
Exam SC-200 topic 6 question 5 discussion

Actual exam question from Microsoft's SC-200
Question #: 5
Topic #: 6
You have an on-premises network.

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Identity.

From the Microsoft Defender portal, you investigate an incident on a device named Device1 of a user named User1. The incident contains the following Defender for Identity alert.

Suspected identity theft (pass-the-ticket) (external ID 2018)

You need to contain the incident without affecting users and devices. The solution must minimize administrative effort.

What should you do?

  • A. Disable User1 only.
  • B. Quarantine Device1 only.
  • C. Reset the password for all the accounts that previously signed in to Device1.
  • D. Disable User1 and quarantine Device1.
  • E. Disable User1, quarantine Device1, and reset the password for all the accounts that previously signed in to Device1.
Suggested Answer: E

Comments

DChilds
Highly Voted 1 year ago
Selected Answer: E
The security team where I work carries out the activities of option E every single time.
upvoted 11 times
Hawklx
9 months, 2 weeks ago
This is why regular employees hate the security team taking unnecessary measures just because..
upvoted 2 times
xRiot007
3 months, 2 weeks ago
If you quarantine Device1, but User1 is compromised, you mitigated the attack, not the attacker. Your system is still exposed, because now User1 might go and try his luck with Device 2,3,4,5 and so on. In the real world you should do E - quarantine the already compromised device, disable the compromised user and ask for password reset (which usually involves MFA) so that the REAL user can take back control of the user account.
upvoted 2 times
RedZtopics
1 year ago
"without affecting users and devices. The solution must minimize administrative effort." For me it's ---> B
upvoted 8 times
wheeldj
12 months ago
If you only quarantine the device, how have you prevented the attacker from using the stolen credentials? And how do you know which user credentials have been stolen from this machine? For me the primary requirement here is to prevent the threat. Secondary is to minimise admin effort. Therefore Answer === E
upvoted 5 times
Hawklx
10 months, 1 week ago
The “Pass-the-Ticket” attack is a method where an attacker steals a Kerberos ticket and uses it from a different device. The attack is based on the theft of a ticket and not on the theft of an account’s credentials, so disabling User1 or resetting passwords would not necessarily contain the incident. Quarantining Device1 would prevent the stolen ticket from being used further without affecting other users or devices. This approach also minimizes administrative effort as it focuses on the device where the incident was identified.
upvoted 5 times
xRiot007
3 months, 2 weeks ago
If User1 is compromised, he can just go and steal another ticket from another device.
upvoted 1 times
pjn
Most Recent 3 weeks ago
Selected Answer: C
Resetting passwords is the only option that does not disrupt any users or devices like the question requires. This is also what Copilot suggests: The best option is: C. Reset the password for all the accounts that previously signed in to Device1. Explanation: Pass-the-ticket attacks occur when attackers steal and reuse Kerberos tickets to impersonate users. Resetting the passwords for all accounts that previously signed in to Device1 invalidates any stolen Kerberos tickets and prevents further misuse. This action is targeted and minimizes impact on other users and devices. Disabling the user account (as in options A, D, and E) or quarantining the device (as in options B, D, and E) would be more disruptive and might not be necessary immediately if the attack is contained by resetting passwords.
upvoted 1 times
HAjouz
4 months, 2 weeks ago
Selected Answer: B
Quarantining Device1 will isolate the compromised device from the network, preventing further malicious activity while minimizing the impact on other users and devices. If you have any more questions or need further assistance, feel free to ask!
upvoted 2 times
Takakage
4 months, 3 weeks ago
Selected Answer: B
"You need to contain the incident without affecting users and devices. The solution must minimize administrative effort." The best way to meet this requirement is to isolate only B: Device1. This method takes into account the following points:
  • Minimal impact on users: User1's account can continue to operate without deactivating it.
  • Device isolation: Isolate Device1 from the network to prevent impact on other devices or users.
This approach is a balanced way to effectively contain incidents while minimizing administrative effort.
Supplement: reasons why the other alternatives are incorrect are:
  • Option A: Disable User1 only. Reason: Simply disabling User1 will keep Device1 connected to the network, which can affect other devices and users.
  • Option E: Disable User1, isolate Device1, and reset passwords for all accounts that previously signed in to Device1. Why: This method is the most comprehensive, but it is very much administrative and has a significant impact on users and devices.
upvoted 2 times
user636
8 months ago
Selected Answer: A
A is correct. The user1 is using the stolen ticket, disabling the user1 will cause the user1 to not be able to use the stolen ticket anymore (in fact the user1 will not be able to perform any actions). Also, in this way you do not impact any other user or device. Also in this scenario, a different user (say user2) can still use the same stolen ticket. Also, as the question is about MDI, read this: https://learn.microsoft.com/en-us/defender-for-identity/remediation-actions Good luck
upvoted 3 times
user636
8 months ago
"You need to contain the incident without affecting users and devices. The solution must minimize administrative effort." is the key while selecting the answer
upvoted 2 times
g_man_rap
8 months, 1 week ago
Selected Answer: B
Quarantining Device1: This action isolates the device from the network, preventing it from communicating with other devices, thus containing the threat. It minimizes administrative effort because it doesn't require resetting passwords or disabling accounts unless necessary. This approach allows for further investigation to determine the scope of the compromise.
upvoted 2 times
Syncure
8 months, 1 week ago
Selected Answer: B
The attack directly impacts the device, not the user.
upvoted 2 times
LOMCLOTRMC
8 months, 2 weeks ago
Selected Answer: E
This is a really silly question. How do we respond in a way that does not affect the user or the device? I chose E with the following interpretation "not affect "other" users or devices".
upvoted 2 times
KingJ92
8 months, 2 weeks ago
To contain the incident of suspected identity theft (pass-the-ticket) involving User1 and Device1 while minimizing administrative effort and avoiding unnecessary disruption to other users and devices, the best course of action is: B. Quarantine Device1 only. Explanation: Quarantine Device1: Quarantining Device1 isolates the device from the network, preventing any further potential malicious activity from being executed through that device. This action contains the threat while minimizing the impact on other users and devices.
upvoted 2 times
Studytime2023
9 months, 2 weeks ago
This question is terribly worded. There is no way to avoid some effect on at least one user. I would quarantine the device and reset passwords for all users who've been on the device. Or maybe, if I had time, reset the user whose Kerberos ticket was stolen, quarantine the device and "monitor" all users who have previously been signed into that device. There is no way to avoid disruption to one or more users. As a cybersecurity specialist, security should be paramount over a user's discomfort during a password reset etc. Imagine being the person responsible for full compromise of an organisation. BTW, to my understanding, quarantining the device doesn't stop reuse of the Kerberos ticket (before it expires).
upvoted 2 times
scfitzp
9 months, 2 weeks ago
Selected Answer: B
Pass the ticket is lateral movement, and as far as I understand the ticket though correlated to the User, lives on the device. So wouldn't we quarantine the device? The user can continue local activity.
upvoted 2 times
Polomint
10 months, 2 weeks ago
Selected Answer: E
The question itself is really badly written and confusing... Option E could be correct here because, if the exposed device was the issue and the Kerberos ticket was stolen from it, then probably the hacker has dumped LSASS and gained access to all previously logged-in users' Kerberos tickets. Option A could be correct here if User1's Kerberos ticket was compromised from an unknown source; then disabling the user's account will mitigate the risk. According to Microsoft: Pass-the-Ticket is a lateral movement technique in which attackers steal a Kerberos ticket from one computer and use it to gain access to another computer by reusing the stolen ticket https://learn.microsoft.com/en-us/defender-for-identity/lateral-movement-alerts
upvoted 1 times
Sekpluz
10 months, 2 weeks ago
Selected Answer: D
I would choose Option D. This is because resetting the user’s password won’t have any effect in a Kerberos ticket attack. Changing the password won’t invalidate the stolen Kerberos ticket. It’s necessary to disable the user from Active Directory (AD). In this way, if a hacker tries to use the ticket to log in on any other device, it won’t work because the user is disabled. I would also definitely quarantine the device because there’s no telling what else the hacker might have done to that device. This is considered best practice. And yes, you could also argue for Option E. As a best practice, it wouldn’t hurt to change the user’s password as well.
upvoted 2 times
Hawklx
11 months ago
Selected Answer: B
This is because the alert is related to a “pass-the-ticket” attack, which is a type of Kerberos attack where an attacker steals a Kerberos ticket and uses it to gain unauthorized access to resources. The ticket is tied to the device (Device1 in this case), not the user (User1). Therefore, quarantining the device would effectively contain the incident. (GenAI generated)
upvoted 2 times
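Several posts above (wheeldj, pjn, Sekpluz, Studytime2023) turn on the same practical problem: options C and E require knowing which accounts actually left reusable Kerberos tickets on Device1, and a password reset does not revoke tickets already issued, so those accounts must also be watched until the tickets expire. The script below is an added example, not part of the exam page or of any Microsoft tooling; it scopes that list from a small constructed export of logon events. The column names (Timestamp, DeviceName, AccountName, ActionType, LogonType), the LogonType strings and the 7-day renewable-TGT default are assumptions modelled on Defender's DeviceLogonEvents schema and AD defaults, and every host and account name is invented.

```python
from datetime import datetime, timedelta

# Logon types that leave a TGT or cached secrets in LSASS on the target host
# (assumed to match the LogonType strings Defender uses). A plain Network
# logon authenticates over the wire and leaves nothing reusable behind.
TICKET_BEARING = {"Interactive", "RemoteInteractive", "Unlock",
                  "CachedInteractive", "Batch", "Service"}
# Default AD renewable TGT lifetime: older logons cannot still hold a live ticket.
TGT_MAX_RENEW = timedelta(days=7)

# Constructed sample export: a few DeviceLogonEvents-style rows (names invented).
EVENTS = [
    {"Timestamp": "2024-05-02T08:00:00", "DeviceName": "device1.corp.local",
     "AccountName": "user1", "ActionType": "LogonSuccess", "LogonType": "Interactive"},
    {"Timestamp": "2024-05-02T09:00:00", "DeviceName": "device1.corp.local",
     "AccountName": "svc_backup", "ActionType": "LogonSuccess", "LogonType": "Network"},
    {"Timestamp": "2024-04-20T10:00:00", "DeviceName": "device1.corp.local",
     "AccountName": "admin7", "ActionType": "LogonSuccess", "LogonType": "RemoteInteractive"},
    {"Timestamp": "2024-05-02T07:00:00", "DeviceName": "device2.corp.local",
     "AccountName": "user3", "ActionType": "LogonSuccess", "LogonType": "Interactive"},
    {"Timestamp": "2024-05-02T10:00:00", "DeviceName": "DEVICE1.corp.local",
     "AccountName": "user1", "ActionType": "LogonFailed", "LogonType": "Interactive"},
    {"Timestamp": "2024-05-01T17:30:00", "DeviceName": "DEVICE1.corp.local",
     "AccountName": "helpdesk2", "ActionType": "LogonSuccess", "LogonType": "Unlock"},
]

def accounts_to_reset(events, device, now, window=TGT_MAX_RENEW):
    """Return {account: last ticket-bearing logon} for accounts whose Kerberos
    tickets stolen from `device` could still be live at `now`. A password reset
    does not revoke tickets already issued, so this is the list to reset AND
    watch until the tickets expire."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    device = device.lower().split(".")[0]          # accept hostname or FQDN
    out = {}
    for e in events:
        if e["DeviceName"].lower().split(".")[0] != device:
            continue                               # another device: out of scope
        if e["ActionType"] != "LogonSuccess":
            continue                               # failed logons issue no ticket
        if e["LogonType"] not in TICKET_BEARING:
            continue                               # Network logon leaves no TGT
        ts = datetime.fromisoformat(e["Timestamp"])
        if now - ts > window:
            continue                               # even a renewed ticket has expired
        acct = e["AccountName"].lower()
        if acct not in out or ts > out[acct]:
            out[acct] = ts
    return out
```

With the constructed data, `accounts_to_reset(EVENTS, "Device1", "2024-05-02T12:00:00")` returns user1 and helpdesk2 only: svc_backup's network logon and admin7's two-week-old session leave nothing live on Device1.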
Community vote distribution
A (35%)
C (25%)
B (20%)
Other