Weekly CISSP Practice
Exam Questions
Week 30 - Question 2
Which of the following is NOT a typical objective of Incident Response?
A. Eradication of Threats
B. Root Cause Analysis
C. Financial Forecasting
D. Containment of the Incident
Answer: C
Explanation:
A. Eradication of Threats
Eradication is the phase where the actual "clean-up" happens after the threat has been stopped.
- The Goal: To remove the components of the incident from the environment. This includes deleting malware, disabling compromised user accounts, and identifying all affected hosts.
- The Distinction: While Containment stops the bleeding, Eradication removes the cause of the wound.
B. Root Cause Analysis (RCA)
RCA is a critical component of the Post-Incident Activity (Lessons Learned) phase.
- The Goal: To move beyond the symptoms and find the underlying vulnerability. If a server was infected with ransomware, the RCA determines how: was it an unpatched vulnerability, a phishing email, or a misconfigured firewall?
- The Benefit: Without RCA, the organization is doomed to repeat the same incident because the "hole" in the defense remains open.
C. Financial Forecasting
Financial forecasting is a Business/Strategic Management function.
- Why it's the Answer: While an incident certainly has financial implications (fines, recovery costs, lost revenue), the Incident Response Team (IRT) is not responsible for predicting the company's future quarterly earnings or market trends.
- The Nuance: The IR team will track the costs of the incident (total hours spent, hardware replaced), but "forecasting" is an executive-level activity unrelated to the tactical management of a security breach.
D. Containment of the Incident
Containment is often the most time-sensitive phase of IR.
- The Goal: To limit the "blast radius" or scope of an incident.
- The Strategy:
  - Short-term: Isolating a network segment or blocking a malicious IP.
  - Long-term: Patching systems or implementing new filters while the investigation continues.
- The Benefit: It prevents an incident on one workstation from becoming a company-wide disaster.
Key Takeaway for the CISSP Exam
The NIST SP 800-61 standard is the primary reference for IR on the exam. Remember the logical flow:
- Preparation: Training, tools, and policy (happens before the incident).
- Detection & Analysis: Identifying that a "bad thing" is happening.
- Containment, Eradication, & Recovery: Stopping the threat, removing it, and getting back to normal business.
- Post-Incident Activity: Lessons learned and Root Cause Analysis.
Podcasts
Check out my weekly podcasts that delve deep into the relevant topics related to each of the CISSP domains. In addition, I will go over specific questions and how they can be interpreted and answered.
CISSP Cyber Training Academy
Tired of not knowing how to study for the CISSP Exam?
Check out the CISSP Cyber Training Academy to help you on your journey!
CISSP Cyber Training - YouTube
Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.