During an active incident response, an analyst has identified a server that has been compromised by malware. The server is part of a clustered database that includes real-time replication to other nodes. To prevent the spread of the malware, which of the following is the BEST course of action to isolate the compromised server while maintaining the highest degree of operational availability?
Shut down the affected server immediately.
Implement a rule on the firewall to block all traffic from the affected server.
Disconnect the affected server's network connection.
Start re-imaging the affected server to remove the malware.
Disconnecting the affected server's network connection is the correct answer as it ensures immediate isolation from the network, preventing the potential spread of malware to other nodes in the cluster. While it may cause a temporary loss of redundancy or capacity, the other servers in the cluster should be able to compensate for this, maintaining overall availability. Shutting down the server could cause a longer downtime and potential data loss. Blocking the server at the firewall would not be effective if the malware uses allowed protocols or has already spread within the local network. Re-imaging the server is part of the recovery process and would result in significant downtime, which does not align with maintaining operational availability during isolation.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What does it mean to isolate a server during an incident response?
Open an interactive chat with Bash
Why is disconnecting the server's network connection the best option over other methods?
Open an interactive chat with Bash
What are the risks of shutting down the affected server during an incident response?