ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
An e-commerce company runs its web tier on an Auto Scaling group of Amazon EC2 instances in a public subnet. After detecting a web shell on several instances, the incident response team applied a WAF rule to block the attacker's IP addresses. According to NIST guidelines for long-term containment, which additional action best balances continued service availability with risk reduction?
Detach the VPC's internet gateway to sever all inbound and outbound traffic for every subnet.
Stop the entire Auto Scaling group and keep it offline until the forensic investigation is finished.
Replace the Auto Scaling launch template with a hardened, patched AMI and perform a rolling update that cycles out the existing instances.
Immediately terminate the compromised instances without replacement and issue a public outage notice.
Long-term containment seeks to keep the service operating while ensuring that only trusted, fully remediated resources remain in production. NIST SP 800-61 recommends rebuilding compromised hosts from trusted media, applying patches, and gradually returning clean systems to service. Replacing the Auto Scaling launch template with a hardened, patched AMI and performing a rolling update meets these goals: the workload stays online, every new instance is clean, and compromised nodes are phased out. Simply powering off the group, deleting the internet gateway, or terminating instances without replacement all disrupt availability and either exceed the scope of containment or move directly into eradication and recovery phases, making them unsuitable as long-term containment measures.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is NIST SP 800-61 and why is it important for incident response?
Open an interactive chat with Bash
What is a rolling update and how does it help in mitigating risks during incident containment?
Open an interactive chat with Bash
What is an AMI, and why is using a hardened, patched AMI crucial in this scenario?
Open an interactive chat with Bash
ISC2 Systems Security Certified Practitioner (SSCP)
Incident Response and Recovery
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .