SOC Monthly quiz

Immediately block the user’s account

Click the link to check where it leads

Ask the user to reply to the email for verification

Analyze the email headers for sender details and authentication records

Pay the ransom to retrieve the files

Disconnect the infected machine from the network

Run a full antivirus scan while keeping the system online

Ask the user to rename the encrypted files

Review web server logs and check for signs of successful exploitation

Contact the attacker to negotiate

Upgrade the server hardware

Block IP to prevent SQL attacks

It turns off the Windows Defender Firewall for all network profiles (Domain, Private, and Public).

It disables only the Domain profile of Windows Firewall, leaving Private and Public profiles active.

It blocks all incoming and outgoing traffic by setting the firewall to its strictest mode.

It resets the firewall rules to their default settings without disabling the firewall.

Block the attacker's IP, enforce account lockout policies, and enable multi-factor authentication (MFA).

Change the RDP port from 3389 to a random high-number port to evade attackers.

Disable failed login alerts in the SIEM to reduce noise from brute-force attempts.

Add the attacker’s IP to a global "safe list" to monitor their activity.

Immediately block the user’s account and delete all transferred files from the cloud provider.

Contact the employee FLM directly and ask them to explain their activity.

Disable all outbound internet access to prevent further uploads.

Review SIEM and proxy logs to confirm the source, destination, and nature of the data transfer.

Immediately lock the account, force a password reset, and review the account's recent activity.

Notify the account owner to change their password immediately and continue monitoring the account for further activity.

Reset the password for all users in the organization to prevent widespread compromise.

Decode the Base64 script, review its content, and analyze its behavior in a sandbox environment.

Notify the user to stop running PowerShell scripts, as it may be a common user mistake.

Restart the system and clear the temporary directory to remove traces of the script.

Immediately block all PowerShell execution on the system to stop potential malicious actions.

Disable PasswordAuthentication and enforce the use of public key authentication only.

Disable PubkeyAuthentication and rely solely on password-based authentication for simplicity.

Disable ChallengeResponseAuthentication and rely on password authentication only.

Modify the /etc/ssh/sshd_config file to allow only Challenge-Response authentication

An alert indicating a successful brute-force login attack when there was none

An alert about unusual traffic that is determined to be caused by a DDoS attack

An alert indicating malware detected in a sandbox environment

An alert indicating a legitimate login attempt by an authorized user