Cisco Exam 350-201 Topic 3 Question 85 Discussion

Actual exam question for Cisco's 350-201 exam

Question #: 85
Topic #: 3

A SOC analyst is investigating a recent email delivered to a high-value user for a customer whose network their organization monitors. The email includes a suspicious attachment titled ''Invoice RE: 0004489''. The

hash of the file is gathered from the Cisco Email Security Appliance. After searching Open Source Intelligence, no available history of this hash is found anywhere on the web. What is the next step in analyzing this attachment to allow the analyst to gather indicators of compromise?

ARun and analyze the DLP Incident Summary Report from the Email Security Appliance

BAsk the company to execute the payload for real time analysis

CInvestigate further in open source repositories using YARA to find matches

DObtain a copy of the file for detonation in a sandbox

Show Suggested Answer

Suggested Answer: A, D

by Rory at Apr 24, 2024, 11:09 PM

Limited Time Offer

25%

Off

Get Premium 350-201 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Hubert

12 days ago

YARA, huh? Sounds like a good old-fashioned detective work. But I'm not sure I'd want to go snooping around open source repositories. Who knows what kind of digital booby traps might be waiting for us there?

upvoted 0 times

...

Leslee

14 days ago

I'm feeling a bit like a lab rat here. Executing the payload? No way, I'm not going to be the guinea pig for that one. Let's stick to the sandbox, where we can observe the attachment's behavior safely.

upvoted 0 times

...

Gerald

18 days ago

Option D is clearly the way to go. Detonating the file in a sandbox is the best way to analyze it and gather indicators of compromise. Anything else would be like trying to defuse a bomb with your bare hands.

upvoted 0 times

...