Certified Security - Specialty


Stop the instance immediately? 0:36

I’d challenge your suggestion that the first thing you should do in the case of a compromised host is to stop it immediately. Forensically, that’s one of the last things you would look to do. Move it into a forensic security group (isolate), tag it as compromised, snapshot the disk, then snapshot the memory (margarita shotgun)… And then you can stop the host.

See https://github.com/ThreatResponse/aws_ir
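The ordering the post argues for (isolate, tag, snapshot the disk, capture memory, and only then stop) can be pinned down in a runbook so the stop step cannot be run first. The script below is an added example, not code from the post or from the aws_ir project. It calls only boto3 EC2 client method names that exist (`describe_instances`, `create_security_group`, `revoke_security_group_egress`, `authorize_security_group_ingress`, `modify_instance_attribute`, `create_tags`, `create_snapshot`, `stop_instances`), but is exercised here against a constructed in-memory `FakeEC2` so it runs offline; a real `boto3.client("ec2")` could be passed in its place. The case id, instance and volume ids, group name, analyst CIDR and the memory-capture callable are all assumed placeholders; margarita shotgun itself acquires memory over SSH, so it is represented by an injected callable rather than an API call.

```python
"""Containment runbook for a compromised EC2 instance, in forensic order.

Added example (not from the original post or ThreatResponse/aws_ir).
Order: isolate -> tag -> snapshot disk -> capture memory -> stop.
`ec2` may be any object exposing the boto3 EC2 client methods used below;
FakeEC2 is a constructed stand-in so the runbook can be run offline.
"""


class FakeEC2:
    """Constructed stand-in that records EC2 API calls in the order made."""

    def __init__(self, instance_id, vpc_id, volume_ids):
        self.instance_id = instance_id
        self.vpc_id = vpc_id
        self.volume_ids = list(volume_ids)
        self.calls = []            # method names, in call order
        self.instance_groups = []  # security groups currently attached
        self.tags = {}
        self.snapshots = []
        self.stopped = False

    def describe_instances(self, InstanceIds):
        self.calls.append("describe_instances")
        instance = {
            "InstanceId": self.instance_id,
            "VpcId": self.vpc_id,
            "BlockDeviceMappings": [{"Ebs": {"VolumeId": v}} for v in self.volume_ids],
        }
        return {"Reservations": [{"Instances": [instance]}]}

    def create_security_group(self, GroupName, Description, VpcId):
        self.calls.append("create_security_group")
        return {"GroupId": "sg-forensic0001"}  # constructed id

    def revoke_security_group_egress(self, GroupId, IpPermissions):
        self.calls.append("revoke_security_group_egress")

    def authorize_security_group_ingress(self, GroupId, IpPermissions):
        self.calls.append("authorize_security_group_ingress")

    def modify_instance_attribute(self, InstanceId, Groups):
        self.calls.append("modify_instance_attribute")
        self.instance_groups = list(Groups)

    def create_tags(self, Resources, Tags):
        self.calls.append("create_tags")
        self.tags.update({t["Key"]: t["Value"] for t in Tags})

    def create_snapshot(self, VolumeId, Description):
        self.calls.append("create_snapshot")
        snap_id = f"snap-{len(self.snapshots):04d}"
        self.snapshots.append((snap_id, VolumeId))
        return {"SnapshotId": snap_id}

    def stop_instances(self, InstanceIds):
        self.calls.append("stop_instances")
        self.stopped = True


def contain_instance(ec2, instance_id, case_id, capture_memory, analyst_cidr):
    """Run the containment steps in forensic order; return what was collected."""
    instance = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]

    # 1. Isolate: a fresh security group has no inbound rules, but new groups
    #    allow all outbound by default, so revoke egress explicitly. Then allow
    #    SSH only from the analyst host so memory can still be acquired.
    sg_id = ec2.create_security_group(
        GroupName=f"forensic-{case_id}",  # placeholder naming scheme
        Description=f"Forensic isolation for case {case_id}",
        VpcId=instance["VpcId"],
    )["GroupId"]
    ec2.revoke_security_group_egress(
        GroupId=sg_id,
        IpPermissions=[{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    )
    ec2.authorize_security_group_ingress(
        GroupId=sg_id,
        IpPermissions=[{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": analyst_cidr}]}],
    )
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])

    # 2. Tag the host as compromised so it is recognisable as evidence.
    ec2.create_tags(
        Resources=[instance_id],
        Tags=[{"Key": "Status", "Value": "compromised"}, {"Key": "CaseId", "Value": case_id}],
    )

    # 3. Snapshot every attached EBS volume while the instance is still running.
    snapshot_ids = [
        ec2.create_snapshot(VolumeId=m["Ebs"]["VolumeId"],
                            Description=f"case {case_id} {instance_id}")["SnapshotId"]
        for m in instance["BlockDeviceMappings"]
    ]

    # 4. Capture volatile memory; stopping first would destroy it.
    memory_image = capture_memory(instance_id)

    # 5. Only now stop the host.
    ec2.stop_instances(InstanceIds=[instance_id])
    return {"security_group": sg_id, "snapshots": snapshot_ids, "memory_image": memory_image}


def demo():
    """Offline run on constructed data; returns (result, fake client)."""
    fake = FakeEC2("i-0abc12345def67890", "vpc-0fake000", ["vol-0root", "vol-0data"])
    # Placeholder for a real acquisition tool (e.g. margaritashotgun over SSH).
    result = contain_instance(fake, "i-0abc12345def67890", "case-0001",
                              capture_memory=lambda iid: f"{iid}.lime",
                              analyst_cidr="203.0.113.10/32")
    return result, fake


if __name__ == "__main__":
    res, client = demo()
    print(res)
    print(client.calls)
```

Because `stop_instances` is the last call inside `contain_instance`, an analyst cannot reach it without the disk and memory artefacts already existing; the fake client's `calls` list makes that ordering checkable in a unit test before the runbook is ever pointed at a real account.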

0 Answers
