CompTIA CySA+ Exam CS0-002: Cybersecurity Analyst | Team Hunt | Endpoints

Cybersecurity Analyst Team Hunt on Organization's Endpoints

Question

A cybersecurity analyst is contributing to a team hunt on an organization's endpoints.

Which of the following should the analyst do FIRST?

Answers

A. Write detection logic
B. Establish a hypothesis
C. Profile the threat actors and activities
D. Perform a process analysis

Correct answer: B.

Explanations

https://www.cybereason.com/blog/blog-the-eight-steps-to-threat-hunting
4. DEVELOP AND TEST A HYPOTHESIS

The analysts then establish a hypothesis by determining the outcomes they expect from the
hunt. In the fileless malware example, the purpose of the hunt is to find hackers who are
carrying out attacks by using tools like PowerShell and WMI.

Collecting every PowerShell process in the environment would overwhelm the analysts with
data and prevent them from finding any meaningful information. They need to develop a
smart approach to testing the hypothesis without reviewing each and every event.

Let's say the analysts know that only a few desktop and server administrators use PowerShell
for their daily operations. Since the scripting language isn’t widely used throughout the
company, the analysts executing the hunt can assume to only see limited use of PowerShell.
Extensive PowerShell use may indicate malicious activity. One possible approach to testing the
hunt’s hypothesis would be to measure the level of PowerShell use as an indicator of
potentially malicious activity.

When contributing to a team hunt on an organization's endpoints, the first step for a cybersecurity analyst should be to establish a hypothesis.

B. Establish a hypothesis: The hypothesis is a tentative explanation or prediction of what the analyst thinks might be happening on the organization's endpoints. It provides a starting point for the investigation and guides the direction of the team's efforts. The hypothesis can be based on a variety of factors, such as past incidents, alerts from security tools, or suspicious network traffic.

Once the hypothesis is established, the team can proceed with the investigation by writing detection logic, profiling threat actors and activities, and performing process analysis.

A. Write detection logic: The team can create detection logic based on the hypothesis to identify potential threats and malicious activities. The detection logic can be used to configure security tools such as antivirus software, intrusion detection systems, or security information and event management (SIEM) platforms to alert the team if suspicious behavior is detected.

C. Profile the threat actors and activities: The team can profile the threat actors and activities based on the hypothesis. Profiling involves gathering information on the tactics, techniques, and procedures (TTPs) used by the threat actors, their motivations, and their goals. This information can help the team better understand the scope of the attack and identify potential targets.

D. Perform a process analysis: The team can perform a process analysis to identify vulnerabilities and weaknesses in the organization's security infrastructure. This analysis can help the team improve the organization's security posture and prevent future attacks.

In summary, the first step for a cybersecurity analyst contributing to a team hunt on an organization's endpoints should be to establish a hypothesis. This provides a starting point for the investigation and guides the team's efforts. The team can then proceed with writing detection logic, profiling threat actors and activities, and performing process analysis.
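As an added example (not from the exam page or the Cybereason post), the Python script below tests the hunt hypothesis from the excerpt above, that PowerShell use should be rare and confined to a few known administrators, against constructed endpoint process-creation events; it is the kind of detection logic the "write detection logic" step produces once the hypothesis is set. Host names, user names, the admin list and the per-host threshold are all assumptions made up for the example.

```python
from collections import Counter

# Constructed endpoint process-creation events: (host, user, image path).
# Hosts, users and counts are assumptions made up for this example.
EVENTS = (
    [("WS-101", "alice", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
     ("WS-101", "alice", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE")]
    + [("SRV-DB01", "admin-dave", "powershell.exe")] * 2
    + [("WS-207", "carol", "powershell.exe")] * 4
    + [("WS-207", "carol", "pwsh.exe")]
    + [("SRV-APP02", "admin-erin", "powershell.exe")] * 4
    + [("WS-103", "bob", "chrome.exe"), ("WS-103", "bob", "cmd.exe")]
)

# Baseline assumption from the hypothesis: only these accounts use PowerShell
# routinely, and no single host should launch it more than a few times.
KNOWN_ADMINS = {"admin-dave", "admin-erin"}
MAX_EXPECTED_PER_HOST = 3
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def count_powershell(events):
    """Return {(host, user): launches} for PowerShell images only."""
    counts = Counter()
    for host, user, image in events:
        # Compare on the file name so full paths and odd casing still match.
        name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in POWERSHELL_IMAGES:
            counts[(host, user)] += 1
    return counts


def evaluate_hypothesis(events, known_admins=KNOWN_ADMINS,
                        max_per_host=MAX_EXPECTED_PER_HOST):
    """Return sorted leads (host, user, count, reason) that contradict the
    baseline; '*' as user means the finding is about the host's total."""
    leads = []
    per_host = Counter()
    for (host, user), n in count_powershell(events).items():
        per_host[host] += n
        if user not in known_admins:
            leads.append((host, user, n, "non-admin PowerShell use"))
    for host, n in per_host.items():
        if n > max_per_host:
            leads.append((host, "*", n, "PowerShell volume above baseline"))
    return sorted(leads)


if __name__ == "__main__":
    for host, user, n, reason in evaluate_hypothesis(EVENTS):
        print(f"{host:10} {user:10} {n:3}  {reason}")
```

Each lead is a starting point for the team's review, not a verdict: an administrator launching PowerShell on an unexpected host, or a non-admin running it once, still has to be explained before it is treated as malicious.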