An organization has noticed an unusual amount of traffic to a legacy server. Upon investigation, it was discovered that a service account has been used to elevate permissions and install unauthorized software. Which of the following should be the FIRST step in the incident response process to handle this situation?
Containment is the appropriate first step after detection when the incident has already occurred and further damage or unauthorized activity must be prevented. In this scenario, containing the threat by stopping the service account's actions (for example, disabling the account and isolating the legacy server) is the priority, so that further unauthorized activity, such as data exfiltration or lateral movement within the network, cannot continue. 'Preparation' is the process of getting ready for an incident before it occurs. 'Eradication' is performed after containment and involves removing the components of the incident, such as the unauthorized software. 'Recovery' is the process of restoring systems to normal operation after the threat has been eradicated.