During an investigation of a network breach, a security team notices repeated infiltration methods and identical post-compromise activities. They suspect these patterns align with known adversarial steps. Which approach is the best for verifying the repeated adversary infiltration steps?
Activate a host-based system that flags suspicious user processes
Deploy multiple decoy hosts to collect additional malicious behaviors
Review firewall logs for repeated blocked traffic in the same channel
Map each recorded activity to a recognized sequence of adversarial phases to see how they repeat
A well-structured method outlines each breach phase according to recognized markers of malicious activity. Mapping the identified phases enables investigators to classify repeated adversarial patterns in an organized framework. Gathering data through honeynets can reveal more attacker behaviors, but does not confirm classifiable patterns across the entire event chain. Searching logs for blocked connections detects certain attempts but overlooks full phase alignment. Host-based oversight can pinpoint potential threats, yet it does not ensure alignment with recognized phases when assembling a complete picture of an attack.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are recognized sequences of adversarial phases?
Open an interactive chat with Bash
Why is mapping activities more effective than using honeynets?
Open an interactive chat with Bash
How does mapping phases help in identifying repeated infiltration patterns?