Exam CAS-004 topic 1 question 46 discussion

Actual exam question from CompTIA's CAS-004
Question #: 46
Topic #: 1

A company's SOC has received threat intelligence about an active campaign utilizing a specific vulnerability. The company would like to determine whether it is vulnerable to this active campaign.
Which of the following should the company use to make this determination?

  • A. Threat hunting
  • B. A system penetration test
  • C. Log analysis within the SIEM tool
  • D. The Cyber Kill Chain
Suggested Answer: B

Comments

kycugu
Highly Voted 2 years, 5 months ago
This is very simple... Pen-test to use the specific exploit to determine the result of the threat intelligence. Answer is B.
upvoted 8 times
...
Boats
Highly Voted 2 years, 8 months ago
Selected Answer: B
Pen testing tells you how an opponent could get into your environment. It emphasizes the potential damage of not hardening the environment by showing how different vulnerabilities might be exploited or identifying insecure IT practices. Threat hunting tells you who is already in your environment and what they're up to. It deals with the actual state of the environment and shows what threats are targeting the company. They're both methods used by defenders to bolster their security, but the former deals with possible scenarios which may lead to a breach, while the latter works backwards: first looking for a breach, then working backwards to a vulnerability.
upvoted 5 times
...
IT_Master_Tech
Most Recent 6 months, 3 weeks ago
A.
upvoted 1 times
...
grelaman
9 months ago
Selected Answer: A
The first step of threat hunting: Establishing a Hypothesis: For example, you might initiate a threat hunting project if your threat intelligence sources show that a new campaign type or adversary group has been identified, or that companies operating in similar markets have been hit by data breaches. (reference: The Official CompTIA CySA+ Student Guide)
upvoted 1 times
...
23169fd
10 months ago
Selected Answer: B
Threat Hunting: Best used when there is a need to quickly determine if an attack has already occurred or if there are signs of compromise related to the specific threat. Penetration Testing: Best used to validate whether the environment is susceptible to the specific vulnerability and to understand the potential impact and exploitability.
upvoted 4 times
...
Anarckii
1 year, 5 months ago
Selected Answer: B
"The company would like to determine whether it is vulnerable to this active campaign." The only way for them to determine this is by pentesting.
upvoted 3 times
...
imather
1 year, 9 months ago
Selected Answer: B
Threat hunting sounds like a good answer, but remember threat hunting is "proactively searching for cyber threats that are lurking undetected in a network." You look for unusual behavior and IOCs. Threat hunting is not a vulnerability assessment. You would pentest to determine if you were actually vulnerable. https://www.crowdstrike.com/cybersecurity-101/threat-hunting/
upvoted 1 times
...
BiteSize
1 year, 9 months ago
Selected Answer: B
Verify if the exploit works. Source: Verifying each answer against ChatGPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence.)
upvoted 2 times
...
AaronS1990
1 year, 11 months ago
Selected Answer: B
Pentest. This is the only way to be sure it is a genuine problem.
upvoted 2 times
...
CASP_Master
1 year, 12 months ago
A. Threat hunting would be the best option to determine whether the company is vulnerable to a specific active campaign. Threat hunting involves proactively searching through networks or endpoints to detect and isolate advanced threats that evade existing security solutions. By performing threat hunting, the company can identify any indicators of compromise (IoCs) or unusual activity that may be associated with the known vulnerability and active campaign. System penetration testing, log analysis, and the Cyber Kill Chain are all useful security techniques, but they are not specifically designed for identifying vulnerabilities in response to a specific active campaign.
upvoted 2 times
...
Geofab
2 years, 1 month ago
Selected Answer: B
Conducting a Pen Test seems the most logical to me.
upvoted 2 times
...
FoxTrotDG
2 years, 1 month ago
Selected Answer: C
The SIEM tool can be used to scan logs for evidence of the vulnerability, such as attempts to exploit it. If the vulnerability is present, the SIEM tool can also be used to identify the source of the attack and take steps to mitigate it. B is a close second. A pen test can be timely and expensive though. Also, a system pen test may not always be effective in finding vulnerabilities that have already been exploited. If an attacker has already exploited the vulnerability, they may have found a way to hide their activity from a pen test.
upvoted 1 times
FoxTrotDG
2 years, 1 month ago
Idk. I go back and forth between B and C. We're not concerned with whether or not the vulnerability within the company's network/systems has been exploited, only whether or not the company is actually vulnerable.
upvoted 2 times
...
...
ito4862
2 years, 4 months ago
Selected Answer: A
Actually my previous answer was wrong: this seems like the right answer. Hypothesis-driven investigations are often triggered by a new threat that’s been identified through a large pool of crowdsourced attack data, giving insights into attackers’ latest tactics, techniques, and procedures (TTP). Once a new TTP has been identified, threat hunters will then look to discover if the attacker’s specific behaviors are found in their own environment. https://www.crowdstrike.com/cybersecurity-101/threat-hunting/
upvoted 1 times
...
ito4862
2 years, 4 months ago
Selected Answer: D
Would this not be using the Cyber Kill Chain? The question mentions a group using a specific vulnerability. From the website: The seven steps of the Cyber Kill Chain® enhance visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques and procedures. Threat hunting means they are looking for adversaries already in the system and a system penetration seems to be overkill when you know the actual exploit.
upvoted 1 times
...
Community vote distribution: A (35%), C (25%), B (20%), Other