Following the detection of aberrant behavior on a critical server that correlates with a known vulnerability alert, what immediate action should an analyst take to best mitigate the risk while preserving the ability to investigate the incident?
Patch the server immediately with the latest updates available for the suspected vulnerability.
Isolate the server by moving it to a quarantine network.
Examine audit trails and security event log entries to identify any indicators of compromise.
Configure the surveillance tools to collect more granular information for a potential forensics analysis.
Isolating the server by placing it in a quarantine network is the most effective immediate action to prevent the propagation of any potentially malicious activity associated with the detected behavior. This preserves the ability to conduct a forensic investigation, while patching might remove important evidence and does not stop ongoing exploitation. Reviewing security logs is an important subsequent step to gather more information about the incident but does not halt current attack vectors. Intensifying surveillance does not directly mitigate an ongoing issue and could delay critical response time.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a quarantine network?
Open an interactive chat with Bash
Why is it important to preserve evidence during incident response?
Open an interactive chat with Bash
What steps should follow after isolating the server?