nerdexam
(ISC)2

CISSP · Question #340

A Security Operations Center (SOC) receives an incident response notification on a server with an active intruder who has planted a backdoor. Initial notifications are sent and communications are esta

The correct answer is C. Removing the server from the network may prevent catching the intruder. Before performing the next step in an incident response, it must be considered or evaluated that removing the server from the network may prevent catching the intruder who has planted a backdoor. This is because the intruder may still be connected to the server or may try to reco

Submitted by chen.hong· Mar 5, 2026Security Operations

Question

A Security Operations Center (SOC) receives an incident response notification on a server with an active intruder who has planted a backdoor. Initial notifications are sent and communications are established. What MUST be considered or evaluated before performing the next step?

Options

  • ANotifying law enforcement is crucial before hashing the contents of the server hard drive
  • BIdentifying who executed the incident is more important than how the incident happened
  • CRemoving the server from the network may prevent catching the intruder
  • DCopying the contents of the hard drive to another storage device may damage the evidence

How the community answered

(43 responses)
  • A
    7% (3)
  • B
    19% (8)
  • C
    47% (20)
  • D
    28% (12)

Explanation

Before performing the next step in an incident response, it must be considered or evaluated that removing the server from the network may prevent catching the intruder who has planted a backdoor. This is because the intruder may still be connected to the server or may try to reconnect later, and disconnecting the server may alert the intruder or lose the opportunity to trace the intruder's source or identity. Therefore, it may be better to isolate the server from the network or monitor the network traffic to gather more evidence and information about the intruder. Notifying law enforcement, identifying who executed the incident, and copying the contents of the hard drive are not the factors that must be considered or evaluated before performing the next step, as they are either irrelevant or premature at this stage of the incident response.

Topics

#incident response#active intruder#containment strategies#forensics considerations

Community Discussion

No community discussion yet for this question.

Full CISSP Practice