매달, 우리는 1000명 이상의 사람들이 시험 준비를 잘하고 시험을 잘 통과할 수 있도록 도와줍니다.
Certified SOC Analyst (CSA) 온라인 연습
최종 업데이트 시간: 2026년03월09일
당신은 온라인 연습 문제를 통해 EC-Council 312-39 시험지식에 대해 자신이 어떻게 알고 있는지 파악한 후 시험 참가 신청 여부를 결정할 수 있다.
시험을 100% 합격하고 시험 준비 시간을 35% 절약하기를 바라며 312-39 덤프 (최신 실제 시험 문제)를 사용 선택하여 현재 최신 100개의 시험 문제와 답을 포함하십시오.
정답:
Explanation:
The core problem described is that the SOC is treating raw indicators (IoCs) as if they are actionable intelligence (CTI), without enough context to prioritize. IoCs are often low-context, high-volume, and time-sensitive; many are noisy, shared infrastructure, or already outdated. CTI (cyber threat intelligence) adds context―adversary, campaign, intent, targeting, confidence, and recommended actions―so analysts can decide what matters for their environment. The scenario explicitly states the alerts “lack critical context” and the team “lacks tools and intelligence to correlate IoCs with real-world threats,” which is fundamentally a failure to distinguish IoC data from intelligence. Information overload is a symptom, but the underlying challenge is that the organization is ingesting IoCs without intelligence enrichment and prioritization logic. Budget/skill can contribute, but the question asks for the greatest challenge given the described conditions. From a SOC perspective, solving this requires enrichment (TI platforms, reputation + context), correlation with internal telemetry, scoring based on relevance, and focusing on behaviors and impact rather than indicator volume alone. Therefore, distinguishing IoC from CTI is the best answer.
정답:
Explanation:
Reliable delivery across unreliable networks is primarily a transport-layer concern. The syslog transport layer covers how messages are transmitted between devices, relays, and collectors, including protocol choice and delivery assurance. Many syslog deployments default to UDP for simplicity, but UDP is lossy and does not guarantee delivery―problematic for remote sites and compliance-driven logging. Hardening transport typically involves using TCP (reliable delivery), TLS for encryption and integrity, buffering/queueing at relays, retransmission handling, and monitoring of connection health and backlog. The content layer is about message format and fields; management and filtering is about routing and reduction of noise; application layer relates to the syslog-generating and receiving software. Those are important, but they do not address the fundamental need for dependable delivery under network instability. From a SOC perspective, transport reliability directly impacts forensic completeness, alert accuracy, and compliance evidence. Therefore, optimizing and hardening the syslog transport layer is the correct priority.
정답:
Explanation:
These actions align most strongly with eradication because they are removing the root cause of compromise and eliminating the adversary’s ability to persist. Applying an emergency patch to the exploited mail server closes the vulnerability that enabled initial access. Updating mail filtering rules to block the malicious payload reduces reinfection risk and removes the delivery path. Network segmentation can be a containment measure, but in this context it is being implemented as a corrective control to prevent continued lateral movement and re-compromise as part of eliminating the threat’s operational pathways. Evidence gathering is already implied by the forensic identification of the exploited CVE; recovery would involve restoring services and data after the threat is removed. In SOC practice, containment stops immediate spread (isolate servers, block traffic), while eradication focuses on removing malware, closing exploited vulnerabilities, removing persistence, and making the environment safe for return-to-service. Because the scenario explicitly includes patching and control changes aimed at eliminating the exploit vector and stopping recurrence, eradication is the best fit.
정답:
Explanation:
Alerting and reporting is the SIEM/SOC function that turns detected conditions into actionable notifications and tracked incidents. The scenario requires real-time detection triggers (thresholds/anomalies), analyst notifications, and automatic ticket/incident generation with relevant context fields (event type, duration, affected device, OS version). That is exactly what alerting does: it monitors rules, correlations, and analytics outputs and produces alerts/incidents; reporting provides structured summaries and operational views for stakeholders and audits. Log collection is only ingesting data and does not create incidents. Log parsing extracts fields from raw messages, and log normalization standardizes those fields across sources―both are foundational, but they do not themselves generate alerts or tickets. In SOC practice, effective alerting depends on good parsing/normalization so alerts carry the right context, but the function that performs continuous monitoring and triggers incident workflows is alerting and reporting. This also supports escalation workflows, SLA tracking, and post-incident documentation because the alert/incident record becomes the primary case artifact.
정답:
Explanation:
An in-house/internal SOC model best fits when data sovereignty, strict control of sensitive data, and operational independence are the top priorities―and when the organization has the budget and staffing capacity to operate 24/7. For a government agency handling health records, limiting third-party access reduces legal, compliance, and privacy risk. An internal SOC can ensure that telemetry, incident artifacts, and investigative outputs remain within national borders and under direct governance, supporting sovereignty mandates and chain-of-custody requirements. Outsourced or multi-MSSP models increase external data exposure and often require sharing logs, incident details, or access into systems―conflicting with the requirement for complete control. A hybrid model can be effective when internal capability is limited and external expertise is needed, but the prompt explicitly states the agency can hire many professionals and wants full control. From a SOC operations perspective, an in-house SOC also allows customization of playbooks, escalation paths, and compliance reporting aligned to government standards, and it reduces dependency on vendor timelines during high-severity incidents. Therefore, the most suitable model is in-house/internal SOC.
정답:
Explanation:
The scenario describes creating a ticket and escalating/assigning it to the appropriate analyst, which is incident recording and assignment. This phase is where the SOC formally documents the reported event, creates an incident record in the tracking system (often SIEM/SOAR or ticketing), sets initial severity/priority, and assigns ownership for investigation. While triage will follow quickly (or may begin in parallel), the explicit action described is logging the incident as a ticket and escalating it to Tier 2. Containment would involve actions to stop spread (isolate endpoint, block C2, disable accounts), which are not described yet. Notification refers to informing broader stakeholders (management, legal, IT) and is not the focus here. From a SOC workflow standpoint, accurate incident recording and assignment is crucial because it ensures accountability, preserves initial report details (time, symptoms, impacted user/device), and triggers SLA-driven response processes. Once assigned, the Tier 2 analyst will conduct triage and verification, then drive containment and eradication if ransomware is confirmed.
정답:
Explanation:
Amazon GuardDuty is the fully managed AWS threat detection service designed to analyze CloudTrail events, VPC Flow Logs, and DNS logs to identify suspicious and malicious activity. It uses threat intelligence and behavioral models to detect patterns such as unusual API calls, anomalous network connections (including known malicious destinations), and suspicious DNS activity―directly matching the scenario requirements. Macie is focused on discovering and protecting sensitive data (especially in S3) through classification and data exposure detection, not broad threat detection across API/network/DNS. AWS Config is a configuration compliance and drift monitoring service; it tracks resource configurations and policy compliance but does not provide threat detection based on network and activity logs. Security Hub aggregates and normalizes findings from multiple AWS security services and partners; it is a central view and compliance/finding management layer, but it relies on services like GuardDuty to generate threat findings. From a SOC perspective, GuardDuty provides the near-real-time detection signals the team needs, and those findings can be forwarded to SIEM/SOAR workflows for triage and response.
정답:
Explanation:
Packet filters are a network security control that inspects packet headers (source/destination IP, ports, protocol flags) to allow or block traffic. Their known limitation is that they generally do not inspect encrypted payload content; they can see metadata but not the application-layer data inside TLS/SSL sessions. The scenario describes a solution that “inspects data packets in real time” but struggles with encrypted traffic, which aligns with packet filtering and other header-based inspection approaches. VPN, SSH, and IPsec are encryption technologies/protocols themselves, not the inspection control; they create encrypted tunnels that make payload inspection harder. From a SOC viewpoint, packet filtering is valuable for fast enforcement and reducing attack surface, but it is limited for detecting threats embedded in encrypted sessions. To improve visibility, SOC teams often complement packet filters with TLS termination at controlled points (proxies), endpoint telemetry (process initiating connection), and flow analytics (NetFlow/IPFIX) to detect anomalies in encrypted traffic based on behavior and metadata.
정답:
Explanation:
Machine learning is the key AI technology for detecting suspicious activity without predefined signatures by learning patterns from data and identifying anomalies, outliers, and high-risk behaviors. In SOC contexts, ML can model normal baselines for users, hosts, and applications, then flag deviations such as unusual authentication patterns, unexpected data transfers, or rare process behaviors―capabilities that are particularly useful against zero-days and APTs that evade signature-based tools. NLP is valuable for processing human-language text (tickets, email content, narrative logs), but it is not the primary engine for behavioral anomaly detection across telemetry. Static IP blocking is a manual control that can be bypassed and does not “learn” or adapt. Heuristic-based signatures still rely on predefined patterns, even if they are generalized, and are not the same as adaptive learning. From a SOC perspective, ML can improve detection coverage when combined with strong telemetry and tuning, but it also requires governance: monitoring model drift, validating outputs, and ensuring explainability for analysts. Because the scenario prioritizes signatureless detection and real-time adaptation, machine learning is the best fit.
정답:
Explanation:
This activity is Recovery because it focuses on restoring systems and business operations to a normal, trusted state after the threat has been contained and eradicated. Restoring encrypted data from backups, rebuilding compromised workstations, and re-enabling network access are all recovery tasks. The key objective in recovery is to return services safely while ensuring the environment is clean and stable―hence validation steps before reconnecting systems to production networks. Containment would have occurred earlier and would include isolating affected VLANs/hosts and stopping spread. Eradication would include removing ransomware artifacts, closing persistence, patching vulnerabilities (which the scenario says has already been done), and ensuring the attacker cannot regain access. Post-incident activities occur after recovery and include lessons learned, reporting, process improvements, and control updates. From a SOC operational standpoint, recovery is often the most resource-intensive phase because it requires coordination between security, IT operations, application owners, and business units to restore systems, verify integrity, and monitor for reinfection. Because the scenario is explicitly about restore/rebuild and safe return-to-service, the correct phase is recovery.
정답:
Explanation:
Use cases should be selected based on the availability and quality of data because detections cannot work without reliable telemetry. In SOC engineering, the first constraint is data: what sources exist, how complete they are, how quickly they arrive, and whether fields are parsable and consistent. Choosing use cases that your environment can actually support produces faster time-to-value, fewer false positives, and fewer blind spots. Prioritizing “zero-day” use cases is too vague and often unrealistic, because zero-days vary widely and require strong behavioral telemetry and baselines. Implementing as many use cases as possible spreads resources thin and increases noise, creating alert fatigue. Compliance-driven use cases are important, but if the underlying data is missing or poor quality, compliance rules will still fail operationally and can create a false sense of security. A mature approach is: start with high-value, high-feasibility detections that match available data (identity compromise, suspicious admin actions, endpoint malware, critical network anomalies), then expand as data coverage improves. Therefore, data availability and quality should guide initial use case selection.
정답:
Explanation:
Strategic threat intelligence is aimed at executive and program-level decision-making. It focuses on high-level risk trends, geopolitical drivers, adversary motivations, target selection, and emerging threat landscapes that influence long-term security posture and investment priorities. The question emphasizes senior management concerns, long-term implications, and broad risks affecting financial institutions―hallmarks of strategic intelligence. Technical intelligence is focused on specific indicators (IPs, domains, hashes) and technical artifacts for immediate detection. Tactical intelligence focuses on adversary tactics, techniques, and procedures (TTPs) that help defenders improve detections and controls. Operational intelligence is more immediate, relating to current campaigns, adversary capabilities, and near-term targeting information used for active defense and incident response. While tactical and operational intelligence are valuable for SOC detections and playbooks, the requirement here is “high-level risks and long-term implications,” which maps most directly to strategic threat intelligence.
정답:
Explanation:
Isolating the finance department’s VLAN is a classic containment action. Containment focuses on limiting spread, stopping additional damage, and preventing further compromise while the team stabilizes the environment. In ransomware incidents, rapid segmentation and isolation can prevent lateral movement, reduce the number of encrypted systems, and preserve critical services. The scenario shows escalation to leadership, activation of the IRT, and immediate network isolation―all consistent with containment. Eradication would come next and involves removing ransomware artifacts, closing exploited vulnerabilities, eliminating persistence mechanisms, and ensuring the threat cannot return. Evidence gathering and forensic analysis may occur in parallel after containment, especially to preserve volatile evidence, but the central action described is isolation to stop spread. Notification involves informing stakeholders (legal, leadership, regulators) and is not the primary activity described. From a SOC playbook standpoint, containment is often the first priority once ransomware is confirmed because time is critical: every minute of uncontrolled spread
increases operational and financial impact. Therefore, the current phase is containment.
정답:
Explanation:
This is best classified as “Vulnerable and outdated components” because the organization is knowingly running a third-party library with a known exploitable vulnerability and has rolled back the available fix. In web application security, third-party dependencies are a major risk driver because attackers routinely target widely used frameworks and libraries, especially when exploit code becomes available or active exploitation is observed. Even if the rollback was motivated by stability, leaving the vulnerable component in production without compensating controls (WAF rules, disabling vulnerable functionality, strict input validation, segmentation) maintains high risk. Software and data integrity failures would focus on unauthorized changes or untrusted code deployment; the issue here is the presence of a known vulnerable dependency. Security logging/monitoring failures refer to insufficient visibility, not the root exposure. Insecure design refers to architectural weaknesses built into the application; while dependency management can be part of secure design, the immediate classification is the vulnerable component itself. From a SOC perspective, this classification drives remediation: prioritize patch-compatible fixes, upgrade dependency versions, implement compensating controls until patching is possible, and improve change management to prevent security rollback without risk acceptance and mitigation.
정답:
Explanation:
If critical logs are not reaching the SIEM, the most direct root cause is an architectural or configuration failure in the SIEM deployment. A SIEM’s detection capability depends on ingesting the right telemetry from key control points (network, endpoint, identity, cloud). Missing firewall, IDS, and endpoint logs creates blind spots that will prevent detections from firing, even for well-known attacks, because the SIEM simply lacks the required evidence. This commonly happens due to misconfigured collectors/agents, incorrect forwarding rules, blocked network paths, wrong ports/protocols, parsing failures, certificate/auth issues, or incomplete onboarding of data sources. While lack of SIEM knowledge can affect tuning and interpretation, it does not explain missing log delivery. Volume-handling issues typically show up as ingestion throttling, dropped events, or delayed indexing after logs are onboarded―not as a complete absence of critical sources. Performance delays can degrade detection timeliness, but again the scenario states the logs are not reaching the SIEM at all. From a SOC engineering standpoint, the first troubleshooting steps are data pipeline validation (connectivity, agent health, message counts), ingestion dashboards, and source-side forwarding verification. Therefore, improper configuration or deployment architecture is the correct reason.