An organization’s security team observes suspicious processes on a database server. Connection logs reveal proprietary records transferring to an unknown domain. The incident response lead wants to halt infiltration and preserve forensic artifacts for deeper analysis. Which action is recommended next?
Force sessions to end in user accounts across the business infrastructure
Capture system memory and remove the compromised server from the environment
Shut down the impacted system and deploy a stored image to restore functionality
Strengthen firewall rules to block unusual traffic patterns from the compromised subnet
Collecting data from the compromised system’s memory and removing the server from the environment helps protect the broader network while ensuring valuable evidence remains intact for investigation. Wiping the system or reverting to a stored image too soon can destroy key details about the attacker’s methods and tools. Adjusting a firewall policy is helpful, but it does not guarantee crucial in-memory data is captured. Forcing sessions to end across the environment does not address the active threat on the compromised server or preserve evidence for deeper examination.