While analyzing a security incident, a CSIRT confirms that at least three production servers and several user workstations show signs of intrusion. Before any containment action is taken, the lead analyst must establish how far the attacker has spread within the environment. Which action will provide the MOST accurate picture of the overall compromise scope?
Perform a quick scan using antivirus software on all systems
Isolate all potentially compromised systems from the network
Conduct thorough log analysis and correlate findings with known Indicators of Compromise (IoCs)
Re-image all suspected systems and return them to operation
The most reliable way to understand the full extent of a breach is to perform comprehensive log analysis across hosts, network devices, and security tools and correlate those findings with trusted threat-intelligence indicators of compromise (IoCs). Correlation highlights lateral movement and additional affected assets that may not yet display obvious symptoms. Isolating or re-imaging systems and running quick antivirus scans are containment or recovery activities; they do not systematically reveal every compromised host and therefore risk overlooking parts of the intrusion.
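As an added example that is not part of the question or its explanation, the script below correlates constructed auth, EDR and firewall log lines against a constructed IoC set and asset inventory to produce a per-host scope of the compromise; every indicator value, hostname and log format here is made up for the demonstration.

```python
import re
from collections import defaultdict

# Constructed indicators for this example (placeholders, not real IoCs).
MAL_HASH = "3a" * 32  # 64-hex SHA-256 placeholder
IOCS = {"ip": {"203.0.113.45"}, "sha256": {MAL_HASH}, "account": {"svc_backup"}}

# Constructed asset inventory: internal IP -> hostname (firewall logs carry only IPs).
ASSETS = {"10.0.5.12": "web01", "10.0.7.30": "db02", "10.0.9.4": "ws-alice"}

# Constructed log lines from three sources (auth, EDR, firewall) in key=value form.
LOGS = f"""\
2024-05-02T01:12:03Z auth host=web01 user=svc_backup src=203.0.113.45 result=success
2024-05-02T01:14:41Z edr host=web01 sha256={MAL_HASH} path=/tmp/x
2024-05-02T01:20:09Z auth host=db02 user=svc_backup src=10.0.5.12 result=success
2024-05-02T01:22:55Z fw src=10.0.7.30 dst=203.0.113.45 dport=443 action=allow
2024-05-02T02:03:17Z auth host=ws-alice user=alice src=10.0.9.4 result=success
""".splitlines()

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Split 'timestamp source k=v k=v ...' into a dict of fields."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    fields["ts"], fields["source"] = ts, source
    return fields

def scope_compromise(lines, iocs=IOCS, assets=ASSETS):
    """Return {host: [reasons]} for every host tied to an IoC, noting pivots."""
    hits = defaultdict(list)
    for f in map(parse, lines):
        # Resolve the affected host: explicit host= field, else map the internal IP.
        host = f.get("host") or assets.get(f.get("src"))
        if host is None:
            continue
        if f.get("src") in iocs["ip"] or f.get("dst") in iocs["ip"]:
            hits[host].append(f"{f['source']}: traffic with IoC address")
        if f.get("sha256") in iocs["sha256"]:
            hits[host].append(f"{f['source']}: IoC file hash")
        if f.get("user") in iocs["account"]:
            hits[host].append(f"{f['source']}: compromised account {f['user']}")
            # A login from an already-suspect internal host marks lateral movement.
            pivot = assets.get(f.get("src"))
            if pivot and pivot in hits:
                hits[host].append(f"lateral movement from {pivot}")
    return dict(hits)

if __name__ == "__main__":
    for host, reasons in scope_compromise(LOGS).items():
        print(host, "->", "; ".join(reasons))
```

Note that db02 never appears with the attacker's external address in the auth log; it enters scope only because the compromised account arrived from web01 and its outbound traffic matched the IoC address, which is exactly what correlation across sources reveals.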