Cisco Security Technologies: Next Step in Abnormal Behavior Incident Response

Performing CyberOps Using Cisco Security Technologies

Question

The incident response team receives information about the abnormal behavior of a host.

A malicious file is found being executed from an external USB flash drive.

The team collects and documents all the necessary evidence from the computing resource.

What is the next step?

Answers

Explanations

B.

After the incident response team receives information about abnormal behavior of a host and discovers a malicious file being executed from an external USB flash drive, the next step would be to isolate the infected host from the rest of the subnet.

The reason for isolating the infected host is to prevent further spread of the infection to other systems on the network. Isolating the host would involve disconnecting it from the network or placing it on a separate network segment that has restricted connectivity to other parts of the network. This would help contain the spread of the malware and limit the scope of the incident.

Once the infected host has been isolated, the incident response team can begin analyzing the collected evidence to determine the nature of the infection and the extent of the damage. Analyzing the evidence would involve examining system logs, memory dumps, and other artifacts to identify the malware, determine the scope of the infection, and assess the impact on the affected systems and data.

After analyzing the evidence, the incident response team may then conduct a risk assessment of systems and applications to identify any vulnerabilities or weaknesses that could have been exploited by the malware. This would help the team identify areas that require additional security measures and take steps to mitigate the risk of future attacks.

Installing malware prevention software on the host may also be considered as a preventative measure, but only after the incident has been contained and the malware has been removed. Installing prevention software while the malware is still active could cause the malware to hide, making it more difficult to detect and remove. Therefore, isolating the infected host is the first and most critical step in responding to a malware incident.