CompTIA Security+ (SY0-501) — Question 497

An organization's IRP prioritizes containment over eradication. An incident has been discovered where an attacker outside of the organization has installed cryptocurrency mining software on the organization's web servers. Given the organization's stated priorities, which of the following would be the NEXT step?

Answer options

• A. Remove the affected servers from the network.
• B. Review firewall and IDS logs to identify possible source IPs.
• C. Identify and apply any missing operating system and software patches.
• D. Delete the malicious software and determine if the servers must be reimaged.

Correct answer: B

Explanation

Option B is correct because reviewing logs helps to understand the attack's origin and aids in containment efforts. Option A, while it may help in containment, does not directly address identifying the threat source. Options C and D focus on eradication and remediation steps, which are not the priority according to the organization's IRP.