In a ransomware incident, which containment action is recommended to include in an automated SOAR playbook when privileged accounts show anomalous activity?


Multiple Choice

In a ransomware incident, which containment action is recommended to include in an automated SOAR playbook when privileged accounts show anomalous activity?

Explanation:
Rapidly cutting off attacker access by automatically revoking credentials and suspending sessions for privileged accounts is a strong containment approach in a ransomware incident. When anomalous activity is detected on high-privilege accounts, automatically revoking OAuth tokens and signing out or suspending those sessions prevents the attacker from continuing to use valid credentials to move laterally, access critical systems, or exfiltrate data. This minimizes dwell time and reduces the blast radius while the incident response team investigates and remediates, without waiting for manual approvals.

Other options don’t fit as well for immediate containment: requiring an approval step slows response precisely when speed is essential; submitting hashes to VirusTotal doesn’t stop active access or contain credential abuse; and deploying a YARA-L rule on scripts may help with detection but doesn’t directly neutralize exposed sessions or tokens in real time.

