ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
During an incident response in a hybrid cloud environment that hosts public-facing web applications on Amazon EC2 instances behind an Application Load Balancer, investigators confirm that attackers replaced the Nginx binary by compromising an upstream package repository. Containment has isolated the affected instances and blocked outgoing traffic. Following eradication best practices, which action should the response team perform next?
Reimage the affected EC2 instances from a validated, hardened AMI and reinstall software only from trusted repositories with signature verification.
Apply the vendor's latest patch to the compromised Nginx binary on each isolated instance and return them to service.
Delete the altered Nginx binary, restart the web service, and monitor system logs for any recurring anomalies.
Capture full memory dumps and packet captures for forensic review, then shut down the isolated instances permanently.
Eradication focuses on removing the root cause of an incident and eliminating every malicious artifact it introduced. Because the attackers tampered with the upstream package repository, the integrity of all software installed on the affected EC2 instances is in doubt, not just the Nginx binary. The most reliable way to remove the compromised binary, together with any other modifications that have not yet been detected, is to rebuild each instance from a known-good, hardened Amazon Machine Image (AMI) and then reinstall the required software only from trusted repositories, with package signatures verified before installation. Patching the suspect binary, or deleting it and restarting the service, treats the symptom on a system whose package trust is broken and risks leaving backdoors or additional malicious files in place; a patch pulled from the same poisoned channel would simply reintroduce the problem. Capturing memory dumps and packet captures is valuable, but that evidence belongs to the detection and analysis work done before and during containment, and permanently shutting the instances down is a recovery decision; neither step removes the root cause. Redeploying clean, trusted images and verifying package integrity is therefore the correct eradication action. In practice the eradication scope also extends to every other system that installed packages from the poisoned repository, and that repository must be removed from the instances' trusted sources until its integrity is restored.
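The "known-good image as the reference" idea above can be put to work as a check: generate a hash manifest of the files you care about from the trusted AMI, then compare an isolated instance against it before deciding what else was altered. The script below is an added example, not code from the original page or from ISC2; the manifest format, the file paths and the sample file contents are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): compare files on an isolated,
# suspect root filesystem against a SHA-256 manifest built from the trusted AMI.
# The manifest format (sha256sum output) and the paths below are assumptions.
set -u

# Build the manifest on the KNOWN-GOOD image, never on the suspect host.
# usage: make_baseline <root_dir> <manifest_file> <relative paths...>
make_baseline() {
  local root="$1" manifest="$2"
  shift 2
  ( cd "$root" && sha256sum -- "$@" ) > "$manifest"
}

# Recompute each hash under the suspect root (mounted read-only, e.g. an EBS
# snapshot attached to a clean forensic instance) and report any mismatch.
# Prints "ALTERED <path>" or "MISSING <path>"; returns 0 only if all match.
verify_baseline() {
  local root="$1" manifest="$2" rc=0 expected path actual
  while read -r expected path; do
    path="${path#\*}"                 # sha256sum marks binary-mode entries with '*'
    if [ ! -f "$root/$path" ]; then
      echo "MISSING $path"
      rc=1
      continue
    fi
    actual=$(sha256sum -- "$root/$path" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
      echo "ALTERED $path"
      rc=1
    fi
  done < "$manifest"
  return "$rc"
}

# Self-contained demo with constructed files: a "good" tree, a copy of it with a
# replaced nginx binary, and the verification of both.
demo() {
  local tmp
  tmp=$(mktemp -d)
  mkdir -p "$tmp/good/usr/sbin" "$tmp/good/etc/nginx"
  printf 'nginx-1.25 genuine build\n'   > "$tmp/good/usr/sbin/nginx"     # constructed
  printf 'server { listen 80; }\n'      > "$tmp/good/etc/nginx/nginx.conf" # constructed
  make_baseline "$tmp/good" "$tmp/baseline.sha256" usr/sbin/nginx etc/nginx/nginx.conf

  cp -r "$tmp/good" "$tmp/suspect"
  printf 'nginx-1.25 trojaned build\n' > "$tmp/suspect/usr/sbin/nginx"   # constructed

  echo "== clean copy =="
  verify_baseline "$tmp/good" "$tmp/baseline.sha256" && echo "all files match baseline"
  echo "== suspect copy =="
  verify_baseline "$tmp/suspect" "$tmp/baseline.sha256" || echo "baseline check FAILED"
  rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

Run it with `--demo` to see the constructed clean and trojaned trees checked. Two caveats matter in a real response: the manifest must come from the trusted image, not from the suspect host, and `sha256sum` itself should run from known-good media, because a compromised instance can lie about its own files. Native package verification (`dpkg --verify nginx` on Debian/Ubuntu, `rpm -V nginx` on RHEL-family systems) is quicker, but it compares against metadata stored on the same host that installed the poisoned package, which is exactly why the question's answer rebuilds from a clean AMI rather than trusting anything on the instance.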
Incident Response and Recovery