Conducting Forensic Analysis and Incident Response Using Cisco Technologies (CBRFIR) — Question 5
An incident response team is recommending changes after analyzing a recent compromise in which:
✑ a large number of events and logs were involved;
✑ team members were not able to identify the anomalous behavior and escalate it in a timely manner;
✑ several network systems were affected as a result of the latency in detection;
✑ security engineers were able to mitigate the threat and bring systems back to a stable state; and
✑ the issue reoccurred shortly after and systems became unstable again because the correct information was not gathered during the initial identification phase.
Which two recommendations should be made for improving the incident response process? (Choose two.)
Answer options
- A. Formalize reporting requirements and responsibilities to update management and internal stakeholders throughout the incident-handling process effectively.
- B. Improve the mitigation phase to ensure causes can be quickly identified, and systems returned to a functioning state.
- C. Implement an automated operation to pull systems events/logs and bring them into an organizational context.
- D. Allocate additional resources for the containment phase to stabilize systems in a timely manner and reduce an attack's breadth.
- E. Modify the incident handling playbook and checklist to ensure alignment and agreement on roles, responsibilities, and steps before an incident occurs.
Correct answer: C, E
Explanation
C and E each address one of the two failures the scenario describes. The team could not identify the anomalous behavior because it was buried in a large volume of events and logs, and the resulting detection latency let the compromise spread to several network systems. Automatically collecting events from across the environment and placing them in organizational context (which asset is involved, who owns it, how critical it is, and what else the same actor touched) is what lets an analyst notice and escalate the activity in time, which is option C. The issue then recurred because the correct information was not gathered during the initial identification phase. A playbook and checklist agreed on before an incident fixes what each role must collect and preserve at each step, so the next identification phase captures the evidence needed to find the root cause rather than only the symptoms, which is option E.

Option A concerns status reporting to management and stakeholders, which the scenario never lists as a failure. Options B and D add effort to the mitigation and containment phases, but those phases worked: the security engineers mitigated the threat and returned systems to a stable state. The breakdown was in detection and identification, so more containment resources would not have prevented the recurrence.
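As an added illustration of what option C means in practice (example code written for this page, not from Cisco or the exam), the script below normalizes log lines from three sources into one schema, enriches each event with an asset inventory (name, owner, criticality), and correlates by actor inside a five-minute window. The escalation record it produces already carries the context an analyst needs to notify owners and to list the hosts whose evidence must be preserved during identification. Every host, IP address, log line, threshold, and rule name here is constructed for the example and is not real data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three sources (hypothetical hosts and IPs).
RAW_LOGS = [
    ("auth",     '2024-03-11T02:14:05Z host=db-01 user=svc_backup result=FAIL src=10.0.5.23'),
    ("auth",     '2024-03-11T02:14:09Z host=db-01 user=svc_backup result=FAIL src=10.0.5.23'),
    ("auth",     '2024-03-11T02:14:12Z host=db-01 user=svc_backup result=SUCCESS src=10.0.5.23'),
    ("firewall", '2024-03-11T02:15:40Z action=ALLOW src=10.0.5.23 dst=10.0.1.10 dport=445'),
    ("firewall", '2024-03-11T02:15:41Z action=ALLOW src=10.0.5.23 dst=10.0.1.11 dport=445'),
    ("syslog",   '2024-03-11T02:16:02Z host=fs-01 msg="new service installed: svchelper"'),
    ("firewall", '2024-03-11T09:00:00Z action=ALLOW src=10.0.7.9 dst=10.0.1.10 dport=443'),
]

# Constructed asset inventory: the organizational context that raw logs lack.
ASSETS = {
    "10.0.5.23": {"name": "ws-finance-17", "owner": "finance",  "criticality": "medium"},
    "10.0.1.10": {"name": "db-01",         "owner": "platform", "criticality": "high"},
    "10.0.1.11": {"name": "fs-01",         "owner": "platform", "criticality": "high"},
    "10.0.7.9":  {"name": "ws-hr-03",      "owner": "hr",       "criticality": "low"},
}
HOST_TO_IP = {v["name"]: k for k, v in ASSETS.items()}
UNKNOWN = {"name": "unknown", "owner": "unknown", "criticality": "unknown"}

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def normalize(source, line):
    """Parse one raw line into a common schema: ts, source, asset_ip, asset, fields."""
    ts_str, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    # The asset an event is about: the host for auth/syslog, the destination for firewall.
    asset_ip = fields.get("dst") if source == "firewall" else HOST_TO_IP.get(fields.get("host"))
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "source": source,
        "asset_ip": asset_ip,
        "asset": ASSETS.get(asset_ip, UNKNOWN),   # enrichment with inventory data
        "fields": fields,
    }


def build_timeline(raw_logs):
    """Normalize and enrich every line, then order the result as one timeline."""
    return sorted((normalize(s, l) for s, l in raw_logs), key=lambda e: e["ts"])


def find_escalations(events, window=timedelta(minutes=5)):
    """Group events by actor (logged src IP, or the asset itself when no src exists).

    Escalate when, inside one window, an actor shows failed-then-successful auth,
    or touches two or more high-criticality assets across two or more log sources.
    The record carries owners to notify and the hosts whose evidence must be preserved.
    """
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["fields"].get("src") or e["asset_ip"]].append(e)

    escalations = []
    for actor, evs in by_actor.items():
        for i, start in enumerate(evs):
            burst = [x for x in evs[i:] if x["ts"] - start["ts"] <= window]
            high = [x["asset"] for x in burst if x["asset"]["criticality"] == "high"]
            sources = {x["source"] for x in burst}
            results = {x["fields"].get("result") for x in burst if x["source"] == "auth"}
            reasons = []
            if {"FAIL", "SUCCESS"} <= results:
                reasons.append("credential_guessing")
            if len({a["name"] for a in high}) >= 2 and len(sources) >= 2:
                reasons.append("lateral_movement_to_critical_assets")
            if reasons:
                escalations.append({
                    "actor": actor,
                    "actor_asset": ASSETS.get(actor, UNKNOWN)["name"],
                    "assets_touched": sorted({a["name"] for a in high}),
                    "owners_to_notify": sorted({a["owner"] for a in high}),
                    "sources": sorted(sources),
                    "first_seen": burst[0]["ts"].isoformat(),
                    "last_seen": burst[-1]["ts"].isoformat(),
                    "reasons": reasons,
                })
                break  # one escalation per actor is enough for the analyst queue
    return escalations


if __name__ == "__main__":
    for esc in find_escalations(build_timeline(RAW_LOGS)):
        print(esc)
```

Run stand-alone, the script escalates a single actor: the finance workstation that guessed a service-account password on db-01 and then reached two high-criticality servers over SMB within two minutes. The record names the owning team and the hosts to image before remediation, which is exactly the information the scenario says was missing from the initial identification phase.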