B. Initiate incident response.
Incident response involves a structured approach to addressing and managing a security incident.
Answer A is included in B
This question is actually pretty easy once you read it right. :) It asks for the "BEST course of action". Isolating the system isn't the solution, it's just one step towards the solution. Initiating incident response is the solution, and part of IR is containment (isolation of the affected system), but the thing is IR then goes further until the issue has been resolved.
If it is a production server and it is a DoS attack... isolating the server will result in a successful attack! Always start the incident response, so B.
You have to isolate the system before you respond to the incident.
The answer is A. Isolate the system.
After a server has been attacked, the most important step is to isolate the system to prevent further damage and the spread of malware or other threats. This involves disconnecting the server from the network and taking it offline. Once the system is isolated, a thorough investigation can be conducted to determine the extent of the attack and implement appropriate remediation measures.
The other options are not as effective:
B. Initiate incident response: While initiating incident response is an important step, it should not be done before isolating the system. If the system remains connected to the network, the incident response team may inadvertently spread the attack or compromise other systems.
The best course of action after a server has been attacked is to isolate the system.
Isolating the impacted server quarantines the attack and prevents further compromise or spread. This rapid containment is essential to limit damage and any ongoing threats.
Initiating full incident response, conducting audits, and reviewing assessments are all important follow-up actions, but require more time. The priority is to immediately isolate the attacked system to halt the attack and protect the environment.
Quickly taking the impacted server offline or blocking its network access enables analysis of the attack to safely occur, stopping ongoing malicious activity. Rapid isolation is key before any other incident response steps commence.
From my understanding, the incident response team or process would help isolate the threat. You guys aren't wrong with choosing A, but A seems to be a sub-component of incident response.
The first step to take after a server has been attacked is to isolate the system from the rest of the network. This will help prevent the attacker from continuing to access the system and spreading the attack to other systems on the network. Once the system is isolated, an incident response plan should be initiated to determine the extent of the damage and take appropriate action to restore the system and prevent future attacks.
The best response is (B) Initiate the incident response process.
Rationale:
A. Isolate the system is part of the incident response process. In addition to isolate, it also has detect and analyze. It has apparently been detected, but has the attack been analyzed for lateral movement? Has its full scope been understood? Without this, isolation is premature and, as mentioned, is a later phase of incident response.
C. Conduct a security audit - A little late for this, no? It also doesn't do anything to address the situation.
D. Review vulnerability assessment - A little late for this, no? It also doesn't do anything to address the situation.