Which is the FIRST action the Incident Response team should take when an incident is suspected?
When an incident is suspected, the first action the Incident Response team should take is to record all facts regarding the suspected incident. This step is crucial for documentation and helps in assessing and confirming the incident. Accurate records ensure that appropriate and systematic steps can be taken afterward, such as containment, analysis, and further response actions. Proper documentation also facilitates future reference and lessons learned from the incident.
B. Record all facts regarding the incident. When the incident is suspected, you want to record all facts to help confirm whether it becomes an actual incident. Once it is confirmed as an actual incident, containment is the next course of action.
The incident is suspected. It needs confirmation (B), and no action yet (C).
Containment is the first priority when responding to an incident. The incident response team must act quickly to contain the incident, limit the damage and prevent further spread. After the incident is contained, the team can begin to gather information and assess the situation. They can then identify the attacker, record all facts, and notify management as appropriate. But the immediate priority is to contain the incident.
B. An incident response team that suspects that an incident has occurred should immediately start recording all facts regarding the incident. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
First step is to validate the incident
B is correct
B seems a bit off because of the "record all facts"; it should say "record all known facts". So it almost seems like it would be at the end when you know "all" facts. When you get an incident call you log it in the ticketing system first, so that's the start. I did some research and verified: step 2 "Detection & Analysis" states "Incident documentation: If the signal proves valid, the IR team must begin documenting all facts in relation to the incident and continue logging all actions taken throughout the process." Containment is step #3. https://www.crowdstrike.com/cybersecurity-101/incident-response/incident-response-steps/
First B, then D. They belong to the response stage. The next stage is Mitigation, which is A.
haha so many people blindly picking B and not reading the question. It's NOT B and it's NOT validate the incident. If the IR team has been activated, it's already been decided that it's an incident. Incident Response is Detect --> Respond --> Mitigate (contain) --> Report --> Remediate --> etc.
Answer is B. The incident is suspected and the IR team is engaged, which means it's major, and the next step would be Response, which is not a choice here. Then Mitigate (or Containment Strategy), which is B.