Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) — Question 267
A SOC analyst, using Cisco Stealthwatch, detected connections to a known C&C server and port scanning activity against the main HR database servers originating from one of the HR endpoints. According to the NIST SP 800-61 incident handling process, what are the SOC team's two next steps? (Choose two.)
Answer options
- A. Update antivirus signature databases on affected endpoints to block connections to C&C.
- B. Isolate affected endpoints and take disk images for analysis.
- C. Block connection to this C&C server on the perimeter next-generation firewall.
- D. Provide security awareness training to HR managers and employees.
- E. Detect the attack vector and analyze C&C connections.
Correct answer: B, C
Explanation
The correct steps are to isolate the affected endpoints and take disk images for forensic analysis (B), and to block the connection to the C&C server at the perimeter next-generation firewall (C). Both are containment actions in the NIST SP 800-61 Containment, Eradication and Recovery phase: isolation stops the compromised host from scanning the HR database servers and preserves evidence, while the firewall block severs the attacker's command channel. Updating antivirus signatures (A) and providing security awareness training (D) do not directly address the immediate threat response, and analyzing the C&C connections (E) is part of the subsequent investigation rather than an immediate action.