The SOC is reviewing processes and procedures after a recent incident. The review indicates it took more than 30 minutes to determine that quarantining an infected host was the best course of action. This allowed the malware to spread to additional hosts before it was contained.

Which of the following would BEST improve the incident response process?

A. Updating the playbook with better decision points
B. Dividing the network into trusted and untrusted zones
C. Providing additional end-user training on acceptable use
D. Implementing manual quarantining of infected hosts

by Cwal (7.6k points)

1 Answer


Final answer:

The best approach to improve the incident response process is to update the playbook with better decision points to allow quick and informed decisions, thus minimizing delays in actions such as quarantining infected hosts. Option A is correct.

Step-by-step explanation:

To improve the incident response process after a scenario where it took too long to quarantine an infected host, the best course of action would be updating the playbook with better decision points. This means refining the procedures and guidelines to assess and contain threats more rapidly.

A solid, well-designed playbook provides clear instructions and criteria, allowing the Security Operations Center (SOC) team to make quick and informed decisions. This can prevent delays in containment actions such as quarantining infected hosts, which might otherwise allow malware to propagate.

While other options like dividing the network into trusted and untrusted zones, providing additional end-user training on acceptable use, and implementing manual quarantining of infected hosts might be elements of a comprehensive cybersecurity strategy, they do not directly address the specific problem of delayed decision-making revealed in the incident.

by Ajay Ghaghretiya (7.9k points)
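As an added example (not part of the question or the answer above), the following Python sketch shows what "better decision points" can look like when a containment playbook is written down explicitly: an ordered list of conditions, each mapped to a defined action, plus a check of how long the decision took against a target derived from the 30-minute figure in the question. The decision point names, host roles, actions, sample alerts and the 30-minute target are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Tuple


@dataclass
class Alert:
    """Facts an analyst has in hand at the decision point (constructed fields)."""
    host: str
    detected_at: datetime
    malware_confirmed: bool
    lateral_movement_seen: bool
    host_role: str  # "workstation", "server" or "domain-controller"


@dataclass
class Decision:
    host: str
    action: str
    decision_point: str
    decided_at: datetime


# Ordered decision points: the first one whose condition holds decides the action.
# A catch-all last entry guarantees the analyst is never left without a next step.
# Names, conditions and actions are constructed for this example.
DecisionPoint = Tuple[str, Callable[[Alert], bool], str]
PLAYBOOK: List[DecisionPoint] = [
    ("DP1: lateral movement observed",
     lambda a: a.lateral_movement_seen, "quarantine_host"),
    ("DP2: confirmed malware on a workstation",
     lambda a: a.malware_confirmed and a.host_role == "workstation", "quarantine_host"),
    ("DP3: confirmed malware on a critical host",
     lambda a: a.malware_confirmed and a.host_role in {"server", "domain-controller"},
     "isolate_and_escalate"),
    ("DP4: nothing confirmed yet",
     lambda a: True, "collect_triage_evidence"),
]

# Assumed target for detection-to-decision time, taken from the 30 minutes in the question.
CONTAINMENT_SLA = timedelta(minutes=30)


def decide(alert: Alert, playbook: List[DecisionPoint] = PLAYBOOK,
           now: Optional[datetime] = None) -> Decision:
    """Walk the playbook in order and return the first matching decision."""
    now = now or datetime.now()
    for name, condition, action in playbook:
        if condition(alert):
            return Decision(alert.host, action, name, now)
    raise ValueError("playbook has no catch-all decision point")


def within_sla(alert: Alert, decision: Decision, sla: timedelta = CONTAINMENT_SLA) -> bool:
    """True if the decision was reached within the target time after detection."""
    return decision.decided_at - alert.detected_at <= sla


def triage(alerts: List[Alert], now: datetime) -> List[Tuple[str, str, str, bool]]:
    """Return (host, action, decision point, within SLA) for each alert."""
    results = []
    for alert in alerts:
        decision = decide(alert, now=now)
        results.append((alert.host, decision.action, decision.decision_point,
                        within_sla(alert, decision)))
    return results


# Constructed sample incident: three alerts, decisions all reached 35 minutes after T0.
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_ALERTS = [
    Alert("ws-017", T0, malware_confirmed=True, lateral_movement_seen=False,
          host_role="workstation"),
    Alert("srv-db-02", T0 + timedelta(minutes=5), malware_confirmed=True,
          lateral_movement_seen=True, host_role="server"),
    Alert("ws-042", T0 + timedelta(minutes=20), malware_confirmed=False,
          lateral_movement_seen=False, host_role="workstation"),
]
SAMPLE_NOW = T0 + timedelta(minutes=35)

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS, SAMPLE_NOW):
        print(row)
```

Run as-is, the first host is flagged as outside the 30-minute target (the situation the question describes), while the other two fall within it. The point of encoding the playbook this way is that the criteria for quarantining are fixed in advance and reviewable, so the time-to-decision becomes a measurable metric rather than a judgement made under pressure.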