A security analyst receives an alert indicating an internal host is sending outbound traffic on TCP port 25 to multiple external IP addresses. Which action should the analyst take first to investigate potential data exfiltration?
- A. Submit a change request to implement an email content filter.
  Why wrong: This is a long-term control, not an immediate investigation step.
- B. Check if the host is configured as a mail server in the organization's asset database. (Correct answer)
  Why correct: This step quickly confirms whether the traffic is expected, avoiding unnecessary escalation.
- C. Block the outbound traffic on the firewall to prevent potential data exfiltration.
  Why wrong: Blocking first may cause service disruption without proper investigation.
- D. Run a full antivirus scan on the host to detect any malware.
  Why wrong: This is a later step; initial verification of the host's role is faster and less disruptive.