If threat actor TTPs are documented in GTI, which approach best informs your detections?

Multiple Choice

If threat actor TTPs are documented in GTI, which approach best informs your detections?

Explanation:
The best approach is to take the actor's documented TTPs and turn them into behaviour-based detections, rather than relying on static indicators. GTI's TTP entries describe what an actor tends to do at each stage of an intrusion: how they gain initial access, escalate privileges, move laterally, exfiltrate data, and so on. Detections built on those techniques watch for the corresponding behaviours, and sequences of behaviours, in your telemetry (endpoint, network, identity, cloud) that map to the actor's real methods. That is far more durable than matching hashes, domains or IP addresses that the actor can rotate between campaigns, or tool-specific signatures that stop firing as soon as the tool is swapped. Because TTPs are naturally expressed in MITRE ATT&CK terms, detections keyed to technique IDs are also consistent across tools, easier to tune, and easier to share.

The other options fall short. Pulling in the list of technologies you have exposed tells you about your attack surface, not about how this actor operates, so it cannot by itself drive a detection and misses the actor's adaptivity. Past reports and IOC lists record history: the hashes and infrastructure seen in earlier campaigns are cheap for the actor to replace and may already be stale when you load them. IOCs still earn their place as a quick, low-cost match, but they sit at the bottom of the Pyramid of Pain while TTPs sit at the top. Grounding detections in TTPs means you can still catch the actor after their tools and infrastructure change.

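The contrast the explanation draws, as an added example that is not part of the original quiz page or of Google SecOps itself: two detectors run over constructed endpoint telemetry for two campaigns by the same hypothetical actor. The actor's technique chain (Office-spawned encoded PowerShell, LSASS dumping, shell-driven SMB to another host), the event field names, the IOC list and all hashes and addresses are made up for illustration. The IOC detector only finds the first campaign; the TTP detector, which correlates distinct ATT&CK techniques on one host inside a time window, finds both and ignores the benign PowerShell on a third host.

```python
"""TTP-based detection vs. IOC matching over constructed endpoint telemetry.

Everything below (event schema, technique mappings, IOCs, hosts) is an
illustrative assumption, not data from GTI or a real product schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# ATT&CK techniques the (hypothetical) GTI actor profile documents:
# T1059.001 PowerShell, T1003.001 LSASS memory, T1021.002 SMB/Windows Admin Shares.
ACTOR_TTPS = {"T1059.001", "T1003.001", "T1021.002"}

# IOCs from the actor's last report: hashes and C2 address seen in campaign 1 only.
KNOWN_IOCS = {"sha256": {"aaa111", "bbb222"}, "dest_ip": {"203.0.113.10"}}

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

# Constructed telemetry: campaign 1 (ws01), campaign 2 (ws02) six weeks later with
# rotated binaries and C2 but the same tradecraft, and benign admin activity (ws03).
TELEMETRY = [
    {"ts": "2024-05-01T10:00:00", "host": "ws01", "type": "process", "image": "powershell.exe",
     "parent": "winword.exe", "cmdline": "powershell -nop -w hidden -enc SQBFAFgA", "sha256": "aaa111"},
    {"ts": "2024-05-01T10:04:00", "host": "ws01", "type": "process", "image": "procdump64.exe",
     "parent": "powershell.exe", "cmdline": "procdump64 -ma lsass.exe c:\\temp\\l.dmp", "sha256": "bbb222"},
    {"ts": "2024-05-01T10:09:00", "host": "ws01", "type": "network", "image": "cmd.exe",
     "dest_ip": "10.0.0.25", "dest_port": 445, "cmdline": "net use \\\\fs01\\admin$"},
    {"ts": "2024-05-01T10:10:00", "host": "ws01", "type": "network", "image": "powershell.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443, "cmdline": ""},
    {"ts": "2024-06-12T14:30:00", "host": "ws02", "type": "process", "image": "powershell.exe",
     "parent": "excel.exe", "cmdline": "powershell -nop -enc SQBFAFgA", "sha256": "ccc333"},
    {"ts": "2024-06-12T14:41:00", "host": "ws02", "type": "process", "image": "dumpit.exe",
     "parent": "powershell.exe", "cmdline": "dumpit -p lsass.exe -o c:\\temp\\x.dmp", "sha256": "ddd444"},
    {"ts": "2024-06-12T14:52:00", "host": "ws02", "type": "network", "image": "cmd.exe",
     "dest_ip": "10.0.0.31", "dest_port": 445, "cmdline": "copy tool.exe \\\\fs02\\c$\\windows\\temp"},
    {"ts": "2024-06-12T15:00:00", "host": "ws03", "type": "process", "image": "powershell.exe",
     "parent": "explorer.exe", "cmdline": "powershell -file C:\\scripts\\inventory.ps1", "sha256": "eee555"},
]


def techniques_for(ev):
    """Map one event to the actor technique IDs its behaviour matches (empty set if none)."""
    found = set()
    cmd = ev.get("cmdline", "").lower()
    if ev["type"] == "process":
        if ev["image"] == "powershell.exe" and "-enc" in cmd and ev.get("parent") in OFFICE_APPS:
            found.add("T1059.001")  # Office-spawned encoded PowerShell
        if "lsass" in cmd:
            found.add("T1003.001")  # LSASS access, whatever the dumping tool is called
    elif ev["type"] == "network":
        if ev.get("dest_port") == 445 and ev["image"] in {"cmd.exe", "powershell.exe"}:
            found.add("T1021.002")  # shell-driven SMB connection to another host
    return found & ACTOR_TTPS


def ioc_detect(events, iocs=KNOWN_IOCS):
    """Static-indicator matching: hosts with a known-bad hash or destination address."""
    hits = set()
    for ev in events:
        if ev.get("sha256") in iocs["sha256"] or ev.get("dest_ip") in iocs["dest_ip"]:
            hits.add(ev["host"])
    return hits


def ttp_detect(events, min_techniques=2, window=timedelta(minutes=30)):
    """Behavioural correlation: flag a host that shows at least `min_techniques`
    distinct actor techniques inside `window`. Returns {host: sorted technique IDs}."""
    per_host = defaultdict(list)  # host -> [(timestamp, technique)] kept within the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        for tech in techniques_for(ev):
            recent = [(t, x) for (t, x) in per_host[ev["host"]] if ts - t <= window]
            recent.append((ts, tech))
            per_host[ev["host"]] = recent
            seen = {x for _, x in recent}
            if len(seen) >= min_techniques:
                alerts[ev["host"]] = sorted(seen)
    return alerts


if __name__ == "__main__":
    print("IOC hits:", sorted(ioc_detect(TELEMETRY)))  # only ws01; campaign 2 rotated everything
    print("TTP hits:", ttp_detect(TELEMETRY))          # ws01 and ws02; ws03 stays clean
```

The behavioural rule keys on what the actor does (encoded PowerShell from an Office parent, any tool touching LSASS, SMB from a shell) rather than on which binary does it, so renaming procdump to dumpit and moving to a new C2 changes nothing. In a real deployment the same logic would be expressed in the SIEM's own rule language with tuning for legitimate admin tooling; the window and technique threshold are the knobs that trade sensitivity against noise.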
