
GCIH Question #576: Real Exam Question with Answer & Explanation

The correct answer is B: Image the compromised host's RAM then disable the host's upstream switch port.

Incident Response & Cyber Kill Chain

Question

A company's internal LAN is being scanned by a compromised workstation. Which of the following is a 'Containment Phase' action that protects volatile data?

Options

  • A. Disconnect the compromised host's network cable and perform a graceful shutdown
  • B. Image the compromised host's RAM then disable the host's upstream switch port
  • C. Place a passive hub between the compromised host and its upstream switch
  • D. Enable the compromised host's OS-level firewall and set the first rule to deny all

Explanation

Containment is intended to stop the bleeding and prevent further compromise. In this scenario, the goals are to stop the scanning and to capture volatile data for further analysis. Disabling the switch port stops the scanning; imaging the RAM while leaving the system powered up preserves the volatile data.

Topics

#incident-containment #volatile-data #RAM-imaging #network-isolation
