Which of the following would a security analyst most likely use to compare TTPs between different known adversaries of an organization?
Correct Answer: A
MITRE ATT&CK is a framework and knowledge base that describes the tactics, techniques, and procedures (TTPs) used by various adversaries in cyberattacks. MITRE ATT&CK can help security analysts compare TTPs between different known adversaries of an organization, as well as identify patterns, gaps, or trends in adversary behavior. MITRE ATT&CK can also help security analysts improve threat detection, analysis, and response capabilities, as well as share threat intelligence with other organizations or communities
Question 127
An analyst is becoming overwhelmed with the number of events that need to be investigated for a timeline. Which of the following should the analyst focus on in order to move the incident forward?
Correct Answer: A
The analyst should focus on the impact of the events in order to move the incident forward. Impact is the measure of the potential or actual damage caused by an incident, such as data loss, financial loss, reputational damage, or regulatory penalties. Impact can help the analyst prioritize the events that need to be investigated based on their severity and urgency, and allocate the appropriate resources and actions to contain and remediate them. Impact can also help the analyst communicate the status and progress of the incident to the stakeholders and customers, and justify the decisions and recommendations made during the incident response12. Vulnerability score, mean time to detect, and isolation are all important metrics or actions for incident response, but they are not the main focus for moving the incident forward. Vulnerability score is the rating of the likelihood and severity of a vulnerability being exploited by a threat actor. Mean time to detect is the average time it takes to discover an incident. Isolation is the process of disconnecting an affected system from the network to prevent further damage or spread of the incident34 . Reference: Incident Response: Processes, Best Practices & Tools - Atlassian, Incident Response Metrics: What You Should Be Measuring, Vulnerability Scanning Best Practices, How to Track Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) to Cybersecurity Incidents, [Isolation and Quarantine for Incident Response]
Question 128
An organization would like to ensure its cloud infrastructure has a hardened configuration. A requirement is to create a server image that can be deployed with a secure template. Which of the following is the best resource to ensure secure configuration?
Correct Answer: A
The best resource to ensure secure configuration of cloud infrastructure is A. CIS Benchmarks. CIS Benchmarks are a set of prescriptive configuration recommendations for various technologies, including cloud providers, operating systems, network devices, and server software. They are developed by a global community of cybersecurity experts and help organizations protect their systems against threats more confidently1 PCI DSS, OWASP Top Ten, and ISO 27001 are also important standards for information security, but they are not focused on providing specific guidance for hardening cloud infrastructure. PCI DSS is a compliance scheme for payment card transactions, OWASP Top Ten is a list of common web application security risks, and ISO 27001 is a framework for establishing and maintaining an information security management system. These standards may have some relevance for cloud security, but they are not as comprehensive and detailed as CIS Benchmarks
Question 129
During security scanning, a security analyst regularly finds the same vulnerabilities in a critical application. Which of the following recommendations would best mitigate this problem if applied along the SDLC phase?
Correct Answer: C
Application security scanning is a process that involves testing and analyzing applications for security vulnerabilities, such as injection flaws, broken authentication, cross-site scripting, and insecure configuration. Application security scanning can help identify and fix security issues before they become exploitable by attackers. Using application security scanning as part of the pipeline for the continuous integration/continuous delivery (CI/CD) flow can help mitigate the problem of finding the same vulnerabilities in a critical application during security scanning. This is because application security scanning can be integrated into the development lifecycle and performed automatically and frequently as part of the CI/CD process.
Question 130
An XSS vulnerability was reported on one of the public websites of a company. The security department confirmed the finding and needs to provide a recommendation to the application owner. Which of the following recommendations will best prevent this vulnerability from being exploited? (Select two).
Correct Answer: D,F
Comprehensive Detailed To effectively prevent Cross-Site Scripting (XSS) attacks, implementing appropriate security controls within the application code and at the network layer is critical. Here's a breakdown of each option: A . Implement an IPS in front of the web server Intrusion Prevention Systems (IPS) are primarily designed to detect and prevent network-based attacks, not application-layer vulnerabilities such as XSS. They do not specifically mitigate XSS threats effectively. B . Enable MFA on the website Multi-factor authentication (MFA) strengthens user authentication but does not address XSS, which typically involves injecting malicious scripts rather than compromising user credentials. C . Take the website offline until it is patched While this might temporarily mitigate the risk, it is not a practical solution for ongoing operations, especially when effective preventative controls (e.g., WAF rules or code updates) can be implemented without disabling the service. D . Implement a compensating control in the source code Implementing security controls at the code level is an effective way to mitigate XSS risks. This can involve proper input validation, output encoding, and utilizing libraries that sanitize user inputs. By addressing the root cause in the source code, developers prevent scripts from being injected or executed in the browser. E . Configure TLS v1.3 on the website While TLS v1.3 secures the communication channel, it does not address XSS directly. XSS attacks manipulate client-side scripts, which TLS cannot prevent, as TLS only encrypts data in transit. F . Fix the vulnerability using a virtual patch at the WAF Web Application Firewalls (WAFs) can mitigate XSS vulnerabilities by identifying and blocking malicious payloads. Virtual patching at the WAF level provides a temporary fix by preventing exploit attempts from reaching the application, giving developers time to implement a permanent fix in the source code. Reference: OWASP XSS Prevention Cheat Sheet: Detailed guidance on encoding, sanitizing, and safe coding practices to prevent XSS. NIST SP 800-44: Guidelines on Web Security, discussing WAFs and application-layer protections. CWE-79: Common Weakness Enumeration on Cross-Site Scripting, which outlines ways to address and prevent XSS attacks.