The SOC is reviewing processes and procedures after a recent incident.
The review indicates it took more than 30 minutes to determine that quarantining an infected host was the best course of action.
This allowed the malware to spread to additional hosts before it was contained.
Which of the following would be BEST to improve the incident response process?
A. Updating the playbooks with better decision points
B. Dividing the network into trusted and untrusted zones
C. Providing additional end-user training on acceptable use
D. Implementing manual quarantining of infected hosts
A.
The incident described in the question highlights the need for a better incident response process. The incident response process is a set of procedures that an organization follows when an incident occurs to minimize the impact of the incident and prevent it from happening again.
Option A: Updating the playbooks with better decision points. This option suggests that the incident response playbook should be updated with better decision points. The playbook provides guidance on what actions should be taken during an incident, and the decision points are the critical points in the process where a decision must be made. By updating the playbook with better decision points, the response team can make decisions faster and more consistently during an incident, which leads to a faster and more effective response.
Option B: Dividing the network into trusted and untrusted zones. This option suggests that the network should be divided into trusted and untrusted zones. Segmentation can help to isolate infected hosts and limit the spread of malware. However, it may not be the best option in this scenario, since the malware had already spread to additional hosts before it was contained.
Option C: Providing additional end-user training on acceptable use. This option suggests that additional end-user training on acceptable use should be provided. While end-user training is important, it may not be the best option in this scenario, since the incident was caused by a malware infection rather than by a policy violation.
Option D: Implementing manual quarantining of infected hosts. This option suggests that infected hosts should be manually quarantined. Manual quarantining involves isolating the infected host from the network to prevent the malware from spreading. This option is the best option in this scenario, since it directly addresses the issue that caused the incident. By implementing manual quarantining, infected hosts can be isolated quickly, which can prevent the malware from spreading to additional hosts.
Therefore, the best option to improve the incident response process would be to implement manual quarantining of infected hosts (Option D). However, updating the playbooks with better decision points (Option A) can also be beneficial in improving the incident response process.