Q: 5
An incident response team is working with law enforcement to investigate an active web server
compromise. The decision has been made to keep the server running and to implement
compensating controls for a period of time. The web service must be accessible from the internet via
the reverse proxy and must connect to a database server. Which of the following compensating
controls will help contain the adversary while meeting the other requirements? (Select two).
Options
Discussion
Yeah, B and D are what I picked too. EDR helps monitor and disrupt attacker activity in real-time without killing service, and microsegmentation keeps the attack contained by only allowing required traffic. Pretty sure that's what CompTIA wants here, but can see why E looks tempting.
Looks like B and D make the most sense but I could see some folks picking E. Not 100 percent confident though.
Every CompTIA exam finds a way to overcomplicate with controls you’d never actually deploy mid-response, lol. B and D.
B/D tbh. Deploying EDR gives visibility and can slow down or block attacker actions without shutting things down, which fits since the service has to stay live. Microsegmentation limits what the adversary can access from the web server, helping contain lateral movement. Not totally sure if B is always safe in a live compromise but this matches what I saw on practice sets. Anyone disagree?
D imo. If the DB and web server are already segmented but the reverse proxy is allowed any-to-any, microsegmentation only helps if you can enforce strict rules. B also makes sense for active containment, but only if agents can be deployed safely. Seen similar exam questions trip people up on these edge conditions.
C/D? I don’t think C helps here, B is more of a real compensating control and D stops lateral movement. F just exposes things more so that’s a trap. Anyone else see it differently on practice exams?
B and F. Deploying EDR should help with detection, and moving the database onto the web server sounds like it could make containment easier (less attack surface spread). Not 100% though, maybe I'm missing a risk with F?
B and D tbh. A and C would kill access, which the question says to avoid.
I’d say B and D. EDR lets you monitor and react to what the attacker does without killing service, which is key since the web server needs to stay online. Microsegmentation restricts network access so even if they're inside, they can't move laterally. I think this lines up with how you'd contain an active threat while keeping things running, but happy to hear other takes.
B/E. Lots of practice tests suggest EDR and account hardening, so I'd check the official guide on compensating controls for web compromises.
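The microsegmentation control that several replies above argue for (only the reverse proxy may reach the web server, and the web server may reach only the database) can be written down as a default-deny policy and checked against traffic. The following is an added example and not code from the original thread or any exam guide; the addresses, the PostgreSQL port 5432, the HTTPS port between proxy and web server, and the flow records are all assumed values constructed for illustration. It evaluates constructed flow records against the policy, reports which dropped flows look like lateral-movement attempts from the compromised host, and renders the same policy as an nftables ruleset for the web server.

```python
"""Added example: default-deny microsegmentation policy for a compromised web
server that must stay reachable through a reverse proxy and keep talking to
its database. Addresses, ports and flow records are assumed/constructed."""
import ipaddress
from dataclasses import dataclass

# Assumed addressing for the scenario (not from the original thread).
REVERSE_PROXY = ipaddress.ip_network("10.0.1.10/32")
WEB_SERVER = ipaddress.ip_network("10.0.2.20/32")
DB_SERVER = ipaddress.ip_network("10.0.3.30/32")
INTERNAL = ipaddress.ip_network("10.0.0.0/16")


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: int


# Only the two flows the requirements demand are permitted. Anything else
# touching the web server falls through to default deny.
POLICY = [
    Rule("proxy-to-web-https", REVERSE_PROXY, WEB_SERVER, "tcp", 443),
    Rule("web-to-db", WEB_SERVER, DB_SERVER, "tcp", 5432),  # assumed PostgreSQL
]


def evaluate(src, dst, proto, dport):
    """Return ("ALLOW", rule_name) for a permitted flow, else ("DROP", "default-deny")."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in POLICY:
        if s in rule.src and d in rule.dst and proto == rule.proto and dport == rule.dport:
            return ("ALLOW", rule.name)
    return ("DROP", "default-deny")


# Constructed flow records in a simple "src dst proto dport" line format.
SAMPLE_FLOWS = """\
10.0.1.10 10.0.2.20 tcp 443
10.0.2.20 10.0.3.30 tcp 5432
10.0.2.20 10.0.3.30 tcp 22
10.0.2.20 10.0.4.40 tcp 445
203.0.113.5 10.0.2.20 tcp 443
10.0.2.20 198.51.100.7 tcp 4444
"""


def parse_flow(line):
    src, dst, proto, dport = line.split()
    return src, dst, proto, int(dport)


def audit(flow_text):
    """Split flow records into (allowed, blocked) lists of (line, reason)."""
    allowed, blocked = [], []
    for line in flow_text.strip().splitlines():
        verdict, why = evaluate(*parse_flow(line))
        (allowed if verdict == "ALLOW" else blocked).append((line, why))
    return allowed, blocked


def lateral_movement_attempts(flow_text):
    """Dropped flows that originate on the web server and aim at another internal host."""
    _, blocked = audit(flow_text)
    hits = []
    for line, _ in blocked:
        src, dst, _, _ = parse_flow(line)
        if ipaddress.ip_address(src) in WEB_SERVER and ipaddress.ip_address(dst) in INTERNAL:
            hits.append(line)
    return hits


def render_nftables():
    """Render POLICY as an nftables ruleset for the web server host itself."""
    out = ["table inet webseg {",
           "  chain input { type filter hook input priority 0; policy drop;",
           "    ct state established,related accept",
           "    iif lo accept"]
    for r in POLICY:
        if r.dst == WEB_SERVER:
            out.append(f"    ip saddr {r.src.network_address} {r.proto} dport {r.dport} "
                       f"ct state new accept  # {r.name}")
    out += ['    log prefix "webseg-in-drop " drop', "  }",
            "  chain output { type filter hook output priority 0; policy drop;",
            "    ct state established,related accept",
            "    oif lo accept"]
    for r in POLICY:
        if r.src == WEB_SERVER:
            out.append(f"    ip daddr {r.dst.network_address} {r.proto} dport {r.dport} "
                       f"ct state new accept  # {r.name}")
    out += ['    log prefix "webseg-out-drop " drop', "  }", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    allowed, blocked = audit(SAMPLE_FLOWS)
    print(f"allowed={len(allowed)} blocked={len(blocked)}")
    for line in lateral_movement_attempts(SAMPLE_FLOWS):
        print("lateral movement attempt dropped:", line)
    print(render_nftables())
```

Both the `log ... drop` lines in the rendered ruleset and the `lateral_movement_attempts` report are the detection side of the control: the team keeps the service up while every flow outside the two permitted paths is dropped and recorded for the investigation.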