CompTIA CySA+ (CS0-002) — Question 390
The SOC has received reports of slowness across all workstation network segments. The currently installed antivirus has not detected anything, but a different anti-malware product was just downloaded and has revealed a worm is spreading. Which of the following should be the NEXT step in this incident response?
Answer options
- A. Send a sample of the malware to the antivirus vendor and request urgent signature creation.
- B. Begin deploying the new anti-malware on all uninfected systems.
- C. Enable an ACL on all VLANs to contain each segment.
- D. Compile a list of IoCs so the IPS can be updated to halt the spread.
Correct answer: D
Explanation
The correct answer is D. The worm has already been identified, so the next phase is containment, and the indicators the second anti-malware product surfaced (the ports the worm scans, the hosts it contacts, recognisable content in its propagation traffic) are exactly what the IPS needs to drop the worm's traffic at the network chokepoints while legitimate traffic keeps flowing. Option A is an eradication follow-up rather than a next step: a vendor signature does nothing until it ships, and the worm keeps spreading in the meantime. Option B protects individual hosts as they are touched but does not stop the propagation traffic already moving between segments. Option C is also a containment measure, but blanket ACLs on every VLAN cut legitimate inter-segment traffic along with the worm, which is far more disruptive than targeted IPS blocking; it is the coarser fallback if the IPS update does not halt the spread.
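To make the "compile IoCs and update the IPS" step concrete, here is an added example that is not part of the exam page: a small Python script that turns a compiled worm IoC list into Suricata/Snort-style drop rules and sanity-checks the rule set before it is pushed to the sensor. Every indicator in it is constructed (RFC 5737 documentation addresses, a made-up four-byte payload marker, arbitrary ports), `$HOME_NET` is assumed to be defined in the sensor configuration, and the SID range is an arbitrary local one.

```python
"""Compile worm IoCs into IPS drop rules (added example, constructed indicators)."""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class WormIocs:
    """Indicators a SOC would compile from the anti-malware findings."""
    c2_ips: list = field(default_factory=list)            # hosts the worm contacts outbound
    spread_ports: list = field(default_factory=list)      # TCP ports it probes on peers
    payload_markers: list = field(default_factory=list)   # byte sequences seen in its propagation traffic


def _hex_content(marker: bytes) -> str:
    """Render bytes in the |xx xx| hex notation used by Suricata/Snort content matches."""
    return "|" + " ".join(f"{b:02x}" for b in marker) + "|"


def build_ips_rules(iocs: WormIocs, base_sid: int = 1000001) -> list:
    """Emit one drop rule per indicator, each with a unique SID."""
    rules = []
    sid = base_sid
    # 1. Block contact with the worm's external hosts from any internal machine.
    for ip in iocs.c2_ips:
        ipaddress.ip_address(ip)  # raises ValueError on a mistyped IoC instead of shipping a bad rule
        rules.append(
            f'drop ip $HOME_NET any -> {ip} any '
            f'(msg:"WORM outbound contact {ip}"; sid:{sid}; rev:1;)')
        sid += 1
    # 2. Drop the propagation payload itself between workstations on the ports it uses.
    for marker in iocs.payload_markers:
        for port in iocs.spread_ports:
            rules.append(
                f'drop tcp $HOME_NET any -> $HOME_NET {port} '
                f'(msg:"WORM propagation payload on tcp/{port}"; flow:to_server,established; '
                f'content:"{_hex_content(marker)}"; sid:{sid}; rev:1;)')
            sid += 1
    # 3. Rate-limit the scanning behaviour: detection_filter fires on every SYN after a
    #    source has sent more than `count` to a spread port inside `seconds`.
    for port in iocs.spread_ports:
        rules.append(
            f'drop tcp $HOME_NET any -> $HOME_NET {port} '
            f'(msg:"WORM scan burst to tcp/{port}"; flags:S; '
            f'detection_filter:track by_src, count 30, seconds 10; sid:{sid}; rev:1;)')
        sid += 1
    return rules


_RULE_RE = re.compile(
    r'^(drop|alert|pass|reject)\s+\S+\s+\S+\s+\S+\s+->\s+\S+\s+\S+\s+\((.*;)\)$')


def check_ruleset(rules: list) -> int:
    """Cheap pre-push check: each rule has the action/header/options shape and a unique SID."""
    seen = set()
    for rule in rules:
        m = _RULE_RE.match(rule)
        if m is None:
            raise ValueError(f"malformed rule: {rule}")
        sid = re.search(r'\bsid:(\d+);', m.group(2))
        if sid is None:
            raise ValueError(f"rule without sid: {rule}")
        if sid.group(1) in seen:
            raise ValueError(f"duplicate sid {sid.group(1)}")
        seen.add(sid.group(1))
    return len(seen)


# Constructed sample IoC list; nothing here refers to a real campaign.
SAMPLE_IOCS = WormIocs(
    c2_ips=["203.0.113.10", "198.51.100.7"],
    spread_ports=[445, 135],
    payload_markers=[b"\xde\xad\xbe\xef"],
)

if __name__ == "__main__":
    ruleset = build_ips_rules(SAMPLE_IOCS)
    print(f"{check_ruleset(ruleset)} rules ready for the sensor")
    print("\n".join(ruleset))
```

Two design points worth noting. The file hashes the anti-malware product reports are deliberately absent from `WormIocs`: a network IPS acts on traffic, so hashes go to the AV vendor (option A) as a follow-up, while ports, peers and payload content are what the sensor can block now. And every rule is scoped to the worm's own behaviour (its hosts, its payload, its scan rate) rather than to whole ports, which is the difference between this step and the blanket VLAN ACLs of option C.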