Response Operations & Defending Network Security | Latest 2026 Update with complete solutions.
A. Evaluate the organization's response to the security incident.
A1. Three Actions the Organization Took in Response to the Incident.
1. Containment: The affected machine (10.1.1.45) was isolated from the network by disabling its network port at 10:07.

2. Eradication & Recovery: The endpoint was restored from a backup at 13:45, and antivirus (AV) scans were initiated on the HR subnet.

3. Post-Incident Improvement: Antivirus definitions were updated across all endpoints on the following day (06/25 at 08:30).
A2. Evaluation of Effectiveness Using a Recognized Framework.
Using the NIST SP 800-61 Rev. 2 (Computer Security Incident Handling Guide) framework, the effectiveness of these actions is evaluated as follows:
• Action 1 (Containment via Port Disable): Partially Effective. According to NIST, containment strategies should be chosen based on the potential for damage and the need to preserve evidence. Disabling the switch port was a fast and effective way to immediately stop ongoing data exfiltration or command-and-control (C2) traffic, aligning with the goal of minimizing immediate impact. However, the IDS log shows lateral movement via SMB from the infected host (10.1.1.45 to 10.1.2.10) at 10:45, which occurred after the initial containment at 10:07. This indicates the containment was either not fully effective on the first attempt or that a second, compromised host existed. A more robust containment strategy is needed.
• Action 2 (Restoration from Backup & Subnet AV Scan): Effective for Recovery, Inadequate for Eradication. NIST emphasizes that eradication must ensure the malicious content is completely removed. Restoring from a clean backup is a valid and effective recovery tactic. Initiating AV scans on the HR subnet is a good eradication step to find other potential infections. However, the procedure relies on "removing known threats," which may not catch polymorphic malware or new variants. The focus on the HR subnet, while logical, may have missed the lateral movement to the Finance subnet (10.1.2.10), as shown in the IDS log.
• Action 3 (Organization-wide AV Update): Effective. This is a clear and effective post-incident activity that aligns with the NIST "Post-Incident Activity" phase. By updating definitions across all endpoints, the organization improves its defensive posture against a recurrence of the same threat, strengthening its preparedness for future incidents.