Exam CS0-003 topic 1 question 202 discussion

If the security analyst already has a sample of the malware and its signature, cross-referencing the signature with open-source threat intelligence could indeed be a more efficient next step. This would allow the analyst to quickly identify the malware by comparing it to known threats in threat intelligence databases, saving time and potentially providing immediate insights into the type of malware, its behavior, and mitigation strategies.

Both A and C are good choices, My reasoning for choosing A is because of the question Talking about malware signatures.

Transferring the malware to a sandbox environment allows the analyst to safely observe its behavior, functionality, and characteristics in an isolated setting. This provides insights into the malware type and its impact, such as whether it is a worm, ransomware, or other type of malicious software.

The questions is unclear. I was a big fan of C. But I changed my answer to A, just because it's not talking about the infected machine but the malware. The isolated machine need to be isolated, I believe this question is just talking about the malware, if the malware signature is already captured, simply doing A.

i would go with just because youre trying to find out what type of malware it is. You run it in a sandbox to see how it acts. OSINT will give you information in most cases unless you are the first to see this malware... if you are the first... good luck.

Y'all convinced me it's A

I'll choose A as well. I was leaning to D at first but I read about it. So since the EDR has already collected telemetry and a signature, cross-referencing it with threat intelligence is quicker.

I'm sticking with a here. By definition, telemetry is the automatic recording and transmission of data from remote or inaccessible sources to an IT system in a different location for monitoring and analysis. Based on this definition, the telemetry has been completed by the EDR. It will be much quicker and easier to figure what type of malware it is by uploading the captured signatures to an open source such as VirusTotal than to try and figure it out yourself in a sandbox.

Seems more logic and les time consuming to me...

Both A and C are great, but like jjkylin said we would go with sandboxing here because of the key word "telemetry" which means we are going to monitor the malware.

Both options A and C are valid approaches, but option C is more directly focused on analyzing the behavior of the malware, which aligns with the goal of determining the type of malware based on its telemetry.

Cross-referencing with Open-source Threat Intelligence: This approach involves comparing the malware signature obtained by the EDR (Endpoint Detection and Response) system with existing databases and sources of known malware signatures. Open-source threat intelligence platforms often have extensive databases of malware signatures, behaviors, and attributes. By comparing the obtained signature with these databases, the analyst can quickly identify the type of malware, understand its characteristics, and learn about its typical behaviors and impact. This knowledge is crucial for formulating an effective response strategy.

A sandbox is an isolated and controlled environment where the malware can be executed without affecting the production network. Analyzing the behavior of the malware in a sandbox allows the analyst to observe its actions, interactions, and potential impact on the system, providing valuable telemetry data.

To determine the type of malware based on its telemetry, the security analyst should transfer the malware to a controlled environment like a sandbox. In question it is saying unsure about how to respond.