In the NIST incident response lifecycle, what phase follows Detection & Analysis?


Multiple Choice

In the NIST incident response lifecycle, what phase follows Detection & Analysis?

Explanation:
In the NIST incident response lifecycle, the phase after Detection & Analysis is Containment. This phase focuses on stopping the attacker from doing more harm and limiting the incident's spread while you determine its scope. Practically, containment means isolating affected systems, blocking attacker commands, applying temporary fixes, and preserving evidence so you can investigate later. The goal is to keep the business running as smoothly as possible while you prevent further damage.

After containment, the next steps move toward eradication (removing the attacker's access and artifacts), followed by recovery (restoring systems and services to normal operations), and finally post-incident activity (lessons learned and improvements). If you're wondering why the other options don't fit here: eradication comes after containment, recovery after eradication, and post-incident activity after recovery.
