CompTIA SecurityX (CAS-005) — Question 50

The principal security analyst for a global manufacturer is investigating a security incident related to abnormal behavior in the ICS network. A controller was restarted as part of the troubleshooting process, and the following issue was identified when the controller was restarted:
SECURE BOOT FAILED:
FIRMWARE MISMATCH EXPECTED UXFDC479 ACTUAL 0x79F31B
During the investigation, this modified firmware version was identified on several other controllers at the site. The official vendor firmware versions do not have this checksum. Which of the following stages of the MITRE ATT&CK framework for ICS includes this technique?

Answer options

• A. Evasion
• B. Persistence
• C. Collection
• D. Lateral movement

Correct answer: B

Explanation

The correct answer is B, Persistence, as the presence of modified firmware indicates an attempt to maintain a foothold in the system. This is not an evasion technique (A), which focuses on avoiding detection, nor does it pertain to Collection (C), which involves gathering information. Lateral movement (D) describes the process of moving through the network rather than maintaining access with modified firmware.