FCSS – SOC Analyst 7.4 — Question 5

According to the National Institute of Standards and Technology (NIST) cybersecurity framework, incident handling activities can be divided into phases.
In which incident handling phase do you quarantine a compromised host in order to prevent an adversary from using it as a stepping stone to the next phase of an attack?

Answer options

• A. Containment
• B. Recovery
• C. Analysis
• D. Eradication

Correct answer: A

Explanation

The correct answer is A, Containment, as this phase focuses on limiting the impact of an incident by isolating affected systems. Recovery (B) involves restoring systems to normal operations, Analysis (C) is about understanding the incident, and Eradication (D) refers to removing the threat from the environment.