A security analyst discovers that a user's account has been used to access sensitive data outside of normal business hours from an unfamiliar IP address. The user claims they were not logged in at that time. Which security operations process should be initiated first?
- A
Perform a forensic analysis of the user's workstation
Why wrong: Forensic analysis of the workstation is a later step in the response. It is carried out at the direction of the incident response team, after the incident has been declared, scoped and the evidence to preserve (logs, session data, the workstation image) has been identified; starting with it skips the triage that decides what to collect.
- B
Reset the user's password and enforce multi-factor authentication
Why wrong: Resetting the password and enforcing multi-factor authentication are containment and eradication actions taken inside the incident response process, not the process to initiate. Performed before triage, they are done without knowing the scope of the compromise (other accounts, persisted sessions, API tokens) and can alert the intruder before evidence has been preserved.
- C
Disable the user account immediately
Why wrong: Disabling the account is a containment step defined in the incident response plan, not the first process to initiate. The report must be logged and triaged first; once the activity is confirmed as suspicious, the account is disabled as part of containment, with the observed activity recorded as evidence rather than acted on in isolation.
- D
Initiate the incident response process
Correct. Sensitive data accessed outside business hours, from an unfamiliar IP address, with the user denying the activity, is a strong indicator of account compromise and meets the criteria for declaring an incident. Initiating the incident response process starts its detection and analysis phase: the report is logged, the alert is triaged and scoped, and evidence is preserved. The team then works through containment (disabling the account), eradication and recovery (credential reset, MFA) and forensic analysis in order, rather than as ad hoc actions.
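The detection-and-analysis step the correct answer refers to, as an added example that is not part of the original page: a small triage helper that replays an access log, learns each user's baseline of source IPs from business-hours activity, flags sensitive-data access that is both off-hours and from an unfamiliar IP, and packages the raw log lines as evidence for the incident ticket. The log format, field names, business-hours window and sample lines are constructed assumptions, not a real product's output.

```python
"""Flag sensitive-data access that is both off-hours and from an IP the user
has never been seen on, and package it as an incident candidate for triage.

Added example, not from the original page. The log format, field names,
business hours and the sample lines below are constructed assumptions."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, time, timezone

# Constructed sample access log: UTC timestamp, user, source IP, resource,
# and the resource's classification tag.
SAMPLE_LOG = """\
2024-03-04T09:12:03Z jdoe 203.0.113.10 hr-share sensitive
2024-03-04T14:30:41Z jdoe 203.0.113.10 wiki public
2024-03-05T10:02:17Z jdoe 203.0.113.11 hr-share sensitive
2024-03-06T02:47:55Z jdoe 198.51.100.77 hr-share sensitive
2024-03-06T03:01:09Z jdoe 198.51.100.77 payroll-db sensitive
2024-03-06T11:15:00Z asmith 203.0.113.20 wiki public
2024-03-06T23:30:00Z asmith 203.0.113.20 hr-share sensitive
"""

# Assumed business hours, Monday to Friday, expressed in UTC.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)


@dataclass
class Event:
    ts: datetime
    user: str
    ip: str
    resource: str
    sensitive: bool
    raw: str  # original line, kept verbatim as evidence


@dataclass
class IncidentCandidate:
    user: str
    ip: str
    reasons: list[str]
    events: list[Event] = field(default_factory=list)

    def evidence(self) -> list[str]:
        """Raw log lines to attach to the incident ticket, untouched."""
        return [e.raw for e in self.events]


def parse_log(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_s, user, ip, resource, tag = line.split()
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, user, ip, resource, tag == "sensitive", line))
    return events


def off_hours(ts: datetime) -> bool:
    """True on weekends or outside the business-hours window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def triage(events: list[Event]) -> list[IncidentCandidate]:
    """Replay events in time order, learning each user's baseline of source
    IPs from unflagged business-hours activity. An event becomes an incident
    candidate only when all three signals line up: unfamiliar IP, off-hours,
    sensitive resource. Candidates are grouped per (user, ip) so the analyst
    sees the whole session, not one alert per row."""
    baseline = defaultdict(set)
    candidates = {}
    for ev in sorted(events, key=lambda e: e.ts):
        reasons = []
        if ev.ip not in baseline[ev.user]:
            reasons.append(f"source IP {ev.ip} not in baseline for {ev.user}")
        if off_hours(ev.ts):
            reasons.append(f"access at {ev.ts:%Y-%m-%d %H:%M}Z is outside business hours")
        if ev.sensitive:
            reasons.append(f"resource {ev.resource} is classified sensitive")
        if len(reasons) == 3:
            key = (ev.user, ev.ip)
            cand = candidates.setdefault(key, IncidentCandidate(ev.user, ev.ip, reasons))
            cand.events.append(ev)
        elif not off_hours(ev.ts):
            # Only unflagged business-hours activity extends the baseline;
            # otherwise an intruder's IP would teach itself into it.
            baseline[ev.user].add(ev.ip)
    return list(candidates.values())


if __name__ == "__main__":
    for cand in triage(parse_log(SAMPLE_LOG)):
        print(f"INCIDENT CANDIDATE user={cand.user} ip={cand.ip}")
        for r in cand.reasons:
            print("  -", r)
        for line in cand.evidence():
            print("  evidence:", line)
```

Run against the sample log, only jdoe's two accesses from 198.51.100.77 are raised as a candidate: the same user's new IP during business hours and asmith's off-hours access from a known IP both fall short of the three-signal rule. The output is a candidate for an analyst to triage, not an automatic account disable; the raw lines travel with it so the evidence is preserved before any containment action is taken.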