Exam CS0-002 topic 1 question 93 discussion

Surprised it isn't D?

The answer is B I thought it was A at first, However after reading the following insert form Malwarebytes on the functions of a Endpoint Detection and Response, it definitely makes sense to go with B. EDR SUMMARY: This refers to EDR’s ability to capture images of an endpoint at various times and re-image or rollback to a previous good state in the event of an attack. EDR also gives administrators the option to isolate endpoints and prevent further spread across the network. Remediation and rollback can be automated, manual, or a combination of the two.

D. Logical network segmentation and the use of jump boxes

Always Patch your system, Is the first and most important rule and It is mandatory if you have to protect CRITICAL assets. That would have prevented any kind of spreaded infections.

I choose B because EDR could stop the infection at the host level, rather than allowing it to spread throughout the network segment before stopping the spread. I think D is good, but B is better especially the bigger the network segment gets.

In this scenario, the malware is originating from a single workstation with legitimate administrator credentials. By implementing logical network segmentation and the use of jump boxes, the spread of the malware could be contained to the segment of the network where the infected workstation is located, rather than allowing it to spread to critical systems across multiple segments. While vulnerability scans and proper patching (A), properly configured and updated EDR solutions (B), and honeynets used to catalog anomalous behavior and update IPS (C) are all important security measures, they would not be as effective in preventing the spread of the malware in this specific scenario as logical network segmentation and the use of jump boxes.

C. implementing logical network segmentation, critical systems can be isolated from other less critical systems and users, limiting the potential spread of malware.

I initially was leaning towards B because why wouldn't an EDR be able to detect and prevent infection? Microsoft Defender for Endpoint, for example, can perform Automated Investigation and Response (AIR) which includes isolating a device, quarantining files, etc. Also, it's mentioned the analyst who owns that workstation has valid admin creds, so has the malware escalated privileges and is it operating under that account? If so, would they just be able to connect to the jump host anyways? https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-auto-investigation?view=o365-worldwide#remediation-actions Given the details/context that this is more network based, however, I think the answer they want you to give is D (definitely a valid answer and should be part of the overall security posture regardless of the question).

chatGPT told me it's D

Going with D

I believe the answer to be A. This is my reasoning: "the workstation swept the network looking for vulnerable hosts to infect" - so we know that this is the trigger for this attack. "Which of the following would have worked BEST to prevent the spread of this infection?" - So which answer would be best to prevent this infection? A. Vulnerability scans of the network and proper patching - patching the vulnerable hosts would stop/prevent this from happening again.

Please read the question everyone. B will not stop the spread, it will prevent it from happening in the first place. Administrator credentials were exploited, the only option the prevents the SPREAD is D.

I think deploying and configuring the endpoint security is the best option

A honeynet is a network set up with intentional vulnerabilities hosted on a decoy server to attract hackers. They are expressly set up to attract and trap interlopers who attempt to penetrate other people's computer systems... If that machine was compromised with malware that scanned for targets that were vulnerable it would hit that honeynet and become trapped and thats that.. it would be stuck in there for the SOC to study and analyze for further review.

I selecting B for the following reasons: How EDR Works EDR security solutions use advanced techniques to proactively detect and respond to threats. Data Collection EDR tools install software agents on all devices and collect telemetry data from communications, queries, processes, and user logins which get stored in central logs. Data Analysis Behavioral analysis establishes a baseline of normal activity over time to help identify anomalies that represent malicious behavior. Response In case of a suspected breach, EDRs quarantine malware while isolating and testing the malicious file in a safe sandboxed environment.

The keyword here is to prevent the spread of the infection - can only be best acheived by use of network segmentation and use of jump boxes. Answer is D.

Using EDR, the threat hunters work proactively to hunt, investigate and advise on threat activity in your environment. When they find a threat, they work alongside your team to triage, investigate and remediate the incident, before it has the chance to become a full-blown breach https://www.crowdstrike.com/cybersecurity-101/endpoint-security/endpoint-detection-and-response-edr/#:~:text=Using%20EDR%2C%20the%20threat%20hunters,become%20a%20full%2Dblown%20breach.