When designing an automated SOAR playbook to minimize dwell time in a ransomware incident with anomalous privileged service accounts, which action should be included?

Multiple Choice

Explanation:
In ransomware incidents involving privileged service accounts, the fastest way to cut off the attacker’s access and reduce dwell time is to automatically invalidate credentials and suspend sessions for those high-risk accounts. Revoking OAuth tokens and suspending sessions stops ongoing authentication and prevents further use of those accounts to move laterally, access resources, or deploy further encryption. Because this action is automated and driven by risk signals, it minimizes delay, which is crucial when time is of the essence in containment.

Waiting for approvals or adding steps that slow the response delays containment and can allow additional encryption or damage. Submitting hashes to VirusTotal is an intel-gathering step, not an immediate containment action, and adding a YARA-L rule is detection-oriented and may not immediately stop the attacker’s access, especially for privileged service accounts. The focus here is on rapidly neutralizing the attacker’s foothold by taking away the credentials used to access critical systems.
