Which of the following should the CSIRT conduct next?

An organization has activated the CSIRT. A security analyst believes a single virtual server was compromised and immediately isolated from the network.

Which of the following should the CSIRT conduct next?
A . Take a snapshot of the compromised server and verify its integrity
B . Restore the affected server to remove any malware
C . Contact the appropriate government agency to investigate
D . Research the malware strain to perform attribution

View Answer

Answer: A

Explanation:

The next action that the CSIRT should conduct after isolating the compromised server from the network is to take a snapshot of the compromised server and verify its integrity. Taking a snapshot of the compromised server involves creating an exact copy or image of the server’s data and state at a specific point in time. Verifying its integrity involves ensuring that the snapshot has not been altered, corrupted, or tampered with during or after its creation. Taking a snapshot and verifying its integrity can help preserve and protect any evidence or information related to the incident, as well as prevent any tampering, contamination, or destruction of evidence.