An analyst is responding to an incident within a cloud infrastructure. Based on the logs and traffic analysis, the analyst thinks a container has been compromised. Which of the following should the analyst do FIRST?
A. Perform threat hunting in other areas of the cloud infrastructure.
B. Contact law enforcement to report the incident.
C. Perform a root cause analysis on the container and the service logs.
D. Isolate the container from production using a predefined policy template.
The FIRST thing you need to do when you have an alert is to confirm if that is indeed a true positive or not. You don't isolate until you know for sure what's happening.
What would it mean in a corporate environment to isolate the host/server/container every time you receive an alert without even analyzing first?
In our case "the analyst THINKS a container has been compromised", so do we have a spread for sure? Not really...
If you have 1000 containers which you think are compromised, do you isolate them all, at the risk of causing a business disruption, without even knowing what the root cause is?
Root cause is definitely where my knee-jerk reaction would be, but in IR you don't get down to root cause until after you've stopped the spread. You need just enough suspicion that something is going on to be able to stop the spread. Then root cause analysis is done to make sure you can eradicate it completely (not missing anything or making assumptions) and prevent it moving forward.
The analyst should isolate the container from production using a predefined policy template first. Isolating the container is a containment measure that can help prevent the spread of the compromise to other containers or systems in the cloud infrastructure. Containment is an important step in the incident response process, as it can limit the impact and damage of an incident. Using a predefined policy template can help automate and standardize the isolation process, ensuring that it is done quickly and consistently.
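As an added illustration of what a "predefined policy template" for isolating a container can look like (this is not from the original thread; it assumes Kubernetes with a CNI that enforces NetworkPolicy, and the namespace and label names are made up), a quarantine policy prepared in advance and triggered by labelling the suspect pod:

```yaml
# Quarantine template: applies to any pod in the namespace that carries the
# label incident-response/quarantine: "true". The pod keeps running, so its
# memory and filesystem remain available for analysis, but it can no longer
# talk to anything except the forensics collector.
# Namespace and label names below are assumptions for this example.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ir-quarantine
  namespace: prod                      # assumed production namespace
spec:
  podSelector:
    matchLabels:
      incident-response/quarantine: "true"
  policyTypes:
    - Ingress
    - Egress
  # Empty ingress list: all inbound connections to the pod are denied.
  ingress: []
  # Egress is limited to the forensics namespace so evidence can still be pulled.
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: security-forensics   # assumed namespace
      ports:
        - protocol: TCP
          port: 443
```

With the template already applied, containment at incident time is a single labelling action (`kubectl label pod <suspect-pod> -n prod incident-response/quarantine=true --overwrite`), which is what makes the step fast and consistent; removing the label lifts the quarantine once analysis is complete.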
I believe it is C because in the question it said the analyst THINKS a container has been compromised. As an analyst you need to confirm this belief. Confirming is the first step in incident response.
Isolate the container from production using a predefined policy template should be the FIRST step the analyst takes after suspecting that a container has been compromised. This will help prevent the compromise from spreading to other parts of the cloud infrastructure and limit the potential damage. Once the container has been isolated, the analyst can proceed with performing a root cause analysis on the container and the service logs to determine the cause of the compromise and take appropriate action to remediate the issue.
D. The analyst is responding to an incident and is technically in the "Detection and Analysis" phase. The next step is Containment, to limit the scope and magnitude of the incident. So D gets my vote.
One reviewer already said many sites have A as the answer, and Adrian831 has some good points. Here's why I think A is right:
The analyst has evaluated information and thinks a compromise has occurred. Our best bet is to try and look for other IOCs to confirm that perception. Threat hunting is focused on finding IOCs before an incident has been confirmed.
I'm sorry, the remaining steps are all based on phases of the incident response, which means a threat was confirmed. Other comments are essentially correct in that Containment comes before RCA. (I think everyone knows law enforcement isn't even close to a consideration here)
A root cause analysis (RCA) should be conducted after an incident has been identified and contained to determine the underlying cause of the incident. The goal of a RCA is to identify the factors that contributed to the incident, so that measures can be put in place to prevent similar incidents from happening in the future.
Logs and traffic have been reviewed, so methinks the word "thinks" in this question is there to throw you off; they have actually determined the container is compromised, and the next step is to contain.
Many other sites are claiming A as the answer. I am not sure of the answer but this is an FYI. Still reviewing this one.
I get your point Adrian but I think there is more to this one.
I agree with D. First isolate to prevent further damage, then analyse root cause.
Community vote distribution: A (35%), C (25%), B (20%), Other