Root Cause Analysis in Incident Response | SSCP Exam Preparation

Root Cause Analysis in Incident Response


Question

In the course of responding to and handling an incident, you work on determining the root cause of the incident.

In which step are you in?

Answers

Explanations


A. B. C. D.

D.

In this step, your main objective is to examine and analyze what has occurred and focus on determining the root cause of the incident.

Recovery is incorrect, as recovery is about resuming operations or bringing affected systems back into production. Containment is incorrect, as containment is about reducing the potential impact of an incident.

Triage is incorrect, as triage is about determining the seriousness of the incident and filtering out false positives.

Reference: Official Guide to the CISSP CBK, pages 700-704

The step in which you work on determining the root cause of an incident is the "Analysis and tracking" step.

During an incident response, the analysis and tracking phase is the process of identifying the scope and nature of the incident, as well as determining the root cause(s) of the problem. This step is crucial because it helps to prevent future incidents from occurring by addressing the underlying cause(s) of the issue.

In the analysis and tracking phase, the security team investigates the incident by collecting and analyzing data, such as system logs, network traffic, and other relevant information. This information is used to determine the root cause of the incident, identify the affected systems, and assess the damage caused.
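As an added illustration of the analysis work described above (example code written for this page, not taken from the exam guide or the CISSP CBK), the script below parses two constructed log sources for a hypothetical host "app01", an SSH authentication log and a web server access log, and then pivots from the event that raised the alert to every event sharing a user or source IP with it. Sorting the related events by time gives an incident timeline whose earliest entry is the root-cause candidate that the analyst should verify. The host name, account name, IP addresses (from the documentation ranges) and log lines are all constructed.

```python
"""Incident timeline and root-cause pivot over constructed log lines.

Added example for the analysis and tracking phase: start from the alerting
event, collect every event that shares a user or IP with it (transitively),
and order the result by time. The earliest related event is the candidate
initial-access point that the analyst then confirms or rejects.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample logs. Host "app01", account "svc_backup" and the IP
# addresses are hypothetical; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges and never route on the public Internet.
AUTH_LOG = """\
2024-03-10T08:55:12Z app01 sshd: Failed password for svc_backup from 203.0.113.7
2024-03-10T08:55:15Z app01 sshd: Failed password for svc_backup from 203.0.113.7
2024-03-10T08:55:19Z app01 sshd: Accepted password for svc_backup from 203.0.113.7
2024-03-10T09:02:01Z app01 sudo: svc_backup : COMMAND=/bin/tar -czf /tmp/db.tgz /var/lib/db
"""
WEB_LOG = """\
203.0.113.7 - - [10/Mar/2024:08:40:03 +0000] "GET /admin/config.php HTTP/1.1" 200 1534
198.51.100.20 - - [10/Mar/2024:08:41:10 +0000] "GET /index.html HTTP/1.1" 200 812
203.0.113.7 - - [10/Mar/2024:08:41:55 +0000] "GET /backup/credentials.txt HTTP/1.1" 200 220
"""

ISO_FMT = "%Y-%m-%dT%H:%M:%S%z"          # "Z" is accepted by %z since Python 3.7
CLF_FMT = "%d/%b/%Y:%H:%M:%S %z"          # Common Log Format timestamp

SSH_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<detail>(?:Accepted|Failed) \w+) for (?P<user>\S+) from (?P<ip>\S+)$")
SUDO_RE = re.compile(r"^(?P<ts>\S+) \S+ sudo: (?P<user>\S+) : (?P<detail>COMMAND=.*)$")
WEB_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<detail>[^"]*)" (?P<status>\d{3}) \d+$')


@dataclass(frozen=True)
class Event:
    """One normalised log event; frozen so events can live in a set."""
    ts: datetime
    source: str
    ip: str | None
    user: str | None
    detail: str


def parse_auth(text: str) -> list[Event]:
    """Normalise sshd and sudo lines; unrecognised lines are skipped."""
    events: list[Event] = []
    for line in text.splitlines():
        if m := SSH_RE.match(line):
            events.append(Event(datetime.strptime(m["ts"], ISO_FMT), "sshd", m["ip"], m["user"], m["detail"]))
        elif m := SUDO_RE.match(line):
            events.append(Event(datetime.strptime(m["ts"], ISO_FMT), "sudo", None, m["user"], m["detail"]))
    return events


def parse_web(text: str) -> list[Event]:
    """Normalise Common Log Format access-log lines; the user is unknown here."""
    events: list[Event] = []
    for line in text.splitlines():
        if m := WEB_RE.match(line):
            events.append(Event(datetime.strptime(m["ts"], CLF_FMT), "web", m["ip"], None,
                                f'{m["detail"]} -> {m["status"]}'))
    return events


def related_events(events: list[Event], seed: Event) -> list[Event]:
    """Pivot from the seed: any event sharing an IP or user with an already
    related event joins the set, until no new events are found. Returns the
    related events ordered by time (the incident timeline)."""
    ips = {seed.ip} - {None}
    users = {seed.user} - {None}
    related = {seed}
    changed = True
    while changed:
        changed = False
        for ev in events:
            if ev in related:
                continue
            if ev.ip in ips or ev.user in users:
                related.add(ev)
                if ev.ip:
                    ips.add(ev.ip)
                if ev.user:
                    users.add(ev.user)
                changed = True
    return sorted(related, key=lambda e: e.ts)


def find_alert(events: list[Event]) -> Event:
    """The alerting event: a sudo command archiving the database directory."""
    return next(e for e in events if e.source == "sudo" and "/var/lib/db" in e.detail)


def root_cause_candidate(events: list[Event], seed: Event) -> Event:
    """Earliest event linked to the alert; the analyst verifies it from here."""
    return related_events(events, seed)[0]


def analyze() -> list[Event]:
    """Full run over the constructed logs: parse, find the alert, pivot."""
    events = parse_auth(AUTH_LOG) + parse_web(WEB_LOG)
    return related_events(events, find_alert(events))


if __name__ == "__main__":
    for ev in analyze():
        print(ev.ts.isoformat(), ev.source, ev.ip or "-", ev.user or "-", ev.detail)
```

Running the script prints a six-event timeline: the unrelated request from 198.51.100.20 is excluded, and the earliest related event is the request for /admin/config.php from the same address that later logged in as svc_backup, which points the analyst at an exposed web path rather than at the SSH password guessing that first raised suspicion. The pivot deliberately follows shared users and IPs only; in a real investigation the same loop would also key on session IDs, process trees or host names, and a large pivot set would be a signal to tighten the keys rather than to trust the earliest hit blindly.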

Once the root cause(s) of the incident have been identified, the security team can develop a plan to remediate the issue and prevent similar incidents from occurring in the future. This may involve patching vulnerabilities, reconfiguring systems, implementing new security controls, or providing additional security awareness training to employees.

It's important to note that the analysis and tracking phase occurs after the containment phase, in which the security team has already taken steps to limit the damage caused by the incident. Once containment has been achieved, the team can focus on the analysis and tracking phase to determine the root cause(s) of the incident and develop a plan for recovery.