WGU C845 Task 2: Evaluating Incident Response Operations & Defending Network Security | Latest 2026 Update with complete solutions.

WGU C845 Task 2: Evaluating Incident 68 68 68 68 68 68




Response Operations & Defending Network
68 68 68 68 68




Security | Latest 2026 Update with complete
68 68 68 68 68 68 68




solutions.
68




Task 2: Evaluating Incident Response Operations & Defending Network Security
68 68 68 68 68 68 68 68 68




Information Systems Security - C845
68 68 68 68 68




A. Evaluate the organization's response to 68 68 68 68




the security incident.
68 68 68




A1. Three Actions the Organization Took in Response to the
68 68 68 68 68 68 68 68 68




Incident.
68




1. Containment: The affected machine (10.1.1.45) was isolated from the network by 68 68 68 68 68 68 68 68 68 68




disabling its network port at 10:07.
68 68 68 68 68 68




2. Eradication & Recovery: The endpoint was restored from a backup at 13:45, and
68 68 68 68 68 68 68 68 68 68 68 68




antivirus (AV) scans were initiated on the HR subnet.
68 68 68 68 68 68 68 68 68




3. Post-Incident Improvement: Antivirus definitions were updatedacross allendpoints on 68 68 68 68 68 68 68 68 68




the following day (06/25 at 08:30).
68 68 68 68 68 68




A2. Evaluation of Effectiveness Using a Recognized
68 68 68 68 68 68




Framework.
68




Using the NIST SP 800-61 Rev. 2 (Computer Security Incident Handling Guide) framework, the
68 68 68 68 68 68 68 68 68 68 68 68 68




effectiveness of these actions is evaluated as follows:
68 68 68 68 68 68 68 68




• Action 1 (Containment via Port Disable): Partially Effective. According to NIST,
68 68 68 68 68 68 68 68 68 68




containment strategies should be chosen based on the potential for damage and the
68 68 68 68 68 68 68 68 68 68 68 68 68




need to preserve evidence. Disabling the switch port was a fast and effective way to
68 68 68 68 68 68 68 68 68 68 68 68 68 68 68

, immediately stopongoing dataexfiltration or command-and-control (C2) traffic, aligning
68 68 68 68 68 68 68 68 68




with the goal of minimizing immediate impact. However, the IDS log shows lateral
68 68 68 68 68 68 68 68 68 68 68 68 68




movement via SMB from the infected host (10.1.1.45 to 10.1.2.10) at 10:45, which
68 68 68 68 68 68 68 68 68 68 68 68 68




occurred after the initial containment at 10:07. This indicates the containment was
68 68 68 68 68 68 68 68 68 68 68 68




either not fully effective on the first attempt or that a second, compromised host
68 68 68 68 68 68 68 68 68 68 68 68 68 68




existed. A more robust containment strategy is needed.
68 68 68 68 68 68 68 68




• Action 2 (Restoration from Backup & Subnet AV Scan): Effective for Recovery,
68 68 68 68 68 68 68 68 68 68 68




Inadequate for Eradication. NIST emphasizes that eradication must ensure the malicious
68 68 68 68 68 68 68 68 68 68 68




content is completely removed. Restoring from a clean backup is a valid and effective
68 68 68 68 68 68 68 68 68 68 68 68 68 68




recovery tactic. Initiating AV scans on the HR subnet is a good eradication step to find
68 68 68 68 68 68 68 68 68 68 68 68 68 68 68 68




other potential infections. However, the procedure relies on "removing known threats,"
68 68 68 68 68 68 68 68 68 68 68




which may not catch polymorphic malware or new variants. The focus on the HR subnet,
68 68 68 68 68 68 68 68 68 68 68 68 68 68 68




while logical, may have missed the lateral movement to the Finance subnet (10.1.2.10),
68 68 68 68 68 68 68 68 68 68 68 68 68




as shown in the IDS log.
68 68 68 68 68 68




• Action 3 (Organization-wide AV Update): Effective. This is a clear and effective post-
68 68 68 68 68 68 68 68 68 68 68 68




incident activity that aligns with the NIST "Post-Incident Activity" phase. By updating
68 68 68 68 68 68 68 68 68 68 68 68




definitions acrossall endpoints,the organization improves itsdefensive postureagainst a
68 68 68 68 68 68 68 68 68 68 68 68




recurrence of the same threat, strengthening its preparedness for future incidents.
68 68 68 68 68 68 68 68 68 68 68