CompTIA CASP+ Exam: Missed Elements in Incident Response for Ransomware Outbreak

Question

First responders, who are part of a core incident response team, have been working to contain an outbreak of ransomware that also led to data loss.

In a rush to isolate the three hosts that were calling out to the NAS to encrypt whole directories, the hosts were shut down immediately without investigation and then isolated.

Which of the following were missed? (Choose two.)

Answers

A. CPU, process state tables, and main memory dumps
B. Essential information needed to perform data restoration to a known clean state
C. Temporary file system and swap space
D. Indicators of compromise to determine ransomware encryption
E. Chain of custody information needed for investigation

Answer: DE.

Explanations

By shutting down and isolating the three hosts that were calling out to the NAS to encrypt directories without first investigating them, the incident response team may have destroyed critical evidence needed to determine the extent of the damage and the source of the attack. The question asks for two of the things that could have been missed; the options are explained below:

A. CPU, process state tables, and main memory dumps: When a system is shut down, the information stored in the main memory, such as running processes, network connections, and system states, is lost. Examining the CPU, process state tables, and memory dumps could provide vital information about the ransomware's behavior and its source. For example, memory dumps could contain information about the ransomware's encryption keys or the attacker's command-and-control servers.

B. Essential information needed to perform data restoration to a known clean state: Shutting down and isolating the affected hosts may have prevented the ransomware from further spreading, but it also means that the essential information needed to restore the systems to a known clean state may have been lost. This information includes backup copies of critical data and system configurations, network maps, and application dependencies. Without this information, it may be challenging to determine which systems need restoration and what data needs to be restored.

C. Temporary file system and swap space: Temporary file systems and swap space are used by the operating system to hold transient files and paged-out memory. Ransomware often writes temporary files while it encrypts data, and examining those files can provide clues about the ransomware's behavior and its source. Additionally, swap space can contain sensitive material that was paged out of memory, such as passwords or cryptographic keys, that would be useful to the investigation.

D. Indicators of compromise to determine ransomware encryption: Indicators of compromise (IOCs) are evidence of malicious activity that can be used to determine the type of ransomware used, its behavior, and its source. IOCs could include file hashes, network traffic patterns, or system logs. By analyzing IOCs, the incident response team can gain a better understanding of the attack's scope and the level of damage caused by the ransomware.

E. Chain of custody information needed for investigation: The chain of custody information tracks the handling of evidence from the time it is discovered until it is presented in court. It includes information such as who collected the evidence, when and where it was collected, who had custody of the evidence, and how it was stored and transported. Failing to document the chain of custody could lead to the evidence being dismissed in court or may make it challenging to determine its authenticity.

In summary, the two things that may have been missed by the incident response team are the CPU, process state tables, and main memory dumps, and essential information needed to perform data restoration to a known clean state.
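The following is an added example, not part of the original question or its explanation, that ties options A, C and E together in code: it ranks planned acquisitions by order of volatility (loosely following RFC 3227, with class labels that are this example's own), flags which artifacts a hard power-off would have destroyed, and keeps a hashed chain-of-custody record so that each handoff is logged and any later modification of an artifact is detectable. The sample artifact bytes, names and timestamps are constructed for the demonstration.

```python
import hashlib
import json
from dataclasses import dataclass, field, asdict
from typing import Dict, List

# Order of volatility, most volatile first (after RFC 3227's guidance; the
# class labels are this example's own, not a standard vocabulary).
ORDER_OF_VOLATILITY: List[str] = [
    "cpu_registers_cache",
    "memory_and_process_tables",   # option A in the question
    "network_state",
    "temp_files_and_swap",         # option C
    "disk_image",
    "remote_logs",
    "physical_config_and_media",
]

# Everything ahead of the disk image lives in RAM or is rewritten at boot, so a
# hard power-off destroys it before it can be captured.
LOST_ON_SHUTDOWN = set(ORDER_OF_VOLATILITY[:ORDER_OF_VOLATILITY.index("disk_image")])


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    volatility_class: str
    sha256: str                 # hash taken at acquisition time
    collected_by: str
    collected_at: str           # ISO-8601 timestamp supplied by the responder
    custody: List[dict] = field(default_factory=list)   # handoff history


class CustodyLog:
    """In-memory chain-of-custody register; to_json() produces the case-file record."""

    def __init__(self) -> None:
        self.items: Dict[str, EvidenceItem] = {}

    def acquire(self, item_id, description, volatility_class, data: bytes, collector, when):
        if volatility_class not in ORDER_OF_VOLATILITY:
            raise ValueError(f"unknown volatility class {volatility_class!r}")
        item = EvidenceItem(item_id, description, volatility_class, sha256_hex(data), collector, when)
        item.custody.append({"event": "acquired", "who": collector, "when": when})
        self.items[item_id] = item
        return item

    def transfer(self, item_id, from_person, to_person, when, reason) -> None:
        # A handoff is only valid from whoever the log says currently holds the item.
        holder = self.current_holder(item_id)
        if holder != from_person:
            raise ValueError(f"{from_person} does not hold {item_id}; current holder is {holder}")
        self.items[item_id].custody.append(
            {"event": "transferred", "from": from_person, "who": to_person, "when": when, "reason": reason}
        )

    def current_holder(self, item_id) -> str:
        return self.items[item_id].custody[-1]["who"]

    def verify(self, item_id, data: bytes) -> bool:
        """True if the artifact still matches the hash recorded at acquisition."""
        return self.items[item_id].sha256 == sha256_hex(data)

    def collection_order(self) -> List[str]:
        """Item ids most-volatile-first: the order a live response should capture them in."""
        return sorted(self.items, key=lambda i: ORDER_OF_VOLATILITY.index(self.items[i].volatility_class))

    def to_json(self) -> str:
        return json.dumps({k: asdict(v) for k, v in self.items.items()}, indent=2, sort_keys=True)


def lost_if_powered_off(volatility_classes) -> List[str]:
    """Which of the planned artifacts a hard shutdown would have destroyed."""
    return [c for c in volatility_classes if c in LOST_ON_SHUTDOWN]


if __name__ == "__main__":
    # Constructed sample artifacts standing in for real acquisitions from one host.
    log = CustodyLog()
    log.acquire("host1-mem", "memory image of host1", "memory_and_process_tables",
                b"<constructed memory image bytes>", "responder A", "2024-01-01T10:00:00Z")
    log.acquire("host1-swap", "swap partition copy of host1", "temp_files_and_swap",
                b"<constructed swap bytes>", "responder A", "2024-01-01T10:20:00Z")
    log.acquire("host1-disk", "disk image of host1", "disk_image",
                b"<constructed disk image bytes>", "responder A", "2024-01-01T11:30:00Z")
    log.transfer("host1-mem", "responder A", "analyst B", "2024-01-01T12:00:00Z", "memory analysis")
    print(log.collection_order())
    print(lost_if_powered_off(["memory_and_process_tables", "temp_files_and_swap", "disk_image"]))
    print(log.to_json())
```

Run stand-alone, the script lists the acquisitions memory-first, reports that the memory image and swap copy would have been lost to a shutdown while the disk image would not, and prints the custody record. The hash recorded at acquisition is what later lets an analyst show the artifact presented is the one collected, which is the point of option E.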