nerdexam
(ISC)2


CERTIFIED-IN-CYBERSECURITY Question #555: Real Exam Question with Answer & Explanation

The correct answer is D: Attempt to isolate any compromised servers to prevent further damage.

Business Continuity (BC), Disaster Recovery (DR) & Incident Response Concepts

Question

A junior cybersecurity analyst has detected a ransomware attack on the company's servers and has activated the incident response team. Which is the next BEST course of action?

Options

  • A. Update all server anti-virus software with the latest updates
  • B. Generate support tickets to restore the affected systems to their previous state
  • C. Investigate how the ransomware entered the company's servers
  • D. Attempt to isolate any compromised servers to prevent further damage

Explanation

The analyst should attempt to quarantine all infected hosts to limit further spread. In a ransomware attack, the immediate priority is to contain the threat and prevent it from spreading to other systems. For example, suppose an organization's file server is infected with ransomware. In this case, the incident response team should immediately isolate the server from the network to prevent the ransomware from spreading to other servers or workstations.

The other options, while still important in a cybersecurity strategy, do not address the immediate needs of the situation. Investigating how the malware entered the network is necessary, but it comes after the immediate threat has been contained. Creating help desk tickets to reimage infected systems is part of the recovery process, not the immediate response to the malware's spread. Updating all endpoint antivirus solutions with the latest updates, while generally a proactive and necessary step, may not immediately mitigate the current malware threat.

Topics

#Incident Response, #Ransomware, #Containment, #Cybersecurity Operations
