During an incident response, the team identifies that the attacker gained access through a compromised service account with domain admin privileges. Which of the following steps should be taken FIRST to contain the incident?
Directly removes the attacker's foothold.
Why this answer
Disabling the compromised account and revoking its tokens (e.g., disabling it with `Set-ADAccountControl -Enabled $false` or `Disable-ADAccount`, then purging cached Kerberos TGTs) immediately stops the attacker's current authentication and lateral movement capabilities. This is the fastest containment step because the service account with Domain Admin privileges is the direct vector; isolating systems or resetting all passwords is slower and may not address active token reuse.
Exam trap
ISC2 often tests the principle that containment must be immediate and targeted; candidates mistakenly choose isolation or forensic analysis first, forgetting that the compromised account is the root cause and that tokens can outlive password resets.
How to eliminate wrong answers
Option A is wrong because isolating all affected systems can disrupt business operations and may not stop the attacker if they have already established persistence via the compromised account or tokens on other systems.
Option B is wrong because resetting all user passwords is a broad, time-consuming step that does not immediately revoke the attacker's active Kerberos tickets or NTLM hashes for the compromised service account, leaving a window for continued access.
Option C is wrong because performing a full forensic analysis before any action violates the incident response priority of containment over evidence preservation; the attacker could cause further damage or destroy evidence during the delay.