(ISC)2

CISSP · Question #565

CISSP Question #565: Real Exam Question with Answer & Explanation

The correct answer is A: Isolate and contain the intrusion. When an intrusion is detected, the immediate priority is containment to prevent further damage or lateral movement across the network before any other response steps are taken.

Submitted by satoshi_tk · Mar 5, 2026 · Security Operations

Question

What should be the FIRST action for a security administrator who detects an intrusion on the network based on precursors and other indicators?

Options

  • A. Isolate and contain the intrusion.
  • B. Notify system and application owners.
  • C. Apply patches to the Operating Systems (OS).
  • D. Document and verify the intrusion.

Explanation

When an intrusion is detected, the immediate priority is containment to prevent further damage or lateral movement across the network before any other response steps are taken.

Common mistakes.

  • B. Notifying system and application owners is an important step but occurs after containment, as alerting stakeholders before isolating the threat does not stop the active intrusion from spreading.
  • C. Applying OS patches is a remediation and hardening activity that occurs much later in the incident response lifecycle, after the intrusion has been contained, eradicated, and the root cause identified.
  • D. Documenting and verifying the intrusion is part of the identification and post-incident analysis phases, but acting on containment takes precedence over documentation when an active intrusion is in progress.

Concept tested. Incident response containment as first priority

Reference. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Topics

#Incident response #Containment #Security operations
