Which of the following is not an Atomic Indicator?

Study for the SANS Advanced Incident Response, Threat Hunting, and Digital Forensics (FOR508) Test. Prepare with comprehensive materials, flashcards, and multiple choice questions with hints and explanations. Ace your exam with confidence!

Multiple Choice

Which of the following is not an Atomic Indicator?

Explanation:
Atomic indicators are the simplest, stand-alone pieces of data that point to adversary activity on their own and can be matched directly against what you observe, with no computation or surrounding context needed. An IP address is a network endpoint you can watch for on the wire or in firewall and proxy logs. A fully qualified domain name is another direct endpoint that can be watched in DNS traffic or logs. A static string sent over a covert command-and-control channel is a literal pattern you can search for in packet payloads or captured traffic.

A hash of a malicious file is different in kind: it is not observed, it is computed from the file's contents. You first need the complete sample (or the file on disk), then derive the value, and only then can you compare it against a blocklist or database. In the atomic/computed/behavioral indicator taxonomy (Hutchins, Cloppert and Amin, 2011) that FOR508 uses, hashes and regular expressions are computed indicators, and combinations of atomic and computed indicators are behavioral indicators. Hashes are also brittle: any change to the file, even a repack of the same malware, yields a new hash, so a single hash does not carry across variants or campaigns. It is useful for confirming a known sample, but it is not an Atomic Indicator, which makes the hash of a malicious file the correct answer.

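As an added example (not from the exam page or the FOR508 course material), the script below matches constructed atomic indicators (an IP, an FQDN and a static C2 string) against constructed log lines by plain substring search, then shows why a file hash has to be computed from the whole sample first and stops matching after a one-byte change, while the atomic string embedded in the sample still matches. All indicator values, log lines and sample bytes are hypothetical.

```python
"""Added example: atomic vs. computed indicators.

Atomic indicators (IP, FQDN, static C2 string) are matched directly against
observed data. A file hash is a computed indicator: it must be derived from
the full content of a sample first, and any change to the sample changes it.
All indicator values, log lines and sample bytes below are constructed.
"""
import hashlib

# Constructed atomic indicators (hypothetical values, not real threat intel).
ATOMIC_INDICATORS = {
    "ip": "203.0.113.45",            # TEST-NET-3 documentation range
    "fqdn": "update.example.net",    # reserved example domain
    "c2_string": "X-Session: kq9z",  # fixed string the hypothetical beacon sends
}

# Constructed log lines: proxy log, DNS log, captured HTTP request, benign DNS.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z proxy src=10.0.0.12 dst=203.0.113.45 method=POST uri=/gate",
    "2024-05-01T10:00:02Z dns client=10.0.0.12 query=update.example.net type=A",
    "2024-05-01T10:00:03Z http-req POST /gate HTTP/1.1 header='X-Session: kq9z'",
    "2024-05-01T10:00:04Z dns client=10.0.0.13 query=www.example.com type=A",
]


def match_atomic(log_lines, indicators=ATOMIC_INDICATORS):
    """Return (line, indicator_name) for every line containing an atomic indicator.

    Each indicator is a literal value, so a substring search is enough;
    nothing has to be computed from the observation before comparing.
    """
    hits = []
    for line in log_lines:
        for name, value in indicators.items():
            if value in line:
                hits.append((line, name))
    return hits


def compute_hash_indicator(content: bytes) -> str:
    """Derive the computed indicator (SHA-256) from a complete sample's bytes."""
    return hashlib.sha256(content).hexdigest()


def match_hash(content: bytes, known_hashes) -> bool:
    """A hash only matches when the whole sample is byte-for-byte identical."""
    return compute_hash_indicator(content) in known_hashes


# Constructed "malware sample" with the C2 string embedded in its bytes.
SAMPLE_V1 = b"MZ\x90\x00" + b"\x00" * 16 + b"X-Session: kq9z" + b"\x00" * 16
# A trivially modified variant: one byte appended, e.g. by repacking.
SAMPLE_V2 = SAMPLE_V1 + b"\x01"

# The hash we "know" came from the original sample.
KNOWN_HASHES = {compute_hash_indicator(SAMPLE_V1)}


def compare_variants():
    """Show the hash breaking on the variant while the atomic string still matches."""
    c2 = ATOMIC_INDICATORS["c2_string"].encode()
    return {
        "v1_hash_match": match_hash(SAMPLE_V1, KNOWN_HASHES),
        "v2_hash_match": match_hash(SAMPLE_V2, KNOWN_HASHES),
        "v1_string_match": c2 in SAMPLE_V1,
        "v2_string_match": c2 in SAMPLE_V2,
    }


if __name__ == "__main__":
    for line, name in match_atomic(SAMPLE_LOGS):
        print(f"[{name}] {line}")
    print(compare_variants())
```

Running it flags three of the four log lines (one per atomic indicator) and reports that the hash matches only the original sample while the embedded C2 string matches both, which is the distinction the explanation draws between an observed atomic value and a computed one.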
