Your team has identified a breach in progress on an endpoint device within the company's network. What is the FIRST step you should take to isolate this device while minimizing the potential for disruption to your organization's operations?
The correct answer is to disconnect the device from the network. This action immediately stops the compromised device from communicating with attackers or with other systems on the network, helping to prevent lateral movement and further compromise. It is typically the first immediate step taken to isolate an infected system. Physically removing the device could cause unnecessary service interruptions and could lead to the loss of volatile data that is needed for analysis. Powering off the device might also result in the loss of valuable forensic data. Enabling the device firewall does not guarantee that the device is isolated from the network, because malware or attackers may already have disabled it or created rules that bypass it.