Performing CyberOps Using Cisco Security Technologies: Incident Response Workflow | Exam 350-201-CBRCOR

Actions to Take at This Step in the Incident Response Workflow

Question

A payroll administrator noticed unexpected changes within a piece of software and reported the incident to the incident response team.

Which actions should be taken at this step in the incident response workflow?

Answers

A. Classify the criticality of the information, research the attacker's motives, and identify missing patches.
B. Determine the damage to the business, extract reports, and save evidence according to a chain of custody.
C. Classify the attack vector, understand the scope of the event, and identify the vulnerabilities being exploited.
D. Determine the attack surface, evaluate the risks involved, and communicate the incident according to the escalation plan.

B.

Explanations

When a payroll administrator notices unexpected changes within a piece of software and reports them to the incident response team, the first step in the incident response workflow is to gather information about the incident.

This information can be used to determine the scope of the event, the attack vector, the vulnerabilities being exploited, and the damage caused to the business. Based on this information, the incident response team can then take the appropriate steps to mitigate the incident and prevent it from happening again in the future.

Option A suggests that the incident response team should classify the criticality of the information, research the attacker's motives, and identify missing patches. While these are all important steps in the incident response workflow, they are not the first steps that should be taken when a payroll administrator reports an incident.

Option B suggests that the incident response team should determine the damage to the business, extract reports, and save evidence according to a chain of custody. While these are important steps in the incident response workflow, they should not be the first steps taken.

Option C suggests that the incident response team should classify the attack vector, understand the scope of the event, and identify the vulnerabilities being exploited. These are all important first steps in the incident response workflow and are therefore the correct answer to this question. By classifying the attack vector, the team can determine how the attacker gained access to the software. By understanding the scope of the event, they can determine how far the attack has spread and which systems are affected. By identifying the vulnerabilities being exploited, they can determine how the attacker was able to compromise the system and can patch those vulnerabilities to prevent future attacks.

Option D suggests that the incident response team should determine the attack surface, evaluate the risks involved, and communicate the incident according to the escalation plan. While these are all important steps in the incident response workflow, they are not the first steps that should be taken when a payroll administrator reports an incident.