Pg16 Flashcards
(20 cards)
A new SOC manager reviewed findings regarding the strengths and weaknesses of the last tabletop exercise in order to make improvements. Which of the following should the SOC manager utilize to improve the process?
A. The most recent audit report
B. The incident response playbook
C. The incident response plan
D. The lessons-learned register
The lessons-learned register
Following an attack, an analyst needs to provide a summary of the event to the Chief Information Security Officer. The summary needs to include the who-what-when information and evaluate the effectiveness of the plans in place. Which of the following incident management life cycle processes does this describe?
A. Business continuity plan
B. Lessons learned
C. Forensic analysis
D. Incident response plan
Lessons learned
Which of the following most accurately describes the Cyber Kill Chain methodology?
A. It is used to correlate events to ascertain the TTPs of an attacker.
B. It is used to ascertain lateral movements of an attacker, enabling the process to be stopped.
C. It provides a clear model of how an attacker generally operates during an intrusion and the actions to take at each stage.
D. It outlines a clear path for determining the relationships between the attacker, the technology used, and the target.
It provides a clear model of how an attacker generally operates during an intrusion and the actions to take at each stage.
After a recent vulnerability report for a server is presented, a business must decide whether to secure the company’s web-based storefront or shut it down. The developer is not able to fix the zero-day vulnerability because a patch does not exist yet. Which of the following is the best option for the business?
A. Limit the API request for new transactions until a patch exists.
B. Take the storefront offline until a patch exists.
C. Identify the degrading functionality.
D. Put a WAF in front of the storefront.
Put a WAF in front of the storefront.
During a tabletop exercise, engineers discovered that an ICS could not be updated due to hardware versioning incompatibility. Which of the following is the most likely cause of this issue?
A. Legacy system
B. Business process interruption
C. Degrading functionality
D. Configuration management
Legacy system
Which of the following is the best reason to implement an MOU?
A. To create a business process for configuration management
B. To allow internal departments to understand security responsibilities
C. To allow an expectation process to be defined for legacy systems
D. To ensure that all metrics on service levels are properly reported
To allow internal departments to understand security responsibilities
Which of the following documents sets requirements and metrics for a third-party response during an event?
A. BIA
B. DRP
C. SLA
D. MOU
SLA
A SOC analyst wants to improve the proactive detection of malicious emails before they are delivered to the destination inbox. Which of the following is the best approach the SOC analyst can recommend?
A. Install UEBA software on the network.
B. Validate and quarantine emails with invalid DKIM and SPF headers.
C. Implement an EDR system on each endpoint.
D. Deploy a DLP platform to block unauthorized and suspicious content.
Validate and quarantine emails with invalid DKIM and SPF headers.
Which of the following is a benefit of the Diamond Model of Intrusion Analysis?
A. It provides analytical pivoting and identifies knowledge gaps.
B. It guarantees that the discovered vulnerability will not be exploited again in the future.
C. It provides concise evidence that can be used in court.
D. It allows for proactive detection and analysis of attack events.
It provides analytical pivoting and identifies knowledge gaps.
An incident responder was able to recover a binary file through the network traffic. The binary file was also found in some machines with anomalous behavior. Which of the following processes most likely can be performed to understand the purpose of the binary file?
A. File debugging
B. Traffic analysis
C. Reverse engineering
D. Machine isolation
Reverse engineering
A manufacturing company’s assembly line machinery only functions on an end-of-life OS. Consequently, no patches exist for several highly exploitable OS vulnerabilities. Which of the following is the best mitigating control to reduce the risk of these current conditions?
A. Enforce strict network segmentation to isolate vulnerable systems from the production network.
B. Increase the system resources for vulnerable devices to prevent denial of service.
C. Perform penetration testing to verify the exploitability of these vulnerabilities.
D. Develop in-house patches to address these vulnerabilities.
Enforce strict network segmentation to isolate vulnerable systems from the production network.
Which of the following will most likely cause severe issues with authentication and logging?
A. Virtualization
B. Multifactor authentication
C. Federation
D. Time synchronization
Time synchronization
Several critical bugs were identified during a vulnerability scan. The SLA risk requirement is that all critical vulnerabilities should be patched within 24 hours. After sending a notification to the asset owners, the patch cannot be deployed due to planned, routine system upgrades. Which of the following is the best method to remediate the bugs?
A. Reschedule the upgrade and deploy the patch.
B. Request an exception to exclude the patch from installation.
C. Update the risk register and request a change to the SLA.
D. Notify the incident response team and rerun the vulnerability scan.
Reschedule the upgrade and deploy the patch.
A company is in the middle of an incident, and customer data has been breached. Which of the following should the company contact first?
A. Media
B. Public relations
C. Law enforcement
D. Legal
Legal
A list of IoCs released by a government security organization contains the SHA-256 hash for a Microsoft-signed legitimate binary, svchost.exe. Which of the following best describes the result if security teams add this indicator to their detection signatures?
A. This indicator would fire on the majority of Windows devices.
B. Malicious files with a matching hash would be detected.
C. Security teams would detect rogue svchost.exe processes in their environment.
D. Security teams would detect event entries detailing execution of known-malicious svchost.exe processes.
This indicator would fire on the majority of Windows devices.
A Chief Information Security Officer wants to lock down the users’ ability to change applications that are installed on their Windows systems. Which of the following is the best enterprise-level solution?
A. HIPS
B. GPO
C. Registry
D. DLP
GPO
An employee received a phishing email that contained malware targeting the company. Which of the following is the best way for a security analyst to get more details about the malware and avoid disclosing information?
A. Upload the malware to the VirusTotal website.
B. Share the malware with the EDR provider.
C. Hire an external consultant to perform the analysis.
D. Use a local sandbox in a microsegmented environment.
Use a local sandbox in a microsegmented environment.
A Chief Finance Officer receives an email from someone who is possibly impersonating the company’s Chief Executive Officer and requesting a financial operation. Which of the following should an analyst use to verify whether the email is an impersonation attempt?
A. PKI
B. MFA
C. SMTP
D. DKIM
DKIM
An analyst is investigating a phishing incident and has retrieved the following as part of the investigation:
cmd.exe /c c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -EncodedCommand
Which of the following should the analyst use to gather more information about the purpose of this command?
A. Echo the command payload content into 'base64 -d'.
B. Execute the command from a Windows VM.
C. Use a command console with administrator privileges to execute the code.
D. Run the command as an unprivileged user from the analyst workstation.
Echo the command payload content into 'base64 -d'.
An organization’s threat intelligence team notes a recent trend in adversary privilege escalation procedures. Multiple threat groups have been observed utilizing native Windows tools to bypass system controls and execute commands with privileged credentials. Which of the following controls would be most effective to reduce the rate of success of such attempts?
A. Disable administrative accounts for any operations.
B. Implement MFA requirements for all internal resources.
C. Harden systems by disabling or removing unnecessary services.
D. Implement controls to block execution of untrusted applications.
Harden systems by disabling or removing unnecessary services.