nerdexam
CompTIA

CV0-003 · Question #769

During a security incident, an IaaS compute instance is detected to send traffic to a host related to cryptocurrency mining. The security analyst handling the incident determines the scope of the inci

The correct answer is C. Create a snapshot of the volumes attached to the instance. The first step in any security incident response is to isolate the affected system from the network. This will prevent the attacker from further compromising the system or spreading the attack to Once the instance has been isolated, the security analyst can perform a memory acqui

Security

Question

During a security incident, an IaaS compute instance is detected to send traffic to a host related to cryptocurrency mining. The security analyst handling the incident determines the scope of the incident is limited to that particular instance. Which of the following should the security analyst do NEXT?

Options

  • AIsolate the instance from the network into quarantine
  • BPerform a memory acquisition in the affected instance
  • CCreate a snapshot of the volumes attached to the instance
  • DReplace the instance with another from the baseline

How the community answered

(22 responses)
  • A
    9% (2)
  • B
    14% (3)
  • C
    55% (12)
  • D
    23% (5)

Explanation

The first step in any security incident response is to isolate the affected system from the network. This will prevent the attacker from further compromising the system or spreading the attack to Once the instance has been isolated, the security analyst can perform a memory acquisition to collect evidence of the attack. This can be done using a variety of tools, such as a live memory acquisition tool or a post-mortem memory acquisition tool. The security analyst can also create a snapshot of the volumes attached to the instance. This will allow the analyst to restore the instance to a clean state if necessary. Replacing the instance with another from the baseline is not necessary at this stage. However, it may be necessary if the attacker has been able to compromise the instance's root account or other critical systems. Therefore, the next step that the security analyst should take is to isolate the instance from the network into quarantine.

Topics

#incident response#snapshot forensics#cryptocurrency mining#instance isolation

Community Discussion

No community discussion yet for this question.

Full CV0-003 Practice