After a security breach, an analyst determines that several endpoints have been compromised with persistent malware. Isolation procedures have been completed, and the decision has been made to re-image the affected systems to a known good state. Prior to the re-imaging process, which of the following steps is MOST important to perform to maintain the integrity of the incident response process?
Re-configuring the endpoint protection on the systems to prevent future infections
Immediately disconnecting the affected systems from all networks
Ensuring a complete backup of the system has been created
Deploying patches to all other systems in the network to prevent spread
Prior to re-imaging an affected system, it is important to ensure that all relevant data has been preserved. This means creating a complete backup of the system, which may later be needed for forensic analysis, for determining the root cause of the incident, and for post-incident recovery and lessons learned. Without proper data preservation, valuable evidence may be lost, and that evidence could be crucial to a thorough investigation and to learning from the incident in order to prevent future breaches. The other options, while important in other contexts, do not outweigh the importance of preserving data immediately before re-imaging.