During the post-incident activity phase, an organization has finished restoring affected servers after a ransomware event. The incident response team is now performing a root cause analysis. Which outcome best captures the goal of this activity?
Validate the integrity of digital evidence collected during the response
Identify the chain of events and underlying vulnerabilities that enabled the incident so they can be eliminated or mitigated
Determine which employees should be held individually accountable for the breach
Assess how well tabletop exercises prepared staff for the incident
Root cause analysis digs beneath the visible symptoms of an incident to uncover the fundamental technical or process failures, such as unpatched vulnerabilities, misconfigurations, or policy gaps, that allowed the attack path to succeed. By understanding and documenting these underlying causes, the organization can implement targeted corrective actions to eliminate or mitigate them, reducing the likelihood of the same type of incident recurring. Validating evidence integrity, assigning individual accountability, and assessing tabletop exercises can all be useful post-incident tasks, but none of them is the primary purpose of root cause analysis.