Where is the bulk of the incident response time spent?

Multiple Choice

Where is the bulk of the incident response time spent?

Explanation:
The most time is spent during containment paired with building the attacker profile (intelligence development). Once an incident is detected, the priority is to stop the attacker from moving laterally or exfiltrating data, which requires rapid, coordinated actions across networks and systems—isolating affected hosts, cutting off C2 channels, revoking compromised credentials, and tightening segmentation. This work is often large in scope and highly collaboration-intensive, meaning it can span many systems and teams, driving a substantial portion of the response timeline. At the same time, intelligence development—collecting artifacts, logs, IOCs, and attacker techniques to understand scope and methods—must proceed to guide containment and to prevent re-entry, and this analysis is iterative and time-consuming as you validate findings across the environment. After containment and a solid understanding of the attack, eradication and recovery steps follow, but they typically hinge on the groundwork already laid during the containment/intelligence phase. Discovery starts the process but, in complex incidents, the heavy lifting occurs in containment and intelligence work.
