An incident response team is recommending changes after analyzing a recent compromise in which:
-> a large number of events and logs were involved;
-> team members were not able to identify the anomalous behavior and escalate it in a timely manner;
-> several network systems were affected as a result of the latency in detection;
-> security engineers were able to mitigate the threat and bring systems back to a stable state; and
-> the issue reoccurred shortly after and systems became unstable again because the correct information was not gathered during the initial identification phase.
Which two recommendations should be made for improving the incident response process? (Choose two.)
A. Formalize reporting requirements and responsibilities to update management and internal stakeholders throughout the incident-handling process effectively.
B. Improve the mitigation phase.
C. Implement an automated operation to pull system events/logs.
D. Allocate additional resources for the containment phase.
E. Modify the incident handling playbook and checklist to ensure alignment and agreement on roles, responsibilities, and steps before an incident occurs.
The incident described in the question exposes two separate gaps. The first is in detection and escalation: faced with a large volume of events and logs, the team could not identify the anomalous behavior and escalate it in time, so several network systems were affected before the threat was mitigated. The second is in identification: the correct information was not gathered during the initial identification phase, so the root cause was never established and the issue reoccurred shortly after the systems had been stabilized.
To improve the incident response process, the following recommendations should be made:
A. Formalize reporting requirements and responsibilities to update management and internal stakeholders throughout the incident-handling process effectively: This recommendation establishes clear guidelines for who reports what, to whom, and when, at each stage of the incident. With defined escalation and reporting paths, an analyst who spots anomalous behavior knows exactly how to raise it, and management and internal stakeholders are kept informed of the incident's status, impact, and resolution progress. This directly addresses the delay in escalation and ensures the team has the support it needs to handle the incident effectively.
E. Modify the incident handling playbook and checklist to ensure alignment and agreement on roles, responsibilities, and steps before an incident occurs: This recommendation involves reviewing and updating the playbook and checklist so that they match the organization's policies and procedures and are agreed upon in advance. Everyone is then clear on their role during an incident, and the steps to be taken, including which evidence and system information must be collected during the identification phase, are defined before an incident starts rather than improvised under pressure. A checklist of required identification-phase data is the control that prevents the situation described here, where incomplete information led to an incomplete fix and a recurrence.
B, C, and D are also reasonable recommendations, but they do not address the root of the failures highlighted in this incident. Improving the mitigation phase, implementing an automated operation to pull system events/logs, and allocating additional resources for the containment phase can all strengthen an incident response program. However, mitigation and containment were the phases that actually succeeded here, and additional resources or tooling will not by themselves fix unclear escalation responsibilities or a missing checklist of what to collect during identification. In the context of the incident described in the question, formalizing reporting requirements and responsibilities and modifying the incident handling playbook and checklist are the two recommendations that address the failures that occurred.