CompTIA CySA+ (CS0-003) — Question 520
An organization has activated the CSIRT. A security analyst believes a single virtual server was compromised and immediately isolated from the network. Which of the following should the CSIRT conduct next?
Answer options
- A. Take a snapshot of the compromised server and verify its integrity
- B. Restore the affected server to remove any malware
- C. Contact the appropriate government agency to investigate
- D. Research the malware strain to perform attribution
Correct answer: A
Explanation
Isolating the server completed short-term containment, so the next step in the incident response life cycle (NIST SP 800-61: preparation; detection and analysis; containment, eradication and recovery; post-incident activity) is to preserve evidence before anything on the host is changed. A snapshot of the virtual server captures its disk, and if taken with memory state, its running processes, network connections and any in-memory malware, all of which would be lost the moment the system is rebuilt. Verifying the snapshot's integrity means hashing the image at acquisition, recording the hash in the chain-of-custody log, and re-hashing before each analysis session, so the CSIRT can show the evidence was not altered. Restoring the server (option B) is an eradication and recovery activity that destroys that evidence if done first; contacting a government agency (C) and attributing the malware (D) may both happen later, but neither is the CSIRT's immediate next action.
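The "snapshot and verify integrity" step expressed as a script, added here as an example and not taken from the exam page or any vendor tooling. It uses a constructed text file as a stand-in for the isolated server's virtual disk; the case identifier, analyst address and file paths are hypothetical, and dd plus sha256sum/shasum stand in for whatever acquisition tool the CSIRT actually uses.

```sh
#!/bin/sh
# Added example: preserve an isolated VM's disk as evidence and verify its integrity
# before any restoration work begins. The "disk" below is a constructed text file,
# not a real virtual disk; case id and analyst are hypothetical.
set -eu

CASE_ID="IR-2024-0001"          # hypothetical case identifier
ANALYST="analyst@example.org"   # hypothetical analyst of record

# SHA-256 of a file: sha256sum on Linux, shasum on BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SRC DST LOG
# Bit-for-bit copy of SRC to DST. SRC is hashed before and after the copy so the
# log proves acquisition did not alter the original; DST is hashed and the value
# stored beside it so later verification can detect any change to the evidence.
acquire_image() {
    src="$1"; dst="$2"; log="$3"
    pre="$(sha256_of "$src")"
    dd if="$src" of="$dst" bs=1048576 2>/dev/null
    post="$(sha256_of "$src")"
    copy="$(sha256_of "$dst")"
    if [ "$pre" != "$post" ] || [ "$pre" != "$copy" ]; then
        echo "acquisition integrity check failed for $src" >&2
        return 1
    fi
    printf '%s  %s\n' "$copy" "$(basename "$dst")" > "$dst.sha256"
    # Chain-of-custody entry: when, which case, who, what was copied, and its hash.
    printf '%s\tcase=%s\tanalyst=%s\tsource=%s\tevidence=%s\tsha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$CASE_ID" "$ANALYST" \
        "$src" "$dst" "$copy" >> "$log"
}

# verify_evidence DST
# Recompute the hash of the evidence copy and compare it with the recorded one.
# Returns 0 if they match, 1 if the evidence has changed since acquisition.
verify_evidence() {
    dst="$1"
    recorded="$(cut -d' ' -f1 "$dst.sha256")"
    current="$(sha256_of "$dst")"
    [ "$recorded" = "$current" ]
}

# --- demonstration on constructed data ---
WORK="$(mktemp -d)"
mkdir -p "$WORK/evidence"
printf 'constructed stand-in for the isolated server disk\n' > "$WORK/vm-disk.img"

acquire_image "$WORK/vm-disk.img" "$WORK/evidence/vm-disk.img" \
              "$WORK/evidence/chain-of-custody.log"
verify_evidence "$WORK/evidence/vm-disk.img"
echo "evidence verified: $(cat "$WORK/evidence/vm-disk.img.sha256")"

# A later change to the copy (simulated here) must be caught, not silently trusted.
cp "$WORK/evidence/vm-disk.img" "$WORK/tampered.img"
cp "$WORK/evidence/vm-disk.img.sha256" "$WORK/tampered.img.sha256"
echo "post-acquisition modification" >> "$WORK/tampered.img"
if verify_evidence "$WORK/tampered.img"; then
    echo "tampered copy passed verification (should not happen)" >&2
    exit 1
else
    echo "tampered copy rejected"
fi
```

The pre/post hash of the source is what distinguishes evidence acquisition from an ordinary backup: it documents that the original was read, not written, and the recorded hash of the copy is what an analyst recomputes before every examination and what a court or regulator would ask for if the case escalates.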