When an intrusion into an organization's network is detected, which of the following should be done FIRST?
When an intrusion into an organization's network is detected, the first step should be to identify nodes that have been compromised. This allows for a clear understanding of the scope of the intrusion and helps in formulating an appropriate and effective response. Without knowing which nodes are compromised, actions like blocking nodes, notifying management, or contacting law enforcement cannot be done efficiently or accurately.
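The ordering argued above (identify the compromised nodes, then derive containment from that list) can be made concrete with a small triage helper. The following is an added example written for this discussion; it is not from the question bank, the explanation above, or any vendor tool. The alert line format, the asset inventory, the IP addresses and the signature names are all constructed for the example; a real deployment would read these from its own IDS/EDR and CMDB.

```python
"""Added triage helper: identify compromised nodes from alert lines first,
then derive containment actions only for the nodes that were identified.
Example code written for this discussion, not taken from any tool or
question bank; all alert lines, inventory entries and signature names
are constructed sample data."""

import re
from dataclasses import dataclass, field

# Constructed sample IDS alert lines in a hypothetical syslog-like format.
SAMPLE_ALERTS = [
    "2024-05-01T10:02:11Z ids src=10.0.5.23 dst=198.51.100.7 sig=C2-BEACON sev=high",
    "2024-05-01T10:02:15Z ids src=10.0.5.23 dst=10.0.5.40 sig=SMB-LATERAL sev=high",
    "2024-05-01T10:03:02Z ids src=10.0.5.40 dst=198.51.100.7 sig=C2-BEACON sev=high",
    "2024-05-01T10:03:40Z ids src=10.0.9.12 dst=10.0.0.1 sig=DNS-QUERY-NORMAL sev=info",
    "2024-05-01T10:04:01Z ids src=10.0.5.23 dst=10.0.5.41 sig=SMB-LATERAL sev=medium",
]

# Constructed asset inventory: IP -> (hostname, role).
INVENTORY = {
    "10.0.5.23": ("ws-finance-03", "workstation"),
    "10.0.5.40": ("fs-finance-01", "file-server"),
    "10.0.5.41": ("ws-finance-07", "workstation"),
    "10.0.9.12": ("ws-hr-02", "workstation"),
}

# Signatures whose *source* host is considered compromised (constructed names).
# A host that only appears as a destination is a target, not yet a confirmed
# compromise, and is therefore not blocked on this evidence alone.
COMPROMISE_SIGS = {"C2-BEACON", "SMB-LATERAL"}

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) ids src=(?P<src>\S+) dst=(?P<dst>\S+) sig=(?P<sig>\S+) sev=(?P<sev>\S+)$"
)


@dataclass
class Node:
    ip: str
    hostname: str
    role: str
    evidence: list = field(default_factory=list)


def parse_alerts(lines):
    """Parse alert lines into dicts; lines that do not match the format are skipped."""
    parsed = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m:
            parsed.append(m.groupdict())
    return parsed


def identify_compromised(lines, inventory=INVENTORY):
    """Step 1 (identify): return {ip: Node} for hosts showing signs of compromise.

    Each Node carries the alert lines that support the conclusion, so the
    scope of the intrusion is documented before anything is blocked.
    """
    nodes = {}
    for a in parse_alerts(lines):
        if a["sig"] not in COMPROMISE_SIGS:
            continue
        ip = a["src"]
        hostname, role = inventory.get(ip, ("unknown-" + ip, "unknown"))
        node = nodes.setdefault(ip, Node(ip, hostname, role))
        node.evidence.append(f'{a["ts"]} {a["sig"]} -> {a["dst"]}')
    return nodes


def containment_plan(compromised):
    """Step 2 (contain): derive block actions only from the identified nodes.

    Returns a sorted list of (ip, action) pairs. The action is a description
    for the network/EDR operator, not a live command.
    """
    plan = []
    for ip, node in sorted(compromised.items()):
        action = "isolate-host" if node.role == "workstation" else "block-egress-and-lateral"
        plan.append((ip, action))
    return plan


if __name__ == "__main__":
    found = identify_compromised(SAMPLE_ALERTS)
    for ip, n in sorted(found.items()):
        print(f"{ip} {n.hostname} ({n.role}): {len(n.evidence)} supporting alerts")
    for ip, action in containment_plan(found):
        print(f"  -> {action} {ip}")
```

On the sample data this flags 10.0.5.23 and 10.0.5.40 as compromised and produces a two-entry containment plan; 10.0.5.41 is only ever a destination, so it is not blocked, which is the point of identifying before blocking: containment that is not grounded in an identified node list either misses hosts or cuts off uninvolved ones.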
Answer is B. How can I block something that has not been identified?
Blocking compromised network nodes helps to immediately contain the intrusion and prevent the attackers from accessing additional systems or causing further harm. This action buys time for the organization to assess the situation, identify the extent of the compromise, and formulate a comprehensive response plan, including identifying the compromised nodes (option B) in detail.
But you have to identify first and then block
Certainly, answer B is better. I was torn between answer D and B. Identifying compromised nodes is crucial for understanding the scope of the intrusion and determining the appropriate response actions. Notifying senior management can follow once there is a clearer picture of the incident.
In the detection phase of incident management, we have to determine whether it's a security incident or not. Answer: B. Identify nodes that have been compromised.
C, the first step after detecting an intrusion is to block all compromised network nodes.
You need to identify the nodes first
Answer: B
The 1st thing to do is to stop it