Pg13 Flashcards

(16 cards)

1
Q

Which of the following statements best describes the MITRE ATT&CK framework?

A. It provides a comprehensive method to test the security of applications.
B. It provides threat intelligence sharing and development of action and mitigation strategies.
C. It helps identify and stop enemy activity by highlighting the areas where an attacker functions.
D. It tracks and understands threats and is an open-source project that evolves.
E. It breaks down intrusions into a clearly defined sequence of phases.

A

It provides threat intelligence sharing and development of action and mitigation strategies.

2
Q

A Chief Information Security Officer (CISO) is concerned that a specific threat actor who is known to target the company’s business type may be able to breach the network and remain inside of it for an extended period of time. Which of the following techniques should be performed to meet the CISO’s goals?

A. Vulnerability scanning
B. Adversary emulation
C. Passive discovery
D. Bug bounty

A

Adversary emulation

3
Q

During an incident, some IoCs of possible ransomware contamination were found in a group of servers in a segment of the network. Which of the following steps should be taken next?

A. Isolation
B. Remediation
C. Reimaging
D. Preservation

A

Isolation

4
Q

An MSSP received several alerts from customer 1, which caused a missed incident response deadline for customer 2. Which of the following best describes the document that was violated?

A. KPI
B. SLO
C. SLA
D. MOU

A

SLA

5
Q

Which of the following is a reason proper handling and reporting of existing evidence are important for the investigation and reporting phases of an incident response?

A. To ensure the report is legally acceptable in case it needs to be presented in court
B. To present a lessons-learned analysis for the incident response team
C. To ensure the evidence can be used in a postmortem analysis
D. To prevent the possible loss of a data source for further root cause analysis

A

To ensure the report is legally acceptable in case it needs to be presented in court

6
Q

An attacker has just gained access to the syslog server on a LAN. Reviewing the syslog entries has allowed the attacker to prioritize possible next targets. Which of the following is this an example of?

A. Passive network footprinting
B. OS fingerprinting
C. Service port identification
D. Application versioning

A

Passive network footprinting

7
Q

A security analyst observed the following activities in chronological order:

  1. Protocol violation alerts on external firewall
  2. Unauthorized internal scanning activity
  3. Changes in outbound network performance

Which of the following best describes the goal of the threat actor?

A. Data exfiltration
B. Unusual traffic spikes
C. Rogue devices
D. Irregular peer-to-peer communication

A

Data exfiltration

8
Q

After reviewing the final report for a penetration test, a cybersecurity analyst prioritizes the remediation for input validation vulnerabilities. Which of the following attacks is the analyst seeking to prevent?

A. DNS poisoning
B. Pharming
C. Phishing
D. Cross-site scripting

A

Cross-site scripting

9
Q

During a security test, a security analyst found a critical application with a buffer overflow vulnerability. Which of the following would be best to mitigate the vulnerability at the application level?

A. Perform OS hardening.
B. Implement input validation.
C. Update third-party dependencies.
D. Configure address space layout randomization.

A

Implement input validation.

10
Q

The SOC received a threat intelligence notification indicating that an employee’s credentials were found on the dark web. The user’s web and log-in activities were reviewed for malicious or anomalous connections, data uploads/downloads, and exploits. A review of the controls confirmed multifactor authentication was enabled. Which of the following should be done first to mitigate impact to the business networks and assets?

A. Perform a forced password reset.
B. Communicate the compromised credentials to the user.
C. Perform an ad hoc AV scan on the user’s laptop.
D. Review and ensure privileges assigned to the user’s account reflect least privilege.
E. Lower the thresholds for SOC alerting of suspected malicious activity.

A

Perform a forced password reset.

11
Q

A security analyst is working on a server patch management policy that will allow the infrastructure team to be informed more quickly about new patches. Which of the following would most likely be required by the infrastructure team so that vulnerabilities can be remediated quickly? (Choose two.)

A. Hostname
B. Missing KPI
C. CVE details
D. POC availability
E. IoCs
F. npm identifier

A

Hostname
CVE details

12
Q

A Chief Information Security Officer (CISO) wants to disable a functionality on a business-critical web application that is vulnerable to RCE in order to maintain the minimum risk level with minimal increased cost. Which of the following risk treatments best describes what the CISO is looking for?

A. Transfer
B. Mitigate
C. Accept
D. Avoid

A

Mitigate

13
Q

A company has a primary control in place to restrict access to a sensitive database. However, the company discovered an authentication vulnerability that could bypass this control. Which of the following is the best compensating control?

A. Running regular penetration tests to identify and address new vulnerabilities.
B. Conducting regular security awareness training of employees to prevent social engineering attacks.
C. Deploying an additional layer of access controls to verify authorized individuals.
D. Implementing intrusion detection software to alert security teams of unauthorized access attempts.

A

Deploying an additional layer of access controls to verify authorized individuals.

14
Q

An analyst discovers unusual outbound connections to an IP that was previously blocked at the web proxy and firewall. Upon further investigation, it appears that the proxy and firewall rules that were in place were removed by a service account that is not recognized. Which of the following parts of the Cyber Kill Chain does this describe?

A. Delivery
B. Command and control
C. Reconnaissance
D. Weaponization

A

Command and control

15
Q

A SOC analyst is analyzing traffic on a network and notices an unauthorized scan. Which of the following types of activities is being observed?

A. Potential precursor to an attack
B. Unauthorized peer-to-peer communication
C. Rogue device on the network
D. System updates

A

Potential precursor to an attack
