Q: 17
Which of the following is the BEST course of action when an online company discovers a network
attack in progress?
Options
Discussion
B or D, but B is safer. D's a trap since it causes too much disruption in practice.
B does the job without taking the whole company offline. Isolating just the affected segment stops lateral movement and keeps other services up. Pretty sure that's what most incident response playbooks recommend, but let me know if you disagree.
I don't think D is right here, B fits better. Isolating the segment targets just the attack without knocking out the whole network, while D would cause major downtime. Easy trap for people thinking total shutdown is always safest. Pretty sure most IR guidelines go with B, but open to counterpoints.
C or D, but B works better in real-world IR. Isolating just the affected segment (B) stops the attack spreading while letting business run. Killing all access points (D) is overkill unless you can't contain it. Let me know if someone sees it differently.
A is wrong, B. You want to isolate just the affected segment so the attack doesn't spread but the rest of the business can still function. Shutting off everything (D) is way too disruptive, and the other options won't actually stop an active attack. Pretty sure that's what most IR plans recommend.
Guessing B, unless the segment in question hosts critical shared services for the whole org. Otherwise, isolation fits best practice.
B tbh, had a similar scenario in a mock. Isolation limits the damage without killing everything.
Be respectful. No spam.
