A report contains IoC and TTP information for a zero-day exploit that leverages vulnerabilities in a specific version of a web application. Which of the following actions should a SOC analyst take first after receiving the report?
A. Implement a vulnerability scan to determine whether the environment is at risk.
B. Block the IP addresses and domains from the report in the web proxy and firewalls.
C. Verify whether the information is relevant to the organization.
D. Analyze the web application logs to identify any suspicious or malicious activity.
Before taking any action, the SOC analyst should first verify whether the Indicators of Compromise (IoCs) and Tactics, Techniques, and Procedures (TTPs) in the report are relevant to the organization's environment. This means checking whether the vulnerable web application, and specifically the affected version, is actually in use. As per CompTIA's CySA+ guidelines, relevance verification helps prioritize resources and response actions effectively, ensuring that time is not wasted on threats that do not impact the organization. Options A, B, and D are important subsequent steps if the threat is deemed relevant.