Exam CAS-004
Question 46

A company's SOC has received threat intelligence about an active campaign utilizing a specific vulnerability. The company would like to determine whether it is vulnerable to this active campaign.

Which of the following should the company use to make this determination?

Correct Answer: B

To determine if a company is vulnerable to a specific active campaign utilizing a known vulnerability, the best approach is to conduct a system penetration test. This allows the company to simulate an attack using the same techniques and tools as the adversary, directly testing the systems for the specific vulnerability in question. This hands-on testing provides clear evidence of whether the vulnerability exists and can be exploited, thus confirming the company’s susceptibility to the ongoing threat.

Discussion
kycugu (Option: B)

This is very simple... Pen-test to use the specific exploit to determine the result of the threat intelligence. Answer is B.

Boats (Option: B)

Pen testing tells you how an opponent could get into your environment. It emphasizes the potential damage of not hardening the environment by showing how different vulnerabilities might be exploited or identifying insecure IT practices. Threat hunting tells you who is already in your environment and what they're up to. It deals with the actual state of the environment and shows what threats are targeting the company. They’re both methods used by defenders to bolster their security, but the former deals with possible scenarios which may lead to a breach, while the latter works backwards: first looking for a breach, then working backwards to a vulnerability.

Anarckii (Option: B)

"The company would like to determine whether it is vulnerable to this active campaign." The only way for them to determine this is by pentesting.

BiteSize (Option: B)

Verify if the exploit works. Source: Verifying each answer against ChatGPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence.)

AaronS1990 (Option: B)

Pentest. This is the only way to be sure it is a genuine problem.

Geofab (Option: B)

Conducting a Pen Test seems the most logical to me.

23169fd (Option: B)

Threat Hunting: Best used when there is a need to quickly determine if an attack has already occurred or if there are signs of compromise related to the specific threat. Penetration Testing: Best used to validate whether the environment is susceptible to the specific vulnerability and to understand the potential impact and exploitability.

imather (Option: B)

Threat hunting sounds like a good answer, but remember threat hunting is "proactively searching for cyber threats that are lurking undetected in a network." You look for unusual behavior and IOCs. Threat hunting is not a vulnerability assessment. You would pentest to determine if you were actually vulnerable. https://www.crowdstrike.com/cybersecurity-101/threat-hunting/

CASP_Master (Option: A)

A. Threat hunting would be the best option to determine whether the company is vulnerable to a specific active campaign. Threat hunting involves proactively searching through networks or endpoints to detect and isolate advanced threats that evade existing security solutions. By performing threat hunting, the company can identify any indicators of compromise (IoCs) or unusual activity that may be associated with the known vulnerability and active campaign. System penetration testing, log analysis, and the Cyber Kill Chain are all useful security techniques, but they are not specifically designed for identifying vulnerabilities in response to a specific active campaign.

FoxTrotDG (Option: C)

The SIEM tool can be used to scan logs for evidence of the vulnerability, such as attempts to exploit it. If the vulnerability is present, the SIEM tool can also be used to identify the source of the attack and take steps to mitigate it. B is a close second. A pen test can be timely and expensive though. Also, a system pen test may not always be effective in finding vulnerabilities that have already been exploited. If an attacker has already exploited the vulnerability, they may have found a way to hide their activity from a pen test.

FoxTrotDG

Idk. I go back and forth between B and C. We're not concerned with whether or not the vulnerability within the company's network/systems has been exploited, only whether or not the company is actually vulnerable.

ito4862 (Option: A)

Actually my previous answer was wrong: this seems like the right answer. Hypothesis-driven investigations are often triggered by a new threat that’s been identified through a large pool of crowdsourced attack data, giving insights into attackers’ latest tactics, techniques, and procedures (TTP). Once a new TTP has been identified, threat hunters will then look to discover if the attacker’s specific behaviors are found in their own environment. https://www.crowdstrike.com/cybersecurity-101/threat-hunting/

ito4862 (Option: D)

Would this not be using the Cyber Kill Chain? The question mentions a group using a specific vulnerability. From the website: The seven steps of the Cyber Kill Chain® enhance visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques and procedures. Threat hunting means they are looking for adversaries already in the system and a system penetration seems to be overkill when you know the actual exploit.