CompTIA CASP+ (CAS-004) — Question 532
An organization has just been breached, and the attacker is exfiltrating data from workstations. The security analyst validates this information with the firewall logs and must stop the activity immediately. Which of the following steps should the security analyst perform NEXT?
Answer options
- A. Determine what data is being stolen and change the folder permissions to read-only.
- B. Determine which users may have clicked on a malicious email link and suspend their accounts.
- C. Determine where the data is being transmitted and create a block rule.
- D. Determine if a user inadvertently installed malware from a USB drive and update antivirus definitions.
- E. Determine if users have been notified to save their work and turn off their workstations.
Correct answer: C
Explanation
The correct answer is C: identifying where the data is being transmitted and creating a block rule cuts off the exfiltration, which is what the scenario requires when the activity must be stopped immediately. Options A, B, D, and E do not directly halt the ongoing data exfiltration, making them less effective in this urgent situation.