GCIH · Question #425
The Network Operations Center has identified and escalated an active denial of service incident on the mail server and several externally facing web sites to the security team for review. What are the
The correct answer is D. Enable IPS and firewall controls to mitigate the events.. Once an active DoS incident has been escalated to the security team, the NOC's next responsibility is to take immediate technical action by enabling IPS and firewall controls to mitigate the ongoing attack.
Question
The Network Operations Center has identified and escalated an active denial of service incident on the mail server and several externally facing web sites to the security team for review. What are the next steps for the NOC team?
Options
- AIssue a company-wide alert to the users detailing the events.
- BMonitor the events and provide new information directly to the security team.
- CContact the web and mail administrators and provide them with the remediation solution.
- DEnable IPS and firewall controls to mitigate the events.
How the community answered
(40 responses)- A18% (7)
- B3% (1)
- C8% (3)
- D73% (29)
Why each option
Once an active DoS incident has been escalated to the security team, the NOC's next responsibility is to take immediate technical action by enabling IPS and firewall controls to mitigate the ongoing attack.
Issuing a company-wide user alert is a communications decision that belongs to management or the incident response team, not the NOC, and is not an immediate technical mitigation step.
Passively monitoring and relaying information is insufficient once the incident has already been escalated - the NOC should move to active mitigation rather than observation only.
Providing a remediation solution to administrators is outside the NOC's scope at this stage; the security team owns remediation decisions after reviewing the escalated incident.
The NOC has direct control over network infrastructure including IPS devices and firewalls, making it their role to implement technical mitigation controls during an active attack. Enabling IPS signatures and ACLs to drop attack traffic is an operational containment step the NOC can execute immediately while the security team investigates. This aligns with NIST SP 800-61r2 guidance that responders with access to affected systems take active containment measures.
Concept tested: NOC role in active incident containment and mitigation
Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Topics
Community Discussion
No community discussion yet for this question.