Pg12 Flashcards
(19 cards)
An incident response analyst is investigating the root cause of a recent malware outbreak. Initial binary analysis indicates that this malware disables host security services and performs cleanup routines on its infected hosts, including deletion of initial dropper and removal of event log entries and prefetch files from the host. Which of the following data sources would most likely reveal evidence of the root cause? (Choose two.)
A. Creation time of dropper
B. Registry artifacts
C. EDR data
D. Prefetch files
E. File system metadata
F. Sysmon event log
Registry artifacts
File system metadata
When undertaking a cloud migration of multiple SaaS applications, an organization’s systems administrators struggled with the complexity of extending identity and access management to cloud-based assets. Which of the following service models would have reduced the complexity of this project?
A. CASB
B. SASE
C. ZTNA
D. SWG
CASB
A security analyst is responding to an incident that involves a malicious attack on a network data closet. Which of the following best explains how the analyst should properly document the incident?
A. Back up the configuration file for all network devices.
B. Record and validate each connection.
C. Create a full diagram of the network infrastructure.
D. Take photos of the impacted items.
Take photos of the impacted items.
A cybersecurity analyst is participating with the DLP project team to classify the organization’s data. Which of the following is the primary purpose for classifying data?
A. To identify regulatory compliance requirements
B. To facilitate the creation of DLP rules
C. To prioritize IT expenses
D. To establish the value of data to the organization
To establish the value of data to the organization
A security analyst observed the following activity from a privileged account:
- Accessing emails and sensitive information
- Audit logs being modified
- Abnormal log-in times
Which of the following best describes the observed activity?
A. Irregular peer-to-peer communication
B. Unauthorized privileges
C. Rogue devices on the network
D. Insider attack
Insider attack
A vulnerability management team found four major vulnerabilities during an assessment and needs to provide a report for the proper prioritization for further mitigation. Which of the following vulnerabilities should have the highest priority for the mitigation process?
A. A vulnerability that has related threats and IoCs, targeting a different industry
B. A vulnerability that is related to a specific adversary campaign, with IoCs found in the SIEM
C. A vulnerability that has no adversaries using it or associated IoCs
D. A vulnerability that is related to an isolated system, with no IoCs
A vulnerability that is related to a specific adversary campaign, with IoCs found in the SIEM
A security analyst has identified a new malware file that has impacted the organization. The malware is polymorphic and has built-in conditional triggers that require a connection to the internet. The CPU has an idle process of at least 70%. Which of the following best describes how the security analyst can effectively review the malware without compromising the organization’s network?
A. Utilize an RDP session on an unused workstation to evaluate the malware.
B. Disconnect and utilize an existing infected asset off the network.
C. Create a virtual host for testing on the security analyst workstation.
D. Subscribe to an online service to create a sandbox environment.
Subscribe to an online service to create a sandbox environment.
Which of the following threat-modeling procedures is in the OWASP Web Security Testing Guide?
A. Review of security requirements
B. Compliance checks
C. Decomposing the application
D. Security by design
Decomposing the application
Which of the following would an organization use to develop a business continuity plan?
A. A diagram of all systems and interdependent applications
B. A repository for all the software used by the organization
C. A prioritized list of critical systems defined by executive leadership
D. A configuration management database in print at an off-site location
A prioritized list of critical systems defined by executive leadership
The management team requests monthly KPI reports on the company’s cybersecurity program. Which of the following KPIs would identify how long a security threat goes unnoticed in the environment?
A. Employee turnover
B. Intrusion attempts
C. Mean time to detect
D. Level of preparedness
Mean time to detect
Which of the following best describes the key elements of a successful information security program?
A. Business impact analysis, asset and change management, and security communication plan
B. Security policy implementation, assignment of roles and responsibilities, and information asset classification
C. Disaster recovery and business continuity planning, and the definition of access control requirements and human resource policies
D. Senior management organizational structure, message distribution standards, and procedures for the operation of security management systems
Security policy implementation, assignment of roles and responsibilities, and information asset classification
A systems administrator notices unfamiliar directory names on a production server. The administrator reviews the directory listings and files, and then concludes the server has been compromised. Which of the following steps should the administrator take next?
A. Inform the internal incident response team.
B. Follow the company’s incident response plan.
C. Review the lessons learned for the best approach.
D. Determine when the access started.
Follow the company’s incident response plan.
Which of the following is a nation-state actor least likely to be concerned with?
A. Detection by MITRE ATT&CK framework.
B. Detection or prevention of reconnaissance activities.
C. Examination of its actions and objectives.
D. Forensic analysis for legal action of the actions taken.
Forensic analysis for legal action of the actions taken.
Which of the following is a commonly used four-component framework to communicate threat actor behavior?
A. STRIDE
B. Diamond Model of Intrusion Analysis
C. Cyber Kill Chain
D. MITRE ATT&CK
Diamond Model of Intrusion Analysis
An employee downloads a freeware program to change the desktop to the classic look of legacy Windows. Shortly after the employee installs the program, a high volume of random DNS queries begins to originate from the system. An investigation on the system reveals the following:
Add-MpPreference -ExclusionPath '%Program Files%\ksyconfig'
Which of the following is possibly occurring?
A. Persistence
B. Privilege escalation
C. Credential harvesting
D. Defense evasion
Defense evasion
An organization discovered a data breach that resulted in PII being released to the public. During the lessons learned review, the panel identified discrepancies regarding who was responsible for external reporting, as well as the timing requirements. Which of the following actions would best address the reporting issue?
A. Creating a playbook denoting specific SLAs and containment actions per incident type
B. Researching federal laws, regulatory compliance requirements, and organizational policies to document specific reporting SLAs
C. Defining which security incidents require external notifications and incident reporting in addition to internal stakeholders
D. Designating specific roles and responsibilities within the security team and stakeholders to streamline tasks
Researching federal laws, regulatory compliance requirements, and organizational policies to document specific reporting SLAs
During an incident, a security analyst discovers a large amount of PII has been emailed externally from an employee to a public email address. The analyst finds that the external email is the employee’s personal email. Which of the following should the analyst recommend be done first?
A. Place a legal hold on the employee’s mailbox.
B. Enable filtering on the web proxy.
C. Disable the public email access with CASB.
D. Configure a deny rule on the firewall.
Disable the public email access with CASB.
Which of the following can be used to learn more about TTPs used by cybercriminals?
A. ZenMAP
B. MITRE ATT&CK
C. National Institute of Standards and Technology
D. theHarvester
MITRE ATT&CK