EC-Council
312-50V10 · Question #809
312-50V10 Question #809: Real Exam Question with Answer & Explanation
The correct answer is C: Disconnect the email server from the network. When an active breach is detected, the immediate containment step before engaging the IR team is to isolate the compromised server from the network.
Information Security and Ethical Hacking Fundamentals
Question
Nedved is an IT Security Manager at a bank in his country. One day, he found out that there was a security breach of his company's email server, based on analysis of a suspicious connection from the email server to an unknown IP address. What is the first thing that Nedved needs to do before contacting the incident response team?
Options
- A. Leave it as it is and contact the incident response team right away
- B. Block the connection to the suspicious IP address from the firewall
- C. Disconnect the email server from the network
- D. Migrate the connection to the backup email server
Explanation
When an active breach is detected, the immediate containment step before engaging the IR team is to isolate the compromised server from the network. Isolation cuts every channel the attacker may be using (not just the one connection that was noticed) while preserving the server's state, including running processes and memory, for the IR team to examine.
Common mistakes.
- A. Leaving the server connected while contacting IR allows the active malicious connection to continue unimpeded, enabling ongoing data exfiltration during the response delay.
- B. Blocking the IP at the firewall addresses only one known vector but does not stop any other malicious processes or backdoors already running on the compromised server itself.
- D. Migrating to a backup server does not isolate the breached server, allowing the attacker to retain their foothold and continue operating from the original compromised system.
Concept tested. Incident response containment - isolating compromised systems
Reference. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
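The scenario turns on spotting an outbound connection from the mail server to a peer that is neither internal nor a known relay. The following Python script is an added example, not part of the exam question or its published explanation: it parses a constructed `ss -tnp state established` listing (the addresses, process names and PIDs are made up), checks each peer against an allowlist of expected destinations, and reports the connections a first responder would treat as grounds for isolating the host. The allowlisted networks, the partner relay 203.0.113.10 and the mail ports are assumptions for the example.

```python
"""Triage outbound connections on a suspected mail server (added example).

Parses constructed `ss -tnp state established` output, checks every peer
against an allowlist of expected destinations and flags the rest.  One
flagged connection is enough to justify isolating the whole host, since
the single visible peer is not necessarily the attacker's only channel.
IPv4 only; all sample data below is constructed.
"""
import ipaddress
import re

# Constructed sample of `ss -tnp state established` on the mail relay.
SAMPLE_SS_OUTPUT = """\
Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
0      0      10.20.0.15:25       10.20.0.40:51822    users:(("postfix",pid=1203,fd=12))
0      0      10.20.0.15:45012    203.0.113.10:25     users:(("smtp",pid=1310,fd=9))
0      0      10.20.0.15:39944    198.51.100.77:4444  users:(("sh",pid=2218,fd=3))
0      0      10.20.0.15:22       10.20.0.5:60102     users:(("sshd",pid=990,fd=4))
"""

# Peers the mail server is expected to talk to (assumed for the example):
# the internal RFC 1918 ranges plus one partner relay.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("203.0.113.10/32"),  # partner MX relay (assumed)
]
# Ports a mail server legitimately listens on / connects to.
MAIL_PORTS = {25, 465, 587}

LINE_RE = re.compile(r"^\s*\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(.*)$")
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss(output):
    """Return one dict per connection row of `ss -tnp` output."""
    rows = []
    for line in output.splitlines()[1:]:  # first line is the header
        m = LINE_RE.match(line)
        if not m:
            continue
        laddr, lport, paddr, pport, proc = m.groups()
        pm = PROC_RE.search(proc)
        rows.append({
            "local": ipaddress.ip_address(laddr),
            "lport": int(lport),
            "peer": ipaddress.ip_address(paddr),
            "pport": int(pport),
            "process": pm.group(1) if pm else "?",
            "pid": int(pm.group(2)) if pm else None,
        })
    return rows


def is_allowed_peer(peer):
    return any(peer in net for net in ALLOWED_NETWORKS)


def suspicious_connections(rows):
    """Flag connections to peers outside the allowlist.

    Inbound mail (local side on a mail port) is skipped; everything else to
    an unknown peer is reported, with the reason, as (peer, port, process,
    pid, reason) tuples.
    """
    flagged = []
    for r in rows:
        if is_allowed_peer(r["peer"]):
            continue
        if r["lport"] in MAIL_PORTS:
            continue  # a remote MTA delivering to us
        if r["pport"] in MAIL_PORTS:
            reason = "mail to unknown peer"
        else:
            reason = "unexpected destination port %d" % r["pport"]
        flagged.append((str(r["peer"]), r["pport"], r["process"], r["pid"], reason))
    return flagged


def triage(output=SAMPLE_SS_OUTPUT):
    """Run the check and return the flagged connections."""
    return suspicious_connections(parse_ss(output))


if __name__ == "__main__":
    for peer, port, proc, pid, reason in triage():
        print("ISOLATE HOST: %s:%d from %s (pid %s): %s" % (peer, port, proc, pid, reason))
```

In the constructed sample, only the `sh` process talking to 198.51.100.77 on port 4444 is flagged. The point for the first responder is that the finding condemns the host, not just that peer: a shell holding a connection to an unknown address means the server is under someone else's control, so the right move is to pull it off the network (option C) rather than block one IP (option B), which would leave any other channel or dormant backdoor on the same machine untouched.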
Topics
#incident-response #containment #email-server-breach #first-responder-steps