Performing CyberOps Using Cisco Security Technologies (CBRCOR) — Question 80

A SOC engineer discovers that the organization had three DDOS attacks overnight. Four servers are reported offline, even though the hardware seems to be working as expected. One of the offline servers is affecting the pay system reporting times. Three employees, including executive management, have reported ransomware on their laptops. Which steps help the engineer understand a comprehensive overview of the incident?

Answer options

• A. Run and evaluate a full packet capture on the workloads, review SIEM logs, and define a root cause.
• B. Run and evaluate a full packet capture on the workloads, review SIEM logs, and plan mitigation steps.
• C. Check SOAR to learn what the security systems are reporting about the overnight events, research the attacks, and plan mitigation step.
• D. Check SOAR to know what the security systems are reporting about the overnight events, review the threat vectors, and define a root cause.

Correct answer: D

Explanation

The correct answer is D because checking SOAR provides insights into the security systems' reports, which is crucial for understanding the incident. Reviewing threat vectors helps identify the avenues of attack, and defining a root cause is essential for addressing the underlying issues. Options A and B focus on packet capture and SIEM logs without addressing the immediate incident context. Option C lacks the emphasis on defining a root cause, which is critical for long-term solutions.