During the detection and analysis phase of the NIST SP 800-61 incident response lifecycle, an analyst identifies suspicious network traffic from an internal host to a known malicious IP address. Which step should the analyst perform next to validate the alert?
- Trap 1: Search for the IP address on VirusTotal and Shodan. While threat intel enrichment is useful, it is part of validation but not the next immediate step; correlation with internal data is needed first.
- Trap 2: Escalate the alert to the incident response team for containment. Escalation is important but should follow validation.
- Trap 3: Contain the host immediately by disconnecting it from the network. Containment should occur after validation to avoid unnecessary disruption.
- A: Search for the IP address on VirusTotal and Shodan.
  Why wrong: While threat intel enrichment is useful, it is part of validation but not the next immediate step; correlation with internal data is needed first.
- B: Correlate the alert with other logs and endpoint data to confirm malicious activity.
  Correct: Correlation helps validate the alert before taking action.
- C: Escalate the alert to the incident response team for containment.
  Why wrong: Escalation is important but should follow validation.
- D: Contain the host immediately by disconnecting it from the network.
  Why wrong: Containment should occur after validation to avoid unnecessary disruption.