CompTIA CASP+ (CAS-004) — Question 156
An analyst received a list of IOCs from a government agency. The attack has the following characteristics:
1. The attack starts with bulk phishing.
2. If a user clicks on the link, a dropper is downloaded to the computer.
3. Each of the malware samples has unique hashes tied to the user.
The analyst needs to identify whether existing endpoint controls are effective. Which of the following risk mitigation techniques should the analyst use?
Answer options
- A. Update the incident response plan.
- B. Blocklist the executable.
- C. Deploy a honeypot onto the laptops.
- D. Detonate in a sandbox.
Correct answer: D
Explanation
The correct answer is D. Detonating a sample in a sandbox lets the analyst observe the malware's behavior in a controlled environment without exposing production systems, and then check whether the existing endpoint controls detect or block that behavior. Option A is incorrect because updating the incident response plan does not assess endpoint controls. Option B is unsuitable because each sample has a unique hash, so blocklisting one executable would not cover the other variants. Option C is incorrect because deploying a honeypot does not help evaluate the effectiveness of the existing controls.