CAS-005 Question #210: Real Exam Question with Answer & Explanation
The correct answer is B: Look for common TTPs.
Question
After several companies in the financial industry were affected by a similar incident, they shared information about threat intelligence and the malware used for exploitation. Which of the following should the companies do to best identify whether the attacks are being conducted by the same actor? (Choose two.)
Options
- A. Apply code stylometry.
- B. Look for common TTPs.
- C. Use IoC extractions.
- D. Leverage malware detonation.
- E. Perform malware decompilation.
- F. Verify malware hashes.
Explanation
To determine if similar financial industry incidents are conducted by the same actor, companies should analyze their common Tactics, Techniques, and Procedures (TTPs) and verify the hashes of the malware used.
Common mistakes.
- A. Applying code stylometry is a highly specialized and often inconclusive method for attributing authorship, especially against threat actors who actively obfuscate their code.
- C. Using Indicator of Compromise (IoC) extractions helps detect ongoing activity, but it does not reliably link actors when IoCs such as IP addresses or domains are frequently changed or are reused by different groups.
- D. Leveraging malware detonation in a sandbox helps analysts understand malware behavior, but it does not by itself reveal the actor's identity or link separate attacks to the same actor without further correlation.
- E. Performing malware decompilation is a deep reverse-engineering technique for understanding malware functionality; it is too granular and resource-intensive to serve as the primary method for linking actors across multiple incidents.
Concept tested. Threat actor attribution and intelligence analysis
Reference. https://attack.mitre.org/