CompTIA Security+ Exam SY0-601: Anomalous Activity Resolution | Next Steps

Resolving Anomalous Activity from Workstations: Next Steps


Question

A security analyst notices anomalous activity coming from several workstations in the organization.

Upon identifying and containing the issue, which of the following should the security analyst do NEXT?

Answers

Explanations


D.

As a security analyst, it is important to follow a proper incident response plan to ensure that the issue is fully resolved and that preventive measures are put in place. These are the steps the security analyst should take next:

  1. Document the Incident: The first step is to document the incident and gather all the necessary information related to the incident. This documentation will be useful in the after-action report and will also help in future incident response plans.

  2. Contain the Incident: Once the incident has been documented, the next step is to contain it. This means isolating the affected workstations from the network to prevent any further damage. The security analyst should also ensure that the malware or virus is removed from the workstations.

  3. Investigate the Incident: After containing the incident, the security analyst should investigate the cause of the incident and identify any vulnerabilities or weaknesses that may have been exploited. This will help in developing a plan to prevent similar incidents in the future.

  4. Restore Operations: Once the incident has been fully investigated, the security analyst should work with the IT department to restore the workstations and any lost data. This may involve reimaging the workstations and restoring data from backups.

  5. Monitor and Follow Up: The security analyst should continue to monitor the workstations and the network to ensure that the incident does not recur. It is also important to follow up with the IT department to ensure that any preventive measures that were put in place are effective.

  6. Document Findings: Finally, the security analyst should document all findings related to the incident in an after-action and lessons-learned report. This report should include a detailed description of the incident, the steps taken to contain and investigate it, and any recommendations for preventing similar incidents in the future.

Based on the above steps, the correct answer is D. The security analyst should document the findings and processes in an after-action and lessons-learned report, as this will provide useful information for future incident response plans.