An incident responder receives a call from a user who reports a computer is exhibiting symptoms consistent with a malware infection.
Which of the following steps should the responder perform NEXT?
A.
Capture and document necessary information to assist in the response.
B.
Request the user capture and provide a screenshot or recording of the symptoms.
C.
Use a remote desktop client to collect and analyze the malware in real time.
D.
Ask the user to back up files for later recovery.
Why would you use remote desktop client to analyze and document when the first thing you are supposed to do even with a suspected infection is isolate?
I think if any of these answers are possibly correct (since none of them mention isolation/quarantine), it would be A if you were an onsite responder and are able to already isolate and investigate.
11
1
a lot of these answers on here are wrong. The answer is A
3
1
The answer is A. Ive notice this site has a couple of the wrong answers.
3
1
So in here we have a malware infection which we must stop from spreading
The first rule of thumb is to remove the computer from the network so as to stop the spread.
Any analysis is then performed “off line”.
B, C and D do not address the problem that the computer is still connected to the network
“B- Request the user capture and provide a screenshot or recording of the symptoms . “
To what avail? We already know that the system is infected, and that would mean that the computer is still left in the network.
Also, the user may not be the best person to do the work, as the person may not have the required expertize. This is why the user contacted the responder in the first place.
C- Use a remote desktop client to collect and analyze the malware in real time.
If the responder connects remotely to the infected desktop two things happen:
i- The desktop is still left connected to the network, negating the rule of thumb
ii- The Responder’s desktop can now be infected by the Malware, by virtue of his/her desktop connecting remotely to an infected machine. This is the last thing a respectable security person would do
D- Ask the user to back up files for later recovery.
This would
i- Leave the computer still connected to the network
ii- The malware has infected the user data which would now be “backed up”. Not only I would be backing up the data, I would also be backing up the malware
iii- It would be best to first deal with the malware ensuring that the data is free of any infection and then, and only then, the data can be backup.
iv- Otherwise, restoring the data which has been backed up will also restore the malware.
The only possible answer is therefore A- Capture and document necessary information to assist in the response.
3
1
the same question got different answers in different websites
1
1