Which activity should an incident handler not perform while addressing email security incidents?

Prepare for the Certified Incident Handler (CIH) Exam.

Restoring affected systems from an untrusted backup is the activity an incident handler should not perform when addressing email security incidents. When dealing with security incidents, particularly those related to email, the integrity and trustworthiness of backups are paramount. Using an untrusted backup can reintroduce compromised data or systems, which could perpetuate the security breach or introduce new vulnerabilities.

In an incident response situation, it is essential to first ensure that any backups used for restoration are verified and known to be secure, because unverified backups might contain malware or other malicious artifacts that the previous incident allowed to infiltrate. Relying on untrusted backups carries a significant risk of further compromising the environment rather than recovering from the incident effectively.

In contrast, restoring from a reliable backup, analyzing email access logs, and communicating with email service providers are sound practices that contribute to identifying the scope of the incident, recovering from it effectively, and ensuring better defenses against future incidents.
