Palo Alto Networks (PANW) Certified Cybersecurity Entry-level Technician (PCCET) Practice Exam

Study for the Palo Alto Networks (PANW) Certified Cybersecurity Entry-level Technician Exam. Review flashcards and multiple choice questions with detailed hints and explanations. Prepare for success on your exam!


Which method to identify ransomware that uses a zero-day exploit is available in endpoint protection, but not on the firewall?

  1. Attack signatures

  2. Behavior analysis

  3. Observation of attack effects

  4. Data decryption

The correct answer is: Observation of attack effects

Observation of attack effects is a method that plays a crucial role in identifying ransomware, particularly when that ransomware employs zero-day exploits. This method focuses on monitoring the outcomes of an attack, analyzing how ransomware behaves once it has infiltrated a system. In the context of endpoint protection, this approach allows for the detection of unusual activity that ransomware may cause, such as a rapid increase in file encryption activities, creation of unusual file types, or attempts to spread laterally across the network. Since endpoints often have a range of behaviors and actions that can indicate a compromise, observing these effects can help security teams quickly respond to a ransomware incident.

Firewalls, on the other hand, primarily focus on monitoring and controlling network traffic based on predetermined security rules, making them less effective at identifying specific behaviors or effects that occur once an endpoint has already been compromised. Thus, observation of attack effects is particularly significant in the endpoint context, where more granular and behavioral insights can be derived to identify ransomware infections before they cause extensive damage.