During the investigation of a security incident, an analyst has narrowed down the potential causes to a shortlist of vulnerabilities. Which of the following actions is most effective in determining the actual exploited vulnerability that led to the compromise?
Reviewing public CVE databases for matches with the shortlisted vulnerabilities.
Verifying patch levels and update histories for the affected systems.
Examining the less secure network paths to find the most plausible point of entry.
Analyzing the correlation between exploit signatures and network traffic.
Analyzing the correlation between exploit signatures and network traffic is the best method to determine the actual exploited vulnerability. This involves examining the network traffic for patterns or signatures that are known to be associated with specific exploits. This approach not only confirms whether an exploit took place but also links the exploit directly to the corresponding vulnerability. Reviewing CVE databases, while necessary, doesn’t confirm which vulnerability was exploited. Examining less secure network paths can uncover potential vulnerabilities but does not conclusively determine if and how they were exploited. Verifying patch levels may reveal missing patches but does not necessarily identify the actual exploited vulnerability.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are exploit signatures?
Open an interactive chat with Bash
What are CVE databases and how are they used?
Open an interactive chat with Bash
Why is analyzing network traffic important during a security incident investigation?