An organization has detected a breach that resulted in unauthorized access to its customer database. Despite efforts to isolate the infected systems, the threat actor maintains persistence in the environment. Which of the following actions would be the MOST effective next step in the recovery process?
Apply patches to the infected systems to close the vulnerabilities exploited by the threat actor.
Increase network monitoring to catch further malicious activities by the threat actor.
Disconnect the infected systems from the network and perform a basic clean-up using antivirus software.
Re-image the infected systems to a known good state before reintegrating them back into the network environment.
Re-imaging the infected systems is considered an effective step in the eradication process as it ensures the complete removal of any malicious software or backdoors left by the threat actor. Simply disconnecting or performing basic clean-up on compromised systems may not guarantee the removal of all components of the threat.