What is accomplished in the identification phase of incident handling?

A. determining the responsible user
B. identifying source and destination IP addresses
C. defining the limits of your authority related to a security event
D. determining that a security event has occurred


7 thoughts on “What is accomplished in the identification phase of incident handling?”

  1. I think the answer is D.
    C looks like it’s Analysis, as per this text from SECOPS: “Analysis: The incident response team should work quickly to analyze and validate each incident, following a predefined process and documenting each step that is taken. When the team believes that an incident has occurred, the team should rapidly perform an initial analysis to determine the scope of the incident.”

  2. D:

    Identification: This is the step where you determine if an incident has occurred. Based on event observation and indicators, you look for deviations from normal operations. You look for malicious acts or attempts to do harm.

    Reference NIST 800-61R2

  3. From the Cisco SECOPS E-learning course, the Identification phase is referenced as:
    ‘Identification: The SOC analyst performs continuous monitoring and active cyber threat hunting. When a true positive incident has been detected, the incident response team is activated. During the investigation process, the SOC analyst or the incident response team may also contact the CERT/CC (or other security intelligence sources), which tracks Internet security activity and has the most current threat information.’
    I think ‘D’ – answer C is not referenced within the section, only that an analyst may contact another source to track/verify an incident.
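The distinction the commenters draw between option B (collecting source/destination addresses) and option D (determining that a security event has occurred) can be shown in code. The following is an added example, not from this page, the Cisco SECOPS course or NIST SP 800-61: it parses a few constructed SSH authentication log lines, lists the source addresses (the data-gathering step), and then applies a constructed baseline to decide whether anything deviates from normal operations. The log format, the baseline of three failures per five minutes, and all addresses are assumptions made for the example.

```python
"""Added example: a minimal 'identification' step for incident handling.
Not from the page, Cisco SECOPS or NIST SP 800-61.  The log lines, the
baseline and the window are constructed for illustration only."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style auth events (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[101]: Failed password for root from 203.0.113.7 port 50122
2024-03-01T09:00:03 sshd[102]: Failed password for admin from 203.0.113.7 port 50123
2024-03-01T09:00:05 sshd[103]: Failed password for oracle from 203.0.113.7 port 50124
2024-03-01T09:00:07 sshd[104]: Failed password for deploy from 203.0.113.7 port 50125
2024-03-01T09:00:09 sshd[105]: Failed password for deploy from 203.0.113.7 port 50126
2024-03-01T09:00:12 sshd[106]: Accepted password for deploy from 203.0.113.7 port 50127
2024-03-01T09:01:00 sshd[107]: Failed password for alice from 198.51.100.22 port 41000
2024-03-01T09:01:04 sshd[108]: Accepted password for alice from 198.51.100.22 port 41001
2024-03-01T09:02:30 sshd[109]: Failed password for bob from 192.0.2.9 port 42000
2024-03-01T09:02:40 sshd[110]: Failed password for bob from 192.0.2.9 port 42001
"""

# Constructed baseline: under normal operations a single source produces at most
# this many failed logins in one window.  In practice this comes from history.
BASELINE_MAX_FAILURES = 3
WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(
    r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port \d+$"
)


def parse(log_text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, outcome, user, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "outcome": outcome,
                       "user": user, "src": src})
    return events


def sources(events):
    """Option B's work: which addresses appear.  This is data, not a decision."""
    return sorted({e["src"] for e in events})


def identify(events, baseline=BASELINE_MAX_FAILURES, window=WINDOW):
    """Option D's work: decide whether a security event has occurred by looking
    for a deviation from the baseline.  Returns findings; empty means nothing
    was identified and no incident response is triggered."""
    by_src = defaultdict(list)
    for e in events:
        if e["outcome"] == "Failed":
            by_src[e["src"]].append(e)

    findings = []
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        best, best_span, start = 0, None, 0
        for end in range(len(fails)):           # sliding window over failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best, best_span = count, (fails[start]["ts"], fails[end]["ts"])
        if best > baseline:
            first, last = best_span
            # A success from the same source after the burst is an indicator
            # worth escalating: the deviation may have ended in access.
            later_success = any(e["src"] == src and e["outcome"] == "Accepted"
                                and e["ts"] >= last for e in events)
            findings.append({
                "src": src,
                "failures": best,
                "window_start": first.isoformat(),
                "window_end": last.isoformat(),
                "users": sorted({e["user"] for e in fails}),
                "followed_by_success": later_success,
            })
    return findings


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("sources seen (option B):", sources(evs))
    for f in identify(evs):
        print("security event identified (option D):", f)
```

Running the script reports three sources but only one finding: 203.0.113.7 exceeds the baseline with five failures in eight seconds and then succeeds as `deploy`, so the identification step concludes that a security event has occurred and the response team should be engaged. The other two sources also appear in the address list, which is exactly why listing addresses alone (option B) does not answer the identification question.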
