What is the MOST effective response to a hacker who has already gained access to a network and will attempt to pivot to other resources?
The most effective response to a hacker who has already gained access to a network and will attempt to pivot to other resources is to shut down the network. This immediate action aims to contain and eliminate the threat, preventing the hacker from causing further damage or moving to other systems. While it may disrupt normal business operations, it is a decisive measure to mitigate the risk and allows the security team to assess the situation without the threat escalating further.
I really laughed when I saw the answer is "segment the network". This solution requires careful design, consideration, and implementation, which takes time. I don't know how a security team can respond by segmenting the network at that moment. What kind of network is this?
Agreed.
Agreed.
The keyword is "response to hacker".
A. Warn users of a breach - could be internal users or stakeholders, not a direct response to a hacker.
B. Reset all passwords - won't help as the attacker has already gained access to the network.
C. Segment the network - best option, as you don't want attackers to break more systems with the access they have gained.
D. Shut down the network - can't afford it, as it may affect business operations.
C is correct
I go for D because a response is asked for. You cannot respond by segmenting the network on the fly. This must be done in advance.
Unplug the network... but the forensics people might not like you for that, and what if it is a bigger network? I don't like this question... I am going with "C", but I do believe it is a bit too late to VLAN/segment the network because the attacker is already in the network.
I think it should be B. According to the NIST Cybersecurity Framework: Identify -> Protect -> Detect -> Respond -> Recover.
A. Warn users of a breach - This is a response to the threat, but it's not an effective response.
B. Reset all passwords - This is a good response and should be the first step in responding to the hacker, to prevent further access or lateral movement to other resources in the network. If the hacker can gain access to the network, that means some credentials were compromised.
C. Segment the network - This should be done in the Protect phase. You have to re-design and re-configure the network diagram, and it may take time.
D. Shut down the network - This is a response, but if you shut down the network you can't access the network either.
I also agree with B as the best option for this scenario, because the hacker seems to know at least one password. If we force all passwords to be reset, this is an effective and rapid response. But of course not a complete one.
Option C sounds correct, but segmenting the network after the hacker is already on it may not be effective. Unless you know which part of the network the hacker has accessed, so that you can disconnect that part and segment the network.
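Several comments above argue that segmentation takes days to design and so cannot be a "response", while the comment just above notes that it can work if you know which part of the network the attacker has reached. The following is an added example, not code from the thread or from any vendor: it models emergency segmentation as a quarantine rule set pushed to the gateway between segments, built from the hosts already confirmed compromised. It emits an nftables ruleset and includes a small evaluator so the policy can be checked for "does this flow get through?" before it is loaded. All addresses, the forensic jump host 10.0.99.5, and the ports 22/5986 are constructed placeholders.

```python
"""Emergency "segment the network" policy for an in-progress intrusion.

Added example, not from the thread. Given the hosts already known to be
compromised, it renders an nftables ruleset for the gateway between
segments that drops all east-west traffic to or from those hosts, except
what the responders need, and provides an evaluator that answers "would
this new flow be allowed?" under the same policy. All addresses and ports
are constructed placeholders, not real infrastructure.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class QuarantinePolicy:
    compromised: frozenset            # ipaddress.IPv4Address values
    forensic_host: ipaddress.IPv4Address
    forensic_ports: frozenset         # TCP ports responders use (SSH, WinRM ...)

    def allows(self, src, dst, dport, proto="tcp"):
        """Return True if the quarantine chain lets this new flow through."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src not in self.compromised and dst not in self.compromised:
            return True  # unrelated traffic; chain policy is accept
        # Only the forensic jump host may open connections to a quarantined
        # host, and only on the evidence-collection ports.
        if src == self.forensic_host and dst in self.compromised:
            return proto == "tcp" and dport in self.forensic_ports
        # Everything else involving a quarantined host is dropped: pivoting
        # to other segments, talking to other quarantined hosts, and the
        # attacker's existing sessions (there is no blanket 'established'
        # accept, so live sessions are cut as well).
        return False

    def render_nft(self):
        """Emit the ruleset (load with `nft -f`) for the inter-segment gateway."""
        elems = ", ".join(str(a) for a in sorted(self.compromised))
        ports = ", ".join(str(p) for p in sorted(self.forensic_ports))
        f = self.forensic_host
        return "\n".join([
            "table inet quarantine {",
            "    set compromised {",
            "        type ipv4_addr",
            f"        elements = {{ {elems} }}",
            "    }",
            "    chain forward {",
            "        type filter hook forward priority -10; policy accept;",
            # responders in, replies out; deliberately no general
            # 'ct state established' rule so attacker sessions die too
            f"        ip saddr {f} ip daddr @compromised tcp dport {{ {ports} }} accept",
            f"        ip saddr @compromised ip daddr {f} ct state established accept",
            "        ip saddr @compromised drop",
            "        ip daddr @compromised drop",
            "    }",
            "}",
        ])


def build_policy(compromised_hosts, forensic_host, forensic_ports=(22, 5986)):
    """Parse plain strings into a QuarantinePolicy."""
    return QuarantinePolicy(
        compromised=frozenset(ipaddress.ip_address(h) for h in compromised_hosts),
        forensic_host=ipaddress.ip_address(forensic_host),
        forensic_ports=frozenset(forensic_ports),
    )


if __name__ == "__main__":
    # Constructed scenario: two hosts confirmed compromised, one responder box.
    policy = build_policy(["10.0.20.15", "10.0.20.31"], "10.0.99.5")
    print(policy.render_nft())
    # A pivot from a quarantined host into another segment is blocked.
    print(policy.allows("10.0.20.15", "10.0.30.7", 445))  # False
```

The rule order matters: the only `ct state established` accept is scoped to replies going back to the forensic host, so the attacker's already-open sessions through the gateway are dropped rather than grandfathered in, which is the usual mistake when a generic "allow established" rule sits at the top of the chain. This only covers traffic crossing the gateway; hosts on the same L2 segment as a compromised machine still need host firewall rules or a switch-port ACL.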
But the question is: do you actually have time to segment the network while the attack is in progress? Option C seems to be more in line with the strategy in the long run. However, none of the other options seem viable either. Hope I am not getting this kind of question during the real exam.
C, segment the network, because the hacker will attempt to pivot to other resources.
The most effective response to a hacker who has already gained access to a network and may attempt to pivot to other resources is to segment the network (option C)
Answer C) Segment the network https://reciprocity.com/resources/https-reciprocity-com-resources-what-is-pci-dss-network-segmentation/
The most effective response is to kill everything. It might not be the best immediate one for business as it also stops the business, but at least it will stop the hacker. I see lots of people talk about segmenting the network. That's a preventive measure, not a response. Segmenting the network is done at design, and changing the network architecture takes hours (if not well done at all), or weeks (if properly done).
You need to contain the threat immediately. Segmenting is not done in a day. So shutdown is the answer. And B is not bad to do, but if he already has a domain admin account, he can easily bypass that.