Exam CS0-003
Question 73

An employee accessed a website that caused a device to become infected with invasive malware. The incident response analyst has:

• created the initial evidence log.

• disabled the wireless adapter on the device.

• interviewed the employee, who was unable to identify the website that was accessed.

• reviewed the web proxy traffic logs.

Which of the following should the analyst do to remediate the infected device?

    Correct Answer: A

    To effectively remediate an infected device, updating the system firmware and reimaging the hardware is the best approach. Reimaging ensures that the system is restored to a known-good state, thereby eliminating any malware that may have persisted. Updating the system firmware is also crucial for addressing any potential vulnerabilities that malware could have exploited. This method provides a thorough and reliable solution to remove all traces of malware and reset the system to a secure state.

Discussion
RobV Option: A

A. Update the system firmware and reimage the hardware. Reimaging the hardware involves wiping the device and restoring it to a known-good state. This is a common and effective remediation technique for malware infections. Updating the system firmware is also a good practice to ensure that known vulnerabilities are patched. It's important to perform these actions to eliminate the malware and any potential persistence mechanisms that may exist.

kmordalv Option: A

Please, who has chosen these options as an answer? B and C have nothing to do with each other. These options are discarded. Let's go with the other two. During an incident, the system must be rebuilt, either from scratch or using an image or backup of the system from a known safe state. If the system was compromised because it contained a security vulnerability, and not because of the use of a compromised user account, it is likely that backups and images of that system will have that same vulnerability. After this explanation, it seems that option D is not the best option, as the malware could have infected system files, and by deleting and restoring the user's profile, the malware would still be there. Option A talks about firmware and reimaging the hardware. Wouldn't it be the software? Normally malware infects system files. Now then, it could be that the malware has exploited some vulnerability in the hardware, and in that case option A would be the best answer and, once the hardware has been updated, proceed to restore the system.

cartman_sc Option: D

Confusing question, but in my opinion updating the firmware does not seem reasonable, since the root cause of the incident is not mentioned. Deleting the profile and recovering from backup seems closest to ideal.

Kmelaun Option: B

B. Due to the following comment.

Kmelaun Option: C

This is tricky because the incident response team wasn't able to determine the root cause, so they wouldn't want to reimage the device; instead you would harden the device by increasing the security.

Kmelaun

Therefore I would pick B. I learned this from Dion's training.

BanesTech Option: D

Based on the actions taken so far and the need to remediate the infected device, the most appropriate option would be: D. Delete the user profile and restore data from backup. By deleting the user profile, you remove any potential lingering malware or malicious configurations associated with that profile. Then, restoring the data from a backup ensures that the device is returned to a known, clean state, reducing the risk of further infection or compromise. This approach effectively removes the malware and restores the device to a safe state without the need for extensive hardware changes or additional software installations.

deeden Option: A

I agree with A since the website cannot be identified and there's no way of knowing the capability of malware without further analysis. It would be better if they clone it to run in a sandbox for study before purging.

LiteralGod Option: A

The more I consider it, the more it makes sense that A is the correct answer. You have to clean the disk to ensure there's no persistence and reinstall the OS from fresh.

nawdawgimgood Option: A

D cannot guarantee elimination of persistence. What kind of script kiddy garbage hides itself in a user profile and not at least in a central drive location? A is the only clear guarantee of remediation.

[Removed] Option: D

D) Deleting the user profile and restoring data from backup would be the best action to remediate the infected device, according to CompTIA CySA+ CS0-003 objective 3.2. Remediation involves removing malware and restoring systems. Deleting the infected user profile and restoring from a clean backup removes the malware persistence while restoring data. A) Firmware updates and full reimage is unnecessary based on the details. B) Additional scanning software is useful but does not directly remediate. C) A proxy server helps prevent future infections but does not address current malware. Therefore, wiping the infected user profile and restoring data from backup aligns closest with effectively remediating the compromised system, as covered in the CS0-003 incident response domain.

[Removed]

If the malware was able to actually install, then there's a good chance it's able to get past the profile as well. At a minimum, it could write to things like the temp directory, public downloads, or tasks.