A computer emergency response team is called at midnight to investigate a case in which a mail server was restarted.
After an initial investigation, it was discovered that email is being exfiltrated through an active connection.
Which of the following is the NEXT step the team should take?
A. Identify the source of the active connection.
B. Perform eradication of the active connection and recover.
C. Perform containment procedures by disconnecting the server.
D. Format the server and restore its initial configuration.
The next step the computer emergency response team should take is to contain the incident by disconnecting the server from the network (option C). Cutting the active connection stops the exfiltration immediately and limits the scope of the incident. Disconnect at the network layer (pull the cable, disable the interface, block the switch port, or apply a host firewall rule) rather than powering the server off, so that running processes, open sockets and memory stay available for the investigation; the server has already been restarted once, and whatever volatile evidence survived that restart should not be lost a second time. If it takes only seconds, record the connection details (peer address, port, owning process) before cutting it.
Option A, identifying the source of the active connection, is a necessary part of the investigation, but it is not the next step. While the team works out where the connection goes and which process owns it, mail keeps leaving the server. Containment comes first; identification follows once the exfiltration has stopped.
Option B, eradicating the active connection and recovering, is premature at this stage. Eradication removes the root cause behind the connection (malware, a backdoor, or a compromised account), and it only makes sense after containment and investigation have established what that root cause is. Killing the connection without knowing how it was created leaves the attacker's access in place, and the connection will reappear.
Option D, formatting the server and restoring its initial configuration, is a last resort, not a first response. It destroys the evidence needed to determine how the attacker got in and what was taken, causes data loss, and does nothing about the entry point, so the rebuilt server can be compromised the same way again.
In summary, the NEXT step is containment: disconnect the server to stop the exfiltration. Once the incident is contained, the team can identify the source of the active connection, investigate the compromise, eradicate the root cause and recover the system, following the usual incident response sequence of identification, containment, eradication, recovery and lessons learned.
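The containment step described above, as an added example that is not part of the original page: the script snapshots the active connections on a Linux mail server, flags the one that looks like the exfiltration channel, records the volatile details worth keeping, and then emits the host-firewall commands that isolate the server while preserving the responders' SSH session. The `ss -tnp` output, the process names, the internal address ranges and the management host (10.0.0.10) are all constructed assumptions for this illustration; the firewall commands are printed, not executed.

```python
"""Added example, not part of the original page: triage the active
connections on a compromised Linux mail server and emit the iptables
commands for network isolation. All inputs are constructed assumptions."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of `ss -tnp` output (postfix-style process names assumed).
# The third connection is the exfiltration: an smtpd worker holding an
# outbound HTTPS session to an external host with a large send queue.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
ESTAB  0      0      10.0.0.25:25        10.0.0.40:51233     users:(("smtpd",pid=2231,fd=6))
ESTAB  0      0      10.0.0.25:22        10.0.0.10:60012     users:(("sshd",pid=1180,fd=4))
ESTAB  0      184320 10.0.0.25:44712     203.0.113.77:443    users:(("smtpd",pid=2278,fd=9))
ESTAB  0      0      10.0.0.25:25        198.51.100.9:40211  users:(("smtpd",pid=2290,fd=6))
"""

# Assumed address space of the organisation; any other peer counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAIL_PORTS = {25, 465, 587}

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(.*)$")
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+),fd=\d+\)\)')


@dataclass
class Conn:
    state: str
    send_q: int
    local: str
    lport: int
    peer: str
    pport: int
    proc: str
    pid: int


def parse_ss(text):
    """Parse `ss -tnp` output into Conn records, skipping the header line."""
    conns = []
    for line in text.splitlines()[1:]:
        m = LINE_RE.match(line)
        if not m:
            continue
        pm = PROC_RE.search(m.group(8))
        proc, pid = (pm.group(1), int(pm.group(2))) if pm else ("?", 0)
        conns.append(Conn(m.group(1), int(m.group(3)), m.group(4), int(m.group(5)),
                          m.group(6), int(m.group(7)), proc, pid))
    return conns


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def suspicious(conns):
    """Heuristic: established sessions to an external peer that the server
    itself opened (ephemeral local port) on a non-mail port. Inbound SMTP and
    outbound relay on 25/465/587 are left alone, so this can miss exfil that
    rides SMTP; it is a first cut for the responder, not a verdict."""
    return [c for c in conns
            if c.state == "ESTAB" and is_external(c.peer)
            and c.lport not in MAIL_PORTS and c.pport not in MAIL_PORTS]


def evidence(conns):
    """Volatile details to write down before the connection is cut."""
    return [f"{c.proc}[{c.pid}] {c.local}:{c.lport} -> {c.peer}:{c.pport} send_q={c.send_q}"
            for c in conns]


def containment_rules(flagged, mgmt_host):
    """Emit (do not run) iptables commands for network isolation: keep the
    responders' SSH session from mgmt_host, log any retry to the exfil peers
    (LOG is non-terminating, so the packet still hits the DROP policy), then
    default-drop everything else."""
    rules = [
        f"iptables -I INPUT 1 -s {mgmt_host} -p tcp --dport 22 -j ACCEPT",
        f"iptables -I OUTPUT 1 -d {mgmt_host} -p tcp --sport 22 -j ACCEPT",
    ]
    for c in flagged:
        rules.append(f'iptables -A OUTPUT -d {c.peer} -p tcp --dport {c.pport} '
                     f'-j LOG --log-prefix "IR-exfil pid={c.pid} "')
    rules += ["iptables -P INPUT DROP", "iptables -P OUTPUT DROP", "iptables -P FORWARD DROP"]
    return rules


if __name__ == "__main__":
    import sys
    # On the live host: ss -tnp | python3 triage.py ; otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS
    flagged = suspicious(parse_ss(text))
    print("\n".join(evidence(flagged)))
    print("\n".join(containment_rules(flagged, "10.0.0.10")))
```

The ordering in the script mirrors the answer: capture the volatile facts about the connection first (a few seconds), then isolate. Isolating with host firewall rules keeps the box running so memory and process state remain available; if the attacker may control the host firewall, pulling the cable or blocking the switch port is the safer cut, at the cost of the responders' own session.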