CompTIA Security+ (SY0-601) — Question 670
Before which of the following incident response phases should the proper collection of the detected IoCs and the establishment of a chain of custody be performed?
Answer options
- A. Containment
- B. Identification
- C. Preparation
- D. Recovery
Correct answer: A
Explanation
The correct answer is A, Containment, because it is essential to collect IoCs and establish a chain of custody before taking actions to limit the spread of an incident. The other phases, such as Identification, Preparation, and Recovery, occur either during or after containment, making them unsuitable for the initial collection of evidence.