During the analysis of a security incident, an endpoint is flagged with several alerts, including unusual process executions and network connections to suspicious external IP addresses. Which of the following responses leverages the full potential of the EDR solution and is the MOST immediate and effective in containing the threat?
Performing a full memory dump of the endpoint for a detailed forensic analysis.
Escalating the alerts to the organization's cyber incident-response team for further investigation.
Initiating an on-demand threat hunt to gather more information about the executing processes and network connections.
Isolating the endpoint from the network to prevent further potential data loss or lateral movement.
In this scenario, initiating an on-demand threat hunt gathers intelligence but does not immediately contain the potential threat. A threat hunt is a proactive, in-depth investigation and should occur after containment. A memory dump can preserve forensic data but may risk losing volatile evidence if performed improperly and still does not halt the attacker. Escalating the alerts to the incident-response team is important for coordination but does not itself stop malicious activity. Isolating the endpoint from the network prevents further data loss and lateral movement within seconds, using a core EDR containment capability; therefore, it is the most immediate and effective action.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is EDR and how does it work?
Open an interactive chat with Bash
What are lateral movements in cybersecurity?
Open an interactive chat with Bash
Why is isolating an endpoint important during a security incident?