CV0-003 · Question #769
During a security incident, an IaaS compute instance is detected to send traffic to a host related to cryptocurrency mining. The security analyst handling the incident determines the scope of the inci
The correct answer is C. Create a snapshot of the volumes attached to the instance. The first step in any security incident response is to isolate the affected system from the network. This will prevent the attacker from further compromising the system or spreading the attack to Once the instance has been isolated, the security analyst can perform a memory acqui
Question
During a security incident, an IaaS compute instance is detected to send traffic to a host related to cryptocurrency mining. The security analyst handling the incident determines the scope of the incident is limited to that particular instance. Which of the following should the security analyst do NEXT?
Options
- AIsolate the instance from the network into quarantine
- BPerform a memory acquisition in the affected instance
- CCreate a snapshot of the volumes attached to the instance
- DReplace the instance with another from the baseline
How the community answered
(22 responses)- A9% (2)
- B14% (3)
- C55% (12)
- D23% (5)
Explanation
The first step in any security incident response is to isolate the affected system from the network. This will prevent the attacker from further compromising the system or spreading the attack to Once the instance has been isolated, the security analyst can perform a memory acquisition to collect evidence of the attack. This can be done using a variety of tools, such as a live memory acquisition tool or a post-mortem memory acquisition tool. The security analyst can also create a snapshot of the volumes attached to the instance. This will allow the analyst to restore the instance to a clean state if necessary. Replacing the instance with another from the baseline is not necessary at this stage. However, it may be necessary if the attacker has been able to compromise the instance's root account or other critical systems. Therefore, the next step that the security analyst should take is to isolate the instance from the network into quarantine.
Topics
Community Discussion
No community discussion yet for this question.