CompTIA Security+ (SY0-501) — Question 383

A security analyst is investigating a potential breach. Upon gathering, documenting, and securing the evidence, which of the following actions is the NEXT step to minimize the business impact?

Answer options

• A. Launch an investigation to identify the attacking host
• B. Initiate the incident response plan
• C. Review lessons learned captured in the process
• D. Remove malware and restore the system to normal operation

Correct answer: D

Explanation

The correct action is to remove malware and restore the system to normal operation, as this directly addresses the immediate threat and helps resume business functions. Initiating the incident response plan is important, but it should have been done earlier in the process. Investigating the attacking host and reviewing lessons learned are useful for long-term security improvements but do not address the current situation's urgency.