A security analyst receives an escalation regarding an unidentified connection on the Accounting A1 server within a monitored zone.
The analyst pulls the logs and discovers that a PowerShell process and a WMI tool process were started on the server after the connection was established, and that a PE-format file was created in the system directory.
What is the next step the analyst should take?
A. B. C. D.C.
The security analyst has received an escalation regarding an unidentified connection on the Accounting A1 server within a monitored zone. The logs show that a PowerShell process and a WMI tool process were started on the server after the connection was established, and that a PE-format file was created in the system directory.
In this scenario, the next step the analyst should take is to isolate the server and perform forensic analysis of the file to determine the type and vector of a possible attack. Isolating the server prevents further damage or compromise to the system or network while the evidence is preserved. The forensic analysis identifies the source, nature, and extent of the breach, whether it was intentional or accidental, the techniques and tools used, and the potential damage it may cause.
Option B, identifying the server owner through the CMDB and contacting the owner to determine if these were planned and identifiable activities, is not the best option because it assumes that the activities were legitimate and ignores the possibility of a malicious attack.
Option C, reviewing the server backup and identifying server content and data criticality to assess the intrusion risk, may be useful in some cases but is not the best option in this scenario as it does not provide immediate insights into the nature of the breach or the type of attack that may have occurred.
Option D, performing behavioral analysis of the processes on an isolated workstation and performing cleaning procedures if the file is malicious, may also be useful, but it is not the best option in this scenario as it does not provide a comprehensive understanding of the extent of the breach or the type of attack that may have occurred. Furthermore, cleaning the system may destroy valuable evidence that may be needed for future investigations.
Therefore, isolating the server and performing forensic analysis of the file is the best course of action to determine the type and vector of a possible attack, identify the source and extent of the breach, and prevent further damage or compromise to the system or network.
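As an added illustration that is not part of the original question or answer, the Python snippet below correlates constructed log events into the chain the question describes (inbound connection, then PowerShell and WMI process starts, then a PE-format file written to the system directory) and maps a full match to the recommended action. The log format, host name, timestamps and file paths are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical pipe-delimited format; not real product logs.
SAMPLE_LOG = """\
2024-03-01T10:02:11Z|NETWORK_CONNECT|ACCOUNTING-A1|src=203.0.113.45 dst_port=5985
2024-03-01T10:02:40Z|PROCESS_START|ACCOUNTING-A1|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
2024-03-01T10:02:58Z|PROCESS_START|ACCOUNTING-A1|image=C:\\Windows\\System32\\wbem\\WMIC.exe
2024-03-01T10:03:15Z|FILE_CREATE|ACCOUNTING-A1|path=C:\\Windows\\System32\\upd_helper.exe header=4d5a9000
"""

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PE_MAGIC = "4d5a"  # 'MZ' DOS header that begins every PE file

def parse_events(text):
    """Parse each line into (timestamp, event kind, host, {field: value})."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, host, details = line.split("|", 3)
        fields = dict(re.findall(r"(\w+)=(\S+)", details))
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, host, fields))
    return events

def triage(text, host, window=timedelta(minutes=15)):
    """Correlate the first inbound connection on `host` with what followed it inside `window`."""
    events = [e for e in parse_events(text) if e[2] == host]
    conns = [e for e in events if e[1] == "NETWORK_CONNECT"]
    if not conns:
        return {"action": "monitor", "reason": "no inbound connection recorded"}
    t0 = conns[0][0]
    after = [e for e in events if t0 <= e[0] <= t0 + window]
    images = [e[3].get("image", "").lower() for e in after if e[1] == "PROCESS_START"]
    powershell = any(i.endswith("powershell.exe") for i in images)
    wmi = any(i.endswith(("wmic.exe", "wmiprvse.exe")) for i in images)
    pe_drop = any(
        e[1] == "FILE_CREATE"
        and e[3].get("path", "").lower().startswith(SYSTEM_DIRS)
        and e[3].get("header", "").lower().startswith(PE_MAGIC)
        for e in after)
    findings = {"powershell": powershell, "wmi": wmi, "pe_in_system_dir": pe_drop}
    if powershell and wmi and pe_drop:
        # The full chain from the question: contain first, then analyse the file forensically.
        findings["action"] = "isolate_and_preserve_for_forensics"
    elif any(findings.values()):
        findings["action"] = "investigate"
    else:
        findings["action"] = "monitor"
    return findings
```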