SANS FOR508 Questions and Correct Answers / Latest Update / Already Graded
Dwell Time
Ans: The time an attacker has remained undetected within a
network. An important metric to track, as it directly correlates
with the attacker's ability to accomplish their objectives.
Breakout Time
Ans: The time it takes an intruder to begin moving laterally once
they have an initial foothold in the network.
Main Threat Actors
Ans: APT (Nation State Actors)
Organized Crime
Hacktivists
NIST
Ans: US National Institute of Standards and Technology
Six-Step Incident Response Process
All rights reserved © 2025/ 2026 |
Ans: 1: Preparation
2: Identification
3: Containment and Intelligence Development
4: Eradication and Remediation
5: Recovery
6: Follow-up
Six-Step - Preparation
Ans: Incident response methodologies emphasize preparation:
not only establishing a response capability so the organization
is ready to respond to incidents, but also preventing incidents by
ensuring that systems, networks, and applications are
sufficiently secure.
Six-Step - Identification
Ans: Identification is triggered by a suspicious event. This
could come from a security appliance, a call to the help desk, or
something discovered via threat hunting. The event should be
validated and a decision made as to the severity of the finding
(not all valid events lead to a full incident response).
Once an incident response has begun, this phase is used to
better understand the findings and begin scoping the network
for additional compromise.
Six-Step - Containment and Intelligence Development
Ans: In this phase, the goal is to rapidly understand the
adversary and begin crafting a containment strategy.
Responders must identify the initial vulnerability or exploit,
how the attackers are maintaining persistence and moving
laterally in the network, and how command and control is being
accomplished. In conjunction with the previous scoping phase,
responders work to build a complete picture of the attack
and often implement changes to the environment to increase
host and network visibility. Threat intelligence is one of the key
products of the IR team during this phase.
Six-Step - Eradication and Remediation
Ans: Arguably the most important phase of the process,
eradication aims to remove the threat and restore business
operations to a normal state. However, successful eradication
cannot occur until the full scope of the intrusion is understood. A
rush to this phase usually results in failure. Remediation plans
are developed, and recommendations are implemented in a
planned and controlled manner. Examples include:
- Block malicious IP addresses
- Blackhole malicious domain names
- Rebuild compromised systems
- Coordinate with cloud and service providers