Whack-a-mole in incident response describes which scenario?

Multiple Choice

Explanation:

Whack-a-mole describes a pattern where incident responders chase one indicator or symptom after another across the environment, removing one malicious instance only to see another appear elsewhere. This leads to reactive firefighting that doesn't address the attacker's footholds or persistence, so despite lots of activity there's little overall progress. You're effectively reacting to alerts, isolating or removing artifacts one at a time, and never closing the underlying access paths the attacker uses, which allows them to re-enter or re-establish footholds.

In practice, you see scattered containment actions without a coordinated eradication plan, missed persistence mechanisms, and repeated cycles of reinfection or recurring access. To avoid this, the focus shifts to targeted containment and eradication tied to a deliberate plan that closes persistence paths and neutralizes the attacker across the kill chain.

The other descriptions don't fit: attackers leaving no traces is unrealistic; rigorous threat hunting before investigation describes a proactive approach rather than episodic chasing; and a diligent, methodical containment strategy implies structured, preventive work rather than repetitive, reactive firefighting.
