During an active incident response, the cybersecurity team has determined that multiple systems have been compromised by a sophisticated malware strain. What should be the FIRST action taken to prevent further spread of the malware while minimizing disruption to business operations?
The correct answer is Isolation. The first action in a containment strategy is to isolate affected systems to prevent the malware from spreading to other systems or the network. Isolation can involve disconnecting the system from the network, disabling certain features, or placing the system in quarantine. While eradication and recovery are important steps, they only occur after the threat has been successfully contained. Re-imaging is a form of eradication and is not the immediate first action, as it would involve significant downtime without confirming the extent of the damage. Scope needs to be determined beforehand to isolate effectively but is not an action in itself.