Malware is suspected on a server in the environment.
The analyst is provided with the output of commands from servers in the environment and needs to review all output files in order to determine which process running on one Of the servers may be malware.
INSTRUCTIONS
Servers 1 , 2, and 4 are clickable. Select the Server and the process that host the malware.



Solution:
Server1 and svchost.exe

Does this meet the goal?

1. A. Yes
2. B. No

Correct Answer: A

An analyst is responding to an incident within a cloud infrastructure Based on the logs and traffic analysis, the analyst thinks a container has been compromised Which of the following should Ihe analyst do FIRST?

1. A. Perform threat hunting in other areas of the cloud infrastructure
2. B. Contact law enforcement to report the incident
3. C. Perform a root cause analysis on the container and the service logs
4. D. Isolate the container from production using a predefined policy template

Correct Answer: D
The analyst should isolate the container from production using a predefined policy template first. Isolating the container is a containment measure that can help prevent the spread of the compromise to other containers or systems in the cloud infrastructure. Containment is an important step in the incident response process, as it can limit the impact and damage of an incident. Using a predefined policy template can help automate and standardize the isolation process, ensuring that it is done quickly and consistently1.

An analyst receives an alert from the continuous-monitoring solution about unauthorized changes to the firmware versions on several field devices. The asset owners confirm that no firmware version updates were performed by authorized technicians, and customers have not reported any performance issues or outages. Which Of the following actions would be BEST for the analyst to recommend to the asset owners to secure the devices from further exploitation?

1. A. Change the passwords on the devices.
2. B. Implement BIOS passwords.
3. C. Remove the assets from the production network for analysis.
4. D. Report the findings to the threat intel community.

Correct Answer: C
If were referring to other devices, yes - Implement BIOS passwords before they are compromised. But the ones that were already compromised, they need to be removed from the system to avoid further exploitation. Plus, if you put a password on there, the attacker may now have your password.
Remove the assets from the production network for analysis. If the analyst receives an alert about unauthorized changes to the firmware versions on several field devices, the best action to recommend to the asset owners is to remove the assets from the production network for analysis. This would prevent further exploitation of the devices by isolating them from potential attackers and allow the analyst to investigate the source and nature of the unauthorized changes. Changing the passwords on the devices, implementing BIOS passwords, or reporting the findings to the threat intel community are other possible actions, but they are not as effective or urgent as removing the assets from the production network for analysis. Reference: https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901

A security analyst needs to automate the incident response process for malware infections. When the following logs are generated, an alert email should automatically be sent within 30 minutes:

Which of the following is the best way for the analyst to automate alert generation?

1. A. Deploy a signature-based IDS
2. B. Install a UEBA-capable antivirus
3. C. Implement email protection with SPF
4. D. Create a custom rule on a SIEM

Correct Answer: D
A security information and event management (SIEM) system is a tool that collects and analyzes log data from various sources and provides alerts and reports on security incidents and events. A security analyst can create a custom rule on a SIEM system to automate the incident response process for malware infections. For example, the analyst can create a rule that triggers an alert email when the SIEM system detects logs that match the criteria of malware infection, such as process name, file name, file hash, etc. The alert email can be sent within 30 minutes or any other desired time frame. The other options are not suitable or sufficient for this purpose. References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 15;
https://www.sans.org/reading-room/whitepapers/analyst/security-information-event-management-siem-impleme

A company wants to configure the environment to allow passive network monitonng. To avoid disrupting the sensitive network, which of the following must be supported by the scanner's NIC to assist with the company's request?

1. A. Port bridging
2. B. Tunnel all mode
3. C. Full-duplex mode
4. D. Port mirroring
5. E. Promiscuous mode

Correct Answer: E
Promiscuous mode is the mode that must be supported by the scanner’s NIC to assist with the company’s request of passive network monitoring. Promiscuous mode is a mode of operation for a network interface controller (NIC) that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is specifically programmed to receive. This mode is normally used for packet sniffing, the practice of collecting and logging packets that pass through the network for further analysis, such as the analysis of traffic or bandwidth usage1. Promiscuous mode makes sure all transmitted data packets are received and read by network adapters.