Performing CyberOps Using Cisco Security Technologies (CBRCOR) — Question 73
A security analyst receives an escalation regarding an unidentified connection on the Accounting A1 server within a monitored zone. The analyst pulls the logs and discovers that a PowerShell process and a WMI tool process were started on the server after the connection was established, and that a PE format file was created in the system directory. What is the next step the analyst should take?
Answer options
- A. Isolate the server and perform forensic analysis of the file to determine the type and vector of a possible attack
- B. Identify the server owner through the CMDB and contact the owner to determine if these were planned and identifiable activities
- C. Review the server backup and identify server content and data criticality to assess the intrusion risk
- D. Perform behavioral analysis of the processes on an isolated workstation and perform cleaning procedures if the file is malicious
Correct answer: A
Explanation
The correct answer is A because isolating the server and conducting forensic analysis is crucial to understand the nature of the attack and the threat posed by the PE format file. Options B and C focus on communication and risk assessment rather than on immediate containment and investigation. Option D does involve analysis, but it isolates a workstation rather than the affected server and does not prioritize the forensic examination that a possible attack requires.