A security operations center (SOC) analyst is investigating a web server that has been compromised for the third time in two months. After each of the first two incidents, the response team restored the server from a clean backup and blocked the attacker's source IP address in the firewall. A deeper analysis of the latest incident reveals that a SQL injection vulnerability in the site's customer feedback form is the entry point. Which of the following actions best represents addressing the root cause of the repeated compromises?
Isolate the server and perform a full malware scan to identify any dormant threats.
Implement a more aggressive backup and restoration schedule for the web server.
Patch the web application to validate user input and prevent SQL injection.
Continue to block the attacker's source IP address after each detected incident.
The root cause of the repeated compromises is the SQL injection vulnerability, which attackers can exploit regardless of their source IP address. Simply blocking the IP is a temporary, reactive measure. Restoring from a backup only cleans the immediate infection but does not fix the exploitable flaw. Patching the application code to eliminate the SQL injection vulnerability is the only action that addresses the fundamental problem, thereby preventing future exploitation of this specific vector.
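To make the distinction concrete, here is an added example (not part of the original question or its answer key) of the kind of patch the correct option describes. It puts the injection-prone pattern the feedback form presumably used, a query built by string concatenation, beside two root-cause fixes: a parameterized query, which the page does not name explicitly but is the standard way to "prevent SQL injection", and allow-list input validation as the page suggests. The table, rows, column names and the tautology test string are all constructed for this example; it runs against an in-memory SQLite database.

```python
"""Added example (not from the original page): SQL-injection-prone lookup
beside its parameterized and input-validated replacements, run against an
in-memory SQLite database seeded with constructed sample rows."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a feedback table with two customers' entries.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE feedback (customer TEXT, comment TEXT)")
    conn.executemany(
        "INSERT INTO feedback VALUES (?, ?)",
        [("alice", "Great service"), ("bob", "Late delivery")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, customer: str) -> list:
    # The 'before' state of the patch: the form value is pasted into the SQL
    # text, so a quote character in it changes the query's structure. This is
    # the defect the question says caused all three compromises.
    sql = f"SELECT customer, comment FROM feedback WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, customer: str) -> list:
    # Root-cause fix: a bound parameter is always treated as data, never as
    # SQL, regardless of which source IP submitted it.
    sql = "SELECT customer, comment FROM feedback WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


MAX_CUSTOMER_LEN = 64  # assumed limit for this example's field


def validate_customer(customer: str) -> str:
    # Defence in depth, the "validate user input" half of the patch: allow-list
    # the field's expected shape before it reaches the database layer.
    if not (1 <= len(customer) <= MAX_CUSTOMER_LEN) or not customer.isalnum():
        raise ValueError("customer name must be 1-64 alphanumeric characters")
    return customer


# Constructed test input: a textbook tautology string. Concatenated into the
# query it makes the WHERE clause always true; as a bound parameter it is just
# a literal name that matches no row.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:    ", lookup_vulnerable(db, TAUTOLOGY))     # every row leaks
    print("parameterized: ", lookup_parameterized(db, TAUTOLOGY))  # []
    try:
        validate_customer(TAUTOLOGY)
    except ValueError as err:
        print("rejected at validation:", err)
```

Running it shows why the other three options fail the root-cause test: restoring from backup or blocking an IP leaves `lookup_vulnerable` in place, so the next request with a quote character in it behaves exactly the same way, whereas `lookup_parameterized` returns an empty result for the same input and `validate_customer` rejects it before any query runs.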