A security analyst detects that multiple workstations in the finance department are displaying ransom notes and files are being encrypted. The analyst has disconnected the affected workstations from the network. Which of the following should the analyst do next according to the incident response procedure?
Isolating the affected network segment stops the ransomware from reaching hosts and file shares that are not yet encrypted and cuts any command-and-control channel it may still have. Preserving forensic evidence (volatile data first, then disk images, logs, ransom notes and malware samples) supports a thorough investigation to identify the initial infection vector, scope the compromise and prevent a recurrence.
Why this answer
Option B is correct because disconnecting the affected workstations is only short-term, host-level containment. The next step in the incident response procedure is to extend containment to the affected network segment, so the ransomware cannot spread further, while preserving forensic evidence before anything on the hosts is changed. This follows the NIST SP 800-61 lifecycle (preparation; detection and analysis; containment, eradication and recovery; post-incident activity), which treats containment as the first of those three remediation stages and calls for evidence to be gathered and handled with a documented chain of custody before eradication or recovery actions destroy it.
Exam trap
The trap here is that candidates jump to recovery actions (reimaging or restoring from backup) too early. The incident response process requires containment and evidence preservation before eradication, and eradication before recovery; rebuilding hosts while the initial access path or persistence is still in place only reintroduces the problem.
How to eliminate wrong answers
Option A is wrong because reimaging destroys the evidence needed for root cause analysis and attribution: volatile data (memory contents, which may hold the encryption keys or the unpacked malware, plus running-process and network-connection state) as well as on-disk artifacts such as ransom notes, the malware sample and local logs. Memory and disk should be imaged and hashed before any rebuild. Option C is wrong because running an antivirus scan modifies the evidence (the scanner quarantines or deletes the sample and alters file timestamps), it does not address the root cause, and signature-based tools that already missed the infection are unlikely to fully remediate a polymorphic or fileless variant; with the hosts already disconnected, a scan adds nothing that segment isolation does not. Option D is wrong because restoring from backup without first investigating and eradicating the cause may reintroduce the infection vector (compromised credentials or persistence that remain in place), loses the indicators of compromise (IoCs) needed to detect a repeat, and risks restoring backups that the ransomware also reached if they were accessible from the affected segment; backup integrity must be verified before recovery.
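The two activities the correct answer pairs, scoping the incident and preserving evidence before any rebuild, as an added Python example (not code from the original page or from any exam vendor). It walks a directory tree read-only for ransomware indicators (ransom-note file names and high-entropy files with an encrypted extension) and writes a chain-of-custody manifest with SHA-256 hashes in RFC 3227 order of volatility. The sample tree, the note names `README.txt` and `how_to_decrypt.txt`, the `.locked` extension and the `memdump.raw` placeholder are all assumptions constructed for illustration; real memory and disk capture would use dedicated imaging tools.

```python
"""Added triage example (not from the original page). Scopes a ransomware
incident read-only and hashes artifacts into a chain-of-custody manifest,
collected in RFC 3227 order of volatility. All sample data is constructed."""
import hashlib
import math
import tempfile
import time
from collections import Counter
from pathlib import Path

RANSOM_NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt"}   # assumed note names
ENCRYPTED_EXT = ".locked"                                  # assumed extension
ENTROPY_THRESHOLD = 7.0   # bits/byte; ciphertext sits near 8.0, text near 4-5

# RFC 3227 order of volatility, most volatile first: collect in this order.
VOLATILITY_ORDER = ["memory", "network_state", "processes", "disk_files", "logs"]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_indicators(root: Path, ext: str = ENCRYPTED_EXT) -> dict:
    """Scope the incident: list ransom notes and encrypted files under root.
    Read-only: nothing under root is modified or quarantined."""
    notes, encrypted = [], []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.name.lower() in RANSOM_NOTE_NAMES:
            notes.append(rel)
        elif p.suffix == ext and shannon_entropy(p.read_bytes()) >= ENTROPY_THRESHOLD:
            encrypted.append(rel)
    return {"ransom_notes": notes, "encrypted_files": encrypted}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(p: Path) -> str:
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(artifacts: dict, collector: str) -> list:
    """artifacts maps a volatility tier to a list of Paths. Returns chain-of-
    custody entries in collection order (most volatile tier first)."""
    entries = []
    for tier in VOLATILITY_ORDER:
        for p in artifacts.get(tier, []):
            entries.append({
                "tier": tier,
                "path": str(p),
                "size": p.stat().st_size,
                "sha256": sha256_file(p),
                "collected_by": collector,
                "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            })
    return entries


def make_sample_tree() -> Path:
    """Constructed sample data standing in for one affected finance workstation."""
    root = Path(tempfile.mkdtemp(prefix="ir_demo_"))
    (root / "finance" / "q3").mkdir(parents=True)
    (root / "finance" / "README.txt").write_text("Your files are encrypted. Pay to decrypt.\n")
    # bytes(range(256)) * 16 has maximal entropy (8.0 bits/byte), like ciphertext
    (root / "finance" / "q3" / "budget.xlsx.locked").write_bytes(bytes(range(256)) * 16)
    (root / "finance" / "q3" / "notes.txt").write_text("quarterly figures\n" * 50)
    (root / "memdump.raw").write_bytes(b"abc")   # placeholder for a memory capture
    return root


def run_triage(collector: str = "analyst") -> tuple:
    """Scope first, then hash the evidence: memory tier before disk tier."""
    root = make_sample_tree()
    indicators = find_indicators(root)
    artifacts = {
        "memory": [root / "memdump.raw"],
        "disk_files": [root / rel for rel in
                       indicators["ransom_notes"] + indicators["encrypted_files"]],
    }
    return indicators, build_manifest(artifacts, collector)


if __name__ == "__main__":
    import json
    ind, man = run_triage()
    print(json.dumps({"indicators": ind, "manifest": man}, indent=2))
```

The manifest is what gets signed off and stored with the images: a hash taken before reimaging is the only way to later prove that a sample or log handed to investigators is the one collected from the host. The entropy check is a scoping heuristic only; compressed archives also score high, so confirm hits against the ransom note's extension pattern.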