You are the CISO at Wonderland county government. The incident response team reports to you that unknown ransomware has successfully attacked the county’s file servers and encrypted production data. As a CISO, which of the following do you think the IR team should conduct next?
A. Identify the root cause and remediate the problem
B. Prioritize the incident
C. Isolate infected machines
D. Validate if the incident is true
Wentz’s Book, The Effective CISSP: Security and Risk Management https://www.amazon.com/dp/B087JL6BXR
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Isolate infected machines.
The following is a general incident response procedure:
- An incident should be validated to make sure it’s a genuine incident.
- The incident is prioritized, categorized, and documented.
- Related parties or stakeholders should be notified, reported, or escalated.
- The incident is contained.
- The root cause of the incident is identified, eradicated, and remediated.
The fact that the IR team has reported the incident to you, the CISO, implies that the team has already validated and prioritized the incident and followed the notification or escalation procedure appropriate to its priority. So the next step should be containing the incident, i.e., “isolating infected machines.”
There are various approaches to IR, so the approach you adopt will affect your answer. In real life, some activities are conducted in parallel. It’s good to understand the different approaches, e.g., those of Sybex, the CBK, NIST, ISACA, or other well-known sources.
Tiers of Incident Response
Since the incident may be analyzed, prioritized, and reported by a tier 1 analyst, a tier 2 responder starts containing the incident after tier 1 triage. The organization’s size and structure may also affect the IR procedure.
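As an added example (mine, not from the post), the procedure above and the tier split are encoded as a small Python dependency graph: given the phases already recorded as complete, it returns what is ready next and which tier owns it, and rejects a record that skips a prerequisite. The phase labels, the tier numbers and the strict ordering are assumptions taken from this post’s sequence, not a standard.

```python
from enum import Enum


class Phase(Enum):
    """Phases of the incident response procedure described in the post."""
    VALIDATE = "validate that the incident is genuine"
    PRIORITIZE = "prioritize, categorize and document"
    NOTIFY = "notify, report or escalate to stakeholders"
    CONTAIN = "contain the incident (isolate infected machines)"
    ERADICATE = "identify the root cause, eradicate and remediate"


# Prerequisites encode the post's sequential procedure as a dependency graph.
# A phase is ready once every prerequisite is complete; frameworks that run
# activities in parallel can be modelled by giving phases the same prerequisites.
PREREQUISITES = {
    Phase.VALIDATE: set(),
    Phase.PRIORITIZE: {Phase.VALIDATE},
    Phase.NOTIFY: {Phase.PRIORITIZE},
    Phase.CONTAIN: {Phase.NOTIFY},
    Phase.ERADICATE: {Phase.CONTAIN},
}

# Tier split from the post: tier 1 triages (validate, prioritize, notify),
# tier 2 takes over at containment. Assumed labels, not a standard.
TIER = {
    Phase.VALIDATE: 1, Phase.PRIORITIZE: 1, Phase.NOTIFY: 1,
    Phase.CONTAIN: 2, Phase.ERADICATE: 2,
}


def check_consistent(completed: set[Phase]) -> None:
    """Reject a record that marks a phase done while a prerequisite is not."""
    for phase in completed:
        missing = PREREQUISITES[phase] - completed
        if missing:
            names = ", ".join(sorted(m.name for m in missing))
            raise ValueError(f"{phase.name} recorded before {names}")


def next_steps(completed: set[Phase]) -> list[tuple[Phase, int]]:
    """Return the phases ready to start, with the tier responsible for each."""
    check_consistent(completed)
    ready = [p for p in Phase if p not in completed and PREREQUISITES[p] <= completed]
    return [(p, TIER[p]) for p in ready]


if __name__ == "__main__":
    # Quiz scenario: the IR team has reported to the CISO, so tier 1 triage is done.
    for phase, tier in next_steps({Phase.VALIDATE, Phase.PRIORITIZE, Phase.NOTIFY}):
        print(f"next: {phase.value} (tier {tier})")
```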
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get their copy from the author’s web site.