CompTIA CySA+ Exam CS0-002: First Step to Confirm and Respond to a Compromised Virtual Machine Server

Confirming and Responding to a Compromised Virtual Machine Server

Question

An information security analyst discovered a virtual machine server was compromised by an attacker.

Which of the following should be the FIRST step to confirm and respond to the incident?

Answers

Explanations


C.

The FIRST step to confirm and respond to the incident of a compromised virtual machine server is to isolate the virtual machine from the network by removing its network interface card (NIC).

Option A, pausing the virtual machine, is not an appropriate response, as it does not prevent the attacker from continuing to compromise the virtual machine once it is resumed.

Option B, shutting down the virtual machine, can destroy valuable forensic evidence that could be used to investigate the incident.

Option C, taking a snapshot of the virtual machine, can preserve the state of the virtual machine but does not prevent the attacker from continuing to compromise the virtual machine.

Option D, removing the NIC from the virtual machine, is the correct first step, as it effectively isolates the virtual machine from the network, cutting off the attacker's access to the compromised system and limiting their ability to cause further damage while preserving the running state for investigation.

After removing the NIC, the next step would be to investigate the incident and determine the extent of the compromise. This could involve analyzing log files, conducting memory analysis, or examining system files for signs of malicious activity. Once the investigation is complete, appropriate remediation actions should be taken to restore the virtual machine to a secure state.