How do effectively managed connectors impact the overall security posture of a SOC?
Correct Answer: A
Question 7
Which connector on FortiAnalyzer is responsible for looking up indicators to get threat intelligence?
Correct Answer: C
Question 8
Refer to the exhibits. What can you conclude from analyzing the data using the threat hunting module?
Correct Answer: B
* Understanding the Threat Hunting Data: * The Threat Hunting Monitor in the provided exhibits shows various application services, their usage counts, and data metrics such as sent bytes, average sent bytes, and maximum sent bytes. * The second part of the exhibit lists connection attempts from a specific source IP (10.0.1.10) to a destination IP (8.8.8.8), with repeated "Connection Failed" messages. * Analyzing the Application Services: * DNS is the top application service with a significantly high count (251,400) and notable sent bytes (9.1 MB). * This large volume of DNS traffic is unusual for regular DNS queries and can indicate the presence of DNS tunneling. * DNS Tunneling: * DNS tunneling is a technique used by attackers to bypass security controls by encoding data within DNS queries and responses. This allows them to extract data from the local network without detection. * The high volume of DNS traffic, combined with the detailed metrics, suggests that DNS tunneling might be in use. * Connection Failures to 8.8.8.8: * The repeated connection attempts from the source IP (10.0.1.10) to the destination IP (8.8.8.8) with connection failures can indicate an attempt to communicate with an external server. * Google DNS (8.8.8.8) is often used for DNS tunneling due to its reliability and global reach. * Conclusion: * Given the significant DNS traffic and the nature of the connection attempts, it is reasonable to conclude that DNS tunneling is being used to extract confidential data from the local network. * Why Other Options are Less Likely: * Spearphishing (A): There is no evidence from the provided data that points to spearphishing attempts, such as email logs or phishing indicators. * Reconnaissance (C): The data does not indicate typical reconnaissance activities, such as scanning or probing mail servers. * FTP C&C (D): There is no evidence of FTP traffic or command-and-control communications using FTP in the provided data. References: * SANS Institute: "DNS Tunneling: How to Detect Data Exfiltration and Tunneling Through DNS Queries" SANS DNS Tunneling * OWASP: "DNS Tunneling" OWASP DNS Tunneling By analyzing the provided threat hunting data, it is evident that DNS tunneling is being used to exfiltrate data, indicating a sophisticated method of extracting confidential information from the network.
Question 9
According to the National Institute of Standards and Technology (NIST) cybersecurity framework, incident handling activities can be divided into phases. In which incident handling phase do you quarantine a compromised host in order to prevent an adversary from using it as a stepping stone to the next phase of an attack?
Correct Answer: A
NIST Cybersecurity Framework Overview: The NIST Cybersecurity Framework provides a structured approach for managing and mitigating cybersecurity risks. Incident handling is divided into several phases to systematically address and resolve incidents. Incident Handling Phases: Preparation: Establishing and maintaining an incident response capability. Detection and Analysis: Identifying and investigating suspicious activities to confirm an incident. Containment, Eradication, and Recovery: Containment: Limiting the impact of the incident. Eradication: Removing the root cause of the incident. Recovery: Restoring systems to normal operation. Containment Phase: The primary goal of the containment phase is to prevent the incident from spreading and causing further damage. Quarantining a Compromised Host: Quarantining involves isolating the compromised host from the rest of the network to prevent adversaries from moving laterally and causing more harm. Techniques include network segmentation, disabling network interfaces, and applying access controls. Reference: NIST Special Publication 800-61, "Computer Security Incident Handling Guide" NIST Incident Handling Detailed Process: Step 1: Detect the compromised host through monitoring and analysis. Step 2: Assess the impact and scope of the compromise. Step 3: Quarantine the compromised host to prevent further spread. This can involve disconnecting the host from the network or applying strict network segmentation. Step 4: Document the containment actions and proceed to the eradication phase to remove the threat completely. Step 5: After eradication, initiate the recovery phase to restore normal operations and ensure that the host is securely reintegrated into the network. Importance of Containment: Containment is critical in mitigating the immediate impact of an incident and preventing further damage. It buys time for responders to investigate and remediate the threat effectively. Reference: SANS Institute, "Incident Handler's Handbook" SANS Incident Handling Reference: NIST Special Publication 800-61, "Computer Security Incident Handling Guide" SANS Institute, "Incident Handler's Handbook" By quarantining a compromised host during the containment phase, organizations can effectively limit the spread of the incident and protect their network from further compromise.
Question 10
What is the impact of poorly configured playbook triggers in a SOC environment?
