Step 12. Incident response
You can perform the following response actions:
- Isolate the asset from the network.
- Perform a virus scan.
- Prevent the file from running on assets.
The listed actions are available if KUMA is integrated with Kaspersky Security Center and Kaspersky Endpoint Detection and Response.
Example
The analyst has information about the incident-related assets and the indicators of compromise. This information helps select the response actions.
As part of the incident being considered, it is recommended to perform the following actions:
- Start an unscheduled virus scan of the asset where the file was added to autorun.
  The virus scan task is started by means of Kaspersky Security Center.
- Isolate the asset from the network for the period of the virus scan.
  The asset isolation is performed by means of Kaspersky Endpoint Detection and Response.
- Quarantine the ChromeUpdate.bat file and create the execution prevention rules for this file on other assets in the organization.
  An execution prevention rule for a file is created by means of Kaspersky Endpoint Detection and Response.