220-1102 Question #623: Real Exam Question with Answer & Explanation
The correct answer is D: Quarantine the workstation.
Question
A user clicked a link in an email, and now the cursor is moving around on its own. A technician notices that File Explorer is open and data is being copied from the local drive to an unknown cloud storage location. Which of the following should the technician do first?
Options
- A. Investigate the reported symptoms.
- B. Run anti-malware software.
- C. Educate the user about dangerous links.
- D. Quarantine the workstation.
Explanation
When a user's computer exhibits signs of active compromise, such as data exfiltration, the technician should first quarantine the workstation.
Common mistakes
- A. Investigating the reported symptoms is important, but it should happen after the immediate threat of spread or further damage has been contained by quarantining the device.
- B. Running anti-malware software is part of the eradication phase, which comes after containment to remove the threat, not as the initial response when active data copying is observed.
- C. Educating the user about dangerous links is a crucial preventative and post-incident measure, but it does not address the immediate, active security incident unfolding on the workstation.
Concept tested: Incident response - containment
Reference: https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final