What is the main purpose of the eradication phase in a cybersecurity incident response?
Think about what must be done after detecting an intrusion to prevent it from happening again.
The eradication phase focuses on completely removing the attacker's presence, including malware, backdoors, and any other persistence mechanisms, so the system is verified clean before recovery begins.
Which of the following activities is typically performed during the recovery phase of incident response?
Consider what is necessary to bring systems back to normal operation after an attack.
The recovery phase involves restoring systems and data to a known-good state, typically from backups verified to predate the compromise, so normal operations can resume safely.
What is the most likely consequence if an organization skips the eradication phase and moves directly to recovery after detecting a cyberattack?
Think about what happens if malicious elements remain in the system after recovery.
Without eradication, the attacker's foothold (malware, backdoors, persistence) survives the restore, so the same access can be reused and the breach recurs even after recovery.
Which statement best distinguishes the eradication phase from the recovery phase in incident response?
Focus on the main goal of each phase in the incident response process.
Eradication focuses on removing the attacker and malicious elements, while recovery focuses on bringing systems back to normal working condition.
An organization has detected a ransomware attack affecting multiple servers. Which sequence of actions best represents the correct order during eradication and recovery?
Consider the logical order to stop the attack, clean systems, restore data, and confirm safety.
First, isolate infected servers to prevent spread (containment). Then remove the ransomware and its persistence (eradication). Next, restore data from known-good backups (recovery). Finally, verify integrity against a trusted baseline and monitor to ensure no reinfection.
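The following Python model is an added example, not part of the original quiz, that exercises both the "skipped eradication" question above and the ransomware sequence just described. The hosts, file contents, backup, indicators of compromise (IoCs), the dropper path `/tmp/.svc_update.exe` and the Run-key name are all constructed sample data, and the phase names follow the quiz text rather than any particular IR framework. It shows the practical reason ordering matters: a backup restore only overwrites paths the backup contains, so a dropper written to a new path and its persistence entry survive the restore unless eradication removed them, and the final integrity check against a known-good hash baseline is what catches that.

```python
"""Toy model of ransomware eradication and recovery ordering (constructed data)."""
import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- constructed sample data (not from any real incident) --------------------
CLEAN_FILES = {
    "/srv/app/config.yml": b"db_host: db01\n",
    "/srv/data/orders.db": b"SQLite format 3\x00orders...",
}
BACKUP = dict(CLEAN_FILES)                                  # trusted offline backup
BASELINE = {p: sha256(c) for p, c in CLEAN_FILES.items()}   # known-good hashes

DROPPER_PATH = "/tmp/.svc_update.exe"                       # hypothetical artifact
DROPPER_BYTES = b"MZ\x90\x00 fake ransomware payload (constructed)"
IOCS = {
    "hashes": {sha256(DROPPER_BYTES)},
    "persistence": {"HKLM\\...\\Run\\svc_update"},          # hypothetical Run key
}


@dataclass
class Host:
    name: str
    files: dict                       # path -> bytes
    persistence: set = field(default_factory=set)
    isolated: bool = False
    phase: str = "detected"


def infected_host() -> Host:
    """Data files encrypted, dropper written to a new path, persistence installed."""
    files = {p: b"ENCRYPTED:" + sha256(c).encode() for p, c in CLEAN_FILES.items()}
    files[DROPPER_PATH] = DROPPER_BYTES
    return Host("srv01", files, set(IOCS["persistence"]))


def isolate(host: Host) -> None:
    host.isolated = True
    host.phase = "contained"


def eradicate(host: Host) -> list:
    """Remove artifacts matching an IoC by content hash (not path) plus their persistence."""
    if not host.isolated:
        raise RuntimeError("isolate before eradication to avoid spreading")
    removed = [p for p, c in host.files.items() if sha256(c) in IOCS["hashes"]]
    for p in removed:
        del host.files[p]
    stale = host.persistence & IOCS["persistence"]
    host.persistence -= stale
    host.phase = "eradicated"
    return removed + sorted(stale)


def restore(host: Host, enforce_order: bool = True) -> list:
    """Overwrite files from backup. Only backed-up paths are touched, so a dropper
    at a path the backup never contained survives a restore untouched."""
    if enforce_order and host.phase != "eradicated":
        raise RuntimeError("recovery started before eradication")
    for p, c in BACKUP.items():
        host.files[p] = c
    host.phase = "recovered"
    return sorted(BACKUP)


def verify(host: Host) -> list:
    """Integrity check against the baseline plus a residual-IoC sweep. [] means clean."""
    findings = []
    for p, h in BASELINE.items():
        if p not in host.files or sha256(host.files[p]) != h:
            findings.append(f"integrity: {p} differs from baseline")
    for p, c in host.files.items():
        if sha256(c) in IOCS["hashes"]:
            findings.append(f"ioc: known-bad hash at {p}")
    for key in host.persistence & IOCS["persistence"]:
        findings.append(f"ioc: persistence {key}")
    return findings


def simulate_reboot(host: Host) -> None:
    """Constructed reinfection model: surviving persistence + surviving payload re-encrypts."""
    payload_present = any(sha256(c) in IOCS["hashes"] for c in host.files.values())
    if payload_present and host.persistence & IOCS["persistence"]:
        for p in BACKUP:
            host.files[p] = b"ENCRYPTED:" + sha256(BACKUP[p]).encode()


def correct_sequence() -> list:
    h = infected_host()
    isolate(h)
    eradicate(h)
    restore(h)
    simulate_reboot(h)        # stands in for the post-recovery monitoring window
    return verify(h)


def skipped_eradication() -> list:
    h = infected_host()
    isolate(h)
    restore(h, enforce_order=False)
    simulate_reboot(h)
    return verify(h)


if __name__ == "__main__":
    print("correct order :", correct_sequence() or "clean")
    print("skipped phase :", *skipped_eradication(), sep="\n  ")
```

Two design points carry over to real environments: eradication matches artifacts by content hash rather than by path, because attackers rename droppers freely, and verification compares restored files against hashes recorded before the incident rather than trusting that "the restore job succeeded" means the host is clean.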