Question 17

Question

DRAG DROP Refer to the exhibit. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/350-201/page_58_img_1.jpg The Cisco Secure Network Analytics (Stealthwatch) console alerted with “New Malware Server Discovered” and the IOC indicates communication from an end-user desktop to a Zeus C&C Server. Drag and drop the actions that the analyst should take from the left into the order on the right to investigate and remediate this IOC. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/350-201/page_58_img_2.jpg

Liam V. · Answer

Yeah, for incidents like this Stealthwatch alert, you really want to do the search and investigation steps before jumping into containment. So it's: Search for infected hosts → Investigate infected hosts → Investigate and classify the exposure → Examine returned results → Execute rapid threat containment. Makes sense given you need to know what you're dealing with first. If anyone has seen a scenario where you'd contain right away, let me know.

Nathan · Answer

I get why some would want to contain first, but in IR workflows, you normally need to scope the issue before taking containment. So it goes Search for infected hosts, Investigate infected hosts, Investigate & classify exposure, Examine returned results, then Execute rapid threat containment. Open to different approaches if I missed something.

Quinn H. · Answer

Shouldn't the order shift if containment has to happen first due to a 'most secure' requirement? The question just says investigate/remediate.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE