1. NIST Special Publication 800-61 Rev. 2, Computer Security Incident Handling Guide. Section 3.3.2, "Containment," states that a major decision is "how much to disconnect the affected systems from the network." For a severe compromise, complete disconnection is a primary strategy to prevent the attacker from causing further damage.

2. NIST Special Publication 800-125, Guide to Security for Full Virtualization Technologies. Section 5.3, "Hypervisor," describes the hypervisor as the most critical component. A compromise at this level is catastrophic, implicitly requiring immediate and decisive containment actions such as network isolation to prevent the compromise from spreading.

3. Souppaya, M., & Scarfone, K. (2011). NIST Special Publication 800-146, Cloud Computing Synopsis and Recommendations. Section 5.2.2, "Network Security," discusses the risk of a compromised hypervisor allowing an attacker to "gain access to the underlying physical infrastructure and from there to other tenants." This highlights the urgency of preventing lateral movement, which is best achieved by network isolation.

4. Garfinkel, T., & Rosenblum, M. (2005). When Virtual is Harder than Real: Security Challenges in Virtual Machine Based Computing. Proceedings of the 10th Conference on Hot Topics in Operating Systems, Vol. 10. This foundational academic paper discusses the severe implications of a Virtual Machine Monitor (hypervisor) compromise, noting that it "subverts the security of every guest OS running above it," reinforcing the need for immediate, drastic containment measures.