Welcome to Pass4Success

Palo Alto Networks Exam PCDRA Topic 11 Question 65 Discussion

Actual exam question for Palo Alto Networks's PCDRA exam
Question #: 65
Topic #: 11

Cortex XDR is deployed in the enterprise and you notice that a Cobalt Strike attack via an ongoing supply chain compromise was prevented on one server. What steps can you take to ensure the same protection is extended to all your servers?

A. Conduct a thorough Endpoint Malware scan.
B. Enable DLL Protection on all servers, but there might be some false positives.
C. Enable Behavioral Threat Protection (BTP) with cytool to prevent the attack from spreading.
D. Create IOCs of the malicious files you have found to prevent their execution.

Suggested Answer: D

The best step to extend the same protection to all your servers is to create indicators of compromise (IOCs) from the malicious files found on the affected server. In Cortex XDR an IOC is a concrete artefact of a known threat: a file hash (SHA256 or MD5), a file name or path, a destination IP address or a domain name. IOC rules are defined centrally and apply to every endpoint that runs the agent, so a hash captured from the one prevented attack is matched on all servers, not just the one where the prevention fired. Two practitioner caveats: an IOC rule on its own raises an alert when the indicator is seen, while outright prevention of execution comes from adding the file's SHA256 hash to the Block List (Endpoints > Action Center), which every agent enforces regardless of profile, so do both; and because a supply chain compromise can deliver a recompiled or re-signed loader, hash-based IOCs cover the samples already seen and should be paired with the behavioural protections discussed below rather than treated as the whole answer.

The other options are not the best steps for the following reasons:

A is not the best step because an Endpoint Malware scan is a point-in-time inspection of files already on disk. It may miss the Cobalt Strike loader if the file is packed, encrypted or never written to disk, and it does nothing against the next copy delivered through the same supply chain channel. The scan is a useful confirmation step on servers you suspect are already affected, not a preventive control for the whole estate.

B is not the best step because enabling DLL Protection on all servers is a broad control that is likely to generate false positives and disrupt legitimate applications. DLL Protection in Cortex XDR blocks or alerts on DLL loads that match configured criteria, such as unsigned DLLs, DLLs loaded from network locations, or DLLs loaded by specific processes. Rolled out estate-wide without tuning, it also catches benign DLL loads that are part of normal system and application operation, so it needs an exception process before it can be deployed safely, and it still does not target the specific files already known to be malicious.

C is not the best step because Behavioral Threat Protection (BTP) is configured centrally, in the endpoint's Malware security profile in the Cortex XDR console, and applies to every endpoint assigned that profile; cytool is the agent's local command-line utility, run on one endpoint at a time, so it is the wrong mechanism for extending a control to every server. BTP detects sequences of endpoint behaviour associated with ransomware, credential theft, lateral movement and similar techniques rather than specific files, so even where it is enabled it may not stop an attack whose malicious files are already present or that evades the behavioural patterns through encryption, obfuscation or proxying. It complements the IOCs in D rather than replacing them.


References (Cortex XDR documentation):

- Create IOCs
- Scan an Endpoint for Malware
- DLL Protection
- Behavioral Threat Protection
- Cytool for Windows
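The following script is an added example, not code from the page or from Palo Alto Networks. It shows the mechanics behind answer D: hash the files the agent prevented on the one server, build an IOC payload (tenant-wide alerting on those hashes) and a Block List payload (tenant-wide prevention of execution), and optionally push both to the tenant with a standard API key. The endpoint paths, JSON field names and enum values are written from memory of the Cortex XDR public API and are assumptions to verify against your tenant's API reference; the sample files are constructed stand-ins for the quarantined artefacts.

```python
"""Turn the artefacts caught on one server into tenant-wide Cortex XDR controls.

Added example, not from the page or from Palo Alto Networks. Endpoint paths,
field names and enum values are ASSUMPTIONS based on the Cortex XDR public API
as recalled by the author: verify them against your tenant's API reference.
"""
import hashlib
import json
import re
import sys
import time
import urllib.request

# Constructed stand-ins for the quarantined files. In a real incident you would
# read the quarantined artefacts, or copy the SHA256 values from the alert.
SAMPLE_FILES = {
    "beacon_loader.dll": b"MZ\x90\x00constructed-sample-1",
    "update_helper.exe": b"MZ\x90\x00constructed-sample-2",
}

# Assumed API surface (verify against your tenant's documentation).
IOC_ENDPOINT = "/public_api/v1/indicators/insert_jsons"
BLOCKLIST_ENDPOINT = "/public_api/v1/hash_exceptions/blocklist"
VALID_SEVERITIES = ("INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def sha256_hex(data: bytes) -> str:
    """Lowercase SHA256 hex digest, so one file always yields one indicator string."""
    return hashlib.sha256(data).hexdigest()


def hash_files(files: dict) -> dict:
    """Map artefact name -> SHA256 for everything collected from the affected host."""
    return {name: sha256_hex(content) for name, content in files.items()}


def build_ioc_payload(hashes: dict, severity: str = "HIGH", comment: str = "",
                      ttl_days: int = 90, now_ms=None) -> dict:
    """IOC rules: Cortex XDR alerts when a listed hash is seen on any endpoint.

    expiration_date is epoch milliseconds; an expiry stops stale indicators piling up.
    """
    if severity not in VALID_SEVERITIES:
        raise ValueError(f"severity must be one of {VALID_SEVERITIES}, got {severity!r}")
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    expires = now_ms + ttl_days * 24 * 60 * 60 * 1000
    indicators = []
    for name, digest in sorted(hashes.items()):
        if not SHA256_RE.match(digest):
            raise ValueError(f"{name}: {digest!r} is not a lowercase SHA256 hex digest")
        indicators.append({
            "indicator": digest,
            "type": "HASH",
            "severity": severity,
            "expiration_date": expires,
            "comment": f"{comment} ({name})".strip(),
            "reputation": "BAD",   # assumed enum: GOOD / BAD / SUSPICIOUS / UNKNOWN
            "reliability": "A",    # assumed enum: A (most reliable) .. F
        })
    return {"request_data": indicators}


def build_blocklist_payload(hashes: dict, comment: str = "") -> dict:
    """Block List: every agent refuses to execute a file whose SHA256 is listed."""
    hash_list = sorted(set(hashes.values()))
    for digest in hash_list:
        if not SHA256_RE.match(digest):
            raise ValueError(f"{digest!r} is not a lowercase SHA256 hex digest")
    return {"request_data": {"hash_list": hash_list, "comment": comment}}


def post_payload(fqdn: str, api_key_id: str, api_key: str, endpoint: str, payload: dict) -> dict:
    """POST a payload to the tenant using standard API key headers (network call)."""
    req = urllib.request.Request(
        f"https://{fqdn}{endpoint}",
        data=json.dumps(payload).encode(),
        headers={
            "x-xdr-auth-id": api_key_id,
            "Authorization": api_key,
            "Content-Type": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    hashes = hash_files(SAMPLE_FILES)
    note = "Cobalt Strike loader prevented on one server (supply chain compromise)"
    print(json.dumps(build_ioc_payload(hashes, comment=note), indent=2))
    print(json.dumps(build_blocklist_payload(hashes, comment=note), indent=2))
    # To push for real: python ioc_push.py <tenant-fqdn> <api-key-id> <api-key>
    if len(sys.argv) == 4:
        fqdn, key_id, key = sys.argv[1:]
        print(post_payload(fqdn, key_id, key, IOC_ENDPOINT, build_ioc_payload(hashes, comment=note)))
        print(post_payload(fqdn, key_id, key, BLOCKLIST_ENDPOINT, build_blocklist_payload(hashes, comment=note)))
```

Run without arguments to print both payloads offline; pass the tenant FQDN and API key pair to submit them. The two payloads are deliberately separate: the IOC rule gives you visibility wherever the hash turns up, the Block List is what actually stops execution on every server, and an expiry on the IOC keeps the rule set from accumulating indicators for a loader the attacker has long since recompiled.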

Contribute your Thoughts:

Janae
2 months ago
I'd say option C is the way to go. Behavioral Threat Protection with cytool? Sounds like a party! Just don't forget to bring the snacks and energy drinks, because this is gonna be an all-nighter.
upvoted 0 times
Tyisha
2 months ago
Option A? Seriously? Malware scans are so 2010. We need some real cybersecurity magic, like Cortex XDR. Let's put on our best wizard hats and make this attack disappear!
upvoted 0 times
Tony
10 days ago
D) Create IOCs of the malicious files you have found to prevent their execution.
upvoted 0 times
Noah
12 days ago
C) Enable Behavioral Threat Protection (BTP) with cytool to prevent the attack from spreading.
upvoted 0 times
Ernest
14 days ago
B) Enable DLL Protection on all servers but there might be some false positives.
upvoted 0 times
Lashawnda
20 days ago
A) Conduct a thorough Endpoint Malware scan.
upvoted 0 times
Clare
2 months ago
Option D sounds like a good idea, but I'm not sure how effective it will be in the long run. Might as well just unplug all the servers and call it a day. Less chance of getting hacked that way.
upvoted 0 times
Allene
1 month ago
Might as well just unplug all the servers and call it a day. Less chance of getting hacked that way.
upvoted 0 times
Carlota
1 month ago
Option D sounds like a good idea, but I'm not sure how effective it will be in the long run.
upvoted 0 times
Bette
2 months ago
I would say option B is the way to go. DLL Protection might have some false positives, but better safe than sorry, right? Gotta keep those servers locked down tight.
upvoted 0 times
Paz
1 month ago
Creating IOCs of the malicious files found is also important to prevent their execution.
upvoted 0 times
Samira
1 month ago
I think enabling Behavioral Threat Protection with cytool could also be helpful in preventing the attack from spreading.
upvoted 0 times
Kimbery
1 month ago
I agree, option B sounds like a good precaution to take.
upvoted 0 times
Keva
2 months ago
I think conducting a thorough Endpoint Malware scan is also important to ensure all servers are protected.
upvoted 0 times
Elly
2 months ago
I agree with An, but we should also create IOCs of the malicious files.
upvoted 0 times
Gianna
2 months ago
Definitely go with option C. Behavioral Threat Protection is the way to go to prevent the spread of the attack. Who needs sleep when you have cytool, am I right?
upvoted 0 times
Marti
2 months ago
Let's make sure all servers are protected with Behavioral Threat Protection.
upvoted 0 times
Chara
2 months ago
Cytool is a powerful tool to have in your arsenal for security.
upvoted 0 times
Carry
2 months ago
I agree, option C is the best choice to prevent the attack from spreading.
upvoted 0 times
An
3 months ago
I think we should enable Behavioral Threat Protection (BTP) with cytool.
upvoted 0 times
