A security team discovers that attackers have compromised a web server and are using it to distribute malware to customers. What is the FIRST action that should be taken?

  A. Investigate the attack to gather evidence
  B. Disconnect the server from the network ✓
  C. Check web server logs for attack details
  D. Restore the server from a known-good backup

Correct answer: Disconnect the server from the network

Option B is correct because when a web server is actively distributing malware to customers, the immediate priority is containment, which means disconnecting the server from the network to stop ongoing harm to customers and prevent further spread of the malware. Option A is incorrect because investigation and evidence gathering are important but are secondary to stopping active harm; evidence can still be collected after the server is isolated. Option C is incorrect because reviewing logs is part of the investigation phase and should occur after the server has been contained, not before stopping the active threat. Option D is incorrect because restoring from a backup is a recovery action that happens later in the incident response process, after containment and forensic analysis are complete.

Topic: Threats, Vulnerabilities, and Mitigations · incident response, containment, web server security, security+
