Exam SY0-601 topic 1 question 422 discussion

Actual exam question from CompTIA's SY0-601
Question #: 422
Topic #: 1

A systems engineer thinks a business system has been compromised and is being used to exfiltrate data to a competitor. The engineer contacts the CSIRT. The CSIRT tells the engineer to immediately disconnect the network cable and to not do anything else. Which of the following is the most likely reason for this request?

  • A. The CSIRT thinks an insider threat is attacking the network.
  • B. Outages of business-critical systems cost too much money.
  • C. The CSIRT does not consider the systems engineer to be trustworthy.
  • D. Memory contents, including fileless malware, are lost when the power is turned off.
Suggested Answer: D 🗳️

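The reasoning behind the suggested answer is that the evidence pointing at an exfiltration channel (the live socket table, the owning process, anything a fileless implant holds only in RAM) exists in kernel and process memory and survives a pulled network cable but not a power-off. As an added example, not part of the ExamTopics page or the CompTIA material, the script below shows what that volatile state looks like on a Linux host: it parses the kernel's `/proc/net/tcp` socket table (still readable after the cable is out, frozen in its last state), flags established connections to peers outside an internal range as the sockets an analyst would map to a PID via `/proc/<pid>/fd`, and hashes the snapshot for chain of custody. The `/proc/net/tcp` text and the `10.0.0.0/8` internal range are constructed for the example; on a real Linux host the script reads the live table instead.

```python
"""
Volatile-evidence triage for a host that is isolated but left powered on.
Added example; not code from the ExamTopics page or from CompTIA.
The sample /proc/net/tcp text and the internal range are constructed.
"""
import hashlib
import ipaddress
import json
from dataclasses import dataclass, asdict

# Socket states as numbered in the Linux kernel (include/net/tcp_states.h).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample in the layout of /proc/net/tcp (not a real capture):
# an sshd listener, an internal DB client, and one outbound HTTPS session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0500000A:0CEA 0700000A:C350 01 00000000:00000000 00:00000000 00000000   999        0 10002 1 0000000000000000 20 4 30 10 -1
   2: 0500000A:C822 097100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 10003 1 0000000000000000 20 4 30 10 -1
"""
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: corporate range


@dataclass(frozen=True)
class Socket:
    local: str
    remote: str
    state: str
    uid: int
    inode: int


def decode_endpoint(hex_endpoint: str) -> str:
    """'0100007F:0016' -> '127.0.0.1:22'. The kernel prints the IPv4 address
    as one little-endian 32-bit word, so the octets come out reversed."""
    addr_hex, port_hex = hex_endpoint.split(":")
    octets = [int(addr_hex[i:i + 2], 16) for i in range(0, 8, 2)]
    ip = ".".join(str(o) for o in reversed(octets))
    return f"{ip}:{int(port_hex, 16)}"


def parse_proc_net_tcp(text: str) -> list[Socket]:
    """Parse the IPv4 TCP socket table into Socket records; skips the header."""
    sockets = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        sockets.append(Socket(
            local=decode_endpoint(f[1]),
            remote=decode_endpoint(f[2]),
            state=TCP_STATES.get(f[3].upper(), f[3]),
            uid=int(f[7]),
            inode=int(f[9]),
        ))
    return sockets


def exfil_candidates(sockets, internal_nets=INTERNAL_NETS) -> list[Socket]:
    """Established connections whose peer is outside every internal range.
    The inode is the key to find the owning PID under /proc/<pid>/fd, which
    is only possible while the host is still running."""
    out = []
    for s in sockets:
        if s.state != "ESTABLISHED":
            continue
        peer = ipaddress.ip_address(s.remote.rsplit(":", 1)[0])
        if not any(peer in net for net in internal_nets):
            out.append(s)
    return out


def snapshot(sockets) -> tuple[str, str]:
    """Serialise the table deterministically and hash it for chain of custody."""
    body = json.dumps([asdict(s) for s in sockets], sort_keys=True, indent=1)
    return body, hashlib.sha256(body.encode()).hexdigest()


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:   # live table on a Linux host
            text = fh.read()
    except OSError:
        text = SAMPLE_PROC_NET_TCP          # fall back to the constructed sample
    table = parse_proc_net_tcp(text)
    body, digest = snapshot(table)
    print(f"{len(table)} sockets captured, sha256={digest}")
    for s in exfil_candidates(table):
        print("external ESTABLISHED:", s.local, "->", s.remote,
              "uid", s.uid, "inode", s.inode)
```

Running it against the constructed sample reports one external established session (10.0.0.5:51234 to 203.0.113.9:443, uid 1000, inode 10003); on a live host the same inode would be resolved to a process and its command line before anyone touches the power. Note that the collection itself changes state (a new process, new memory pages), so it is done by the responders, in a planned order, rather than by the engineer who raised the alarm.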
Comments

ApplebeesWaiter1122
Highly Voted 1 year ago
Selected Answer: D
Memory contents including files and malware are lost when the power is turned off. This is because memory is a volatile storage device that requires constant power to retain data. If a system has been compromised and is being used to exfiltrate data to a competitor, the CSIRT may want to preserve the memory contents for forensic analysis and evidence collection. Therefore, the CSIRT may tell the engineer to immediately disconnect the network cable and not do anything else to prevent further data loss or tampering. References: https://www.comptia.org/certifications/security#examdetails https://www.comptia.org/content/guides/comptia-security-sy0-601-exam-objectives https://resources.infosecinstitute.com/topic/memory-acquisition-and-analysis/
upvoted 11 times
ID77
2 months, 3 weeks ago
Thanks Applebees! Your answers are greatly appreciated.
upvoted 1 times
durel
Most Recent 2 weeks, 1 day ago
Selected Answer: A
A seems logical
upvoted 2 times
AspiringNerd
2 weeks, 5 days ago
Selected Answer: A
Unplugging the network cable does not turn off power
upvoted 4 times
Satinder2000
1 month, 2 weeks ago
Selected Answer: A
I don't know why people are choosing D when the question clearly states the engineer was asked to unplug the network cable and not do anything else; there was no mention of turning off the power. So, A is the right answer.
upvoted 4 times
slapster
3 months ago
Selected Answer: D
I am inclined to go with D. The phrase "and to not do anything else" in the question implies that the power cable should not be unplugged. Answer choice D is the explanation for why it shouldn't be unplugged: because it will result in a loss of memory. Unplugging it from the network isolates it; however, they would still want to investigate the data, meaning they need to make sure it isn't lost. While an insider attack may be a possibility, there wasn't enough indicative information within the question to justify selecting A.
upvoted 1 times
BD69
3 months, 3 weeks ago
Here's why the answer should be A.
1) A machine inside the company is potentially exfiltrating data to a competitor.
2) Exfiltration in this case would be internal to the company.
3) This makes this an insider threat (while it could happen via a RAT, there's no mention that the security software would have flagged this; we can presume it would have been, so we can safely assume that this exfiltration is being done by an employee).
4) CSIRT's request means he/she believes the exfiltration is actively going on.
5) Because of this, asks the Systems Engineer to pull the network connection.
6) The SE is not instructed to shut the machine off.
7) The last answer is NOT a REASON (it is merely a statement of fact).
8) Either A) or C) could be a REASON; B) is completely out of the context of this question.
9) If the CSIRT didn't think the SE was trustworthy, he/she wouldn't be talking to them, right?
upvoted 1 times
david124
4 months, 1 week ago
The CSIRT asked the engineer "to immediately disconnect the network cable", not to "turn off" the system. It can't be D. Why not C?
upvoted 2 times
Mehe323
1 week, 5 days ago
You can't say C based on the scenario, that is making too many assumptions. C is included in A, so A is a better answer.
upvoted 1 times
ganymede
5 months, 1 week ago
Selected Answer: A
A. The CSIRT thinks an insider threat is attacking the network. The general idea here is that there is an active cyber attack happening. What is one of the steps in the Incident Response process? It is to contain the device. So the network plug is being pulled to contain the device. Why? Because there is an active cyber attack occurring.
upvoted 1 times
MortG7
4 months ago
Your logic applies to both insider and outsider threats. The answer is D.
upvoted 2 times
BD69
3 months, 3 weeks ago
Exfiltration is almost always an INSIDER attack, for starters. We already know that it is coming from a machine INSIDE the company. This is specified in the question. The machine was NOT turned off. The ONLY logical answer here is D.
upvoted 1 times
BD69
3 months, 3 weeks ago
I meant A
upvoted 1 times
[Removed]
5 months, 4 weeks ago
Selected Answer: D
D seems correct but the phrasing of the answer is pretty bad.
upvoted 3 times
[Removed]
6 months, 3 weeks ago
Selected Answer: D
By disconnecting the network cable and powering off the compromised system, you can disrupt any ongoing activities related to data exfiltration and prevent the potential spread of malware or further compromise. This is a common response in incident response to prevent the attacker from maintaining control over the system and to preserve the system's current state for forensic analysis. Fileless malware, in particular, operates in memory and may not leave traces on disk, so preserving memory contents for analysis is crucial to understanding the extent of the compromise and identifying the attacker's methods.
upvoted 2 times
BD69
3 months, 3 weeks ago
If you power it down, you will lose all your information. The question was "What is the MOST likely reason for this request?" D. is merely a statement of fact, not a reason.
upvoted 1 times
MortG7
7 months ago
You need to maintain and preserve all evidence and artifacts in memory, etc. The only way to do that is to unplug the cable and keep the PC powered on. It is D.
upvoted 3 times
fercho2023
7 months, 1 week ago
I think it is A. Systems Engineer was told to disconnect the network cable and not the power cable.
upvoted 4 times
rline63
8 months, 2 weeks ago
Selected Answer: D
I thought it was A initially but now that I think about it, it has to be D. A implies that they are disconnecting the network cable specifically because of an insider threat, in reality, it could be any number of different attackers exfiltrating the data through the network. It is however certain that they would want to avoid powering off the system to preserve memory contents. The disconnecting of the network cable stops the threat from progressing without the need for the destruction of evidence.
upvoted 1 times
gho5tface
8 months, 4 weeks ago
Selected Answer: A
Not sure why D...
upvoted 1 times
ComPCertOn
6 months, 2 weeks ago
Read the full question. In the end they only tell the engineer to disconnect from the internet and not do anything else (not to turn off the device), meaning it is to preserve everything in the same state for forensics! If the power is off, everything will be lost, even malware!
upvoted 2 times
zits88
9 months ago
Selected Answer: A
Not sure how people are answering related to the power supply. Unplugging a network cable does not cut off power.
upvoted 2 times
BigIshai
9 months ago
Selected Answer: D
The CSIRT simply contained the incident by disconnecting the compromised computer from the network. However, essential evidence lies in the memory (RAM) of the system, which will all be lost should power be cut.
upvoted 4 times
Ablazul1
9 months ago
Selected Answer: A
The statement mentions that the CSIRT engineer advised that the "network cable" be disconnected, not the "power supply cable," which is different, and to do nothing else. Just my 3 cents.
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other