A security analyst observes a sudden increase in network bandwidth consumption, unexpected outbound communication from multiple endpoints to an unknown IP address, and correlated anomalies in server logs. Which of the following actions should the incident response team prioritize to best identify and analyze the threat?
Performing a deeper analysis of server logs
Checking for unauthorized privilege escalation on affected systems
Running a full malware scan on the affected endpoints
Initiating a packet capture to analyze network traffic
The incident response team should first prioritize initiating a packet capture to analyze the network traffic in detail. The indicators presented (increased bandwidth, unexpected outbound traffic) strongly suggest an active network-based threat, such as data exfiltration or command-and-control communication. Packet capture is crucial for collecting this ephemeral evidence before the attacker can alter their methods or cease activity. While reviewing server logs, scanning for malware, and checking for unauthorized privileges are all important incident response tasks, capturing the live, malicious traffic provides the most immediate and comprehensive insight into the ongoing network activity that triggered the alert.