A threat actor used a phishing email to deliver a file with an embedded macro.
The file was opened, and a remote code execution attack occurred in a company's infrastructure.
Which steps should an engineer take at the recovery stage?
Click on the arrows to vote for the correct answer
A. B. C. D.B.
When a company suffers a remote code execution attack due to a phishing email with an embedded macro, the recovery process should focus on identifying and addressing the vulnerabilities that were exploited by the attacker. The following steps should be taken at the recovery stage:
A. Determine the systems involved and deploy available patches: The first step is to identify which systems were compromised and the extent of the damage. Once the affected systems have been identified, the engineer should deploy any available patches or updates to fix the vulnerabilities that were exploited by the attacker. This will help to prevent similar attacks in the future and improve the overall security posture of the organization.
B. Analyze event logs and restrict network access: It is important to analyze the event logs to identify any suspicious activity that may have occurred before or during the attack. The engineer should also restrict network access to prevent the attacker from continuing to exploit any vulnerabilities in the system.
C. Review access lists and require users to increase password complexity: Access lists should be reviewed to ensure that only authorized users have access to sensitive data and systems. Additionally, users should be required to increase their password complexity to make it harder for attackers to guess or crack their passwords. This will help to prevent future attacks that rely on weak or compromised passwords.
D. Identify the attack vector and update the IDS signature list: The engineer should identify the attack vector used by the attacker and update the IDS signature list to detect and block similar attacks in the future. This will help to improve the overall security posture of the organization and prevent similar attacks from occurring in the future.
In summary, the recovery process should focus on identifying and addressing the vulnerabilities that were exploited by the attacker, analyzing event logs, restricting network access, reviewing access lists, requiring users to increase password complexity, identifying the attack vector, and updating the IDS signature list. By taking these steps, the organization can improve its security posture and prevent similar attacks from occurring in the future.