
CAS-004 Exam - Question 89


A host on a company's network has been infected by a worm that appears to be spreading via SMB. A security analyst has been tasked with containing the incident while also maintaining evidence for a subsequent investigation and malware analysis.

Which of the following steps would be best to perform FIRST?

Correct Answer: D

The best immediate action when a host is infected with a worm, especially one that spreads over network services such as SMB, is to isolate the infected host from the network. Isolation contains the infection by removing the worm's path to other devices, so the compromise stays limited to the host that is already affected. Other steps, such as running a full anti-malware scan or modifying configuration files, can follow once the host is cut off. Isolating first minimizes both the damage and the further spread of the threat.
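To make the reasoning concrete, here is an added example (not part of the exam material or its explanation) of what an analyst's tooling might do at this step: flag the host whose outbound TCP/445 connections fan out to many peers in a short window, then lay out a containment order that isolates at the network layer first and preserves volatile evidence before any remediation. The flow-log format, field layout, threshold and window are assumptions chosen for the illustration; the sample records are constructed.

```python
"""Spot worm-like SMB fan-out in flow records and produce a containment
order that isolates the host first and keeps evidence intact.

Added illustration: the record format "<ISO timestamp> <src> <dst> <dport>",
the threshold and the time window are assumptions, not taken from any
product or from the exam question."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records. 10.0.0.15 reaches six distinct hosts on
# TCP/445 within seconds (worm-like); 10.0.0.30 touches two file servers
# minutes apart (ordinary use); 10.0.0.50 is HTTPS traffic and irrelevant.
SAMPLE_FLOWS = """\
2023-01-16T10:00:01 10.0.0.15 10.0.0.20 445
2023-01-16T10:00:02 10.0.0.15 10.0.0.21 445
2023-01-16T10:00:03 10.0.0.15 10.0.0.22 445
2023-01-16T10:00:04 10.0.0.15 10.0.0.23 445
2023-01-16T10:00:05 10.0.0.15 10.0.0.24 445
2023-01-16T10:00:06 10.0.0.15 10.0.0.25 445
2023-01-16T10:00:07 10.0.0.30 10.0.0.5 445
2023-01-16T10:05:30 10.0.0.30 10.0.0.6 445
2023-01-16T10:00:10 10.0.0.50 10.0.0.5 443
"""


def parse_flows(text):
    """Parse the assumed flow format into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def detect_smb_fanout(flows, threshold=5, window=timedelta(seconds=60)):
    """Return {src: sorted distinct SMB peers} for every source that reaches
    at least `threshold` distinct hosts on TCP/445 inside any `window`.

    A sliding window over the time-ordered events per source finds the
    largest burst; the whole burst is reported so the responder sees every
    peer that may need checking."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 445:
            by_src[src].append((ts, dst))

    suspects = {}
    for src, events in by_src.items():
        events.sort()
        best = set()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            current = {dst for _, dst in events[start:end + 1]}
            if len(current) > len(best):
                best = current
        if len(best) >= threshold:
            suspects[src] = sorted(best)
    return suspects


def containment_plan(host):
    """Ordered steps for the flagged host. Network isolation comes first so
    the worm loses its SMB path; the host is left running so memory and disk
    evidence survive for the later investigation and malware analysis."""
    return [
        f"1. Isolate {host} at the network layer (switch port, NAC quarantine "
        f"or host firewall) while leaving it powered on.",
        f"2. Capture volatile evidence from {host} (memory, running processes, "
        f"open network connections) before any reboot or cleanup.",
        f"3. Take a forensic disk image of {host} and record its hashes.",
        f"4. Only then run anti-malware scans or change configuration files.",
    ]


if __name__ == "__main__":
    hits = detect_smb_fanout(parse_flows(SAMPLE_FLOWS))
    for src, peers in hits.items():
        print(f"SMB fan-out from {src} to {len(peers)} hosts: {', '.join(peers)}")
        print("\n".join(containment_plan(src)))
```

The order in `containment_plan` mirrors the question's two goals: isolation stops further spread immediately, and keeping the host powered on (rather than shutting it down) preserves the memory-resident artefacts the investigation will need.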

Discussion

4 comments
AnnoyingIAGuy (Option: D)
Jan 16, 2023

Isolating the infected host is almost always the answer when asked "What to do first" after a breach/infection has occurred.

Geofab (Option: D)
Mar 24, 2023

Agreed with D.

BiteSize (Option: D)
Jul 19, 2023

Reduce the impact! Isolate the sickness. Source: Verifying each answer against ChatGPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but I am doing my due diligence.)

23169fd (Option: D)
Jul 12, 2024

Containment: Isolating the infected host from the network immediately stops the worm from spreading further via SMB connections. This action helps prevent additional hosts from becoming infected.