Cisco Exam 350-201 Topic 3 Question 85 Discussion

Actual exam question for Cisco's 350-201 exam

Question #: 85
Topic #: 3

A SOC analyst is investigating a recent email delivered to a high-value user for a customer whose network their organization monitors. The email includes a suspicious attachment titled ''Invoice RE: 0004489''. The

hash of the file is gathered from the Cisco Email Security Appliance. After searching Open Source Intelligence, no available history of this hash is found anywhere on the web. What is the next step in analyzing this attachment to allow the analyst to gather indicators of compromise?

ARun and analyze the DLP Incident Summary Report from the Email Security Appliance

BAsk the company to execute the payload for real time analysis

CInvestigate further in open source repositories using YARA to find matches

DObtain a copy of the file for detonation in a sandbox

Show Suggested Answer

Suggested Answer: A, D

by Rory at Apr 24, 2024, 11:09 PM

Limited Time Offer

25%

Off

Get Premium 350-201 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Millie

1 months ago

Oh, great, another email attachment with a suspicious name. It's like these hackers are trying to play 'Guess the Malware' with us. Let's just toss it in the sandbox and see what kind of digital fireworks we can cook up.

upvoted 0 times

Zena

3 days ago

I agree, we need to gather as much information as possible to determine if it's malicious.

upvoted 0 times

...

Chandra

4 days ago

Let's not take any chances, we should definitely detonate that file in a sandbox.

upvoted 0 times

...

Danilo

5 days ago

C: Running and analyzing the DLP Incident Summary Report could also provide valuable insights into the potential threat.

upvoted 0 times

...

Brent

11 days ago

B: Agreed, that's the best way to analyze the attachment and gather indicators of compromise.

upvoted 0 times

...

Celestine

20 days ago

A: Let's not waste any time, we should definitely obtain a copy of the file for detonation in a sandbox.

upvoted 0 times

...

Fanny

2 months ago

DLP Incident Summary Report? That's like trying to solve a murder mystery by reading the police blotter. Nah, I'm going with the sandbox option. At least that way, we can see the attachment in action and really get to the bottom of this.

upvoted 0 times

Maryanne

3 days ago

Agreed, let's not waste time with summaries. Let's go straight to the source and detonate that file.

upvoted 0 times

...

Tennie

4 days ago

I think that's the best way to gather more information and understand the potential threat.

upvoted 0 times

...

Helaine

18 days ago

Yeah, I agree. Let's get that file into a sandbox and see what it's up to.

upvoted 0 times

...

Hubert

2 months ago

YARA, huh? Sounds like a good old-fashioned detective work. But I'm not sure I'd want to go snooping around open source repositories. Who knows what kind of digital booby traps might be waiting for us there?

upvoted 0 times

Ming

2 months ago

B: I agree, it's important to proceed with caution when investigating suspicious attachments. Running the DLP Incident Summary Report might also provide valuable insights.

upvoted 0 times

...

Goldie

2 months ago

A: YARA is a powerful tool for threat hunting. It can help us identify any potential matches in open source repositories.

upvoted 0 times

...

Leslee

2 months ago

I'm feeling a bit like a lab rat here. Executing the payload? No way, I'm not going to be the guinea pig for that one. Let's stick to the sandbox, where we can observe the attachment's behavior safely.

upvoted 0 times

...

Gerald

2 months ago

Option D is clearly the way to go. Detonating the file in a sandbox is the best way to analyze it and gather indicators of compromise. Anything else would be like trying to defuse a bomb with your bare hands.

upvoted 0 times

...