Which action is a typical step in an incident response runbook?

Enhance your cyber defense skills with the Security Blue Team Level 1 Test. Prepare with flashcards, multiple choice questions, and detailed explanations to ace your exam!

Multiple Choice

Which action is a typical step in an incident response runbook?

Explanation:

The concept being tested is how a runbook sequences containment and evidence collection during an incident. In incident response you first limit the damage and stop the attacker from moving laterally, while preserving the data that lets you reconstruct what happened.

Isolating the affected host from the network is the classic containment step. It stops the threat from spreading to other systems and gives responders room to investigate without interference. Capturing a memory dump is just as important, because RAM holds volatile data (running processes, open network connections, loaded modules and possibly encryption keys) that is lost on reboot and is not captured by a disk image. Two practical caveats follow from this. Isolate at the network layer (EDR containment, a switch port or VLAN change, a firewall rule) rather than powering the host off, since a power-off discards the very memory you want to preserve. And take the memory dump before any action that alters the host, so the forensic data needed to analyse the attack, identify the initial foothold and map the attacker's techniques is intact.

The other options do not fit. Restarting services wipes the process state you wanted to capture and can trigger the malware's persistence mechanism, so it re-launches in a way that obscures the original infection. Deleting logs destroys the forensic traces needed to reconstruct the incident; it is something an attacker does, not a responder. Notifying users on its own is a communication task: it neither contains the threat nor preserves evidence, which are the core immediate-response actions in a runbook.
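The ordering the explanation describes (contain, capture volatile evidence, only then take actions that change the host) can be enforced by the runbook tooling itself. The script below is an added example, not part of the quiz or of any vendor's runbook: `isolate_host()` is a hypothetical stand-in for an EDR or switch-port containment call, the hostname and evidence bytes in `demo()` are constructed, and the volatility order follows RFC 3227. It refuses to collect a less volatile artefact while a more volatile one is outstanding, blocks destructive actions (restart, log deletion) until memory has been captured, and writes a SHA-256 hash of each artefact into a manifest for chain of custody.

```python
"""Runbook executor: contain first, preserve volatile evidence, then act.
Added example; isolate_host() is a hypothetical containment hook and the
data in demo() is constructed, not a real memory image."""
import hashlib
import json
import time
from dataclasses import dataclass, field

# Order of volatility (RFC 3227): collect the most volatile artefact first.
VOLATILITY = ["memory", "network_state", "process_list", "disk_image", "logs"]

# Actions that alter or erase what memory and logs hold; gated behind memory capture.
DESTRUCTIVE = {"restart_service", "delete_logs", "reboot", "reimage"}


class RunbookViolation(Exception):
    """Raised when a step would run out of order or destroy uncollected evidence."""


def digest(data: bytes) -> str:
    """SHA-256 of an evidence artefact, recorded in the manifest for custody."""
    return hashlib.sha256(data).hexdigest()


def isolate_host(hostname: str) -> str:
    """Hypothetical containment hook. A real implementation calls the EDR or
    switch API to cut the host off at the network layer. It must never power
    the host off: that discards exactly the RAM the next step captures."""
    return f"quarantine-rule:{hostname}"


@dataclass
class Runbook:
    host: str
    contained: bool = False
    collected: list = field(default_factory=list)
    manifest: list = field(default_factory=list)

    def _record(self, step: str, **details) -> dict:
        entry = {"step": step, "host": self.host, "ts": time.time(), **details}
        self.manifest.append(entry)
        return entry

    def contain(self) -> dict:
        """Step 1: isolate the host from the network (host stays powered on)."""
        rule = isolate_host(self.host)
        self.contained = True
        return self._record("isolate", rule=rule)

    def preserve(self, kind: str, data: bytes) -> dict:
        """Step 2: capture evidence. Refuses to collect a less volatile artefact
        while a more volatile one is still outstanding, and hashes what it gets."""
        if not self.contained:
            raise RunbookViolation("contain the host before collecting evidence")
        if kind not in VOLATILITY:
            raise RunbookViolation(f"unknown artefact kind: {kind}")
        outstanding = [k for k in VOLATILITY[: VOLATILITY.index(kind)]
                       if k not in self.collected]
        if outstanding:
            raise RunbookViolation(
                f"capture {outstanding[0]} before {kind} (order of volatility)")
        self.collected.append(kind)
        return self._record("preserve", kind=kind, size=len(data), sha256=digest(data))

    def act(self, action: str) -> dict:
        """Step 3: remediation or communication. Destructive actions are blocked
        until memory has been captured; notifying users is always allowed."""
        if action in DESTRUCTIVE and "memory" not in self.collected:
            raise RunbookViolation(f"{action} would destroy evidence: capture memory first")
        return self._record("act", action=action)

    def manifest_json(self) -> str:
        return json.dumps(self.manifest, indent=2)


def demo() -> Runbook:
    rb = Runbook("ws-finance-07")                       # constructed hostname
    rb.contain()
    rb.preserve("memory", b"\x4d\x5a" * 1024)           # constructed stand-in for a RAM image
    rb.preserve("network_state", b"ESTAB 10.0.5.7:49152 -> 203.0.113.9:443\n")
    rb.act("restart_service")                           # permitted only now
    return rb


if __name__ == "__main__":
    print(demo().manifest_json())
```

Running it prints the manifest in order: isolate, two preserve entries with their hashes, then the restart. Swapping the first two `preserve` calls, or calling `act("delete_logs")` before the memory capture, raises `RunbookViolation`, which is the point: the tooling makes the wrong order impossible rather than relying on a responder remembering it at 3 a.m.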
