An incident response team requires documentation for an email phishing campaign - CompTIA CLO-002

Question

An incident response team requires documentation for an email phishing campaign against a company's email server. Which of the following is the BEST resource to use to start the investigation?

Answers
  A. Audit and system logs (correct)
  B. Change management procedures
  C. Departmental policies
  D. Standard operating procedures
Explanation

Correct Answer: A. Audit and system logs

Audit and system logs are the best resource to start an investigation into an email phishing campaign. These logs contain records of events related to system activity, such as login attempts, email traffic, and any suspicious activities. By analyzing audit and system logs, the incident response team can trace the origin and impact of the phishing campaign, identify compromised accounts, and assess the scope of the attack.

  • Why it’s correct:
    • Audit logs provide a detailed history of events on the email server, including authentication attempts, administrative actions, and unusual access patterns tied to the phishing attack.
    • System and mail transfer logs record which messages were received or sent, from which sending hosts, and to which recipients; correlated with web proxy or endpoint logs, they show whether malicious links or attachments were actually opened.
    • Logs are vital for identifying the source of the attack, understanding how the phishing attempt was executed, and gathering evidence for further action. Because they are evidence, copy them to protected storage and record their hashes before analysis, so they cannot be altered or rotated away while the investigation is under way.
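The kind of log triage described above, as an added example that is not part of the original page: it parses constructed mail-server and login-audit lines (the two line formats, the host names and the addresses are assumptions made for this example), scopes the campaign to the recipients who actually received mail from the flagged sender domain, records the sending hosts as the origin, and then flags any of those recipients who logged in successfully after delivery from an IP address their account had never used before the campaign.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample logs for this example (not real data). The line formats are
# assumptions: a simplified mail-server inbound log and an account-login audit log.
MAIL_LOG = """
2024-05-02T08:12:03Z mail inbound from=<it-support@examp1e-corp.com> to=<alice@example.com> client=203.0.113.45 status=delivered
2024-05-02T08:12:04Z mail inbound from=<it-support@examp1e-corp.com> to=<bob@example.com> client=203.0.113.45 status=delivered
2024-05-02T08:12:05Z mail inbound from=<it-support@examp1e-corp.com> to=<carol@example.com> client=203.0.113.45 status=rejected
2024-05-02T09:00:00Z mail inbound from=<newsletter@vendor.example> to=<alice@example.com> client=192.0.2.10 status=delivered
2024-05-02T09:01:00Z mail queue-manager: flush completed
""".strip().splitlines()

AUTH_LOG = """
2024-05-01T07:55:00Z auth user=alice@example.com result=success ip=198.51.100.7
2024-05-01T08:01:00Z auth user=bob@example.com result=success ip=198.51.100.8
2024-05-02T08:30:00Z auth user=alice@example.com result=success ip=198.51.100.7
2024-05-02T08:41:15Z auth user=alice@example.com result=success ip=203.0.113.45
2024-05-02T08:50:00Z auth user=bob@example.com result=failure ip=203.0.113.45
2024-05-02T10:00:00Z auth user=carol@example.com result=success ip=203.0.113.99
""".strip().splitlines()

MAIL_RE = re.compile(
    r"^(?P<ts>\S+) mail inbound from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> "
    r"client=(?P<client>\S+) status=(?P<status>\w+)$"
)
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) result=(?P<result>\w+) ip=(?P<ip>\S+)$"
)


def parse(lines, pattern):
    """Parse log lines into dicts; lines that do not match are skipped, not fatal."""
    events = []
    for line in lines:
        m = pattern.match(line)
        if m is None:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def phishing_deliveries(mail_events, sender_domain):
    """Scope the campaign: {recipient: earliest delivery time} for delivered mail
    from the flagged sender domain, plus the set of sending client IPs (the origin)."""
    delivered, origins = {}, set()
    for ev in mail_events:
        if ev["sender"].rsplit("@", 1)[-1].lower() != sender_domain.lower():
            continue
        origins.add(ev["client"])
        if ev["status"] == "delivered":
            rcpt = ev["rcpt"].lower()
            delivered[rcpt] = min(ev["ts"], delivered.get(rcpt, ev["ts"]))
    return delivered, origins


def suspicious_logins(auth_events, delivered):
    """Flag successful logins by a phished recipient, after the phish was delivered,
    from an IP that account had never used before delivery (new-location heuristic)."""
    baseline = defaultdict(set)
    for ev in auth_events:
        user = ev["user"].lower()
        if user in delivered and ev["result"] == "success" and ev["ts"] < delivered[user]:
            baseline[user].add(ev["ip"])
    findings = []
    for ev in auth_events:
        user = ev["user"].lower()
        if (user in delivered and ev["result"] == "success"
                and ev["ts"] >= delivered[user] and ev["ip"] not in baseline[user]):
            findings.append((user, ev["ip"], ev["ts"]))
    return findings


def investigate(mail_lines, auth_lines, sender_domain):
    """Tie the two logs together into an initial scoping report."""
    delivered, origins = phishing_deliveries(parse(mail_lines, MAIL_RE), sender_domain)
    findings = suspicious_logins(parse(auth_lines, AUTH_RE), delivered)
    return {
        "origins": sorted(origins),
        "targeted": sorted(delivered),
        "compromised": sorted({user for user, _, _ in findings}),
        "evidence": findings,
        # A login from the very host that delivered the phish is a strong signal.
        "login_from_sending_host": sorted(
            {user for user, ip, _ in findings if ip in origins}),
    }


if __name__ == "__main__":
    report = investigate(MAIL_LOG, AUTH_LOG, "examp1e-corp.com")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run as a script it prints the scoping report: the sending host 203.0.113.45, the two recipients who actually received the message (carol's copy was rejected, so she is not in scope), and alice as the one account with a post-delivery login from a never-before-seen address, which also happens to be the host that sent the phish. The new-IP heuristic is deliberately simple; in a real investigation the same correlation would be extended with user-agent, geolocation and mailbox-rule changes from the audit log.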

Why the Other Options Are Incorrect:

Change management procedures (Incorrect)

Change management procedures document the process for making changes to IT systems and infrastructure. While important for tracking system modifications, these documents are unlikely to provide direct insight into an email phishing attack, which is more related to monitoring and auditing system behavior.

  • Why it’s incorrect:
    • Change management records focus on planned modifications to the infrastructure, not on detecting or responding to security incidents like phishing.

Departmental policies (Incorrect)

Departmental policies define the rules and procedures for employees within a specific department. While these policies may include guidelines for reporting phishing incidents or handling email security, they are not a primary resource for investigating the technical details of a phishing campaign.

  • Why it’s incorrect:
    • Departmental policies provide guidance on behavior and reporting but do not contain the technical data needed for investigating an email phishing attack.

Standard operating procedures (Incorrect)

Standard operating procedures (SOPs) outline routine processes and protocols for various tasks within an organization. While SOPs can provide a framework for responding to incidents, they do not offer the specific, real-time data required to investigate a phishing campaign.

  • Why it’s incorrect:
    • SOPs are important for ensuring consistent responses to incidents, but they are not a direct source of information for investigating the specifics of a phishing attack.
