ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
During normal operations, an Endpoint Detection and Response (EDR) platform alerts a security administrator that a user's Windows 10 laptop has begun encrypting files across an SMB-mapped department share, strongly suggesting an active ransomware infection. According to the company's incident response plan, swift containment must precede eradication and recovery. Which immediate action should the administrator take to best contain the threat while preserving forensic evidence and limiting business disruption?
Call law enforcement before making any technical changes to ensure proper legal handling of the incident.
Immediately disable the laptop's network interfaces (unplug Ethernet and disable Wi-Fi) to isolate it from all network communication.
Power down the shared file server to stop the encryption process and prevent further data loss.
Initiate a full antivirus scan on the infected laptop to identify and clean the ransomware.
The primary goal of containment is to prevent further spread of malware while retaining the ability to perform forensic analysis. Physically or logically isolating the infected host from the network stops the ransomware from reaching additional systems and halts ongoing file encryption on shared resources, yet keeps the system powered on so volatile evidence (processes, memory) remains intact. Powering off the file server would disrupt critical services and does not address the infected workstation, where the attacker's indicators reside; running an antivirus scan allows encryption to continue during the scan; contacting law enforcement is important but does not address the urgent need to stop propagation. Therefore, immediately disconnecting the laptop's network interfaces is the most effective containment step.
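As an added example, not part of the practice question: a first-responder PowerShell sequence for the chosen answer, run locally as an administrator on the alerting laptop. It snapshots the volatile state (processes, sockets, SMB mappings) before disabling every active adapter, and keeps the host powered on; the case label and output directory are constructed for illustration.

```powershell
# Added example: contain a suspected ransomware host without powering it off.
# Assumes it runs locally, elevated, on the alerting Windows 10 laptop.
# Order matters: capture volatile evidence BEFORE cutting the network.

$Case = "IR-$(Get-Date -Format 'yyyyMMdd-HHmmss')"       # constructed case label
$Out  = Join-Path $env:SystemDrive "IR\$Case"              # prefer removable media if available
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# 1. Volatile evidence: running processes, established sockets, SMB shares in use.
Get-Process | Select-Object Id, ProcessName, Path |
    Export-Csv (Join-Path $Out 'processes.csv') -NoTypeInformation
Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
    Export-Csv (Join-Path $Out 'tcp_connections.csv') -NoTypeInformation
Get-SmbMapping    | Export-Csv (Join-Path $Out 'smb_mappings.csv')    -NoTypeInformation
Get-SmbConnection | Export-Csv (Join-Path $Out 'smb_connections.csv') -NoTypeInformation

# 2. Logical isolation: disable every adapter that is currently up (Ethernet and Wi-Fi)
#    in one pass, recording what was disabled so it can be restored after eradication.
$Adapters = Get-NetAdapter | Where-Object Status -eq 'Up'
$Adapters | Select-Object Name, InterfaceDescription, MacAddress, Status |
    Export-Csv (Join-Path $Out 'adapters_before_isolation.csv') -NoTypeInformation
$Adapters | Disable-NetAdapter -Confirm:$false

# 3. Timestamp the containment action for the incident timeline.
"$(Get-Date -Format o) network isolation applied to: $($Adapters.Name -join ', ')" |
    Add-Content (Join-Path $Out 'timeline.txt')
```

The host stays powered on so a memory image can still be taken during the analysis phase; if the EDR platform offers a network-isolation action, that achieves step 2 remotely without a console session on the infected machine.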
Systems and Application Security