Exam CS0-003 topic 1 question 46 discussion

uploading to Virus-total mean disclosing to a third-party !

An air-gapped sandbox is an isolated environment with no internet connectivity, which allows the analyst to analyze the malware in a controlled manner without any risk of the malware communicating with its command-and-control (C2) servers or alerting the attackers. This setup ensures that the analysis stays private, and no information is leaked to the attackers.

It's would be A or D, however, the question says these binaries are "targeted", meaning they are customized for organization and would not be on VirusTotal. Thus, A is the answer. As for gathering intelligence, this can still gathered from a binary, like extracting IoCs with the strings command, etc.

A. is the correct answer. While D. is what I do in real life a lot... (possibly all the time). you really need to give this some thought. or not. question says, analyst is trying to keep this from the threat actors. air-gapped sand box is disconnected from the internet. Threat actors monitor what is being lookup on on VT or talos or any other reputation look up sites.

i vote for D. I check the hash first. I do not alert the attacker, i do not share information to the attacker. What information do i get from the sanbox if i have to deal with a logic bomb with extended sleep?

Isolated Network Hunting - Isolated networks, such as air-gapped networks or networks with limited connectivity to the internet, are often thought to be more secure. However, attackers can still target these networks by exploiting vulnerabilities in connected systems or through physical access. Source CompTia

There really needs to be more context but if the investigation was performed on an enterprise network then doing a query of the file hash using VirusTotal would be my first step. If I'm performing an investigation using any modern EDR I can remotely get the file hash of the binaries without the adversary knowing assuming they are still on the device being investigated. Doing a query of a file hash doesn't disclose any of your information because you're not uploading anything, you're inputting text into a box. If the malware is polymorphic then you could trigger follow-on actions by attempting to copy or move the binaries when moving it to an air-gapped system. In reality, I would do D first and then do A.

Answer is A. An air-gapped sandbox is a virtual machine or a physical device that is isolated from any network connection. This allows the analyst to safely execute the malware binaries and observe their behavior without risking any communication with the attackers or any damage to other systems. Uploading the binary to an air-gapped sandbox is the best option to gather intelligence without disclosing information to the attackers12 Reference: 1: Dynamic Analysis of a Windows Malicious Self-Propagating Binary 2: GitHub - mikesiko/PracticalMalwareAnalysis-Labs: Binaries for the book Practical Malware Analysis

A - "gather intelligence" this can be done via dynamic analysis and observing the behaviour of the binary.

A - the attackers will not know what your doing and you can gather intelligence info from the data - isn't gathering intelligence the same as performing an analysis? D - attackers are going to know what your doing here - Please if you chose D then explain how they will not know?

Not D because Querying the file hashes using VirusTotal could disclose the analyst’s queries to the attackers, as VirusTotal shares its data with the antivirus industry and the public. The attackers could use this information to track the analyst’s investigation or evade detection by changing their file hashes.

Correct Answer: **D. Query the file hashes using VirusTotal** Summary: This option allows the security analyst to gather intelligence on the targeted Windows malware binaries without disclosing information to the attackers. By querying the file hashes using VirusTotal, the analyst can obtain insights from a service that aggregates antivirus scanners and website scanners, providing information about potential threats while maintaining confidentiality in the investigation. Why A is wrong: While uploading the binary to an air-gapped sandbox for analysis (Option A) can help understand the malware's behavior, it doesn't address the goal of gathering intelligence without disclosing information to the attackers. Furthermore, an air-gapped environment lacks internet connectivity, preventing the analyst from using online services like VirusTotal to query file hashes without compromising the air gap.

I think A makes more sense, unless the malware is programmed to destroy itself when detected in a sandbox environment then C is the next best thing.

The answer is A. Upload the binary to an air-gapped sandbox for analysis, only because the question states you don't want to alert the attackers. The attackers are definitely going to know once virustotal processes it and all of a sudden their stealthy malware is identified by most major scanning definitions.

A. Upload the binary to an air-gapped sandbox for analysis An air-gapped sandbox is isolated from the Internet and other networks, which means that no information about the investigation can be inadvertently leaked to the attackers. By analyzing the malware in a controlled and isolated environment, the analyst can observe the behavior of the binaries without the risk of the malware "phoning home" to the attacker's command and control servers or otherwise disclosing the investigation. This approach also prevents the malware from potentially spreading or causing harm to the organization's operational network.

A hash is a one way encryption not meant to be unencrypted. You cannot analyze that which cannot be unencrypted. My answer is "A".

A is correct. D is incorrect because the binaries are "targeted" meaning they will likely have a unique hash not found in virus total's database. In the real world of course virus total can provide other useful information like some static and dynamic analysis but this is outside the scope of answer D, which specifically identifies the hash.