An organization's hunt team thinks a persistent threat exists and already has a foothold in the enterprise network. Which of the following techniques would be BEST for the hunt team to use to entice the adversary to uncover malicious activity?
A. Deploy a SOAR tool.
B. Modify user password history and length requirements.
Decoy files, also known as honeypots, are fake assets that are designed to lure attackers into interacting with them, revealing their presence and potentially exposing their tactics, techniques, and procedures (TTPs). By placing decoy files on adjacent hosts, the hunt team can potentially lure the adversary into interacting with them, revealing their presence and potentially exposing their malicious activity.
A decoy file can include honeytokens and/or canary traps. These decoy files contain data that would be appealing to an adversary, such as user credentials, email addresses, account numbers, etc., but the data contained in the decoy file is fake. A decoy file could also include executables or "phone home" mechanisms to aid in the detection and analysis of their use. The purpose of the decoy file is to help aid in the detection of malicious activity, including the source.
Source:
Verifying each answer against ChatGPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but I am doing my due diligence.)
All of the options can be useful for the hunt team, but one technique that may be particularly effective in luring the adversary into revealing their activities is the implementation of decoy files on adjacent hosts. This technique involves placing files on the network that appear to be valuable or sensitive data, but are in fact traps that the attacker will be drawn to. The files can be designed to trigger alerts or log the attacker's actions when accessed, allowing the hunt team to gain insight into the attacker's tactics and techniques. Therefore, option D, "Implement decoy files on adjacent hosts," may be the best choice for enticing the adversary to uncover malicious activity.
This says that the threat "exists and already has a foothold in the ... network"; they don't need to be enticed, they are present. I would think they need to isolate the threat and watch them. Odds are they already know what they are there for too, and seeing new files might make them change their game. I am no pro though, just trying to understand the CompTIA game.
Agree with patinho777. Answer is D, as the keyword is "to use to entice the adversary".
upvoted 2 times
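As an added example (not from the discussion above or from any exam source), here is a minimal defender-side implementation of the decoy-file idea raised in the comments: fake credentials are planted in decoy files on adjacent hosts and recorded in a registry, and an alert is raised whenever an authentication log line uses one of them. The host names, log lines, and function names are constructed assumptions.

```python
import re
import secrets

def plant_honeytokens(hosts):
    """Return (registry, decoy_files) for the given decoy hosts (constructed names).

    Each decoy file looks like a saved-credentials note but holds only fake,
    randomly generated values. The registry maps each fake username back to
    the host whose decoy file it was planted in, so an alert can name the file.
    """
    registry, decoy_files = {}, {}
    for host in hosts:
        user = f"svc_backup_{secrets.token_hex(4)}"   # fake service account
        pwd = secrets.token_urlsafe(12)                 # fake password
        registry[user] = host
        decoy_files[host] = f"# saved creds, do not share\nuser={user}\npass={pwd}\n"
    return registry, decoy_files

# Extracts the account name from sshd-style lines and from lines carrying a
# Windows-style "Account Name:" field; only the username is needed to match.
_AUTH_RE = re.compile(
    r"(?:Account Name:\s*|Failed password for (?:invalid user )?|Accepted password for )"
    r"(?P<user>[A-Za-z0-9_.\-]+)"
)

def detect_honeytoken_use(log_lines, registry):
    """Return one alert per auth log line that uses a planted fake username.

    Any use at all is an alert: the credentials exist only inside decoy files,
    so the only way to learn them is to have read a decoy file.
    """
    alerts = []
    for line in log_lines:
        m = _AUTH_RE.search(line)
        if m and m.group("user") in registry:
            alerts.append({
                "user": m.group("user"),
                "planted_on": registry[m.group("user")],
                "evidence": line.strip(),
            })
    return alerts

# Constructed sample log lines: one attacker attempt with a planted username,
# one legitimate login, and one Windows-style failed logon with the same token.
SAMPLE_LOG = [
    "Jan 10 03:12:44 fs02 sshd[811]: Failed password for svc_backup_3fa19c02 from 10.0.5.23 port 51022 ssh2",
    "Jan 10 03:12:50 fs02 sshd[811]: Accepted password for jsmith from 10.0.1.9 port 51030 ssh2",
    "An account failed to log on. Account Name: svc_backup_3fa19c02 Source Network Address: 10.0.5.23",
]
```

Running `detect_honeytoken_use(SAMPLE_LOG, {"svc_backup_3fa19c02": "fs01"})` yields two alerts, both pointing at the decoy file on fs01 and carrying the raw log line as evidence.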