A security analyst discovers several employee laptops encrypted by ransomware. According to the organization's incident-response playbook, the analyst must first determine the scope of the incident. Which action BEST fulfills that requirement?
Notify legal counsel about possible breach-reporting obligations.
Draft external and internal status updates for leadership and customers.
Immediately disconnect the infected laptops from the network to stop propagation.
Enumerate all devices and network segments that show signs of the ransomware infection.
Enumerating all devices and network segments that show signs of the infection is the correct choice. Identifying every asset that has been encrypted or otherwise affected, typically by searching telemetry for the indicators observed on the first laptops (the ransom-note filename, the encrypted-file extension, the encrypting process), defines the incident's boundaries and guides containment and recovery. Notifying legal counsel, disconnecting systems, and drafting status updates do not in themselves establish scope, although each may follow once scope is known.
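The following is an added example, not part of the original exam page, of how the enumeration step can be carried out against endpoint file-event telemetry. The log format, the hostnames and addresses, the ".locked" extension, the ransom-note filename pattern and the /24 segment layout are all assumptions constructed for the example; in practice the indicators come from the sample observed on the first encrypted laptop.

```python
"""Added example: enumerate hosts and network segments showing ransomware indicators.

Illustrative code, not from the original page. The log format, hostnames,
addresses and indicator patterns below are assumptions constructed for the example.
"""
import ipaddress
import re
from collections import defaultdict

# Hypothetical indicators; a real playbook takes these from the first infected host.
ENCRYPTED_EXT = ".locked"
RANSOM_NOTE_RE = re.compile(r"README.*RESTORE", re.IGNORECASE)

# Constructed file-event telemetry: "<timestamp> host=<name> ip=<addr> event=<type> path=<file>"
SAMPLE_EVENTS = """\
2024-03-01T08:01:10Z host=lt-0142 ip=10.10.5.21 event=file_create path=C:\\Users\\a\\Docs\\q1.xlsx.locked
2024-03-01T08:01:11Z host=lt-0142 ip=10.10.5.21 event=file_create path=C:\\Users\\a\\Docs\\README_RESTORE.txt
2024-03-01T08:02:30Z host=lt-0187 ip=10.10.5.88 event=file_create path=C:\\Users\\b\\budget.docx.locked
2024-03-01T08:03:02Z host=fs-01 ip=10.10.9.5 event=file_create path=D:\\Shares\\HR\\README_RESTORE.txt
2024-03-01T08:03:40Z host=lt-0203 ip=10.10.7.14 event=file_create path=C:\\Users\\c\\notes.txt
2024-03-01T08:04:15Z host=lt-0210 ip=10.10.7.30 event=file_modify path=C:\\Users\\d\\report.pdf
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) ip=(?P<ip>\S+) event=(?P<event>\S+) path=(?P<path>.+)$"
)


def parse_events(text):
    """Parse the constructed telemetry lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def is_ransomware_indicator(path):
    """True if the file name carries one of the (assumed) ransomware indicators."""
    filename = path.replace("\\", "/").rsplit("/", 1)[-1]
    return filename.lower().endswith(ENCRYPTED_EXT) or bool(RANSOM_NOTE_RE.search(filename))


def scope_incident(events, prefix_len=24):
    """Return {segment: sorted hosts} for every host that shows an indicator.

    Segments are derived as /prefix_len networks from each host's IP, which is
    assumed here to approximate the organisation's VLAN layout.
    """
    affected = defaultdict(set)
    for ev in events:
        if not is_ransomware_indicator(ev["path"]):
            continue
        net = ipaddress.ip_network(f"{ev['ip']}/{prefix_len}", strict=False)
        affected[str(net)].add(ev["host"])
    return {seg: sorted(hosts) for seg, hosts in sorted(affected.items())}


if __name__ == "__main__":
    for segment, hosts in scope_incident(parse_events(SAMPLE_EVENTS)).items():
        print(f"{segment}: {', '.join(hosts)}")
```

Run against the constructed events, the scope comes out as two hosts on 10.10.5.0/24 and the file server on 10.10.9.0/24; the two hosts on 10.10.7.0/24 show no indicator and stay out of scope. The output is the list that containment (isolating those hosts and segments) and recovery then act on.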