Which technique is used as a deception tactic in containment/active defense?

Multiple Choice

Which technique is used as a deception tactic in containment/active defense?

Explanation:
Deception in containment/active defense relies on luring the attacker with believable but harmless targets so you can observe their methods and gain time to respond. Data decoy is the technique that uses fake data, credentials, or systems (like honeytokens and decoy files) designed to look real enough to tempt an intruder. When the decoys are accessed, alerts fire and you learn what tools, techniques, or paths the attacker is using, while real assets remain protected. This approach both slows the attacker and enriches your telemetry for rapid containment and investigation.

Other options don’t fit deception-focused containment. Indicators of compromise development centers on creating signals to detect intrusions, not on misleading the attacker. Campaign identification is about attributing activity to a broader adversary operation, not about tricking or taunting the attacker. Malware gathering is the process of collecting and analyzing malicious samples, not about deceiving the adversary.