When an IDS alerts the administrator that an intrusion is taking place, what is often the first action the first responder should perform?
C. Contact law enforcement
D. Restore files from backup
The correct answer is A.
Domain: 2.3. Containment is usually the initial step to be performed by the first responder. While there are various circumstances where other options might be more appropriate, it is generally true that the most common initial step is containment. Containment aims at preventing further damage or distribution of the malicious activity