CompTIA CASP+ (CAS-004) — Question 403
An incident response team completed recovery from offline backup for several workstations. The workstations were subjected to a ransomware attack after users fell victim to a spear-phishing campaign, despite a robust training program. Which of the following questions should be considered during the lessons-learned phase to most likely reduce the risk of reoccurrence? (Choose two.)
Answer options
- A. Are there opportunities for legal recourse against the originators of the spear-phishing campaign?
- B. What internal and external stakeholders need to be notified of the breach?
- C. Which methods can be implemented to increase speed of offline backup recovery?
- D. What measurable user behaviors were exhibited that contributed to the compromise?
- E. Which technical controls, if implemented, would provide defense when user training fails?
- F. Which user roles are most often targeted by spear-phishing attacks?
Correct answer: D, E
Explanation
The correct answers, D and E, focus on understanding the user behavior that led to the breach and on implementing technical controls that strengthen defenses when training is insufficient. Options A and B, while important for legal and communication purposes, do not directly address the root causes of the incident. Option C is less relevant because it pertains to backup recovery speed rather than to preventing future attacks. Option F identifies which roles are targeted, but it examines neither what failed in this incident nor which control would have stopped it.