A security analyst discovers several employee laptops encrypted by ransomware. According to the organization's incident-response playbook, the analyst must first determine the scope of the incident. Which action BEST fulfills that requirement?
Immediately disconnect the infected laptops from the network to stop propagation.
Notify legal counsel about possible breach-reporting obligations.
Draft external and internal status updates for leadership and customers.
Enumerate all devices and network segments that show signs of the ransomware infection.
Identifying every asset that has been encrypted or otherwise affected determines the incident's boundaries and guides containment and recovery measures. Merely notifying stakeholders, disconnecting systems, or drafting reports does not in itself establish scope, although these steps may follow once scope is known.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are the steps involved in determining the scope of an incident?
Open an interactive chat with Bash
Why is understanding the scope crucial for incident containment?
Open an interactive chat with Bash
What tools and techniques can help in scoping an incident?