. Identify the compromise recovery process. https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-dart-ransomware-approach#the-dart-approach-to-conducting-ransomware-incident-investigations The following are three key steps in DART ransomware investigations: 1. Assess the current situation 2. Identify the affected line-of-business (LOB) apps 3. Determine the compromise recovery (CR) process

I prefer 4 , 1 , 3 also. Regarding the alternative sequence of 4, 1, and 2, while identifying the compromise recovery process is an important step, it may not be the most urgent or critical one, especially if the scope of the incident and the impacted LOB applications are not yet known. Therefore, it is more effective to prioritize identifying the scope and impacted LOB applications first, and then move on to identifying the compromise recovery process and implementing measures to reduce the risk of privileged access compromise. A comprehensive and proactive approach to cybersecurity is essential to prevent and mitigate the impact of cyber incidents. This includes adopting best practices and following established incident response procedures, continuously monitoring systems and networks for potential threats, and regularly reviewing and updating security policies and procedures to adapt to changing threats and circumstances

ChatGTP: The recommended plan to investigate ransomware incidents based on the Microsoft Detection and Response Team (DART) approach, in the correct sequence, is as follows: Assess the current situation and identify the scope: This step involves identifying which systems have been impacted and the extent of the damage caused by the ransomware attack. Identify which line-of-business (LOB) apps are unavailable due to a ransomware process: This step involves identifying which LOB apps are affected by the ransomware attack and determining the impact on business operations. Implement a comprehensive strategy to reduce the risk of privileged access compromise: This step involves implementing security best practices to prevent future ransomware attacks, such as limiting privileged access and enforcing multi-factor authentication.

correct, https://learn.microsoft.com/en-us/security/compass/incident-response-playbook-dart-ransomware-approach#the-dart-approach-to-conducting-ransomware-incident-investigations