During an incident response, your team has detected a compromised system that is a part of the network. Which of the following actions is the BEST initial containment strategy to minimize the spread of an attack while preserving the state of the system for further investigation?
Rebooting the system to remove the attack components
Applying all missing patches to the affected system
Isolating the affected system or network segment is the best initial containment strategy: it stops the attack from spreading while letting the investigation proceed with minimal interference and the system's state preserved. Changing access control lists could disrupt normal operations and may not effectively contain the incident. Rebooting the system could destroy volatile evidence. Applying patches, while important, does not provide immediate containment and may alter the state of the system, complicating any ongoing investigation.