During the analysis of a security incident, an endpoint is flagged with several alerts, including unusual process executions and network connections to suspicious external IP addresses. Which of the following responses leverages the full potential of the EDR solution and is the MOST immediate and effective in containing the threat?
Escalating the alerts to the organization's cyber incident response team for further investigation.
Isolating the endpoint from the network to prevent further potential data loss or lateral movement.
Performing a full memory dump of the endpoint for a detailed forensic analysis.
Initiating an on-demand threat hunt to gather more information about the executing processes and network connections.
In this scenario, initiating an on-demand threat hunt to gather more information is a reactive step that does not immediately contain the potential threat. A threat hunt is a proactive, in-depth investigation and should be done after immediate containment. A memory dump may provide useful forensic data, but it does not contain the threat and could result in loss of volatile data if done incorrectly. Escalation to a cyber incident response team is a necessary step but not the most immediate action to take using EDR capabilities. Isolating the endpoint from the network mitigates the immediate risk of the threat spreading or exfiltrating data without needing to wait for full confirmation of the threat's nature. This quick isolation is a strength of EDR platforms and should be the analyst's priority.