Exam CAS-004
Question 428

SIMULATION


During the course of normal SOC operations, three anomalous events occurred and were flagged as potential IoCs. Evidence for each of these potential IoCs is provided.

INSTRUCTIONS


Review each of the events and select the appropriate analysis and remediation options for each IoC.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Correct Answer:

Discussion
23169fd

Given answer is correct. IoC1: Analysis: "Canonical name records in a public DNS cache are being updated." Remediation: "Configure the DNS server to perform recursion." IoC2: Analysis: "Someone is footprinting a network subnet." Remediation: "Block ping requests across the WAN interface." IoC3: Analysis: "An employee is using P2P services to download files." Remediation: "Enforce endpoint controls on third-party software installations."

MacherGaming

IOC 1: This is a DNS canonical name (CNAME) update. Is this malicious? Unknown, but it certainly looks suspicious. Solution: Configure the DNS server to perform recursion. This will allow the server to query other DNS servers to validate requests, which reduces the likelihood of malicious updates. IOC 2: Someone is footprinting a network subnet. A single source IP address with pings to incrementing IP addresses. Solution: The log indicates the network device is dropping ICMP requests. No further action is needed. As a side note, if this WERE coming across the WAN interface we wouldn't have a private IP address as the source. IOC 3: An employee is using P2P services to download files. A GET request for x-bittorrent.gzip from an external IP (2.1.0.0) with a successful HTTP response (200). Solution: Enforce endpoint controls on third-party software installation.
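To make the IoC 2 and IoC 3 evidence discussed above concrete, here is an added Python example (not from the exam, the site, or any commenter) that runs both checks over constructed log lines: it flags a single source pinging consecutive addresses, records whether the firewall already drops those probes and whether the source is an RFC 1918 address, and flags successful downloads of x-bittorrent content. The log formats, addresses and URLs are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample logs (assumed formats, not the exam's evidence screenshots).
ICMP_LOG = """\
10.0.1.50 -> 10.0.2.1 ICMP echo-request DROP
10.0.1.50 -> 10.0.2.2 ICMP echo-request DROP
10.0.1.50 -> 10.0.2.3 ICMP echo-request DROP
10.0.1.50 -> 10.0.2.4 ICMP echo-request DROP
10.0.1.77 -> 10.0.2.9 ICMP echo-request ACCEPT
"""
HTTP_LOG = """\
10.0.1.23 GET http://2.1.0.0/linux.iso.torrent 200 application/x-bittorrent
10.0.1.23 GET http://example.invalid/index.html 200 text/html
"""

ICMP_RE = re.compile(r"^(\S+) -> (\S+) ICMP echo-request (\w+)$")


def detect_ping_sweep(log, min_hosts=4):
    """IoC 2: one source probing consecutive addresses (footprinting a subnet).

    Returns {source: {"hosts": n, "all_dropped": bool, "private_source": bool}}.
    all_dropped tells the analyst the device already blocks the probes;
    private_source supports the point that a sweep from RFC 1918 space is
    internal traffic, not something arriving across the WAN interface.
    """
    dests, actions = defaultdict(set), defaultdict(set)
    for line in log.splitlines():
        m = ICMP_RE.match(line)
        if not m:
            continue  # ignore lines that are not ICMP echo-requests
        src, dst, action = m.groups()
        dests[src].add(int(ipaddress.ip_address(dst)))
        actions[src].add(action)
    findings = {}
    for src, addrs in dests.items():
        ordered = sorted(addrs)
        consecutive = all(b - a == 1 for a, b in zip(ordered, ordered[1:]))
        if len(ordered) >= min_hosts and consecutive:
            findings[src] = {"hosts": len(ordered),
                             "all_dropped": actions[src] == {"DROP"},
                             "private_source": ipaddress.ip_address(src).is_private}
    return findings


def detect_p2p_downloads(log):
    """IoC 3: successful (200) GET whose content type is x-bittorrent."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[3] == "200" and "x-bittorrent" in parts[4]:
            hits.append((parts[0], parts[2]))  # (client IP, URL)
    return hits
```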

b49eb27

I partially agree with these. IOC 1: analysis - application is performing an update (the evidence points more toward an application update initiated by the web server, which is normal behavior for an update). Remediation: nothing. IOC 2: analysis - footprinting a subnet; remediation - block ping requests. IOC 3: analysis - employee using PTP to download files; remediation - blocklist of malicious ports.

armid

I agree with you, except the last remediation would be enforce controls on 3rd party app installs (BitTorrent clients). BitTorrent ports are not necessarily malicious.

armid

The only thing that is bothering me a little is why the WAN interface is in Remediation 2. Who says it's the WAN interface? But it's the most probable answer they wanted.

SirL

Hi guys, is the given answer correct?