Premium Practice Questions
Question 1 of 30
A security analyst is investigating a series of suspicious login attempts on a critical web server. The logs show multiple failed login attempts from a single IP address, followed by a successful login using a common username like “admin” or “root.” The analyst suspects a brute-force attack. Which of the following is the MOST effective immediate action to mitigate this threat?
Correct
The correct answer is to temporarily block the source IP address at the firewall. This directly addresses the immediate threat by preventing further malicious login attempts from the identified source. Brute-force attacks rely on repeated attempts, and blocking the source IP effectively halts this activity.
The option to initiate a full system scan for malware on the web server is a good general security practice but is not the most effective immediate action for a brute-force login attempt. While malware could be involved, the primary indicator points to credential stuffing or brute-forcing.
Notifying the system administrator to change all user passwords is a reactive measure that might be necessary later, but it’s not the most immediate mitigation for an ongoing attack. It’s a broad action that might not be required if the attack is contained.
Increasing logging verbosity for all network devices is a valuable step for investigation and future analysis, but it does not stop the current attack. The immediate priority is to stop the unauthorized access attempts.
This question tests understanding of immediate incident response actions for common attack types like brute-force attacks. It highlights the importance of rapid containment and mitigation. In a real-world SOC, identifying the source of an attack and blocking it is a primary step in preventing further compromise.
Question 2 of 30
During a security incident, a SOC analyst discovers that a user’s workstation has been compromised. The malware appears to be encrypting files and demanding a ransom. The analyst needs to quickly assess the extent of the spread and prevent further encryption. Which of the following actions should be prioritized to contain the incident?
Correct
The correct answer is to isolate the affected workstation from the network. This is the most critical step in containing a ransomware outbreak. By disconnecting the infected machine, the analyst prevents the malware from spreading to other systems on the network, which is crucial for limiting the damage and the scope of the incident.
Performing a deep forensic analysis of the workstation is important for understanding the attack, but it should not be prioritized over containment. Forensic analysis can be done after the immediate threat of spread has been addressed.
Notifying all employees about the ransomware attack is a good communication strategy, but it doesn’t directly stop the spread of the malware. Communication should happen concurrently with containment efforts.
Deploying an antivirus signature update across the network is a proactive measure that might help prevent future infections or detect existing ones, but it is not as immediate or effective as isolating the already compromised machine to stop ongoing encryption and lateral movement.
This question assesses knowledge of the incident response lifecycle, specifically the containment phase. It emphasizes the importance of stopping the spread of malware. In a SOC, rapid isolation of compromised endpoints is a fundamental containment strategy for ransomware.
Question 3 of 30
A SOC analyst is reviewing logs from a web application firewall (WAF) and notices a pattern of requests targeting a specific URL. The requests contain unusual characters and sequences, such as ``, within the URL parameters. This pattern is repeated across multiple requests originating from different IP addresses. What type of attack is MOST likely being attempted?
Correct
The correct answer is Cross-Site Scripting (XSS). The presence of `
Question 4 of 30
A security analyst is tasked with investigating a suspicious network connection originating from an internal server to an unknown external IP address. The connection is using a non-standard port and is sending a large volume of data. The server in question is a database server. What is the MOST immediate concern regarding this activity?
Correct
The correct answer is data exfiltration. A database server is a prime target for attackers seeking sensitive information. The unusual port, large data volume, and connection to an unknown external IP strongly suggest that data is being copied off the network.
Malware propagation is a possibility, but the primary concern with a database server sending large amounts of data externally is the theft of that data. Malware propagation typically involves spreading to other internal systems.
A Denial of Service (DoS) attack against the external IP is unlikely. The server is initiating the connection and sending data, which is the opposite of a DoS attack.
Unauthorized remote access for administrative purposes is a concern, but the large volume of data being sent suggests more than just remote administration. It points to a significant transfer of information.
This question assesses the ability to infer potential threats based on network traffic patterns and the role of the affected system. It highlights the importance of understanding the value of data stored on different types of servers. In a SOC, identifying potential data exfiltration is a high-priority task.
Question 5 of 30
A SOC team is using a SIEM system to monitor for security events. They receive an alert indicating multiple failed login attempts followed by a successful login on a critical user account from an unusual geographic location. Which of the following threat intelligence sources would be MOST valuable in quickly assessing the risk associated with the source IP address?
Correct
The correct answer is a threat intelligence feed that provides lists of known malicious IP addresses and their associated reputation. This type of feed is specifically designed to identify and flag IP addresses that have been associated with malicious activities, such as brute-force attacks, phishing, or command and control (C2) communication. Knowing if the source IP is already flagged as malicious allows for rapid risk assessment and prioritization of the alert.
A vulnerability database is useful for identifying weaknesses in systems but does not directly help in assessing the immediate risk of a specific IP address initiating a login attempt.
A malware analysis sandbox report is valuable for understanding the behavior of a specific piece of malware, but it’s not directly relevant to assessing the reputation of an IP address making login attempts.
A security awareness training module is for educating users and preventing social engineering attacks; it does not provide real-time threat intelligence on IP addresses.
This question focuses on the practical application of threat intelligence in a SOC environment. It emphasizes how different types of intelligence are used for specific tasks, such as IP reputation checking for alert triage. Understanding the role of threat feeds is crucial for effective security monitoring.
Question 6 of 30
A security analyst is investigating a potential incident where a user’s machine is exhibiting unusual behavior, including frequent pop-up windows and slow performance. The analyst suspects malware infection. Which of the following is the MOST appropriate initial step for malware analysis on the affected endpoint?
Correct
The correct answer is to take a forensic image of the hard drive. This is the most crucial initial step in malware analysis because it creates an exact, bit-for-bit copy of the original drive. This allows the analyst to perform all subsequent analysis on the image, preserving the original evidence in its current state. This is vital for maintaining the integrity of the evidence and ensuring that any analysis performed does not alter the original infected system, which could compromise forensic findings.
Immediately disconnecting the machine from the network is a critical containment step, but it’s not the initial step for *analysis*. Analysis should ideally be performed on a preserved copy of the system.
Running a full system scan with the installed antivirus software is a good step, but it’s a form of detection and remediation, not a foundational analysis step. It might also alert the malware to the analyst’s presence, potentially causing it to alter its behavior or self-destruct.
Analyzing the system’s registry for suspicious entries is a valuable part of malware analysis, but it should be performed on a forensic image, not directly on the live system, to avoid altering evidence.
This question tests the fundamental principles of digital forensics and malware analysis, particularly the importance of evidence preservation. It highlights the “first-responder” actions in an incident. In a SOC, understanding the order of operations for handling a potentially compromised endpoint is paramount.
Question 7 of 30
A company has recently experienced a series of phishing attacks that have led to several account compromises. The security team wants to implement a more robust defense against such attacks. Which of the following security principles, when applied effectively, would MOST significantly reduce the impact of successful phishing attempts?
Correct
The correct answer is Security Awareness and Best Practices. Phishing attacks primarily target human users. By educating employees on how to identify and report phishing attempts, and by establishing clear procedures for handling suspicious emails, the organization significantly reduces the likelihood of successful attacks. Even if an attacker bypasses technical controls, well-trained users can act as a crucial line of defense.
The Principle of Least Privilege is important for limiting the damage an attacker can do *after* gaining access, but it doesn’t directly prevent the initial compromise via phishing.
Defense-in-Depth is a strategy of layering multiple security controls. While important, it’s a broader concept. For phishing, the human element is often the weakest link, making user awareness the most direct countermeasure.
The Confidentiality, Integrity, Availability (CIA Triad) is a foundational model for security objectives. While phishing attacks can impact all three, it doesn’t specify the *method* to combat them.
This question emphasizes the human element in cybersecurity and its importance in combating social engineering attacks like phishing. It highlights that technical controls alone are often insufficient. In a SOC, understanding that user education is a critical component of a comprehensive security strategy is vital.
Question 8 of 30
A SOC analyst is reviewing network traffic logs and observes a large number of DNS requests for a domain that is not typically accessed by the organization. Some of these requests are for subdomains that appear to be randomly generated strings. This pattern is often associated with malware attempting to communicate with its command and control (C2) server. What is the MOST appropriate next step for the analyst?
Correct
The correct answer is to investigate the domain and its associated IP addresses for known malicious indicators. This is a crucial step in threat intelligence gathering and incident analysis. By checking the domain against threat intelligence feeds and reputation databases, and by performing WHOIS lookups, the analyst can quickly determine whether the domain is known to be malicious, which helps confirm the suspicion of C2 communication.
Blocking all outbound DNS requests to the suspicious domain is a containment measure, but it should be done *after* confirming the malicious nature of the domain. Premature blocking might disrupt legitimate business operations if the domain is not actually malicious.
Performing a vulnerability scan on the internal server making the requests is a good follow-up action to understand how the server might have been compromised, but it’s not the most immediate step to assess the threat posed by the domain itself.
Increasing the logging level for all network devices is a general investigative step that can provide more data, but it doesn’t directly address the immediate need to understand the threat posed by the specific domain.
This question tests the analyst’s ability to interpret network traffic patterns and leverage threat intelligence for investigation. It highlights the process of validating suspicious activity. In a SOC, correlating network events with external threat data is a core function.
Question 9 of 30
A security analyst is investigating an alert from an Intrusion Detection System (IDS) indicating a potential SQL injection attempt against a web application. The alert provides the source IP address, destination IP address, and the payload of the suspicious request. What is the MOST effective way to confirm if the attack was successful and if any data was compromised?
Correct
The correct answer is to analyze the web application server logs for evidence of unauthorized database queries or data modification. While the IDS alert indicates an *attempt*, confirming success requires examining the logs of the target system, specifically the web application and its associated database. These logs would show if the injected SQL code was executed and if it resulted in any unauthorized actions, such as data retrieval or alteration.
Performing a vulnerability scan on the web application server is a good practice for identifying weaknesses but does not directly confirm if a specific past attack was successful.
Blocking the source IP address at the firewall is a containment measure that should be considered, but it doesn’t confirm the success or impact of the attack.
Reviewing the IDS signature that triggered the alert helps understand why the alert was generated but doesn’t confirm the actual outcome of the attack on the application.
This question assesses the analyst’s understanding of how to validate alerts and determine the impact of an attack. It emphasizes the importance of correlating IDS alerts with application-level logs. In a SOC, moving beyond just alerts to confirm actual compromise is a critical skill.
Question 10 of 30
A company’s security policy mandates that all sensitive data stored on laptops must be encrypted. A recent audit reveals that several laptops are not compliant. The security team needs to enforce this policy. Which of the following technologies or strategies would be MOST effective in ensuring and enforcing full-disk encryption on all company laptops?
Correct
The correct answer is deploying a centralized endpoint management solution with full-disk encryption policies. This approach allows for automated deployment, configuration, and enforcement of encryption across all company laptops. The management solution can ensure that encryption is enabled, manage recovery keys, and report on compliance status, providing a scalable and effective way to enforce the policy.
Manually instructing users to enable full-disk encryption is prone to human error, non-compliance, and lack of verification. Users might forget, misunderstand instructions, or intentionally bypass the requirement.
Implementing a network access control (NAC) solution that blocks non-compliant devices is a good secondary control for enforcement, but it relies on the initial detection of non-compliance. The primary mechanism for ensuring encryption is through centralized management.
Conducting regular manual audits of each laptop’s encryption status is time-consuming, resource-intensive, and reactive. It’s a verification step, not an enforcement mechanism.
This question addresses the practical implementation of security policies and the use of technology for enforcement. It highlights the benefits of centralized management for ensuring compliance with data protection requirements. In a SOC, understanding how to enforce security policies through technology is important.
Question 11 of 30
A SOC analyst is investigating an alert for unusual process activity on a server. The process `svchost.exe` is making outbound network connections to an unknown IP address on port 443 (HTTPS). While `svchost.exe` is a legitimate Windows process, this behavior is not typical for its normal operations. What is the MOST likely implication of this observation?
Correct
The correct answer is that the `svchost.exe` process may have been hijacked or is hosting a malicious service. `svchost.exe` is a generic host process for services that run from DLLs. While legitimate, it can be exploited by malware to disguise malicious activity. Unusual outbound connections from `svchost.exe`, especially to unknown IPs on standard ports like 443, are a strong indicator of compromise, as malware can inject itself into or masquerade as a legitimate service.
The option suggesting a legitimate software update is possible but less likely given the connection to an *unknown* IP address. Legitimate updates typically connect to known Microsoft servers.
The option suggesting a false positive from the IDS is always a possibility, but the analyst should investigate further before dismissing it, especially when the behavior is unusual for the process.
The option suggesting the server is attempting to establish a VPN connection is also possible, but VPN connections usually have specific configurations and often connect to known VPN endpoints, not arbitrary unknown IPs.
This question tests the analyst’s knowledge of common Windows processes and how they can be abused by malware. It highlights the importance of behavioral analysis and understanding what constitutes normal versus anomalous activity for system processes. In a SOC, recognizing process hijacking is a critical detection skill.
Question 12 of 30
A company is concerned about potential insider threats. An employee with access to sensitive customer data has recently resigned. The security team wants to ensure that no data was exfiltrated by this employee before their departure. Which of the following forensic techniques would be MOST effective in determining if sensitive data was copied or transferred from the employee’s workstation?
Correct
The correct answer is to analyze file system access logs and USB device connection logs. File system logs can reveal which files were accessed, copied, or modified by the employee. USB connection logs can indicate if external storage devices were connected, which are common methods for exfiltrating data. Correlating these logs can provide strong evidence of data transfer.
Performing a memory dump of the employee’s workstation is useful for capturing volatile data and running processes at the time of the dump, but it’s less direct for proving data exfiltration compared to file system and device logs, which provide a historical record of actions.
Reviewing network firewall logs for outbound connections from the employee’s IP is valuable for detecting large data transfers, but it might not capture smaller transfers or transfers over encrypted channels. It also doesn’t specify *what* data was transferred.
Examining the employee’s email server logs is important if email was used for exfiltration, but it’s only one potential channel and might not capture data transferred via other means.
This question focuses on digital forensics and incident investigation, specifically for insider threats. It highlights the importance of collecting and analyzing relevant logs to reconstruct user activity and identify data exfiltration. In a SOC, understanding how to investigate insider threats requires a broad approach to evidence collection.
-
Question 13 of 30
13. Question
A security analyst is reviewing logs from a firewall and notices a high volume of UDP traffic on port 53 (DNS) originating from an internal server to an external IP address. The traffic appears to be unusually large for standard DNS queries. What is the MOST likely reason for this observation?
Correct
The correct answer is that DNS tunneling is being used to exfiltrate data or establish a covert channel. DNS tunneling abuses the DNS protocol to transmit non-DNS data. This often results in unusually large DNS queries or responses, and the use of port 53 for data transfer. Attackers use this method to bypass firewalls and security controls that may not closely inspect DNS traffic.
The option suggesting a legitimate software update is unlikely. While some updates use DNS, the traffic volume described is atypical for standard update processes.
The option suggesting the server is participating in a botnet for DDoS attacks is less likely. While botnets use various communication methods, DNS tunneling is a specific technique for covert communication, not typically for launching DDoS attacks directly, though it could be used for command and control.
The option suggesting the firewall is misconfigured is a possibility, but the analyst should first investigate the traffic pattern itself as a potential threat before assuming a configuration error.
This question tests the understanding of advanced network attack techniques and how they manifest in network traffic. It highlights the importance of scrutinizing seemingly legitimate protocols for malicious use. In a SOC, recognizing DNS tunneling is a key skill for detecting covert communications.
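The detection side of this, as an added example that is not part of the original quiz: a small heuristic scorer that reads DNS query logs, scores each query on the indicators the explanation names (long names, long high-entropy labels, unusual record types, oversized responses) and aggregates per client and zone. The log format, the sample lines and the thresholds are all constructed assumptions for this example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (not from the original page). Assumed field
# order: timestamp client_ip qtype qname response_bytes
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 A www.example.com 64
2024-05-01T10:00:02 10.0.0.5 A cdn.example.com 80
2024-05-01T10:00:03 10.0.0.7 TXT qz7jx3kf9vw2mp5h5hmp2vw9kf3jx7zq.tunnel.example.org 1350
2024-05-01T10:00:04 10.0.0.7 TXT u8n4ty6rcd1gbe0ss0ebg1dcr6yt4n8u.tunnel.example.org 1320
2024-05-01T10:00:05 10.0.0.7 TXT k2p9xm4qvw7zjn3hh3njz7wvq4mx9p2k.tunnel.example.org 1290
2024-05-01T10:00:06 10.0.0.5 AAAA mail.example.com 72
"""

# Thresholds are assumptions for this example; baseline them against the
# monitored network's own DNS traffic before using them for alerting.
MAX_NORMAL_QNAME_LEN = 50
MAX_NORMAL_LABEL_LEN = 30
HIGH_ENTROPY = 3.5
LARGE_RESPONSE_BYTES = 512
UNUSUAL_QTYPES = {"TXT", "NULL"}


def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score far above hostnames."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    fields = line.split()
    if len(fields) != 5:
        return None
    ts, client, qtype, qname, size = fields
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "qname": qname.rstrip(".").lower(), "size": int(size)}


def registered_zone(qname):
    """Crude zone = last two labels; a real system would use the public suffix list."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def score_query(q):
    """Return (score, reasons): one point per tunneling indicator that fires."""
    labels = q["qname"].split(".")
    reasons = []
    if len(q["qname"]) > MAX_NORMAL_QNAME_LEN:
        reasons.append("long qname")
    if max(len(label) for label in labels) > MAX_NORMAL_LABEL_LEN:
        reasons.append("long label")
    if shannon_entropy(labels[0]) >= HIGH_ENTROPY:
        reasons.append("high-entropy subdomain")
    if q["qtype"] in UNUSUAL_QTYPES:
        reasons.append("unusual qtype")
    if q["size"] > LARGE_RESPONSE_BYTES:
        reasons.append("large response")
    return len(reasons), reasons


def find_tunneling_clients(log_text, min_queries=3, min_avg_score=3.0):
    """Aggregate per (client, zone): a tunnel is many suspicious queries to one zone."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        q = parse_line(line)
        if q is None:
            continue
        score, _ = score_query(q)
        buckets[(q["client"], registered_zone(q["qname"]))].append(score)
    flagged = {}
    for key, scores in buckets.items():
        avg = sum(scores) / len(scores)
        if len(scores) >= min_queries and avg >= min_avg_score:
            flagged[key] = {"queries": len(scores), "avg_score": avg}
    return flagged


if __name__ == "__main__":
    for (client, zone), info in find_tunneling_clients(SAMPLE_LOG).items():
        print(f"{client} -> {zone}: {info['queries']} queries, "
              f"avg score {info['avg_score']:.1f}")
```

Aggregating by client and zone rather than alerting per query is what keeps a single long CDN hostname from paging the on-call analyst.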
-
Question 14 of 30
14. Question
A company has implemented a Security Orchestration, Automation, and Response (SOAR) platform. A critical alert is triggered by the SIEM indicating a potential ransomware infection on a user’s workstation. What is the MOST likely automated action the SOAR platform would initiate to contain this threat?
Correct
The correct answer is to automatically isolate the affected workstation from the network. SOAR platforms are designed to automate repetitive and time-sensitive incident response tasks. For a ransomware alert, the immediate priority is containment to prevent spread. Isolating the infected machine is a critical containment step that can be effectively automated by a SOAR platform, preventing further encryption and lateral movement.
Automatically initiating a full system forensic image is a valuable step but is typically a more involved process that might require human oversight or be triggered after initial containment. It’s not usually the *first* automated action for containment.
Automatically sending an email notification to the CISO is a communication step, which is important, but it doesn’t directly contain the threat. SOAR’s primary strength lies in taking action.
Automatically deploying an antivirus signature update to all endpoints is a proactive security measure, but it’s not the most immediate response to an *already detected* ransomware infection on a specific workstation. The focus needs to be on the infected machine first.
This question assesses the understanding of SOAR platforms and their role in automating incident response. It highlights how automation can significantly speed up critical actions like containment. In a SOC, understanding SOAR capabilities is key to improving efficiency and response times.
-
Question 15 of 30
15. Question
A security analyst is performing threat hunting and discovers a suspicious scheduled task on a server that runs a PowerShell script at regular intervals. The script appears to be obfuscated and attempts to download content from an external URL. What is the MOST appropriate next step to understand the script’s functionality and potential threat?
Correct
The correct answer is to de-obfuscate the PowerShell script and analyze its commands. Obfuscation is a common technique used by malware to hide its true intent. By de-obfuscating the script, the analyst can reveal the underlying commands and understand what the script is trying to achieve, such as downloading further malicious payloads, establishing persistence, or communicating with a C2 server. This provides crucial insight into the nature of the threat.
Blocking the external URL at the firewall is a containment measure, but it should be done after understanding the script’s purpose. If the script is benign, blocking the URL might be unnecessary. If it’s malicious, blocking is a good step, but understanding the script is paramount.
Immediately terminating the scheduled task is also a containment measure. While it stops the immediate execution, it doesn’t provide insight into the script’s purpose or how the task was created, which is essential for a thorough investigation and preventing recurrence.
Performing a full system scan on the server is a detection and remediation step. While useful, it might not specifically reveal the functionality of the obfuscated script as effectively as direct analysis.
This question focuses on threat hunting and malware analysis techniques. It emphasizes the importance of understanding the code behind suspicious activities. In a SOC, the ability to analyze scripts and understand obfuscation is vital for proactive threat detection.
-
Question 16 of 30
16. Question
A company is migrating its infrastructure to the cloud. The security team is responsible for ensuring the security of the cloud environment. They are particularly concerned about unauthorized access to cloud resources. Which of the following cloud security concepts is MOST critical for preventing such access?
Correct
The correct answer is Identity and Access Management (IAM). IAM is fundamental to cloud security as it controls who can access what resources and what actions they can perform. By implementing strong IAM policies, including multi-factor authentication (MFA) and role-based access control (RBAC), organizations can effectively prevent unauthorized access to their cloud resources.
The Shared Responsibility Model defines the security obligations of the cloud provider and the customer, but it doesn’t directly prevent unauthorized access itself.
Cloud Service Models (IaaS, PaaS, SaaS) describe the level of abstraction and management provided by the cloud vendor, influencing how security is managed, but IAM is the direct mechanism for access control.
Cloud Deployment Models (Public, Private, Hybrid) describe how cloud infrastructure is deployed, which has security implications, but IAM is the core component for managing access within any deployment model.
This question tests the understanding of core cloud security principles. It highlights the critical role of IAM in securing cloud environments. In a SOC, understanding cloud security concepts is increasingly important as organizations adopt cloud technologies.
-
Question 17 of 30
17. Question
A security analyst is investigating a series of alerts related to a web server. The logs show repeated attempts to access sensitive configuration files using predictable file names and paths, such as `/etc/passwd` or `/var/www/html/config.php.bak`. These attempts are originating from an external IP address. What type of attack is MOST likely being attempted?
Correct
The correct answer is Directory Traversal. Directory Traversal (also known as path traversal) attacks aim to exploit vulnerabilities in web applications to access files and directories that are outside the web server’s root directory. Attackers use special sequences like `../` (dot-dot-slash) to navigate up the directory tree and access sensitive files. The examples provided (`/etc/passwd`, `.bak` files) are classic targets for this type of attack.
SQL Injection attacks involve injecting malicious SQL code into database queries, not accessing files directly.
Cross-Site Scripting (XSS) attacks involve injecting malicious scripts into web pages to be executed by users’ browsers.
Brute-Force Attacks involve repeatedly trying different credentials to gain unauthorized access, typically to login pages.
This question assesses the ability to identify common web application vulnerabilities based on attack patterns observed in logs. It’s crucial for SOC analysts to recognize these patterns to effectively triage and investigate security alerts.
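How a SOC analyst would pick these patterns out of web server logs, as an added example that is not part of the original quiz: it decodes each request target (repeatedly, since percent-encoding can be nested), then flags `../` sequences, well-known system files and backup-file probes, and summarizes per source IP. The access-log format, sample lines, IP addresses and path lists are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access log in Common Log Format (not from the original page).
SAMPLE_LOG = """\
203.0.113.10 - - [01/May/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.10 - - [01/May/2024:10:00:02 +0000] "GET /download?file=../../../../etc/passwd HTTP/1.1" 403 0
203.0.113.10 - - [01/May/2024:10:00:03 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 0
203.0.113.10 - - [01/May/2024:10:00:04 +0000] "GET /config.php.bak HTTP/1.1" 404 0
203.0.113.10 - - [01/May/2024:10:00:05 +0000] "GET /download?file=%252e%252e%252fetc%252fshadow HTTP/1.1" 403 0
198.51.100.7 - - [01/May/2024:10:00:06 +0000] "GET /images/logo.png HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
# Assumed watch-lists; extend them with the files that matter on your own servers.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/proc/self/environ", "wp-config.php")
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".swp", "~")


def fully_decode(target, max_rounds=3):
    """Percent-decode until the string stops changing (handles double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def parse_line(line):
    """Parse a CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect_request(target):
    """Return the list of reasons a request target looks like a traversal/probe."""
    decoded = fully_decode(target).replace("\\", "/")
    path = decoded.split("?", 1)[0]
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("dot-dot-slash sequence")
    if any(p in decoded for p in SENSITIVE_PATHS):
        reasons.append("sensitive system file")
    if path.lower().endswith(BACKUP_SUFFIXES):
        reasons.append("backup/config file probe")
    return reasons


def summarize(log_text, min_suspicious=2):
    """Per-IP counts; only IPs with at least min_suspicious flagged requests are returned."""
    stats = defaultdict(lambda: {"requests": 0, "suspicious": 0, "reasons": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = stats[rec["ip"]]
        entry["requests"] += 1
        reasons = inspect_request(rec["target"])
        if reasons:
            entry["suspicious"] += 1
            entry["reasons"].update(reasons)
    return {ip: e for ip, e in stats.items() if e["suspicious"] >= min_suspicious}


if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {entry['suspicious']}/{entry['requests']} suspicious "
              f"({', '.join(sorted(entry['reasons']))})")
```

Note that the 403 and 404 status codes in the sample mean the server refused these requests; the pattern is still worth an alert, because a scanner that gets 403s today may find an unprotected path tomorrow.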
-
Question 18 of 30
18. Question
A SOC team is analyzing a suspicious email that was reported by a user. The email claims to be from a legitimate vendor, asking the user to click a link to “verify their account.” The link, when hovered over, points to a URL that is similar but not identical to the vendor’s actual website. What is the MOST appropriate immediate action for the security analyst to take regarding this email?
Correct
The correct answer is to forward the email to the threat intelligence team for analysis and blocking of the malicious URL. This approach ensures that the threat is properly documented, analyzed, and that the malicious infrastructure (URL, sender) can be blocked across the organization. It also allows for the collection of valuable threat intelligence that can be used to improve defenses.
Deleting the email from the user’s inbox is a reactive measure that prevents this specific user from clicking, but it doesn’t address the broader threat or prevent similar emails from reaching other users.
Instructing the user to click the link to confirm it’s malicious is extremely risky and should never be done. This could lead to the user’s system being compromised.
Blocking the sender’s email address at the mail gateway is a good step, but attackers often use spoofed sender addresses or switch to new ones quickly. Blocking the malicious URL is generally more effective.
This question tests the understanding of incident handling procedures for phishing emails and the importance of leveraging specialized teams for analysis and remediation. It highlights the process of turning a single reported incident into actionable threat intelligence.
-
Question 19 of 30
19. Question
A security analyst is reviewing logs from a Linux server and notices a user account that was created with elevated privileges, but the user claims they did not create it. The account has been used to access sensitive directories. What is the MOST likely scenario?
Correct
The correct answer is that the server has been compromised, and an attacker created a backdoor account. The creation of an unauthorized user account with elevated privileges, especially when the legitimate user denies creating it and it’s used to access sensitive areas, is a strong indicator of a security breach. Attackers often create such accounts to maintain persistent access to compromised systems.
The option suggesting the user forgot they created the account is possible but less likely given the context of unauthorized access to sensitive directories.
The option suggesting a legitimate system administrator created the account for maintenance is also possible, but it should be verified through proper change management logs and communication with administrators. Without such verification, unauthorized account creation is a red flag.
The option suggesting the account was automatically created by a new application is unlikely for a standard user account with elevated privileges. Applications typically use service accounts or specific permissions, not full user accounts with login capabilities.
This question assesses the ability to interpret system logs and identify signs of compromise. It emphasizes the importance of scrutinizing user account activity. In a SOC, recognizing unauthorized account creation is a critical indicator of a potential breach.
-
Question 20 of 30
20. Question
A company is implementing a Data Loss Prevention (DLP) solution. The goal is to prevent sensitive customer data (e.g., credit card numbers, social security numbers) from being transmitted outside the organization via email. Which of the following DLP policies would be MOST effective in achieving this goal?
Correct
The correct answer is a policy that scans outgoing emails for patterns matching credit card numbers and social security numbers and blocks emails containing them. This is a direct and effective way to prevent the exfiltration of specific types of sensitive data via email. DLP solutions use pattern matching (e.g., regular expressions) to identify and flag or block sensitive information.
A policy that encrypts all outgoing emails is a good security practice for confidentiality but doesn’t specifically prevent the transmission of sensitive data if the encryption keys are compromised or if the recipient is malicious. It also doesn’t address the *content* of the data.
A policy that monitors all network traffic for any data leaving the organization is too broad and would likely generate an overwhelming number of alerts, making it difficult to manage and potentially missing specific sensitive data. It also doesn’t focus on the email channel.
A policy that requires multi-factor authentication for all email users is an access control measure that helps prevent unauthorized access to email accounts, but it doesn’t prevent a legitimate user from intentionally or unintentionally sending sensitive data.
This question tests the understanding of Data Loss Prevention (DLP) technologies and their application in preventing data exfiltration. It highlights the importance of content-aware policies. In a SOC, understanding how DLP works is crucial for protecting sensitive information.
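What the content-aware pattern matching in the correct answer looks like in practice, as an added example that is not the quiz's own material and not any vendor's DLP engine: a regular-expression scan of outgoing message bodies for card and SSN formats, with a Luhn check so that an arbitrary 16-digit ticket number is not blocked as a card number, and a masked copy of each finding for the audit log. The sample messages and addresses are constructed; the card number is a well-known public test number.

```python
import re

# Constructed sample outbound messages (not from the original page).
OUTBOUND = [
    {"id": 1, "to": "partner@example.org",
     "body": "Order confirmed, reference number 4111 1111 1111 1111, thanks."},
    {"id": 2, "to": "vendor@example.org",
     "body": "Ticket 1234-5678-9012-3456 has been escalated."},  # 16 digits, fails Luhn
    {"id": 3, "to": "hr@example.org",
     "body": "Applicant SSN on file: 219-09-9999"},
    {"id": 4, "to": "team@example.org",
     "body": "Meeting moved to room 101 at 10:30."},
]

# 13-19 digits with optional space/dash separators between them.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# AAA-GG-SSSS, excluding area 000/666/9xx, group 00 and serial 0000 (SSA allocation rules).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits):
    """Luhn checksum: doubles every second digit from the right, sum must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return raw matches that have a plausible length and pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(m.group())
    return hits


def find_ssns(text):
    return [m.group() for m in SSN_RE.finditer(text)]


def mask(value):
    """Keep only the last four digits so the finding can be logged safely."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def classify(message):
    """Decide block/allow for one message and produce a redacted body for the log."""
    findings = []
    redacted = message["body"]
    for card in find_card_numbers(message["body"]):
        findings.append(("credit_card", mask(card)))
        redacted = redacted.replace(card, mask(card))
    for ssn in find_ssns(message["body"]):
        findings.append(("ssn", mask(ssn)))
        redacted = redacted.replace(ssn, mask(ssn))
    return {"id": message["id"], "action": "block" if findings else "allow",
            "findings": findings, "redacted": redacted}


def run_policy(messages):
    return [classify(m) for m in messages]


if __name__ == "__main__":
    for result in run_policy(OUTBOUND):
        print(result["id"], result["action"], result["findings"])
```

Real deployments add context rules (for example, allowing a listed finance mailbox to send to a listed processor) and scan attachments as well as bodies; a body-only regex scan is the minimum that satisfies the policy in the question.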
-
Question 21 of 30
21. Question
A security analyst is investigating an alert indicating a potential brute-force attack against an SSH server. The logs show numerous failed login attempts from a specific IP address, followed by a successful login using a common username. After the successful login, the attacker immediately attempts to download a file from the server. Which of the following is the MOST critical piece of information to gather immediately to understand the scope of the compromise?
Correct
The correct answer is the user account that was successfully compromised. Knowing which user account was compromised is critical because it dictates the level of access the attacker has gained. This information helps determine the potential impact of the breach, what sensitive data or systems the attacker can now access, and what further steps are needed for containment and eradication.
The contents of the file the attacker attempted to download are important for understanding what the attacker was after, but knowing the compromised account provides the immediate context of their access level.
The source IP address of the attacker is important for blocking and tracking, but it doesn’t tell you the impact of the compromise itself.
The timestamp of the successful login is useful for correlating events, but the compromised account is more critical for understanding the immediate risk.
This question emphasizes the importance of understanding the impact of a compromise. In incident response, identifying the compromised entity (user, system, etc.) is a primary step in assessing the situation.
-
Question 22 of 30
22. Question
A company is experiencing a distributed denial-of-service (DDoS) attack that is overwhelming its web servers. The attack traffic is originating from a large number of geographically dispersed IP addresses. Which of the following is the MOST effective strategy for mitigating this type of attack?
Correct
The correct answer is to utilize a specialized DDoS mitigation service or scrubbing center. Distributed Denial-of-Service (DDoS) attacks, by definition, come from a vast number of distributed sources, making it impractical to block individual IP addresses. DDoS mitigation services are designed to absorb and filter out malicious traffic at scale before it reaches the organization’s network, using techniques like traffic scrubbing and anomaly detection.
Implementing a Web Application Firewall (WAF) with strict rate-limiting rules helps against application-layer floods, but a volumetric attack saturates the upstream link or the WAF itself before any rule is evaluated, and a WAF never sees layer 3 and 4 floods at all.
Blocking all incoming traffic from the identified source IP addresses is ineffective for DDoS attacks because the sources are numerous, constantly changing and often spoofed, so the block list can never keep up and risks cutting off legitimate users who share those addresses.
Increasing the bandwidth of the affected web servers might temporarily absorb some traffic, but it is a costly and unsustainable response: a large attack can generate traffic volumes far beyond what an organisation can provision, so capacity alone is not a defence.
This question tests the understanding of effective strategies for mitigating large-scale network attacks. It highlights the limitations of traditional security controls against certain types of threats and the need for specialized solutions.
-
Question 23 of 30
23. Question
A security analyst is reviewing logs from a cloud-based email service. They notice an unusual pattern of emails being sent from a legitimate user account to external recipients, with the subject line “Invoice Attached” and the body containing a link. The user denies sending these emails. What is the MOST likely cause?
Correct
The correct answer is that the user’s email account has been compromised and is being used for spam or phishing. When a legitimate user account sends emails that the user denies sending, especially with lure content like “Invoice Attached” and a link, it strongly indicates that the account’s credentials or an active session have been stolen and the mailbox is being driven by an attacker. The follow-up checks are the account’s sign-in history (new locations, devices or legacy-protocol logins), any inbox rules or forwarding added to hide replies and bounces, and any third-party application grants, since these are the usual ways an attacker keeps access after a password reset.
The option suggesting the user is intentionally sending these emails for legitimate business purposes is contradicted by the user’s denial.
The option suggesting a misconfiguration in the email service’s outbound filtering is possible, but the primary indicator is the unauthorized sending of emails from a compromised account.
The option suggesting the emails are part of a legitimate marketing campaign is unlikely given the user’s denial and the typical nature of such campaigns (which are usually managed through dedicated marketing platforms, not individual user accounts).
This question assesses the ability to identify signs of account compromise. It highlights the importance of correlating user reports with log analysis. In a SOC, recognizing compromised accounts is a critical step in incident response.
-
Question 24 of 30
24. Question
A security analyst is performing a vulnerability assessment on a web application. They discover that the application is vulnerable to Cross-Site Request Forgery (CSRF). Which of the following is the MOST significant risk associated with this vulnerability?
Correct
The correct answer is that an attacker can trick a logged-in user into performing unwanted actions on the web application without their knowledge. CSRF works because the browser automatically attaches the victim’s session cookie to any request sent to the vulnerable site, no matter which page initiated it, so the application cannot tell a request the user meant to make from one an attacker’s page caused the browser to send. By crafting a malicious link or an auto-submitting form, an attacker can cause a logged-in user’s browser to send a state-changing request, such as changing their email address, making a purchase, or transferring funds, all without the user’s explicit consent. The standard defences are an anti-CSRF token tied to the session that only same-origin pages can read, the SameSite cookie attribute, and checking the Origin or Referer header on state-changing requests.
The option suggesting an attacker can inject malicious scripts into the web page to steal user credentials describes a Cross-Site Scripting (XSS) vulnerability, not CSRF.
The option suggesting an attacker can gain direct access to the application’s database describes a SQL Injection vulnerability, not CSRF.
The option suggesting an attacker can perform a denial-of-service attack against the web server is not the primary risk of CSRF. While a CSRF attack might involve sending many requests, its core purpose is to trick a user into performing specific, unauthorized actions.
This question tests the understanding of common web application vulnerabilities and their specific risks. It’s crucial for SOC analysts to differentiate between these vulnerabilities and understand their potential impact.
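The following is an added example, not code from the original quiz: a minimal “change email” handler in its vulnerable form beside a hardened one using the synchronizer token pattern and an Origin check. The site origin, session store and request shapes are assumptions constructed for the demonstration; a real framework would supply them.

```python
import hmac
import secrets

# Assumed site origin for this example (hypothetical).
SITE_ORIGIN = "https://app.example"

# Constructed in-memory session store: session id -> session state.
SESSIONS = {}


def login(user):
    """Create a session and mint a per-session anti-CSRF token (synchronizer token pattern)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "email": f"{user}@example.com",
                     "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Only a same-origin page can read this value and embed it in its form."""
    return SESSIONS[sid]["csrf"]


def change_email_vulnerable(request):
    """Trusts the session cookie alone, so any request the victim's browser sends succeeds."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if sess is None:
        return 401, "not logged in"
    sess["email"] = request["form"]["email"]
    return 200, "email updated"


def change_email_hardened(request):
    """Accepts the change only if the Origin header matches the site and the
    submitted token equals the one bound to the session (constant-time compare)."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if sess is None:
        return 401, "not logged in"
    if request["headers"].get("Origin") != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, sess["csrf"]):
        return 403, "missing or invalid CSRF token"
    sess["email"] = request["form"]["email"]
    return 200, "email updated"


def forged_request(sid):
    """Constructed: what the victim's browser sends when an attacker page auto-submits a form.
    The browser attaches the session cookie; the attacker cannot read the token."""
    return {"cookies": {"sid": sid},
            "headers": {"Origin": "https://attacker.example"},
            "form": {"email": "attacker@evil.example"}}


def legitimate_request(sid):
    """Constructed: a form submitted from the site's own settings page."""
    return {"cookies": {"sid": sid},
            "headers": {"Origin": SITE_ORIGIN},
            "form": {"email": "new@example.com", "csrf_token": csrf_token_for(sid)}}


def demo():
    """Run the forged and legitimate requests through both handlers."""
    sid = login("alice")
    vuln_forged = change_email_vulnerable(forged_request(sid))[0]
    email_after_vuln = SESSIONS[sid]["email"]
    sid = login("alice")  # fresh session for the hardened handler
    hard_forged = change_email_hardened(forged_request(sid))[0]
    hard_legit = change_email_hardened(legitimate_request(sid))[0]
    return {"vulnerable_forged": vuln_forged, "email_after_vulnerable": email_after_vuln,
            "hardened_forged": hard_forged, "hardened_legit": hard_legit,
            "email_after_hardened": SESSIONS[sid]["email"]}


if __name__ == "__main__":
    print(demo())
```

The Origin check alone is a useful second layer but should not be the only one, since some clients omit the header; setting the session cookie with SameSite=Lax or Strict would additionally stop the browser from attaching it to the cross-site POST in the first place.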
-
Question 25 of 30
25. Question
A SOC team is developing incident response playbooks. They need to define clear steps for handling a specific type of incident: a confirmed data breach involving sensitive customer information. Which of the following elements is MOST critical to include in this playbook to ensure an effective and coordinated response?
Correct
The correct answer is defined roles and responsibilities for each team member involved in the response. In a high-pressure incident like a data breach, clarity on who is responsible for what is paramount. This ensures that tasks are not duplicated, critical steps are not missed, and communication flows efficiently. Clear roles prevent confusion and enable a swift, coordinated response.
A detailed list of all potential attack vectors is useful for general security planning but is too broad for a specific incident response playbook. The playbook should focus on the steps for a *confirmed* breach.
Instructions on how to perform a full network scan might be a part of the investigation, but it’s a technical step, not the overarching organizational element that defines the response structure.
A guide on how to write a press release is important for communication, but it’s a specific communication task, not the core element that defines the operational response structure. Roles and responsibilities encompass all aspects of the response, including communication.
This question focuses on the practical aspects of incident response planning and the importance of clear organizational structure during a crisis. It highlights that effective response is not just about technical steps but also about human coordination.
-
Question 26 of 30
26. Question
A security analyst is investigating a suspicious file found on a user’s workstation. The file has a .exe extension but its name is something generic like “update.exe” and it’s located in a temporary directory. The analyst suspects it might be malware. What is the MOST appropriate initial step for static analysis of this file?
Correct
The correct answer is to calculate the file’s hash (MD5, SHA-256) and check it against threat intelligence feeds. Calculating the hash is a quick and non-intrusive first step. If the hash is already known to be associated with a specific piece of malware, it can immediately confirm the suspicion and provide valuable context about the file’s origin and behavior without needing to execute or deeply analyze it. Two caveats apply: a match only identifies samples the feed already knows, and a single changed byte (repacking, appended padding) produces a different hash, so a miss does not clear the file. Use SHA-256 as the file’s identity and treat MD5 only as a key for matching older feeds, since MD5 collisions can be manufactured. Hash the file from a read-only copy and never execute it on the workstation.
Executing the file in a sandbox environment is a form of dynamic analysis, which is typically performed after initial static analysis or when static analysis is inconclusive.
Analyzing the file’s strings for suspicious keywords is a part of static analysis, but calculating the hash is a more fundamental and often faster initial step for identification.
Disassembling the file using a disassembler is a more advanced static analysis technique that requires more time and expertise. It’s usually performed after initial identification steps.
This question tests the understanding of malware analysis techniques, specifically the initial steps of static analysis. It emphasizes the efficiency of using file hashes for quick identification. In a SOC, knowing how to quickly triage suspicious files is essential.
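As an added example (not code from the original quiz), the first static pass described above: chunked hashing with three algorithms, a lookup against a feed, a PE header check, and a strings review for obvious indicators. The sample bytes, the “threat intel” dictionary and the family name are constructed for the demonstration and correspond to no real malware.

```python
import hashlib
import io
import re

# Constructed sample bytes standing in for update.exe; not a real binary or a real malware hash.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 60
          + b"http://updates.example-bad.test/stage2.bin\x00"
          + b"cmd.exe /c whoami\x00" + b"\x00" * 16)

# Constructed "threat intel" lookup keyed by SHA-256 (hypothetical family name).
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE).hexdigest(): "Constructed.Trojan.Example"}

# Keywords a first-pass strings review usually looks for.
SUSPICIOUS_PATTERNS = [re.compile(p) for p in
                       (rb"https?://", rb"cmd\.exe", rb"powershell", rb"\.onion", rb"HKEY_")]


def file_hashes(fobj, chunk_size=1 << 16):
    """Hash a file-like object in chunks so large samples need not fit in memory.
    MD5 and SHA-1 are computed only to match older feeds; SHA-256 is the identity."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    while True:
        block = fobj.read(chunk_size)
        if not block:
            break
        for d in digests.values():
            d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def printable_strings(data, min_len=6):
    """Extract runs of printable ASCII, the same idea as the `strings` utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [s.decode("ascii") for s in re.findall(pattern, data)]


def triage_bytes(data, intel=KNOWN_BAD_SHA256):
    """Static first pass: hashes, intel lookup, PE header check and flagged strings."""
    hashes = file_hashes(io.BytesIO(data))
    strings = printable_strings(data)
    flagged = [s for s in strings
               if any(p.search(s.encode("ascii")) for p in SUSPICIOUS_PATTERNS)]
    return {"hashes": hashes,
            "known_bad": intel.get(hashes["sha256"]),
            "is_pe": data[:2] == b"MZ",
            "suspicious_strings": flagged}


def triage_file(path, intel=KNOWN_BAD_SHA256):
    """Same triage for a file on disk; open read-only and never execute it."""
    with open(path, "rb") as f:
        return triage_bytes(f.read(), intel)


if __name__ == "__main__":
    print(triage_bytes(SAMPLE))
    # A one-byte change (repacking, appended padding) defeats hash matching.
    print(triage_bytes(SAMPLE + b"\x00")["known_bad"])
```

The second call in the usage block is the caveat from the explanation in code: the padded copy is byte-for-byte the same malware plus one null, and the feed no longer recognises it, which is why the strings and header checks remain in the pass even when the hash lookup misses.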
-
Question 27 of 30
27. Question
A company is implementing a new security policy that requires all employees to use Multi-Factor Authentication (MFA) for accessing corporate resources. The security team is responsible for ensuring compliance. Which of the following is the MOST effective method for verifying that employees have successfully enrolled in and are using MFA?
Correct
The correct answer is to review authentication logs for successful logins that include MFA verification. Authentication logs provide definitive proof of whether MFA was successfully used during login attempts. By analyzing these logs, the security team can confirm that MFA is active and being used by employees, providing an objective measure of compliance. In particular, look for successful sign-ins that completed without an MFA step, including legacy or non-interactive protocols that skip it; those are the gaps the policy needs to close. Users with no sign-in at all in the period must be cross-checked against the directory rather than counted as compliant.
Sending out a survey to employees asking if they have enrolled in MFA relies on self-reporting, which can be inaccurate or dishonest. It does not provide verifiable proof.
Manually checking the MFA status on each employee’s account is impractical and not scalable for a large organization.
Blocking access for any user who has not reported MFA enrollment is a punitive measure that might be necessary as a last resort, but it’s not the primary method for *verifying* successful enrollment and usage. It’s an enforcement mechanism, not a verification method.
This question addresses the practical implementation and verification of security controls. It highlights the importance of using system logs for objective compliance monitoring. In a SOC, understanding how to audit and verify security policy adherence is crucial.
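An added example, not part of the original quiz, of the log review the answer describes: parse sign-in events, count successful logins with and without an MFA step per user, and produce a verdict per account. The JSON field names and the events themselves are constructed for the demonstration and are not any vendor’s schema; the in-scope user set stands in for a directory export.

```python
import json


# Constructed identity-provider sign-in events. Field names are hypothetical,
# not any vendor's schema; map your own log fields onto them.
LOG_LINES = [
    '{"ts":"2024-05-01T08:01:10Z","user":"alice","result":"success","mfa":"satisfied","method":"totp","client":"browser"}',
    '{"ts":"2024-05-01T08:05:42Z","user":"bob","result":"success","mfa":"none","method":null,"client":"browser"}',
    '{"ts":"2024-05-01T08:07:03Z","user":"carol","result":"failure","mfa":"none","method":null,"client":"browser"}',
    '{"ts":"2024-05-01T09:15:00Z","user":"alice","result":"success","mfa":"none","method":null,"client":"imap"}',
    '{"ts":"2024-05-01T09:20:31Z","user":"dave","result":"success","mfa":"satisfied","method":"fido2","client":"browser"}',
    '{"ts":"2024-05-01T10:02:15Z","user":"bob","result":"success","mfa":"none","method":null,"client":"browser"}',
]

# Accounts in scope (constructed), so users who never signed in are still reported.
IN_SCOPE_USERS = {"alice", "bob", "carol", "dave", "erin"}


def parse_events(lines):
    """Parse JSON lines, skipping malformed ones rather than aborting the review."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def mfa_compliance(events, users):
    """Per-user verdict from successful sign-ins only:
    compliant           every success carried an MFA step
    partial             at least one success completed without MFA (e.g. a legacy protocol)
    non_compliant       signed in successfully but never with MFA
    no_successful_login nothing in the window to judge; check enrolment separately"""
    stats = {u: {"success": 0, "with_mfa": 0, "without_mfa": []} for u in users}
    for e in events:
        if e.get("result") != "success" or e.get("user") not in stats:
            continue
        s = stats[e["user"]]
        s["success"] += 1
        if e.get("mfa") == "satisfied":
            s["with_mfa"] += 1
        else:
            s["without_mfa"].append((e["ts"], e.get("client")))
    report = {}
    for user, s in stats.items():
        if s["success"] == 0:
            status = "no_successful_login"
        elif s["with_mfa"] == 0:
            status = "non_compliant"
        elif s["without_mfa"]:
            status = "partial"
        else:
            status = "compliant"
        report[user] = {"status": status, **s}
    return report


if __name__ == "__main__":
    for user, r in sorted(mfa_compliance(parse_events(LOG_LINES), IN_SCOPE_USERS).items()):
        print(user, r["status"], r["without_mfa"])
```

The interesting row is alice: enrolled and using MFA in the browser, yet one success over IMAP carried no MFA step. That is the legacy-protocol gap the review is meant to surface, and a simple “is enrolled” check would have missed it.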
-
Question 28 of 30
28. Question
A security analyst is investigating a series of alerts indicating that a web server is experiencing a high rate of requests to a specific login page, with many of them failing. The source IP addresses are varied and geographically dispersed. The analyst suspects a brute-force attack targeting the login credentials. Which of the following is the MOST effective immediate countermeasure to stop this attack?
Correct
The correct answer is to implement account lockout policies that temporarily disable accounts after a set number of failed login attempts. Account lockout is a direct defense against brute-force attacks, and because it counts failures per account rather than per source address it still works when the attempts are spread across many IP addresses. By locking out accounts after a defined number of failed attempts, the attacker is prevented from continuing to guess credentials, effectively halting the attack on those specific accounts. Two caveats matter in practice: an attacker can deliberately trigger lockouts to deny service to the targeted accounts, so lockouts should be temporary and paired with per-account throttling or step-up challenges rather than indefinite; and a password spray that tries one guess per account across many accounts stays under any per-account threshold, so detection must also count failures across accounts.
Blocking all incoming traffic to the web server would be an overly broad and disruptive measure, likely causing a denial of service for legitimate users.
Notifying all users to change their passwords immediately is a good general security practice, but it’s a reactive measure and doesn’t stop the ongoing attack. It might be necessary later, but it’s not the most effective immediate countermeasure.
Performing a full vulnerability scan on the web server is a good practice for identifying weaknesses but does not directly stop an ongoing brute-force attack.
This question tests the understanding of common attack mitigation techniques. It emphasizes the importance of implementing specific controls that directly counter the observed attack vector.
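An added example, not from the original quiz, of a per-account sliding-window lockout and the two caveats in the explanation: the distributed attack is stopped, the legitimate owner is refused during the lockout window, and a one-guess-per-account spray never trips the threshold. The threshold, window and scenario timings are assumptions chosen for the demonstration.

```python
from collections import defaultdict, deque


class AccountLockout:
    """Per-account lockout with a sliding failure window. Counting per account
    rather than per source IP is what makes it work against distributed attempts."""

    def __init__(self, threshold=5, window_s=300, lockout_s=900):
        self.threshold = threshold
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> time the lock expires

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def attempt(self, account, src_ip, password_ok, now):
        """Evaluate one login attempt; returns 'locked', 'success' or 'failure'."""
        if self.is_locked(account, now):
            return "locked"  # refused even when the password is right
        if password_ok:
            self.failures[account].clear()
            return "success"
        window = self.failures[account]
        while window and window[0] < now - self.window_s:
            window.popleft()  # drop failures older than the window
        window.append(now)
        if len(window) >= self.threshold:
            self.locked_until[account] = now + self.lockout_s
            window.clear()
            return "locked"
        return "failure"


def simulate():
    """Constructed scenarios: distributed brute force on one account, the legitimate
    owner arriving during the lockout, and a password spray across many accounts."""
    policy = AccountLockout(threshold=5, window_s=300, lockout_s=900)
    # Six wrong passwords for 'admin' from six different source IPs, 10 s apart.
    brute = [policy.attempt("admin", f"203.0.113.{i}", False, now=10 * i) for i in range(6)]
    # The real administrator with the correct password 20 s later: still refused.
    owner = policy.attempt("admin", "192.0.2.10", True, now=70)
    # One wrong guess against each of 20 accounts from one IP: threshold never reached.
    spray = [policy.attempt(f"user{i}", "198.51.100.7", False, now=100 + i) for i in range(20)]
    return {"brute": brute, "owner_during_lockout": owner,
            "spray_locked_any": any(r == "locked" for r in spray),
            "owner_after_lockout": policy.attempt("admin", "192.0.2.10", True, now=10_000)}


if __name__ == "__main__":
    print(simulate())
```

The spray result is the part worth noting for detection: twenty failures from one address never lock anything, so the SIEM rule that complements this control counts failures per source and per time window across all accounts, not only per account.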
-
Question 29 of 30
29. Question
A SOC analyst is reviewing network traffic and notices an unusual amount of outbound traffic from a server that typically only communicates internally. The traffic is encrypted and destined for an IP address that is not on any approved external communication list. What is the MOST likely implication of this observation?
Correct
The correct answer is that the server may be compromised and communicating with a command and control (C2) server. Unusual outbound encrypted traffic from an internal server to an unapproved external IP address is a strong indicator of a compromise. Malware often uses encrypted channels to communicate with C2 servers for instructions, data exfiltration, or to download additional malicious payloads, thereby bypassing network security controls that inspect only unencrypted traffic. Because the payload cannot be read, the analysis relies on metadata: the destination’s reputation, connection timing (check-ins at near-fixed intervals, known as beaconing), the ratio of bytes sent to bytes received, and whether the server has any business reason to reach that address at all.
The option suggesting a legitimate software update is less likely because such updates typically use known, approved destinations and often have identifiable patterns.
The option suggesting the traffic is a false positive should be investigated, but the unusual nature of the traffic warrants a deeper look before dismissing it.
The option suggesting the server is attempting to establish a secure VPN connection is possible, but VPNs usually connect to known VPN endpoints and have specific configurations. Unapproved external IPs and unusual traffic patterns raise suspicion.
This question assesses the ability to interpret network traffic anomalies and infer potential security threats. It highlights the importance of scrutinizing encrypted traffic for malicious activity. In a SOC, identifying C2 communication is a critical detection task.
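As an added example (not code from the original quiz), the metadata analysis the explanation describes, run over constructed flow records: keep only internal-to-external connections to destinations outside the approved list, then score each channel on connection count, timing regularity and upload-to-download ratio. The flow record layout, the internal ranges and the approved list are assumptions for the demonstration.

```python
import ipaddress
import statistics
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_EXTERNAL = {"198.51.100.20"}  # constructed: the organisation's approved patch mirror

# Constructed flow records (seconds, src, dst, dport, bytes out/in), loosely modelled on a flow log.
FLOWS = (
    # App server checking in to an unapproved host every ~60 s with little jitter.
    [{"ts": t, "src": "10.0.5.12", "dst": "203.0.113.77", "dport": 443, "bytes_out": 1400, "bytes_in": 300}
     for t in (0, 61, 119, 181, 240, 299)]
    # The same server talking to the approved mirror: expected, skipped.
    + [{"ts": 30, "src": "10.0.5.12", "dst": "198.51.100.20", "dport": 443, "bytes_out": 500, "bytes_in": 90_000}]
    # A workstation with two irregular, download-heavy connections to another unapproved host.
    + [{"ts": 12, "src": "10.0.7.3", "dst": "192.0.2.5", "dport": 443, "bytes_out": 900, "bytes_in": 40_000},
       {"ts": 530, "src": "10.0.7.3", "dst": "192.0.2.5", "dport": 443, "bytes_out": 700, "bytes_in": 12_000}]
)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_suspect_channels(flows, approved=APPROVED_EXTERNAL, min_connections=4, max_jitter=0.2):
    """Group outbound internal->external flows to unapproved destinations and score
    each (src, dst, port) channel. 'beaconing' is true when the gaps between
    connections vary by at most max_jitter of their mean over enough samples."""
    by_channel = defaultdict(list)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]) and f["dst"] not in approved:
            by_channel[(f["src"], f["dst"], f["dport"])].append(f)
    findings = []
    for (src, dst, dport), recs in by_channel.items():
        times = sorted(r["ts"] for r in recs)
        intervals = [b - a for a, b in zip(times, times[1:])]
        beaconing = False
        if len(intervals) >= min_connections - 1:
            mean = statistics.mean(intervals)
            beaconing = mean > 0 and statistics.pstdev(intervals) / mean <= max_jitter
        bytes_out = sum(r["bytes_out"] for r in recs)
        bytes_in = sum(r["bytes_in"] for r in recs)
        findings.append({"src": src, "dst": dst, "dport": dport, "connections": len(recs),
                         "beaconing": beaconing, "bytes_out": bytes_out, "bytes_in": bytes_in,
                         "upload_heavy": bytes_out > bytes_in})
    # Beaconing channels first, then by volume of connections.
    return sorted(findings, key=lambda x: (not x["beaconing"], -x["connections"]))


if __name__ == "__main__":
    for f in find_suspect_channels(FLOWS):
        print(f)
```

The app server’s channel scores on every axis at once: unapproved destination, six connections at 60 s intervals with about 2 % jitter, and more bytes leaving than arriving. The workstation’s channel is still listed because the destination is unapproved, but with no regularity and a download-heavy profile it ranks below and reads more like a one-off fetch to be confirmed than a C2 check-in.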
-
Question 30 of 30
30. Question
During an incident response, a security analyst needs to preserve the integrity of digital evidence from a compromised workstation. Which of the following actions is MOST critical to ensure the evidence is admissible in a legal proceeding?
Correct
The correct answer is to maintain a strict chain of custody for all collected evidence. The chain of custody is a documented record of the handling, transfer, and storage of evidence from the time it is collected until it is presented in court. This process ensures that the evidence has not been tampered with, altered, or contaminated, which is essential for its legal admissibility. In practice that means hashing each item at acquisition and re-verifying the hash at every handover, acquiring through a write-blocker where possible, working only on verified copies, and logging who handled the item, when, and why.
Performing a live memory acquisition of the workstation is an important forensic technique, but it’s a method of evidence collection, not a guarantee of admissibility.
Analyzing the workstation’s registry for suspicious entries is part of the analysis phase, which occurs after evidence has been collected and preserved under a proper chain of custody.
Immediately wiping the workstation’s hard drive would destroy the evidence, making it impossible to analyze and certainly inadmissible in any legal proceeding.
This question focuses on the fundamental principles of digital forensics and legal evidence handling. It emphasizes the importance of procedural correctness in ensuring the validity of forensic findings.
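An added example, not from the original quiz, of the integrity side of chain of custody: each custody entry records the evidence hash and commits to the previous entry, so both a silently edited log and a modified working copy are detected on verification. The evidence identifier, handler names and the image bytes are constructed for the demonstration.

```python
import hashlib
import json


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only custody record where each entry commits to the previous one,
    so a later edit or deletion breaks verification of everything after it."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, action, evidence_id, evidence_sha256, handler, ts):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "ts": ts, "action": action,
                 "evidence_id": evidence_id, "evidence_sha256": evidence_sha256,
                 "handler": handler, "prev_hash": prev}
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute every entry hash and check the chain links and sequence numbers."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_hash"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def evidence_matches(log, evidence_id, data):
    """True if the item's current hash equals the one recorded at acquisition."""
    acquired = next(e for e in log.entries
                    if e["evidence_id"] == evidence_id and e["action"] == "acquired")
    return sha256_hex(data) == acquired["evidence_sha256"]


# Constructed stand-in for a disk image captured from the workstation.
IMAGE = b"constructed disk image bytes\x00" * 1024


def demo():
    log = CustodyLog()
    log.record("acquired", "WS-042-disk", sha256_hex(IMAGE), "analyst.a", "2024-05-01T10:00:00Z")
    log.record("transferred", "WS-042-disk", sha256_hex(IMAGE), "evidence.custodian", "2024-05-01T11:30:00Z")
    log.record("analysed_copy", "WS-042-disk", sha256_hex(IMAGE), "analyst.b", "2024-05-02T09:00:00Z")
    clean = log.verify() and evidence_matches(log, "WS-042-disk", IMAGE)
    # Someone edits a handler name after the fact: the chain no longer verifies.
    log.entries[1]["handler"] = "someone.else"
    tampered_log_ok = log.verify()
    # A working copy that was written to no longer matches the acquisition hash.
    altered_image_ok = evidence_matches(log, "WS-042-disk", IMAGE + b"x")
    return {"clean": clean, "tampered_log_ok": tampered_log_ok, "altered_image_ok": altered_image_ok}


if __name__ == "__main__":
    print(demo())
```

A hash chain like this proves the log was not altered after the fact; it does not replace the signatures, timestamps and physical controls a court expects, and in a real case the log would be kept on write-once or independently timestamped storage rather than in memory.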