PrepAway - Latest Free Exam Questions & Answers

Which of the following should be performed FIRST to handle the incident?

A web server is attacked and compromised. Which of the following should be performed FIRST to handle the incident?

A. Dump the volatile storage data to a disk.

B. Run the server in a fail-safe mode.

C. Disconnect the web server from the network.

D. Shut down the web server.

Explanation:
The first action is to disconnect the web server from the network to contain the damage and prevent more actions by the attacker. Dumping the volatile storage data to a disk may be used at the investigation stage but does not contain an attack in progress. To run the server in a fail-safe mode, the server needs to be shut down. Shutting down the server could potentially erase information that might be needed for a forensic investigation or to develop a strategy to prevent future similar attacks.
