SY0-501 Question #483: Real Exam Question with Answer & Explanation
The correct answer is A: Identify the source of the active connection. After discovering email exfiltration through an active connection, the immediate next step in incident response is to identify the source to understand the attack's scope and nature.
Question
A computer emergency response team is called at midnight to investigate a case in which a mail server was restarted. After an initial investigation, it was discovered that email is being exfiltrated through an active connection. Which of the following is the NEXT step the team should take?
Options
- A. Identify the source of the active connection
- B. Perform eradication of active connection and recover
- C. Perform containment procedure by disconnecting the server
- D. Format the server and restore its initial configuration
Explanation
After discovering email exfiltration through an active connection, the immediate next step in incident response is to identify the source to understand the attack's scope and nature.
Common mistakes.
- B. Eradication and recovery are later stages of incident response, performed after identification and containment; attempting them without full understanding can be ineffective or incomplete.
- C. While containment is critical, disconnecting the server immediately without first identifying the connection's source could destroy volatile evidence or prevent full understanding of the attack, hindering comprehensive remediation.
- D. Formatting the server is a drastic measure typically reserved for recovery, which would destroy all forensic evidence vital for investigation and preventing future incidents.
Concept tested. Incident Response Lifecycle - Identification Phase
Reference. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf