CyberOps Incident Response: First Action for Mitigating a Malware Outbreak

Identify and Contain the Malware Outbreak

Question

A malware outbreak is detected by the SIEM and is confirmed as a true positive.

The incident response team follows the playbook to mitigate the threat.

What is the first action for the incident response team?

Answers

Explanations


A. B. C. D.

B.

When a malware outbreak is detected by the SIEM and confirmed as a true positive, the network is under active attack and immediate action is required to mitigate the threat. The incident response team should follow the incident response plan (IRP) to contain the malware and stop it from spreading further.

The first action for the incident response team is to isolate critical hosts from the network. Containment comes first because it stops the malware from reaching other hosts and limits the damage it can cause. Once the critical hosts are isolated, the team can analyze the affected systems without the risk of the malware propagating while the investigation proceeds.

Assessing the network for unexpected behavior is an important step in the incident response process, but it comes after isolating the critical hosts. With the critical hosts contained, the team can assess the network for unexpected behavior and establish the scope and impact of the outbreak.

Patching detected vulnerabilities on critical hosts is another important step, but it follows both containment and the network assessment. Once the scope and impact of the outbreak are known, the team can prioritize patching on critical hosts according to the severity of each vulnerability and the risk it poses to the organization.

Performing analysis based on the established risk factors is likewise an important step, but it also follows containment and the network assessment. Once the scope and impact are known, the team can analyze the affected systems to determine the source and nature of the malware and develop strategies for preventing similar incidents in the future.

In summary, when a malware outbreak is detected by the SIEM and confirmed as a true positive, the incident response team's first action is to isolate critical hosts from the network. This containment step is essential to stop the malware from spreading further and to limit the damage it can cause.