An organization has deployed an agent-based approach to watch over container environments across multiple providers. A suspicious process has been discovered sending data to an unapproved external system. The security team wants to gather evidence for potential forensic scrutiny and reduce possible lateral movement. Which method meets these objectives?
Stop logging the containers and rely on an outside feed to assess the threat
Rebuild the nodes and archive all available logs
Block the default gateway for container traffic for every system involved
Quarantine the container nodes and create snapshots of memory and storage
Quarantining the container nodes while capturing snapshots of memory and storage preserves both volatile and persistent artifacts for later investigation and contains the suspicious activity so it cannot spread to other workloads. The other responses are less effective for incident response. Stopping logging and relying on an external feed ends local evidence collection and cuts off critical contextual data. Blocking the default gateway for container traffic across the entire ecosystem may disrupt legitimate services and hampers targeted collection of artifacts. Rebuilding the nodes and saving the logs is drastic and discards the real-time evidence (running processes, memory contents, active connections) about the threat that is still active.