During an incident response, what is the BEST method to isolate a compromised system to prevent lateral movement while maintaining evidence for analysis?
Reimage the system to a known good state
Log off any users and wait for further instructions
Disconnect the network interface card (NIC) from the network
Disconnecting the network interface card (NIC) from the network is the best method to isolate a compromised system and prevent further lateral movement. This action halts communication between the compromised system and other systems on the network, effectively containing the threat. Additionally, this method preserves the integrity of evidence on the system, allowing for proper forensic analysis later. Shutting down the system, reimaging, or simply logging off may preserve some aspects of the evidence, but they all increase the risk of losing critical information needed to analyze the incident fully.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What does lateral movement mean in cybersecurity?
Open an interactive chat with Bash
Why is maintaining evidence important during an incident response?