A security analyst is responding to an incident on a web server on the company network that is making a large number of outbound requests over DNS.
Which of the following is the FIRST step the analyst should take to evaluate this potential indicator of compromise?
A. Run an anti-malware scan on the system to detect and eradicate the current threat.
B. Start a network capture on the system to look into the DNS requests to validate command and control traffic.
C. Shut down the system to prevent further degradation of the company network.
D. Reimage the machine to remove the threat completely and get back to a normal running state.
E. Isolate the system on the network to ensure it cannot access other systems while evaluation is underway.
Answer: A
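Whichever order the exam expects, evaluating this indicator in practice means looking at the DNS queries the server is actually sending. The script below is an added example, not part of the original question or answer: it reads a constructed Zeek-style dns.log excerpt (sample data embedded in the code) and scores each source host and base domain on the usual DNS-tunnelling signals: query volume, ratio of unique subdomains, subdomain label length, character entropy, and use of payload-capable record types such as TXT or NULL. The thresholds and the two-label base-domain split are illustrative assumptions; on a real network they would be tuned against a baseline of normal DNS traffic.

```python
"""Triage of a suspected DNS-tunnelling / C2 host from DNS query logs.

Added example, not code from the original page. The log excerpt below is
constructed; the thresholds are assumptions chosen for illustration.
"""
import math
from collections import defaultdict

# Constructed sample. Tab-separated columns: ts, id.orig_h, id.resp_h, query,
# qtype_name (a subset of Zeek's dns.log fields). 10.0.0.5 is a normal
# workstation; 10.0.0.7 is the web server issuing long, high-entropy TXT queries.
SAMPLE_DNS_LOG = """\
1700000001.10\t10.0.0.5\t10.0.0.2\twww.example.com\tA
1700000002.20\t10.0.0.5\t10.0.0.2\tupdates.example.com\tA
1700000003.30\t10.0.0.5\t10.0.0.2\tmail.example.com\tMX
1700000004.00\t10.0.0.7\t10.0.0.2\ta4f9c2e17b6d0538e9a1c4f7b2d6e0a3c5f8b1d4.s1.tunnel-test.example\tTXT
1700000004.25\t10.0.0.7\t10.0.0.2\t7c1e5b9d3f2a8e6c0d4b7a1f9e3c5d8b2a6f0e4c.s2.tunnel-test.example\tTXT
1700000004.50\t10.0.0.7\t10.0.0.2\te2d7a9c4f1b6e8d3a5c0f7b2d9e4a6c1f8b3d5e0.s3.tunnel-test.example\tTXT
1700000004.75\t10.0.0.7\t10.0.0.2\t3b8f6d1e9a2c7f4b0e5d8a3c6f1b9e2d7a4c0f5b.s4.tunnel-test.example\tTXT
1700000005.00\t10.0.0.7\t10.0.0.2\t9e4c7a2f5d8b1e6a3c0f9d4b7e2a5c8f1d6b3e0a.s5.tunnel-test.example\tTXT
1700000005.25\t10.0.0.7\t10.0.0.2\t5d0a3f8c2e7b4d9a1f6c3e8b5d2a7f0c4e9b6d1a.s6.tunnel-test.example\tTXT
"""

# Record types whose answers/questions can carry arbitrary payload bytes.
PAYLOAD_QTYPES = {"TXT", "NULL", "CNAME"}

# Assumed thresholds (illustrative, tune against your own baseline).
THRESHOLDS = {
    "min_queries": 5,            # ignore (host, domain) pairs with fewer queries
    "min_unique_ratio": 0.8,     # unique subdomains / queries
    "min_avg_sub_len": 30,       # average length of the subdomain part
    "min_entropy": 3.0,          # mean Shannon entropy (bits/char) of the subdomain
    "min_payload_qtype_ratio": 0.5,
}


def parse_dns_log(text):
    """Parse the tab-separated excerpt into a list of dicts; skips comments/blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, query, qtype = line.split("\t")
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "query": query.lower().rstrip("."), "qtype": qtype})
    return records


def shannon_entropy(s):
    """Bits of entropy per character; random-looking encoded data scores high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(query, base_labels=2):
    """Split 'sub.labels.base.tld' into (subdomain, base domain).

    Assumption: the registered domain is the last two labels. Real tooling
    would use the public suffix list (e.g. co.uk has three)."""
    labels = query.split(".")
    if len(labels) <= base_labels:
        return "", query
    return ".".join(labels[:-base_labels]), ".".join(labels[-base_labels:])


def triage(records, thresholds=THRESHOLDS):
    """Score every (source host, base domain) pair and flag tunnelling-like ones."""
    groups = defaultdict(list)
    for r in records:
        sub, base = split_query(r["query"])
        groups[(r["src"], base)].append((sub, r["qtype"]))

    findings = {}
    for key, items in groups.items():
        n = len(items)
        subs = [s for s, _ in items]
        stats = {
            "queries": n,
            "unique_ratio": len(set(subs)) / n,
            "avg_sub_len": sum(len(s) for s in subs) / n,
            "mean_entropy": sum(shannon_entropy(s) for s in subs) / n,
            "payload_qtype_ratio": sum(q in PAYLOAD_QTYPES for _, q in items) / n,
        }
        reasons = []
        if stats["unique_ratio"] >= thresholds["min_unique_ratio"]:
            reasons.append("unique_subdomains")      # each query is a fresh chunk
        if stats["avg_sub_len"] >= thresholds["min_avg_sub_len"]:
            reasons.append("long_labels")            # data stuffed into the name
        if stats["mean_entropy"] >= thresholds["min_entropy"]:
            reasons.append("high_entropy")           # encoded/encrypted payload
        if stats["payload_qtype_ratio"] >= thresholds["min_payload_qtype_ratio"]:
            reasons.append("payload_qtypes")         # TXT/NULL/CNAME for downstream data
        # Require volume plus at least two independent signals to cut false positives
        # (CDNs legitimately produce many unique, moderately long subdomains).
        stats["reasons"] = reasons
        stats["suspicious"] = n >= thresholds["min_queries"] and len(reasons) >= 2
        findings[key] = stats
    return findings


def suspicious_hosts(findings):
    """Sorted list of source hosts with at least one suspicious base domain."""
    return sorted({src for (src, _), f in findings.items() if f["suspicious"]})


if __name__ == "__main__":
    results = triage(parse_dns_log(SAMPLE_DNS_LOG))
    for (src, base), f in sorted(results.items()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{src:10} {base:22} n={f['queries']:<3} {flag:10} {','.join(f['reasons'])}")
```

Run against a real Zeek dns.log (or a capture converted with tshark) the same grouping by source host and base domain points you straight at the server and the domain to investigate, and the per-signal reasons tell you whether the volume is a busy legitimate resolver or encoded data leaving the network.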