Exam CAS-004
Question 27

While investigating a security event, an analyst finds evidence that a user opened an email attachment from an unknown source. Shortly after the user opened the attachment, a group of servers experienced a large amount of network and resource activity. Upon investigating the servers, the analyst discovers the servers were encrypted by ransomware that is demanding payment within 48 hours or all data will be destroyed. The company has no response plans for ransomware.

Which of the following is the NEXT step the analyst should take after reporting the incident to the management team?

    Correct Answer: B

    The next step after reporting the incident to the management team should be to isolate the servers to prevent the spread of the ransomware. Isolating the affected servers is crucial in stopping the ransomware from spreading to other parts of the network and minimizing further damage. This step is essential to contain the incident and protect the remaining infrastructure while further investigation and remediation steps are planned and implemented.

Discussion
patinho777 (Option: B)

I think that isolating the network comes before notifying law enforcement.

dangerelchulo

That would be correct, but analysts do not hold the job to do the isolation; he notified management to do so. The question asks about the analyst's next step, so the only possible answer is notify law enforcement. Read the question carefully.

SallySausage

Wrong. Analysts don't choose how the business responds to incidents, management does. If a security analyst at a company notifies law enforcement without their supervisor's direct say so, they are getting fired.

dangerelchulo (Option: C)

I think the question needs to be explained this way. The analyst is only tasked with reviewing the event, so no admin rights were given. After finding the issue, he reported to the management team (if he was an admin he should have already isolated prior to reporting). The next step is to follow company protocol for ransomware, but there is none, so to prevent legal issues you notify authorities. The final step depends on what the company decides to do to deal with the ransomware: reset (best option) or pay (not suggested). So given the scenario, the analyst should notify law enforcement to handle the issue. Isolation is always the first choice if you are the admin or have control of the systems, but clearly he is just looking at logs with user access.

dangerelchulo

The more I read questions from CompTIA, the more I see they have no set standard meaning for job descriptions, and I have seen in some questions an analyst doing admin work, so I am going to say it is Isolation. Based on what the event stated, the first step is isolation.

BiteSize (Option: B)

From the analyst's perspective, the Cybersecurity Incident Response Team (CSIRT) handles the incident directly. Notifying management after detection and initial triage have taken place already is a no-brainer. Then, the next step for the analyst would be to reduce the impact on the network by isolating infected machines. Management would notify law enforcement or a Cyber Protection Team (CPT) to clear, hunt, and harden the network. Source: Verifying against Chat GPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence)

Boats (Option: B)

No IT employee would ever contact LE without going through management. Even an IT director or CIO would not do that without CEO/Board approval. Also, the FBI would not respond if the value was under a certain amount.

dangerelchulo

An analyst also has no admin rights, otherwise the question would have stated what the sys admin's or management team's next step is. Also, given that the analyst's job is to review the event and take appropriate action: 1 notify management to isolate, 2 report to legal since the company has no due process for incidents, 3 after reporting, restore servers. If there are more steps than that, let me know. Step 1 completed, next step is 2.

Big_Harambe (Option: B)

The company has no response plans for ransomware - therefore they have no plan to isolate the servers.

kycugu (Option: C)

C is the correct answer.

AlexJacobson (Option: B)

A really sh*tty question... It can easily be B (isolate), but the question says "next step after reporting the incident to management team" (can mean management, or the team managing the servers - admins), so it can also be C (as analysts don't have control over servers, so we can assume he told the admins to isolate the servers while he calls the police).

dangerelchulo (Option: C)

The analyst does not manage the system; that is why he notified the management team to do the isolation. The analyst's only next possible step is to notify law enforcement. So C is the correct answer. Always read the whole question, they are tricky. Big_Harambe was on the right path as well.

dangerelchulo

I was wrong, it is isolation.

RevZig67 (Option: B)

I think isolating the servers.

thea_smith (Option: B)

B is correct.

SangSang (Option: B)

I vote B. For anyone who is concerned about the Analyst role, check question number 38: it is still an Analyst, but all about technical actions.

holymolly (Option: B)

I think isolating the network comes first. Contact me at [email protected] to get all questions.

Anarckii (Option: B)

Isolate, report, negotiate as a last resort with law enforcement involved.

joinedatthehop (Option: C)

I agree with DangerElChulo on this one. The answer should be C. The key word here is Analyst. While it would be common sense to isolate first, this is not the analyst's job.

joinedatthehop

This is a classic CompTIA mind bender, as isolation should 100% be the first step. The confusion comes in when we take into consideration that the job duty of the person being talked about in the question is "Analyst".

Andre876 (Option: B)

I believe it is B. It would be best to isolate the servers first to prevent further spread, as well as to prevent the attacker from making changes to the system before the police arrive.

tineboy46 (Option: C)

C is the correct pick. The key word is (Analyst).

dgfhyjfghfgfkfhd (Option: B)

Isolating first makes much better real-world sense. While you're on the phone with detective Derp, all your corporate data is probably getting tunneled to Taiwan. Quarantine, then call the cops...