An organization has activated the CSIRT. A security analyst believes a single virtual server was compromised and immediately isolated from the network. Which of the following should the CSIRT conduct next?
A. Take a snapshot of the compromised server and verify its integrity
B. Restore the affected server to remove any malware
C. Contact the appropriate government agency to investigate
D. Research the malware strain to perform attribution
When a security analyst believes a single virtual server has been compromised and has isolated it from the network, the next steps for the CSIRT (Computer Security Incident Response Team) should focus on investigating and containing the incident. In this context, the most appropriate action would be:
A. Take a snapshot of the compromised server and verify its integrity
Explanation:
Take a snapshot: Creating a snapshot involves capturing the current state of the virtual server, including its configuration and data. This snapshot can serve as a forensic image for later analysis.
Verify its integrity: The CSIRT should analyze the snapshot to identify signs of compromise, understand the extent of the incident, and determine the nature of the compromise. Verifying the integrity involves checking for any unauthorized changes, unusual activities, or indicators of compromise.
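As an added example, not from the exam or from any of the commenters above, the following Python sketch shows what "take a snapshot and verify its integrity" looks like in practice for evidence preservation: the snapshot image is copied into an evidence store, hashed with SHA-256, the hash and collection details are written to a manifest, and the image can be re-hashed later to prove it was not altered. The file names, case ID, analyst name and the fake disk-image contents are constructed assumptions for the demo.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so large images do not load into memory


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def seal_snapshot(image_path, evidence_dir, case_id, collected_by):
    """Copy the snapshot image into the evidence store, hash it and write a manifest.

    Returns the path of the manifest. The copy is hashed and compared with the
    source so a failed or partial acquisition is caught immediately.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    evidence_copy = os.path.join(evidence_dir, os.path.basename(image_path))
    shutil.copy2(image_path, evidence_copy)
    digest = sha256_file(evidence_copy)
    if digest != sha256_file(image_path):
        raise RuntimeError("evidence copy does not match source; acquisition failed")
    manifest = {
        "case_id": case_id,  # constructed identifier
        "evidence_file": os.path.basename(evidence_copy),
        "sha256": digest,
        "size_bytes": os.path.getsize(evidence_copy),
        "collected_by": collected_by,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
    }
    manifest_path = evidence_copy + ".manifest.json"
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    # Mark the sealed copy read-only; analysis should work on a further copy.
    os.chmod(evidence_copy, 0o444)
    return manifest_path


def verify_snapshot(manifest_path):
    """Re-hash the evidence file and compare with the sealed manifest.

    Returns (ok, expected_digest, actual_digest).
    """
    with open(manifest_path) as f:
        manifest = json.load(f)
    evidence_path = os.path.join(os.path.dirname(manifest_path), manifest["evidence_file"])
    actual = sha256_file(evidence_path)
    return actual == manifest["sha256"], manifest["sha256"], actual


def demo():
    """Constructed scenario: seal a fake image, verify it, tamper with it, verify again."""
    work = tempfile.mkdtemp()
    try:
        image = os.path.join(work, "web01-snapshot.vmdk")  # constructed file name
        with open(image, "wb") as f:
            f.write(b"CONSTRUCTED-DISK-IMAGE\x00" * 4096)  # stands in for a real snapshot
        manifest = seal_snapshot(image, os.path.join(work, "evidence"), "IR-0001", "analyst")
        ok_before, _, _ = verify_snapshot(manifest)

        # Simulate an unauthorized change to the sealed evidence (one byte flipped).
        evidence_path = os.path.join(work, "evidence", "web01-snapshot.vmdk")
        os.chmod(evidence_path, 0o644)
        with open(evidence_path, "r+b") as f:
            f.seek(0)
            f.write(b"X")
        ok_after, _, _ = verify_snapshot(manifest)
        return ok_before, ok_after  # (True, False)
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print("integrity before/after tampering:", demo())
```

The manifest is what lets the team later show that the image analysed is the one collected right after isolation; restoring or rebuilding the server first (option B) would leave nothing to hash.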
Preserve the evidence after isolation. B makes no sense immediately after isolating. You would restore the system and lose all data prior to collecting it for evidence / investigation? NIST doesn't recommend restoring prior to collecting the data...
Going with "A" based upon CompTIA's 6-step method to troubleshooting: identify the problem, establish a theory of probable cause, test the theory. "A" would be the third step. It is a CompTIA exam.
According to NIST Incident Response, once the infected system has been contained, the next step would be eradication & recovery (i.e. restore the infected system); then you would verify the malware has been removed.
The next action that the CSIRT should conduct after isolating the compromised server from the network is to take a snapshot of the compromised server and verify its integrity. Taking a snapshot and verifying its integrity can help preserve and protect any evidence or information related to the incident, as well as prevent any tampering, contamination, or destruction of evidence.