A cybersecurity analyst has contained a web server compromise by isolating it from the network. A forensic image has been acquired for later analysis. To meet business requirements for a secure and timely recovery, which of the following actions should the analyst perform to complete the eradication and recovery phases for this server?
Perform a system restore using the backup files stored locally on the compromised server.
Install the latest operating system patches and restore system settings from the most recent backup.
Erase the current system and deploy a pre-configured, verified clean image
Run a comprehensive antivirus program to clean the malware and then update all security patches.
The correct action after containing a compromise is to eradicate the threat and recover the system to a known-good state. This involves completely wiping the affected system and deploying a trusted, clean system image. This ensures that any persistent malware, rootkits, or hidden backdoors are removed. Simply running antivirus software or patching a compromised system is insufficient, as advanced threats can evade detection and persist. Restoring from backups that are not verified to be clean or are stored on the compromised machine itself risks reintroducing the malware.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a system image, and why is it important in incident response?
Open an interactive chat with Bash
How can you ensure the system image used for re-imaging is secure?
Open an interactive chat with Bash
Why is using the compromised server's backup files for restoration not recommended?