During an active incident response, an analyst has identified a server that has been compromised by malware. The server is part of a clustered database that includes real-time replication to other nodes. To prevent the spread of the malware, which of the following is the BEST course of action to isolate the compromised server while maintaining the highest degree of operational availability?
Implement a rule on the firewall to block all traffic from the affected server.
Shut down the affected server immediately.
Start re-imaging the affected server to remove the malware.
Disconnect the affected server's network connection.
Disconnecting the affected server's network connection is the correct answer. It isolates the host immediately, stops any further outbound connections from the malware, including over the replication channel, and does not depend on a control the malware might be able to evade. The cluster loses one node of redundancy or capacity, but the remaining nodes continue to serve, which preserves overall availability. Shutting down the server would also stop the spread, but it destroys volatile evidence (running processes, open network connections, memory) that the investigation needs, and it risks data loss and longer downtime if the node must be rebuilt before the cluster can reintegrate it. A firewall rule is only as good as its placement: a perimeter firewall does not see traffic between nodes on the same segment, and replication itself runs over allowed protocols, so blocking the server at the firewall may not stop lateral spread or may arrive after it has already happened. Re-imaging belongs to the recovery phase; it erases evidence and takes the node offline for an extended period, so it does not meet the goal of isolating the server while maintaining operational availability.
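As an added example (not part of the original question or its explanation), the following POSIX shell playbook shows the isolation step as a responder would script it on a Linux cluster node: snapshot volatile state first, since a shutdown would destroy it, then bring down every data-plane interface except an out-of-band management NIC so the forensic workstation keeps a path in, with a host-firewall plan as a stopgap until the switch port or cable is pulled. The forensic workstation address 10.0.99.5, the management interface name mgmt0 and the evidence directory are hypothetical values chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original question or answer key.
# Isolation playbook for a compromised cluster node: capture volatile state,
# then cut every data-plane link while keeping one out-of-band path open for
# the forensic workstation. Hypothetical values: forensic host 10.0.99.5,
# management NIC mgmt0. Run with --plan to print the commands that would be
# executed, or --apply (as root) to execute them.

FORENSIC_HOST="${FORENSIC_HOST:-10.0.99.5}"
MGMT_IF="${MGMT_IF:-mgmt0}"
EVIDENCE_DIR="${EVIDENCE_DIR:-/var/tmp/ir-$(date +%Y%m%dT%H%M%S)}"

# Record what is running and talking before the network goes away. Each
# optional tool is probed first so the snapshot never aborts the isolation
# on a minimal host. Returns the evidence directory path on stdout.
snapshot_volatile() {
    dir="$1"
    mkdir -p "$dir"
    date -u > "$dir/timestamp.txt"
    uname -a > "$dir/uname.txt"
    ps -ef > "$dir/ps.txt"
    command -v ss >/dev/null 2>&1 && ss -tanp > "$dir/sockets.txt"
    command -v ip >/dev/null 2>&1 && ip addr > "$dir/ip-addr.txt"
    command -v iptables >/dev/null 2>&1 && iptables -S > "$dir/iptables-before.txt"
    echo "$dir"
}

# Emit one "ip link ... down" per interface, skipping loopback and the
# management NIC named in $1. Replication stops the moment these links
# drop; the other cluster nodes keep serving, which is the availability
# trade-off the question describes.
plan_disconnect() {
    keep="$1"; shift
    for dev in "$@"; do
        case "$dev" in lo|"$keep") continue ;; esac
        echo "ip link set dev $dev down"
    done
}

# Host-firewall stopgap for the interval before the switch port or cable is
# pulled: only the forensic host may reach SSH, everything else is logged
# and dropped. Order matters: flush and add the ACCEPT rules while the
# policy is still ACCEPT, then flip the policy to DROP, so the analyst's
# own SSH session is not cut mid-way. A root-level implant can undo these
# rules, which is why the physical disconnect remains the primary action.
plan_firewall() {
    host="$1"
    cat <<EOF
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s $host -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -d $host -p tcp --sport 22 -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "IR-ISOLATED-IN: "
iptables -A OUTPUT -j LOG --log-prefix "IR-ISOLATED-OUT: "
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
EOF
}

# Execute the plan: evidence first, then links, then the firewall stopgap.
apply_isolation() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_isolation: must run as root" >&2; return 1; }
    snapshot_volatile "$EVIDENCE_DIR"
    plan_disconnect "$MGMT_IF" $(ls /sys/class/net) | sh -e
    plan_firewall "$FORENSIC_HOST" | sh -e
}

case "${1:-}" in
    --plan)  plan_disconnect "$MGMT_IF" $(ls /sys/class/net); plan_firewall "$FORENSIC_HOST" ;;
    --apply) apply_isolation ;;
esac
```

`--plan` prints the command list without executing anything, so the rule order and the interface list can be reviewed before `--apply` is run as root. The firewall plan is deliberately secondary: if the malware has root it can flush those rules, whereas a pulled cable or a switch-port shutdown cannot be undone from the compromised host, which is the reason the disconnect is the correct answer above.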