CS0-003 Question #304: Real Exam Question with Answer & Explanation
The correct answer is A: Cross-reference the signature with open-source threat intelligence.
Question
A security analyst has received an incident case regarding malware spreading out of control on a customer's network. The analyst is unsure how to respond. The configured EDR has automatically obtained a sample of the malware and its signature. Which of the following should the analyst perform next to determine the type of malware based on its telemetry?
Options
- A. Cross-reference the signature with open-source threat intelligence.
- B. Configure the EDR to perform a full scan.
- C. Transfer the malware to a sandbox environment.
- D. Log in to the affected systems and run netstat.
Explanation
Cross-referencing the malware's signature with open-source threat intelligence (OSINT) platforms (such as VirusTotal, MITRE ATT&CK, or AlienVault OTX) is the fastest and most efficient way to identify the malware type based on its telemetry, since the EDR has already done the heavy lifting by capturing the sample and signature. Option B (full EDR scan) would help detect spread but does nothing to identify what the malware actually is. Option C (sandbox analysis) is useful for unknown or unidentified malware, but since a signature already exists, checking threat intel databases is quicker and more appropriate at this stage. Option D (running netstat) is a network diagnostic step that reveals active connections but provides no information about malware classification.
🧠 Memory Tip: Think of it this way - you already have the malware's "fingerprint" (signature). The fastest way to identify a fingerprint is to run it through an existing database, just like law enforcement would. OSINT threat intelligence is that database. Signature = Search first!