3.3.7 PBQs: Threat Hunting

Behavioral threat research combines IoCs to show patterns and techniques used in previous attacks. Which of the following threat indicators is normally associated with a denial-of-service (DoS) attack?
Rapidly changing domain IP addresses
High memory usage
IP addresses from unusual geographic locations
Port hopping

IP addresses from unusual geographic locations
A sudden volume of requests from IP addresses in regions where the organization has few or no legitimate users is a typical indicator of a denial-of-service (or distributed DoS) attack. Rapidly changing domain IP addresses (fast-flux DNS) and port hopping are evasion techniques more commonly associated with botnet command-and-control traffic than with the attack traffic itself.

An organization recently experienced a cyber incident that temporarily halted its operations. The cybersecurity team wants to strengthen its resilience strategies and address potential threats before they cause significant harm. As part of this process, the team must look into the primary factor behind the recent incident. Which of the following techniques would MOST effectively pinpoint the cause and enhance operational preparedness?
Analyzing historical logs
Focusing on real-time network monitoring
Conducting penetration tests on critical systems
Implementing a hypothesis-driven investigation

Implementing a hypothesis-driven investigation
A hypothesis-driven investigation starts from a specific assumption about how the incident occurred (for example, that a particular system was the initial entry point) and then searches the available evidence to confirm or refute it. This focuses the team on the most likely causes, can surface issues that alerts and routine monitoring missed, and improves the organization's operational preparedness.

A systems administrator is searching for potential vulnerabilities in the network. Which threat-hunting focus area should the administrator examine, given that attackers often exploit it through connected systems or physical access?
Business-critical assets
Isolated networks
Lateral movements
Misconfigured systems

Isolated networks
Isolated networks, such as air-gapped networks or networks with limited connectivity to the internet, are often assumed to be secure. Attackers can still reach them by compromising a system that connects to the isolated segment (a dual-homed host or a maintenance laptop, for example), by introducing malware through removable media, or by gaining physical access to the equipment.

A security analyst at an organization receives an alert from their security information and event management (SIEM) system. Upon reviewing the log data, the analyst notices an increase in high-privilege actions within the network. What should the analyst prioritize when investigating this issue to identify the potential underlying cause?
Analyze new user accounts.
Examine recent file changes and modifications.
Review application logs for unexpected behavior.
Investigate unusual network traffic patterns.

Analyze new user accounts.
The analyst should first review newly created user accounts and recent changes to privileged group membership. An increase in high-privilege actions is often the result of an attacker introducing new accounts with elevated permissions (or elevating existing ones) to maintain access, so correlating the privileged activity with account-creation events points directly at the underlying cause.
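The correlation described in this answer, as an added example that is not part of the course material: the script below takes a small, constructed set of records modelled on Windows Security log entries (only the event IDs are real: 4720 account created, 4732 member added to a local group, 4672 special privileges assigned to a new logon; the field layout is an assumption of the example), counts privileged logons per account, and then reports every newly created account that was placed in a privileged group or performed privileged actions shortly after creation, including accounts created by another new account.

```python
"""Correlate newly created accounts with the high-privilege actions that follow.

Added example, not from the course material. The records below are a
constructed, simplified rendering of Windows Security log entries; only the
event IDs are real (4720 = account created, 4732 = member added to a
security-enabled local group, 4672 = special privileges assigned to a new
logon). Field order is (timestamp, event_id, subject, target, detail).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. For 4720 the subject is the creator and the target
# the new account; for 4732 the target is the member added and detail the
# group; for 4672 the subject is the account that logged on with privileges.
EVENTS = [
    ("2024-05-01 08:02:10", 4672, "alice", "alice", "SeDebugPrivilege"),
    ("2024-05-01 09:15:42", 4720, "svc_backup", "helpdesk1", ""),
    ("2024-05-01 09:16:05", 4732, "svc_backup", "helpdesk1", "Administrators"),
    ("2024-05-01 09:20:00", 4672, "helpdesk1", "helpdesk1", "SeDebugPrivilege"),
    ("2024-05-01 09:21:33", 4672, "helpdesk1", "helpdesk1", "SeTakeOwnershipPrivilege"),
    ("2024-05-01 11:00:00", 4672, "bob", "bob", "SeBackupPrivilege"),
    ("2024-05-02 03:12:00", 4720, "helpdesk1", "tmp_adm", ""),
    ("2024-05-02 03:13:00", 4732, "helpdesk1", "tmp_adm", "Administrators"),
    ("2024-05-02 03:30:00", 4672, "tmp_adm", "tmp_adm", "SeDebugPrivilege"),
]

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}


def parse_events(events):
    """Convert the timestamp strings into datetime objects."""
    return [
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, subj, tgt, detail)
        for ts, eid, subj, tgt, detail in events
    ]


def privileged_actions_by_account(events):
    """Count 4672 (special privilege) logons per account; the spike the SIEM
    alerted on shows up as the accounts with unexpectedly high counts."""
    counts = defaultdict(int)
    for _, eid, subj, _, _ in parse_events(events):
        if eid == 4672:
            counts[subj] += 1
    return dict(counts)


def new_accounts_with_privileged_activity(events, window=timedelta(hours=24)):
    """For each newly created account, report who created it, which privileged
    groups it was added to, and how many privileged logons it performed within
    `window` of its creation. An account created by another new account is
    flagged, since chained account creation is typical of persistence."""
    parsed = parse_events(events)
    created = {tgt: (ts, subj) for ts, eid, subj, tgt, _ in parsed if eid == 4720}
    findings = {}
    for account, (created_at, creator) in created.items():
        groups = [
            detail for ts, eid, _, tgt, detail in parsed
            if eid == 4732 and tgt == account and detail in PRIVILEGED_GROUPS
        ]
        actions = [
            ts for ts, eid, subj, _, _ in parsed
            if eid == 4672 and subj == account
            and created_at <= ts <= created_at + window
        ]
        if groups or actions:
            findings[account] = {
                "created_by": creator,
                "creator_is_new_account": creator in created,
                "privileged_groups": groups,
                "privileged_actions": len(actions),
            }
    return findings


if __name__ == "__main__":
    print(privileged_actions_by_account(EVENTS))
    for account, info in new_accounts_with_privileged_activity(EVENTS).items():
        print(account, info)
```

On the constructed data the report shows helpdesk1 being created, added to Administrators and immediately using debug and take-ownership privileges, and then creating a second account (tmp_adm) at 03:12 that repeats the pattern; that chain is what the analyst is looking for when the SIEM reports a rise in high-privilege actions.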

A large grass seed corporation wants to proactively monitor for potential cyber threats to its grass seed total management system containing customer payment information, the company's own bank accounts, and all historical orders. Which type of threat hunting focus area does this most closely represent?
Honeypot
Isolated networks
Business-critical assets and processes
Minimize human engagement

Business-critical assets and processes
The grass seed total management system is a business-critical asset. Business-critical assets and processes are systems, applications, data, and processes essential to an organization's operations and revenue.

A security analyst for a large financial institution notices abnormal OS process behavior, unauthorized changes, and file system changes occurring on one of the company's servers. The analyst believes there may be a security breach. What is the BEST way to confirm the analyst's suspicions of a breach?
Shut down the server immediately to prevent further damage.
Check the system logs for unusual activity.
Conduct a full system backup to ensure that data is not lost.
Ask all employees who have access to the server if they made any changes.

Check the system logs for unusual activity.
System and audit logs record process execution, authentication events, and (where file auditing is enabled) file system changes, so reviewing them is the most direct way to confirm or rule out a breach. Shutting the server down first would destroy volatile evidence such as running processes and active network connections.

An organization recently suffered a data breach and must focus on validating data integrity and implementing compensating controls. The IT security team will need to analyze network indicators to identify potential threats and improve security measures. Which of the following actions would be MOST appropriate for the security team to take in this situation?
Monitor network traffic for unusual patterns.
Utilize secure data backup and recovery procedures.
Implement a role-based access control system.
Conduct a thorough digital forensics investigation.

Monitor network traffic for unusual patterns.
Monitoring network traffic for unusual patterns (unexpected destinations, protocols, volumes, or timing) is the action that works from network indicators. It helps the team identify threats that are still active, check whether data is still being altered or exfiltrated, and confirm that the compensating controls are effective.

A security analyst is going through systems looking for potential misconfigurations. What are some key items the analyst should search for while misconfiguration hunting? (Select three.)
Weak passwords
New user creation
Money transfer
Open ports
Unpatched software
Isolated networks
Physical access points

Weak passwords; open ports; unpatched software
Weak passwords can be guessed or cracked, giving an attacker control of a system. Unnecessary open ports expose services that an attacker can probe and exploit, leading to system compromise. Unpatched software leaves known vulnerabilities in place and is one of the most common ways cybercriminals gain access.
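The three checks named in this answer, as an added example that is not part of the course material: the script below runs a small misconfiguration hunt over constructed inputs. The listening-socket lines imitate `ss -tlnp` output, the account list is what a hypothetical password-audit job might return (real audits compare hashes, not plaintext), and the minimum-version table is a hypothetical patch baseline rather than a real advisory feed.

```python
"""Misconfiguration hunting: exposed ports, weak passwords, unpatched software.

Added example, not from the course material. All inputs are constructed:
the listening-socket lines imitate `ss -tlnp` output, the account list is
what a hypothetical password-audit job might return, and the version table
is a hypothetical "minimum patched version" list, not a real advisory feed.
"""
import re

SS_OUTPUT = """\
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*   users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    0.0.0.0:23        0.0.0.0:*   users:(("telnetd",pid=901,fd=4))
tcp   LISTEN 0      511    127.0.0.1:3306    0.0.0.0:*   users:(("mysqld",pid=1203,fd=21))
tcp   LISTEN 0      50     0.0.0.0:445       0.0.0.0:*   users:(("smbd",pid=1402,fd=35))
tcp   LISTEN 0      128    [::]:8080         [::]:*      users:(("java",pid=1550,fd=9))
"""

# Services that should not be reachable on every interface of a hardened host.
RISKY_PORTS = {21: "ftp", 23: "telnet", 445: "smb", 3389: "rdp", 5900: "vnc"}

# (username, password) pairs from a hypothetical audit job (constructed data).
ACCOUNTS = [
    ("root", "Password123"),
    ("deploy", "deploy"),
    ("alice", "T7#kq9vL!pz2Wm"),
    ("backup", "backup2023"),
]
COMMON_PASSWORDS = {"password", "password123", "123456", "admin", "letmein"}

INSTALLED = {"openssl": "3.0.2", "nginx": "1.24.0", "sudo": "1.8.31"}
MINIMUM_PATCHED = {"openssl": "3.0.7", "nginx": "1.22.1", "sudo": "1.9.5"}  # hypothetical


def exposed_risky_listeners(ss_output, risky_ports=RISKY_PORTS):
    """Return (port, process) for risky services bound to all interfaces.
    A service bound only to loopback (127.0.0.1 / ::1) is not reported."""
    findings = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[1] != "LISTEN":
            continue
        addr, port = parts[4].rsplit(":", 1)
        port = int(port)
        proc = re.search(r'\(\("([^"]+)"', parts[6])
        if addr in {"0.0.0.0", "[::]", "*"} and port in risky_ports:
            findings.append((port, proc.group(1) if proc else "?"))
    return findings


def weak_accounts(accounts, common=COMMON_PASSWORDS, min_length=12):
    """Flag accounts whose password is common, short, or contains the username."""
    weak = []
    for user, pw in accounts:
        if pw.lower() in common or len(pw) < min_length or user.lower() in pw.lower():
            weak.append(user)
    return weak


def version_key(v):
    """'1.8.31' -> (1, 8, 31); non-numeric suffixes are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def unpatched(installed, minimum):
    """Return {package: (installed, required)} for packages below the baseline."""
    return {
        pkg: (ver, minimum[pkg])
        for pkg, ver in installed.items()
        if pkg in minimum and version_key(ver) < version_key(minimum[pkg])
    }


if __name__ == "__main__":
    print("exposed:", exposed_risky_listeners(SS_OUTPUT))
    print("weak:", weak_accounts(ACCOUNTS))
    print("unpatched:", unpatched(INSTALLED, MINIMUM_PATCHED))
```

Note the loopback check: the MySQL listener on 127.0.0.1:3306 is deliberately not reported, because a port that is open only to local processes is not the same exposure as telnet or SMB bound to 0.0.0.0.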

A company experiences a severe security incident where an attacker accesses and steals sensitive information from its servers. The incident response team investigates the issue and performs a root cause and forensic analysis. What will the company gain from conducting the forensic analysis?
To identify the initial entry point of the attack
To identify areas for improvement in the incident response plan
To restore services and systems as quickly as possible
To gather evidence

To gather evidence
The company conducts a forensic analysis to collect, preserve, and analyze evidence associated with the security incident, such as identifying the attacker and determining which data was compromised.

When conducting reputational threat research, you begin by selecting one or more sources for indicators of a reputational threat. Which of the following should you compare these indicators against after collecting them?
Unauthorized files
Unusual file system changes
Unusual entries in log files
Unauthorized account usage

Unusual entries in log files
To perform reputational threat research, select one or more sources for indicators of reputational threats (for example, feeds of IP addresses, domains, or file hashes with poor reputations). Then search your log files for potential threat indicators and compare the entries found in the logs with the indicators obtained from the reputation sources.
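The comparison described in this answer, and the geographic DoS indicator from the first question on this page, as one added example that is not part of the course material: the script below extracts source addresses from a few constructed web-server log lines, matches them against a constructed reputation feed of addresses and CIDR ranges, and summarizes requests by region using a constructed prefix-to-country table standing in for a GeoIP database. The addresses come from the RFC 5737 documentation ranges and the country assignments are invented for the example.

```python
"""Match log source addresses against a reputation feed and summarize by region.

Added example, not from the course material. It serves two steps on this
page: reputational research (compare indicators from a threat-reputation
source against log entries) and the behavioral DoS indicator (a flood of
requests from IP addresses in an unexpected geographic region). The log
lines, the reputation feed and the prefix-to-country table are all
constructed; the addresses are RFC 5737 documentation addresses and the
country assignments are invented.
"""
import ipaddress
import re
from collections import Counter

ACCESS_LOG = """\
203.0.113.7 - - [01/May/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [01/May/2024:10:00:02 +0000] "GET /login HTTP/1.1" 200 1024
192.0.2.44 - - [01/May/2024:10:00:03 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.23 - - [01/May/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 512
198.51.100.24 - - [01/May/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 512
198.51.100.25 - - [01/May/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 512
198.51.100.26 - - [01/May/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 512
198.51.100.27 - - [01/May/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 512
198.51.100.28 - - [01/May/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [01/May/2024:10:00:05 +0000] "GET /about HTTP/1.1" 200 2048
192.0.2.200 - - [01/May/2024:10:00:06 +0000] "GET / HTTP/1.1" 200 512
"""

# Constructed reputation feed: one "network,label" entry per line.
REPUTATION_FEED = """\
# network,label
198.51.100.0/24,botnet-c2
203.0.113.7,scanner
"""

# Constructed prefix-to-country table standing in for a GeoIP database.
GEO_PREFIXES = {"203.0.113.0/24": "US", "198.51.100.0/24": "BR", "192.0.2.0/25": "DE"}

LOG_IP = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) ")


def parse_feed(text):
    """Return [(ip_network, label)]; bare addresses become /32 networks."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        net, label = line.split(",", 1)
        entries.append((ipaddress.ip_network(net.strip(), strict=False), label.strip()))
    return entries


def source_ips(log_text):
    """Extract the client address from each access-log line."""
    return [m.group(1) for m in map(LOG_IP.match, log_text.splitlines()) if m]


def reputation_hits(ips, feed_entries):
    """Map each source IP that falls inside a feed entry to the entry's label."""
    hits = {}
    for ip in set(ips):
        addr = ipaddress.ip_address(ip)
        for net, label in feed_entries:
            if addr in net:
                hits[ip] = label
                break
    return hits


def country_of(ip, prefixes=GEO_PREFIXES):
    """Longest-prefix match against the table; 'unknown' if nothing matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, country in prefixes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, country)
    return best[1] if best else "unknown"


def requests_by_country(ips):
    """Count requests per region so a flood from one region stands out."""
    return Counter(country_of(ip) for ip in ips)


def unexpected_region_floods(counts, expected_regions, min_requests):
    """Regions outside the expected set that sent at least min_requests."""
    return sorted(
        region for region, n in counts.items()
        if region not in expected_regions and n >= min_requests
    )


if __name__ == "__main__":
    ips = source_ips(ACCESS_LOG)
    print("reputation hits:", reputation_hits(ips, parse_feed(REPUTATION_FEED)))
    counts = requests_by_country(ips)
    print("by country:", dict(counts))
    print("unexpected floods:", unexpected_region_floods(counts, {"US", "DE"}, 5))
```

The feed is parsed with `strict=False` so that a bare address and a CIDR range are handled the same way, and addresses that fall outside every known prefix are reported as "unknown" rather than silently dropped; a real hunt would feed the unknown bucket back into the reputation lookup.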
