An analyst is monitoring network traffic and observes a series of suspicious, but not definitively malicious, port scans originating from an internal IP address targeting a critical database server. According to best practices, what is the most appropriate basis for deciding whether to declare this an incident and escalate it?
Waiting for the system to generate a critical-level automated alert.
Predefined criteria and thresholds documented in the incident response plan.
The analyst's personal judgment and experience with similar events.
Confirmation from the database administrator that an active compromise has occurred.
The decision to declare an event as a security incident and escalate it should not be a subjective judgment call made in the moment, nor should it be delayed until there is absolute certainty of a breach. Effective incident response relies on a formal plan with predefined criteria, thresholds, and escalation procedures. These criteria, established in the incident response plan, ensure a consistent, timely, and organized response to potential threats, minimizing potential damage and recovery costs.