WGU C845Task 2: Evaluating Incident ,x. ,x. ,x. ,x. ,x. ,x.
Response Operations & Defending Network
,x. ,x. ,x. ,x. ,x.
Security | Latest 2026 Update with complete
,x. ,x. ,x. ,x. ,x. ,x. ,x.
solutions.
,x.
Task 2: Evaluating Incident Response Operations & Defending Network Security
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
Information Systems Security - C845
,x. ,x. ,x. ,x. ,x.
A. Evaluate the organization's response to ,x. ,x. ,x. ,x.
the security incident.
,x. , x. ,x.
A1. Three Actions the Organization Took in Response to the
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. , x.
Incident.
,x.
1. Containment:Theaffectedmachine(10.1.1.45)wasisolatedfromthenetworkby ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
disabling its network port at 10:07.
,x. ,x. ,x. ,x. ,x. ,x.
2. Eradication &Recovery:Theendpoint wasrestored fromabackupat13:45, and ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
antivirus (AV) scans were initiated on the HR subnet.
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
3. Post-IncidentImprovement: Antivirusdefinitionswereupdatedacrossallendpointson ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
the following day (06/25 at 08:30).
,x. ,x. ,x. ,x. ,x. ,x.
A2. Evaluation of Effectiveness Using a Recognized
,x. ,x. ,x. ,x. ,x. ,x.
Framework.
,x.
Using the NIST SP800-61Rev. 2 (ComputerSecurityIncident Handling Guide)framework,the
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
effectiveness of these actions is evaluated as follows:
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
• Action 1 (Containment via Port Disable): Partially Effective. According to NIST,
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
containment strategies should be chosen based on the potential for damage and the
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
need to preserve evidence. Disabling the switch port was a fast and effective way to
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
, immediatelystopongoingdataexfiltrationorcommand-and-control(C2)traffic,aligning ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
with the goal of minimizing immediate impact. However, the IDS log shows lateral
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
movement via SMB from the infected host (10.1.1.45 to 10.1.2.10) at 10:45, which
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
occurred after the initial containment at 10:07. This indicates the containment was
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
either not fully effective on the first attempt or that a second, compromised host
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
existed. A more robust containment strategy is needed.
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
• Action 2 (Restoration from Backup & Subnet AV Scan): Effective for Recovery,
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
Inadequate for Eradication. NIST emphasizesthat eradication must ensurethe malicious
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
content is completely removed. Restoring from a clean backup is a valid and effective
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
recovery tactic. Initiating AV scans on the HR subnet is a good eradication step to find
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
other potential infections. However, the procedure relies on "removing known threats,"
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
which maynot catch polymorphic malware ornew variants. The focus onthe HR subnet,
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
while logical, may have missed the lateral movement to the Finance subnet (10.1.2.10),
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
as shown in the IDS log.
,x. ,x. ,x. ,x. ,x. ,x.
• Action 3 (Organization-wide AV Update): Effective. This is a clear and effective post-
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
incident activity that aligns with the NIST "Post-Incident Activity" phase. By updating
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
definitionsacrossallendpoints,theorganizationimprovesitsdefensivepostureagainst a
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
recurrence of the same threat, strengthening its preparedness for future incidents.
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
Response Operations & Defending Network
,x. ,x. ,x. ,x. ,x.
Security | Latest 2026 Update with complete
,x. ,x. ,x. ,x. ,x. ,x. ,x.
solutions.
,x.
Task 2: Evaluating Incident Response Operations & Defending Network Security
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
Information Systems Security - C845
,x. ,x. ,x. ,x. ,x.
A. Evaluate the organization's response to ,x. ,x. ,x. ,x.
the security incident.
,x. , x. ,x.
A1. Three Actions the Organization Took in Response to the
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. , x.
Incident.
,x.
1. Containment:Theaffectedmachine(10.1.1.45)wasisolatedfromthenetworkby ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
disabling its network port at 10:07.
,x. ,x. ,x. ,x. ,x. ,x.
2. Eradication &Recovery:Theendpoint wasrestored fromabackupat13:45, and ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
antivirus (AV) scans were initiated on the HR subnet.
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
3. Post-IncidentImprovement: Antivirusdefinitionswereupdatedacrossallendpointson ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
the following day (06/25 at 08:30).
,x. ,x. ,x. ,x. ,x. ,x.
A2. Evaluation of Effectiveness Using a Recognized
,x. ,x. ,x. ,x. ,x. ,x.
Framework.
,x.
Using the NIST SP800-61Rev. 2 (ComputerSecurityIncident Handling Guide)framework,the
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
effectiveness of these actions is evaluated as follows:
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
• Action 1 (Containment via Port Disable): Partially Effective. According to NIST,
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
containment strategies should be chosen based on the potential for damage and the
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
need to preserve evidence. Disabling the switch port was a fast and effective way to
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
, immediatelystopongoingdataexfiltrationorcommand-and-control(C2)traffic,aligning ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
with the goal of minimizing immediate impact. However, the IDS log shows lateral
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
movement via SMB from the infected host (10.1.1.45 to 10.1.2.10) at 10:45, which
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
occurred after the initial containment at 10:07. This indicates the containment was
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
either not fully effective on the first attempt or that a second, compromised host
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
existed. A more robust containment strategy is needed.
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
• Action 2 (Restoration from Backup & Subnet AV Scan): Effective for Recovery,
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
Inadequate for Eradication. NIST emphasizesthat eradication must ensurethe malicious
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
content is completely removed. Restoring from a clean backup is a valid and effective
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
recovery tactic. Initiating AV scans on the HR subnet is a good eradication step to find
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
other potential infections. However, the procedure relies on "removing known threats,"
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
which maynot catch polymorphic malware ornew variants. The focus onthe HR subnet,
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
while logical, may have missed the lateral movement to the Finance subnet (10.1.2.10),
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
as shown in the IDS log.
,x. ,x. ,x. ,x. ,x. ,x.
• Action 3 (Organization-wide AV Update): Effective. This is a clear and effective post-
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
incident activity that aligns with the NIST "Post-Incident Activity" phase. By updating
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
definitionsacrossallendpoints,theorganizationimprovesitsdefensivepostureagainst a
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
recurrence of the same threat, strengthening its preparedness for future incidents.
,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x. ,x.
