An organization had a breach due to a phishing attack. An engineer leads a team through the recovery phase of the incident response process. Which action should be taken during this phase?
A. Host a discovery meeting and define configuration and policy updates
B. Update the IDS/IPS signatures and reimage the affected hosts
C. Identify the systems that have been affected and tools used to detect the attack
D. Identify the traffic with data capture using Wireshark and review email filters
B. Update the IDS/IPS signatures and reimage the affected hosts.
The recovery phase is focused on restoring the organization's systems and services to a normal state. After a phishing attack, it is essential to address any vulnerabilities that the attackers exploited to prevent future attacks. Updating the IDS/IPS signatures can help to identify similar attacks in the future. Reimaging the affected hosts can help to ensure that any malware or other malicious software that may have been installed during the attack is removed.
A. Hosting a discovery meeting and defining configuration and policy updates, C. Identifying the systems that have been affected and tools used to detect the attack, and D. Identifying the traffic with data capture using Wireshark and reviewing email filters are all important steps in the incident response process after a phishing attack, but they are not specifically related to the recovery phase of the process. These steps are typically taken during the investigation phase of the incident response process, which precedes the recovery phase.
When the team believes that an incident has occurred, the team should rapidly perform an initial analysis to determine the incident's scope, such as which networks, systems, or applications are affected; who or what originated the incident; and how the incident is occurring (e.g., what tools or attack methods are being used, what vulnerabilities are being exploited). The initial analysis should provide enough information for the team to prioritize subsequent activities, such as containment of the incident and deeper analysis of the effects of the incident.
Although reimaging is done in recovery, updating IPS has little to no effect on phishing. Phishing is detected in emails and very rarely through IPS. IPS = Containment. To recover you will need to identify affected hosts, how, with tools like CES you can see who received the phishing attack and even identify who clicked a link.
During ERADICATION, it is important to IDENTIFY ALL AFFECTED HOSTS within the organization so that they can be remediated. For some incidents, ERADICATION is either not necessary or is performed DURING recovery.
I think C is correct
Community vote distribution: A (35%), C (25%), B (20%), Other