ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
During incident response for a SaaS platform, you confirm that an attacker is actively exploiting a zero-day vulnerability on one of your production application servers. The event has been triaged and classified as a high-severity security incident. According to industry-standard incident response phases, which action should be taken next?
Isolate the affected server from the network to halt the attack and preserve evidence.
Issue an immediate public breach notification to customers and regulators.
Conduct a post-incident review meeting to capture lessons learned.
Reimage the server and redeploy the application from a trusted code base.
Best-practice guidance such as NIST SP 800-61 places containment immediately after detection, triage, and classification. Isolating the compromised server limits further damage and preserves volatile evidence for later analysis. Reimaging or patching the system is an eradication and recovery task that should occur only after containment. Public notification and lessons-learned activities belong to the post-incident phase, once the threat has been contained and normal operations restored.