A security analyst detects unusual outbound traffic from a server that normally communicates only with internal systems. The firewall logs show connections to an external IP address on port 443/tcp. Which incident response step should the analyst perform FIRST?
- A. Run a full antivirus scan on the server.
  Why wrong: Scanning may alert the attacker and does not prevent ongoing data exfiltration.
- B. Isolate the server from the network.
  Why correct: Containment stops the threat from causing further damage while preserving the host and its volatile evidence for investigation.
- C. Immediately shut down the server.
  Why wrong: Shutdown may destroy volatile evidence and degrade system availability.
- D. Disconnect the entire network segment.
  Why wrong: This may cause unnecessary business disruption; isolate only the affected system.