Weekly CISSP Exam Questions
Scenario: Your SOC has identified an ongoing data exfiltration attempt from an internal network to an external IP. What should be your immediate action?
A. Block the external IP
B. Disconnect the affected workstation
C. Monitor the data being sent
D. Notify law enforcement
Answer: A
Explanation:
In a situation where an ongoing data exfiltration attempt is detected, the immediate priority is to stop the unauthorized data transfer to contain the damage. Blocking the external IP associated with the data exfiltration would terminate the ongoing unauthorized transfer, making it the most immediate action you should take. Here's why the other options are less immediate or ideal:
Disconnect the affected workstation: While this is also a strong measure, it may be too drastic and could hamper the ability to gather further evidence. Blocking the external IP is a more focused immediate action.
Monitor the data being sent: While monitoring can provide valuable information about what data is being exfiltrated, the immediate priority is to stop the exfiltration. Monitoring can come after the immediate threat is blocked.
Notify law enforcement: While it might become necessary to involve law enforcement, that is usually a later step, taken after containment, evidence gathering, and an understanding of the extent of the breach.
Therefore, the most immediate action to take would be to block the external IP to halt the unauthorized data transfer.

Podcasts
Check out my weekly podcasts that delve deep into the relevant topics related to each of the CISSP domains. In addition, I will go over specific questions and how they can be interpreted and answered.

CISSP Cyber Training Academy
Tired of not knowing how to study for the CISSP Exam?
Check out the CISSP Cyber Training Academy to help you on your journey!

CISSP Cyber Training - YouTube
Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.