An organization's IT department has noticed an unusual increase in outbound network traffic and several user accounts originating from a single IP address. Which of the following would be the MOST appropriate action to perform FIRST in order to begin the incident response process?
Immediately isolate the affected systems from the network to prevent further unauthorized access
Shut down the organization's internet connection to stop the outflow of data
Gather all relevant logs and artifacts related to the abnormal activity and ensure they are securely stored
Contact law enforcement to report an ongoing cyberattack and seek guidance
The correct answer is 'Gather all relevant logs and artifacts related to the abnormal activity and ensure they are securely stored'. In the incident response process, the initial detection and analysis phase involves gathering and preserving evidence that could indicate the nature and scope of an incident. Ensuring the data integrity and chain of custody of logs and artifacts is crucial before moving on to other tasks such as isolating affected systems or contacting law enforcement.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are logs and artifacts in the context of incident response?
Open an interactive chat with Bash
Why is it important to preserve evidence before taking further actions like isolating systems?
Open an interactive chat with Bash
What does the incident response process typically involve after gathering logs?