A security analyst, while doing a security scan using packet capture security tools, noticed large
volumes of data images of company products being exfiltrated to foreign IP addresses. Which of
the following is the FIRST step in responding to scan results?

A. Incident identification
B. Implement mitigation
C. Chain of custody
D. Capture system image
Explanation:
Incident identification is the first step in responding to an incident.
Incident mitigation is the actual step of responding to the incident so as to reduce risk, prevent recurrence and start the recovery process.
Chain of custody refers to a basic forensic procedure that is taken into account after an event occurred.
Capturing an image of the system is the process of making an exact copy of the contents of the hard drive in the system.
I went over the book again and the book NEVER says "implement mitigation" is the first step in responding to an incident. Incident response procedures involve: Preparation; Incident identification; Escalation and notification; Mitigation steps; Lessons learned; Reporting; Recovery/reconstitution procedures; First responder; Incident isolation (Quarantine; Device removal); Data breach; Damage and loss control.
I would pick A because the question is asking for the FIRST step.
Exfiltration is the unauthorized transfer of data. My opinion is that the analyst has already identified the incident and should move to the next step in the procedure.
Yes, but the next step is not incident mitigation. The next step would be incident isolation, so I think A is the correct answer.
Okay, you are a lowly admin and you see a bunch of pictures going to foreign governments. Your first reaction is to block the pictures. Unbeknownst to you, your company had a huge contract that they were negotiating with the other government and you just killed the deal.
Regardless of the situation, you have to first ID the incident.
Does "exfiltrate" mean it's safe to assume that something nefarious is happening, or is it just more crappy CompTIA question construction?