CompTIA CASP+ (CAS-003) — Question 145

The SOC is reviewing processes and procedures after a recent incident. The review indicates it took more than 30 minutes to determine that quarantining an infected host was the best course of action. This allowed the malware to spread to additional hosts before it was contained. Which of the following would BEST to improve the incident response process?

Answer options

• A. Updating the playbook with better decision points
• B. Dividing the network into trusted and untrusted zones
• C. Providing additional end-user training on acceptable use
• D. Implementing manual quarantining of infected hosts

Correct answer: C

Explanation

Providing additional end-user training on acceptable use is crucial because it empowers users to recognize and report potential threats quickly, thereby reducing response times. Updating the playbook, while beneficial, does not directly involve user awareness. Dividing the network into trusted and untrusted zones enhances security but does not address immediate incident response times. Implementing manual quarantining is less efficient and could prolong response times compared to trained users actively preventing incidents.