Question

A SIEM analyst noticed a spike in activities from the guest wireless network to several electronic...

A SIEM analyst noticed a spike in activities from the guest wireless network to several electronic health record (EHR) systems. After further analysis, the analyst discovered that a large volume of data has been uploaded to a cloud provider in the last six months. Which of the following actions should the analyst do FIRST?

A. Contact the Office of Civil Rights (OCR) to report the breach

B. Notify the Chief Privacy Officer (CPO)

C. Put an ACL on the gateway router

D. Activate the incident response plan.

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

A threat intelligence analyst who works for a financial services firm received this report: "There has been an effective waterhole campaign residing at www.bankfinancecompsoftware.com. This domain is delivering ransomware. This ransomware variant has been called 'LockMaster' by researchers due to its ability to overwrite the MBR, but this term is not a malware signature. Please execute a defensive operation regarding this attack vector." The analyst ran a query and has assessed that this traffic has been seen on the network. Which of the following actions should the analyst do NEXT? (Choose two.)

A. Advise the security architects to enable full-disk encryption to protect the MBR

B. Advise the firewall engineer to implement a block on the domain

C. Produce a threat intelligence message to be disseminated to the company

D. Visit the domain and begin a threat assessment

E. Format the MBR as a precaution

F. Advise the security analysts to add an alert in the SIEM on the string "LockMaster"

Please explain your choice of answers for a thumbs up. Expert answers only.

Answer #1

A SIEM analyst noticed a spike in activities from the guest wireless network to several electronic health record (EHR) systems. After further analysis, the analyst discovered that a large volume of data has been uploaded to a cloud provider in the last six months. Which of the following actions should the analyst do FIRST?

Ans: C. Put an ACL on the gateway router

A threat intelligence analyst who works for a financial services firm received this report: "There has been an effective waterhole campaign residing at www.bankfinancecompsoftware.com. This domain is delivering ransomware. This ransomware variant has been called 'LockMaster' by researchers due to its ability to overwrite the MBR, but this term is not a malware signature. Please execute a defensive operation regarding this attack vector." The analyst ran a query and has assessed that this traffic has been seen on the network. Which of the following actions should the analyst do NEXT? (Choose two.)

Ans: A. Advise the security architects to enable full-disk encryption to protect the MBR

Ans: D. Visit the domain and begin a threat assessment

Since the ransomware is already on the system, the best possible way to deal with it would be the encryption of disks and visiting the domain in order to observe what it is doing or is likely to do.
