CISSP · Question #340
A Security Operations Center (SOC) receives an incident response notification on a server with an active intruder who has planted a backdoor. Initial notifications are sent and communications are esta
The correct answer is C. Removing the server from the network may prevent catching the intruder. Before performing the next step in an incident response, it must be considered or evaluated that removing the server from the network may prevent catching the intruder who has planted a backdoor. This is because the intruder may still be connected to the server or may try to reco
Question
A Security Operations Center (SOC) receives an incident response notification on a server with an active intruder who has planted a backdoor. Initial notifications are sent and communications are established. What MUST be considered or evaluated before performing the next step?
Options
- ANotifying law enforcement is crucial before hashing the contents of the server hard drive
- BIdentifying who executed the incident is more important than how the incident happened
- CRemoving the server from the network may prevent catching the intruder
- DCopying the contents of the hard drive to another storage device may damage the evidence
How the community answered
(43 responses)- A7% (3)
- B19% (8)
- C47% (20)
- D28% (12)
Explanation
Before performing the next step in an incident response, it must be considered or evaluated that removing the server from the network may prevent catching the intruder who has planted a backdoor. This is because the intruder may still be connected to the server or may try to reconnect later, and disconnecting the server may alert the intruder or lose the opportunity to trace the intruder's source or identity. Therefore, it may be better to isolate the server from the network or monitor the network traffic to gather more evidence and information about the intruder. Notifying law enforcement, identifying who executed the incident, and copying the contents of the hard drive are not the factors that must be considered or evaluated before performing the next step, as they are either irrelevant or premature at this stage of the incident response.
Topics
Community Discussion
No community discussion yet for this question.