An organization has experienced a security incident involving an advanced persistent threat (APT) that has bypassed existing security controls and established a foothold on the network. As part of the incident response activities, what is the MOST appropriate immediate action to take once the threat is confirmed?
Immediately shutdown the entire network to eradicate the APT's foothold and start the recovery process.
Begin forensic analysis on all systems to understand all the methods the APT used to infiltrate the network.
Start documenting the incident details for the after-action report and notify external stakeholders.
Isolate the affected systems from the network to prevent the APT from further establishing its presence or causing additional damage.
The first and most appropriate immediate action following the confirmation of an advanced persistent threat is to contain the threat. This is to prevent any further spread or damage within the network. Containment strategies may vary depending on the characteristics of the incident but often include isolating affected systems, blocking malicious traffic, or temporarily shutting down services. Eradication and recovery steps only follow after containment is successfully achieved, and while documentation is critical, it does not take precedence over containing an active threat. In this scenario, as we are dealing with an APT, fast action is crucial to limit the threat.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What does APT mean and why is it significant in cybersecurity?
Open an interactive chat with Bash
What are the typical containment strategies during a security incident?
Open an interactive chat with Bash
What are the next steps after isolating affected systems from an APT?