Which of the following methodologies would BEST help the company to meet this objective?

A company has adopted and established a continuous-monitoring capability, which has proven to be effective in vulnerability management, diagnostics, and mitigation. The company wants to increase the likelihood that it is able to discover and therefore respond to emerging threats earlier in the life cycle.
Which of the following methodologies would BEST help the company to meet this objective? (Choose two.)
A. Install and configure an IPS.
B. Enforce routine GPO reviews.
C. Form and deploy a hunt team.
D. Institute heuristic anomaly detection.
E. Use a protocol analyzer with appropriate connectors.


8 thoughts on “Which of the following methodologies would BEST help the company to meet this objective?”

    1. After doing more research and coming back to this question, I believe the answer is CD, but the question is a bad question.

      Explanation:
      D is obviously one of the correct answers.
      The gray area is that it doesn't specify what kind of heuristic detection device would be used. It could be either an EDR or an IPS. EDRs are IPSs on steroids. They can include threat hunting inside the solution. Therefore, if the heuristic anomaly detection device implemented was an EDR, this would cover C. It would be easier and more cost effective as well. BUT why would you need an EDR along with an IPS? You wouldn't. This makes me think that D is referring to a heuristic IPS device. Along with this, assembling a threat hunting team would be the best way to detect and respond to threats early.

      Just my thoughts/breakdown. May be thinking too in-depth, but the question is bad.

      1. Also, gotta think that IPSs deal with networking (packets and what is coming across the wire), while EDRs deal with behavior analysis and threat databases. Idk, the answer could be AD or CD. Hopefully the exam doesn't have this question.

  1. CD or AD, hard to decide. “increase the likelihood… to discover and respond to emerging threats earlier.”
    A. Install and configure an IPS. (Intrusion Prevention System could be an enhancement, but company already “established a continuous-monitoring capability..”)
    B. Enforce routine GPO reviews. (GPO is useless in this scenario)
    C. Form and deploy a hunt team. (an addition of hunt team would increase discovery and respond)
    D. Institute heuristic anomaly detection. (definitely this one)
    E. Use a protocol analyzer with appropriate connectors. (does not detect and automatically id threat)

  2. I would definitely choose D.
    However, I was in doubt between A (IPS) and C (hunt team).

    From CASP official material:

    “Hunt teaming is yet another technique that facilitates incident response. Instead of passively monitoring entities and systems, a team of security personnel will actively “hunt” for indicators of compromise in a particular environment. This is based on the assumption that you may already be compromised, even if you don’t notice any overt signs of an incident. A hunt team will typically examine hosts and network activity for evidence of command and control (C&C) channels used in a botnet; unusual registry keys that could indicate persistent malware; rogue hardware that is attached to the network; suspicious or unusual network port and protocol usage; unauthorized accounts; and more.”

    Company’s objective: discover and respond to emerging threats earlier in the life cycle

    I would rather choose C (hunt team).
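The comments above weigh option D (heuristic anomaly detection) against option C (a hunt team). As an added illustration that is not part of any commenter's post or of the CASP material, the Python below shows what a minimal heuristic anomaly detector of the kind option D describes looks like when run over constructed network-flow records: it learns a per-host baseline of destination ports and hourly outbound volume from a "normal" week, then flags a host using a port it has never used and a host whose egress volume deviates by more than a z-score threshold. The host names, ports and byte counts are constructed sample data, and the two rules are assumptions chosen for the example; the flagged items are exactly the kind of lead (unusual port usage, abnormal volume) that the hunt team in option C would pick up and investigate rather than treat as a verdict.

```python
from collections import defaultdict
from dataclasses import dataclass
import statistics


@dataclass(frozen=True)
class Flow:
    hour: int       # hour index within the observation window
    src: str        # internal host name (constructed)
    dst_port: int   # destination port of the outbound connection
    bytes_out: int  # bytes sent by src in that flow


# Constructed baseline: one week of routine traffic for two hosts.
BASELINE = []
for _h in range(24 * 7):
    BASELINE.append(Flow(_h, "ws01", 443, 20_000 + (_h % 5) * 1_000))
    BASELINE.append(Flow(_h, "ws01", 53, 300))
    BASELINE.append(Flow(_h, "db01", 5432, 50_000 + (_h % 3) * 2_000))
    BASELINE.append(Flow(_h, "db01", 443, 5_000))

# Constructed observation window: ws01 opens a port it has never used, and
# db01 sends far more over 443 in one hour than its baseline ever did.
OBSERVED = [
    Flow(200, "ws01", 443, 21_000),
    Flow(200, "ws01", 53, 300),
    Flow(200, "ws01", 4444, 512),
    Flow(201, "ws01", 4444, 512),
    Flow(200, "db01", 5432, 52_000),
    Flow(200, "db01", 443, 900_000),
]


def build_baseline(flows):
    """Learn, per host, the set of ports seen and, per (host, port), the mean
    and population standard deviation of hourly outbound bytes."""
    ports = defaultdict(set)
    hourly = defaultdict(lambda: defaultdict(int))  # (host, port) -> hour -> bytes
    for f in flows:
        ports[f.src].add(f.dst_port)
        hourly[(f.src, f.dst_port)][f.hour] += f.bytes_out
    stats = {}
    for key, per_hour in hourly.items():
        values = list(per_hour.values())
        stats[key] = (statistics.fmean(values), statistics.pstdev(values))
    return ports, stats


def detect(flows, ports, stats, z_threshold=3.0):
    """Apply two heuristics and return (rule, host, port, detail) findings:
    new_port: the host never used this destination port in the baseline;
    volume:   hourly bytes on a known (host, port) deviate from the baseline
              mean by more than z_threshold standard deviations."""
    findings = []
    new_ports_seen = set()
    hourly = defaultdict(lambda: defaultdict(int))
    for f in flows:
        key = (f.src, f.dst_port)
        if f.dst_port not in ports.get(f.src, set()):
            if key not in new_ports_seen:  # report each unknown port once
                new_ports_seen.add(key)
                findings.append(("new_port", f.src, f.dst_port,
                                 f"first seen hour {f.hour}"))
            continue  # no baseline statistics exist for an unknown port
        hourly[key][f.hour] += f.bytes_out
    for key, per_hour in hourly.items():
        mean, stdev = stats[key]
        # Floor the spread so a perfectly constant baseline neither divides
        # by zero nor flags every tiny fluctuation.
        scale = max(stdev, 0.05 * mean, 1.0)
        for hour, total in per_hour.items():
            z = (total - mean) / scale
            if abs(z) > z_threshold:
                findings.append(("volume", key[0], key[1],
                                 f"hour {hour}: {total} bytes, z={z:.1f}"))
    return findings


def run_example():
    """Train on the constructed baseline and score the observation window."""
    ports, stats = build_baseline(BASELINE)
    return detect(OBSERVED, ports, stats)


if __name__ == "__main__":
    for rule, host, port, detail in run_example():
        print(f"{rule:9} {host} port {port}: {detail}")
```

Running it produces two findings: a `new_port` lead for ws01 on port 4444 and a `volume` lead for db01 on port 443. The routine hourly variation baked into the baseline (ws01's 443 traffic swinging between 20,000 and 24,000 bytes) is not flagged, which is the point of scoring against a learned spread rather than a fixed threshold. A real deployment would feed flows from a collector, persist the baseline, and let it age, but the structure (baseline, deviation rule, human review) is the same.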
