Exam CAS-004 topic 1 question 27 discussion

I think that isolating the network comes before notifying law enforcement.

Why B is the Best Answer? ✔ Stops the spread – Ransomware often spreads laterally across the network. ✔ Prevents further encryption of files & backups – Keeping infected systems online risks more damage. ✔ Preserves forensic evidence – If properly isolated, analysts can investigate without the malware executing further.

B is correct

I vote B, for anyone who concern about the Analyst role, check the question number 38, it still Analyst but all about technical actions.

Isolate, report, negotiate if last resort with law enforcement involved

I agree with DangerElChulo on this one. The answer should be C. The key word here is Analyst. While it would be common sense to isolate first, this is not the analysts job.

From the analyst's perspective, the Cybersecurity Incident Response Team (CSIRT) handles the incident directly. Notifying management after detection and initial triage have taken place already is a no-brainer. Then, the next step for the analyst would be to reduce the impact on the network by isolating infected machines. Management would notify law enforcement or a Cyber Protection Team (CPT) to clear, hunt, and harden the network. Source: Verifying against Chat GPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence)

C is the correct answers

I believe it is B. it would be best to isolate the servers first to prvent further spread as well as to to prevent the attacker from making changes to the system before the police arrives.

C is the correct pick. key word is (Analyst)

No IT employee would ever contact LE without going through management. Even and IT director or CIO would not do that without approval of a CEO/Board approval. Also, FBI would not respond if the value was under a certain amount.

The analyst does not manage the system, that is why he notified the management team to do the isolation. Analyst only next possible step is to notify law enforcement. So C is the correct answer. Always read the whole question they are tricky, Big_Harambe was on the right path as well.

The company has no response plans for ransomware - therefore they have no plan to isolate the servers.

I think isolating the servers

Isolating first makes much better real-world sense. While you're on the phone with detective Derp, all your corporate data is probably getting tunneled to Taiwan. Quarantine, then call the cops...

I think It is B. Damage has to be minimize first and that is achieved isolating the servers

This answer is correct. The question mentions the servers were attacked. You can't assume the attack was for any other service or device. So if it is isolated to the servers, the next thing would be notifying law enforcement to begin forensics.