Question 13 - CertNexus CFR-410 Real Exam Questions [Jan 2026 Update]

Q: 13

A company help desk is flooded with calls regarding systems experiencing slow performance and certain Internet sites taking a long time to load or not loading at all. The security operations center (SOC) analysts who receive these calls take the following actions: - Running antivirus scans on the affected user machines - Checking department membership of affected users - Checking the host-based intrusion prevention system (HIPS) console for affected user machine alerts - Checking network monitoring tools for anomalous activities Which of the following phases of the incident response process match the actions taken?

Options

Correct Answer:

Explanation

The actions taken by the SOC analysts—running antivirus scans, checking HIPS alerts, and analyzing network monitoring tools—are all methods for gathering data to determine if a security incident has occurred. This process of detecting potential incidents, analyzing precursors and indicators, and assessing the scope of the event falls squarely within the Identification phase of the incident response lifecycle. The analysts are trying to identify the nature and extent of the problem based on the reported symptoms, which is the primary goal of this phase.

Why Incorrect

B. Preparation: This phase involves activities performed before an incident, such as establishing policies, training staff, and deploying security tools, not using them to investigate an active event.

C. Recovery: This phase focuses on restoring systems and services to normal operation after an incident has been contained and eradicated, which has not yet happened.

D. Containment: This phase involves taking active steps to limit the spread and impact of an identified incident, such as isolating affected systems, which is not described in the scenario.

References

1. NIST Special Publication 800-61 Rev. 2

"Computer Security Incident Handling Guide":

Section 3.2.2

Detection and Analysis (p. 25): This section details the process of analyzing data to determine if an incident has occurred. It states

"The most common sources of precursors and indicators are alerts from security devices and software... Examples of sources include... antivirus software

host-based intrusion detection systems (HIDS)

and network intrusion detection systems (NIDS)." The actions in the question directly align with analyzing these sources.

2. Carnegie Mellon University

Software Engineering Institute

"The CERT Guide to Insider Threats":

Chapter 11

Incident Response (p. 238): The guide outlines the incident response process

describing the "Detection and Analysis" phase as the point where the team "analyzes all available information to determine whether an incident has occurred." The activities of checking logs

alerts

and other monitoring data are central to this phase.

3. SANS Institute

"The Six Steps of Incident Response":

Step 2: Identification: This step is described as the process of confirming a breach and understanding its severity. It involves "gathering more evidence

trying to figure out the scope of the compromise

and identifying the attackers’ goals." The SOC analysts' actions are a direct implementation of this step. (Reference: SANS Security Awareness

"Incident Response" Infographic and associated materials).

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE