Question

An organization's IRP prioritizes containment over eradication. An incident has been discovered where an attacker outside of the organization has installed crypto-currency mining software on the organization's web servers. Given the organization's stated priorities, which of the following would be the NEXT step?
a. Remove the affected servers from the network.
b. Review firewall and IDS logs to identify possible source IPs.
c. Identify and apply any missing operating system and software patches
d. Delete the malicious software and determine if the servers must be reimaged

Answer 1

Answer:

a. Remove the affected servers from the network.

Explanation:

An organization's incident response process (IRP) can be defined as all of the process involved in the cleanup and recovery of data when they fall victim to an attack or cybersecurity breach. The incident response process comprises of six (6) important stages and these are;

1. Preparation.

2. Detection and analysis (identification).

3. Containment.

4. Eradication.

5. Recovery.

6. Review of incident activities.

When an organization's IRP prioritizes containment over eradication and an incident is discovered, where an attacker outside the organization installed a crypto-currency mining software on the organization's web servers. Given the organization's stated priorities, the cybersecurity engineer should remove the affected servers from the network.

A containment process is focused on taking steps to eliminate or contain the attack. It basically involves acting swiftly in response to the attack, so as to prevent it from spreading across board or in order to mitigate the damage already caused.

In this context, the cybersecurity engineer should remove the affected servers from the network in accordance with the organization's IRP priority (containment).

Furthermore, he could take a step further to contain the attack by installing a firewall and updating their policies in the Intrusion Prevention System (IPS) of the organization.