A document that appears to be malicious has been discovered in an email that was sent to a company's Chief Financial Officer (CFO).
Which of the following would be BEST to allow a security analyst to gather information and confirm it is a malicious document without executing any code it may contain?
A. Open the document on an air-gapped network.
B. View the document's metadata for origin clues.
C. Search for matching file hashes on malware websites.
D. Detonate the document in an analysis sandbox.
Answer: C.
The BEST option to gather information and confirm whether a document is malicious without executing any code it may contain is to search for matching file hashes on malware websites.
A file hash is a digital fingerprint of a file, produced by running a hashing algorithm (such as SHA-256) over the file's contents. Any byte-for-byte identical copy of the file produces the same hash, so the hash can be computed without ever opening the document or running its macros or scripts. By comparing the hash of a suspicious file against the hashes of known malware in online databases, security analysts can determine whether the file has already been identified as malicious.
The advantages of this method are that it is quick, easy, and requires no additional hardware or software. Its downside is that it relies on the malicious document already having been identified and added to a database: if the file is a new, previously unknown threat, or has been modified even slightly so that its hash differs, this method will not find a match. A missing match therefore does not prove the file is benign.
Option A, opening the document on an air-gapped network, can also yield information, but it executes whatever code the document contains, which the question explicitly rules out, and it carries significant risk. An air-gapped network is a computer network that is physically isolated from unsecured networks such as the internet. If the document is indeed malicious, opening it on an air-gapped network can still result in an infection of that environment if the isolation is not complete. Additionally, setting up an air-gapped network requires a significant amount of time and resources.
Option B, viewing the document's metadata for origin clues, may help determine where the document came from (author, creating application, timestamps), but it does not confirm whether the file is malicious.
Option D, detonating the document in an analysis sandbox, is a valid method for analyzing malware, but detonation means running the document's code, which the question excludes. It also carries the risk that sophisticated malware detects the sandbox and behaves benignly, or escapes it and infects the host environment. Additionally, detonation requires specialized software and hardware, and the process can be time-consuming.