Performing CyberOps Using Cisco Security Technologies (CBRCOR) — Question 99
A SOC analyst is investigating a recent email delivered to a high-value user for a customer whose network their organization monitors. The email includes a suspicious attachment titled `Invoice RE: 0004489`. The hash of the file is gathered from the Cisco Email Security Appliance. After searching Open Source Intelligence, no available history of this hash is found anywhere on the web. What is the next step in analyzing this attachment to allow the analyst to gather indicators of compromise?
Answer options
- A. Run and analyze the DLP Incident Summary Report from the Email Security Appliance
- B. Ask the company to execute the payload for real time analysis
- C. Investigate further in open source repositories using YARA to find matches
- D. Obtain a copy of the file for detonation in a sandbox
Correct answer: D
Explanation
The correct answer is D because obtaining a copy of the file for detonation in a sandbox allows for safe execution and analysis of the attachment to observe its behavior and gather indicators of compromise. Option A does not provide direct analysis of the suspicious attachment. Option B is risky as it involves executing potentially malicious code on a live system. Option C may yield results but is less effective than directly analyzing the file in a controlled environment.