When communicating an incident to the general public, an incident manager must collaborate with specialized teams to ensure the message is both legally sound and effectively managed. The Legal department is critical for reviewing all external communications to ensure compliance with data breach notification laws and to mitigate legal liability. The Public Relations department is responsible for crafting the message, managing media inquiries, and preserving the organization's reputation. This dual-pronged approach ensures that public statements are accurate, compliant, and strategically delivered to maintain public trust.

A. Law enforcement: Law enforcement is an external agency to be notified if a crime has occurred, not an internal entity that approves the organization's public communication process.

B. Governance: Governance provides the high-level framework and policies, but the specific, operational task of crafting and approving public statements falls to legal and PR teams.

D. Manager: This option is too vague. The incident manager is a manager who coordinates with other specific functional leads, such as the heads of legal and public relations.

F. Human resources: Human resources primarily handles internal communications and personnel-related matters, not external communications with the general public regarding a security incident.

1. National Institute of Standards and Technology (NIST). (2012). Special Publication 800-61 Rev. 2

Computer Security Incident Handling Guide.

Section 2.4.3

"Relationships with Other Groups

" states

"The CSIRT should also have a close relationship with the organization’s general counsel and public affairs offices. The general counsel can provide advice on legal issues... Public affairs can handle the media

which is particularly important during a high-profile incident." This directly supports the involvement of Legal (general counsel) and Public Relations (public affairs).

2. University of Washington. (2023). UW-IT Information Security and Privacy: Incident Response Plan.

Section "Incident Response Team

" under the subsection for "External Communications

" explicitly lists "University Marketing & Communications" (the public relations function) and the "Office of the Attorney General" (the legal function) as the primary entities responsible for coordinating and approving communications with the media and the public.

3. Solove

D. J.

& Citron

D. K. (2017). Risk and Anxiety: A Theory of Data-Breach Harms. The George Washington University Law School Public Law and Legal Theory Paper No. 2017-10.

Section IV.B

"The Response to a Data Breach

" discusses the institutional response

emphasizing that "companies often hire public relations firms to help them manage the crisis" and that legal counsel is central to navigating the complex web of state and federal notification laws. This academic source underscores the essential roles of both PR and legal teams. (Available via SSRN and university repositories).

The security audit's purpose is to identify unsecured network services. Based on the provided list, FTP (File Transfer Protocol) on port 21 and Telnet on port 23 are inherently insecure. Both of these legacy protocols transmit all data, including usernames and passwords, in cleartext across the network. This allows any attacker with the ability to monitor network traffic (e.g., via a man-in-the-middle attack) to easily capture and read sensitive information. Therefore, their presence represents a significant security vulnerability that requires immediate investigation and remediation, typically by replacing them with secure alternatives like SFTP and SSH, respectively.

B. 22: SSH (Secure Shell) is a secure protocol that provides strong encryption for all transmitted data, including credentials, making it the secure replacement for Telnet.

D. 636: LDAPS (Lightweight Directory Access Protocol Secure) is the secure version of LDAP, using SSL/TLS to encrypt communications. The unsecured version runs on port 389.

E. 1723: While PPTP (Point-to-Point Tunneling Protocol) is considered insecure due to known cryptographic vulnerabilities, FTP and Telnet are more fundamentally unsecured as they lack any encryption whatsoever.

F. 3389: Modern RDP (Remote Desktop Protocol) is a secure protocol that encrypts remote administration sessions, especially when Network Level Authentication (NLA) is enabled.

---

1. National Institute of Standards and Technology (NIST)

Special Publication 800-53 Revision 5

Security and Privacy Controls for Information Systems and Organizations

September 2020. In control family SC (System and Communications Protection)

control SC-8(1) "Cryptographic Protection" mandates the use of validated cryptography for data in transit. Protocols like Telnet and FTP do not meet this requirement as they transmit data in cleartext. (See control SC-8

Page 229).

2. Internet Engineering Task Force (IETF)

RFC 4217

Securing FTP with TLS

October 2005. The introduction (Section 1

Page 2) explicitly states

"The File Transfer Protocol [FTP] ... is weak with respect to security as it sends all passwords and data in the clear." This highlights the inherent insecurity of the standard FTP protocol.

3. Purdue University

CS 42600: Computer Security Courseware

"Lecture 18: Network Security". This and similar university course materials consistently identify Telnet and FTP as canonical examples of insecure protocols that operate in cleartext and should be replaced by secure alternatives like SSH and SFTP. (Specific lecture notes often detail the packet structure showing cleartext credentials).

The observed pattern of regular, periodic, outgoing HTTPS connections from a server to a single public IP address is a classic indicator of Command and Control (C2) beaconing. Malware on the compromised server establishes these connections to "call home" to its controller, receive instructions, or signal its operational status. Using a common protocol like HTTPS on port 443 is a technique used by adversaries to blend malicious traffic with legitimate network activity, making it harder to detect. The "around the clock" nature of the connections reinforces the automated, persistent nature of a C2 beacon.

B. Data exfiltration: This typically involves large or sustained data transfers, not the regular, repeating "heartbeat" pattern described in the scenario.

C. Anomalous activity on unexpected ports: The activity uses HTTPS (port 443), which is a very common and expected port for network traffic, not an unexpected one.

D. Network host IP address scanning: Scanning involves sending probes to many different IP addresses, whereas this activity is directed toward a single, specific public IP.

E. A rogue network device: The traffic originates from a known data-center server, which is a managed asset, not an unauthorized or unknown device on the network.

1. MITRE ATT&CK® Framework. (2023). Technique T1071: Application Layer Protocol. MITRE. Retrieved from https://attack.mitre.org/techniques/T1071/

Reference Detail: Sub-technique T1071.001 (Web Protocols) states

"Adversaries may communicate using HTTP and HTTPS to command and control victim systems... C2 traffic is often camouflaged as normal web traffic to avoid detection." This directly supports the use of HTTPS for C2 communications.

2. NIST Special Publication 800-61 Rev. 2. (2012). Computer Security Incident Handling Guide. National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-61r2

Reference Detail: Section 2.3.3

"Sources of Precursors and Indicators

" discusses how network traffic analysis can reveal indicators of compromise. An unexpected outbound connection from a server

especially one with a regular pattern

is a strong indicator of a compromised host

consistent with C2 activity.

3. SANS Institute Reading Room. (2016). Beats on the Wire: A Security Analysis of Command and Control. SANS Technology Institute.

Reference Detail: Page 6 discusses C2 beaconing

stating

"A beacon is a periodic outbound connection attempt from a compromised host to a command and control server... The beaconing interval can be configured to be anything from seconds to days." This describes the exact behavior observed.

The MITRE ATT&CK® framework is best described as a globally accessible, curated knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. Its primary purpose is to serve as a foundation for threat modeling and methodology, enabling organizations to track and better understand adversary behaviors. It is an open-source project that is continuously updated and evolves with contributions from the global cybersecurity community, ensuring it remains relevant against emerging threats. This dynamic nature is a defining characteristic of the framework.

A. This describes application security testing (AST) methodologies like SAST or DAST. While ATT&CK can inform such tests, it is not a testing method itself.

B. This is a better description of an Information Sharing and Analysis Center (ISAC) or a threat intelligence platform (TIP), which focus on the sharing and dissemination of intelligence.

C. This describes a primary use case or outcome of applying the ATT&CK framework, rather than describing the fundamental nature of the framework itself, which is a knowledge base.

E. This accurately describes the Lockheed Martin Cyber Kill Chain®, which models an intrusion as a linear sequence of phases, unlike the ATT&CK matrix, which is non-sequential.

1. The MITRE Corporation. (2023). About ATT&CK. MITRE ATT&CK®. Retrieved from https://attack.mitre.org/resources/getting-started/. In the "What is ATT&CK?" section

it is defined as "a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations." This supports the "tracks and understands threats" aspect. The community-driven and evolving nature is also a central theme.

2. NIST. (2021). Special Publication 800-160

Volume 2

Revision 1: Developing Cyber-Resilient Systems: A Systems Security Engineering Approach. National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-160v2r1. In Appendix F

Section F.3

ATT&CK is described as a "curated knowledge base and model for cyber adversary behavior" used to "characterize and describe adversary behaviors." This aligns with the concept of a tool to track and understand threats.

3. Applebaum

A. (2020). A Survey of the MITRE ATT&CK Framework. SANS Institute Reading Room. Retrieved from https://www.sans.org/white-papers/39390/. On page 4

the paper states

"The ATT&CK framework is a knowledge base of adversary behavior and a model for describing the actions an adversary may take... It is a living

community-driven knowledge base that is continuously updated..." This directly supports the description of an evolving

open project for understanding threats.

The primary purpose of implementing a Secure Software Development Life Cycle (SSDLC) is to integrate security practices into every phase of software development, from requirements gathering to deployment and maintenance. This proactive "shift-left" approach systematically reduces the number of vulnerabilities in the final product, thereby decreasing the operational and business risks associated with its usage. Furthermore, many industries are subject to stringent regulatory and compliance frameworks (e.g., PCI DSS, HIPAA, GDPR) that mandate secure software development practices. Adhering to an SSDLC is a critical mechanism for demonstrating and achieving compliance with these legal and industry requirements.

A. The primary goal of an SSDLC is risk reduction and security assurance, not to serve as a marketing tool to justify price increases.

C. An SSDLC integrates with agile processes but typically increases the scope and frequency of security testing throughout the lifecycle, rather than decreasing it.

D. An SSDLC fosters a culture of shared responsibility for security (DevSecOps), embedding it within the development team, not transferring it to another team.

1. National Institute of Standards and Technology (NIST). (2022). Special Publication (SP) 800-218 V1.1

Secure Software Development Framework (SSDF): Recommendations for Mitigating the Risk of Software Vulnerabilities.

Section 1

Introduction

Paragraph 2: "The SSDF’s goal is to reduce the number of vulnerabilities in released software

mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities

and address the root causes of vulnerabilities to prevent recurrences." This directly supports the risk reduction aspect of the correct answer.

2. OWASP Foundation. (n.d.). OWASP Software Assurance Maturity Model (SAMM) v2.0.

Section

Business Functions

Governance (G)

Paragraph 1: "The Governance function is responsible for managing the organization’s software development life cycle. It includes activities related to strategy

metrics

policy

compliance

and education." This highlights the role of an SSDLC in meeting compliance requirements.

3. Mead

N. R. (2005). Security Quality Requirements Engineering (SQUARE) Methodology. Carnegie Mellon University

Software Engineering Institute. CMU/SEI-2005-TR-009.

Page 1

Abstract: "Building secure software is a difficult problem... Failure to do so can result in serious vulnerabilities

leading to loss of money

life

and national security... This report describes the Security Quality Requirements Engineering (SQUARE) methodology... for eliciting

categorizing

and prioritizing security requirements for information technology systems and applications." This academic source establishes the direct link between secure development processes and mitigating risks from vulnerabilities.

The installation of a new EDR solution has led to a significant increase in alerts, causing alert fatigue and overwhelming the security team. To manage this, the organization needs to centralize the aggregation of these alerts and automate the response process.

A SIEM (Security Information and Event Management) system is the primary tool for centralizing security data. It aggregates logs and alerts from various sources, including the new EDR, into a single platform. This allows analysts to correlate events, reduce false positives, and prioritize threats from a unified viewpoint.

A SOAR (Security Orchestration, Automation, and Response) platform complements the SIEM by automating the remediation workload. It uses predefined "playbooks" to execute response actions automatically, such as isolating an endpoint or blocking an IP address, which directly reduces the manual effort required by analysts.

C. MSP: A Managed Service Provider is an external service that would outsource the workload, not provide a tool to help the internal team centralize it.

D. NGFW: A Next-Generation Firewall is a network security device that is a source of security alerts, not a tool for centralizing and managing alerts from other systems.

E. XDR: While Extended Detection and Response centralizes data, it is typically a more integrated, often single-vendor, evolution of EDR. A SIEM is the classic, vendor-agnostic solution for centralizing data from disparate sources, which is the immediate need.

F. DLP: Data Loss Prevention is a specific security control designed to prevent data exfiltration; it would add to the alert volume rather than help manage it.

1. NIST (National Institute of Standards and Technology). (2021). NISTIR 8334 (Draft) - A Response to the Challenge of Finding and Fixing Vulnerabilities. Section 2.2

"Security Orchestration

Automation

and Response (SOAR)

" describes SOAR as a solution to "reduce the burden on security practitioners" by automating "time-consuming

manual

and repetitive tasks." This directly addresses the increased workload.

2. NIST. (2006). SP 800-92 - Guide to Computer Security Log Management. Section 4.3

"Log Management Infrastructures

" discusses the centralization of logs for analysis. It states

"Centralized logging permits the correlation of events among several systems

" which is the core function of a SIEM in addressing a high volume of alerts from sources like an EDR.

3. Carnegie Mellon University. (2017). The 2017 SEI Cyber Intelligence Research Agenda. Section 3.2.2

"Security Orchestration

" discusses the need for tools that "integrate information from a variety of sources (e.g.

SIEMs

threat intelligence platforms...)" and "automate and assist with the response

" highlighting the synergistic roles of SIEM and SOAR. (Document CMU/SEI-2017-SR-001).

4. Suh

B.

& Lee

H. (2021). A Study on the Method of Building an Intelligent Security Control System Using SOAR. Journal of The Korea Institute of Information Security & Cryptology

31(1)

139-150. This academic paper explains that SOAR platforms are introduced to handle the "increasing security threats and alerts" by integrating with SIEMs to automate response procedures

which is the exact scenario described. (DOI: https://doi.org/10.13089/JKIISC.2021.31.1.139).

Dynamic Application Security Testing (DAST) exercises a running application with crafted inputs and analyzes the responses to uncover runtime‐layer flaws such as SQL injection, file-path inclusion (FRI), and cross-site scripting (XSS). Because it is performed throughout development and before production release, it supports the “security-by-design” objective of identifying and remediating vulnerabilities early in the software development life cycle.

A. Reverse engineering – Focuses on dissecting compiled binaries (often third-party or malicious code) rather than proactively finding vulnerabilities in software the organization is developing.

B. Known environment testing – Not an established security-testing methodology; offers no systematic process for detecting web-application vulnerabilities like injection or XSS.

D. Code debugging – Aims to correct logic or syntax errors; it lacks the automated attack simulation and vulnerability signatures required to expose security flaws such as SQLi or XSS.

1. NIST SP 800-115

“Technical Guide to Information Security Testing and Assessment

” §4.6.1 Dynamic Testing

pp. 4-7–4-9 – describes using dynamic analysis to detect SQLi

XSS

and file-inclusion flaws.

2. NIST SP 800-218 Rev.1

“Secure Software Development Framework

” Practice PO.3.3 & PO.4.2 – mandates dynamic analysis during development to identify injection and scripting vulnerabilities.

3. MIT OpenCourseWare 6.858 (Computer Systems Security)

Lecture 4 slides 34-36 – presents DAST tools (e.g.

Burp

ZAP) for finding runtime web-application flaws such as SQLi and XSS.

The scenario describes adversaries using "Living-off-the-Land" (LotL) techniques, where they leverage legitimate, native system tools (e.g., PowerShell, WMI) for malicious activities like privilege escalation. The most direct and effective control against this is application control. By implementing policies to block the execution of untrusted applications or, more granularly, restricting how trusted applications can be run (e.g., preventing Office applications from spawning PowerShell), an organization can directly disrupt the adversary's ability to use these native tools for malicious purposes. This approach, often implemented via application allowlisting, specifically targets the execution of unauthorized code, which is the core of the described threat.

A. Disabling administrative accounts is operationally infeasible, as these accounts are required for legitimate system administration and maintenance tasks.

B. MFA is an authentication control that is most effective at preventing unauthorized access, not at stopping post-compromise activities like local privilege escalation.

C. While system hardening is a valuable practice, adversaries are using core, necessary tools, which typically cannot be disabled or removed without impacting system functionality.

1. MITRE ATT&CK® Framework: The technique T1548

"Abuse Elevation Control Mechanism

" describes adversaries using system features to elevate privileges. The primary listed mitigation is M1048

"Application Control

" which states: "Use application control to prevent the execution of malicious commands and scripts that may be used to abuse elevation control mechanisms." This directly aligns with blocking the execution of untrusted applications. (Source: MITRE ATT&CK

Technique T1548

Mitigation M1048).

2. NIST Special Publication 800-53 Rev. 5

Security and Privacy Controls for Information Systems and Organizations: Control CM-7

"Least Functionality

" advocates for configuring systems to provide only essential capabilities. A key implementation of this principle is "the use of application allowlists... to ensure that only authorized software is allowed to execute." This control directly mitigates the threat of legitimate tools being used for unintended

malicious purposes. (Source: NIST SP 800-53 Rev. 5

Control: CM-7

Page 133).

3. Cybersecurity and Infrastructure Security Agency (CISA): In guidance on protecting against malicious activity

CISA consistently recommends application control as a high-priority defense. For example

in the "Joint Cybersecurity Advisory on Russian State-Sponsored Cyber Actors

" CISA recommends organizations "Implement application allowlisting" as a mitigation against actors who leverage legitimate remote access tools and other LOLbins. (Source: CISA Alert AA22-110A

Mitigations Section).

The output in Tab 1 displays a list of files and their corresponding MD5 hash values. In Windows PowerShell, the Get-ChildItem cmdlet gets the items in a specified location (in this case, the current directory), and the pipe | sends that output to the Get-Filehash cmdlet. The -Algorithm MD5 parameter specifies that the MD5 hashing algorithm should be used. The resulting output format perfectly matches what is shown in Tab 1.

The output in Tab 2 shows active TCP connections, including local and foreign addresses, state, and the process ID (PID). Critically, it also lists the executable file name (e.g., [sftp.exe]) below each relevant connection. The netstat command is used to display network connections. The -b switch displays the executable involved in creating each connection, and the -o switch displays the owning process ID. The combination netstat -bo produces the exact format seen in Tab 2.

To identify the malicious file, we must correlate information from all tabs.

File Integrity Check: First, compare the current file hashes from Tab 1 with the known-good baseline hashes from Tab 4. The MD5 hash for cmd.exe in Tab 1 (372ab...) does not match the baseline hash in Tab 4 (a2cde...). This indicates the cmd.exe file has been modified or replaced.

Network Activity Analysis: Next, examine the network connections in Tab 2. The modified cmd.exe file is shown to have an established outbound connection to 192.168.10.37:http. The Windows Command Prompt (cmd.exe) should not be making persistent outbound network connections, making this behavior highly suspicious and indicative of data exfiltration or command-and-control (C2) communication.

The combination of a failed integrity check (mismatched hash) and suspicious network activity makes cmd.exe the file responsible for the malicious behavior.

Microsoft. (2023). Get-FileHash. Microsoft Docs. Retrieved from docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/get-filehash. (This official documentation describes the cmdlet used to generate the output in Tab 1.)

Microsoft. (2021). Netstat. Microsoft Docs. Retrieved from docs.microsoft.com/en-us/windows-server/administration/windows-commands/netstat. (This document details the netstat command and its parameters, such as -b and -o, which produce the output seen in Tab 2.)

Hogben, G., & Plohmann, D. (2016). Threat Landscape and Good Practice Guide for Smart Home and Converged Media. European Union Agency for Network and Information Security (ENISA). p. 28. (This report discusses how attackers replace legitimate system files, like cmd.exe, with malicious versions to establish persistence and create backdoors, aligning with the observed hash mismatch.)

Tanenbaum, A. S., & Wetherall, D. J. (2011). Computer Networks (5th ed.). Pearson Education. p. 657. (This textbook explains the TCP/IP protocol suite and connection states, providing the foundational knowledge to interpret netstat output and identify unusual established connections like an HTTP connection from cmd.exe.)

A thorough analysis of the provided logs reveals a clear sequence of a security incident.

1. Suspicious Activity: The SFTP log shows the external IP address 41.21.18.102 successfully logging in using the sjames account at 23:01:50. Immediately after, at 23:02:25, this IP writes to the index.html file, which directly corresponds to the website being "maliciously altered." The netstat log corroborates this by showing an ESTABLISHED connection from 41.21.18.102 to the local machine on port 22 (the standard port for SFTP/SSH).
2. Indicator of Compromise (IoC): The most direct evidence of the website defacement is the log entry showing the unauthorized modification of the primary web page. Therefore, the modified index.html file is the key IoC. The 404 errors from other IPs are less critical than a confirmed malicious file write.
3. Corrective Actions: The incident response must focus on containment and eradication.

• Changing the password for the sjames account is the immediate containment action to revoke the attacker's access.
• Deleting the sjames account is a necessary eradication step, ensuring this specific compromised asset can no longer be exploited. This action follows the initial password change to ensure the account is fully removed.

Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer Security Incident Handling Guide (NIST Special Publication 800-61 Rev. 2). National Institute of Standards and Technology.

Page 20, Section 3.3.2 (Containment): Recommends actions such as "changing passwords" for compromised accounts as a primary containment strategy.

Page 23, Section 3.3.3 (Eradication and Recovery): Discusses eradication, which includes "deleting user accounts" that were used in the attack.

Kurose, J. F., & Ross, K. W. (2017). Computer Networking: A Top-Down Approach (7th ed.). Pearson.

Chapter 3, Section 3.5.2: Explains the TCP connection states, including ESTABLISHED, confirming that the netstat output shows an active, two-way connection between the server and the attacker's IP address (41.21.18.102).

Al-Harbi, M. (2020). A Framework for Detecting and Analyzing Web Defacement Attacks. IEEE Access, 8, 185672-185689. https://doi.org/10.1109/ACCESS.2020.3029981

Section III-B, Table II: Lists "Unauthorized file modification" as a primary Indicator of Compromise (IoC) for web defacement attacks, validating the selection of the "Modified index.html file" as the key indicator.