An initial action in incident investigation is to identify indicators of compromise, often called IOCs. IOCs are observable artifacts that suggest malicious activity, such as suspicious IP addresses, domains, file hashes, registry keys, process names, login patterns, or unusual network connections. Identifying IOCs helps determine whether an incident exists, what systems may be affected, and what evidence should be collected next. Creating a timeline is important, but it normally depends on first gathering relevant indicators and event data. Writing a threat intelligence report is a later analytical or communication activity. Removing threats from the system is part of containment or eradication and should be performed carefully after enough evidence is preserved and scope is understood. In security operations, moving too quickly to remove artifacts can destroy evidence and weaken understanding of the incident. The investigation process should establish source, scope, impact, and containment priorities. Reference/topics: Security Operations 6.1, investigate and mitigate; Security Operations 6.3, incident response plan.
Batch 4 — Questions 41–55
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit