EcoEarth Inc. detects abnormal archival data access from dormant employee profiles, modification of critical datasets, and suspicious encrypted packet transmissions. Given the risk, what is the first responder’s primary action?
A. Decrypt the suspicious packets to understand the breach.
B. Notify global ecological partners to review shared data.
C. Initiate a rollback to a previous safe state using real-time backups.
D. Isolate and shut down sections of the server showing abnormal activity.
First responders prioritize containment and preservation: stop the ongoing harm while protecting evidence. The scenario indicates active misuse (dormant accounts modifying data) and possible exfiltration (encrypted outbound transmissions). The quickest way to prevent further manipulation or leakage is to isolate the affected services and network segments, which cuts the attacker's access paths and limits lateral spread. Isolation also prevents additional data corruption while investigators capture logs, account activity, and network traces.
(A) Decrypting traffic is not a first-responder priority; it may be impossible (TLS, unknown keys) and consumes time while the damage continues. (B) External notification may be necessary later, but premature partner notification can create panic and does not stop the incident. (C) Rollback is a recovery step: it can destroy forensic context or reintroduce a compromised state if backup integrity has not been validated, and it neither explains how access was gained nor terminates the attacker's current sessions unless it is paired with containment.
Therefore, (D) best matches initial response doctrine: contain first, preserve evidence, then analyze and recover.