Google Cloud Professional Security Operations Engineer — Question 10
Your team is responsible for cybersecurity for a large multinational corporation. You have been tasked with identifying unknown command and control nodes (C2s) that are potentially active in your organization's environment. You need to generate a list of potential matches within the next 24 hours. What should you do?
Answer options
- A. Write a rule in Google Security Operations (SecOps) that scans historic network outbound connections against ingested threat intelligence. Run the rule in a retrohunt against the full tenant.
- B. Load network records into BigQuery to identify endpoints that are communicating with domains outside three standard deviations of normal.
- C. Review Security Health Analytics (SHA) findings in Security Command Center (SCC).
- D. Write a YARA-L rule in Google Security Operations (SecOps) that compares network traffic of endpoints to low prevalence domains against recent WHOIS registrations.
Correct answer: D
Explanation
The correct answer is D because writing a YARA-L rule allows for detailed analysis of network traffic against specific criteria, which is essential for identifying command and control nodes. Option A focuses on historic data, which may not yield timely results, while B is more about statistical anomalies rather than direct C2 identification. Option C involves reviewing existing findings, which does not actively generate new matches within the required timeframe.