An organization had a breach due to a phishing attack.
An engineer leads a team through the recovery phase of the incident response process.
Which action should be taken during this phase?
A. Host a discovery meeting and define configuration and policy updates
B. Update the IDS/IPS signatures and reimage the affected hosts
C. Identify the systems that have been affected and tools used to detect the attack
D. Identify the traffic with data capture using Wireshark and review email filters

Correct answer: B
Explanation: In the NIST SP 800-61 incident handling lifecycle (preparation; detection and analysis; containment, eradication and recovery; post-incident activity), the recovery phase is where the team removes what the attacker left behind and returns systems to normal operation, hardened so the same attack does not succeed again. Reimaging the compromised hosts from a known-good image (or restoring them from clean backups) removes any malware or persistence dropped by the phishing payload, and updating the IDS/IPS signatures with the indicators learned during analysis (sender domains, lure URLs, file hashes, command-and-control addresses) ensures the same campaign is detected or blocked if it returns. That is option B.

The other options describe real incident response work, but in other phases:

A. Hosting a discovery meeting to define configuration and policy updates (mail filtering rules, awareness training, authentication policy) is lessons-learned work that belongs to post-incident activity, after recovery is complete.
C. Identifying which systems were affected and which tools detected the attack is scoping work done during detection and analysis. Recovery assumes that scope is already known; you cannot reimage "the affected hosts" until you know which ones they are.
D. Capturing traffic with Wireshark to determine the attack vector, and reviewing the email filters to see how the message got through, is also analysis rather than recovery. Filter changes that come out of that review are then applied as part of remediation.

A practical check before declaring recovery complete: confirm that the reimaged hosts no longer show the indicators of compromise, that the phishing sender and URL are blocked at the mail gateway and in the IDS/IPS, and that any credentials entered on the phishing page have been reset.
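The following script is an added example, not part of the original question or its explanation. It shows the two concrete pieces of option B in working code: deriving the list of hosts to reimage (and users whose credentials must be reset) from mail-gateway and proxy log lines, and generating Suricata rules for the phishing indicators so the IDS/IPS signature set is updated. The indicator values, log lines, and helper names (scope_from_logs, hosts_to_reimage, suricata_rules) are constructed for this example and are not a standard tool or API.

```python
"""Recovery-phase helper for a phishing incident (added example, not from the page).

Inputs are indicators learned during detection/analysis plus constructed log lines;
outputs are the hosts to reimage, the users needing a credential reset, and
Suricata rules that add the indicators to the IDS/IPS signature set.
"""
import re
from dataclasses import dataclass, field

# Indicators from the analysis phase (constructed for this example).
PHISH_SENDER_DOMAIN = "secure-payroll-update.example"
PHISH_URL_HOST = "login-sso-verify.example"
PHISH_URL_PATH = "/portal/index.php"

# Constructed log lines: mail gateway deliveries and web proxy requests.
MAIL_LOG = [
    "2024-03-04T08:12:01Z gateway delivered from=hr@secure-payroll-update.example to=alice@corp.example",
    "2024-03-04T08:12:03Z gateway delivered from=hr@secure-payroll-update.example to=bob@corp.example",
    "2024-03-04T08:15:40Z gateway delivered from=newsletter@vendor.example to=carol@corp.example",
]
PROXY_LOG = [
    "2024-03-04T08:20:11Z proxy src=10.0.5.21 user=alice@corp.example method=GET url=http://login-sso-verify.example/portal/index.php status=200",
    "2024-03-04T08:21:02Z proxy src=10.0.5.22 user=bob@corp.example method=GET url=http://login-sso-verify.example/favicon.ico status=404",
    "2024-03-04T08:21:30Z proxy src=10.0.5.22 user=bob@corp.example method=POST url=http://login-sso-verify.example/portal/index.php status=302",
    "2024-03-04T08:30:00Z proxy src=10.0.5.23 user=carol@corp.example method=GET url=https://vendor.example/news status=200",
]

MAIL_RE = re.compile(r"from=\S+@(?P<domain>\S+) to=(?P<rcpt>\S+)")
PROXY_RE = re.compile(
    r"src=(?P<src>\S+) user=(?P<user>\S+) method=(?P<method>\S+) "
    r"url=https?://(?P<host>[^/\s]+)(?P<path>\S*) status=(?P<status>\d+)"
)


@dataclass
class Scope:
    recipients: set = field(default_factory=set)        # users who received the lure
    visited: set = field(default_factory=set)           # hosts that fetched anything from the phishing site
    credential_hosts: set = field(default_factory=set)  # hosts that POSTed to the credential form
    credential_users: set = field(default_factory=set)  # users on those hosts (credentials assumed entered)


def scope_from_logs(mail_lines, proxy_lines) -> Scope:
    """Who got the lure, which hosts opened the page, and which hosts submitted the form."""
    scope = Scope()
    for line in mail_lines:
        m = MAIL_RE.search(line)
        if m and m.group("domain").lower() == PHISH_SENDER_DOMAIN:
            scope.recipients.add(m.group("rcpt"))
    for line in proxy_lines:
        m = PROXY_RE.search(line)
        if not m or m.group("host").lower() != PHISH_URL_HOST:
            continue
        scope.visited.add(m.group("src"))
        if m.group("method") == "POST" and m.group("path") == PHISH_URL_PATH:
            scope.credential_hosts.add(m.group("src"))
            scope.credential_users.add(m.group("user"))
    return scope


def hosts_to_reimage(scope: Scope) -> list:
    """Every host that touched the phishing site is reimaged, not only those that submitted."""
    return sorted(scope.visited)


def suricata_rules(base_sid: int = 9000001) -> list:
    """Suricata rules for the indicators: DNS lookup of the host, and a credential POST to it.

    http.host is normalised to lowercase by Suricata, so the host is matched as-is;
    dns.query needs nocase.  SIDs in the 9000000+ local range are an assumption.
    """
    return [
        (f'alert dns $HOME_NET any -> any any (msg:"PHISH incident lookup of {PHISH_URL_HOST}"; '
         f'dns.query; content:"{PHISH_URL_HOST}"; nocase; classtype:trojan-activity; '
         f'sid:{base_sid}; rev:1;)'),
        (f'drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"PHISH incident credential post to {PHISH_URL_HOST}"; '
         f'flow:established,to_server; http.method; content:"POST"; '
         f'http.host; content:"{PHISH_URL_HOST}"; classtype:credential-theft; '
         f'sid:{base_sid + 1}; rev:1;)'),
    ]


if __name__ == "__main__":
    scope = scope_from_logs(MAIL_LOG, PROXY_LOG)
    print("received lure:      ", sorted(scope.recipients))
    print("reimage hosts:      ", hosts_to_reimage(scope))
    print("reset credentials:  ", sorted(scope.credential_users))
    print("\n".join(suricata_rules()))
```

Two design points: a host is queued for reimaging as soon as it contacted the phishing site at all, because a GET of the landing page may already have delivered a drive-by payload, while the credential reset list is narrowed to hosts that actually POSTed to the form. The rules go into the local rule file and are reloaded, which is the "update the IDS/IPS signatures" half of option B.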