CompTIA CySA+ (CS0-001) — Question 49

A threat intelligence analyst who works for a financial services firm received this report:
"There has been an effective waterhole campaign residing at www.bankfinancecompsoftware.com. This domain is delivering ransomware. This ransomware variant has been called "LockMaster" by researchers due to its ability to overwrite the MBR, but this term is not a malware signature. Please execute a defensive operation regarding this attack vector."
The analyst ran a query and has assessed that this traffic has been seen on the network. Which of the following actions should the analyst do NEXT? (Choose two.)

Answer options

• A. Advise the firewall engineer to implement a block on the domain
• B. Visit the domain and begin a threat assessment
• C. Produce a threat intelligence message to be disseminated to the company
• D. Advise the security architects to enable full-disk encryption to protect the MBR
• E. Advise the security analysts to add an alert in the SIEM on the string "LockMaster"
• F. Format the MBR as a precaution

Correct answer: B, D

Explanation

The correct actions are B and D. Visiting the domain for a threat assessment is crucial to understand the nature of the attack and potential impacts. Enabling full-disk encryption is also a proactive step to protect against MBR overwriting. The other options, while relevant, do not address immediate assessment and protection needs as effectively.