An information security analyst discovered a virtual machine server was compromised by an attacker. Which of the following should be the FIRST steps to confirm and respond to the incident? (Choose two.)
A. Pause the virtual machine.
B. Shut down the virtual machine.
C. Take a snapshot of the virtual machine.
D. Remove the NIC from the virtual machine.
E. Review host hypervisor log of the virtual machine.
Agree... kinda. Most of my research was torn between Pause and Shutdown; most recommendations were to shut down, but I can see pausing would work as well, as it would keep running memory.
Now that I am rethinking, I agree with catastrophie. D, E. Confirm = review logs, Respond = remove the NIC (that would contain the VM), and you could analyze it from the vSphere console.
E. Review host hypervisor log of the virtual machine: The first step is to review the host hypervisor log of the virtual machine to determine the extent of the compromise, identify the attacker's methods and tools, and determine what data or systems may have been accessed or compromised. This step can help determine the best course of action to mitigate the incident.
B. Shut down the virtual machine: The second step is to shut down the virtual machine to prevent further damage to the system and the data it contains. Shutting down the virtual machine can prevent the attacker from continuing to access or modify data on the compromised system and limit the spread of the compromise to other systems in the network.
In the incident response plan, the analyst's initial step is identification, but it necessitates analysis for confirmation, a process facilitated by reviewing the logs. In a corporate setting, it's prudent not to hastily disconnect the system without verification; instead, a thorough examination of logs is recommended. Subsequently, the containment of the incident becomes crucial, presenting a choice among various valid responses. Personally, I lean towards opting for shutting down the system over removing the NIC. The rationale behind this choice lies in the preservation of artifacts essential for further investigation. While removing the NIC may be a more forceful option, it comes at the cost of potentially losing critical evidence. Therefore, my preference is to proceed with reviewing logs and initiating a shutdown for a comprehensive and cautious incident response.
"Which of the following should be the FIRST steps to confirm and respond to the incident? (Choose two.)" If I am conducting an action, such as pausing the VM or taking a snapshot etc., I am not confirming anything, as is mentioned in the question. So reading the logs would be the best to confirm.
I would say B, E. B: Shutting down the compromised virtual machine is an essential response step to prevent further damage and mitigate the risk of the attacker's continued presence.
E: Reviewing the host hypervisor log is crucial as it can provide valuable information about the activities and events related to the virtual machine.
Pausing the virtual machine may allow the attacker to continue operating because the attacker may have already gained persistent access to the system or may have left behind a backdoor or other means of maintaining access. If the attacker still has access to the system, they may be able to continue their activities even if the virtual machine is paused. Additionally, pausing the virtual machine does not provide any additional information to the analyst and may only serve to alert the attacker that their activities have been discovered. Therefore, taking a snapshot of the virtual machine and reviewing the hypervisor logs are more effective first steps to confirm and respond to a compromised virtual machine.
Removing the NIC (network interface card) from the virtual machine may be a useful step to prevent the attacker from communicating with the outside world. However, removing the NIC may not necessarily stop the attacker from continuing to operate within the virtual machine. The attacker may have already gained access to the system and may have multiple methods of communication, such as an internal network or other communication channels. Removing the NIC may also prevent the analyst from collecting important information about the attacker's activities.
A. Pause the virtual machine and C. Take a snapshot of the virtual machine should be the FIRST steps to confirm and respond to the incident.
Pausing the virtual machine will isolate the compromised system and prevent it from further communicating with other systems on the network. This can help to contain the incident and reduce the risk of further damage.
Taking a snapshot of the virtual machine is important for preserving the state of the system at the time of compromise. The snapshot can be used for analysis and forensic purposes to determine the cause of the incident, identify the extent of the damage, and develop a response plan.
A. Pause the virtual machine.
C. Take a snapshot of the virtual machine.
The first step in responding to a suspected compromise of a virtual machine should be to pause the virtual machine to prevent any further activity or data exfiltration, and take a snapshot of the virtual machine for later analysis. This will allow the information security analyst to preserve the state of the virtual machine, including all files, system settings, and configurations, for a comprehensive analysis and investigation of the incident. By taking a snapshot, the analyst can revert back to a known good state in case the investigation reveals that the virtual machine is indeed compromised and needs to be rebuilt.
I would go with D, E. If the VM server (assuming they are using VM server in terms of type one hypervisors - VMware, Hyper-V, etc.) was compromised, then they have access to the hypervisor; this would allow for the potential of a host escape, allowing them to access other physical hosts. By removing the NIC you restrict the attack to that one physical host. With the NIC removed, you've cut off access to the attacker, and since the host was compromised, all VMs on that host are considered compromised. Pausing a VM in this situation would seem like it would be as effective as rolling up the window of a convertible with the top down during a rain storm. With the host system isolated you'd be able to review the logs to attempt to find the VM point of entry. Then you can proceed with pausing, creating snapshots of the VMs and proceeding with the investigation.
All this goes out the window if I'm overthinking this and in fact they are talking about a single virtual machine set up as a server such as RHEL... In that case, A, D would be what I chose.
A. Pause the virtual machine. - I was leaning towards this, but you can achieve what you need with C & D.
B. Shut down the virtual machine. - This is a no; you would lose the evidence, and CompTIA always state not to shut the VM down.
C. Take a snapshot of the virtual machine. - This allows you to preserve and analyse the issue. (Confirm)
D. Remove the NIC from the virtual machine. - Stops the spread. (Contain)
E. Review host hypervisor log of the virtual machine. - You can do this, but the analysis can be done through the snapshot.
F. Execute a migration of the virtual machine. - I don't need to explain this one, surely.
Or maybe it is A & C - To pause the VM to stop any further exploitation, and take a snapshot to analyse the issue. States "first steps" in the question - so you would pause and analyse the VM before containing the issue. So A&C and then D would come after.
This is always discussed by CompTIA reviewers: turning off/shutting down a compromised VM is a NO. The logical thing to do is to first suspend, then take the snapshot of the VM.
B. Shut down the virtual machine - It will stop further file manipulation and spreading. It also preserves the server for investigation, and no other changes will happen anymore. You don't want to do snapshots (aka BACKUP) on that server because it will take a lot of time, especially if this is a big server with lots of files. If you want to back it up, you can clone it while it is shut down. If it happens that the compromise is a worm, then it will change the files while the server is still on; by the time the snapshot is done, you can't even recover any files because the whole thing is encrypted. This applies also to removing the NIC. Compromise always needs immediate action, not another problem.
Secondly, which of the following should be the FIRST steps to confirm?
E. Check the logs in the hypervisor on that specific VM to investigate. Even if the server is shut down, checking the logs of the hypervisor will still work since these are the host logs; this is your first step to confirm.
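Several comments above argue over the order of preserve, contain and confirm. As an added example that is not part of this thread or of any vendor documentation, this is how the evidence-preserving sequence looks in VMware PowerCLI for a vSphere VM: snapshot with memory first (so a later shutdown cannot destroy volatile state), disconnect the vNIC at the hypervisor to contain, optionally suspend, then pull the hypervisor's own event log for the VM to confirm. It assumes PowerCLI is installed and already connected via Connect-VIServer; the VM name and case ID are placeholders.

```powershell
# Added example (not from this thread): evidence-preserving containment of a
# suspected-compromised vSphere VM with VMware PowerCLI. Assumes PowerCLI is
# installed and Connect-VIServer has already been run. Names are placeholders.
$vmName = 'WEB01-PLACEHOLDER'
$caseId = 'IR-0000-PLACEHOLDER'
$vm = Get-VM -Name $vmName -ErrorAction Stop

# 1. Preserve state first. -Memory captures the guest's RAM with the snapshot,
#    which is exactly what a shutdown would lose. -Quiesce:$false so VMware
#    Tools is not asked to run anything inside a guest we no longer trust.
$snap = New-Snapshot -VM $vm -Name "$caseId-pre-containment" `
    -Description "Forensic snapshot taken $(Get-Date -Format o)" `
    -Memory -Quiesce:$false -Confirm:$false

# 2. Contain. Disconnecting the vNIC at the hypervisor cuts the attacker's
#    network path without touching the guest OS or its volatile evidence.
Get-NetworkAdapter -VM $vm |
    Set-NetworkAdapter -Connected:$false -StartConnected:$false -Confirm:$false

# 3. Optionally freeze the guest. Suspending writes guest memory to a .vmss
#    file on the datastore, a second copy of RAM independent of the snapshot.
Suspend-VM -VM $vm -Confirm:$false

# 4. Confirm from the host side: export the hypervisor's event log for this
#    VM (console logins, reconfigurations, power operations) for the last week.
$events = Get-VIEvent -Entity $vm -Start (Get-Date).AddDays(-7) -MaxSamples 5000 |
    Sort-Object CreatedTime
$events | Select-Object CreatedTime, UserName, FullFormattedMessage |
    Export-Csv -Path "$caseId-$vmName-hypervisor-events.csv" -NoTypeInformation

# 5. Record what was done and when, for the chain of custody.
"{0} snapshot '{1}' created; vNIC disconnected; VM suspended; {2} hypervisor events exported" -f `
    (Get-Date -Format o), $snap.Name, $events.Count |
    Tee-Object -FilePath "$caseId-actions.log" -Append
```

Run it with -WhatIf removed only after the case ID and VM name are set; the event export works whether the VM is later powered off or not, since those records live on the vCenter/host side.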
Community vote distribution: A (35%), C (25%), B (20%), Other.