A threat hunting team received a new IoC from an ISAC that follows a threat actor's profile and activities. Which of the following should be updated NEXT?
Our alert sources must be updated first (going with D here).
I do work for a SOC, and when we receive feeds of IOCs we update our set of rules in order to detect potential related activity. Sometimes an alert triggers but the traffic is automatically blocked by the firewall, so we don't need to blacklist first.
When a threat hunting team receives a new Indicator of Compromise (IoC) that follows a threat actor's profile and activities, the next action should be to update the relevant security controls to detect and mitigate the identified threat. In this context, the most appropriate update would be to: D. The IDS signature
Updating the Intrusion Detection System (IDS) signature will help the security system recognize and alert on the specific indicators associated with the threat actor's activities. This ensures that the organization's security infrastructure is better prepared to detect and respond to potential threats.
Blocking the malicious entities for immediate damage control is the primary step, followed by updating the IDS signatures. These two actions are equally vital, embodying both due diligence and due care in fortifying cybersecurity measures.
C is the most crucial here
When a threat hunting team receives a new Indicator of Compromise (IoC) from an Information Sharing and Analysis Center (ISAC) that follows a threat actor's profile and activities, the next step should typically involve updating the relevant security controls to enhance detection and protection against the threat. In this context, the most appropriate next action would be:
Updating the IDS signature allows the security team to proactively detect and respond to the specific threat associated with the new IoC. By incorporating this IoC into the IDS signature, the system can better identify and alert on potential threats related to the threat actor's profile and activities.
Block list... That's a threat actor IOC... I sure would like to block, PREVENT them... An IDS wouldn't prevent, but detect. I believe I will go for Block list.
The threat hunting team has received a new IoC from an ISAC (Information Sharing and Analysis Center) that follows a threat actor's profile and activities. The team needs to take immediate action to prevent any potential damage. The first step is to update the IDS (Intrusion Detection System) signature. IDS systems are network security appliances that monitor network traffic for signs of suspicious behavior. Updating the IDS signature allows it to recognize and alert the team to any network traffic that matches the IoC.
Once the IDS signature has been updated, the team can move on to other tasks, such as updating the blocklist, DNS, or whitelist, depending on the specific circumstances of the IoC.
D. The IDS signature should be updated next.
A threat hunting team typically uses Indicators of Compromise (IoCs) to identify potential threats or malicious activity in their network. In this scenario, the team has received a new IoC from an Information Sharing and Analysis Center (ISAC) that is related to a known threat actor's profile and activities.
To leverage this new information, the team should update their Intrusion Detection System (IDS) signature to include this IoC. This allows the IDS to identify and alert on any traffic that matches the IoC, providing an early warning of potential threats in the network.
While updating the whitelist, DNS, and blocklist are also important steps in securing the network, they are not the most immediate and critical next step in response to a new IoC.
ChatGPT
"An indicator of compromise (IoC) is a residual sign that an asset or network has been successfully attacked or is continuing to be attacked."
Prevent THEN update the detection signature. ANSWER C.
IDS = only detects and logs
Blocklist = prevents and also logs
Why not block a known IOC from a trusted source such as an ISAC? Why choose to only detect? It may be too late for your IR teams to respond if you wasted the intelligence in advance and did not configure any action to be taken against the known IOC.
Also, when doing blocklisting, there's this thing called a "retroactive alert", where even if you have delayed the input of the IOC into the blocklist, "some" products may be able to catch it from the available historical data, if it has already affected your environment.
Agree on D.
The question says that they received an IoC from the ISAC -- this does not mean that their organization is compromised, only that there is a new threat to be aware of in the wider world. As others have mentioned, an IoC is not necessarily a blockable IP address, but rather behaviour patterns and other indicators, so updating the IDS to detect these indicators is the only thing that makes sense.
D. The IDS signature
The next step after receiving a new Indicator of Compromise (IoC) from an Information Sharing and Analysis Center (ISAC) should be to update the Intrusion Detection System (IDS) signature. The IDS is a key component of an organization's security infrastructure that is designed to detect and alert on malicious activity on the network. By updating the IDS signature with the new IoC, the threat hunting team can be better prepared to detect and respond to the activities of the identified threat actor. Other updates, such as to the whitelist, blocklist, or DNS, may also be necessary depending on the specific threat and the organization's security posture, but updating the IDS signature should be the first step to ensure that the organization is prepared to detect and respond to the identified threat.
D should be the answer. The IoC could be a number of things, not necessarily a "blockable" IP address. Updating the IDS signature helps the IDS to catch the indicator, from whatever source it originates from.
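Several posts above make two related points: an IoC from an ISAC is not always a blockable address (it may be a domain, a file hash or a behavioural pattern such as a user-agent string), and a new indicator should also be swept over historical logs, the "retroactive alert" case. The script below is an added example, not code from the exam discussion or from any ISAC tooling. It triages a constructed feed into IDS signatures (every indicator type), a network blocklist (only addressable indicators) and endpoint hash lists, then runs the indicators over constructed log lines. The rule text follows Suricata's syntax, but the sids, feed values and log lines are placeholders built for illustration.

```python
"""Triage of a constructed ISAC-style IoC feed: every indicator becomes an
IDS signature, only addressable network indicators can also be blocklisted,
and the new indicators are swept over historical logs. Added example, not
from the exam discussion; feed, logs and rule text are constructed."""
import ipaddress
from dataclasses import dataclass, field

# Constructed feed, not a real ISAC publication. Values use reserved
# documentation ranges (TEST-NET-3, .example) so they resolve to nothing.
IOC_FEED = [
    ("ipv4", "203.0.113.45"),
    ("domain", "update-check.example"),
    ("sha256", "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"),
    ("user-agent", "TrojanBeacon/1.0"),
]

# Constructed historical log lines standing in for DNS and proxy logs.
HISTORICAL_LOGS = [
    "2024-03-01T10:02:11Z dns client=10.0.0.7 query=update-check.example",
    "2024-03-01T10:02:12Z proxy client=10.0.0.7 dst=203.0.113.45 ua=TrojanBeacon/1.0",
    "2024-03-01T10:05:00Z dns client=10.0.0.9 query=www.example.org",
]


@dataclass
class Triage:
    ids_rules: list = field(default_factory=list)     # detection (the "D" answer)
    blocklist: list = field(default_factory=list)     # prevention (the "C" answer)
    file_hashes: list = field(default_factory=list)   # endpoint / file-scan controls
    behavioural: list = field(default_factory=list)   # detect-only patterns


def triage_feed(feed, base_sid=9000000):
    """Map each indicator type onto the controls that can actually use it.
    Rule text follows Suricata's syntax; sids are constructed placeholders."""
    t = Triage()
    for n, (kind, value) in enumerate(feed, start=1):
        sid = base_sid + n
        if kind == "ipv4":
            ipaddress.ip_address(value)  # raises ValueError on a malformed feed entry
            t.ids_rules.append(
                f'alert ip any any -> {value} any (msg:"ISAC IoC ip"; sid:{sid}; rev:1;)')
            t.blocklist.append(value)
        elif kind == "domain":
            t.ids_rules.append(
                f'alert dns any any -> any any (msg:"ISAC IoC domain"; dns.query; '
                f'content:"{value}"; nocase; sid:{sid}; rev:1;)')
            t.blocklist.append(value)
        elif kind == "sha256":
            # A hash is not a network address: nothing to put on a network
            # blocklist; it goes to endpoint or file-inspection controls.
            t.file_hashes.append(value.lower())
        elif kind == "user-agent":
            # Behavioural indicator: the IDS can match it, but there is no
            # address or name to block.
            t.ids_rules.append(
                f'alert http any any -> any any (msg:"ISAC IoC user-agent"; '
                f'http.user_agent; content:"{value}"; sid:{sid}; rev:1;)')
            t.behavioural.append(value)
        else:
            raise ValueError(f"unsupported indicator type {kind!r}")
    return t


def retroactive_sweep(logs, triage):
    """Run the new indicators over logs recorded before the feed arrived.
    A hit means the indicator was already present in the environment, which
    is the 'retroactive alert' case and should open an incident, not just
    a block. Returns (line_number, indicator) pairs."""
    needles = triage.blocklist + triage.behavioural
    hits = []
    for lineno, line in enumerate(logs, start=1):
        for needle in needles:
            if needle.lower() in line.lower():
                hits.append((lineno, needle))
    return hits


if __name__ == "__main__":
    result = triage_feed(IOC_FEED)
    print("\n".join(result.ids_rules))
    print("blocklist:", result.blocklist)
    print("retroactive hits:", retroactive_sweep(HISTORICAL_LOGS, result))
```

Run as-is, the feed yields three IDS rules but only two blocklist entries, and the sweep reports hits on the two lines from client 10.0.0.7, which is why the detection update and the retroactive check matter regardless of which control is updated first.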
After receiving a new IoC (Indicator of Compromise) from an ISAC (Information Sharing and Analysis Center) that follows a threat actor's profile and activities, the next step for the threat hunting team should be to update the blocklist.
A blocklist is a list of known malicious IP addresses, domains, or other indicators of compromise that are used to block or filter out potentially harmful traffic. By updating the blocklist with the new IoC, the threat hunting team can prevent the threat actor from accessing the network or other resources.
The correct answer is C: The blocklist.
CS0-002 Exam Questions
Community vote distribution: A (35%), C (25%), B (20%), Other