7.5k views
3 votes
An organization has recently deployed an EDR solution across its laptops, desktops, and server infrastructure. The organization's server infrastructure is deployed in an IaaS environment. A database within the non-production environment has been misconfigured with a routable IP and is communicating with a command and control server.

Which of the following procedures should the security responder apply to the situation?

A. Contain the server.
B. Initiate a legal hold.
C. Perform a risk assessment.
D. Determine the data handling standard.
E. Disclose the breach to customers.
F. Perform an IOC sweep to determine the impact.

by User Zett (8.1k points)

1 Answer

4 votes

Final answer:

When dealing with a suspected data breach from a misconfigured database, the security responder should first contain the server to prevent further data leakage, then perform an IOC sweep to assess the extent of the impact and follow with a comprehensive risk assessment.

Step-by-step explanation:

The situation described involves a misconfigured database in a non-production environment communicating with a command and control server, which suggests a data breach scenario. In response to this issue, the following procedures should be considered:

  • Contain the server: This is a critical first step to prevent any further unauthorized access or data leakage. The affected server should be isolated from the network to halt ongoing communication with the command and control server.
  • Perform an IOC sweep: Indicators of Compromise (IOCs) should be identified to determine the scope and impact of the breach. This step will help in understanding which other assets may have been compromised.
  • Perform a risk assessment: A thorough risk assessment should be conducted to evaluate the extent of the breach, identify vulnerabilities, and take corrective actions to prevent future incidents.

Notifying customers and initiating a legal hold might come at subsequent stages, depending on the findings of the risk assessment and the relevant data handling standards.

by User Yonah Dissen (7.9k points)
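The three steps the answer lays out (contain the server, sweep for the indicator, then assess the wider impact), as an added Python example that is not part of the original question or answer: it parses constructed EDR network telemetry, counts which hosts contacted a hypothetical C2 address, flags non-production hosts that sit on a routable address (the misconfiguration in the scenario), and turns that into a per-host containment list. All hostnames, addresses and log lines are constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for public addresses, and the key=value telemetry format is an assumption rather than any specific EDR product's output.

```python
"""IOC sweep and containment triage over EDR network telemetry.

Added example, not part of the original answer. Every hostname, address and
log line below is constructed; 203.0.113.0/24 and 198.51.100.0/24 are
documentation ranges standing in for public addresses.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed indicator: the command-and-control address observed from the
# misconfigured database (hypothetical value, not a real IOC).
KNOWN_C2 = frozenset({"203.0.113.45"})

# Constructed EDR network telemetry, one outbound connection per line.
SAMPLE_TELEMETRY = [
    "host=db-nonprod-01 env=nonprod src=203.0.113.10 dst=203.0.113.45 dport=443",
    "host=db-nonprod-01 env=nonprod src=203.0.113.10 dst=203.0.113.45 dport=443",
    "host=app-nonprod-02 env=nonprod src=10.20.0.15 dst=203.0.113.45 dport=8443",
    "host=app-nonprod-02 env=nonprod src=10.20.0.15 dst=10.20.0.5 dport=5432",
    "host=web-prod-01 env=prod src=198.51.100.7 dst=198.51.100.200 dport=443",
    "host=db-prod-01 env=prod src=10.10.0.8 dst=10.10.0.9 dport=5432",
]

# Address space that is not reachable from the Internet: RFC 1918, loopback,
# link-local and carrier-grade NAT. Anything else is treated as routable.
NON_ROUTABLE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")
]


@dataclass(frozen=True)
class FlowRecord:
    host: str
    env: str
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class SweepResult:
    hits: dict[str, int]        # host -> connections to a known indicator
    contain: list[str]          # hosts to isolate immediately
    exposed_nonprod: list[str]  # non-production hosts on a routable address


def is_routable(ip: str) -> bool:
    """True when the address lies outside the non-routable ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def parse_record(line: str) -> FlowRecord:
    """Parse one 'key=value' telemetry line into a FlowRecord."""
    fields = dict(token.split("=", 1) for token in line.split())
    return FlowRecord(
        host=fields["host"],
        env=fields["env"],
        src_ip=fields["src"],
        dst_ip=fields["dst"],
        dst_port=int(fields["dport"]),
    )


def ioc_sweep(lines: list[str], iocs: frozenset[str]) -> SweepResult:
    """Sweep telemetry for the indicator and report scope and exposure."""
    records = [parse_record(line) for line in lines]
    # Scope of compromise: every host that talked to the indicator, with counts.
    hits = Counter(r.host for r in records if r.dst_ip in iocs)
    # Exposure: non-production hosts that should never carry a routable address.
    exposed = sorted({r.host for r in records
                      if r.env == "nonprod" and is_routable(r.src_ip)})
    return SweepResult(hits=dict(hits), contain=sorted(hits), exposed_nonprod=exposed)


def containment_actions(result: SweepResult) -> dict[str, list[str]]:
    """Map each host in scope to the containment steps a responder takes first."""
    plan: dict[str, list[str]] = {}
    for host in result.contain:
        steps = ["isolate host with EDR network containment",
                 "preserve volatile evidence before any reboot"]
        if host in result.exposed_nonprod:
            steps.append("remove routable address and restrict egress in the IaaS security group")
        plan[host] = steps
    return plan


if __name__ == "__main__":
    result = ioc_sweep(SAMPLE_TELEMETRY, KNOWN_C2)
    print("hosts contacting the indicator:", result.hits)
    print("non-production hosts with a routable address:", result.exposed_nonprod)
    for host, steps in containment_actions(result).items():
        print(host, "->", "; ".join(steps))
```

On the constructed data the sweep shows that the database is not the only host in scope: a second non-production host contacted the same address, which is exactly what the answer's IOC sweep step is meant to surface before the risk assessment. `is_routable` deliberately uses an explicit list of non-routable ranges rather than `ipaddress.ip_address(...).is_global`, because the standard library classifies the documentation ranges used here as non-global and would hide the misconfiguration in this sample.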