2 votes
First responders, who are part of a core incident response team, have been working to contain an outbreak of ransomware that also led to data loss. In a rush to isolate the three hosts that were calling out to the NAS to encrypt whole directories, the hosts were shut down immediately without investigation and then isolated.

Which of the following were missed? (Choose two.)

A. CPU, process state tables, and main memory dumps
B. Essential information needed to perform data restoration to a known clean state
C. Temporary file system and swap space
D. Indicators of compromise to determine ransomware encryption
E. Chain of custody information needed for investigation

1 Answer

3 votes

Final answer:

The two aspects that were missed during the rush to isolate the hosts were essential information needed for data restoration and indicators of compromise for determining ransomware encryption.

Step-by-step explanation:

The two aspects that were missed during the rush to isolate the hosts were:

  1. Essential information needed to perform data restoration to a known clean state: When the hosts were shut down immediately without investigation, the opportunity to gather crucial information about the state of the system and the ransomware's impact was lost. This information is necessary to restore the affected data to a clean state.
  2. Indicators of compromise to determine ransomware encryption: By shutting down the hosts without investigation, the chance to examine and identify indicators of compromise, such as file changes, metadata, or log files, was missed. These indicators are key to understanding how the ransomware operated and how it encrypted the directories.

by User Mohamed Chaawa (8.0k points)