Exam CAS-004 topic 1 question 499 discussion

B. Review the operating system logs and update the DLP rules. This will help identify the use of unauthorized USB devices and implement measures to prevent data exfiltration.

o Identifying IoCs: Checking the operating system logs for suspicious activity related to the unauthorized USB device usage is crucial. This can include timestamps of unusual file access, attempts to copy sensitive data, or unusual device connections. o DLP Rule Update: Implementing or updating Data Loss Prevention (DLP) rules can prevent future exfiltration attempts by identifying and blocking the transfer of sensitive data. This can be set up to trigger alerts if specific files or data types are attempted to be transferred via USB or other unauthorized methods.

Why Not B. Review the OS logs and update the DLP rules? While reviewing operating system logs (syslog, audit logs, journalctl, etc.) might show USB activity, this alone does not identify the specific device used for exfiltration. DLP (Data Loss Prevention) rules are preventative measures that can stop future exfiltration but will not help with forensic investigation of an already-used device. Correct Answer: D. Obtain the device ID using dmesg and update the portable storage inventory.

The correct option in this case is D. Obtain the device ID using dmesg and update the portable storage inventory. In this scenario, the security analyst is investigating a potential insider threat involving the use of an unauthorized USB device to exfiltrate proprietary data. The primary focus should be on identifying the USB device used for the exfiltration and taking steps to track it. dmesg: On Linux systems, dmesg is a command used to view the kernel's log messages, which can provide information about newly connected hardware devices, including USB devices. By using dmesg, the analyst can check the logs for entries related to the connection of the unauthorized USB device, including the device ID, which is critical for identifying and tracking the device. Updating the portable storage inventory: Once the device is identified, it’s important to update the inventory to keep track of all connected and authorized USB devices. This can help ensure only approved devices are used and that unauthorized devices can be flagged for future incidents.

B is the stronger answer as you can leverage logs to identify the device, and determine what other actions occurred on the system. That and the approach of updating an inventory vs. updating DLP rules is arguably less effective for responding to an event that already happened.

Ans D. The best option for identifying the Indicators of Compromise (IoCs) and providing an appropriate response in the context of a potential insider threat involving an unauthorized USB device would be: D. Obtain the device ID using dmesg and update the portable storage inventory. This approach directly addresses the investigation by identifying the specific USB device used, allowing for further analysis and action regarding its usage and potential data exfiltration.

I would say it is D. B isn't direct prevent the problem which already exfiltrated

Data visibility and endpoint DLP can secure data at-rest and ensure that users do not exfiltrate data via a removable device, such as a USB. The exercise does not specify if the DLP is a network or endpoint based.