Exam CS0-003
Question 132

A security analyst discovers an ongoing ransomware attack while investigating a phishing email. The analyst downloads a copy of the file from the email and isolates the affected workstation from the network. Which of the following activities should the analyst perform next?

    Correct Answer: C

    After isolating the affected workstation from the network, the next critical step is to preserve the current state of the machine for forensic analysis by acquiring a bit-level image. This will ensure that all evidence, including potentially important volatile data, is maintained without any further changes. This method captures an exact sector-by-sector copy of the hard drive or storage device, which is essential for a detailed investigation into the attack. This preserves the integrity of the evidence and allows for a comprehensive analysis later to understand the attack's mechanics and prevent future incidents.
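The sector-by-sector acquisition this explanation describes, as an added example (not from the exam page or any named forensic tool): it copies a disk one sector at a time, pads any unreadable sector with zeros and records its offset (the behaviour dd gives with conv=noerror,sync), and hashes the image so its integrity can be verified later. FlakyDevice is a constructed stand-in for the physical disk, which a real acquisition would read through a write blocker.

```python
# Added example (not from the exam page): bit-level acquisition with hashes.
# A BytesIO subclass stands in for the physical disk so this runs offline.
import hashlib
import io

SECTOR_SIZE = 512

class FlakyDevice(io.BytesIO):
    """Constructed stand-in for a disk whose listed offsets are unreadable."""

    def __init__(self, data, bad_offsets=()):
        super().__init__(data)
        self.bad_offsets = set(bad_offsets)

    def read(self, n=-1):
        if self.tell() in self.bad_offsets:
            raise OSError("I/O error: unreadable sector")
        return super().read(n)

def acquire_image(src, dst, sector_size=SECTOR_SIZE):
    """Copy every sector of src to dst; like dd conv=noerror,sync, an
    unreadable sector is written as zeros (so image offsets still match the
    original) and its offset recorded. Returns SHA-256, sector count, bad list."""
    digest, bad, offset = hashlib.sha256(), [], 0
    src.seek(0, io.SEEK_END)
    size = src.tell()
    while offset < size:
        src.seek(offset)
        try:
            chunk = src.read(sector_size)
        except OSError:
            chunk = b"\x00" * sector_size
            bad.append(offset)
        dst.write(chunk)
        digest.update(chunk)
        offset += sector_size
    return {"sha256": digest.hexdigest(), "sectors": offset // sector_size,
            "bad_sectors": bad}

def verify_image(image_bytes, expected_sha256):
    """Re-hash the stored image; a mismatch means the evidence was altered."""
    return hashlib.sha256(image_bytes).hexdigest() == expected_sha256

def demo():
    """Image a constructed 4-sector disk whose third sector is unreadable."""
    data = bytes(range(256)) * 8          # 2048 bytes = 4 sectors of 512
    image = io.BytesIO()
    report = acquire_image(FlakyDevice(data, bad_offsets=[1024]), image)
    return report, image.getvalue()
```

The returned hash and bad-sector list are what goes into the chain-of-custody record; re-running verify_image on the stored file shows whether the image is still what was acquired.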

Discussion
Cpt_Emerald (Option: D)

Answer is D. The analyst has already contained the original infected machine. Next would be to identify the scope of the malware (how many users have been affected). After the spread has been contained, the analyst can go back and acquire the bit-level image for further forensics. Incident response steps, guys.

salthehash (Option: C)

While searching for other mail users who have received the same file (option D) is important for understanding the attack's propagation and identifying potentially affected systems, it may not be the immediate next step after isolating the affected workstation. Acquiring the forensic image takes precedence to ensure that evidence is properly preserved before further actions are taken.

Alizade (Option: C)

The answer is C. Acquire a bit-level image of the affected workstation.

kmordalv (Option: D)

Apologies. After careful analysis of the question, option D is the most logical choice for the proposed scenario.

myazureexams (Option: B)

Certmaster topic 8 is not very clear on ransomware, but it gives this link: https://www.cisa.gov/stopransomware/ransomware-guide. From that guide the steps are somewhat clearer, but sort of confusing. From the link I get that it should be Isolate, but then the next steps are to shut down and disconnect from the network, then also investigate other affected users, to include "email". So this question is very confusing. So is it B, C, or D? It does use the word "NEXT", so it would mean shut down (B). What do you all think, based on that link?

Kmelaun (Option: D)

This information is directly from CertMaster Topic 8B: Incident responders must make quick decisions regarding the most effective containment technique when a system is compromised. The course of action depends on several factors: Ensure the safety and security of all personnel. The first concern of all managers involved with the security response is the safety and security of personnel. Prevent further damage. This will be the overriding priority after the identification of the compromise. Identify whether the intrusion is a primary or a secondary attack (part of a more complex campaign). Avoid alerting the attacker that they have been discovered. Preserve forensic evidence of the intrusion. While waiting for the forensics analyst to arrive, treat the system like any crime scene by preventing anyone from further compromising the system or destroying evidence. Therefore, D would be the most logical answer if we are using this information because it prevents further damage.

section8santa

But you are contradicting yourself by saying that, bud. "Preserve forensic evidence of the intrusion. While waiting for the forensics analyst to arrive" - read before you type, bozzo.

Kmelaun

READ BEFORE YOU TYPE... Searching for other mail users who may have been affected would be preventing further damage! Have you taken the test? Or passed it? Please fix your inner self, because it's very unprofessional to be calling people names based off a difference in opinion. God bless!

section8santa (Option: C)

Acquiring a bit-level image (also known as a forensic image) of the affected workstation is crucial for a couple of reasons: Evidence Preservation: It ensures that all the data on the workstation is preserved in its current state, which is essential for any subsequent forensic investigation. This can help in understanding how the ransomware infection occurred, which could be useful in preventing future attacks. Analysis: With a complete image of the workstation, analysts can perform in-depth analysis without the risk of further contaminating the network or losing critical data. The other options, while potentially relevant in certain contexts, are not the immediate next steps:

RobV (Option: C)

Both Option C and Option D can be part of a comprehensive incident response plan, but if prioritization is necessary, acquiring a bit-level image is often considered an early and essential step in preserving evidence and understanding the immediate impact on the affected system.

deeden (Option: D)

Wow, this is a good one. I feel like D is the next move because it's just not clear whether the threat has been contained after the workstation was isolated. If it is, then people need to be warned first of an ongoing threat so they don't click on any bait. Secure the scene first before starting the investigation.

[Removed] (Option: D)

D) Search for other users. Phishing emails spread like wildfire if not contained. The question states this is ongoing, so it's possible other users can be affected. C is not a viable option, as fixing one workstation is rather pointless if the ransomware spreads to other workstations. Letting the forest burn to save a tree.

a3432e2 (Option: C)

As a computer forensic analyst at a sheriff's office, our training has always been "C. Acquire a bit-level image of the affected workstation" first. While this is an important follow-up action to prevent further spread of the ransomware, it is secondary to preserving the forensic evidence from the affected workstation. Identifying other recipients helps in understanding the scope of the attack but should come after securing and analyzing the evidence from the primary affected machine.

a3432e2

A bit-level image (forensic image) is an exact sector-by-sector copy of the entire hard drive or storage device. (This includes all files, metadata, system configurations, deleted files, and unallocated space.) C is the next step needed.

eddy72 (Option: C)

Answer is C. Creating a bit-level image of the affected workstation captures a complete snapshot of the entire disk. This image can be used for forensic analysis later to understand the attack scope, identify potential entry points, and potentially recover data if decryption isn't feasible.

DustyRex1 (Option: D)

The issue is ongoing; making sure it doesn't spread more is the priority over making a copy.

0ee8014 (Option: C)

Creating a bit-level image, called a forensic image, captures the entire content of the hard drive at that point in time.

LiveLaughToasterBath (Option: C)

Think in terms of a hospital, whose patient PII has been ransomed. This is now a criminal matter. This device has been ransomwared, this device is now evidence. Ideally someone else on your team is going to alert others to not click on that link or investigate further, but you, with your one task of investigating that device, need to preserve the volatile/ephemeral evidence.

[Removed]

This is incorrect. You're willing to let the entire database of medical records get compromised just to save a piece of evidence? You want to isolate and prevent the spread of malware. Question states it's ongoing, so you can't just ignore all other workstations.

Sebatian20

Before you do this ("need to preserve the volatile/ephemeral evidence"), you need to consult legal; thus, legal should be your next step. So with this question, I believe D is the correct answer.

chaddman (Option: D)

Search for other mail users who have received the same file (D): Since the ransomware came through a phishing email, it's crucial to identify other potential victims as quickly as possible to contain the spread of the attack. This would help in taking immediate remedial actions, like isolating affected machines or warning users not to open the malicious file.

dcdc1000 (Option: D)

Answer D, because the question specifically states this is an ongoing ransomware attack.