During an incident response, an organization has identified an infected workstation that is part of a botnet and is communicating with external command and control servers. What is the BEST immediate action to contain this threat?
Capture network traffic to analyze the communication with the command and control servers
Change access controls on the infected workstation
Perform a vulnerability scan to identify the infected workstation
Isolating the workstation from the network is the BEST immediate action to thwart the ongoing threat, as it prevents the infected system from communicating with the command and control servers and stops further spread of the infection. Changing access controls might not be effective if the infection is propagating in other ways, and conducting a vulnerability scan or capturing network traffic does not immediately contain the threat.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a botnet?
Open an interactive chat with Bash
What are command and control servers?
Open an interactive chat with Bash
Why is isolating the infected workstation the best option?