312-39 Question #63: Real Exam Question with Answer & Explanation
The correct answer is A: Isolate the employee's workstation and revoke remote access.
Question
Options
- A. Isolate the employee's workstation and revoke remote access
- B. Conduct a full forensic analysis first
- C. Disable the corporate VPN entirely
- D. Inform the employee's department and wait for evidence
Explanation
The first step should prioritize immediate containment to stop ongoing exfiltration and prevent further compromise. Isolating the workstation (network isolation or EDR containment) and revoking remote access (terminating sessions, blocking the suspicious IP, disabling the user's remote access methods) directly reduces the attacker's ability to continue transferring sensitive data and limits the risk of lateral movement. In incident response, containment precedes deep forensics when active harm is likely: you preserve evidence while stopping the bleeding. Conducting full forensics first can delay containment and allow continued data theft. Disabling the corporate VPN entirely is overly disruptive and does not target the specific compromised endpoint or account; it can also hinder business operations and the incident response effort itself. Informing the department and waiting is inappropriate given the indicators of compromise and the policy violation (unauthorized USB use). After containment, the SOC should preserve volatile evidence where possible (RAM, active network connections), collect the relevant logs, assess which data was accessed, and coordinate with legal and HR because of the insider-threat implications. But the initial, highest-priority action is targeted containment of the affected workstation and its access paths.