A security analyst received an alert from the antivirus software identifying a complex instance of malware on a company’s network. The company does not have the resources to fully analyze the malware and determine its effect on the system. Which of the following is the BEST action to take in the incident recovery and post-incident response process?
A. Wipe hard drives, reimage the systems, and return the affected systems to ready state.
B. Detect and analyze the precursors and indicators; schedule a lessons learned meeting.
C. Remove the malware and inappropriate materials; eradicate the incident.
D. Perform event correlation; create a log retention policy.