I am new to this community and I am preparing for the CISSP exam.
During my preparation I have come across the question below in one of the practice tests and will require your expert input.
When any intrusion is detected, what should be your first step?
I'm not an expert either, well, a little bit, but I would always take action first to prevent further damage: first stop the bad thing from doing further bad things ASAP. Like a hospital's triage, you first stop the bleeding; first contain the problem. First containment / isolation of the problem, then you can take your time to watch, think, and analyze as much as you like, until you find out for sure what exactly has happened (what further systems are breached / damaged, etc.) and what you can do to remediate the problem, take mitigation actions to prevent this incident from happening again, and try to recover from the situation, back to normal operations.