
CompTIA CS0-003 Exam - Topic 3 Question 56 Discussion

Actual exam question for CompTIA's CS0-003 exam
Question #: 56
Topic #: 3

A cybersecurity team quarantines a virtual machine (VM) that has triggered alerts. However, this action does not stop the threat. Similar alerts are occurring for other VMs in the same broadcast domain. Which of the following steps in the incident response process should the team take next?

Suggested Answer: D

Comprehensive and Detailed Explanation From Exact Extract:

The scenario indicates the threat is still active and is appearing across multiple VMs in the same broadcast domain (suggesting lateral movement or propagation within that Layer 2 segment). Since quarantine of a single VM did not stop the threat, the appropriate next step is to broaden containment by isolating the affected subnet / network segment to prevent further spread.

The Sybex CySA+ Study Guide emphasizes that after identifying an incident in progress, responders should move into containment and that containment activities include segmentation and isolation:

Exact extract (Sybex Study Guide):

''After identifying a potential incident in progress, responders should take immediate action to contain the damage... Potential containment activities include network segmentation, isolation, and removal of affected systems.''

It also explains how segmentation (quarantine VLAN) is used to contain compromised systems and protect other systems:

Exact extract (Sybex Study Guide):

''During the early stages of an incident... [responders] built a separate virtual LAN (VLAN) to contain those systems... Putting the systems on this network segment provides some degree of isolation...''

Because the activity is occurring across the broadcast domain, isolating just one VM isn't enough; the team should continue containment by isolating the subnet/segment where the issue is spreading (Option D). Moving to eradication (Option C) before containment is effective risks continued spread and loss of control.
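The containment decision described above, as an added example that is not part of the original page or of the Sybex text: constructed alert records (not real data) are grouped into broadcast domains, and for each segment the script checks whether alerts from other hosts continued after the host-level quarantine was applied. If they did, host quarantine has failed and the segment itself is the next containment boundary. The /24-equals-one-VLAN assumption, the alert fields and the vendor-neutral ACL lines are all hypothetical.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts (hypothetical, not from the page): EDR-style detections on VMs.
ALERTS = [
    {"ts": "2024-05-01T10:00:00", "vm": "web-01", "ip": "10.20.30.11", "sig": "lateral-smb-scan"},
    {"ts": "2024-05-01T10:02:00", "vm": "web-01", "ip": "10.20.30.11", "sig": "lateral-smb-scan"},
    {"ts": "2024-05-01T10:05:00", "vm": "web-02", "ip": "10.20.30.12", "sig": "lateral-smb-scan"},
    {"ts": "2024-05-01T10:06:00", "vm": "web-03", "ip": "10.20.30.13", "sig": "lateral-smb-scan"},
    {"ts": "2024-05-01T10:07:00", "vm": "db-01",  "ip": "10.20.40.5",  "sig": "suspicious-login"},
]

# Host-level containment already applied: VM name -> time the quarantine took effect.
QUARANTINED = {"web-01": "2024-05-01T10:03:00"}


def broadcast_domain(ip, prefix=24):
    """Map an IP to its Layer 2 segment.

    Assumption (hypothetical): every /24 is a single VLAN / broadcast domain.
    Use the real VLAN-to-subnet mapping from the IPAM or hypervisor in practice.
    """
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def containment_scope(alerts, quarantined, prefix=24):
    """Decide, per segment, whether host quarantine sufficed or the segment must be isolated.

    Returns {segment: {"hosts": [...], "spreading_to": [...], "action": ...}} where action is:
      "quarantine-host"  no host in the segment has been contained yet, start there
      "monitor"          quarantine applied and no further alerts from other hosts since
      "isolate-segment"  other hosts in the same segment kept alerting after the quarantine
    """
    by_segment = defaultdict(list)
    for alert in alerts:
        by_segment[broadcast_domain(alert["ip"], prefix)].append(alert)

    decisions = {}
    for segment, seg_alerts in by_segment.items():
        hosts = sorted({a["vm"] for a in seg_alerts})
        quarantine_times = [datetime.fromisoformat(quarantined[h]) for h in hosts if h in quarantined]

        if not quarantine_times:
            decisions[str(segment)] = {"hosts": hosts, "spreading_to": [], "action": "quarantine-host"}
            continue

        # Only alerts that fired after the last quarantine in this segment count as "still spreading".
        cutoff = max(quarantine_times)
        still_active = sorted({
            a["vm"] for a in seg_alerts
            if a["vm"] not in quarantined and datetime.fromisoformat(a["ts"]) > cutoff
        })
        action = "isolate-segment" if still_active else "monitor"
        decisions[str(segment)] = {"hosts": hosts, "spreading_to": still_active, "action": action}
    return decisions


def segment_isolation_rules(segment, exceptions=()):
    """Vendor-neutral ACL lines (illustrative syntax, not a specific firewall dialect).

    The segment is cut off from everything except explicitly listed hosts such as a
    forensic collector, so evidence can still be pulled while spread is stopped.
    """
    rules = [f"permit ip {segment} host {h}" for h in exceptions]
    rules += [f"deny ip {segment} any", f"deny ip any {segment}"]
    return rules


if __name__ == "__main__":
    for segment, decision in containment_scope(ALERTS, QUARANTINED).items():
        print(segment, decision)
        if decision["action"] == "isolate-segment":
            for rule in segment_isolation_rules(segment, exceptions=("10.99.0.10",)):
                print("   ", rule)
```

Running it flags 10.20.30.0/24 for segment isolation (web-02 and web-03 alerted after web-01 was quarantined), while 10.20.40.0/24 only has an uncontained single host and gets host-level quarantine first. The permit-before-deny ordering matters: a forensic or logging host (the 10.99.0.10 address is a placeholder) must be listed before the blanket deny or evidence collection is cut off along with the attacker.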

