Conducting Forensic Analysis and Incident Response Using Cisco Technologies for CyberOps

Eradication Phase

Question

A security team detected an above-average amount of inbound tcp/135 connection attempts from unidentified senders.

The security team is responding based on their incident response playbook.

Which two elements are part of the eradication phase for this incident? (Choose two.)

Answers

A. Anti-malware software
B. Data and workload isolation
C. Centralized user management
D. Intrusion prevention system
E. Enterprise block listing solution

Correct answer: A and B

Explanations

The incident response playbook is a documented plan that outlines the steps to take in the event of a security incident. The playbook is designed to ensure that the incident response team follows a consistent and structured process for responding to the incident.

The eradication phase is the part of the incident response process whose goal is to remove the threat from the environment once it has been contained. The two elements that are part of the eradication phase for this incident are:

A. Anti-malware software: tcp/135 is the Windows RPC endpoint mapper, and a surge of inbound connection attempts to it from unknown senders is typical of scanning or worm-style propagation looking for reachable RPC services, which can indicate that internal hosts have already been compromised and are being used to spread further. Anti-malware software scans the affected systems and removes any malware that is detected, which is the core activity of eradication. It can also quarantine infected files and hosts so the malware cannot spread while cleanup is in progress.

B. Data and workload isolation: Isolating the affected systems from the network prevents the threat from spreading while it is being removed. Workload isolation restricts which processes and services may execute on the affected systems, so that any remaining malicious code cannot run. Data isolation protects sensitive data on the affected systems from unauthorized access until the systems are known to be clean.

C. Centralized user management: Centralized user management is not part of the eradication phase. It belongs to the preparation phase, where user accounts and access control policies are managed centrally so that, during an incident, credentials can be reviewed or revoked quickly.

D. Intrusion prevention system: An intrusion prevention system (IPS) detects and blocks network-based attacks. It could be used to block the inbound tcp/135 connection attempts from unidentified senders, but that is a containment (and ongoing prevention) measure, not part of the eradication phase.

E. Enterprise block listing solution: An enterprise block listing solution prevents known malicious IP addresses and domains from reaching the network. Like the IPS, it limits the attacker's access but does not remove the threat from affected systems, so it is not part of the eradication phase.
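As an added example (it is not part of the original question or its explanation), the following Python snippet shows how the triggering observation can be quantified before the playbook moves to eradication: it parses constructed firewall-style log lines, counts inbound tcp/135 attempts per unidentified source, lists the internal hosts those senders targeted (the candidates for anti-malware scanning and isolation), and compares the total against a historical baseline. The log format, the IP addresses, the known-sender list and the baseline counts are all assumptions made for this example.

```python
import re
import statistics
from collections import Counter

# Constructed sample log lines, loosely modelled on firewall connection
# messages. They are made up for this example, not taken from a real device.
SAMPLE_LOGS = [
    'Deny tcp src outside:203.0.113.5/51234 dst inside:10.0.0.12/135 by access-group "outside_in"',
    'Deny tcp src outside:203.0.113.5/51235 dst inside:10.0.0.13/135 by access-group "outside_in"',
    'Deny tcp src outside:203.0.113.5/51236 dst inside:10.0.0.14/135 by access-group "outside_in"',
    'Deny tcp src outside:203.0.113.5/51237 dst inside:10.0.0.15/135 by access-group "outside_in"',
    'Deny tcp src outside:198.51.100.9/40001 dst inside:10.0.0.12/135 by access-group "outside_in"',
    'Deny tcp src outside:198.51.100.9/40002 dst inside:10.0.0.20/135 by access-group "outside_in"',
    # Assumed: 192.0.2.10 is a documented internal vulnerability scanner.
    'Built inbound TCP connection for mgmt:192.0.2.10/44120 to inside:10.0.0.12/135',
    'Built inbound TCP connection for outside:203.0.113.77/55000 to inside:10.0.0.30/443',
]

# Assumed list of senders that are allowed to touch tcp/135 (e.g. a scanner).
KNOWN_SENDERS = {"192.0.2.10"}

# Assumed historical counts of tcp/135 attempts per hour from unknown senders.
BASELINE_HISTORY = [1, 0, 2, 1, 1]

# Matches "tcp" followed by two ip/port pairs: the first is the source,
# the second the destination. Works for both log forms used above.
LOG_RE = re.compile(
    r"\btcp\b.*?(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+)"
    r".*?(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+)",
    re.IGNORECASE,
)


def parse_line(line):
    """Return (src_ip, dst_ip, dst_port) for a TCP connection log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def connections_to_port(lines, dport=135):
    """Yield (src, dst) for every parsed TCP line whose destination port is dport."""
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == dport:
            yield parsed[0], parsed[1]


def above_baseline(observed, history, sigma=2.0):
    """True when observed exceeds the historical mean by more than sigma std devs."""
    mean = statistics.mean(history)
    spread = statistics.pstdev(history)
    return observed > mean + sigma * spread


def triage(lines, known_senders, history, dport=135, sigma=2.0):
    """Summarise inbound attempts to dport from senders not on the known list.

    The returned candidate_hosts are the internal systems the unidentified
    senders reached for; these are the hosts to scan and isolate if the
    playbook moves from containment into eradication.
    """
    per_source = Counter()
    targets = set()
    for src, dst in connections_to_port(lines, dport):
        if src in known_senders:
            continue
        per_source[src] += 1
        targets.add(dst)
    total = sum(per_source.values())
    return {
        "total_unidentified": total,
        "per_source": dict(per_source),
        "candidate_hosts": sorted(targets),
        "above_baseline": above_baseline(total, history, sigma),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOGS, KNOWN_SENDERS, BASELINE_HISTORY)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The baseline check uses a simple mean plus two standard deviations over the assumed history; in practice the threshold would come from the organisation's own traffic profile, and the candidate host list would feed the isolation and anti-malware steps of the eradication phase.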