Exam CS0-003 All Questions
Question 202

A security analyst has received an incident case regarding malware spreading out of control on a customer's network. The analyst is unsure how to respond. The configured EDR has automatically obtained a sample of the malware and its signature. Which of the following should the analyst perform next to determine the type of malware based on its telemetry?

Correct Answer: C

To determine the type of malware based on its telemetry, the security analyst should transfer the malware to a sandbox environment. A sandbox is a controlled and isolated environment designed to safely execute and analyze malware. This will allow the analyst to observe the malware's behavior and interactions in a monitored setting, providing valuable telemetry data needed to identify its characteristics and impact. This approach is more effective for real-time analysis compared to simply cross-referencing signatures.
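To make the distinction concrete, here is an added example (written for this page, not exam material or any vendor's code) that contrasts a signature lookup against an indicator table (option A) with a classification derived from sandbox telemetry (option C); the sample hash, the telemetry events, the indicator table and the behaviour rules are all constructed for illustration.

```python
import hashlib
import ipaddress
import json

# Constructed sample hash; in practice the EDR hands over the real file and its hash.
SAMPLE_SHA256 = hashlib.sha256(b"MZ\x90\x00 constructed-sample-not-real-malware").hexdigest()

# Constructed sandbox telemetry, one JSON event per line (a stand-in for a real sandbox report).
TELEMETRY = "\n".join(json.dumps(e) for e in [
    {"type": "process", "image": "C:\\Users\\u\\Downloads\\invoice.exe", "parent": "explorer.exe"},
    {"type": "file_write", "path": "C:\\Users\\u\\AppData\\Roaming\\svc.exe", "sha256": SAMPLE_SHA256},
    {"type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"},
    {"type": "net_connect", "dst": "10.0.0.5", "port": 445},
    {"type": "net_connect", "dst": "10.0.0.6", "port": 445},
    {"type": "net_connect", "dst": "10.0.0.7", "port": 445},
    {"type": "net_connect", "dst": "203.0.113.9", "port": 443},
])

# Constructed hash -> family table standing in for an open-source threat-intel feed (option A).
KNOWN_SIGNATURES = {hashlib.sha256(b"another constructed sample").hexdigest(): "Trojan.Constructed.A"}

# RFC 1918 ranges; anything else is treated as outside the customer's network.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def signature_lookup(sha256, feed):
    """Option A: fast, but only answers for samples the feed has already catalogued."""
    return feed.get(sha256)


def behavior_classify(telemetry, sample_sha256, min_smb_targets=3):
    """Option C: derive a malware type from what the sample actually did in the sandbox."""
    smb_targets, tags = set(), set()
    for line in telemetry.splitlines():
        ev = json.loads(line)
        if ev["type"] == "file_write" and ev.get("sha256") == sample_sha256:
            tags.add("self-replicating")            # dropped a copy of itself
        elif ev["type"] == "registry_set" and "\\CurrentVersion\\Run\\" in ev["key"]:
            tags.add("persistence")                 # Run-key autostart entry
        elif ev["type"] == "net_connect":
            ip = ipaddress.ip_address(ev["dst"])
            if any(ip in net for net in INTERNAL):
                if ev["port"] == 445:
                    smb_targets.add(ev["dst"])      # probing internal hosts over SMB
            else:
                tags.add("external-c2")             # beacon to an address outside the network
    if len(smb_targets) >= min_smb_targets:
        tags.add("worm-like-spread")                # breadth of SMB targets matches "spreading out of control"
    return sorted(tags)
```

For this sample the feed lookup returns nothing, while the telemetry rules still yield a usable verdict, which is the point the answer explanation makes.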

Discussion
Kmelaun (Option: C)

Both A and C are great, but like jjkylin said we would go with sandboxing here because of the key word "telemetry" which means we are going to monitor the malware.

jjkylin (Option: C)

Both options A and C are valid approaches, but option C is more directly focused on analyzing the behavior of the malware, which aligns with the goal of determining the type of malware based on its telemetry.

Franky30 (Option: C)

A sandbox is an isolated and controlled environment where the malware can be executed without affecting the production network. Analyzing the behavior of the malware in a sandbox allows the analyst to observe its actions, interactions, and potential impact on the system, providing valuable telemetry data.

Man001 (Option: C)

To determine the type of malware based on its telemetry, the security analyst should transfer the malware to a controlled environment like a sandbox. The question says the analyst is unsure how to respond.

CountVlad (Option: A)

Seems more logical and less time-consuming to me...

8a5dd39 (Option: A)

Both A and C are good choices. My reasoning for choosing A is that the question talks about malware signatures.

section8santa (Option: A)

Cross-referencing with Open-source Threat Intelligence: This approach involves comparing the malware signature obtained by the EDR (Endpoint Detection and Response) system with existing databases and sources of known malware signatures. Open-source threat intelligence platforms often have extensive databases of malware signatures, behaviors, and attributes. By comparing the obtained signature with these databases, the analyst can quickly identify the type of malware, understand its characteristics, and learn about its typical behaviors and impact. This knowledge is crucial for formulating an effective response strategy.