During an incident response activity, your team has successfully isolated the affected systems to prevent further spread of the incident. What is the NEXT best step to evaluate in order to determine the priority for containment and recovery procedures?
Assess the impact of the incident in terms of data loss, service disruption, and damage to assets.
Determine the scope of affected systems beyond those already isolated.
Continue gathering evidence to pinpoint the initial entry point of the attackers.
Begin the eradication process by removing the threat actor's presence from the network.
After successfully isolating the affected systems, the next step is to assess the impact of the incident to understand the extent of damage, potential data loss, or service disruption. This helps prioritize recovery efforts and allocate resources where they are needed most. Assessing the scope might help understand the breadth of the incident but does not directly measure the severity of the consequences. The eradication phase comes after understanding the impact and successfully containing the incident. Gathering more evidence would be part of the detection and analysis phase, specifically when identifying the cause and nature of the incident rather than evaluating its impact.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What does 'assess the impact of an incident' mean in incident response?
Open an interactive chat with Bash
Why is assessing impact prioritized over other steps, like eradication?
Open an interactive chat with Bash
How does impact assessment influence containment and recovery efforts?