Question 40
Domain 4: Security Operations, Monitoring, and Incident Response

A security operations team is automating incident response in the cloud. Which automation approach is MOST appropriate for containing a compromised virtual machine?
Correct answer: B
Explanation
Isolating the instance from the network contains the threat by stopping further communication, lateral movement, and data exfiltration while keeping the virtual machine intact. This preserves the system state and evidence for forensic analysis, which is the standard incident response goal for containment: limit damage without destroying artifacts.
Why each option is right or wrong
A. Immediately terminating the instance and all associated storage
Terminating the instance and its storage does stop the attacker's activity, but it destroys the system state and evidence that containment is meant to preserve for forensic analysis.
B. Isolating the instance from the network while preserving it for analysis
Under NIST SP 800-61 Rev. 2, containment is the phase where responders limit the scope and duration of an incident while preserving evidence for later analysis. For a compromised virtual machine, the appropriate action is to sever its network access but leave the instance powered on or otherwise intact, because that stops command-and-control, lateral movement, and exfiltration without destroying volatile artifacts needed for forensics.
C. Ignoring the alert to avoid disrupting business operations
Ignoring the alert leaves the compromised instance free to communicate, move laterally, and exfiltrate data, so it neither limits damage nor contains the threat.
D. Rebooting the instance without investigating the compromise
A reboot discards volatile artifacts needed for forensics and, without investigation, does nothing to establish or remove the attacker's foothold, so the compromise can simply persist.