During an active incident response, your team has identified a breach within one of the company's critical servers. After initiating the containment phase, what is the next key action to perform to accurately define the scope of the incident?
Initiate a digital forensics analysis on the directly affected server.
Analyze the extent of the compromise to understand the full impact across the network.
Immediately reset all user credentials within the organization to preclude further unauthorized access.
Start re-imaging all compromised systems to ensure no remnants of the breach remain.
After containing the breach, the correct course of action is to analyze the extent of the compromise across the network. This includes identifying all affected systems, the data accessed, and any lateral movement taken place by the attacker, ensuring that the incident response correctly addresses all areas of impact. Performing digital forensics analysis or resetting user credentials alone may not allow for accurate scoping of the breach, as they do not provide comprehensive information about the breadth of the attack. Re-imaging systems should only take place after understanding the full scope to prevent unnecessary service disruptions or potential evidence destruction.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What does it mean to analyze the extent of a compromise?
Open an interactive chat with Bash
What is the containment phase in incident response?
Open an interactive chat with Bash
What is the role of digital forensics in incident response?