An organization's IT department has noticed an unusual increase in outbound network traffic and several user accounts originating from a single IP address. Which of the following would be the MOST appropriate action to perform FIRST in order to begin the incident response process?
Immediately isolate the affected systems from the network to prevent further unauthorized access
Gather all relevant logs and artifacts related to the abnormal activity and ensure they are securely stored
Shut down the organization's internet connection to stop the outflow of data
Contact law enforcement to report an ongoing cyberattack and seek guidance
The correct answer is 'Gather all relevant logs and artifacts related to the abnormal activity and ensure they are securely stored'. In the incident response process, the initial detection and analysis phase involves gathering and preserving evidence that could indicate the nature and scope of an incident. Ensuring the data integrity and chain of custody of logs and artifacts is crucial before moving on to other tasks such as isolating affected systems or contacting law enforcement.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why is it important to gather logs and artifacts first during an incident response?
Open an interactive chat with Bash
What specific types of logs or artifacts should be collected during an incident?
Open an interactive chat with Bash
How is the chain of custody maintained when gathering evidence?