You've confirmed one compromised host. The business demands it be wiped and back online in 10 minutes. What do you push for?
Short answer
Eradicating before you understand scope lets the attacker persist on systems you haven't found and simply return. Quickly hunt the IOCs and stolen credentials across the estate, identify every affected host and persistence mechanism, then eradicate everywhere at once. Wiping one host is whack-a-mole that tips off the attacker while leaving their other footholds intact. A week-long full internet blackout is disproportionate and harms the business. Deleting just the malware file ignores persistence, lateral movement, and the credentials already stolen.
This is a pressure question: the business wants the host wiped and online in ten minutes, and a junior responder caves. The senior move is to push back constructively — contain the known host, but scope before you eradicate, because premature eradication on a single box is how intrusions become recurring breaches.
Why scope-first is the answer
One confirmed compromised host is rarely the whole story. A capable attacker has likely moved laterally, stolen credentials, and planted persistence (scheduled tasks, services, web shells, registry run keys, rogue accounts) on hosts you haven't identified yet. If you wipe the one box you know about, you tip off the attacker and they simply return through a foothold you never found. So you hunt the IOCs and the stolen credentials across the estate first, map every affected host and persistence mechanism, and then eradicate everywhere in one coordinated action — denying the attacker a quiet path back in.
Crucially, scoping does not mean leaving the known host live: you isolate it immediately to satisfy the urgency, then scope in parallel. That gives the business its containment without sacrificing a clean eradication.
Why the other options fail
- Wipe and restore now — fast but blind. It's whack-a-mole: you remove one node, alert the adversary, and leave their other footholds and stolen credentials fully usable. They'll be back, often quieter.
- Cut the whole company off the internet until next week — wildly disproportionate to one confirmed host. It inflicts massive business damage and isn't required to contain a scoped intrusion; targeted isolation does the job.
- Just delete the malware file — ignores persistence, lateral movement, and the credentials already stolen. The file is a symptom; deleting it leaves the disease.
What the interviewer is probing
They want a senior responder who can withstand business pressure and articulate the scope-then-eradicate discipline, parallelizing isolation with hunting so the business still gets fast containment. Naming the persistence and credential angles — and the coordinated, simultaneous eradication — shows you understand how attackers survive sloppy remediation.
Likely follow-ups
- How do you scope quickly without giving the business an open-ended timeline — what can you parallelize?
- What persistence and lateral-movement artifacts would you hunt for across the estate?
- How do you isolate the known host to satisfy the business while you finish scoping?