Pg19 Flashcards

(18 cards)

1
Q

A WAF weekly report shows that a daily spike occurs from the same subnet. An open-source review indicates the IP addresses belong to a legitimate internet service provider but have been flagged for DDoS attacks and reconnaissance scanning in the past year. Which of the following actions should a SOC analyst take first in response to these traffic uptick activities?

A. Recommend a firewall rule implementation to deny all traffic from the IP subnet.
B. Continue monitoring because the traffic spike did not cause any security notifications or concerns.
C. Review the network logs to identify the context of traffic and what action was taken.
D. Check the resource consumption levels to determine whether the uptick is due to a device performance issue.

A

Review the network logs to identify the context of traffic and what action was taken.

2
Q

In the last hour, a high volume of failed RDP authentication attempts has been logged on a critical server. All of the authentication attempts originated from the same remote IP address and made use of a single valid domain user account. Which of the following mitigating controls would be most effective to reduce the rate of success of this brute-force attack? (Choose two.)

A. Increase the granularity of log-on event auditing on all devices.
B. Enable host firewall rules to block all outbound traffic to TCP port 3389.
C. Configure user account lockout after a limited number of failed attempts.
D. Implement a firewall block for the IP address of the remote system.
E. Install a third-party remote access tool and disable RDP on all devices.
F. Block inbound to TCP port 3389 from untrusted remote IP addresses at the perimeter firewall.

A

Configure user account lockout after a limited number of failed attempts.

Block inbound to TCP port 3389 from untrusted remote IP addresses at the perimeter firewall.

3
Q

A Chief Information Security Officer (CISO) has decided the cost to protect an asset is greater than the cost of losing the asset. Which of the following risk management principles is the CISO following?

A. Accept
B. Avoid
C. Transfer
D. Mitigate

A

Accept

4
Q

After an upgrade to a new EDR, a security analyst received reports that several endpoints were not communicating with the SaaS provider to receive critical threat signatures. To comply with the incident response playbook, the security analyst was required to validate connectivity to ensure communications. The security analyst ran a command that provided the following:

ComputerName: comptia007

RemotePort: 443

InterfaceAlias: Ethernet 3

TcpTestSucceeded: False

Which of the following did the analyst use to ensure connectivity?

A. nmap
B. tnc
C. ping
D. tracert

A

tnc

5
Q

A company was able to reduce triage time by focusing on historical trend analysis. The business partnered with the security team to achieve a 50% reduction in phishing attempts year over year. Which of the following action plans led to this reduced triage time?

A. Patching
B. Configuration management
C. Awareness, education, and training
D. Threat modeling

A

Awareness, education, and training

6
Q

Several incidents have occurred with a legacy web application that has had little development work completed. Which of the following is the most likely cause of the incidents?

A. Misconfigured web application firewall
B. Data integrity failure
C. Outdated libraries
D. Insufficient logging

A

Outdated libraries

7
Q

An incident response team is assessing attack vectors of malware that is encrypting data with ransomware. There are no indications of a network-based intrusion. Which of the following is the most likely root cause of the incident?

A. USB drop
B. LFI
C. Cross-site forgery
D. SQL injection

A

USB drop

8
Q

Which of the following best explains the importance of the implementation of a secure software development life cycle in a company with an internal development team?

A. Increases the product price by using the implementation as a piece of marketing
B. Decreases the risks of the software usage and complies with regulatory requirements
C. Improves the agile process and decreases the amount of tests before the final deployment
D. Transfers the responsibility for security flaws to the vulnerability management team

A

Decreases the risks of the software usage and complies with regulatory requirements

9
Q

A security analyst needs to block vulnerable ports and disable legacy protocols. The analyst has ensured NetBIOS trio, Telnet, SMB, and TFTP are blocked and/or disabled. Which of the following additional protocols should the analyst block next?

A. LDAPS v3
B. SNMP v1
C. TLS 1.3
D. Kerberos v5

A

SNMP v1

10
Q

A company is launching a new application in its internal network, where internal customers can communicate with the service desk. The security team needs to ensure the application will be able to handle unexpected strings with anomalous formats without crashing. Which of the following processes is the most applicable for testing the application to find how it would behave in such a situation?

A. Fuzzing
B. Coding review
C. Debugging
D. Static analysis

A

Fuzzing

11
Q

A SOC analyst observes reconnaissance activity from an IP address. The activity follows a pattern of short bursts toward a low number of targets. An open-source review shows that the IP has a bad reputation. The perimeter firewall logs indicate the inbound traffic was allowed. The destination hosts are high-value assets with EDR agents installed. Which of the following is the best action for the SOC to take to protect against any further activity from the source IP?

A. Add the IP address to the EDR deny list.
B. Create a SIEM signature to trigger on any activity from the source IP subnet detected by the web proxy or firewalls for immediate notification.
C. Implement a prevention policy for the IP on the WAF.
D. Activate the scan signatures for the IP on the NGFWs.

A

Create a SIEM signature to trigger on any activity from the source IP subnet detected by the web proxy or firewalls for immediate notification.

12
Q

A company’s internet-facing web application has been compromised several times due to identified design flaws. The company would like to minimize the risk of these incidents recurring and has provided the developers with better security training. However, the company cannot allocate any more internal resources to the issue. Which of the following are the best options to help identify flaws within the system? (Choose two.)

A. Deploying a WAF
B. Performing a forensic analysis
C. Contracting a penetration test
D. Holding a tabletop exercise
E. Creating a bug bounty program
F. Implementing threat modeling

A

Contracting a penetration test
Creating a bug bounty program

13
Q

A SOC team lead occasionally collects some DNS information for investigations. The team lead assigns this task to a new junior analyst. Which of the following is the best way to relay the process information to the junior analyst?

A. Ask another team member to demonstrate their process.
B. Email a link to a website that shows someone demonstrating a similar process.
C. Let the junior analyst research and develop a process.
D. Write a step-by-step document on the team wiki outlining the process.

A

Write a step-by-step document on the team wiki outlining the process.

14
Q

Which of the following choices is most likely to cause obstacles in vulnerability remediation?

A. Not meeting an SLA
B. Patch prioritization
C. Organizational governance
D. Proprietary systems

A

Proprietary systems

15
Q

A security analyst needs to identify services in a small, critical infrastructure ICS network. Many components in the network are likely to break if they receive malformed or unusually large requests. Which of the following is the safest method to use when identifying service versions?

A. Use nmap -sV to identify all assets on the network.
B. Use Burp Suite to conduct service identification.
C. Use nc to manually perform banner grabbing.
D. Use Nessus with restricted concurrent connections.

A

Use Nessus with restricted concurrent connections.

16
Q

A web application has a function to retrieve content from an internal URL to identify CSRF attacks in the logs. The security analyst is building a regular expression that will filter out the correctly formatted requests. The target URL is https://10.1.2.3/api, and the receiving API only accepts GET requests and uses a single integer argument named “id.” Which of the following regular expressions should the analyst use to achieve the objective?

A. ^(?!https://10.1.2.3/api\?id=[0-9]+)
B. ^https://10.1.2.3/api\?id=\d+
C. (?:^https://10.1.2.3/api\?id=[0-9]+)
D. ^https://10.1.2.3/api\?id=[0-9]+$

A

^https://10.1.2.3/api\?id=[0-9]+$

17
Q

A security analyst needs to identify which computer to mitigate based on the following requirements:

  • The attack method is network based with low complexity.
  • No privileges or user action is needed.
  • The confidentiality and availability level is high with a low integrity level.

Given the following CVSS 3.1 output:

Computer1
CVSS3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H

Computer2
CVSS3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H

Computer3
CVSS3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H

Computer4
CVSS3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H

Which of the following machines should the analyst mitigate?

A. Computer1
B. Computer2
C. Computer3
D. Computer4

18
Q

An analyst would like to start automatically ingesting IoCs into the EDR tool. Which of the following sources would be the most cost effective for the analyst to use?

A. Government bulletins
B. Social media
C. Dark web
D. Blogs

A

Government bulletins