Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) — Question 222

An engineer is working on a ticket for an incident from the incident management team. A week ago, an external web application was targeted by a DDoS attack. Server resources were exhausted and after two hours, it crashed. An engineer was able to identify the attacker and technique used. Three hours after the attack, the server was restored and the engineer recommended implementing mitigation by Blackhole filtering and transferred the incident ticket back to the IR team. According to NIST.SP800-61, at which phase of the incident response did the engineer finish work?

Answer options

• A. post-incident activity
• B. preparation
• C. detection and analysis
• D. containment, eradication, and recovery

Correct answer: D

Explanation

The correct answer is D because the engineer's actions of restoring the server and recommending mitigation techniques fall under the containment, eradication, and recovery phase. Options A, B, and C do not apply as they refer to different stages of incident response where either preparation, initial detection, or post-incident evaluations occur, which were not the focus of the engineer's completed work.