An organization’s security team observes suspicious processes on a database server. Connection logs reveal proprietary records transferring to an unknown domain. The incident response lead wants to halt the exfiltration and preserve forensic artifacts for deeper analysis. Which action is recommended next?
Strengthen firewall rules to block unusual traffic patterns from the compromised subnet
Capture system memory and remove the compromised server from the environment
Shut down the impacted system and deploy a stored image to restore functionality
Force sessions to end in user accounts across the business infrastructure
Capturing the compromised server’s memory and then removing it from the environment is the recommended next step. Volatile memory holds the running processes, live network connections, injected code and, often, credentials or keys that vanish the moment the host is powered off, and that is the evidence showing what the attacker is doing and how. Taking the server off the network afterwards (network isolation with the host still powered on, not a shutdown) halts the exfiltration and protects the rest of the environment while the evidence remains intact. Wiping the system or restoring a stored image too soon destroys that record of the attacker’s methods and tools. Tightening firewall rules may slow the transfer, but it captures nothing and leaves the attacker’s foothold on the server in place. Forcing sessions to end across the business neither stops the process exfiltrating data from the database server nor preserves anything for deeper examination.
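The order the explanation describes, volatile evidence first and then network isolation with the host still running, as an added example script that is not part of the original question or answer. It assumes a Linux database server with iptables, a forensic workstation at a known IP address, and an evidence path on removable media or a network share; the memory dump relies on AVML (or the LiME kernel module as an alternative) being available on the forensic media, which is an assumption rather than something the page states.

```shell
#!/bin/sh
# Volatile-first triage for a suspected compromised Linux host (added example).
# Write OUTDIR to removable media or a network share, not the host's own disk,
# so unallocated space that may hold deleted attacker files is not overwritten.
# Usage:  sh triage.sh collect /mnt/evidence/dbsrv01
#         APPLY=1 sh triage.sh isolate 10.20.30.40     # forensic workstation IP
set -u

# run_step OUTFILE CMD [ARGS...]
# Runs CMD if it exists on this host; captures stdout, stderr and the exit
# status so a missing or failing tool is recorded rather than silently skipped.
run_step() {
    out="$1"; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$out" 2>&1 || echo "[exit status $?]" >> "$out"
    else
        echo "[tool '$1' not available on this host]" > "$out"
    fi
}

# collect_volatile OUTDIR
# Snapshots state in order of volatility (RAM, processes and live sockets
# first, disk-derived facts last), then hashes every artifact so its integrity
# can be demonstrated later in the investigation.
collect_volatile() {
    outdir="$1"
    mkdir -p "$outdir"
    {
        echo "collected_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "host=$(hostname 2>/dev/null || echo unknown)"
        echo "collector_uid=$(id -u)"
        echo "kernel=$(uname -r)"
    } > "$outdir/00_context.txt"

    # Full RAM image. AVML (assumed to be on the forensic media) writes a
    # LiME-format dump; loading the LiME module is the usual alternative.
    if command -v avml >/dev/null 2>&1; then
        avml "$outdir/memory.lime" > "$outdir/00_memory.log" 2>&1 \
            || echo "[avml exit status $?]" >> "$outdir/00_memory.log"
    else
        echo "[avml not found; load LiME if available]" > "$outdir/00_memory.log"
    fi

    run_step "$outdir/01_processes.txt"  ps -eo pid,ppid,user,lstart,etime,cmd
    run_step "$outdir/02_sockets.txt"    ss -tanpo
    run_step "$outdir/03_open_files.txt" lsof -nP
    run_step "$outdir/04_sessions.txt"   w
    run_step "$outdir/05_arp.txt"        ip neigh
    run_step "$outdir/06_routes.txt"     ip route
    run_step "$outdir/07_modules.txt"    lsmod
    run_step "$outdir/08_mounts.txt"     mount

    # Hash everything collected (including memory.lime when present).
    ( cd "$outdir" && for f in *; do
          [ "$f" = manifest.sha256 ] || sha256sum "$f"
      done > manifest.sha256 )
}

# build_isolation_rules FORENSIC_IP
# Emits an iptables rule set that drops all traffic except loopback and the
# forensic workstation: the exfiltration stops, the host stays powered on
# with its memory intact, and the investigator keeps a path in. (Add matching
# ip6tables rules on dual-stack hosts.) Printed rather than applied so the
# rules can be reviewed first.
build_isolation_rules() {
    forensic_ip="$1"
    cat <<EOF
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s $forensic_ip -j ACCEPT
iptables -A OUTPUT -d $forensic_ip -j ACCEPT
EOF
}

# isolate_host FORENSIC_IP
# Dry run by default; APPLY=1 installs the rules (requires root).
isolate_host() {
    if [ "${APPLY:-0}" = 1 ]; then
        build_isolation_rules "$1" | sh -e
    else
        build_isolation_rules "$1"
    fi
}

case "${1:-}" in
    collect) collect_volatile "$2" ;;
    isolate) isolate_host "$2" ;;
esac
```

Run `collect` first and only then `isolate`: the rule set cuts the server off from the attacker's domain but leaves the forensic workstation a route in for copying the evidence, which is the difference between isolating a host and shutting it down.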