An organization has noticed an unusual amount of traffic to a legacy server. Upon investigation, it was discovered that a service account has been used to elevate permissions and install unauthorized software. Which of the following should be the FIRST step in the incident response process to handle this situation?
Containment is the appropriate initial step following detection in an incident response process when the incident has already occurred and there is a need to prevent further damage or unauthorized activity. In this scenario, containing the threat by stopping the service account's actions is the priority, to prevent further unauthorized activities such as data exfiltration or lateral movement within the network. 'Preparation' is the process of getting ready for an incident before it occurs. 'Eradication' is performed after containment and involves removing the components of the incident, such as the unauthorized software. 'Recovery' is the process of restoring systems to normal operation after the threat has been eradicated.