CompTIA CySA+ Exam CS0-002: Incident Response Plan | Next Step

Incident Response Plan: Handling Threats on the Network

Question

A company's incident response team is handling a threat that was identified on the network.

Security analysts have determined a web server is making multiple connections from TCP port 445 outbound to servers inside its subnet as well as at remote sites.

Which of the following is the MOST appropriate next step in the incident response plan?

Answers

A. Quarantine the web server.
B. Deploy virtual firewalls.
C. Capture a forensic image of the memory and disk.
D. Enable web server containerization.

Explanations

A web server that opens many outbound connections on TCP port 445 (SMB) to other servers, both inside its own subnet and at remote sites, is not behaving like a web server: it is behaving like a compromised host that is scanning for, or spreading to, other machines over SMB. (SMB clients connect to port 445 on the target from an ephemeral source port, so the connections to look for are those whose destination port is 445.) Of the options given, the most appropriate next step is to capture a forensic image of the memory and disk (Option C).
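To show what this indicator looks like in connection records, here is an added example in Python; it is not code from the original page or from the exam vendor. It reads constructed flow records in a simplified "src:port -> dst:port" format (an assumption made for the example, not any product's log format), keys on destination port 445 as explained above, and reports each source that fanned out to several distinct SMB targets, split into in-subnet and remote destinations.

```python
"""Flag hosts that fan out over SMB (TCP/445) to many destinations.

Added example. The flow-record format and the sample records are constructed
for illustration; a real deployment would read NetFlow/IPFIX or Zeek conn.log
fields instead of parsing this toy format.
"""
import ipaddress
from collections import defaultdict

SMB_PORT = 445

# Constructed sample records: "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
# 10.10.5.20 is the web server; it talks SMB to four subnet peers and three remote hosts.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z 10.10.5.20:49152 -> 10.10.5.21:445 tcp
2024-05-01T10:00:01Z 10.10.5.20:49153 -> 10.10.5.22:445 tcp
2024-05-01T10:00:02Z 10.10.5.20:49154 -> 10.10.5.23:445 tcp
2024-05-01T10:00:02Z 10.10.5.20:49155 -> 10.10.5.24:445 tcp
2024-05-01T10:00:03Z 10.10.5.20:49156 -> 192.168.40.10:445 tcp
2024-05-01T10:00:03Z 10.10.5.20:49157 -> 192.168.41.10:445 tcp
2024-05-01T10:00:04Z 10.10.5.20:49158 -> 172.16.8.5:445 tcp
2024-05-01T10:00:05Z 203.0.113.7:51000 -> 10.10.5.20:443 tcp
2024-05-01T10:00:05Z 10.10.5.30:49200 -> 10.10.5.40:445 tcp
2024-05-01T10:00:06Z 10.10.5.20:49159 -> 10.10.5.21:445 tcp
"""


def parse_flow(line):
    """Split one record into its fields; addresses become ip_address objects."""
    ts, src, _arrow, dst, proto = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {
        "ts": ts,
        "src": ipaddress.ip_address(sip),
        "sport": int(sport),
        "dst": ipaddress.ip_address(dip),
        "dport": int(dport),
        "proto": proto,
    }


def smb_fanout(lines, local_subnet, min_destinations=5):
    """Return {source_ip: summary} for every source that initiated TCP/445
    connections to at least min_destinations distinct hosts. The summary
    separates targets inside local_subnet from targets elsewhere, which is the
    scoping information the responders need (which peers and which sites)."""
    targets = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        # Destination port is what matters: SMB clients use ephemeral source ports.
        if flow["proto"] == "tcp" and flow["dport"] == SMB_PORT:
            targets[flow["src"]].add(flow["dst"])

    net = ipaddress.ip_network(local_subnet)
    findings = {}
    for src, dsts in targets.items():
        if len(dsts) < min_destinations:
            continue
        findings[str(src)] = {
            "distinct_targets": len(dsts),
            "in_subnet": sorted(str(d) for d in dsts if d in net),
            "remote": sorted(str(d) for d in dsts if d not in net),
        }
    return findings


if __name__ == "__main__":
    for host, summary in smb_fanout(SAMPLE_FLOWS.splitlines(), "10.10.5.0/24").items():
        print(host, summary)
```

The threshold and the local subnet are parameters because what counts as "multiple" depends on the environment; the host at 10.10.5.30 with a single SMB connection is deliberately left unflagged, while the inbound HTTPS connection to the web server is ignored because its destination port is not 445.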

Imaging the memory and disk preserves the evidence the team needs to establish what the server is doing and how it was compromised. Memory holds the running processes, their open network connections, loaded modules and any code that exists only in RAM; it is the most volatile evidence and is lost the moment the host is rebooted or powered off, so it is captured first. The disk image records files, logs, scheduled tasks and other persistence that show how the attacker got in and what was changed. Every image should be hashed as it is acquired and the hash recorded with the case details, so the evidence can later be shown to be unaltered.
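The hashing-and-manifest step is the part of an acquisition that is easy to skip and hard to recover later, so here is an added example in Python that is not from the original page. It images a source block by block while hashing it, re-hashes the finished image, writes a chain-of-custody manifest, and can verify the image again before analysis. It runs against an ordinary file so it can be executed anywhere; the case ID and examiner name are placeholders, and in a real acquisition the source would be a block device opened read-only (or a memory dump produced by a dedicated capture tool) and the image would be written to separate evidence media rather than onto the suspect host.

```python
"""Image an evidence source while hashing it, then verify the image by hash.

Added example. The 'evidence source' used by demo() is constructed random data
in a temporary directory, and the case_id/examiner values are placeholders.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read and write in 1 MiB blocks


def sha256_of_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source_path, image_path, case_id, examiner):
    """Copy source_path to image_path, hashing the source as it is read, then
    re-read the finished image and compare. Returns a manifest for the
    chain-of-custody record and raises if the two hashes differ."""
    src_hash = hashlib.sha256()
    size = 0
    started = datetime.now(timezone.utc).isoformat()
    with open(source_path, "rb") as src, open(image_path, "wb") as img:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            img.write(block)
            size += len(block)
        img.flush()
        os.fsync(img.fileno())  # make sure the image is on stable storage
    image_digest = sha256_of_file(image_path)
    if image_digest != src_hash.hexdigest():
        raise RuntimeError("image hash differs from source hash; acquisition failed")
    manifest = {
        "case_id": case_id,
        "examiner": examiner,
        "source": source_path,
        "image": image_path,
        "size_bytes": size,
        "sha256": image_digest,
        "acquired_at": started,
        "completed_at": datetime.now(timezone.utc).isoformat(),
    }
    with open(image_path + ".manifest.json", "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_image(image_path, manifest):
    """Re-hash an image (for example before analysis or handover) and check it
    against the manifest, proving it has not changed since acquisition."""
    return sha256_of_file(image_path) == manifest["sha256"]


def demo():
    """Acquire a constructed source, verify the image, then tamper with the
    image and confirm verification fails. Returns (manifest, ok, ok_after_tamper)."""
    workdir = tempfile.mkdtemp(prefix="ir-demo-")
    source = os.path.join(workdir, "source.bin")
    with open(source, "wb") as fh:
        fh.write(os.urandom(3 * CHUNK + 123))  # constructed sample data
    image = os.path.join(workdir, "source.dd")
    manifest = acquire_image(source, image, case_id="IR-0001", examiner="analyst")
    intact = verify_image(image, manifest)
    with open(image, "r+b") as fh:  # flip the first byte of the image copy
        first = fh.read(1)
        fh.seek(0)
        fh.write(bytes([first[0] ^ 0xFF]))
    return manifest, intact, verify_image(image, manifest)


if __name__ == "__main__":
    m, ok, ok_after_tamper = demo()
    print(json.dumps(m, indent=2))
    print("verified:", ok, "after tampering:", ok_after_tamper)
```

The manifest is written beside the image rather than only printed so that it travels with the evidence; recording the examiner, timestamps and size alongside the digest is what lets a later verification stand up as a chain-of-custody record.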

Quarantining the web server (Option A) is a containment action rather than the investigative step the plan calls for here. If the quarantine is done by shutting the host down, it destroys the volatile memory evidence described above and may take a business-critical service offline; if it is done by isolating the host on the network, it stops the outbound SMB connections from that host but tells the team nothing about what is running on it or which of the servers it already reached are now compromised. Containment still has to happen, and in practice network isolation that leaves the host powered on is often applied at the same time as the memory capture.

Deploying virtual firewalls (Option B) is a longer-term segmentation control. Filtering SMB between segments would limit how far a future compromise could spread, but it does not address the server that is already compromised or identify the hosts it has connected to.

Enabling web server containerization (Option D) is an architectural hardening measure, not an incident response action. Containers isolate an application from the host operating system and from other applications, which can limit the impact of a future compromise, but they do nothing for the incident in progress, and rebuilding the server as a container would destroy the evidence on it.

In summary, capturing a forensic image of the memory and disk is the most appropriate next step: it preserves the evidence needed to identify the root cause, determine the scope of the compromise (which other servers received SMB connections from the web server), and choose the right containment and eradication actions.