CompTIA Security+ (SY0-501) — Question 139

Multiple employees receive an email with a malicious attachment that begins to encrypt their hard drives and mapped shares on their devices when it is opened.
The network and security teams perform the following actions:
✑ Shut down all network shares.
✑ Run an email search identifying all employees who received the malicious message.
✑ Reimage all devices belonging to users who opened the attachment.
Next, the teams want to re-enable the network shares. Which of the following BEST describes this phase of the incident response process?

Answer options

Correct answer: C

Explanation

The correct answer is 'Recovery' because this phase restores systems and services to normal operation once the threat has been contained and removed. In the scenario, shutting down the network shares was a containment step and reimaging the affected devices was eradication, so bringing the shares back online is the recovery phase. The other options do not fit: 'Eradication' refers to removing the threat itself, 'Containment' involves limiting the spread of the incident, and 'Lessons learned' is the post-incident review conducted after recovery.