Exam CAS-004
Question 486

A security analyst is conducting an investigation regarding a potential insider threat. An unauthorized USB device might have been used to exfiltrate proprietary data from a Linux system.

Which of the following options would identify the IoCs and provide the appropriate response?

    Correct Answer: D

    To identify indicators of compromise (IoCs) regarding the potential use of an unauthorized USB device on a Linux system, one should use the 'dmesg' command. 'dmesg' provides a log of messages from the kernel, including when USB devices are connected or disconnected. By obtaining the device ID using 'dmesg', the security analyst can verify whether any unauthorized USB devices were connected. Updating the portable storage inventory accordingly is an appropriate response to manage and control the use of such devices and prevent future breaches.
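
The explanation above says the IoC is the USB device ID recorded by the kernel. As an added example (not part of the exam page or the answer key), the following Python script parses a constructed sample of `dmesg` output, extracts each attached device's `idVendor`, `idProduct`, product strings and serial number, notes whether the kernel bound `usb-storage` to it, and compares any mass-storage device against a hypothetical portable-storage inventory. The sample lines, the `APPROVED_STORAGE` set and the function names are assumptions made for the example; the line formats follow what the Linux USB core and `usb-storage` driver print.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `dmesg` output (not captured from any real host).
SAMPLE_DMESG = """\
[  123.456789] usb 1-1: new high-speed USB device number 3 using xhci_hcd
[  123.600000] usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[  123.600010] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  123.600015] usb 1-1: Product: Ultra Fit
[  123.600020] usb 1-1: Manufacturer: SanDisk
[  123.600025] usb 1-1: SerialNumber: 4C530001234567890123
[  123.700000] usb-storage 1-1:1.0: USB Mass Storage device detected
[  124.800000] sd 6:0:0:0: [sdb] 30031872 512-byte logical blocks: (15.4 GB/14.3 GiB)
[  300.000000] usb 1-1: USB disconnect, device number 3
[  410.100000] usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
[  410.100010] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[  410.100015] usb 1-2: Product: USB Receiver
[  410.100020] usb 1-2: Manufacturer: Logitech
"""

# Hypothetical portable-storage inventory: (idVendor, idProduct, serial) of approved drives.
APPROVED_STORAGE = {("0781", "5583", "4C530000000000000000")}

# Kernel message shapes: device enumeration, descriptor strings, usb-storage binding, disconnect.
RE_FOUND = re.compile(
    r"^\[\s*(?P<ts>[\d.]+)\] usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
RE_ATTR = re.compile(
    r"^\[\s*[\d.]+\] usb (?P<port>[\d.-]+): (?P<key>Product|Manufacturer|SerialNumber): (?P<val>.+)$")
RE_STORAGE = re.compile(
    r"^\[\s*[\d.]+\] usb-storage (?P<port>[\d.-]+):[\d.]+: USB Mass Storage device detected")
RE_DISCONNECT = re.compile(r"^\[\s*(?P<ts>[\d.]+)\] usb (?P<port>[\d.-]+): USB disconnect")

ATTR_FIELDS = {"Product": "product", "Manufacturer": "manufacturer", "SerialNumber": "serial"}


@dataclass
class UsbEvent:
    port: str                      # bus-port path, e.g. "1-1"
    attached: float                # seconds since boot (default dmesg timestamp)
    vid: str
    pid: str
    product: str = ""
    manufacturer: str = ""
    serial: str = ""
    mass_storage: bool = False     # usb-storage bound to an interface of this device
    detached: Optional[float] = None


def parse_dmesg(text: str):
    """Return one UsbEvent per 'New USB device found' message, in order of appearance."""
    events = []
    open_by_port = {}              # devices currently attached, keyed by port path
    for line in text.splitlines():
        m = RE_FOUND.match(line)
        if m:
            ev = UsbEvent(m["port"], float(m["ts"]), m["vid"], m["pid"])
            events.append(ev)
            open_by_port[m["port"]] = ev
            continue
        m = RE_ATTR.match(line)
        if m and m["port"] in open_by_port:
            setattr(open_by_port[m["port"]], ATTR_FIELDS[m["key"]], m["val"].strip())
            continue
        m = RE_STORAGE.match(line)
        if m and m["port"] in open_by_port:
            open_by_port[m["port"]].mass_storage = True
            continue
        m = RE_DISCONNECT.match(line)
        if m and m["port"] in open_by_port:
            open_by_port.pop(m["port"]).detached = float(m["ts"])
    return events


def unapproved_storage(events, approved=APPROVED_STORAGE):
    """Mass-storage devices whose (idVendor, idProduct, serial) is not in the inventory."""
    return [ev for ev in events if ev.mass_storage and (ev.vid, ev.pid, ev.serial) not in approved]


if __name__ == "__main__":
    for ev in unapproved_storage(parse_dmesg(SAMPLE_DMESG)):
        print(f"UNAPPROVED storage on {ev.port}: {ev.manufacturer} {ev.product} "
              f"{ev.vid}:{ev.pid} serial={ev.serial} attached={ev.attached}s detached={ev.detached}s")
```

The parser expects the default `[seconds-since-boot]` prefix; `dmesg -T` rewrites it as a wall-clock string, so feed the script plain `dmesg` output and convert offsets using the boot time if needed. Because the kernel ring buffer is volatile and overwritten on reboot, an analyst should capture `dmesg` early and corroborate it with persisted kernel logs (for example `journalctl -k` where systemd is in use).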

Discussion
EAlonso (Option: B)

Data visibility and endpoint DLP can secure data at rest and ensure that users do not exfiltrate data via a removable device, such as a USB drive. The exercise does not specify whether the DLP is network- or endpoint-based.