WGU C845 Task 2: Evaluating Incident
Response Operations & Defending Network
Security | Latest 2026 Update with complete
solutions.
Task 2: Evaluating Incident Response Operations & Defending Network Security
Information Systems Security - C845
A. Evaluate the organization's response to
the security incident.
A1. Three Actions the Organization Took in Response to
the Incident.
1. Containment: The affected machine (10.1.1.45) was isolated from the network by
disabling its network port at 10:07.
2. Eradication & Recovery: The endpoint was restored from a backup at 13:45, and
antivirus (AV) scans were initiated on the HR subnet.
3. Post-Incident Improvement: Antivirus definitions were updated across all endpoints on
the following day (06/25 at 08:30).
A2. Evaluation of Effectiveness Using a Recognized
Framework.
Using the NIST SP 800-61 Rev. 2 (Computer Security Incident Handling Guide) framework, the
effectiveness of these actions is evaluated as follows:
• Action 1 (Containment via Port Disable): Partially Effective. According to NIST,
containment strategies should be chosen based on the potential for damage and the
need to preserve evidence. Disabling the switch port was a fast and effective way to
, immediately stop ongoing data exfiltration or command-and-control (C2) traffic, aligning
with the goal of minimizing immediate impact. However, the IDS log shows lateral
movement via SMB from the infected host (10.1.1.45 to 10.1.2.10) at 10:45, which
occurred after the initial containment at 10:07. This indicates the containment was
either not fully effective on the first attempt or that a second, compromised host
existed. A more robust containment strategy is needed.
• Action 2 (Restoration from Backup & Subnet AV Scan): Effective for Recovery,
Inadequate for Eradication. NIST emphasizes that eradication must ensure the malicious
content is completely removed. Restoring from a clean backup is a valid and effective
recovery tactic. Initiating AV scans on the HR subnet is a good eradication step to find
other potential infections. However, the procedure relies on "removing known threats,"
which may not catch polymorphic malware or new variants. The focus on the HR subnet,
while logical, may have missed the lateral movement to the Finance subnet (10.1.2.10),
as shown in the IDS log.
• Action 3 (Organization-wide AV Update): Effective. This is a clear and effective post-
incident activity that aligns with the NIST "Post-Incident Activity" phase. By updating
definitions across all endpoints, the organization improves its defensive posture against
a recurrence of the same threat, strengthening its preparedness for future incidents.
Response Operations & Defending Network
Security | Latest 2026 Update with complete
solutions.
Task 2: Evaluating Incident Response Operations & Defending Network Security
Information Systems Security - C845
A. Evaluate the organization's response to
the security incident.
A1. Three Actions the Organization Took in Response to
the Incident.
1. Containment: The affected machine (10.1.1.45) was isolated from the network by
disabling its network port at 10:07.
2. Eradication & Recovery: The endpoint was restored from a backup at 13:45, and
antivirus (AV) scans were initiated on the HR subnet.
3. Post-Incident Improvement: Antivirus definitions were updated across all endpoints on
the following day (06/25 at 08:30).
A2. Evaluation of Effectiveness Using a Recognized
Framework.
Using the NIST SP 800-61 Rev. 2 (Computer Security Incident Handling Guide) framework, the
effectiveness of these actions is evaluated as follows:
• Action 1 (Containment via Port Disable): Partially Effective. According to NIST,
containment strategies should be chosen based on the potential for damage and the
need to preserve evidence. Disabling the switch port was a fast and effective way to
, immediately stop ongoing data exfiltration or command-and-control (C2) traffic, aligning
with the goal of minimizing immediate impact. However, the IDS log shows lateral
movement via SMB from the infected host (10.1.1.45 to 10.1.2.10) at 10:45, which
occurred after the initial containment at 10:07. This indicates the containment was
either not fully effective on the first attempt or that a second, compromised host
existed. A more robust containment strategy is needed.
• Action 2 (Restoration from Backup & Subnet AV Scan): Effective for Recovery,
Inadequate for Eradication. NIST emphasizes that eradication must ensure the malicious
content is completely removed. Restoring from a clean backup is a valid and effective
recovery tactic. Initiating AV scans on the HR subnet is a good eradication step to find
other potential infections. However, the procedure relies on "removing known threats,"
which may not catch polymorphic malware or new variants. The focus on the HR subnet,
while logical, may have missed the lateral movement to the Finance subnet (10.1.2.10),
as shown in the IDS log.
• Action 3 (Organization-wide AV Update): Effective. This is a clear and effective post-
incident activity that aligns with the NIST "Post-Incident Activity" phase. By updating
definitions across all endpoints, the organization improves its defensive posture against
a recurrence of the same threat, strengthening its preparedness for future incidents.
