CompTIA Security+ (SY0-501) — Question 309

A computer emergency response team is called at midnight to investigate a case in which a mail server was restarted. After an initial investigation, it was discovered that email is being exfiltrated through an active connection.
Which of the following is the NEXT step the team should take?

Answer options

• A. Identify the source of the active connection
• B. Perform eradication of active connection and recover
• C. Performance containment procedure by disconnecting the server
• D. Format the server and restore its initial configuration

Correct answer: A

Explanation

The correct step is to identify the source of the active connection, as understanding the origin is crucial for addressing the breach effectively. Simply performing eradication or containment without knowing the source may overlook critical evidence or fail to resolve the issue. Formatting the server would be a last resort and could lead to data loss and further complications.