A SIEM tool fires an alert about a VPN connection attempt from an unusual location.
The incident response team validates that an attacker has installed a remote access tool on a user's laptop while traveling.
The attacker has the user's credentials and is attempting to connect to the network.
What is the next step in handling the incident?
A. Block the source IP from the firewall
B. Perform an antivirus scan on the laptop
C. Identify systems or services at risk
D. Identify lateral movement
Correct answer: C
The next step in handling the incident described would be to identify systems or services at risk (option C).
Once the incident response team has confirmed that an attacker has installed a remote access tool on a user's laptop while traveling and is attempting to connect to the network using the user's credentials, the focus should shift to identifying the potential impact on the organization's systems and services. This is critical in order to determine the appropriate course of action to mitigate the risk.
Identifying systems or services at risk involves analyzing the potential impact of the incident on the organization's infrastructure, data, and services. This includes identifying any sensitive information that may be at risk of compromise, as well as any critical systems or services that could be impacted by the attack. Once the systems and services at risk have been identified, the incident response team can develop a plan for containing and mitigating the incident.
Option A (Block the source IP from the firewall) is a possible response, but it is not the most effective one in this scenario. Blocking the source IP at the firewall may stop the attacker's current connection attempt, but it does not address the root cause of the incident, which is the compromised laptop. Additionally, the attacker may already have established other points of access to the network, making this response ineffective in the long term.
Option B (Perform an antivirus scan on the laptop) is also a possible response, but it should be considered a secondary step. The primary focus should be on identifying the potential impact on the organization's systems and services. Performing an antivirus scan on the laptop may help identify and remove any malware that the attacker has installed, but it does not address the root cause of the incident or the potential impact on the organization.
Option D (Identify lateral movement) is also important but is not the immediate next step in handling the incident. Identifying lateral movement is important to understand the scope of the incident and prevent further spread of the attack, but it should come after the incident response team has identified the systems or services at risk and developed a plan for containing and mitigating the incident.