
Exam CS0-002 topic 1 question 186 discussion

Actual exam question from CompTIA's CS0-002
Question #: 186
Topic #: 1

A security analyst received a series of antivirus alerts from a workstation segment, and users reported ransomware messages. During lessons-learned activities, the analyst determines the antivirus was able to alert to abnormal behavior but did not stop this newest variant of ransomware. Which of the following actions should be taken to BEST mitigate the effects of this type of threat in the future?

  • A. Enabling sandboxing technology
  • B. Purchasing cyber insurance
  • C. Enabling application blacklisting
  • D. Installing a firewall between the workstations and internet
Suggested Answer: A

Comments

sm24
Highly Voted 3 years, 10 months ago
A is the worst option of all, or the question is poorly framed. A sandbox is a protected environment to run any software and find out its behaviour. How can a sandbox technology be enabled on endpoints to prevent malware? Maybe a sandbox tool like Palo Alto WildFire can detect the malware when in transit and then prevent it, but there is no tool with "sandboxing technology" to prevent malware on the endpoint. I hope I won't get such questions on the exam.
upvoted 22 times
Davar39
Highly Voted 3 years, 1 month ago
Selected Answer: A
It's A. The answer can be found in the CySA+ Study Guide (2nd edition), page 23. Sandboxing will trigger the code and watch for any abnormal behavior; if anything malicious occurs, the code is blocked and the spread is avoided.
upvoted 13 times
NIKTES
Most Recent 1 year, 10 months ago
Selected Answer: C
C makes more sense. You need application blacklisting so that when you get the alert and you know what software is causing the issue, blacklist it.
upvoted 1 times
Stiobhan
2 years, 3 months ago
Selected Answer: A
Page 79 of the CySA+ Study Guide (2nd Edition), not 23: Sandboxing is an approach used to detect malicious software based on its behavior rather than its signatures. Sandboxing systems watch systems and the network for unknown pieces of code and, when they detect an application that has not been seen before, immediately isolate that code in a special environment known as a sandbox where it does not have access to any other systems or applications. The sandboxing solution then executes the code and watches how it behaves, checking to see if it begins scanning the network for other systems, gathering sensitive information, communicating with a command-and-control server, or performing any other potentially malicious activity. If the sandboxing solution identifies strange behavior, it blocks the code from entering the organization's network and flags it for administrator review. This process, also known as code detonation, is an example of an automated reverse engineering technique that takes action based on the observed behavior of software.
upvoted 6 times
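The study-guide passage quoted above describes a sandbox making a verdict from observed behaviour rather than a signature. The following is an added illustration (not from the study guide, the exam, or any commenter) of what such a behavioural check looks like in code: a detonation monitor receives a stream of file-system and network events from the isolated run of an unknown sample and blocks it when the pattern is ransomware-like (many high-entropy rewrites plus extension renames or a ransom note), while a benign editor doing ordinary saves is allowed. The event streams, paths, thresholds and the `FileEvent` type are all constructed for this example; real sandboxes consume kernel or hypervisor telemetry instead.

```python
"""Behaviour-based verdict for an unknown sample, as a sandbox would compute it.

Constructed example: the events below are hand-written, not real telemetry.
"""
import math
from collections import Counter
from dataclasses import dataclass


@dataclass
class FileEvent:
    op: str               # "write", "rename" or "connect" (hypothetical event model)
    path: str             # file path, or host:port for "connect"
    data: bytes = b""     # bytes written (used for the entropy check)
    new_path: str = ""    # destination for "rename"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted/compressed output sits near 8.0, text near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


SUSPICIOUS_EXTS = (".locked", ".enc", ".crypt")      # constructed list
RANSOM_NOTE_HINTS = ("readme", "decrypt", "restore")  # constructed list


def classify(events, high_entropy=7.0, min_encrypted=5):
    """Return a verdict dict; "block" when the run looks like bulk encryption."""
    encrypted = renamed = 0
    note = outbound = False
    for ev in events:
        if ev.op == "write":
            name = ev.path.rsplit("/", 1)[-1].lower()
            if name.endswith(".txt") and any(h in name for h in RANSOM_NOTE_HINTS):
                note = True                      # ransom-note style drop
            elif shannon_entropy(ev.data) >= high_entropy:
                encrypted += 1                   # content replaced by ciphertext-like bytes
        elif ev.op == "rename" and ev.new_path.endswith(SUSPICIOUS_EXTS):
            renamed += 1                         # mass extension change
        elif ev.op == "connect":
            outbound = True                      # noted, but not decisive on its own
    # Network activity alone is normal; bulk encryption plus renames/note is not.
    block = encrypted >= min_encrypted and (renamed >= min_encrypted or note)
    return {
        "verdict": "block" if block else "allow",
        "high_entropy_writes": encrypted,
        "ext_renames": renamed,
        "ransom_note": note,
        "outbound": outbound,
    }


# Constructed payloads: uniform byte distribution gives entropy exactly 8.0.
HIGH_ENTROPY_BLOB = bytes(range(256)) * 16
PLAINTEXT_BLOB = b"quarterly report draft\n" * 50

# Constructed run of a ransomware-like sample inside the sandbox.
RANSOMWARE_LIKE = (
    [FileEvent("write", f"/home/user/docs/file{i}.docx", HIGH_ENTROPY_BLOB) for i in range(6)]
    + [FileEvent("rename", f"/home/user/docs/file{i}.docx",
                 new_path=f"/home/user/docs/file{i}.docx.locked") for i in range(6)]
    + [FileEvent("write", "/home/user/docs/README_DECRYPT.txt", b"your files ..."),
       FileEvent("connect", "203.0.113.10:443")]
)

# Constructed run of a benign editor: plaintext saves, a temp-file rename, an update check.
BENIGN_EDITOR = (
    [FileEvent("write", f"/home/user/docs/draft{i}.docx", PLAINTEXT_BLOB) for i in range(3)]
    + [FileEvent("rename", "/home/user/docs/draft0.docx.tmp", new_path="/home/user/docs/draft0.docx"),
       FileEvent("connect", "198.51.100.7:443")]
)

if __name__ == "__main__":
    for label, run in (("ransomware-like", RANSOMWARE_LIKE), ("benign editor", BENIGN_EDITOR)):
        print(label, classify(run))
```

The point the thresholds make is that no single signal is trusted: an outbound connection or one high-entropy write (a user zipping a folder) is ordinary, so the verdict requires the combination that a lessons-learned review would recognise as the ransomware pattern.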
2Fish
2 years, 3 months ago
Selected Answer: A
Ugh, these questions. Out of all of them, I will stick with A. It does not specifically mention "Real-Time Sandboxing", but I am choosing A because it is the best answer from all of the ones given. Real-time sandboxing technology allows for the immediate analysis and testing of potentially malicious files and software as they are accessed or executed on a system. This approach is designed to quickly identify and isolate any threats before they can cause harm to the system or spread to other computers on the network.
upvoted 3 times
SKYNETZ
1 year, 7 months ago
OK, I'm new to this and was unaware of real-time sandboxing. I was only familiar with a sandbox being in a test environment and not necessarily in a live environment.
upvoted 1 times
xyz47
2 years, 4 months ago
It's for sure not A. Sandboxing is used to analyze malware, not to mitigate potential effects. B is the way of mitigation, by covering the cost of recovering. C is a way of preventing, but not necessarily mitigating. D does not make sense. The only reasonable answer is the unexpected answer, B. You can try C as well, but I don't think CompTIA thinks of it as a mitigating technique. The mitigating technique regarding ransomware is mostly backups.
upvoted 2 times
G_f_b
2 years, 4 months ago
Selected Answer: C
Application blacklisting is the only option that mitigates. Sandboxing does nothing to mitigate; you already have an alert, and observing it in a sandbox won't help mitigate anything.
upvoted 3 times
Abyad
2 years, 7 months ago
Selected Answer: A
100% sure. Read this article: https://www.freecodecamp.org/news/how-to-enable-sandbox-on-windows/
upvoted 1 times
[Removed]
2 years, 9 months ago
Going with A as well. "Network-based sandboxing is a proven technique for detecting malware and targeted attacks. Network sandboxes monitor network traffic for suspicious objects..." https://www.gartner.com/reviews/market/network-sandboxing
upvoted 1 times
bigerblue2002
2 years, 9 months ago
Why not put sandboxing as the answer to most of these questions then? Sounds like it would take care of an actual ton of malware.
upvoted 2 times
miabe
2 years, 11 months ago
Selected Answer: A
looks good to me
upvoted 1 times
carlo479
3 years, 4 months ago
It should be A. Mitigation = Controls = Sandbox.
upvoted 4 times
vorozco
3 years, 6 months ago
I am now leaning toward A as the BEST option to mitigate the effects of the threat, while B should still be done (it's just not the BEST answer here). This ransomware threat would be classified as an unknown threat since it is a new variant (heuristic malware, which requires heuristic analysis in a sandbox). Thus, sandbox technology would mitigate the effects (aka consequences) of this unknown threat because it will hopefully prevent the malware from being executed on employee devices. Purchasing cyber insurance does not BEST mitigate the effects (aka consequences) of this unknown threat because it doesn't try to remediate the actual vulnerability. Rather, it allows the increased possibility (read the link below) of it happening again. We are likelier to avoid an entirely new attack if we just implement sandbox technology. If anything, suffering another ransomware attack has greater effects/consequences because it's also a blow to the company's image, and there's no telling if that can be mended. https://www.cbsnews.com/news/ransomware-victims-suffer-repeat-attacks-new-report/
upvoted 1 times
vorozco
3 years, 6 months ago
Unknown threat = heuristic analysis in a sandbox, from Brent Chapman's All-in-One book, pg. 20.
upvoted 1 times
CPT_IZZY
3 years, 9 months ago
Sandboxing is an approach used to detect malicious software based on its behavior rather than its signatures. Sandboxing solutions watch the host operating system and network for novel or odd behaviors and, when such behaviors are detected, they are able to immediately isolate problems in a special environment (a sandbox) where the code does not have access to any other systems or applications. The sandboxing solution then executes the code and watches how it behaves, checking to see if it begins scanning the network for other systems, gathering sensitive information, communicating with a command-and-control server, or performing any other potentially malicious activity. https://www.ucertify.com/?func=ebook&chapter_no=2#063hY
upvoted 3 times
magicbr3
3 years, 10 months ago
Lol A is the worst option
upvoted 2 times
dionysus
3 years, 11 months ago
The question asks us to mitigate the "effects" of this type of threat, which makes A look reasonable. During lessons-learned activities, the analyst determines the antivirus was able to alert to abnormal behavior, which means the sandboxing would be able to detect and "sandbox" the ransomware, thereby mitigating some of the effects.
upvoted 4 times
Practice_all
3 years, 11 months ago
A seems appropriate here, as it is asking for the actions to mitigate the effects of such threats. Sandboxing doesn't stop the threat here but can be used to isolate the issue.
upvoted 3 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other