A security analyst has identified malware spreading through the corporate network and has activated the CSIRT. Which of the following should the analyst do NEXT?
A. Review how the malware was introduced to the network.
B. Attempt to quarantine all infected hosts to limit further spread.
C. Create help desk tickets to get infected systems reimaged.
D. Update all endpoint antivirus solutions with the latest updates.
Answer: B. Attempt to quarantine all infected hosts to limit further spread.
As soon as the malware is identified, the incident response begins. The steps for incident response are:
1. Preparation - Preparing for an attack and how to respond
2. Identification - Identifying the threat
3. Containment - Containing the threat
4. Eradication - Removing the threat
5. Recovery - Recovering affected systems
6. Lessons Learned - Evaluating the incident response and seeing where there can be improvements for a future incident.
In the scenario, the malware has already been identified, which means that we are past the Identification step. The next step would be to begin containment so as to limit the amount of damage the malware can cause, so quarantining infected hosts would be the best option here.
When a security analyst identifies malware spreading through the corporate network and activates the Computer Security Incident Response Team (CSIRT), the immediate next step should be to attempt to quarantine all infected hosts to limit further spread of the malware. Quarantining infected hosts can help contain the malware and prevent it from infecting other systems on the network.
When a security analyst has identified malware spreading through the corporate network and activated the Computer Security Incident Response Team (CSIRT), the next step would be to attempt to quarantine all infected hosts to limit further spread. This is crucial to prevent the malware from infecting more systems and potentially causing additional damage.
Could be C because the plan was already activated and one phase included in the IRP states that the threat must be identified and contained which means trying to avoid spreading the virus to the entire company. Then the next logical step must be to reimage the infected PCs.
Nope, all that has happened is that the malware was identified and CSIRT was notified:
1. Preparation - Preparing for an attack and how to respond
2. Identification - Identifying the threat << You are here
3. Containment - Containing the threat << Need to go here
4. Eradication - Removing the threat
5. Recovery - Recovering affected systems << Too far into the future
6. Lessons Learned - Evaluating the incident response and seeing where there can be improvements for a future incident.
Phases in the Incident Response Plan
1. Preparation: The organization plans out how they will respond to an attack; this can involve:
2. Identification: Detecting and determining whether an incident has occurred.
3. Containment: Once a threat has been identified, the organization must limit or prevent any further damage.
4. Eradication: The removal of the threat.
5. Recovery: Restoring systems affected by the incident.
6. Lessons Learned: Where the organization reviews their incident response and prepares for a future attack.
This question is free for interpretation again :-( A is my bet, whereas B (containment)/C (recovery) could be right, too. By activating the CSIRT his duties regarding containment and recovery could be fulfilled/handed over and the analyst goes to "lessons learnt".