CompTIA CySA+ (CS0-003) — Question 354
A security analyst is performing a malware analysis on a device and receives the following instructions:
• Reduce the blast radius of the potential threat.
• Preserve forensic data for post-incident analysis.
• If securely possible, preserve connectivity for live analysis.
Which of the following will best help the analyst during the investigation?
Answer options
- A. Configure an EDR agent to isolate the network with authorized exceptions to the NOC VLAN.
- B. Execute a SOAR playbook to trigger a malware scan on the company's assets.
- C. Use file integrity monitoring to determine if the suspicious file was modified.
- D. Collect the suspicious file using SFTP and reimage the device.
Correct answer: A
Explanation
Option A is correct because EDR-based isolation cuts the device off from the rest of the network, limiting the threat's ability to spread (the blast radius), while the authorized exception to the NOC VLAN keeps a controlled channel open for live analysis; because the host is not wiped, its forensic data is preserved for post-incident analysis. The other options do not meet all three requirements: B focuses on scanning other assets rather than containing this one, C only detects whether the file changed and does nothing to prevent further damage, and D reimages the device, which destroys volatile and on-disk evidence.