CompTIA CySA+ (CS0-002) — Question 393
An information security analyst discovered a virtual machine server was compromised by an attacker. Which of the following should be the FIRST steps to confirm and respond to the incident? (Choose two.)
Answer options
- A. Pause the virtual machine.
- B. Shut down the virtual machine.
- C. Take a snapshot of the virtual machine.
- D. Remove the NIC from the virtual machine.
- E. Review host hypervisor log of the virtual machine.
- F. Execute a migration of the virtual machine.
Correct answer: A, C
Explanation
Confirming and responding to a compromised virtual machine starts with preserving its current state before anything on it changes. Pausing the VM (option A) stops the guest's vCPUs, so the attacker's code can no longer run and the running processes, memory contents and socket state are frozen in place. Taking a snapshot (option C) then captures that frozen state, including guest memory if the hypervisor is told to save it, so analysis can proceed on the copy while the original remains untouched.

Shutting the VM down (option B) discards volatile data such as RAM contents, in-memory keys and active sessions, which is exactly the evidence needed to confirm the compromise. Removing the NIC (option D) and migrating the VM (option F) are containment or availability measures that also disturb the live state, and reviewing the hypervisor log (option E) belongs to the investigation that follows rather than to the first response: it is a separate log source to examine once the guest's state is secured. Two practical caveats: a disk-only snapshot does not preserve memory, so verify that the snapshot includes the guest's RAM, and hash the captured files immediately so their integrity can be demonstrated later.
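The pause-then-snapshot sequence from the explanation, scripted as an added example for a libvirt/KVM host. This is not part of the exam question or its explanation; it assumes the guest is a libvirt domain managed with virsh on the hypervisor host and backed by qcow2 disks, and the domain name web01 and the evidence directory are placeholders. Setting DRY_RUN=1 prints the commands instead of running them, which is useful for checking the plan before touching the guest.

```shell
#!/bin/sh
# Added example (not from the exam page): preserve a compromised libvirt/KVM
# guest's state in the order the answer above describes: pause first (A),
# then snapshot with memory (C), then hash the evidence files.
# Assumptions: virsh is available on the host, the guest is a libvirt domain
# with qcow2 disks, and sha256sum (coreutils) is installed.
set -eu

# run CMD...: execute the command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# preserve_vm DOMAIN EVIDENCE_DIR
# Order matters: pausing first stops the attacker's code and freezes RAM;
# only then is the state captured. A shutdown instead would lose RAM.
preserve_vm() {
    local domain="$1" evidence_dir="$2" ts
    ts="$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$evidence_dir"
    # Step A: pause. The vCPUs stop; memory and disk are left untouched.
    run virsh suspend "$domain"
    # Step C: snapshot that includes guest memory. With snapshot=external
    # libvirt writes RAM to the named file and creates external overlays for
    # the disks, so the pre-incident disk images are no longer written to.
    run virsh snapshot-create-as "$domain" "ir-$ts" \
        --description "incident response capture $ts" \
        --memspec "file=$evidence_dir/$domain-$ts.mem,snapshot=external"
    # Also take an ELF-format memory image, which memory-forensics tools
    # such as Volatility 3 parse directly.
    run virsh dump --memory-only --format elf "$domain" "$evidence_dir/$domain-$ts.elf"
    # Only after the state is preserved: keep a copy of the hypervisor's log
    # for the guest (option E in the question) as a second source for
    # confirming the compromise. Default libvirt path; adjust for the host.
    if [ -f "/var/log/libvirt/qemu/$domain.log" ]; then
        run cp "/var/log/libvirt/qemu/$domain.log" "$evidence_dir/$domain-$ts.hypervisor.log"
    fi
}

# write_manifest EVIDENCE_DIR: record SHA-256 of every captured file so the
# evidence can later be shown to be unchanged (chain of custody).
write_manifest() {
    local evidence_dir="$1"
    (cd "$evidence_dir" && find . -type f ! -name MANIFEST.sha256 \
        -exec sha256sum {} + | sort -k2) > "$evidence_dir/MANIFEST.sha256"
}

# verify_manifest EVIDENCE_DIR: returns 0 if every file still matches the
# manifest, non-zero if anything was altered or removed.
verify_manifest() {
    local evidence_dir="$1"
    (cd "$evidence_dir" && sha256sum -c --quiet MANIFEST.sha256)
}

# Usage: DRY_RUN=1 ./preserve_vm.sh web01 /srv/evidence   (prints the plan)
#        ./preserve_vm.sh web01 /srv/evidence             (runs it)
if [ "$#" -eq 2 ]; then
    preserve_vm "$1" "$2"
    write_manifest "$2"
fi
```

The snapshot is deliberately taken with the guest paused rather than live: a live external snapshot is possible, but memory then keeps changing while it is written, and the point here is a frozen, reproducible state. Keep the manifest in a separate location from the evidence files, since a manifest stored only beside the files it protects proves nothing if the directory itself is altered.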