Which of the following best describes the goal of containment during an incident?

Unlock all questions

This demo includes only 20 questions. Upgrade to access hundreds of questions, flashcards, exam simulations, and disable ads.

Full question bankExam simulationsFlashcards
From $24.99Unlock all

Study for the SANS Advanced Incident Response, Threat Hunting, and Digital Forensics (FOR508) Test. Prepare with comprehensive materials, flashcards, and multiple choice questions with hints and explanations. Ace your exam with confidence!

Multiple Choice

Which of the following best describes the goal of containment during an incident?

Explanation:
Containment aims to stop the incident from spreading while preserving evidence for investigation. In practice, this means isolating affected systems, blocking suspicious traffic, and segmenting networks to prevent lateral movement, all done in a way that keeps logs, memory captures, and other forensic data intact. The goal is to reduce damage quickly without destroying data that will help understand how the incident occurred and how to prevent recurrence. Choosing a path that tries to eradicate all artifacts immediately can destroy valuable evidence and hinder later analysis. Replacing affected hardware is a recovery action, not containment. Disabling all user accounts is disruptive and not a containment objective; it may be necessary in some scenarios, but it’s not about stopping spread or preserving evidence.

Containment aims to stop the incident from spreading while preserving evidence for investigation. In practice, this means isolating affected systems, blocking suspicious traffic, and segmenting networks to prevent lateral movement, all done in a way that keeps logs, memory captures, and other forensic data intact. The goal is to reduce damage quickly without destroying data that will help understand how the incident occurred and how to prevent recurrence.

Choosing a path that tries to eradicate all artifacts immediately can destroy valuable evidence and hinder later analysis. Replacing affected hardware is a recovery action, not containment. Disabling all user accounts is disruptive and not a containment objective; it may be necessary in some scenarios, but it’s not about stopping spread or preserving evidence.

More Multiple Choice Questions
Subscribe

Get the latest from Examzify

You can unsubscribe at any time. Read our privacy policy