Performing CyberOps Using Cisco Security Technologies (CBRCOR) — Question 5
A payroll administrator noticed unexpected changes within a piece of software and reported the incident to the incident response team. Which actions should be taken at this step in the incident response workflow?
Answer options
- A. Classify the criticality of the information, research the attacker's motives, and identify missing patches
- B. Determine the damage to the business, extract reports, and save evidence according to a chain of custody
- C. Classify the attack vector, understand the scope of the event, and identify the vulnerabilities being exploited
- D. Determine the attack surface, evaluate the risks involved, and communicate the incident according to the escalation plan
Correct answer: C
Explanation
Option C is correct: classifying the attack vector, understanding the scope of the event, and identifying the vulnerabilities being exploited are crucial for addressing the incident effectively. Options A and B focus on other aspects, such as the attacker's motives and evidence preservation, which are not immediate steps in this phase. Option D covers evaluating risks and communicating the incident, which is also not the primary concern at this stage.