CompTIA Cloud+ (CV0-003) — Question 58

During a security incident, an IaaS compute instance is detected to send traffic to a host related to cryptocurrency mining. The security analyst handling the incident determines the scope of the incident is limited to that particular instance. Which of the following should the security analyst do NEXT?

Answer options

• A. Isolate the instance from the network into quarantine
• B. Perform a memory acquisition in the affected instance
• C. Create a snapshot of the volumes attached to the instance
• D. Replace the instance with another from the baseline

Correct answer: A

Explanation

Isolating the instance from the network into quarantine is the correct step to prevent further malicious activity. Performing a memory acquisition and creating a snapshot are important but should come after containment. Replacing the instance may not address the immediate threat and could result in loss of forensic evidence.