A systems administrator has isolated an infected system from the network and terminated the malicious process from executing.
Which of the following should the administrator do NEXT according to the incident response process?
A. Restore lost data from a backup.
B. Wipe the system.
C. Document the lessons learned.
D. Determine the scope of impact.
Admin has isolated an infected system from the network AND TERMINATED the malicious process (implying that it has been removed). If it has been removed, then yes, restore lost data, so A. Thanks for your deception, CompTIA.
I am leaning toward D. Given the information in the question, I think we are still in identification. Definitely not A or C.
I would choose B. Recovery should follow Eradication.
My guess is D. Seems like we’re still at the identification part of the response. A would be a part of recovery.