GCIH · Question #568
As an incident handler for the XYZ Widget Company, you have responded to the breach of your mail server. The server is not in a DMZ but on your internal network and was being used as a launching point
The correct answer is D. Dump logs from the compromised machine to another system for analysis. Attacking back is always a bad idea. Forensic analysis should never be performed on the original hard drive. Pinging the originating IP from the compromised machine may alert the attacker to the fact that you found the compromised machine. Dumping logs to another system for analy
Question
As an incident handler for the XYZ Widget Company, you have responded to the breach of your mail server. The server is not in a DMZ but on your internal network and was being used as a launching point to attack other systems on the same network. Of the choices listed below, which is the BEST next step to take as the lead incident handler?
Options
- APing the IP address where the attack is originating from the compromised machine
- BPerform a forensic analysis on the original hard drive
- CSend a SYN flood to the originating IP address
- DDump logs from the compromised machine to another system for analysis
How the community answered
(31 responses)- A3% (1)
- B13% (4)
- C6% (2)
- D77% (24)
Explanation
Attacking back is always a bad idea. Forensic analysis should never be performed on the original hard drive. Pinging the originating IP from the compromised machine may alert the attacker to the fact that you found the compromised machine. Dumping logs to another system for analysis will help give you information needed for analysis and is the only viable option presented.
Topics
Community Discussion
No community discussion yet for this question.