During which phase of the NIST SP 800-61 incident response lifecycle are incident response plan updates and lessons learned typically documented?
Trap 1: Preparation
Preparation involves planning and training, not post-incident review.
Trap 2: Containment, Eradication, and Recovery
This phase deals with isolating and removing threats, not updating plans.
Trap 3: Detection and Analysis
Detection and Analysis focuses on identifying and classifying incidents.
- A. Preparation
  Why wrong: Preparation involves planning and training, not post-incident review.
- B. Containment, Eradication, and Recovery
  Why wrong: This phase deals with isolating and removing threats, not updating plans.
- C. Detection and Analysis
  Why wrong: Detection and Analysis focuses on identifying and classifying incidents.
- D. Post-Incident Activity
  Correct. This phase is dedicated to learning from the incident and improving future response.