You are an incident handler who is investigating a zero-day attack on an endpoint device. You and the triage specialist have identified the specific endpoint that has been breached and have determined that it must be quarantined. Which internal stakeholder will you notify to perform the endpoint quarantine procedure?
- the threat hunter—the most seasoned professional on the SOC team
- the SOC manager
- the NOC manager because the actual quarantining of the system is typically a collaborative effort with the NOC team
- the CISO, who is ultimately responsible for security operations
Explanation & Hint:
In the scenario of quarantining an infected endpoint device after a zero-day attack, the appropriate internal stakeholder to notify for performing the quarantine would typically be the NOC manager, because the actual quarantining of the system is typically a collaborative effort with the NOC (Network Operations Center) team. The NOC team usually has the necessary access and tools to quickly isolate network devices and is responsible for network-related tasks such as adjusting firewall rules, changing VLAN assignments, or updating network access control lists to quarantine a system. It is important for incident handlers to work closely with the NOC to ensure the infected endpoint is isolated and further spread of the attack is prevented.