1. National Institute of Standards and Technology (NIST). (2012). Special Publication 800-61 Rev. 2, Computer Security Incident Handling Guide. Section 3.3.3, Containment, p. 27.
This section outlines containment strategies, which include isolating affected hosts or network segments. Microsegmentation is a modern implementation of network segmentation that creates "secure zones in data centers and cloud deployments that allow companies to isolate workloads from one another and secure them individually" (an industry definition; SP 800-61 Rev. 2 itself does not use the term). This directly supports Option D as a containment strategy.
2. Johnson, A., Dempsey, K., Ross, R., Gupta, S., & Bailey, D. (2011). NIST Special Publication 800-128, Guide for Security-Focused Configuration Management of Information Systems. Section 4.3, Isolate, p. 21.
Discusses isolation as a security technique: "Isolation may be implemented through physical or logical separation... Logical separation can be accomplished through a variety of mechanisms, such as access control lists (ACLs) on routers and firewalls..." Microsegmentation is an advanced form of logical separation, aligning with this principle for containment (Option D).
3. Al-Shaer, E., & Wei, J. (2021). Modeling and Verification of Micro-segmentation for Zero-Trust Security. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (CCS '21), pp. 3215–3217.
Abstract & Section 1: The paper describes microsegmentation as a key enabler for a Zero-Trust security model, which "enforces strict access control and network segmentation to prevent lateral movement." This directly supports the use of microsegmentation (Option D) to contain an adversary.
DOI: https://doi.org/10.1145/3460120.3485373
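Added worked example (not from any of the three documents above): a toy label-based microsegmentation policy engine that shows, on constructed hosts, why segmentation limits lateral movement and how quarantining one workload completes containment. Roles, host names, ports and the allow rules are all assumptions; the policy is the kind of default-deny allow-list that router or host-firewall ACLs enforce once compiled per workload.

```python
"""Added example: default-deny microsegmentation policy plus a quarantine
action, compared against a flat (unsegmented) network. All workloads,
roles, ports and rules are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One allow-list entry: src_role may reach dst_role on a TCP port."""
    src_role: str
    dst_role: str
    port: int


@dataclass
class Workload:
    name: str
    role: str
    quarantined: bool = False


class SegmentationPolicy:
    """Label-based allow-list; anything not listed is denied."""

    def __init__(self, rules, forensics_role="forensics", forensics_port=443):
        self.rules = frozenset(rules)
        self.forensics_role = forensics_role
        self.forensics_port = forensics_port

    def allows(self, src: Workload, dst: Workload, port: int) -> bool:
        # Containment override: nothing may reach a quarantined workload, and
        # it keeps only the one flow needed to ship evidence to the collector.
        if dst.quarantined:
            return False
        if src.quarantined:
            return dst.role == self.forensics_role and port == self.forensics_port
        return Rule(src.role, dst.role, port) in self.rules

    def as_acl(self):
        """Render the policy as plain-text ACL lines, default deny last."""
        ordered = sorted(self.rules, key=lambda r: (r.src_role, r.dst_role, r.port))
        return [f"permit {r.src_role} -> {r.dst_role} tcp/{r.port}" for r in ordered] \
            + ["deny any -> any"]


def flat_network_allows(src: Workload, dst: Workload, port: int) -> bool:
    """No segmentation: every workload reaches every other on any port."""
    return True


def reachable_from(attacker, workloads, ports, allows):
    """Enumerate the (host, port) pairs a foothold on `attacker` can connect to."""
    return [(w.name, p) for w in workloads if w is not attacker
            for p in ports if allows(attacker, w, p)]


# Constructed three-tier environment plus a forensics collector.
WEB1 = Workload("web1", "web")
WEB2 = Workload("web2", "web")
APP1 = Workload("app1", "app")
DB1 = Workload("db1", "db")
SIEM = Workload("siem", "forensics")
WORKLOADS = [WEB1, WEB2, APP1, DB1, SIEM]
PROBE_PORTS = [22, 443, 5432, 8080]   # what the attacker tries on each host

POLICY = SegmentationPolicy([
    Rule("web", "app", 8080),
    Rule("app", "db", 5432),
    Rule("web", "forensics", 443),
    Rule("app", "forensics", 443),
    Rule("db", "forensics", 443),
])


def containment_demo():
    """Attacker holds web1. Compare reachability on a flat network, under the
    segmentation policy, and after the IR team quarantines web1."""
    flat = reachable_from(WEB1, WORKLOADS, PROBE_PORTS, flat_network_allows)
    segmented = reachable_from(WEB1, WORKLOADS, PROBE_PORTS, POLICY.allows)
    WEB1.quarantined = True            # the containment step
    quarantined = reachable_from(WEB1, WORKLOADS, PROBE_PORTS, POLICY.allows)
    WEB1.quarantined = False           # restore so the demo is repeatable
    return {"flat": flat, "segmented": segmented, "quarantined": quarantined}


if __name__ == "__main__":
    for label, pairs in containment_demo().items():
        print(f"{label:11s} {pairs}")
    print("\n".join(POLICY.as_acl()))
```

On the flat network the foothold can probe all sixteen host/port pairs; under the policy it reaches only app1:8080 and the collector, and once quarantined only the collector. The database is never reachable from a web host, which is the lateral-movement limit the Al-Shaer and Wei abstract describes.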
4. Boicea, A., et al. (2018). EDR, EPP, and NGAV: The new triple-threat in endpoint security. 2018 10th International Conference on Electronics, Computers and Artificial Intelligence (ECAI).
Section II.A, Endpoint Detection and Response (EDR): This section describes EDR as a solution that "records system activities and events taking place on endpoints... and provides forensic analysis and remediation capabilities to identify and stop attacks." This capability to detect and actively stop an adversary's actions on the endpoint supports Option B.
DOI: https://doi.org/10.1109/ECAI.2018.8679018