312-50V13 · Question #204
Nedved is an IT Security Manager of a bank in his country. One day. he found out that there is a security breach to his company's email server based on analysis of a suspicious connection from the ema
The correct answer is C. Disconnect the email server from the network. Upon detecting a suspicious connection indicating a security breach, the immediate first step is to disconnect the compromised system from the network to contain the threat.
Question
Options
- ALeave it as it Is and contact the incident response team right away
- BBlock the connection to the suspicious IP Address from the firewall
- CDisconnect the email server from the network
- DMigrate the connection to the backup email server
How the community answered
(34 responses)- A6% (2)
- B3% (1)
- C71% (24)
- D21% (7)
Why each option
Upon detecting a suspicious connection indicating a security breach, the immediate first step is to disconnect the compromised system from the network to contain the threat.
Leaving the compromised server connected and merely contacting the incident response team allows the breach to continue and potentially worsen, violating the principle of containment.
Blocking the connection at the firewall is a good partial containment measure, but disconnecting the server directly offers a more complete and immediate isolation, as other vectors or bypasses might exist.
Disconnecting the email server from the network is the most critical and immediate containment action to prevent further data exfiltration, lateral movement of the attacker, or further compromise of the system, before involving the incident response team for forensic analysis. This isolates the threat.
Migrating to a backup server does not address the ongoing compromise of the original email server and could potentially spread the infection if the backup is also connected or if the migration process is insecure.
Concept tested: Incident response containment strategy
Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Topics
Community Discussion
No community discussion yet for this question.