Performing CyberOps Using Cisco Security Technologies (CBRCOR) — Question 61
An engineer detects an intrusion event inside an organization's network and becomes aware that files that contain personal data have been accessed. Which action must be taken to contain this attack?
Answer options
- A. Disconnect the affected server from the network.
- B. Analyze the source.
- C. Access the affected server to confirm compromised files are encrypted.
- D. Determine the attack surface.
Correct answer: A
Explanation
The correct action is to disconnect the affected server from the network, which prevents further unauthorized access to sensitive data. Analyzing the source, accessing the server, and determining the attack surface are important steps, but none of them immediately contains the threat, so potential data loss could continue while they are carried out.