CompTIA CASP+ (CAS-003) — Question 274

An organization has recently deployed an EDR solution across its laptops, desktops, and server infrastructure. The organization's server infrastructure is deployed in an IaaS environment. A database within the non-production environment has been misconfigured with a routable IP and is communicating with a command and control server.
Which of the following procedures should the security responder apply to the situation? (Choose two.)

Answer options

• A. Contain the server.
• B. Initiate a legal hold.
• C. Perform a risk assessment.
• D. Determine the data handling standard.
• E. Disclose the breach to customers.
• F. Perform an IOC sweep to determine the impact.

Correct answer: A, F

Explanation

The correct actions are to contain the server to prevent further communication with the command and control server and to perform an IOC sweep to assess the extent of the breach. The other options, such as initiating a legal hold or disclosing the breach to customers, may be relevant later but do not address the immediate need to contain the threat and understand its impact.