CompTIA CySA+ (CS0-002) — Question 197
A company is moving from the use of web servers hosted in an internal data center to a containerized cloud platform. An analyst has been asked to identify indicators of compromise in the containerized environment. Which of the following would best indicate a running container has been compromised?
Answer options
- A. A container from an approved software image has drifted.
- B. An approved software orchestration container is running with root privileges.
- C. A container from an approved software image has stopped responding.
- D. A container from an approved software image fails to start.
Correct answer: A
Explanation
Option A is correct: drift means the running container no longer matches the approved image it was started from, which suggests that the container has been altered and is a strong indicator of compromise. The other options, while potentially concerning, do not directly indicate that a compromise has occurred. Root privileges (Option B) can be legitimate in some contexts, and unresponsiveness or failure to start (Options C and D) may result from configuration issues rather than a breach.