During the post-incident activity phase, which of the following actions should a security analyst take to uncover why the incident occurred and to help prevent similar incidents in the future?
Perform a root cause analysis to determine the underlying factors that allowed the incident to happen.
Erase all logs related to the incident so that sensitive details cannot be disclosed.
Re-image affected hosts and return them to production without further review.
Conduct a penetration test against unrelated systems to demonstrate overall security posture.
A structured root cause analysis is a key element of post-incident activities recommended by NIST and other industry frameworks. It looks for underlying technical, process, or human factors that enabled the attack, enabling the team to implement preventive controls. Simply rebooting systems, deleting logs, or running unrelated penetration tests do not satisfy this objective and can actually hinder future improvements.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.