Performing CyberOps Using Cisco Security Technologies (CBRCOR) — Question 6
An organization had a breach due to a phishing attack. An engineer leads a team through the recovery phase of the incident response process. Which action should be taken during this phase?
Answer options
- A. Host a discovery meeting and define configuration and policy updates
- B. Update the IDS/IPS signatures and reimage the affected hosts
- C. Identify the systems that have been affected and tools used to detect the attack
- D. Identify the traffic with data capture using Wireshark and review email filters
Correct answer: B
Explanation
The correct action is to update the IDS/IPS signatures and reimage the affected hosts, because this helps eliminate any remaining threats and ensures that the systems are secured. The other options, while important, focus on identification and policy updates rather than on the immediate recovery actions needed to restore the affected systems.