Operations & Defending Network Security | Latest 2026 Update with complete solutions.
A. Evaluate the organization's response to the security incident.
A1. Three Actions the Organization Took in Response to the Incident.
1. Containment: The affected machine (10.1.1.45) was isolated from the network by disabling its network port at 10:07.

2. Eradication & Recovery: The endpoint was restored from a backup at 13:45, and antivirus (AV) scans were initiated on the HR subnet.

3. Post-Incident Improvement: Antivirus definitions were updated across all endpoints on the following day (06/25 at 08:30).
A2. Evaluation of Effectiveness Using a Recognized Framework.
Using the NIST SP 800-61 Rev. 2 (Computer Security Incident Handling Guide) framework, the effectiveness of these actions is evaluated as follows:
• Action 1 (Containment via Port Disable): Partially Effective. According to NIST, containment strategies should be chosen based on the potential for damage and the need to preserve evidence. Disabling the switch port was a fast and effective way to immediately stop ongoing data exfiltration or command-and-control (C2) traffic, aligning with the goal of minimizing immediate impact. However, the IDS log shows lateral movement via SMB from the infected host (10.1.1.45 to 10.1.2.10) at 10:45, which occurred after the initial containment at 10:07. This indicates either that the containment was not fully effective on the first attempt or that a second compromised host existed. A more robust containment strategy is needed.
• Action 2 (Restoration from Backup & Subnet AV Scan): Effective for Recovery, Inadequate for Eradication. NIST emphasizes that eradication must ensure the malicious content is completely removed. Restoring from a clean backup is a valid and effective recovery tactic. Initiating AV scans on the HR subnet is a good eradication step to find other potential infections. However, the procedure relies on "removing known threats," which may not catch polymorphic malware or new variants. The focus on the HR subnet, while logical, may have missed the lateral movement to the Finance subnet (10.1.2.10), as shown in the IDS log.
• Action 3 (Organization-wide AV Update): Effective. This is a clear and effective post-incident activity that aligns with the NIST "Post-Incident Activity" phase. By updating definitions across all endpoints, the organization improves its defensive posture against a recurrence of the same threat, strengthening its preparedness for future incidents.