A cybersecurity analyst is supporting an incident response effort via threat intelligence. Which of the following is the analyst MOST likely executing?
Gathering intelligence on threats is always part of the preparation phase, which includes requirements analysis, etc. Answer A looks correct. https://digitalguardian.com/blog/five-steps-incident-response
Threat feeds/sources (like plug-ins for IDS/IPS, etc.) give you the threat data you need to make sure you are up to date on your defense. This is always at the beginning, as you want it in place and as updated as possible.
The issue is that we have an ongoing incident, at which point we have to do post-incident recovery and review.
Correct answer: C
If there was no incident, then the answer would be A.
A -> This is the first phase of the intelligence life cycle, not the incident response life cycle
B -> Does not make sense
C -> This sounds correct, but I feel like recovery and threat intelligence do not fit so well together
D -> These terms are not common in cybersec
Final Answer: C
The cybersecurity analyst is MOST likely executing indicator enrichment and research pivoting during the incident response effort via threat intelligence. This involves gathering additional information and context on identified indicators of compromise (IOCs), such as IP addresses, domains, hashes, and other artifacts, to gain insight into the threat actor's tactics, techniques, and procedures (TTPs) and possible attribution. By enriching IOCs with open-source and proprietary intelligence sources and pivoting across different data sets, the analyst can generate new leads, prioritize the investigation, and improve the detection and prevention capabilities. The other options listed (requirements analysis and collection planning, containment and eradication, and recovery and post-incident review) are also part of the incident response process, but they are not specifically related to the use of threat intelligence.
Me thinks the most likely is D. It's asking what the analyst is 'executing'.
Indicator enrichment = gathering IOCs to better understand their relevance to the IR and their impact.
Research pivoting = using information gained from one area of research and pivoting to another area for more investigation.
In the context of incident response, threat intelligence refers to the collection and analysis of information about potential security threats. The analyst is likely executing indicator enrichment and research pivoting, which involves collecting and analyzing information about potential security threats and using that information to identify other related threats.
This may involve using tools such as threat intelligence platforms, malware sandboxes, and open-source intelligence (OSINT) sources to gather and analyze data. The goal is to improve the understanding of the threat and identify any potential indicators of compromise that can be used to contain and eradicate the threat.
Requirements analysis and collection planning involve identifying the information that is needed to support an incident response effort. Containment and eradication involve taking steps to prevent the threat from spreading and remove it from the system or network. Recovery and post-incident review involve restoring normal operations and conducting a review of the incident to identify lessons learned and areas for improvement.
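As an added illustration (not code from the exam page, from any commenter, or from any real intelligence platform), here is the enrichment-then-pivot workflow the comments above describe, run over a constructed offline intel dataset. The INTEL table, its indicators (RFC 5737 addresses, example domains, placeholder hashes), tags and relationships are made-up sample values, and enrich, pivot and new_leads are hypothetical helper names.

```python
from collections import deque

# Constructed sample intel: indicator -> type, tags, links to related indicators.
INTEL = {
    "203.0.113.10": {"type": "ipv4", "tags": ["c2", "actor-x"],
                     "related": ["update.example.net", "hash-placeholder-1"]},
    "update.example.net": {"type": "domain", "tags": ["c2"],
                           "related": ["203.0.113.10", "198.51.100.7"]},
    "198.51.100.7": {"type": "ipv4", "tags": ["staging"],
                     "related": ["update.example.net", "hash-placeholder-2"]},
    "hash-placeholder-1": {"type": "sha256", "tags": ["dropper", "actor-x"],
                           "related": ["203.0.113.10"]},
    "hash-placeholder-2": {"type": "sha256", "tags": ["loader"],
                           "related": ["198.51.100.7"]},
}

def enrich(indicator):
    """Indicator enrichment: attach whatever context the feed has.
    Unknown observables get an explicit 'unknown' record instead of an error,
    so the analyst can see which incident artifacts still lack coverage."""
    ctx = INTEL.get(indicator)
    if ctx is None:
        return {"indicator": indicator, "type": "unknown", "tags": [], "related": []}
    return {"indicator": indicator, **ctx}

def pivot(seeds, max_hops=2):
    """Research pivoting: breadth-first walk from the incident's seed IoCs
    along 'related' links. Returns {indicator: hops_from_seed}; seeds are 0.
    max_hops bounds the walk so enrichment does not drift into noise."""
    hops = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        cur = queue.popleft()
        if hops[cur] >= max_hops:
            continue
        for nxt in enrich(cur)["related"]:
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops

def new_leads(seeds, max_hops=2):
    """Indicators the pivot surfaced that were not already in the incident,
    nearest first, each with its tags so the analyst can prioritize them."""
    found = pivot(seeds, max_hops)
    leads = sorted((i for i in found if i not in seeds), key=lambda i: (found[i], i))
    return [(i, found[i], enrich(i)["tags"]) for i in leads]

if __name__ == "__main__":
    for lead in new_leads(["203.0.113.10"]):
        print(lead)  # one observed C2 address pivots to a domain, a hash and a staging host
```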
It's definitely D, but it seems like many of you are confused over why. Remember the question asks what the analyst is doing (or, in other words, how is threat intelligence benefiting the IR effort?)
A -> These are the first phases of the Intelligence lifecycle, not an incident response effort
B -> These phases come after we've identified the threat; it's this identification which threat intelligence supports
C -> Post-incident activities are where we identify what can be improved based on what happened during the incident
D -> This is the answer, because it's how the threat intelligence actually benefits us. It is going to give us better indicators of compromise to narrow in on that could help us pivot our research (think the OODA loop) in the right direction.
For those who mentioned the preparation phase of IR, this is where we develop hardening, carry out training / exercises, establish procedures - essentially do everything we can to be ready for the big moment.
During an incident response effort, threat intelligence is used to gather information about the incident and the attackers involved. The cybersecurity analyst's role in this process would involve gathering and analyzing data, such as IP addresses, domain names, and malware samples, in order to identify and track the attackers. This process is known as indicator enrichment and research pivoting. It falls under the category of information gathering and analysis, as opposed to implementing security controls, incident containment, and incident recovery.
I'm thinking that it is A. I did some research on indicator enrichment, and to me it sounds like part of the requirements analysis and collection (IoC threat intelligence gathering).
Key Objectives at Each Phase of the Threat Intelligence Lifecycle
Planning and direction: Set the scope and objectives for core intel roles and processes.
Collection: Deploy data gathering and processing techniques and sources.
Analysis: Translate raw intel into meaningful and taxonomized actors, events, and attributes.
Production: Assess intel significance and severity based on business and environmental context.
Dissemination and feedback: Report on finished intel, considering urgency and confidentiality.
The question states this is part of an incident response. There's only one phase of the Threat Intelligence Lifecycle that occurs post-event, phase 6 - Feedback. This is where we reanalyze our intelligence and decide if our alerts (indicators) are working effectively and if we should redirect (pivot) our assets/research.
I'm voting D.