A security analyst notices unusual outbound traffic from a server in the DMZ to an external IP address on port 4444. The server runs a web application. Which action should the analyst take first?
Trap 1: Disconnect the server from the network.
Disconnecting may be necessary later, but first gather information to understand the threat.
Trap 2: Reboot the server to clear any malware.
Rebooting may destroy volatile evidence needed for forensic analysis.
Trap 3: Block the outbound traffic at the firewall.
Blocking without investigation may hide evidence and disrupt monitoring.
- A. Disconnect the server from the network.
  Why wrong: Disconnecting may be necessary later, but first gather information to understand the threat.
- B. Reboot the server to clear any malware.
  Why wrong: Rebooting may destroy volatile evidence needed for forensic analysis.
- C. Check the server's running processes and established connections.
  Why correct: This provides immediate visibility into potential compromise without destroying evidence.
- D. Block the outbound traffic at the firewall.
  Why wrong: Blocking without investigation may hide evidence and disrupt monitoring.