ops Flashcards

(298 cards)

1
Q

Which two pieces of information are collected from the IPv4 protocol header? (Choose two.)

A

C. source IP address of the packet
D. destination IP address of the packet

2
Q

In a SOC environment, what is a vulnerability management metric?

A

internet exposed devices

3
Q

Which category relates to improper use or disclosure of PII data?

A

regulated

4
Q

Which regex matches only on all lowercase letters?

A

[a-z]+

5
Q

Which list identifies the information that the client sends to the server in the negotiation phase of
the TLS handshake?

A

ClientHello, TLS versions it supports, cipher-suites it supports, and suggested compression methods

6
Q

An offline audit log contains the source IP address of a session suspected to have exploited a
vulnerability resulting in system compromise.

Which kind of evidence is this IP address?

A

corroborative evidence

7
Q

Which security technology allows only a set of pre-approved applications to run on a system?

A

application-level whitelisting

8
Q

Refer to the exhibit. Which type of log is displayed?

*** has a signature ID

A

IDS
Because there is a signature ID, the event is almost certainly a traditional IPS or IDS event.

9
Q

Refer to the exhibit. Which two elements in the table are parts of the 5-tuple? (Choose two.)

A

Source Port
Initiator IP

A 5-tuple refers to a set of five different values that comprise a Transmission Control Protocol/Internet Protocol (TCP/IP) connection. It includes a source IP address/port number, destination IP address/port number and the protocol in use.

10
Q

Which security principle is violated by running all processes as root or administrator?

A

principle of least privilege

11
Q

What is the function of a command and control server?

A

It sends instructions to a compromised system

12
Q

What is the difference between deep packet inspection and stateful inspection?

A

Deep packet inspection allows visibility on Layer 7 and stateful inspection allows visibility on Layer 4

13
Q

Which evasion technique is a function of ransomware?

A

encryption

14
Q

What does cyber attribution identify in an investigation?

A

threat actors of an attack

15
Q

Drag and drop the security concept on the left onto the example of that concept on the right.

Threat

A

Network is compromised

16
Q

Drag and drop the security concept on the left onto the example of that concept on the right.

Vulnerability

A

Lack of an access list

17
Q

Drag and drop the security concept on the left onto the example of that concept on the right.

Risk Assessment

A

Configuration Review

18
Q

Drag and drop the security concept on the left onto the example of that concept on the right.

Exploit

A

Leakage of confidential information

19
Q

Drag and drop the access control models from the left onto the correct descriptions on the right.

DAC

A

Object owner determines permissions

20
Q

Drag and drop the access control models from the left onto the correct descriptions on the right.

MAC

A

OS determines permissions

21
Q

Drag and drop the access control models from the left onto the correct descriptions on the right.

RBAC

A

Role of the subject determines permissions

22
Q

Drag and drop the access control models from the left onto the correct descriptions on the right.

ABAC

A

Attributes of the subject determine permissions

23
Q

Drag and drop the technology on the left onto the data type the technology provides on the right.

Netflow

A

session data

24
Q

Drag and drop the technology on the left onto the data type the technology provides on the right.

tcpdump

A

full packet capture

25
Drag and drop the technology on the left onto the data type the technology provides on the right. web content filtering
transaction data
26
Drag and drop the technology on the left onto the data type the technology provides on the right. traditional stateful firewall
connection event
27
Which tool is commonly used by threat actors on a webpage to take advantage of the software vulnerabilities of a system to spread malware?
exploit kit
28
Which two methods might be used by an analyst to detect SSL/TLS encrypted command-and-control communication? (Choose two.)
perform decryption and inspection of SSL/TLS traffic
perform analysis of the NetFlow data to detect anomalous TLS/SSL flows
29
While viewing packet capture data, an analyst sees that one IP is sending and receiving traffic for multiple devices by modifying the IP header. Which technology makes this behavior possible?
NAT
30
When communicating via TLS, the client initiates the handshake to the server and the server responds back with its certificate for identification. Which information is available on the server certificate?
server name, trusted CA, and public key
31
A security engineer has a video of a suspect entering a data center that was captured on the same day that files in the same data center were transferred to a competitor. Which type of evidence is this?
indirect evidence
32
Which two elements of the incident response process are stated in NIST Special Publication 800-61 r2? (Choose two.)
detection and analysis
post-incident activity
33
Which utility blocks a host portscan?
host-based firewall
34
Which event is user interaction?
opening a malicious file
35
An intruder attempted malicious activity and exchanged emails with a user and received corporate information, including email distribution lists. The intruder asked the user to engage with a link in an email. When the link launched, it infected machines and the intruder was able to access the corporate network. Which testing method did the intruder use?
social engineering
36
Refer to the exhibit. What information is depicted? Top 10 Src AP addr ordered by flows: Date first seen duration src ip addr Flows Packets Bytes pps bps bpp
NetFlow data
37
Which type of evidence supports a theory or an assumption that results from initial evidence?
corroborative
38
When you are researching a Windows operating system vulnerability (such as CVE-2016-7211), which organization can provide detailed information about the specific vulnerability?
National Institute of Standards and Technology (NIST)
39
Which property of a cryptographic hash algorithm is desirable?
collision resistance
40
Which two elements are assets in the role of attribution in an investigation? (Choose two.)
context
threat actor
41
Which regular expression matches "color" and "colour"?
colou?r
42
A user received a malicious attachment but did not run it. Which category classifies the intrusion?
delivery
43
Which process is used when IPS events are removed to improve data integrity?
data normalization
44
An investigator is examining a copy of an ISO file that is stored in CDFS format. What type of evidence is this file?
data from a CD copied using Linux system
45
Which piece of information is needed for attribution in an investigation?
known threat actor behavior
46
Refer to the exhibit. In which Linux log file is this output found? shows an authentication failure
/var/log/auth.log
47
What is the difference between the ACK flag and the RST flag in the NetFlow log session?
The ACK flag confirms the receipt of the prior segment, and the RST flag allows for the spontaneous termination of a connection
48
Which type of data typically consists of connection level, application-specific records generated from network traffic?
transaction data
49
What are three key components of a threat-centric SOC? (Choose three.)
people
processes
technologies
50
An analyst is investigating an incident in a SOC environment. Which method is used to identify a session from a group of logs?
5-tuple
51
Refer to the exhibit. Which type of log is displayed? Date Flow Start Duration Proto Src Ip Addr Port Dst IP addr port packets bytes flows
NetFlow
52
What should a security analyst consider when comparing inline traffic interrogation with traffic tapping to determine which approach to use in the network?
Tapping interrogation replicates signals to a separate port for analyzing traffic
53
Which two components reduce the attack surface on an endpoint? (Choose two.)
secure boot
restricting USB ports
54
An analyst discovers that a legitimate security alert has been dismissed. Which signature caused this impact on network traffic?
false negative
55
Which event artifact is used to identify HTTP GET requests for a specific file?
URI
56
Which security principle requires that more than one person perform a critical task?
separation of duties
57
What are two differences in how tampered and untampered disk images affect a security incident? (Choose two.)
Untampered images are used in the security investigation process
The image is untampered if the stored hash and the computed hash match
58
What makes HTTPS traffic difficult to monitor?
encryption
59
An analyst is investigating a host in the network that appears to be communicating to a command and control server on the Internet. After collecting this packet capture the analyst cannot determine the technique and payload used for the communication. Seeing a lot of TLSv1.2 stuff Which obfuscation technique is the attacker using?
transport layer security encryption
60
What best describes the Security Operations Center (SOC)?
A SOC is related to the people, processes, and technologies that are involved in providing situational awareness through the detection, containment, and remediation of information security threats.
61
Which term represents a potential danger that could take advantage of a weakness in a system?
threat
62
Which artifact is used to uniquely identify a detected file?
file hash
63
How does an attacker observe network traffic exchanged between two users?
man-in-the-middle
64
Refer to the exhibit. Which event is occurring? $ cuckoo submit --machine cuckoo1 /path/to/binary
A binary is being submitted to run on VM cuckoo1
Explanation: https://cuckoo.readthedocs.io/en/latest/usage/submit/
65
What is a benefit of agent-based protection when compared to agentless protection?
It provides a centralized platform
66
Which principle is being followed when an analyst gathers information relevant to a security incident to determine the appropriate course of action?
decision making
67
An engineer runs a suspicious file in a sandbox analysis tool to see the outcome. The analysis report shows that outbound callouts were made post infection. Which two pieces of information from the analysis report are needed to investigate the callouts? (Choose two.)
host IP addresses
domain names
68
An analyst is exploring the functionality of different operating systems. What is a feature of Windows Management Instrumentation that must be considered when deciding on an operating system?
has a Common Information Model, which describes installed hardware and software
69
One of the objectives of information security is to protect the CIA of information and systems. What does CIA mean in this context?
confidentiality, integrity, and availability
70
What is rule-based detection when compared to statistical detection?
proof of a user's action
71
What is personally identifiable information that must be safeguarded from unauthorized access?
driver's license number
72
How does an SSL certificate impact security between the client and the server?
by creating an encrypted channel between the client and the server
73
Which type of exploit normally requires the culprit to have prior access to the target system?
local exploit
74
Which identifier is used to describe the application or process that submitted a log message?
facility
75
Which type of data consists of connection level, application-specific records generated from network traffic?
transaction data
76
At which layer is deep packet inspection investigated on a firewall?
application
77
Which open-sourced packet capture tool uses Linux and Mac OS X operating systems?
tcpdump
78
An organization has recently adjusted its security stance in response to online threats made by a known hacktivist group. What is the initial event called in the NIST SP800-61?
precursor
79
What is an attack surface as compared to a vulnerability?
the sum of all paths for data into and out of the application
80
What is a difference between SOAR and SIEM?
SOAR platforms are used for threat and vulnerability management, but SIEM applications are not
81
Refer to the exhibit. Which application protocol is in this PCAP file? shows source/destination IPs, protocol (TCP) then source and destination port 443
HTTP
Explanation: TCP is not an application layer protocol. HTTP is, and the port used is 443 (HTTPS).
82
Refer to the exhibit. What is the expected result when the "Allow subdissector to reassemble TCP streams" feature is enabled?
unfragment TCP
83
What is a difference between inline traffic interrogation and traffic mirroring?
Inline inspection acts on the original traffic data flow
Explanation: Inline traffic interrogation analyzes traffic in real time and has the ability to prevent certain traffic from being forwarded. Traffic mirroring does not pass the live traffic; instead it copies traffic from one or more source ports and sends the copied traffic to one or more destinations for analysis by a network analyzer or other monitoring device.
84
During which phase of the forensic process is data that is related to a specific event labeled and recorded to preserve its integrity?
collection
85
Which NIST IR category stakeholder is responsible for coordinating incident response among various business units, minimizing damage, and reporting to regulatory agencies?
management
86
An engineer receives a security alert that traffic with a known TOR exit node has occurred on the network. What is the impact of this traffic?
user circumvention of the firewall
87
Which of the following access control models use security labels to make access decisions?
Mandatory access control (MAC)
88
What is the main advantage of using a mandatory access control (MAC) model instead of a discretionary access control (DAC) model?
MAC is more secure because the operating system ensures security policy compliance.
89
How is attacking a vulnerability categorized?
exploitation
90
A system administrator is ensuring that specific registry information is accurate. Which type of configuration information does the HKEY_LOCAL_MACHINE hive contain?
hardware, software, and security settings for the system
91
Which step in the incident response process researches an attacking host through logs in a SIEM?
detection and analysis
92
What is the difference between a threat and a risk?
Threat represents a potential danger that could take advantage of a weakness in a system
93
Which signature impacts network traffic by causing legitimate traffic to be blocked?
false positive
94
What is ransomware?
A type of malware that compromises a system and then often demands a ransom from the victim to pay the attacker in order for the malicious activity to cease or for the malware to be removed from the affected system
95
What two are examples of UDP-based attacks? (Choose two.)
SQL slammer
UDP flooding
96
What causes events on a Windows system to show Event Code 4625 in the log messages?
Someone is trying a brute force attack on the network
97
Which evasion technique is indicated when an intrusion detection system begins receiving an abnormally high volume of scanning from numerous sources?
resource exhaustion
98
Refer to the exhibit. What does the message indicate? 10.44.101.23 - - {20Nov/2017:14:18:06 -0500 "GET / HTTP/1.1" 200 1254 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0"
a successful access attempt was made to retrieve the root of the website
99
What are two social engineering techniques? (Choose two.)
phishing
pharming
100
Refer to the exhibit. What does the output indicate about the server with the IP address 172.18.104.139? Not shown : 996 closed ports then shows ports 22/25/110/143
open ports of an email server
101
Refer to the exhibit. This request was sent to a web application server driven by a database. GET /item.php?id=34' or sleep (10)
blind SQL injection
102
What is the difference between mandatory access control (MAC) and discretionary access control (DAC)?
MAC is the strictest of all levels of control and DAC is object-based access
103
A SOC analyst is investigating an incident that involves a Linux system that is identifying specific sessions. Which identifier tracks an active program?
process identification number
104
A malicious file has been identified in a sandbox analysis tool. Which piece of information is needed to search for additional downloads of this file by other hosts?
file hash value
105
Which attack method intercepts traffic on a switched network?
ARP cache poisoning In computer networking, ARP spoofing, ARP cache poisoning, or ARP poison routing, is a technique by which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network. Generally, the aim is to associate the attacker's MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead.
106
Which two elements are used for profiling a network? (Choose two.)
session duration
total throughput

A network profile should include some important elements, such as the following:
- Total throughput - the amount of data passing from a given source to a given destination in a given period of time
- Session duration - the time between the establishment of a data flow and its termination
- Ports used - a list of TCP or UDP processes that are available to accept data
- Critical asset address space - the IP addresses or the logical location of essential systems or data
107
What does an attacker use to determine which network ports are listening on a potential target device?
port scanning
108
What type of spoofing attack uses fake source IP addresses that are different than their real IP addresses?
IP spoofing
109
What is a purpose of a vulnerability management framework?
identifies, removes, and mitigates system vulnerabilities
110
Refer to the exhibit. Which kind of attack method is depicted in this string?
cross-site scripting
111
Refer to the exhibit. Which packet contains a file that is extractable within Wireshark? No. time source destination protocol length info 2542 http/1.1 200 OK (GIF89a)
2542
112
How does certificate authority impact a security system?
It validates domain identity of a SSL certificate
113
How is NetFlow different than traffic mirroring?
NetFlow collects metadata and traffic mirroring clones data
114
What is the practice of giving employees only those permissions necessary to perform their specific role within an organization?
least privilege
115
Which type of data collection requires the largest amount of storage space?
full packet capture
116
Which HTTP header field is used in forensics to identify the type of browser used?
user-agent
117
Refer to the exhibit. What is the potential threat identified in this Stealthwatch dashboard?
Host 10.201.3.149 is receiving almost 19 times more data than is being sent to host 152.46.6.91.
118
A security engineer deploys an enterprise-wide host/endpoint technology for all of the company's corporate PCs. Management requests the engineer to block a selected set of applications on all PCs. Which technology should be used to accomplish this task?
application whitelisting/blacklisting
119
What is the virtual address space for a Windows process?
set of virtual memory addresses that can be used
120
Refer to the exhibit. What does the message indicate?
a successful access attempt was made to retrieve the root of the website
121
Which access control model does SELinux use?
MAC
122
Which two compliance frameworks require that data be encrypted when it is transmitted over a public network? (Choose two.)
PCI
HIPAA
123
Which IETF standard technology is useful to detect and analyze a potential security incident by recording session flows that occurs between hosts?
IPFIX
124
What do the Security Intelligence Events within the FMC allow an administrator to do?
See if a host is connecting to a known-bad domain.
125
The target web application server is running as the root user and is vulnerable to command injection. Which result of a successful attack is true?
cross-site scripting request forgery
126
A network engineer discovers that a foreign government hacked one of the defense contractors in their home country and stole intellectual property. What is the threat agent in this situation?
the foreign government that conducted the attack
127
What is the practice of giving an employee access to only the resources needed to accomplish their job?
principle of least privilege
128
Which metric is used to capture the level of access needed to launch a successful attack?
privileges required
129
What is the difference between an attack vector and attack surface?
An attack surface recognizes which network parts are vulnerable to an attack; and an attack vector identifies which attacks are possible with these vulnerabilities.

Explanation: The attack surface of a software environment is the sum of the different points (for "attack vectors") where an unauthorized user (the "attacker") can try to enter data to or extract data from an environment. Keeping the attack surface as small as possible is a basic security measure. https://en.wikipedia.org/wiki/Attack_surface

In computer security, an attack vector is a specific path, method, or scenario that can be exploited to break into an IT system, thus compromising its security. The term was derived from the corresponding notion of vector in biology. An attack vector may be exploited manually, automatically, or through a combination of manual and automatic activity. https://en.wikipedia.org/wiki/Attack_vector
130
Which metric in CVSS indicates an attack that takes a destination bank account number and replaces it with a different bank account number?
integrity
131
A security specialist notices 100 HTTP GET and POST requests for multiple pages on the web servers. The agent in the requests contains PHP code that, if executed, creates and writes to a new PHP file on the webserver. Which event category is described?
installation
132
What specific type of analysis is assigning values to the scenario to see expected outcomes?
deterministic
133
When trying to evade IDS/IPS devices, which mechanism allows the user to make the data incomprehensible without a specific key, certificate, or password?
fragmentation
134
Why is encryption challenging to security monitoring?
Encryption is used by threat actors as a method of evasion and obfuscation.
135
What is an example of social engineering attacks?
receiving an email from human resources requesting a visit to their secure website to update contact information
136
Refer to the exhibit. What is occurring in this network? interface: 192.168.1.28 --- 0x11 internet address physical address Type 192.168.1.10 aa-aa-aa-aa-aa-aa dynamic 192.168.1.67 aa-aa-aa-aa-aa-aa dynamic 192.168.1.1 bb-bb-bb-bb-bb static
ARP cache poisoning
137
Which data format is the most efficient to build a baseline of traffic seen over an extended period of time?
NetFlow
138
Which action prevents buffer overflow attacks?
input sanitization
139
Which type of attack occurs when an attacker is successful in eavesdropping on a conversation between two IP phones?
man-in-the-middle
140
Refer to the exhibit. What should be interpreted from this packet capture?
IP address 192.168.122.100/50272/ 81.179.179.69/80/6 is sending a packet from port 50272 of IP address 192.168.122.100 that is going to port 80 of IP address 81.179.179.69 using IP protocol 6.
141
What are the two characteristics of the full packet captures? (Choose two.)
Reassembling fragmented traffic from raw data.
Providing a historical record of a network transaction.
142
Refer to the exhibit. An engineer is analyzing this Cuckoo Sandbox report for a PDF file that has been downloaded from an email. What is the state of this file?
The file has an embedded Windows 32 executable and the Yara field lists suspicious features for further analysis.
143
Refer to the exhibit. What is occurring in this network traffic?
flood of SYN packets coming from a single source IP to a single destination IP
144
A security expert is working on a copy of the evidence, an ISO file that is saved in CDFS format. Which type of evidence is this file?
CD data copy prepared in Linux system
145
Which incidence response step includes identifying all hosts affected by an attack?
containment, eradication, and recovery
146
Which event artifact is used to identify HTTP GET requests for a specific file?
URI
147
An analyst received an alert on their desktop computer showing that an attack was successful on the host. After investigating, the analyst discovered that no mitigation action occurred during the attack. What is the reason for this discrepancy?
The computer has a HIDS installed on it.
148
What does cyber attribution identify in an investigation?
threat actors of an attack
149
Which system monitors local system operation and local network access for violations of a security policy?
host-based intrusion detection
150
Which action should be taken if the system is overwhelmed with alerts when false positives and false negatives are compared?
Modify the settings of the intrusion detection system.
151
What is the impact of false positive alerts on business compared to true positive?
False positive alerts are blocked by mistake as potential attacks affecting application availability.
152
An engineer needs to fetch logs from a proxy server and generate actual events according to the data received. Which technology should the engineer use to accomplish this task?
Web Security Appliance
153
Refer to the exhibit. Which technology generates this log? deny tcp src outside
firewall
154
Which filter allows an engineer to filter traffic in Wireshark to further analyze the PCAP file by only showing the traffic for LAN 10.11.x.x, between workstations and servers without the Internet?
ip.src==10.11.0.0/16 and ip.dst==10.11.0.0/16
155
Which tool provides a full packet capture from network traffic?
Wireshark
156
A company is using several network applications that require high availability and responsiveness, such that milliseconds of latency on network traffic is not acceptable. An engineer needs to analyze the network and identify ways to improve traffic movement to minimize delays. Which information must the engineer obtain for this analysis?
running processes on the applications and their total network usage
157
Refer to the exhibit. What is depicted in the exhibit? root@:~#cat access-logs/access
UNIX-based syslog
158
Which technology should be used to implement a solution that makes routing decisions based on HTTP header, uniform resource identifier, and SSL session ID attributes?
IIS
159
An organization has recently adjusted its security stance in response to online threats made by a known hacktivist group. What is the initial event called in the NIST SP800-61?
precursor
160
Which NIST IR category stakeholder is responsible for coordinating incident response among various business units, minimizing damage, and reporting to regulatory agencies?
management
161
Which incidence response step includes identifying all hosts affected by an attack?
containment, eradication, and recovery
162
Drag and drop the type of evidence from the left onto the description of that evidence on the right. log that shows a command and control check-in from verified malware
direct evidence
163
Drag and drop the type of evidence from the left onto the description of that evidence on the right. Firewall log showing successful communication and threat intelligence stating an IP is known to host malware
Indirect evidence
164
Drag and drop the type of evidence from the left onto the description of that evidence on the right. NetFlow-based spike in DNS Traffic
Corroborative evidence
165
Which category relates to improper use or disclosure of PII data?
regulated
166
Which type of evidence supports a theory or an assumption that results from initial evidence?
corroborative
167
Which two elements are assets in the role of attribution in an investigation? (Choose two.)
context
threat actor
168
Which two elements of the incident response process are stated in NIST Special Publication 800-61 r2? (Choose two.)
detection and analysis
post-incident activity
169
Refer to the exhibit. What does this output indicate? shows ports 21, 22, 23, 85, 80, 110, 443 closed
Email ports are closed on the server.
170
Which metric should be used when evaluating the effectiveness and scope of a Security Operations Center?
The average time the SOC takes to detect and resolve the incident.
171
A developer is working on a project using a Linux tool that enables writing processes to obtain these required results:
- If the process is unsuccessful, a negative value is returned.
- If the process is successful, a value of 0 is returned to the child process, and the process ID is sent to the parent process.
Which component results from this operation?
new process created by parent process
172
An engineer discovered a breach, identified the threat's entry point, and removed access. The engineer was able to identify the host, the IP address of the threat actor, and the application the threat actor targeted. What is the next step the engineer should take according to the NIST SP 800-61 Incident handling guide?
Reduce the probability of similar threats.
173
Refer to the exhibit. What is shown in this PCAP file? Get followed by gibberish
The HTTP GET is encoded.
174
What is a difference between tampered and untampered disk images?
Untampered images are used for forensic investigations.
175
Drag and drop the definition from the left onto the phase on the right to classify intrusion events according to the Cyber Kill Chain model. The targeted environment is taken advantage of triggering the threat actors code
exploitation
176
Drag and drop the definition from the left onto the phase on the right to classify intrusion events according to the Cyber Kill Chain model. Backdoor is placed on the victim system allowing the threat actor to maintain the persistence
Installation
177
Drag and drop the definition from the left onto the phase on the right to classify intrusion events according to the Cyber Kill Chain model. An outbound connection is established to an Internet-based controller server
command and control
178
Drag and drop the definition from the left onto the phase on the right to classify intrusion events according to the Cyber Kill Chain model. the threat actor takes actions to violate integrity and availability
Actions and Objectives
179
Drag and drop the elements from the left into the correct order for incident handling on the right.
Preparation
Detection and analysis
Containment, eradication, and recovery
Post-incident analysis
180
The SOC team has confirmed a potential indicator of compromise on an endpoint. The team has narrowed the executable file's type to a new trojan family. According to the NIST Computer Security Incident Handling Guide, what is the next step in handling this event?
Prioritize incident handling based on the impact.
181
Which technology on a host is used to isolate a running application from other applications?
sandbox
182
An analyst received a ticket regarding a degraded processing capability for one of the HR department's servers. On the same day, an engineer noticed a disabled antivirus software and was not able to determine when or why it occurred. According to the NIST Incident Handling Guide, what is the next phase of this investigation?
Detection
183
Which data type is necessary to get information about source/destination ports?
connectivity data
184
Refer to the exhibit. Which type of attack is being executed? SELECT * FROM people WHERE username = "OR '1'='1';
SQL injection
185
Which attack represents the evasion technique of resource exhaustion?
denial-of-service
186
A threat actor penetrated an organization's network. Using the 5-tuple approach, which data points should the analyst use to isolate the compromised host in a grouped set of logs?
protocol, source IP, source port, destination IP, and destination port
187
Which event is a vishing attack?
impersonating a tech support agent during a phone call
188
What is indicated by an increase in IPv4 traffic carrying protocol 41?
attempts to tunnel IPv6 traffic through an IPv4 network
189
What is the impact of false positive alerts on business compared to true positive?
False-positive alerts are detected by confusion as potential attacks, while true positives are attack attempts identified appropriately.
190
An organization's security team has detected network spikes coming from the internal network. An investigation has concluded that the spike in traffic was from intensive network scanning. How should the analyst collect the traffic to isolate the suspicious host?
based on the protocols used
191
What is an incident response plan?
an organizational approach to disaster recovery and timely restoration of operational services
192
An engineer is addressing a connectivity issue between two servers where the remote server is unable to establish a successful session. Initial checks show that the remote server is not receiving a SYN-ACK while establishing a session by sending the first SYN. What is causing this issue?
incorrect TCP handshake
193
A security incident occurred with the potential of impacting business services. Who performs the attack?
threat actor
194
Refer to the exhibit. An analyst received this alert from the Cisco ASA device, and numerous activity logs were produced. Aug 24 2020 03:02:37: %ASA-4-106023: Deny tcp src outside:209306532003228/51585 dst inside:192.168.150.7/22 by access-group "OUTSIDE" {0x5063b82f, 0x0}
best
195
What is vulnerability management?
A process to identify and remediate existing weaknesses.
196
A user received an email attachment named "Hr405-report2609-empl094.exe" but did not run it. Which category of the cyber kill chain should be assigned to this type of event?
delivery
197
An engineer needs to configure network systems to detect command and control communications by decrypting ingress and egress perimeter traffic and allowing network security devices to detect malicious outbound communications. Which technology should be used to accomplish the task?
digital certificates
Explanation: You must use a Root certificate, also referred to as a Certificate Authority (CA) Signing certificate, for HTTPS decryption on the WSA. Digital certificates: the traffic needs to be decrypted for further analysis. This technology is used in a proxy/WSA.
198
What is a difference between data obtained from Tap and SPAN ports?
Tap mirrors existing traffic from specified ports, while SPAN presents more structured data for deeper analysis.
199
Which metric in CVSS indicates an attack that takes a destination bank account number and replaces it with a different bank account number?
integrity
200
Refer to the exhibit. What is occurring within the exhibit? pure mumbo-jumbo
cross-site scripting attack
201
Refer to the exhibit. Which component is identifiable in this exhibit? HKEY_LOCAL_MACHINE
Windows Registry hive
202
An engineer received an alert affecting the degraded performance of a critical server. Analysis showed a heavy CPU and memory load. What is the next step the engineer should take to investigate this resource usage?
Run "ps -ef" to understand which processes are taking a high amount of resources.
203
What is a difference between an inline and a tap mode traffic monitoring?
Inline monitors traffic without examining other devices, while a tap mode tags traffic and examines the data from monitoring devices.
204
Which regular expression is needed to capture the IP address 192.168.20.232?
^(?:[0-9]{1,3}\.){3}[0-9]{1,3}
205
How does a certificate authority impact security?
It validates the domain identity of the SSL certificate.
A certificate authority is a computer or entity that creates and issues digital certificates. A CA does not "authenticate"; it validates. "D" is wrong because the digital certificate validates a user. CA --> DC --> user, server or whatever.
206
What is a difference between SIEM and SOAR?
SIEM's primary function is to collect and detect anomalies, while SOAR is more focused on security operations automation and response.
207
Drag and drop the event term from the left onto the description on the right. Malicious traffic is identified and an alert is generated
True positive
208
Drag and drop the event term from the left onto the description on the right. Benign traffic incorrectly generates an alert
false positive
209
Drag and drop the event term from the left onto the description on the right. benign traffic does not generate an alert
True negative
210
Drag and drop the event term from the left onto the description on the right. Malicious traffic does not generate an alert
false negative
211
Drag and drop the definition from the left onto the phase on the right to classify intrusion events according to the Cyber Kill Chain model. Threat actor engages in identification and selection of targets
reconnaissance
212
Drag and drop the definition from the left onto the phase on the right to classify intrusion events according to the Cyber Kill Chain model. An exploit is coupled with a remote access Trojan
weaponization
213
Drag and drop the definition from the left onto the phase on the right to classify intrusion events according to the Cyber Kill Chain model. The weapon is transferred to the target
delivery
214
What is a difference between signature-based and behavior-based detection?
Behavior-based identifies behaviors that may be linked to attacks, while signature-based has a predefined set of rules to match before an alert.
215
Refer to the exhibit. An engineer received an event log file to review. Which technology generated the log? a bunch of allowed tcp and udp traffic
firewall
216
What is the difference between inline traffic interrogation and traffic mirroring?
Inline interrogation is less complex as traffic mirroring applies additional tags to data.
217
Refer to the exhibit. A company employee is connecting to mail.google.com from an endpoint device. The website is loaded but with an error. What is occurring? The CA root cert is not trusted. To enable trust, install this cert in the trusted root cert authorities store.
Certificate is not in trusted roots.
218
An analyst is using the SIEM platform and must extract a custom property from a Cisco device and capture the phrase, "File: Clean." Which regex must the analyst import?
^File: Clean$
219
What describes the concept of data consistently and readily being accessible for legitimate users?
availability
220
Refer to the exhibit. Which frame numbers contain a file that is extractable via TCP stream within Wireshark? some frames have: FTP Data: (PASSV) (RETR ResumableTransfer.png)
14, 16, 18, and 19
221
Refer to the exhibit. Which stakeholders must be involved when a company workstation is compromised?
Anything that sounds techy; anything that isn't, isn't.
Head of Managed Cyber Security Services
System Admin
Security Center Analyst
Head of Network & Security Infrastructure Services
222
How does an attack surface differ from an attack vector?
An attack vector matches components that can be exploited, and an attack surface classifies the potential path for exploitation
223
A security analyst notices a sudden surge of incoming traffic and detects unknown packets from unknown senders. After further investigation, the analyst learns that customers claim that they cannot access company servers. According to NIST SP800-61, in which phase of the incident response process is the analyst?
containment, eradication, and recovery
224
Which vulnerability type is used to read, write, or erase information from a database?
SQL injection
225
An automotive company provides new types of engines and special brakes for rally sports cars. The company has a database of inventions and patents for their engines and technical information. Customers can access the database through the company's website after they register and identify themselves. Which type of protected data is accessed by customers?
PII data
226
According to the September 2020 threat intelligence feeds, a new malware called Egregor was introduced and used in many attacks. Distribution of Egregor is primarily through a Cobalt Strike that has been installed on victims' workstations using RDP exploits. The malware exfiltrates the victim's data to a command and control server. The data is used to force victims to pay or lose it by publicly releasing it. Which type of attack is described?
ransomware attack
227
Syslog collecting software is installed on the server. For the log containment, a disk with a FAT type partition is used. An engineer determined that log files are being corrupted when the 4 GB file size is exceeded. Which action resolves the issue?
Use NTFS partition for log file containment
228
What are two categories of DDoS attacks? (Choose two.)
reflected
direct
229
What is an advantage of symmetric over asymmetric encryption?
It is suited for transmitting large amounts of data.
230
What are two denial-of-service (DoS) attacks? (Choose two)
SYN flood
teardrop
Explanation: A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic, or sending it information that triggers a crash. In both instances, the DoS attack deprives legitimate users (i.e. employees, members, or account holders) of the service or resource they expected. Denial of Service attacks can take many forms. The most important ones are: SYN flood, UDP flood, ICMP flood, Land attack, and Teardrop attack. SYN flood: SYN flood attacks send requests to connect to a server but don't complete the handshake. The end result is that the network becomes inundated with connection requests that prevent anyone from connecting to the network.
231
What is the difference between a threat and an exploit?
A threat is a potential attack on an asset and an exploit takes advantage of the vulnerability of the asset
232
How does TOR alter data content during transit?
It encrypts content and destination information over multiple layers.
233
Drag and drop the security concept from the left onto the example of that concept on the right. Anything that can exploit a weakness that was not mitigated
threat
234
Drag and drop the security concept from the left onto the example of that concept on the right. A gap in security or software that can be utilized by threats
vulnerability
235
Drag and drop the security concept from the left onto the example of that concept on the right. possibility for loss and damage of an asset or information
risk
236
Drag and drop the security concept from the left onto the example of that concept on the right. taking advantage of a software flaw to compromise a resource
exploit
237
What is a collection of compromised machines that attackers use to carry out a DDoS attack?
botnet
238
Which type of access control depends on the job function of the user?
role-based access control
239
The security team has detected an ongoing spam campaign targeting the organization. The team's approach is to push back the cyber kill chain and mitigate ongoing incidents. At which phase of the cyber kill chain should the security team mitigate this type of attack?
delivery
240
What describes the defense-in-depth principle?
categorizing critical assets within the organization
241
Refer to the exhibit. A workstation downloads a malicious docx file from the Internet and a copy is sent to FTDv. The FTDv sends the file hash to FMC and the file event is recorded. What would have occurred with stronger data visibility?
Malicious traffic would have been blocked on multiple devices
242
What is the impact of encryption?
Confidentiality of the data is kept secure and permissions are validated
243
An engineer is analyzing a recent breach where confidential documents were altered and stolen by the receptionist. Further analysis shows that the threat actor connected an external USB device to bypass security restrictions and steal data. The engineer could not find an external USB device. Which piece of information must an engineer use for attribution in an investigation?
list of security restrictions and privileges boundaries bypassed
244
Refer to the exhibit. During the analysis of a suspicious scanning activity incident, an analyst discovered multiple local TCP connection events. Which technology provided these logs? Error Message$ASA-6-302013: Built (inbound|outbound) TCP connection_id for interface
firewall
245
Refer to the exhibit. An analyst was given a PCAP file, which is associated with a recent intrusion event in the company FTP server. Which display filters should the analyst use to filter the FTP traffic?
tcp.port==21
246
Refer to the exhibit. A network administrator is investigating suspicious network activity by analyzing captured traffic. An engineer notices abnormal behavior and discovers that the default user agent is present in the headers of requests and data being transmitted. What is occurring?
indicators of data exfiltration
HTTP requests must be plain text
247
A company encountered a breach on its web servers using IIS 7.5. During the investigation, an engineer discovered that an attacker read and altered the data on a secure communication using TLS 1.2 and intercepted sensitive information by downgrading a connection to export-grade cryptography. The engineer must mitigate similar incidents in the future and ensure that clients and servers always negotiate with the most secure protocol versions and cryptographic parameters. Which action does the engineer recommend?
Install the latest IIS version.
248
What is the difference between discretionary access control (DAC) and role-based access control (RBAC)?
DAC requires explicit authorization for a given user on a given object, and RBAC requires specific conditions.
249
Which technology prevents end-device to end-device IP traceability?
NAT/PAT
250
What are the two differences between stateful and deep packet inspection? (Choose two)
Deep packet inspection operates on Layer 3 and 4, and stateful inspection operates on Layer 3 of the OSI model
Stateful inspection is capable of packet data inspections, and deep packet inspection is not
251
Which type of verification consists of using tools to compute the message digest of the original and copied data, then comparing the similarity of the digests?
data integrity
252
What is the difference between inline traffic interrogation (TAPS) and traffic mirroring (SPAN)?
TAPS interrogation is more complex because traffic mirroring applies additional tags to data and SPAN does not alter integrity and provides full duplex network.
253
Which information must an organization use to understand the threats currently targeting the organization?
threat intelligence
254
What is threat hunting?
Managing a vulnerability assessment report to mitigate potential threats.
255
An engineer is working with the compliance teams to identify the data passing through the network. During analysis, the engineer informs the compliance team that external perimeter data flows contain records, writings, and artwork. Internal segregated network flows contain the customer choices by gender, addresses, and product preferences by age. The engineer must identify protected data. Which two types of data must be identified? (Choose two.)
PII
PHI
256
What describes the impact of false-positive alerts compared to false-negative alerts?
A false positive is an event alerting for a brute-force attack. An engineer investigates the alert and discovers that a legitimate user entered the wrong credential several times. A false negative is when a threat actor tries to brute-force attack a system and no alert is raised.
257
Refer to the exhibit. An engineer received a ticket about a slowed-down web application. The engineer runs the #netstat -an command. How must the engineer interpret the results? shows a bunch of TIME_WAIT messages
The web application server is under a denial-of-service attack.
258
When an event is investigated, which type of data provides the investigative capability to determine if data exfiltration has occurred?
full packet capture
259
What is the difference between deep packet inspection and stateful inspection?
Stateful inspection verifies data at the transport layer and deep packet inspection verifies data at the application layer
260
What is obtained using NetFlow?
session data
261
How does statistical detection differ from rule-based detection?
Statistical detection defines legitimate data over time, and rule-based detection works on a predefined set of rules
262
Refer to the exhibit. What must be interpreted from this packet capture? 192.168.88.12 → 192.168.88.149 TCP 74 49098 → 80
IP address 192.168.88.12 is communicating with 192.168.88.149 with a source port 49098 to destination port 80 using TCP protocol.
263
What is a benefit of using asymmetric cryptography?
fast data transfer
264
An organization is cooperating with several third-party companies. Data exchange is on an unsecured channel using port 80. Internal employees use the FTP service to upload and download sensitive data. An engineer must ensure confidentiality while preserving the integrity of the communication. Which technology must the engineer implement in this scenario?
X.509 certificates
265
A security engineer notices confidential data being exfiltrated to a domain "Ranso4134-mware31-895" address that is attributed to a known advanced persistent threat group. The engineer discovers that the activity is part of a real attack and not a network misconfiguration. Which category does this event fall under as defined in the Cyber Kill Chain?
weaponization
266
How does agentless monitoring differ from agent-based monitoring?
Agent-based monitoring is less intrusive in gathering log data, while agentless requires open ports to fetch the logs
267
Which of these describes SOC metrics in relation to security incidents?
time it takes to detect the incident
268
What is the difference between the ACK flag and the RST flag?
The ACK flag confirms the received segment, and the RST flag terminates the connection.
269
Refer to the exhibit. An engineer is analyzing a PCAP file after a recent breach. An engineer identified that the attacker used an aggressive ARP scan to scan the hosts and found web and SSH servers. Further analysis showed several SSH Server Banner and Key Exchange Initiations. The engineer cannot see the exact data being transmitted over an encrypted channel and cannot identify how the attacker gained access. How did the attacker gain access?
by using brute force on the SSH service to gain access
270
Refer to the exhibit. Which field contains DNS header information if the payload is a query or a response? {QR} is the first column,
QR
271
Refer to the exhibit. What is occurring? under DNS queries, subset, then a name
DNS tunneling
272
What is the difference between vulnerability and risk?
A vulnerability represents a flaw in security that can be exploited, and the risk is the potential damage it might cause.
273
An engineer received a flood of phishing emails from HR with the source address HRjacobm@company.com. What is the threat actor in this scenario?
sender
274
Refer to the exhibit. A security analyst is investigating unusual activity from an unknown IP address. Which type of evidence is this file? just a bunch of invalid user password entries
indirect evidence
275
Drag and drop the data source from the left onto the data type on the right. session data
netflow
276
Drag and drop the data source from the left onto the data type on the right. Alert data
IPS
277
Drag and drop the data source from the left onto the data type on the right. Full packet capture
Wireshark
278
Drag and drop the data source from the left onto the data type on the right. Transaction data
server log
279
A user received a targeted spear-phishing email and identified it as suspicious before opening the content. To which category of the Cyber Kill Chain model does this type of event belong?
delivery
280
According to the NIST SP 800-86, which two types of data are considered volatile? (Choose two.)
login sessions
free space
281
Refer to the exhibit. An engineer is reviewing a Cuckoo report of a file. What must the engineer interpret from the report? shows something highlighted in the SHA512 field, too blurry to read
The file will not execute its behavior in a sandbox environment to avoid detection.
282
What is the difference between deep packet inspection and stateful inspection?
Deep packet inspection allows visibility on Layer 7, and stateful inspection allows visibility on Layer 4.
283
What should an engineer use to aid the trusted exchange of public keys between user tom0411976943 and dan1968754032?
trusted certificate authorities
284
Which tool gives the ability to see session data in real time?
tcptrace
285
What is a description of a social engineering attack?
email offering last-minute deals on various vacations around the world with a due date and a counter
286
What describes a buffer overflow attack?
overloading a predefined amount of memory
287
Which are two denial-of-service attacks? (Choose two.)
ping of death
UDP flooding
288
Refer to the exhibit. Where is the executable file? by mime is application/x-dosexec
MIME
289
Why is HTTPS traffic difficult to screen?
The communication is encrypted and the data in transit is secured.
290
Refer to the exhibit. An employee received an email from an unknown sender with an attachment and reported it as a phishing attempt. An engineer uploaded the file to Cuckoo for further analysis. What should an engineer interpret from the provided Cuckoo report?
Cuckoo cleaned the malicious file and prepared it for usage.
291
Which two elements of the incident response process are stated in NIST SP 800-61 r2? (Choose two.)
detection and analysis
post-incident activity
292
Which security model assumes an attacker within and outside of the network and enforces strict verification before connecting to any system or resource within the organization?
Zero Trust
293
An employee received an email from a colleague's address asking for the password for the domain controller. The employee noticed a missing letter within the sender's address. What does this incident describe?
social engineering
294
What is the difference between indicator of attack (IoA) and indicators of compromise (IoC)?
IoC is the evidence that a security breach has occurred, and IoA allows organizations to act before the vulnerability can be exploited.
295
Refer to the exhibit. An attacker scanned the server using Nmap. What did the attacker obtain from this scan?
Port State Service
21/tcp filtered ftp
22/tcp ssh
23/tcp telnet
24/tcp priv-mail
25/tcp smtp
80/tcp http
Gathered information on processes running on the server
296
An engineer must compare NIST vs ISO frameworks. The engineer needed to compare them as readable documentation and also to watch a comparison video review. Using Windows 10 OS, the engineer started a browser and searched for a NIST document and then opened a new tab in the same browser and searched for an ISO document for comparison. The engineer tried to watch the video, but there was an audio problem with the OS, so the engineer had to troubleshoot it. At first the engineer started CMD and looked for a driver path, then looked for a corresponding registry in the registry editor. The engineer enabled "Audiosrv" in task manager and put it on auto start, and the problem was solved. Which two components of the OS did the engineer touch? (Choose two.)
permissions
service
297
During which phase of the forensic process are tools and techniques used to extract information from the collected data?
collection
298
Which attack is the network vulnerable to when a stream cipher like RC4 is used twice with the same key?
ciphertext-only attack