Performing CyberOps Using Cisco Security Technologies (CBRCOR) — Question 60
A SIEM tool fires an alert about a VPN connection attempt from an unusual location. The incident response team validates that an attacker has installed a remote access tool on a user's laptop while traveling. The attacker has the user's credentials and is attempting to connect to the network.
What is the next step in handling the incident?
Answer options
- A. Block the source IP from the firewall
- B. Perform an antivirus scan on the laptop
- C. Identify systems or services at risk
- D. Identify lateral movement
Correct answer: C
Explanation
The correct step is to identify systems or services at risk, as this helps in understanding the potential impact of the breach and what needs to be secured. Blocking the source IP might prevent further access but does not address the existing compromise. Performing an antivirus scan is useful but may not detect all remote access tools, and identifying lateral movement is a secondary step that should follow after assessing the immediate risks.