CompTIA CySA+ (CS0-002) — Question 271
In SIEM software, a security analyst detected some changes to hash signatures from monitored files during the night followed by SMB brute-force attacks against the file servers. Based on this behavior, which of the following actions should be taken FIRST to prevent a more serious compromise?
Answer options
- A. Fully segregate the affected servers physically in a network segment, apart from the production network.
- B. Collect the network traffic during the day to understand if the same activity is also occurring during business hours.
- C. Check the hash signatures, comparing them with malware databases to verify if the files are infected.
- D. Collect all the files that have changed and compare them with the previous baseline.
Correct answer: A
Explanation
The correct answer is A. Isolating the affected servers in their own network segment is the containment step: it stops the SMB brute-force attempts from reaching the file servers, limits lateral movement from any host already compromised, and preserves the servers (and their changed files) for the analysis that follows. Options B, C, and D are all valid investigation steps, but each takes time and leaves the servers exposed while it is carried out, so none of them is the first action to take.