An incident response team is handling a worm infection among their user workstations. They created an IPS signature to detect and block worm activity on the border IPS, then removed the worm's artifacts or workstations triggering the rule. Despite this action, worm activity continued for days after. Where did the incident response team fail?
Identifying and scoping an incident during triage is important to successfully handling a security incident. The detection methods used by the team didn't detect all the infected workstations.
Currently there are no comments in this discussion, be the first to comment!