Based on this behavior, which of the following actions should be taken FIRST to prevent a more serious compromise?

In SIEM software, a security analyst detected some changes to hash signatures from monitored files during the night, followed by SMB brute-force attacks against the file servers.

Based on this behavior, which of the following actions should be taken FIRST to prevent a more serious compromise?
A. Fully segregate the affected servers physically in a network segment, apart from the production network.
B. Collect the network traffic during the day to understand if the same activity is also occurring during business hours.
C. Check the hash signatures, comparing them with malware databases to verify if the files are infected.
D. Collect all the files that have changed and compare them with the previous baseline.

Answer: C

Explanation:

The first action that should be taken to prevent a more serious compromise is to check the hash signatures, comparing them with malware databases to verify if the files are infected. This will help to determine if the changes to hash signatures were caused by malicious software or legitimate updates. If the files are infected, they should be quarantined and removed from the network. Checking the hash signatures will also help to identify the type and source of the malware, which can inform further actions such as blocking malicious domains or IPs, updating antivirus signatures, or notifying users.
