Question

Scenario: An organization has an incident response plan that requires reporting incidents after verifying them. For security purposes, the organization has not published the plan. Only members of the incident response team know about the plan and its contents. Recently, a server administrator noticed that a web server he manages was running slower than normal. After a quick investigation, he realized an attack was coming from a specific IP address. He immediately rebooted the web server to reset the connection and stop the attack. He then used a utility he found on the Internet to launch a protracted attack against this IP address for several hours. Because attacks from this IP address stopped, he didn't report the incident.
What should have been done before rebooting the web server?A. Review the incidentB. Perform remediation stepsC. Take recovery stepsD. Gather evidence

Answer 1

D, gather evidence, it’s obvious he should have reported the problem which as many evidence possibly found, instead decides to reboot the server.