An analyst has several malware samples from the same campaign and wants to detect related files based on unique strings and byte patterns. Which method is MOST appropriate? In the containment trade-off phase, which response balances containment with evidence preservation?
YARA rules are suitable for identifying malware families using file strings, byte sequences, and conditions.
Why this answer
YARA rules are specifically designed to identify and classify malware samples based on textual or binary patterns, including unique strings and byte sequences. By testing the rule against known-good and known-bad samples, the analyst can validate its accuracy and reduce false positives, making it the most appropriate method for detecting related files from the same campaign.
How to eliminate wrong answers
Option A is wrong because tuning DHCP lease duration affects network address allocation and does not help in detecting malware based on strings or byte patterns. Option B is wrong because using only a firewall deny rule for port 443 blocks HTTPS traffic indiscriminately, which would not identify related malware files and could disrupt legitimate business operations. Option C is wrong because creating a CVE entry is a process for documenting a vulnerability, not a method for detecting or classifying malware samples based on unique patterns.