3 votes
An organization has hired a red team to simulate attacks on its security posture. Which of the following will the blue team do after detecting an IoC?

1) Reimage the impacted workstations.
2) Activate runbooks for incident response.
3) Conduct forensics on the compromised system.
4) Conduct passive reconnaissance to gather information.

by User Volox (8.5k points)

1 Answer

6 votes

Final answer:

The blue team can take several actions after detecting an IoC, including reimaging impacted workstations, activating runbooks for incident response, and conducting forensics on the compromised system.

Step-by-step explanation:

When the blue team detects an IoC (Indicator of Compromise), there are several actions they may take:

  1. Reimage the impacted workstations: This involves restoring the affected workstations to a known clean state by reinstalling the operating system and software.
  2. Activate runbooks for incident response: Runbooks contain predefined procedures and guidelines for the team to follow in the event of an incident, helping them respond efficiently and effectively.
  3. Conduct forensics on the compromised system: This involves a thorough investigation of the compromised system, analyzing logs, digital artifacts, and other evidence to understand the nature of the attack.

by User Gawbul (7.9k points)
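To make the "activate runbooks" step concrete, here is an added example that is not part of the question or the answer above: a minimal IoC-to-runbook dispatcher of the kind a blue team's SOAR or ticketing glue might run. The threat-intel feed, the runbook contents, the campaign labels and the alerts are all constructed for illustration. It also encodes the ordering a practitioner cares about when combining the three actions the answer lists: evidence is preserved (memory and disk capture) before a workstation is reimaged, because reimaging destroys exactly what forensics needs.

```python
# Added example (not part of the original question or answer): a minimal
# IoC-to-runbook dispatcher. The threat-intel entries, runbooks, campaign
# labels and alerts below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Alert:
    ioc_type: str   # "hash", "ip" or "domain"
    value: str
    host: str


# Constructed threat-intel feed: IoC type -> IoC value -> campaign label.
# 203.0.113.10 is a TEST-NET-3 address; the hash is a made-up placeholder.
THREAT_INTEL = {
    "hash": {"0123456789abcdef0123456789abcdef": "dropper-xyz"},
    "ip": {"203.0.113.10": "c2-beacon"},
    "domain": {"beacon.example.net": "c2-beacon"},
}

# Constructed runbooks as (phase, action) steps. Order matters: evidence is
# preserved before the host is reimaged, otherwise the reimage wipes it.
RUNBOOKS = {
    "c2-beacon": [
        ("contain", "isolate the host from the network"),
        ("preserve", "capture memory and a disk image of the host"),
        ("forensics", "analyze logs and artifacts to scope the intrusion"),
        ("reimage", "restore the host from a known-good image"),
        ("hunt", "search the fleet for the same IoC"),
    ],
    "dropper-xyz": [
        ("contain", "quarantine the file and block the hash at the EDR"),
        ("preserve", "retain the sample and the process tree"),
        ("forensics", "determine how the file arrived on the host"),
        ("reimage", "restore the host from a known-good image"),
    ],
}


def normalize(ioc_type: str, value: str) -> str:
    """Hashes and domains compare case-insensitively; IPs are left as-is."""
    if ioc_type in ("hash", "domain"):
        return value.lower().rstrip(".")
    return value


def match_ioc(alert: Alert) -> Optional[str]:
    """Return the campaign label if the alert's IoC is in the feed, else None."""
    feed = THREAT_INTEL.get(alert.ioc_type, {})
    return feed.get(normalize(alert.ioc_type, alert.value))


def validate_runbook(steps) -> bool:
    """A runbook that reimages a host must preserve evidence first."""
    phases = [phase for phase, _ in steps]
    if "reimage" not in phases:
        return True
    return "preserve" in phases and phases.index("preserve") < phases.index("reimage")


def activate_runbook(alert: Alert) -> dict:
    """Match the IoC and return the incident record the blue team works from."""
    campaign = match_ioc(alert)
    if campaign is None:
        return {"host": alert.host, "campaign": None, "steps": []}
    steps = RUNBOOKS[campaign]
    if not validate_runbook(steps):
        raise ValueError(f"runbook for {campaign} reimages before preserving evidence")
    return {
        "host": alert.host,
        "campaign": campaign,
        "steps": [f"{i}. [{phase}] {action}"
                  for i, (phase, action) in enumerate(steps, 1)],
    }


if __name__ == "__main__":
    # Constructed alerts, as an EDR or NIDS might emit them.
    for a in (Alert("ip", "203.0.113.10", "WS-0042"),
              Alert("domain", "Beacon.Example.NET.", "WS-0042"),
              Alert("hash", "ffffffffffffffffffffffffffffffff", "WS-0099")):
        record = activate_runbook(a)
        print(record["host"], record["campaign"] or "no match")
        for line in record["steps"]:
            print("   ", line)
```

The third constructed alert deliberately matches nothing and yields an empty step list, which is the case a real dispatcher must handle explicitly (route to triage rather than silently drop). `validate_runbook` is the guard worth keeping even if everything else is replaced by a vendor product: a runbook that reimages before capturing evidence will close the ticket but lose the investigation.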