A security analyst at a financial institution is reviewing a new bulletin from the national Computer Emergency Response Team (CERT). The bulletin describes a phishing campaign targeting the financial sector and includes specific malware hashes and command-and-control (C2) server IP addresses. What is the most effective immediate action for the analyst to take with this information?
Archive the bulletin and its IoCs for inclusion in the next quarterly risk assessment report.
Integrate the malware hashes and IP addresses into the SIEM and EDR systems to hunt for existing compromises and create new detection rules.
Immediately disconnect the primary internet connection to prevent any potential C2 communication.
Forward the bulletin to all employees to warn them about the new phishing campaign.
The correct action is to integrate the indicators of compromise (IoCs) from the bulletin into the organization's security tools. By adding the malware hashes and C2 IP addresses to the Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) systems, the analyst can create detection rules to alert on future activity and perform threat hunting to search for any existing, previously undetected signs of compromise. Forwarding the bulletin to all employees is a useful awareness step but not the most direct technical action for an analyst. Disconnecting the internet is an extreme overreaction that would cause a major business disruption. Archiving the bulletin without acting on it negates the value of timely threat intelligence.