During an incident response activity, your team has successfully isolated the affected systems to prevent further spread of the incident. What is the NEXT best step to evaluate in order to determine the priority for containment and recovery procedures?
Continue gathering evidence to pinpoint the initial entry point of the attackers.
Determine the scope of affected systems beyond those already isolated.
Assess the impact of the incident in terms of data loss, service disruption, and damage to assets.
Begin the eradication process by removing the threat actor's presence from the network.
After successfully isolating the affected systems, the next step is to assess the impact of the incident to understand the extent of damage, potential data loss, or service disruption. This helps prioritize recovery efforts and allocate resources where they are needed most. Assessing the scope might help understand the breadth of the incident but does not directly measure the severity of the consequences. The eradication phase comes after understanding the impact and successfully containing the incident. Gathering more evidence would be part of the detection and analysis phase, specifically when identifying the cause and nature of the incident rather than evaluating its impact.