SY0-701 · Question #1021
SY0-701 Question #1021: Real Exam Question with Answer & Explanation
Question
SIMULATION 6

You are a security operations analyst for a healthcare provider. Your main job function is to compare current, high-fidelity threat intelligence feeds to activity occurring on a web server and electronic medical record (EMR) server.

INSTRUCTIONS

Click on each threat intelligence feed and console connection to:
- Review the appropriate threat intelligence feed
- Determine if your servers are targeted
- Remediate any compromise found by stopping only services connecting to bad hosts and removing associated files

Type help into the console to obtain a list of available commands. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Answer:

Web Server - actions to perform
1. Stop sshd, vncserver, and vsftpd because they are actively connected to 36.220.4.27 (SSH, VNC, FTP) - a high-confidence, high-frequency attacker that specifically targets the healthcare sector.
2. Stop the HTTPS process (usually httpd or a downloader such as wget/curl) that is talking to 52.104.29.42 and 66.101.22.80, both flagged with high confidence in today's feed.
3. Remove any files those services dropped (check /tmp, /var/www/html/, and users' home directories) to eliminate footholds left by the attacker.

Web Server: 36.220.4.27, 52.104.29.42, and 66.101.22.80 all appear in the current high-fidelity feed with Confidence = High; terminating only the services that are communicating with these specific IPs cleanly severs the malicious channels without interrupting unrelated functionality.

EMR Server - actions to perform
1. Stop the MSSQL client service (process name typically sqlcmd or isql) that is connected to 76.17.89.65 - the only high-confidence MSSQL threat in the feeds.
2. Stop sshd, vncserver, and vsftpd if they are reaching 36.220.4.27 (same healthcare-focused attacker as above).
3. Delete any artifacts those processes created in /opt/mssql/, /tmp, or a user's home directory.

EMR Server: 76.17.89.65 (High confidence, MSSQL) and 36.220.4.27 (High confidence, multi-protocol) represent the only current high-fidelity threats relevant to an EMR system. Disabling just the affected services and purging their dropped files removes the compromise while leaving essential EMR functions intact.
Options
- Task: As a security operations analyst, compare current, high-fidelity threat intelligence feeds to activity occurring on a web server and electronic medical record (EMR) server. Review the appropriate threat intelligence feed, determine if your servers are targeted, and remediate any compromise found by stopping only services connecting to bad hosts and removing associated files.
Explanation
The correct actions involve cross-referencing the threat intelligence feeds with active network connections on both servers, identifying that 36.220.4.27 is a high-confidence, high-frequency attacker specifically targeting healthcare infrastructure. By stopping only the services (sshd, vncserver, vsftpd, and the HTTPS/downloader process) that have active connections to the malicious IP - rather than shutting down all services - the analyst performs targeted, precise remediation that minimizes operational disruption while eliminating the threat vectors. This approach reflects best practice in incident response: validate with threat intel, isolate only compromised processes, and remove associated malicious files to prevent persistence.
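The cross-referencing step the explanation describes (match each server's active connections against the high-confidence indicators in the feed, then name only the processes that are talking to those hosts) can be scripted. The following Python is an added example and not part of the exam question or the simulation console; the feed rows and the `ss -tnp`-style connection listing are constructed for this example (the indicator IPs are the ones the question names, the confidence, sector and protocol columns and the process names, PIDs and local addresses are assumptions).

```python
"""Triage helper: find processes whose peers are high-confidence threat-intel indicators."""
import re
from dataclasses import dataclass

# Constructed threat-intel feed in CSV form. The four High rows use the IPs from the
# question; the Low row is a constructed non-healthcare indicator to show filtering.
THREAT_FEED = """\
indicator,confidence,sector,protocol
36.220.4.27,High,Healthcare,SSH/VNC/FTP
52.104.29.42,High,Healthcare,HTTPS
66.101.22.80,High,Healthcare,HTTPS
76.17.89.65,High,Healthcare,MSSQL
198.51.100.9,Low,Finance,HTTP
"""

# Constructed `ss -tnp`-style output for the web server (local addresses, PIDs and the
# benign peer 203.0.113.7 are assumptions; the process names follow the answer above).
WEB_SERVER_CONNECTIONS = """\
State Recv-Q Send-Q Local_Address:Port Peer_Address:Port Process
ESTAB 0 0 10.0.0.5:22 36.220.4.27:51000 users:(("sshd",pid=812,fd=4))
ESTAB 0 0 10.0.0.5:5901 36.220.4.27:51002 users:(("vncserver",pid=913,fd=7))
ESTAB 0 0 10.0.0.5:21 36.220.4.27:51004 users:(("vsftpd",pid=620,fd=3))
ESTAB 0 0 10.0.0.5:44122 52.104.29.42:443 users:(("wget",pid=1501,fd=3))
ESTAB 0 0 10.0.0.5:44130 66.101.22.80:443 users:(("curl",pid=1510,fd=3))
ESTAB 0 0 10.0.0.5:44200 198.51.100.9:80 users:(("curl",pid=1520,fd=3))
ESTAB 0 0 10.0.0.5:443 203.0.113.7:49512 users:(("httpd",pid=455,fd=9))
"""

CONFIDENCE_RANK = {"Low": 0, "Medium": 1, "High": 2}
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


@dataclass(frozen=True)
class Finding:
    process: str
    pid: int
    peer_ip: str
    confidence: str
    protocol: str


def parse_feed(text):
    """Return {indicator: row-dict} from the CSV-style feed text."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split(",")
    return {row["indicator"]: row
            for row in (dict(zip(header, line.split(","))) for line in lines[1:])}


def parse_connections(text):
    """Return (process, pid, peer_ip) for each ESTAB line; skips the header and partial lines."""
    result = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "ESTAB":
            continue
        # Peer column is addr:port; rsplit keeps IPv6 addresses like [::1]:443 intact.
        peer_ip = fields[4].rsplit(":", 1)[0].strip("[]")
        match = PROC_RE.search(fields[5])
        if match:
            result.append((match.group(1), int(match.group(2)), peer_ip))
    return result


def triage(feed_text, conn_text, min_confidence="High"):
    """Match connections to feed indicators at or above min_confidence."""
    feed = parse_feed(feed_text)
    threshold = CONFIDENCE_RANK[min_confidence]
    findings = []
    for process, pid, peer_ip in parse_connections(conn_text):
        row = feed.get(peer_ip)
        if row is None or CONFIDENCE_RANK.get(row["confidence"], -1) < threshold:
            continue  # unknown peer, or below the fidelity bar we are acting on
        findings.append(Finding(process, pid, peer_ip, row["confidence"], row["protocol"]))
    return findings


def services_to_stop(findings):
    """Distinct process names that have a connection to a flagged host."""
    return sorted({f.process for f in findings})


if __name__ == "__main__":
    for f in triage(THREAT_FEED, WEB_SERVER_CONNECTIONS):
        print(f"stop {f.process} (pid {f.pid}): peer {f.peer_ip} [{f.confidence}, {f.protocol}]")
    print("services to stop:", services_to_stop(triage(THREAT_FEED, WEB_SERVER_CONNECTIONS)))
```

Run against the constructed listing, the script names sshd, vncserver, vsftpd, wget and curl and leaves httpd alone, because its peer is not in the feed; the curl session to the Low-confidence indicator is also left alone at the default threshold, which is the "high-fidelity" filter the question insists on. The script only reports; actually stopping the services and removing dropped files remains a deliberate analyst action, as in the simulation.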