Exam (elaborations)

PCCET - 4.4 Questions and Answers (2023/2024) Already Passed

Pages
15
Grade
A+
Uploaded on
28-09-2023
Written in
2023/2024

Q: What features does Cortex XDR bring?
A: Powerful endpoint protection together with endpoint detection and response (EDR) in a single agent.

Q: What must Cortex XDR prevent?
A:
- Known or unknown malware from infecting endpoints.
- Known and unknown exploits, including zero-day exploits.

Q: Which steps does Cortex XDR take to keep the endpoint safe?
A:
1. User attempts to open an executable file.
2. Local analysis to stop known malware.
3. Machine learning to prevent new malware.
4. Behavioral Threat Protection for advanced malware.
5. WildFire to detect unknown malware.
6. Attack blocked, endpoint safe.

Q: In addition to third-party feeds, Cortex XDR uses the intelligence obtained from tens of thousands of subscribers to the Palo Alto Networks WildFire malware prevention service to continuously aggregate threat data and maintain the collective immunity of all users across endpoints, networks, and cloud applications. How does the Cortex XDR agent use this intelligence?
A:
1. Before a file runs, the Cortex XDR agent queries WildFire with the hash of any Windows, macOS, or Linux executable file, and any dynamic link library (DLL) or Office macro, to assess its standing within the global threat community. WildFire returns a near-instantaneous verdict on whether the file is malicious or benign.
2. If the file is unknown, the Cortex XDR agent proceeds with additional prevention techniques to determine whether it is a threat that should be blocked.
3. If the file is deemed malicious, the Cortex XDR agent automatically terminates the process and (optionally) quarantines the file.

Q: If WildFire has no verdict for the file (the file is unknown), what does Cortex XDR do next?
A: The Cortex XDR agent uses local analysis via machine learning on the endpoint, trained by the rich threat intelligence from global sources including WildFire, to determine whether the file can run. Local analysis can determine whether a file is likely malicious or benign without relying on signatures, scanning, or behavioral analysis.

Q: Each event by itself appears benign, because attackers use legitimate applications and operating-system functions to achieve their goal; a collection of events, however, may represent a malicious event flow. How does Cortex XDR combat this?
A: With Behavioral Threat Protection. The Cortex XDR agent can detect and act on malicious chains of events that target multiple operations on an endpoint, such as network, process, file, and registry activity.

Q: In Cortex XDR, what does the granular child process protection module prevent, and how does it do that?
A: Script-based attacks used to deliver malware, by blocking known targeted processes from launching child processes that are commonly used to bypass traditional security approaches.

Q: What is a child process?
A: A subprocess created by a parent process that is running on the system.

Q: In Cortex XDR, what does the behavior-based ransomware protection module protect against, and how does it do that?
A: Encryption-based behavior associated with ransomware, by analyzing and stopping ransomware activity before any data loss occurs. To combat these attacks, Cortex XDR employs decoy files to attract the ransomware.

Q: What happens when you configure the behavior-based ransomware protection module in prevention mode?
A: It blocks the process attempting to manipulate the decoy files.

Q: What happens when you configure the behavior-based ransomware protection module in notification mode?
A: The agent logs a security event.

Q: Why would Cortex XDR send unknown files to WildFire?
A: For discovery and deeper analysis, to rapidly detect potentially unknown malware.

Q: Which techniques does WildFire use to assist Cortex XDR?
A:
● Static analysis is a powerful form of analysis, based in the cloud, that detects known threats by analyzing the characteristics of samples before execution.
● Dynamic analysis (sandboxing) detonates previously unknown submissions in a custom-built, evasion-resistant virtual environment to determine real-world effects and behavior.
● Bare-metal analysis uses a hardware-based analysis environment specifically designed for advanced threats that exhibit highly evasive characteristics and can detect virtual analysis.

Q: What does WildFire do if it finds that a file is a threat?
A: It automatically creates and shares a new prevention control with the Cortex XDR agent and other Palo Alto Networks products in minutes, to ensure that the threat is immediately classified as malicious and blocked if it is encountered again.

Q: How does Cortex XDR provide pre-exploit protection?
A: It prevents the vulnerability-profiling techniques that exploit kits use before launching attacks. By blocking these techniques, the agent prevents attackers from targeting vulnerable endpoints and applications, effectively stopping the attacks before they begin.

Q: How does Cortex XDR provide technique-based exploit prevention?
A: By blocking the exploitation techniques attackers use to manipulate applications. Although there are thousands of exploits, they typically rely on a small set of exploitation techniques that change infrequently. By blocking these techniques, Cortex XDR prevents exploitation attempts before endpoints can be compromised.

Q: Cortex XDR focuses on exploit techniques rather than on the exploits themselves. How does it do this?
A:
1. Documents opened by the user are scanned.
2. If the attacker attempts to exploit a vulnerability in the OS or an application, the attempt is blocked before any malicious activity succeeds.
3. The endpoint is protected from exploits.

Q: The Cortex XDR agent prevents exploits that use vulnerabilities in the operating system kernel to create processes with escalated, system-level privileges. It also protects against new exploit techniques used to execute malicious payloads, such as those seen in the 2017 WannaCry and NotPetya attacks. How does it do this?
A: The Cortex XDR agent blocks processes from accessing the injected malicious code from the kernel, and thus can stop an attack early in the attack lifecycle without affecting legitimate processes.

Q: By blocking the techniques common to exploit-based attacks, what does the Cortex XDR agent allow customers to do?
A:
● Protect applications that can't be patched and shadow IT applications.
● Prevent successful zero-day exploits.
● Eliminate the need to urgently patch applications.

Q: How does Cortex XDR detect credential-based attacks?
A: Cortex XDR collects endpoint events and profiles behavior to find attacks that are otherwise difficult to detect.

Q: In Cortex XDR, when remediation on the endpoint is needed following an alert or investigation, which actions can administrators take?
A:
● Isolate endpoints
● Terminate processes
● Block additional executions
● Quarantine malicious files
● Retrieve specific files
● Directly access endpoints with Live Terminal
● Orchestrate response with open APIs

Q: How does Cortex XDR isolate an endpoint?
A: By disabling all network access on the compromised endpoint except for traffic to the Cortex XDR management console, thus preventing the endpoint from communicating with, and potentially infecting, other endpoints.

Q: Why would an administrator terminate processes?
A: To stop any running malware from continuing to perform malicious activity on the endpoint.

Q: How does Cortex XDR block additional executions?
A: By blocking the file in the endpoint security policy.

Q: Why would an administrator retrieve specific files?
A: For further analysis.

Q: Why would an administrator orchestrate response with open APIs?
A: To allow third-party tools to apply enforcement policies and collect agent information from any location.

Q: On which operating systems can Cortex XDR be deployed?
A: Windows, macOS, Linux, and Android.

Q: The Cortex XDR agent prevents attackers from bypassing the macOS digital signature verification mechanism, Gatekeeper. What does Gatekeeper do?
A: It allows or blocks the execution of applications based on their digital signatures, which are ranked in three signature levels: Apple System, Mac App Store, and Developers.

Q: The Cortex XDR agent extends Gatekeeper functionality to enable customers to specify what?
A: Whether to block all child processes, or to allow only those with signature levels that match or exceed those of their parent processes.

Q: What does Cortex XDR prevent on an Android device?
A: Known malware and unknown Android Package Kit (APK) files from running on Android endpoints.

Q: How does the Cortex XDR agent protect Linux servers?
A: By preventing attackers from executing malicious ELF files or exploiting known or unknown Linux vulnerabilities to compromise endpoints.

Q: When a security event occurs on your Linux server, what does Cortex XDR do?
A: It collects forensic information that you can use to analyze the incident further.

Q: In Cortex XDR, what does the device control module allow you to do?
A: Easily manage USB access and gain assurance that you have mitigated USB-based threats.

Q: True or false: you need a server license to use Cortex XDR cloud-based management.
A: False. No server license is needed; your organization can protect hundreds or millions of endpoints without incurring additional operating costs.

Q: Cortex XDR combines what to provide a seamless platform experience?
A: Endpoint policy management, detection, investigation, and response in one web-based management console.

Q: Name three elements of Cortex XDR.
A:
● Multiple grouping methods
● Security profiles and simplified, rule-based policies
● Incident management

Q: Where is the data collected by the Cortex XDR agent stored?
A: In Cortex Data Lake.

Q: Cortex XDR is the world's first detection and response app that breaks silos by doing what?
A: Natively integrating endpoint, cloud, and network apps to stop sophisticated attacks.

Q: The architecture of Cortex XDR is optimized for maximum availability, flexibility, and scalability to manage millions of endpoints. Which components does it comprise?
A:
● Cortex XDR endpoint agent
● Cortex XDR management console
● WildFire malware prevention service
● Cortex Data Lake
● On-premises broker for restricted networks

Q: What is the footprint of the Cortex XDR endpoint agent that ensures a non-disruptive user experience?
A: About 512 MB of RAM and 200 MB of disk space.

Q: Through what do administrators have complete control over all Cortex XDR agents in the environment?
A: The Cortex XDR console.

Q: From the web-based Cortex XDR management console, what can you do?
A:
- Manage endpoint security policy
- Review security events as they occur
- Identify threat information
- Perform additional analysis of associated logs
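The behavioral threat protection and child process protection answers above describe two different checks: a parent-child rule (a targeted application must not launch a commonly abused child) and a chain rule (events that are each benign become malicious only together). The following Python is an added illustration of both, not Cortex XDR code or Palo Alto Networks material; the event shape, the two policy sets, the stage names and the two sample event streams are constructed assumptions.

```python
"""Added example (not Cortex XDR code): toy child process protection and
behavioral threat protection over a constructed endpoint event stream.

Each event is benign on its own (a process starts, a file is written, a
registry value is set, a socket opens); the detector judges the chain that
forms within a process tree. Event shape, policy sets and samples are
illustrative assumptions, not a vendor rule set.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed child process policy: document readers must not spawn script hosts.
TARGETED_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
ABUSED_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Assumed dropper chain: a script host writes an executable, persists it
# through a Run key, then opens an outbound connection.
DROPPER_CHAIN = {"script_launch", "exe_dropped", "run_key_set", "outbound_connect"}


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int
    image: str        # executable name of the acting process
    kind: str         # process_start | file_write | registry_set | network_connect
    detail: str = ""  # path, registry key or remote address


def stage_of(ev: Event) -> Optional[str]:
    """Map one raw event onto a chain stage, or None if it is uninteresting."""
    if ev.kind == "process_start" and ev.image.lower() in ABUSED_CHILDREN:
        return "script_launch"
    if ev.kind == "file_write" and ev.detail.lower().endswith((".exe", ".dll")):
        return "exe_dropped"
    if ev.kind == "registry_set" and "\\currentversion\\run\\" in ev.detail.lower():
        return "run_key_set"
    if ev.kind == "network_connect":
        return "outbound_connect"
    return None


def analyze(events: List[Event], prevent: bool = True) -> List[Tuple[str, str, int]]:
    """Return (action, rule, pid) verdicts for an event stream.

    prevent=True models prevention mode: a blocked child never runs and a
    terminated tree produces no further events, so later stages never occur.
    prevent=False models notification mode: every hit is only reported.
    """
    image: Dict[int, str] = {}    # pid -> image name of each process seen starting
    parent: Dict[int, int] = {}   # pid -> ppid
    stages: Dict[int, set] = {}   # pid -> chain stages seen in its process subtree
    blocked, fired, verdicts = set(), set(), []

    def report(action: str, rule: str, pid: int) -> None:
        verdicts.append((action if prevent else "alert", rule, pid))

    for ev in events:
        if ev.pid in blocked or ev.ppid in blocked:
            blocked.add(ev.pid)            # a stopped tree produces no more events
            continue
        if ev.kind == "process_start":
            image[ev.pid], parent[ev.pid] = ev.image.lower(), ev.ppid
            if image.get(ev.ppid) in TARGETED_PARENTS and image[ev.pid] in ABUSED_CHILDREN:
                report("block_child", f"{image[ev.ppid]}->{image[ev.pid]}", ev.pid)
                if prevent:
                    blocked.add(ev.pid)
                    continue
        stage = stage_of(ev)
        if stage is None:
            continue
        # Credit the stage to the acting process and each known ancestor, so a
        # chain spread over a process tree is still judged as one chain.
        pid = ev.pid
        while pid in image:
            stages.setdefault(pid, set()).add(stage)
            if stages[pid] >= DROPPER_CHAIN:
                if pid not in fired:
                    fired.add(pid)
                    report("terminate_tree", "dropper_chain", pid)
                    if prevent:
                        blocked.add(pid)
                break                      # one verdict per completed chain
            pid = parent[pid]
    return verdicts


# Constructed sample 1: a shortcut-launched PowerShell drops and persists a payload.
SHORTCUT_DROPPER = [
    Event(100, 4, "explorer.exe", "process_start"),
    Event(200, 100, "powershell.exe", "process_start", "powershell.exe -w hidden"),
    Event(200, 100, "powershell.exe", "file_write", r"C:\Users\u\AppData\Local\Temp\update.exe"),
    Event(200, 100, "powershell.exe", "registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event(200, 100, "powershell.exe", "network_connect", "203.0.113.10:443"),
]
# Constructed sample 2: the same chain, but launched from a Word macro.
MACRO_DROPPER = [SHORTCUT_DROPPER[0],
    Event(300, 100, "winword.exe", "process_start", r"C:\Users\u\Downloads\invoice.docm"),
    Event(400, 300, "powershell.exe", "process_start", "powershell.exe -w hidden"),
    Event(400, 300, "powershell.exe", "file_write", r"C:\Users\u\AppData\Local\Temp\update.exe"),
    Event(400, 300, "powershell.exe", "registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event(400, 300, "powershell.exe", "network_connect", "203.0.113.10:443"),
]

if __name__ == "__main__":
    print(analyze(SHORTCUT_DROPPER), analyze(MACRO_DROPPER, prevent=False))
```

The shortcut sample is never caught by the parent-child rule (explorer.exe is not a targeted parent), so only the chain rule fires; the macro sample is stopped at the first child-process launch in prevention mode, while notification mode reports both rules because the chain is allowed to complete.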
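The ransomware answers above describe decoy files and the two module modes: prevention blocks the process that manipulates a decoy, notification only logs a security event. The following Python is an added illustration of that mechanism, not Cortex XDR code; the decoy names, the fake encryptor, the process identity and the temporary folder are constructed, and the check compares hashes after the fact where a real agent would intercept the file operation itself.

```python
"""Added example (not Cortex XDR code): behavior-based ransomware protection
built on decoy files, run in prevention and in notification mode.

Decoys are planted among real documents and fingerprinted. An encryptor that
walks the folder touches the decoys too, and any change to a decoy (content,
rename or deletion) is treated as ransomware behaviour. Names, the fake
encryptor and the acting pid are constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Names chosen to sort first and last, so a bulk encryptor reaches them early.
DECOY_NAMES = ("!!_budget_2023.xlsx", "~~_invoices_archive.pdf")


def plant_decoys(folder: Path) -> Dict[str, str]:
    """Create decoy files and return name -> sha256 of their content."""
    folder.mkdir(parents=True, exist_ok=True)
    fingerprints = {}
    for name in DECOY_NAMES:
        path = folder / name
        path.write_bytes(f"decoy {name}\n".encode() * 32)  # constructed filler
        fingerprints[name] = hashlib.sha256(path.read_bytes()).hexdigest()
    return fingerprints


def tampered_decoys(folder: Path, fingerprints: Dict[str, str]) -> List[str]:
    """Names of decoys that were modified, renamed or deleted since planting."""
    tampered = []
    for name, digest in fingerprints.items():
        path = folder / name
        if not path.exists() or hashlib.sha256(path.read_bytes()).hexdigest() != digest:
            tampered.append(name)
    return tampered


def respond(folder: Path, fingerprints: Dict[str, str], actor_pid: int,
            mode: str, log: List[str]) -> str:
    """Decide what to do about the process that wrote into the folder.

    Returns "allow" (decoys intact), "terminate" (prevention mode) or
    "notify" (notification mode). Stopping the process is represented by
    the returned action; the log stands in for the agent's security event.
    """
    tampered = tampered_decoys(folder, fingerprints)
    if not tampered:
        return "allow"
    if mode == "prevention":
        log.append(f"pid={actor_pid} terminated, decoys touched: {tampered}")
        return "terminate"
    log.append(f"pid={actor_pid} ransomware behaviour observed: {tampered}")
    return "notify"


def simulate_ransomware(folder: Path, key: int = 0x5A) -> None:
    """Stand-in for an encryptor: XOR every file in place and rename it."""
    for path in sorted(folder.iterdir()):
        if path.is_file():
            path.write_bytes(bytes(b ^ key for b in path.read_bytes()))
            path.rename(path.with_name(path.name + ".locked"))


def run_demo() -> Dict[str, object]:
    """Plant decoys beside a real document, check the clean state, run the
    fake encryptor, then check again in both modes. Returns the decisions."""
    log: List[str] = []
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp) / "Documents"
        fingerprints = plant_decoys(folder)
        (folder / "quarterly_report.docx").write_bytes(b"constructed real document")
        clean = respond(folder, fingerprints, 4242, "prevention", log)
        simulate_ransomware(folder)
        prevented = respond(folder, fingerprints, 4242, "prevention", log)
        notified = respond(folder, fingerprints, 4242, "notification", log)
    return {"clean": clean, "prevention": prevented, "notification": notified, "log": log}


if __name__ == "__main__":
    for line in run_demo()["log"]:
        print(line)
```

The decoys cost nothing on a clean system (the first check returns "allow") and catch any encryptor that processes the folder in bulk, regardless of which cipher or file extension it uses, because the detection is on behaviour against planted files rather than on a signature.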
Q: The Cortex XDR architecture includes the Cortex Data Lake. What is it?
A: A scalable, cloud-based log repository that stores context-rich logs generated by Palo Alto Networks security products, including next-generation firewalls, Prisma Access, and Cortex XDR agents.

Q: What does the Cortex Data Lake do?
A: It allows you to collect ever-expanding volumes of data without needing to plan for local compute and storage.

Q: True or false: the key to Cortex XDR is blocking core exploit and malware techniques, not individual attacks.
A: True.

Q: Which two advantages does endpoint protection technology have over network traffic analysis? (Choose two.)
A. Ability to identify most common attacks by their symptoms
B. Deployed and managed centrally
C. Easier to deploy endpoint protection when people work from home
D. Detects command-and-control channels
E. Can easily identify worms
Answer: A and C.

Q: What is the order in which the endpoint checks whether a new program is safe?
A. Behavioral threat protection, then local analysis, then WildFire query
B. Local analysis, then behavioral threat protection, then WildFire query
C. WildFire query, then local analysis, then behavioral threat protection
D. Local analysis, then WildFire query, then behavioral threat protection
Answer: B.

Q: Of the endpoint checks, which one is bypassed for known programs?
A. WildFire query
B. Behavioral threat protection
C. Local analysis
D. Firewall analysis
Answer: C. Local analysis.

Q: Which three operating systems are supported by Cortex XDR? (Choose three.)
A. z/OS
B. Linux
C. macOS
D. Minix
E. Android
Answer: B, C, and E.
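The three-step hash-lookup passage earlier in these notes (query the hash before the file runs, fall back to local analysis for an unknown file, submit unknowns for deeper analysis so a prevention control exists next time) and the quiz question about the check that is bypassed for known programs describe one decision flow. The following Python is an added illustration of that flow, not Cortex XDR code; the in-memory verdict table stands in for the WildFire lookup, a byte-entropy heuristic stands in for the on-endpoint machine-learning model, and the four sample "executables" are constructed byte strings.

```python
"""Added example (not Cortex XDR code): the pre-execution decision flow from
the hash-lookup passage in the notes, carried through in code.

Before a file runs, its SHA-256 is looked up in a verdict service. A known
verdict decides immediately (known files skip local analysis); an unknown
file is submitted for deeper cloud analysis and judged locally meanwhile;
once the cloud verdict is published, later lookups of the same hash get it.
The verdict table, the entropy heuristic and the samples are constructed.
"""
import hashlib
import math
import random
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables: a DOS/PE-looking header plus a body.
_HEADER = b"MZ" + b"\x00" * 58 + b"This program cannot be run in DOS mode.\r\n"
KNOWN_GOOD = _HEADER + b"signed vendor tool, version 4.4\n" * 20
KNOWN_BAD = _HEADER + b"old commodity trojan, already in the verdict table\n" * 20
UNKNOWN_CLEAN = _HEADER + b"unsigned internal helper, never seen in the cloud\n" * 20
_rng = random.Random(2023)                      # deterministic "packed" body
UNKNOWN_PACKED = _HEADER + bytes(_rng.getrandbits(8) for _ in range(4096))


class VerdictService:
    """Stand-in for the cloud hash lookup and its submission queue."""

    def __init__(self, seeded: Dict[str, str]):
        self.verdicts = dict(seeded)            # sha256 -> "benign" | "malicious"
        self.queue: List[str] = []              # hashes awaiting deeper analysis

    def lookup(self, digest: str) -> str:
        return self.verdicts.get(digest, "unknown")

    def submit(self, digest: str) -> None:
        if digest not in self.queue:
            self.queue.append(digest)

    def publish(self, digest: str, verdict: str) -> None:
        """A sandbox result becomes a prevention control for every agent."""
        self.verdicts[digest] = verdict
        self.queue = [d for d in self.queue if d != digest]


def make_service() -> VerdictService:
    return VerdictService({sha256(KNOWN_GOOD): "benign", sha256(KNOWN_BAD): "malicious"})


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted bodies approach 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def local_analysis(data: bytes) -> str:
    """Toy stand-in for on-endpoint machine learning: a PE-looking file whose
    body is near-random is far more likely packed malware than a plain tool."""
    looks_pe = data[:2] == b"MZ"
    return "malicious" if looks_pe and entropy(data) > 7.0 else "benign"


@dataclass(frozen=True)
class Decision:
    action: str        # "allow" | "block"
    source: str        # "hash_lookup" | "local_analysis"
    submitted: bool    # sent to the cloud for deeper analysis this time


def pre_execution_check(data: bytes, service: VerdictService) -> Decision:
    """Run the checks in the order the hash-lookup passage describes them."""
    digest = sha256(data)
    verdict = service.lookup(digest)
    if verdict != "unknown":                    # known file: local analysis is bypassed
        return Decision("block" if verdict == "malicious" else "allow", "hash_lookup", False)
    service.submit(digest)                      # discovery: deeper analysis in the cloud
    verdict = local_analysis(data)              # meanwhile decide on the endpoint
    return Decision("block" if verdict == "malicious" else "allow", "local_analysis", True)


if __name__ == "__main__":
    svc = make_service()
    for name, sample in [("known good", KNOWN_GOOD), ("known bad", KNOWN_BAD),
                         ("unknown packed", UNKNOWN_PACKED), ("unknown clean", UNKNOWN_CLEAN)]:
        print(name, pre_execution_check(sample, svc))
```

The point worth noticing is the second lookup of UNKNOWN_CLEAN after `publish`: the first run had to rely on the endpoint's own model and queue the file, while the second is settled by the hash alone, which is what "maintain the collective immunity of all users" amounts to in practice.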

Institution
PCCET - 4.4
Course
PCCET - 4.4