A security analyst is actively responding to a detected indicator of compromise on a critical system. Which of the following actions should the analyst avoid during this time?

In the context of incident response, particularly when dealing with a detected indicator of compromise on a critical system, it is vital to maintain the integrity of the system and the evidence while the incident is being investigated. During this critical phase, making changes to the system, such as updating processes, can introduce additional variables that might obscure the current state of the system.

Updating processes could alter logs or change the configuration of the system in ways that make forensic analysis challenging. For example, updates might modify or overwrite crucial evidence, such as file timestamps, application states, or memory contents, complicating the assessment of the compromise.

Maintaining the current state of the system ensures that the analyst can accurately identify the nature of the compromise and implement effective remediation strategies without losing valuable information that could help in understanding the attack vector or the attacker’s methods. Therefore, avoiding updates during an active response helps preserve the integrity of the investigation and enhances the effectiveness of the incident response efforts.