A cloud operations engineer receives a high-severity alert from the SIEM showing multiple failed and then successful root-level SSH logins to several Linux jump hosts at 03:15 local time, well outside normal maintenance hours. The organization's incident-response runbook states that any suspected compromise must be contained within 15 minutes while evidence is preserved for later investigation. Which immediate action BEST meets these requirements?
Disable multi-factor authentication on the jump hosts to simplify administrator access during investigation
Add the suspicious IP addresses to a temporary firewall deny list and start packet capture on the affected hosts
Snapshot the affected VMs and power them off to prevent further damage
Increase the SIEM threshold for failed logins to reduce alert noise while gathering more data
Temporarily blocking the suspicious source addresses at the cloud firewall cuts off the attacker's access (containment) and, because the systems remain online, allows security staff to enable packet capture and collect volatile data and logs. Powering off hosts before containment could disrupt ongoing forensic data collection and violate the 15-minute containment window. Disabling MFA weakens security and does not address the compromise. Raising alert thresholds delays response and leaves the environment exposed.