CompTIA Security+ SY0-701 Practice Question

Containment is the appropriate initial step following detection in an incident response process when the incident has already occurred and there's a need to prevent further damage or unauthorized activity. In this scenario, containing the threat by stopping the service account's actions is the priority to prevent further unauthorized activities, such as data exfiltration or lateral movement within the network. Preparation' is the process of getting ready for an incident before it occurs. 'Eradication' is performed after containment and involves removing the components of the incident, such as unauthorized software. 'Recovery' is the process of restoring systems to normal operation after the threat has been eradicated.