
Exam CISSP topic 9 question 306 discussion

Actual exam question from ISC's CISSP
Question #: 306
Topic #: 9

What should be the FIRST action for a security administrator who detects an intrusion on the network based on precursors and other indicators?

  • A. Isolate and contain the intrusion.
  • B. Notify system and application owners.
  • C. Apply patches to the Operating Systems (OS).
  • D. Document and verify the intrusion.

Suggested Answer: C
Reference:
https://securityintelligence.com/dont-dwell-on-it-how-to-detect-a-breach-on-your-network-more-efficiently/

Comments

luistorres21es
3 months ago
At first, you must not make changes to production systems when an attack is in place; these fixes may need a restart of the service (the remediation is worse than the disease). You first need to identify the abnormal or malicious connection and contain the attack by stopping this connection or isolating it. It should be option A.
upvoted 3 times
...
Kabbashi
3 months ago
I agree with luistorres21es; if you look at the phases of the incident response you will find that A is the most reasonable. The phases are: Detection, Response, Mitigation, Reporting, Recovery, Remediation and Lessons Learned. Isolating and containing the intrusion is a mitigation action, so the answer is A. B is Reporting, C is Recovery and D is Lessons Learned.
upvoted 4 times
...
nikoo
2 months, 3 weeks ago
Search for precursors; it is the stage before the incident happens.
upvoted 1 times
...
Moid
2 months, 2 weeks ago
I think D is correct. The FIRST step is to document and verify that the incident is indeed an intrusion. There is a possibility of false alarm.
upvoted 11 times
...
TLong92
2 months, 2 weeks ago
A is the answer.
upvoted 2 times
...
StevenL
2 months ago
I vote for D.
upvoted 3 times
...
RGR
1 month, 4 weeks ago
I vote for D. If you don't know the intrusion exactly, how can we isolate and contain the intrusion?
upvoted 2 times
...
Kprotocol
1 month, 3 weeks ago
Should be B (Detect, Respond, then Mitigate).
upvoted 1 times
...
Tgerstenberg
1 month, 2 weeks ago
I am going with D. Trust and Verify!!!
upvoted 1 times
...
leary
1 month, 1 week ago
Verifying is the first thing that needs to be done. I vote for D.
upvoted 2 times
...
mdog
1 month ago
I think it's D, you verify first. Don't do B because you don't want to notify if you haven't verified yet.
upvoted 1 times
...
fjaleel
1 month ago
A. The crux of the solution is to isolate likely suspicious actions before a definite determination of intrusion.
upvoted 1 times
...
nidoz
3 weeks, 3 days ago
I think D is correct.
upvoted 1 times
...
beowolf
2 weeks, 4 days ago
D is the correct answer. When the SOC gets the notification from the SIEM, the analyst will document and investigate/analyze.
upvoted 1 times
...
rakibcissp
1 week, 5 days ago
I think the correct answer is C due to the words "precursors and other indicators": if the indicator is known beforehand, then patching the system remediates the risk related to that indicator.
upvoted 2 times
...
senator
1 week, 4 days ago
Answer is D
upvoted 1 times
...