A. Halt the penetration test.
This is not the best response because halting the test without further investigation might not be necessary and could delay the security assessment process.
B. Conduct an incident response.
This is not the best response because it might be premature to initiate an incident response without first verifying if the alarm was caused by the penetration test.
C. Deconflict with the penetration tester.
This is the correct response. Deconflicting means communicating with the penetration tester to verify if the alarm was caused by their activities. This is an important step to determine if the alarm is legitimate or part of the test.
D. Assume the alert is from the penetration test.
This is not the best response because assuming without verifying could lead to ignoring a real security incident.
C. Deconflict with the penetration tester.
This step allows the company to verify whether the alarms were triggered by the authorized penetration test or if there may be a real security incident. After confirming with the penetration tester, they can decide on the appropriate next steps, such as halting the test or conducting an incident response if needed.
D. Assume the alert is from the penetration test.
Here's why this is the appropriate action:
Assume the alert is from the penetration test: During a penetration test, it's common for security measures such as intrusion detection systems (IDS), intrusion prevention systems (IPS), or other monitoring tools to detect the activities of the penetration tester. These systems are designed to flag suspicious or anomalous behavior, which includes the actions taken by the penetration tester to identify vulnerabilities. Therefore, the company should initially assume that the triggered alarms are a result of the ongoing penetration test.
I think it's C, the client needs to speak with the pentest team. Assuming is the worst thing you can do. Assuming a breach is a pentester could lead to real ransomware threats nowadays. You can't assume anything.
I believe doing incident response should be the default in any case, because usually teams are supposed to respond anyway. Once they identify (and don't wait around if the pentester may not be quickly reachable), they can deconflict whether what they found is what the pentester is testing or if it is outside the scope (in which case they don't even need to deconflict with the pentester). Incident response first makes the most sense; you never know when a hacker is aware of a pentest going on at a company (because he already compromised them) and decides to use the event as cover for actual damage.
C. Deconflict with the penetration tester: Before taking any further action, it is crucial to confirm whether the triggered security alarms are part of the authorized penetration testing activities. This ensures that there is no misunderstanding and that legitimate testing activities are not mistaken for actual security incidents.
Analysis of Other Options:
A. Halt the penetration test: Halting the test immediately may be unnecessary and could disrupt the planned activities. It should only be considered if deconfliction confirms that the alerts are not part of the test or if there is an immediate threat.
B. Conduct an incident response: Conducting a full incident response may be premature if the alarms are indeed part of the penetration test. Deconfliction should occur first.
D. Assume the alert is from the penetration test: Making assumptions without confirmation could be dangerous if the alerts are actually from a real security incident.
Wouldn't the company need to investigate the alarm so that they can then deconflict? And isn't investigating an alarm a "response," so to speak? Full-blown response, no, but... CompTIA is fun.
C gets you to the quickest answer on whether it was the pen-tester or not. Going with incident response can waste time and resources when a simple call to de-conflict can get you the correct answer faster. If the pen-tester states that it wasn't him, you can then start incident response; if it was, you can still document, but you know the answer to what happened.
When security alarms are triggered during a penetration test, it is possible that a real security incident has occurred. Therefore, the company should conduct an incident response to investigate the alarms and determine whether any actual security breach has taken place.
The company should next conduct an incident response. An incident response is a process that helps the company investigate and identify the source of the security alarms that were triggered to determine whether it was a false alarm or a genuine threat. If it is determined that the alert is from the penetration test, then the company can work with the penetration tester to deconflict or adjust the testing parameters as needed.
Deconflicting with the penetration tester should not be done first because it is important to investigate the source of the alert and determine whether it is a false alarm or a genuine threat before making any changes to the testing parameters. An incident response process helps the company do this, and it is the best course of action to take first in order to determine the cause of the security alarms.
In situations like these, you follow procedure. You first follow the incident response by opening a ticket based on the event generated. Since an IDS is most likely to have triggered this event, you open the ticket and investigate. Then you check if there are any pen tests happening that week/day, and only then do you check with the pentester.
Regardless of the reason, you never know whether an alert is an attack or a pentest until you've followed the incident response process. Then you can close the ticket/ignore the alert once you've gotten confirmation from the pentester.
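The triage flow described in the two comments above (open a ticket first, then check whether an authorized pentest is running, then deconflict only when the alert plausibly belongs to it, and go straight to full incident response when it is outside the declared scope or window) can be made mechanical. The following is an added example, not code from the ExamTopics thread or from any commenter; the engagement record, its contact field, the TEST-NET sample addresses and the alert lines are all constructed for illustration.

```python
"""Alert-vs-engagement deconfliction check (added example, not from the thread).

Assumed (hypothetical) SOC data model: each authorized penetration test is recorded
with a time window, the source ranges the testers declared in the rules of engagement,
and a deconfliction contact. Every alert opens a ticket; the only question this code
answers is whether that ticket should start with a deconfliction call or with a full
incident response. Sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Engagement:
    name: str
    start: datetime
    end: datetime
    source_cidrs: List[str]   # tester infrastructure declared in the rules of engagement
    contact: str              # who to call to deconflict


@dataclass
class Alert:
    alert_id: str
    when: datetime
    src_ip: str
    rule: str


@dataclass
class Triage:
    alert_id: str
    action: str               # "open_ticket_and_deconflict" or "open_ticket_full_ir"
    reason: str
    contact: Optional[str]


def within_window(eng: Engagement, when: datetime) -> bool:
    return eng.start <= when <= eng.end


def in_declared_scope(eng: Engagement, src_ip: str) -> bool:
    addr = ip_address(src_ip)
    return any(addr in ip_network(cidr) for cidr in eng.source_cidrs)


def triage(alert: Alert, engagements: List[Engagement]) -> Triage:
    """A ticket is always opened. Route to deconfliction only when an authorized
    engagement is active at the alert time AND the source matches its declared
    infrastructure; anything else is treated as a real incident until proven otherwise."""
    for eng in engagements:
        if within_window(eng, alert.when) and in_declared_scope(eng, alert.src_ip):
            return Triage(
                alert.alert_id, "open_ticket_and_deconflict",
                f"source {alert.src_ip} matches engagement '{eng.name}' inside its window; "
                f"confirm with the tester before closing the ticket",
                eng.contact,
            )
    return Triage(
        alert.alert_id, "open_ticket_full_ir",
        f"no active engagement covers source {alert.src_ip} at {alert.when.isoformat()}; "
        f"treat as a real incident",
        None,
    )


# Constructed sample engagement: one external test, TEST-NET-3 as declared tester range.
UTC = timezone.utc
SAMPLE_ENGAGEMENTS = [
    Engagement("Q3 external pentest (sample)",
               datetime(2024, 6, 10, 0, 0, tzinfo=UTC),
               datetime(2024, 6, 14, 23, 59, tzinfo=UTC),
               ["203.0.113.0/24"],
               "pentest-lead@example.test (sample contact)"),
]

# Constructed sample alerts: in scope/in window, out of scope, and in scope/out of window.
SAMPLE_ALERTS = [
    Alert("A-1", datetime(2024, 6, 11, 14, 5, tzinfo=UTC), "203.0.113.7", "IDS: port scan"),
    Alert("A-2", datetime(2024, 6, 11, 14, 9, tzinfo=UTC), "198.51.100.9", "IDS: port scan"),
    Alert("A-3", datetime(2024, 6, 20, 9, 30, tzinfo=UTC), "203.0.113.7", "IDS: web shell upload"),
]


def run_sample() -> List[Triage]:
    return [triage(a, SAMPLE_ENGAGEMENTS) for a in SAMPLE_ALERTS]


if __name__ == "__main__":
    for t in run_sample():
        print(f"{t.alert_id}: {t.action} ({t.reason}) contact={t.contact}")
```

Only A-1 is routed to a deconfliction call; A-2 comes from an address the testers never declared, and A-3 uses a declared address but after the engagement ended, which is exactly the "attacker using the pentest as cover" case the comment above warns about. A source address match is a routing hint, not proof: the ticket still stays open until the tester confirms the specific activity.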
B. Conduct an incident response.
The company should conduct an incident response to determine the cause of the security alarm trigger. It is important to investigate the issue to determine whether it is related to the penetration test or if there is an actual security breach. Halting the penetration test, deconflicting with the penetration tester, or assuming the alert is from the test without investigating could potentially put the company at risk.
PT0-002 Exam Questions
Community vote distribution: A (35%), C (25%), B (20%), Other
Comment authors and posting times as shown on the page:
fuzzyguzzy, 9 months ago
MeisAdriano, 9 months ago
fuzzyguzzy, 9 months, 1 week ago
Jay39, 9 months, 2 weeks ago
pizzaThyme, 9 months ago
Slick0, 10 months ago
Etc_Shadow28000, 10 months, 1 week ago
yeti87, 1 year, 2 months ago
[Removed], 1 year, 3 months ago
Skater_Grace, 1 year, 6 months ago
scweeb, 1 year, 9 months ago
KingIT_ENG, 2 years, 1 month ago
cy_analyst, 2 years, 1 month ago
KingIT_ENG, 2 years, 1 month ago
[Removed], 2 years, 1 month ago
nickwen007, 2 years, 1 month ago
[Removed], 2 years, 1 month ago
boxv4, 1 year, 8 months ago
[Removed], 2 years, 1 month ago
[Removed], 2 years, 2 months ago
RRabbit_111, 2 years, 3 months ago
RRabbit_111, 2 years, 3 months ago
BOYA2022, 2 years, 4 months ago
Masco, 2 years, 5 months ago