Weekly CISSP Practice

Exam Questions

Week 24 - Question 1

Scenario: Your SOC has identified an ongoing data exfiltration attempt from an internal network to an external IP. What should be your immediate action?

A. Block the external IP

B. Disconnect the affected workstation

C. Monitor the data being sent

D. Notify law enforcement

Answer: A

Explanation:

A. Block the external IP

In the CISSP mindset, once an incident is confirmed, your primary goal is to contain the damage while maintaining business continuity as much as possible.

  • Why it's the Answer: Blocking the external IP at the firewall or boundary gateway is a "surgical" strike. It immediately breaks the connection and stops the "bleeding" (the data loss) without necessarily crashing the internal workstation or alerting the user. It is the fastest way to stop the exfiltration while keeping the affected system "live" for further forensic analysis.

  • The Goal: This provides immediate Containment—the most critical step after identification.

B. Disconnect the affected workstation

Disconnecting the workstation (pulling the plug) is a "sledgehammer" approach.

  • The Risk: While this certainly stops the exfiltration, it can have negative side effects. It might destroy volatile evidence (data in RAM) that a forensic investigator needs to determine how the breach occurred. It also causes immediate business disruption to the user of that workstation.

  • The Order: You typically block the malicious destination first, then isolate the host for forensic imaging once the immediate emergency is neutralized.

C. Monitor the data being sent

Monitoring is a Detective action, but the scenario states you have already identified the threat.

  • The Priority: Once you know data is being stolen, you have moved past the "Identification" phase and into the "Containment" phase. Continuing to monitor while data is actively leaving the building is a violation of Due Care. You stop the theft first; you can analyze the logs later to see what was taken.

D. Notify law enforcement

Notification is a Reporting/Administrative requirement.

  • The Timing: Law enforcement should be notified according to your organization’s policy and legal counsel, but never before the threat is contained. Police cannot stop the bits from flying across the wire in real-time; your technical team must do that first.


Key Takeaway for the CISSP Exam

Containment Strategy:

  1. Stop the flow: Block the destination IP or Command & Control (C2) server.

  2. Isolate the source: Move the affected host to a "Sandboxed" or "Quarantine" VLAN.

  3. Preserve evidence: Capture a memory dump and disk image before wiping or rebooting the machine.

Podcasts

Check out my weekly podcasts that delve deep into the relevant topics related to each of the CISSP domains. In addition, I go over specific questions and how they can be interpreted and answered.


CISSP Cyber Training Academy

Tired of not knowing how to study for the CISSP Exam? 

Check out the CISSP Cyber Training Academy to help you on your journey!


CISSP Cyber Training - YouTube

Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.
