Exam SY0-701 topic 1 question 65 discussion

Actual exam question from CompTIA's SY0-701
Question #: 65
Topic #: 1

A security analyst and the management team are reviewing the organizational performance of a recent phishing campaign. The user click-through rate exceeded the acceptable risk threshold, and the management team wants to reduce the impact when a user clicks on a link in a phishing message. Which of the following should the analyst do?

  • A. Place posters around the office to raise awareness of common phishing activities.
  • B. Implement email security filters to prevent phishing emails from being delivered.
  • C. Update the EDR policies to block automatic execution of downloaded programs.
  • D. Create additional training for users to recognize the signs of phishing attempts.
Suggested Answer: C

Comments

SHADTECH123
Highly Voted 6 months, 2 weeks ago
Selected Answer: C
Updating the Endpoint Detection and Response (EDR) policies to block the automatic execution of downloaded programs helps to mitigate the risk by preventing malicious software from running even if a user clicks on a phishing link. This technical control directly addresses the potential consequences of a phishing attack by stopping harmful actions from taking place after the initial click, thus reducing the overall impact of the phishing campaign. While raising awareness (option A), implementing email security filters (option B), and creating additional training (option D) are all valuable preventive measures, they do not directly reduce the impact after a phishing link is clicked.
upvoted 29 times
43a41d4
4 months, 3 weeks ago
Your explanation is clean. Thank you.
upvoted 1 times
...
KO_
6 months, 1 week ago
Well explained
upvoted 2 times
...
...
barracouto
Highly Voted 9 months ago
C is the only one that can actually be controlled by the analyst. You can train as much as you want but that doesn't mean people listen... Source: all of us here using an exam dump after watching Messer's course :)
upvoted 13 times
uday1985
8 months ago
Interesting! How can you block fileless code executions? When was the last time you encountered an actual exe in a phishing campaign? How about obfuscated scripts? This won't even stop clicking on a link to steal information!
upvoted 3 times
...
...
tsummey
Most Recent 1 month, 4 weeks ago
Selected Answer: D
After reading the question a few times, I'm changing my answer to D. The first time around I didn't catch that a security analyst and management are assessing the organizational performance of a recent phishing campaign. This implies a phishing test. The best course of action based on too many user click-throughs is education.
upvoted 1 times
...
tsummey
1 month, 4 weeks ago
Selected Answer: B
The correct answer is B. EDR solutions like CrowdStrike do not provide direct link click-through protection. I’d like to better understand how modifying an EDR policy would prevent users from clicking on a phishing link without outright blocking all links they attempt to open. A Secure Email Gateway (SEG) / Email Security Gateway (ESG) is responsible for filtering malicious emails containing phishing URLs or attachments. Click-through protection is a key feature of ESGs like Proofpoint, Microsoft Defender for Office 365, and Mimecast. Admins can adjust filtering aggressiveness, and in this case, it’s likely that the current settings were too lenient, allowing phishing emails through. The best course of action is to modify ESG security filters to prevent these emails from reaching users. Ideally, this would be complemented by reviewing and enhancing security awareness training to reinforce phishing detection skills.
upvoted 1 times
MarysSon
2 weeks, 4 days ago
The question addresses what happens when a user DOES click on a phishing link. This is past the point of preventing the link from being clicked. EDR prevents the damage from taking effect. That's why C is the correct answer.
upvoted 1 times
...
...
Exam_Prep221
4 months ago
Selected Answer: C
They are talking about an analyst, so it'll be EDR.
upvoted 1 times
...
darpanne
4 months ago
Selected Answer: C
C, because the question is about when a user clicks on a link in a phishing message.
upvoted 1 times
...
Spoudel001
4 months, 3 weeks ago
Selected Answer: B
By implementing advanced email security filters, the organization can significantly reduce the likelihood of phishing emails reaching employees in the first place.
upvoted 1 times
...
Bito808
6 months ago
Blocking automatic execution does not block all Phishing emails. Some Phishing emails try to redirect you or get you to contact a bad actor. This action is more focused on malware prevention, not necessarily Phishing attempts.
upvoted 1 times
...
Etc_Shadow28000
6 months, 2 weeks ago
Selected Answer: C
C. Update the EDR policies to block automatic execution of downloaded programs. While raising awareness, implementing email filters, and providing additional training are important measures, updating Endpoint Detection and Response (EDR) policies to block the automatic execution of downloaded programs directly addresses the issue of reducing the impact when a user clicks on a phishing link. This approach helps prevent malicious software from being executed on the user's system, thus mitigating potential harm. Therefore, the correct answer is: C. Update the EDR policies to block automatic execution of downloaded programs.
upvoted 4 times
...
Gigz_77
6 months, 3 weeks ago
Selected Answer: B
I think the best option is B.
C. Phishing doesn't always come with executable files. It can redirect users to malicious pages which clone legitimate sites too when clicked on phishing links.
D. This is an option too. But no matter how many trainings the organizations give to employees, they still fall for phishing emails.
upvoted 2 times
...
Yurp
7 months, 1 week ago
Selected Answer: C
"reduce the impact when a user *clicks* on a link" read carefully, C is the only one that makes sense for someone who has already clicked a link.
upvoted 3 times
...
cri88
7 months, 2 weeks ago
Selected Answer: B
We can rule out:
- C. Update the EDR policies to block automatic execution of downloaded programs. Given that the phishing link could lead to a serverless execution, which doesn't rely on downloading and executing a program on the user's machine, this answer would not fully address the risk. Or what if the link is a scam? Login details are still entered, so the impact when a user clicks on a link in a phishing message is still there.
- A (Posters) and D (Training) focus on awareness and education, which are crucial for reducing click-through rates over time but do not directly prevent or mitigate the technical impact of a user clicking on a phishing link.
So B is in my opinion the best answer.
upvoted 2 times
...
nap61
8 months ago
Selected Answer: C
"...wants to reduce the impact when a user clicks on a link in a phishing message..."
upvoted 4 times
...
EfaChux
8 months, 2 weeks ago
Selected Answer: D
Phishing is more of a social engineering attack and most times does not involve downloading or running malicious applications on the user's system. More awareness is what is required to secure users against these kinds of attacks.
upvoted 3 times
...
dbrowndiver
8 months, 3 weeks ago
Selected Answer: C
Implementing EDR policy updates directly addresses the risk posed by phishing attacks by stopping malicious code from executing, thereby reducing the potential impact of users clicking on phishing links.
upvoted 2 times
...
MAKOhunter33333333
11 months ago
Selected Answer: C
Wants to reduce impact AFTER clicking the link. C is the only one that, B is preventive and happens before the user can even click the email
upvoted 3 times
...
AbdullahMohammad251
11 months ago
Selected Answer: C
Options A, B, and D represent proactive measures designed to mitigate the risk of exposure to phishing emails or clicking on their links. However, should a phishing email evade our security measures and be clicked by an employee, it becomes imperative to prevent any downloaded files from executing. Updating Endpoint Detection and Response (EDR) policies to block the automatic execution of downloaded programs would effectively thwart the attack.
upvoted 6 times
...