GIAC Certified Enterprise Defender (GCED) — Question 4
An incident response team is handling a worm infection among their user workstations. They created an IPS signature to detect and block worm activity on the border IPS, then removed the worm's artifacts from the workstations that triggered the rule. Despite this action, worm activity continued for days afterwards. Where did the incident response team fail?
Answer options
- A. The team did not adequately apply lessons learned from the incident
- B. The custom rule did not detect all infected workstations
- C. They did not receive timely notification of the security event
- D. The team did not understand the worm’s propagation method
Correct answer: B
Explanation
The correct answer is B. The team scoped the infection by the set of hosts that tripped the border IPS rule, but a border sensor only sees traffic that crosses the perimeter. Workstations that the worm reached and that then only spread to internal peers never generate a border alert, so they were never identified or cleaned, and they kept reinfecting the hosts that had been remediated. Cleaning only the workstations that triggered the rule therefore left part of the infected population in place; eradication should be preceded by enumerating every infected host, using internal telemetry (switch or flow data, endpoint logs, host-based indicators), not just the perimeter rule. The other options, while relevant to incident management, do not match the facts given: the team was already responding, so C does not apply; a working signature shows they understood at least the network behaviour they needed to block, so D is not the primary failure; and lessons learned (A) belong to the post-incident phase, after the worm has been eradicated.
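The following script illustrates the scoping gap described above. It is an added example written for this page, not GIAC material or the team's tooling; the log formats, host addresses, the 10.10.0.0/16 internal range, the worm port (445) and the fan-out threshold are all constructed assumptions. It compares the hosts that tripped a border IPS rule with the hosts that internal flow records show fanning out to many internal peers on the worm's port, and reports the workstations that would have been left uncleaned.

```python
"""Why cleaning only the hosts that tripped the border IPS undercounts a worm.

Added example for this question (not GIAC material). All addresses, log
formats, the internal range and the thresholds below are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the workstation range. Anything outside it is "the Internet".
INTERNAL = ip_network("10.10.0.0/16")
WORM_PORT = "445"

# Constructed border-IPS alerts: only traffic that crossed the perimeter shows up here.
IPS_ALERTS = """\
2024-05-01T08:02:11Z WORM-SCAN src=10.10.1.15 dst=203.0.113.40 dport=445 action=block
2024-05-01T08:02:13Z WORM-SCAN src=10.10.1.15 dst=198.51.100.7 dport=445 action=block
2024-05-01T08:05:40Z WORM-SCAN src=10.10.2.8 dst=203.0.113.99 dport=445 action=block
"""


def _fanout(src, n, port=WORM_PORT):
    """Constructed flow records for one host probing n distinct internal peers."""
    return [f"src={src} dst=10.10.9.{i} dport={port}" for i in range(1, n + 1)]


# Constructed internal (east-west) flow records, as a switch/NetFlow collector would see them.
INTERNAL_FLOWS = (
    _fanout("10.10.1.15", 40)   # also tripped the border rule
    + _fanout("10.10.2.8", 40)  # also tripped the border rule
    + _fanout("10.10.3.22", 40)  # spread only internally: invisible to the border IPS
    + _fanout("10.10.4.5", 12)   # same, smaller fan-out
    + [  # normal file-server use: a few flows to two servers, not a scan
        "src=10.10.5.1 dst=10.10.0.10 dport=445",
        "src=10.10.5.1 dst=10.10.0.11 dport=445",
        "src=10.10.5.2 dst=10.10.0.10 dport=445",
    ]
)


def parse_kv(line):
    """Split 'key=value' tokens; timestamps and rule names carry no '=' and are skipped."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def hosts_from_border_alerts(alert_text):
    """Internal sources that tripped the border IPS rule: the set the team cleaned."""
    hosts = set()
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        src = ip_address(parse_kv(line)["src"])
        if src in INTERNAL:
            hosts.add(str(src))
    return hosts


def hosts_scanning_internally(flow_lines, port=WORM_PORT, min_targets=10):
    """Internal hosts contacting at least min_targets distinct internal peers on the worm port."""
    targets = defaultdict(set)
    for line in flow_lines:
        rec = parse_kv(line)
        if rec.get("dport") != port:
            continue
        src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
        if src in INTERNAL and dst in INTERNAL:
            targets[str(src)].add(str(dst))
    return {host for host, seen in targets.items() if len(seen) >= min_targets}


def scope_infection(alert_text=IPS_ALERTS, flow_lines=INTERNAL_FLOWS):
    """Compare perimeter-only scoping with internal-telemetry scoping."""
    cleaned = hosts_from_border_alerts(alert_text)
    spreading = hosts_scanning_internally(flow_lines)
    return {
        "cleaned": cleaned,                      # what the team remediated
        "still_infected": spreading - cleaned,   # never alerted, never cleaned
        "all_suspected": cleaned | spreading,    # what eradication should cover
    }


if __name__ == "__main__":
    for label, hosts in scope_infection().items():
        print(f"{label:15s} {sorted(hosts)}")
```

With the constructed data, the border rule accounts for two hosts while the internal flow records show four scanners; the two that only spread east-west are exactly the ones that keep the outbreak alive after the "cleaned" hosts are rebuilt. The same comparison works against real IPS and flow exports once `parse_kv` is adapted to their field names.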