
Weekly CISSP Practice

Exam Questions

Week 27 - Question 1

Scenario: During an incident response, you discovered malware on a server. The malware was promptly removed, and the server was restored. What should be your next step?

 

A.  Close the incident

B.  Conduct a lessons-learned meeting

C.  Update security policies

D.  Analyze root cause

 

Answer:  D

A. Close the Incident

Closing the incident is the final administrative action.

  • The Risk: If you close the incident immediately after "cleaning" the server, you are leaving the door open for a re-infection. If the malware arrived via an unpatched vulnerability or a compromised service account, the attacker can simply re-infect the server five minutes after you "close" the ticket.

B. Conduct a Lessons-Learned Meeting

The "Lessons Learned" or Post-Incident Review (PIR) is a critical part of the Post-Incident Activity phase.

  • The Timing: This meeting involves stakeholders from various departments to discuss the response process. To have a productive meeting, you first need the technical data from the root cause analysis. You can't learn "how to prevent this" if you don't yet know "how it happened."

C. Update Security Policies

Updating policies is a Directive Control that may result from an incident.

  • The Scope: If the root cause analysis shows that the malware was installed because an admin used a personal USB drive, you might update the "Acceptable Use Policy." However, you shouldn't change high-level policies based on every single malware infection until you understand if the problem was a policy failure or a technical failure.

D. Analyze Root Cause

Root Cause Analysis (RCA) belongs to the Eradication and Recovery phase. Eradication is not complete when the artifact is gone; it is complete when the condition that allowed the artifact in is gone.

  • Why it's the Answer: Removing the malware and restoring the server addressed the symptom, not the cause. Was it a phishing email? An open RDP port? A zero-day exploit? Analyzing the root cause lets you patch the specific hole, rotate the specific compromised credentials, remove any persistence the attacker left behind, or fix the specific misconfiguration that led to the breach. Only with that answer in hand can the lessons-learned meeting (B) draw useful conclusions, can any policy change (C) be justified, and can the incident (A) be closed with confidence that it will not simply reopen.
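What "analyze root cause" looks like in practice, as an added example that is not part of the original page: start from the artifact that was cleaned (the malware file), sort the available events into a timeline, and walk backwards to the earliest event by the same principal that explains how the file arrived. The log lines, the server, the `svc_backup` account and the two-hour look-back window are all constructed assumptions for illustration; the point is that the eradication actions fall out of the timeline, not out of the quarantine alert.

```python
"""Root-cause timeline reconstruction over constructed sample logs.

Added example, not from the original page. Models the "Analyze Root Cause"
step: locate the malware drop, find the initial-access event that preceded
it, and derive the eradication actions that closing the ticket early skips.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample events for a hypothetical Windows server and a
# hypothetical service account. Deliberately out of order, because real
# evidence arrives from several sources and must be sorted first.
SAMPLE_LOG = r"""
2024-05-02T09:30:00Z av   user=SYSTEM path=C:\Windows\Temp\upd.exe action=quarantine
2024-05-02T01:14:02Z file user=svc_backup path=C:\Windows\Temp\upd.exe action=create
2024-05-02T01:12:04Z auth user=svc_backup src=203.0.113.77 method=rdp result=success
2024-05-02T01:11:58Z auth user=svc_backup src=203.0.113.77 method=rdp result=failure
2024-05-02T01:11:50Z auth user=svc_backup src=203.0.113.77 method=rdp result=failure
2024-05-01T22:05:13Z auth user=svc_backup src=10.0.4.21 method=rdp result=success
2024-05-02T01:20:11Z reg  user=svc_backup path=C:\Windows\Temp\upd.exe action=run_key_persist
"""

# Assumed internal address space; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def parse_events(text):
    """Parse 'timestamp kind k=v k=v ...' lines into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, rest = LINE_RE.match(line).groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        fields["kind"] = kind
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def is_external(src):
    ip = ipaddress.ip_address(src)
    return not any(ip in net for net in INTERNAL_NETS)


def trace_root_cause(events, artifact, window=timedelta(hours=2)):
    """Walk back from the creation of `artifact` to the initial-access event.

    Returns the earliest successful logon by the same principal inside the
    look-back window, the failed logons that preceded it, any persistence
    the principal established afterwards, and the eradication actions
    implied by those findings.
    """
    drop = next(e for e in events
                if e["kind"] == "file" and e.get("path") == artifact
                and e.get("action") == "create")
    actor = drop["user"]
    prior = [e for e in events if e["user"] == actor
             and drop["ts"] - window <= e["ts"] < drop["ts"]]
    logon = next((e for e in prior
                  if e["kind"] == "auth" and e.get("result") == "success"), None)
    failures = [e for e in prior
                if e["kind"] == "auth" and e.get("result") == "failure"]
    persistence = [e for e in events if e["user"] == actor
                   and e["ts"] > drop["ts"] and e["kind"] == "reg"]

    actions = [f"rotate or disable credentials for {actor}"]
    if logon is not None and is_external(logon["src"]):
        actions.append(f"block {logon['method']} from the internet "
                       f"(initial access from {logon['src']})")
    for p in persistence:
        actions.append(f"remove persistence: {p['action']} for {p['path']}")

    return {
        "malware_drop": drop,
        "initial_access": logon,
        "failed_logons_before": len(failures),
        # Assumed threshold: two or more failures right before success
        # is treated as a credential-guessing indicator.
        "brute_force_suspected": len(failures) >= 2,
        "persistence": persistence,
        "eradication_actions": actions,
    }


if __name__ == "__main__":
    result = trace_root_cause(parse_events(SAMPLE_LOG), r"C:\Windows\Temp\upd.exe")
    print("initial access:", result["initial_access"])
    for action in result["eradication_actions"]:
        print("eradicate:", action)
```

Note what the timeline exposes that the quarantine alert alone did not: the file was dropped by an interactive RDP session for `svc_backup` from an external address, preceded by failed logons and followed by a Run-key persistence entry. Closing the ticket after deleting `upd.exe` would have left the account, the exposed RDP service and the persistence entry in place, which is exactly the re-infection path the explanation of option A warns about. The internal logon three hours earlier falls outside the window and is correctly left out of the attack chain.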
