Security Operations

Question 1

Which type of threat intelligence source is most likely available without a subscription

Answer 1

Open source.

Question 2

What term best describes the intelligence source that uses tools like Cisco Talos to automatically look up information about the past activity of IP addresses sending emails?

Answer 2

Reputation data.

Question 3

What cloud tier best describes AWS Lambda, a serverless computing service that allows developers to write and execute functions directly on the cloud platform?

Answer 3

Function-as-a-Service (FaaS).

function-as-a-service (FaaS) computing. A service like Lambda
could also be described as platform-as-a-service (PaaS), because FaaS is a subset of
PaaS. However, the term FaaS is the one that best describes this service.

Question 4

What is the user attempting to do with the command:
./john -wordfile:/home/user12/mylist.txt -format:lm hash.txt?

Answer Choices:
A. They are attempting to hash a file.
B. They are attempting to crack hashed passwords.
C. They are attempting to crack encrypted passwords.
D. They are attempting a pass-the-hash attack.

Answer 4

B. They are attempting to crack hashed passwords.

Explanation:
The command uses John the Ripper, a password-cracking tool, along with a wordlist (mylist.txt) and a file containing password hashes (hash.txt) in LAN Manager (LM) format. This setup is designed to reverse the hashing process and discover plaintext passwords, indicating a password-cracking attempt.

Question 5

What is Geoff’s best option to secure network appliances that have exposed services such as Telnet, FTP, and web servers?

Answer Choices:
A. Enable host firewalls.
B. Install patches for those services.
C. Turn off the services for each appliance.
D. Place a network firewall between the devices and the rest of the network.

Answer 5

D. Place a network firewall between the devices and the rest of the network.

Explanation:
Placing a network firewall between the devices and the rest of the network allows control over access to the exposed services. This approach is particularly effective if disabling services on the appliances is not feasible due to operational requirements. A network firewall can filter traffic, limit exposure, and mitigate risks associated with vulnerable or unnecessary services while maintaining device functionality.

This ensures security without directly modifying the configuration of the appliances.

Question 6

What issue should Ian report to management upon discovering that multiple certificates in his organization are self-signed?

Answer Choices:
A. Self-signed certificates do not provide secure encryption for site visitors.
B. Self-signed certificates can be revoked only by the original creator.
C. Self-signed certificates will cause warnings or error messages.
D. None of the above.

Answer 6

C. Self-signed certificates will cause warnings or error messages.

Explanation:
Self-signed certificates are not inherently insecure in terms of encryption but are not trusted by default because they lack validation from a trusted Certificate Authority (CA). This leads to warnings or error messages for users, reducing trust and potentially indicating a misconfigured or insecure system. Reporting this issue highlights the need for proper certificates issued by trusted CAs to maintain security and usability.

Question 7

TCP port 636 is often used for?

Answer 7

LDAP

Question 8

What does the network flow entry most likely show if the destination IP address (10.2.2.3) is not a system on Cynthia’s network?

A. A web browsing session
B. Data exfiltration
C. Data infiltration
D. A vulnerability scan

Answer 8

Data exfiltration

Explanation:
The network flow indicates a large amount of data transfer (9.1 GB sent from the internal system 10.1.1.1 to an external IP 10.2.2.3). This volume and direction of traffic strongly suggest data exfiltration, where sensitive data is being transferred out of the organization to an unknown or unauthorized destination. Since 10.2.2.3 is not recognized as a valid system on the network, it likely represents a threat actor’s system collecting stolen data.

Question 9

During a regularly scheduled PCI compliance scan, Fred discovers that port 3389 is open on one of the point-of-sale terminals he manages. What service should he expect to find enabled on the system?

Answer Choices:
A. MySQL
B. RDP
C. TOR
D. Jabber

Answer 9

B. RDP

Explanation:
Port 3389 is the default port for Remote Desktop Protocol (RDP), which is used for remote access to Windows-based systems. If this port is open on a point-of-sale terminal, it suggests that remote desktop access is enabled on the system, which may pose a security risk. This should be addressed immediately to prevent unauthorized remote access.

A. MySQL typically uses port 3306.
C. TOR typically operates on random or dynamic ports.
D. Jabber typically uses port 5222 for XMPP-based communication.

Question 10

Saanvi discovers services running on ports 8080 and 8443 as part of her intelligence-gathering process. What services are most likely running on these ports?

A. Botnet C&C
B. Nginx
C. Microsoft SQL Server instances
D. Web servers

Answer 10

D. Web servers

Explanation:
Ports 8080 and 8443 are commonly used by web servers:

Port 8080 is often used as an alternative HTTP port, typically for web servers or proxy servers running on non-standard ports.
Port 8443 is frequently used for HTTPS traffic, especially for web servers offering secure connections over HTTP (HTTPS) on a non-default port.

While services like Nginx (B) could use these ports, they are more associated with web server traffic in general, so D. Web servers is the best choice.

A. Botnet C&C and C. Microsoft SQL Server instances typically use other ports (such as port 1433 for Microsoft SQL Server).

Question 11

Angela wants to gather network traffic from systems on her network. What tool can she use to best achieve this goal?

A. Nmap
B. Wireshark
C. Sharkbait
D. Dradis

Answer 11

B. Wireshark

Explanation:
Wireshark is a powerful network protocol analyzer that allows users to capture and inspect network traffic in real-time. It provides detailed information about the data packets traveling across the network, making it the best tool for gathering network traffic.

A. Nmap is primarily a network scanning tool used for discovering hosts and services on a network but not for capturing traffic.

C. Sharkbait is not a widely recognized or relevant tool for network traffic capture.

D. Dradis is a collaboration and reporting tool used for penetration testing and vulnerability assessments, not for capturing network traffic.

Question 12

Wang submits a suspected malware file to malwr.com and receives information about its behavior. What type of tool is malwr.com?

A. A reverse-engineering tool
B. A static analysis sandbox
C. A dynamic analysis sandbox
D. A decompiler sandbox

Answer 12

C. A dynamic analysis sandbox

Explanation:

Malwr.com is an online malware analysis service that performs dynamic analysis. This means it executes the suspected file in a controlled environment (a sandbox) to observe its behavior in real-time. The service reports on actions such as file creation, registry changes, network connections, and other activities, which help identify malicious behavior.

A. A reverse-engineering tool typically focuses on disassembling and analyzing the code, but doesn’t observe live behavior.

B. A static analysis sandbox analyzes the file without executing it, usually examining the file’s structure and code.

D. A decompiler sandbox is used to transform compiled code back into higher-level code, which isn’t the primary function of malwr.com.

Question 13

Sarah has been asked to assess the technical impact of suspected reconnaissance performed against her organization. She is informed that a reliable source has discovered that a third party has been performing reconnaissance by querying WHOIS data. How should Sarah categorize the technical impact of this type of reconnaissance?

A. High.
B. Medium.
C. Low.
D. She cannot determine this from the information given.

Answer 13

C. Low.

Explanation:
Querying WHOIS data is a common method used for gathering public information about domain names and IP addresses. This type of reconnaissance typically involves looking up details such as domain ownership, registration details, and contact information. While it can provide useful intelligence to attackers, the information obtained from WHOIS queries is generally publicly available and does not directly expose critical vulnerabilities or weaknesses in the network or systems. Therefore, the technical impact of this type of reconnaissance is typically considered low.

However, it can still be part of a larger reconnaissance effort, but on its own, it doesn’t pose an immediate or high technical threat.

Question 14

The flow logs show ICMP Echo request (ping) packets sent from a source IP (10.1.1.1) to a range of destination IPs (10.2.2.6 to 10.2.2.11), with ICMP replies received in return. This indicates that the system is performing a?

A. A port scan
B. A failed three-way handshake
C. A ping sweep
D. A traceroute

Answer 14

C. A ping sweep

where the device is sending ICMP requests to multiple hosts to check their availability and get responses.

A. A port scan would involve scanning specific ports (not ICMP Echo requests).

B. A failed three-way handshake would involve TCP traffic, not ICMP.

D. A traceroute would involve ICMP packets with time-to-live (TTL) expiration, but this log shows simple ping requests and responses rather than TTL-based probes.

Question 15

A tarpit, or a system that looks vulnerable but is actually intended to slow down attackers, is an example of what type of technique?

A. A passive defense
B. A sticky defense
C. An active defense
D. A reaction-based defense

Answer 15

C. An active defense

Explanation:
A tarpit is an example of an active defense technique. It deliberately slows down or traps attackers, making it harder for them to achieve their goals by engaging with them in a way that consumes their resources (such as time and bandwidth). It doesn’t passively observe or simply block attacks; it actively engages with the attacker by making them believe they are making progress, thus slowing their efforts.

A. A passive defense typically involves methods like monitoring or detection without direct interaction with the attacker.

B. A sticky defense is not a standard term in cybersecurity defense strategies.

D. A reaction-based defense refers to defensive measures taken in response to an event or attack, such as activating a response mechanism. However, a tarpit is preemptively designed to delay or trap attackers.

Question 16

Susan needs to test thousands of submitted binaries. She needs to ensure that the applications do not contain malicious code. What technique is best suited to this need?

A. Sandboxing
B. Implementing a honeypot
C. Decompiling and analyzing the application code
D. Fagan testing

Answer 16

A. Sandboxing

Explanation:
Sandboxing is the best technique for testing applications in a controlled environment. It allows you to run the binaries in isolation from the rest of the system, observing their behavior without the risk of them affecting the underlying host. This method is ideal for ensuring that the applications do not contain malicious code because it allows for both static and dynamic analysis while preventing any harmful actions from affecting the actual network or system.

B. Implementing a honeypot is used to attract and study attackers, not to test submitted binaries.

C. Decompiling and analyzing the application code can be useful for static analysis, but it’s not the best method when dealing with thousands of binaries, as it can be very time-consuming.

D. Fagan testing refers to a formal code review methodology, typically used for checking software quality, but it is not designed for identifying malicious code in binaries.

Question 17

During his analysis of a malware sample, Sahib reviews the malware files and binaries without running them. What type of analysis is this?

A. Automated analysis
B. Dynamic analysis
C. Static analysis
D. Heuristic analysis

Answer 17

C. Static analysis

Static analysis involves examining the malware code or binaries without executing them. This can include techniques like disassembling or decompiling the code to inspect its structure, behavior, and any embedded malicious payloads. In this case, Sahib is reviewing the files without running them, which is the definition of static analysis.

A. Automated analysis refers to the use of automated tools to analyze malware, but the key aspect here is the method (reviewing without execution), not automation.

B. Dynamic analysis involves running the malware in a controlled environment to observe its behavior, such as system modifications or network communication.

D. Heuristic analysis involves looking for patterns or behaviors that are typical of known malware but doesn’t specifically refer to the method of analyzing the binaries.

Question 18

Susan is reviewing files on a Windows workstation and believes that cmd.exe has been replaced with a malware package. Which of the following is the best way to validate her theory?

A. Submit cmd.exe to VirusTotal.

B. Compare the hash of cmd.exe to a known good version.

C. Check the file using the National Software Reference Library.

D. Run cmd.exe to make sure its behavior is normal.

Answer 18

A. Submit cmd.exe to VirusTotal.

Explanation:
Submitting the file to a tool like VirusTotal is Susan’s best option because it can quickly scan the file for known malware signatures and virus-like behaviors. This approach not only identifies whether the file has been altered but also checks for any malicious code embedded in it.

B. Compare the hash of cmd.exe to a known good version will indicate whether the file matches an unaltered version but won’t detect unknown or newly modified malware.

C. Check the file using the National Software Reference Library can help verify the file’s authenticity but does not provide insight into whether the file is malicious.

D. Run cmd.exe to make sure its behavior is normal is unsafe and could further compromise the system if the file is indeed malicious.

Question 19

Bobbi is deploying a single system to manage a sensitive industrial control process. The system will operate independently without any network connections. What security strategy is being deployed?

A. Network segmentation
B. VLAN isolation
C. Airgapping
D. Logical isolation

Answer 19

C. Airgapping

Explanation:
Airgapping is a security strategy where a system is completely isolated from any external or internal networks, including the internet. This ensures maximum security by preventing any potential network-based attacks. Unlike network segmentation or VLAN isolation, which still allow some level of communication, airgapping involves full physical disconnection.

Question 20

Ian needs to deploy a secure wireless network alongside a public wireless network in his organization without adding additional costs and complexity. What type of segmentation should he implement?

Answer Choices:
A. SSID segmentation
B. Logical segmentation
C. Physical segmentation
D. WPA segmentation

Answer 20

Correct Answer:
B. Logical segmentation

Explanation:
Logical segmentation involves using the same physical access points to create separate networks by logically isolating them. This approach minimizes costs and complexity compared to physical segmentation, which would require additional access points. By logically segmenting the networks, Ian can meet the needs of both secure and public wireless networks without the conflicts or costs associated with physical segmentation. SSID and WPA segmentation are not valid segmentation techniques in this context

Question 20

Barbara has segmented her virtualized servers using VMware to ensure that the networks remain secure and isolated. What type of attack could defeat her security design?

A. VLAN hopping
B. 802.1q trunking vulnerabilities
C. Compromise of the underlying VMware host
D. BGP route spoofing

Answer 20

Correct Answer:
C. Compromise of the underlying VMware host

Explanation:
The security of virtualized environments like VMware depends heavily on the underlying host. If an attacker compromises the VMware host, they could potentially gain access to all the virtualized servers and bypass the network segmentation. While VLAN hopping and 802.1q trunking vulnerabilities are concerns for physical network isolation, the virtualized nature of VMware makes the host the most critical point of failure. BGP route spoofing pertains to routing attacks and is not directly related to VMware security.

Question 21

What major issue would Charles face if he relied on hashing malware packages to identify malware packages?

Answer Choices:
A. Hashing can be spoofed.
B. Collisions can result in false positives.
C. Hashing cannot identify unknown malware.
D. Hashing relies on unencrypted malware samples.

Answer 21

Correct Answer:
C. Hashing cannot identify unknown malware.

Explanation:
Hashing is effective for identifying known malware, but it cannot detect new or unknown malware samples because these samples will not have existing hash values in the database. Malware authors can modify the code to create entirely new hashes, making it impossible for a hash-based approach to identify them unless the specific version of the malware has already been seen.

Question 22

Noriko wants to ensure that attackers cannot access his organization’s building automation control network. Which of the following segmentation options provides the strongest level of assurance that this will not happen?

Answer Choices:
A. Air gap
B. VLANs
C. Network firewalls
D. Host firewalls

Answer 22

Correct Answer:
A. Air gap

Explanation:
An air gap is the strongest form of network segmentation, as it physically isolates a network from all other networks, including the internet. This means that the building automation control network would be completely disconnected from any other network, ensuring that attackers cannot access it remotely or via any other compromised network. VLANs, network firewalls, and host firewalls offer segmentation but do not provide the same level of isolation as an air gap.

Question 23

Angela has decided to roll out a multifactor authentication system. What are the two most common factors used in MFA systems?

Answer Choices:
A. Location and knowledge
B. Knowledge and possession
C. Knowledge and biometric
D. Knowledge and location

Answer 23

Correct Answer:
B. Knowledge and possession

Explanation:
The two most common factors used in multifactor authentication (MFA) systems are knowledge (something the user knows, such as a password or PIN) and possession (something the user has, such as a mobile device, smart card, or token). Biometric factors (like fingerprints or facial recognition) are also used but are not as common as knowledge and possession in typical MFA setups.

Question 24

What purpose does the OpenFlow protocol serve in software-defined networks? Answer Choices: A. It captures flow logs from devices. B. It allows software-defined network controllers to push changes to devices to manage the network. C. It sends flow logs to flow controllers. D. It allows devices to push changes to SDN controllers to manage the network.

Answer 24

Correct Answer: B. It allows software-defined network controllers to push changes to devices to manage the network. Explanation: The OpenFlow protocol is a key component in Software-Defined Networking (SDN). It enables the SDN controller to communicate directly with the network devices (such as switches and routers), pushing updates and configurations to those devices to manage the flow of network traffic. It allows network management to be centralized and programmable, making network configuration more flexible and dynamic.

Question 25

Rick’s security research company wants to gather data about current attacks and sets up a number of intentionally vulnerable systems that allow his team to log and analyze exploits and attack tools. What type of environment has Rick set up? Answer Choices: A. A tarpit B. A honeypot C. A honeynet D. A blackhole

Answer 25

Correct Answer: C. A honeynet Explanation: A honeynet is a network of intentionally vulnerable systems designed to attract and trap attackers. It provides a broader scope than a single honeypot (which is just one vulnerable system), allowing security teams to gather detailed information about attack tools and techniques across multiple systems. This makes honeynets valuable for research and threat intelligence gathering.

Question 26

Kalea wants to prevent DoS attacks against her serverless application from driving up her costs when using a cloud service. What technique is not an appropriate solution for her need? Answer Choices: A. Horizontal scaling B. API keys C. Setting a cap on API invocations for a given timeframe D. Using timeouts

Answer 26

Correct Answer: A. Horizontal scaling Explanation: Horizontal scaling involves adding more resources (e.g., additional instances or functions) to handle increased traffic, which may lead to higher costs, especially during a DoS attack. While it can help handle load, it doesn't necessarily prevent malicious traffic from reaching the application, and it might increase costs in the event of an attack. The other techniques, like API keys, setting caps on API invocations, and timeouts, are more directly focused on limiting or controlling access to prevent abuse and cost escalation during attacks.

Question 27

Brandon is designing the hosting environment for containerized applications. Application group A has personally identifiable information, application group B has health information with different legal requirements for handling, and application group C has business-sensitive data handling requirements. What is the most secure design for his container orchestration environment given the information he has? Answer Choices: A. Run a single, highly secured container host with encryption for data at rest. B. Run a container host for each application group and secure them based on the data they contain. C. Run a container host for groups A and B, and run a lower-security container host for group C. D. Run a container host for groups A and C, and run a health information–specific container host for group B due to the health information it contains.

Answer 27

Correct Answer: B. Run a container host for each application group and secure them based on the data they contain. Explanation: The most secure design is to separate the container hosts by application group based on the sensitivity of the data they contain. Application groups with stricter legal or regulatory requirements, such as group A (personally identifiable information) and group B (health information), should be isolated in their own environments with appropriate security measures, such as encryption, access control, and network isolation. This ensures that each group’s specific data handling and security requirements are met while minimizing the risk of unauthorized access or data leakage.

Question 28

What is the best security option to prevent attacks like keyloggers from compromising user credentials? Answer Choices: A. Multifactor authentication B. Password complexity rules C. Password lifespan rules D. Prevent the use of USB devices

Answer 28

Correct Answer: A. Multifactor authentication Explanation: Multifactor authentication (MFA) adds an additional layer of security by requiring more than just a password to authenticate users. Even if a keylogger captures a password, the attacker would still need to bypass the second authentication factor (e.g., text message code, app code, or biometric verification) to gain access, significantly reducing the risk of exploitation.

Question 29

What type of technology are Facebook Connect, CAS, Shibboleth, and AD FS examples of? Answer Choices: A. Kerberos implementations B. Single sign-on implementations C. Federation technologies D. OAuth providers

Answer 29

Correct Answer: B. Single sign-on implementations Explanation: Facebook Connect, CAS, Shibboleth, and AD FS are all examples of Single Sign-On (SSO) implementations, which allow users to authenticate once and gain access to multiple systems or applications without needing to log in again.

Question 30

What is OAuth ?

Answer 30

Open Authorization is an open standard for authorization, not authentication. It allows a user to grant third-party applications access to their resources (such as data or services) without sharing their username and password. OAuth is often used to allow users to log into one application using their credentials from another (e.g., signing into a website using your Google or Facebook account). OAuth is focused on authorization, enabling users to give limited access to their data to third-party applications without sharing login credentials. SSO (Single Sign-On), on the other hand, is focused on authentication, allowing users to log into multiple applications or services with a single set of credentials. A user logs into a new photo-editing app using their Google account. Instead of entering their Google username and password, they authenticate with Google (via OAuth) and grant the app access to their photos stored in Google Photos. The app receives an access token that allows it to interact with Google Photos on the user's behalf, but it cannot access anything beyond the granted scope (such as emails or calendar events).

Question 31

What term describes defenses that obfuscate the attack surface by deploying decoys and attractive targets to slow down or distract an attacker? Answer Choices: A. An active defense B. A honeyjar C. A bear trap D. An interactive defense

Answer 31

Correct Answer: A. An active defense Explanation: Active defense involves deploying dynamic measures such as decoys (e.g., honeypots and honeynets) to mislead attackers, slow down their progress, and gather intelligence about malicious activities.

Question 32

Which web service security measure reduces the likelihood of a successful on-path (man-in-the-middle) attack? Answer Choices: A. Use TLS. B. Use XML input validation. C. Use XML output validation. D. Virus-scan files received by the web service.

Answer 32

Correct Answer: A. Use TLS. Explanation: TLS (Transport Layer Security) encrypts data in transit, ensuring confidentiality and integrity, which protects against on-path (man-in-the-middle) attacks. Other options like XML validation and virus scanning enhance security in different ways but do not address data interception during transmission.

Question 33

What type of access is typically required to compromise a physically isolated and air-gapped system? Answer Choices: A. Wired network access B. Physical access C. Wireless network access D. None of the above, because an isolated, air-gapped system cannot be accessed

Answer 33

Correct Answer: B. Physical access Explanation: Physically isolated and air-gapped systems are disconnected from any network. To compromise them, physical access is generally required, such as using external storage devices to introduce malware.

Question 34

Which of the following parties directly communicate with the end user during a SAML transaction? Answer Choices: A. The relying party B. The SAML identity provider C. Both the relying party and the identity provider D. Neither the relying party nor the identity provider

Answer 34

Correct Answer: C. Both the relying party and the identity provider Explanation: In a SAML transaction, the identity provider (IdP) authenticates the user and communicates with them during login, while the relying party (RP) interacts with the user to provide access to the requested service. Both parties are involved in communication with the user.

Question 35

What is SAML?

Answer 35

SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between parties, specifically: An identity provider (IdP) that authenticates a user. A service provider (SP) that provides the service or resource the user wants to access. SAML allows a user to authenticate once and access multiple services without needing to log in again (a concept called single sign-on, or SSO).

Question 36

How SAML Works:

Answer 36

Frodo (user) logs into SSO first thing in the morning. Frodo then tries to open the webpage to his CRM. The CRM – the service provider – checks Frodo’s credentials with the identity provider. The identity provider sends authorization and authentication messages back to the service provider, which allows Frodo to log into the CRM. Frodo can use the CRM and get work done. “Need 8 volunteers for a tough project…”

Question 37

Which of the following is not a benefit of physical segmentation? A. Easier visibility into traffic B. Improved network security C. Reduced cost D. Increased performance

Answer 37

Correct Answer: C. Reduced cost Explanation: Physical segmentation involves isolating network traffic using separate hardware, which increases visibility, security, and performance by limiting congestion and lateral movement of attackers. However, it does not reduce costs—in fact, it tends to increase costs due to the need for additional infrastructure and maintenance.

Question 38

What three layers make up a software-defined network? A. Application, Datagram, and Physical layers B. Application, Control, and Infrastructure layers C. Control, Infrastructure, and Session layers D. Data link, Presentation, and Transport layers

Answer 38

Correct Answer: B. Application, Control, and Infrastructure layers Explanation: A Software-Defined Network (SDN) consists of three key layers: Application Layer: The top layer where network services (like firewalls and load balancers) are defined. Control Layer: The middle layer, responsible for managing and controlling the network flow and decisions. Infrastructure Layer: The bottom layer, which consists of the physical network devices (like switches and routers) controlled by the control layer.

Question 39

Which of the following is not a common use case for network segmentation? A. Creating a VoIP network B. Creating a shared network C. Creating a guest wireless network D. Creating trust zones

Answer 39

Correct Answer: B. Creating a shared network Explanation: Network segmentation is typically used to separate different parts of a network to improve security, performance, and management. Common use cases include: Creating a VoIP network (A): Segregating voice traffic from other network traffic. Creating a guest wireless network (C): Isolating guest devices from the main internal network. Creating trust zones (D): Segmenting the network into different trust levels, such as separating critical systems from less-sensitive systems. Creating a shared network (B) goes against the idea of segmentation, as it involves grouping all devices together, which could lead to security and performance issues.

Question 39

Camille wants to integrate with a federation. What will she need to authenticate her users to the federation? A. An IDP B. An SP C. An API gateway D. An SSO server

Answer 39

Correct Answer: A. An IDP Explanation: In a federated identity system, IDP (Identity Provider) is responsible for authenticating users and providing their identity to other systems. IDP (A) is the system that holds and verifies the user's credentials. SP (B) refers to the Service Provider, which relies on the IDP for authentication. API gateway (C) is used to manage and secure APIs, but not for authentication in a federation. SSO server (D) provides single sign-on capabilities, but it is not the core component for federated authentication.

Question 40

What issues should Brandon consider before choosing to use the vulnerability management tools he has in his non-container-based security environment? A. Vulnerability management tools may make assumptions about host durability. B. Vulnerability management tools may make assumptions about update mechanisms and frequencies. C. Both A and B. D. Neither A nor B. A non-container-based security environment refers to a traditional infrastructure setup where applications are deployed directly onto physical or virtual machines, rather than being run in isolated containers.

Answer 40

Correct Answer: C. Both A and B. Explanation: When using vulnerability management tools, especially in a non-containerized environment, Brandon should consider both host durability and update mechanisms. Host durability: Some vulnerability management tools may expect a stable, long-term presence of hosts, which may not be the case in non-containerized environments where hosts might be decommissioned or replaced frequently. Update mechanisms and frequencies: Vulnerability management tools may also assume a specific update frequency or patching schedule for hosts, and if the system deviates from these assumptions, vulnerabilities might not be addressed in time.

Question 41

What open standard should Amira use if she wants to deploy a single sign-on (SSO) solution that supports both authentication and authorization, and allows federating with a variety of identity providers and service providers? Answer Choices: A. LDAP B. SAML C. OAuth D. OpenID Connect

Answer 41

Correct Answer: B. SAML Explanation: SAML (Security Assertion Markup Language) is an open standard used for single sign-on (SSO) that supports both authentication and authorization. It is commonly used for federating between identity providers (IdPs) and service providers (SPs), allowing users to authenticate once and access multiple services without needing to log in to each separately. It is widely supported for federated authentication across different systems. Why not the others? A. LDAP (Lightweight Directory Access Protocol): LDAP is a protocol used to query and modify directory services, not for SSO or federated authentication. C. OAuth: OAuth is an open standard for authorization (not authentication) that allows third-party services to access a user's resources without exposing the user's credentials. While OAuth is part of the modern identity landscape, it doesn't inherently provide SSO. D. OpenID Connect: OpenID Connect is an authentication protocol built on top of OAuth 2.0. While it supports user authentication, it is typically used more for web and mobile applications, and is not as broadly supported in federated environments as SAML.

Question 42

Nathan is designing the logging infrastructure for his company and wants to ensure that a compromise of a system will not result in the loss of that system’s logs. What should he do to protect the logs? Answer Choices: A. Limit log access to administrators. B. Encrypt the logs. C. Rename the log files from their common name. D. Send the logs to a remote server.

Answer 42

Correct Answer: D. Send the logs to a remote server. Explanation: Sending logs to a remote server ensures that even if a system is compromised, the logs will not be lost. Storing logs centrally provides greater security and makes it more difficult for attackers to tamper with or delete logs. Other options like limiting access, encrypting, or renaming files could help in some cases but do not fully protect logs from being lost or altered in the event of a system compromise.

Question 43

Ansel knows he wants to use federated identities in a project he is working on. Which of the following should not be among his choices for a federated identity protocol? Answer Choices: A. OpenID B. SAML C. OAuth D. Authman

Answer 43

Correct Answer: D. Authman Explanation: Authman is not a recognized or standard protocol for federated identity management. OpenID, SAML, and OAuth are all widely used protocols for federated identity systems. OpenID is a decentralized protocol for single sign-on (SSO). SAML (Security Assertion Markup Language) is used for exchanging authentication and authorization data between parties, commonly used in enterprise environments. OAuth is an authorization framework that allows access delegation, often used alongside OpenID Connect for federated authentication and authorization.

Question 44

Abul wants to identify typical behavior on a Windows system using a built-in tool to understand memory, CPU, and disk utilization. What tool can he use to see both real-time performance and over a period of time? A. sysmon B. sysgraph C. resmon D. resgraph

Answer 44

Answer: C. resmon (Resource Monitor) Explanation: Resource Monitor is a built-in Windows tool that provides detailed real-time data on system performance, including memory, CPU, and disk utilization. It allows users to monitor both real-time and historical system performance. Not A: A. sysmon: Sysmon (System Monitor) is a Windows Sysinternals tool that provides detailed information about system activity, such as process creation, network connections, and file creation. While it’s great for security and forensic analysis, it doesn't provide a graphical interface for real-time performance metrics like CPU, memory, or disk utilization.

Question 45

What does execution of wmic.exe, powershell.exe, or winrm.vbs most likely indicate if you discover one or more was run on a typical end user’s workstation? Answer Choices: A. A scripted application installation B. Remote execution of code C. A scripted application uninstallation D. A zero-day attack

Answer 45

Correct Answer: B. Remote execution of code Explanation: These tools (wmic.exe, powershell.exe, and winrm.vbs) are often used for remote management and administration. If discovered running on an end user's workstation, it most likely indicates that an attacker is executing commands remotely on the system, potentially as part of a lateral movement or remote code execution attack. They are typically not used in normal user activities.

Question 46

While Lucy is monitoring the SIEM, she notices that all of the log sources from her organization’s New York branch have stopped reporting for the past 24 hours. What type of detection rules or alerts should she configure to make sure she is aware of this sooner next time? Answer Choices: A. Heuristic B. Behavior C. Availability D. Anomaly

Answer 46

Correct Answer: C. Availability Explanation: Availability detection rules are designed to alert when a system, service, or data source becomes unavailable. In this case, since the log sources from the New York branch have stopped reporting, an availability alert would trigger as soon as the logs stop being received, allowing Lucy to be aware of the issue promptly. Why not the rest: A. Heuristic: Detects patterns of behavior, not log availability, so it wouldn't alert you to missing logs. B. Behavior: Focuses on deviations in actions, not the absence of data. D. Anomaly: Detects outliers in data, but not the lack of data itself.

Question 47

Lucy is tasked with configuring alerts that are sent to system administrators. She builds a rule that can be represented in pseudocode as follows: Send an SMS alert every 30 seconds when systems do not send logs for more than 1 minute. The average administrator at Lucy’s organization is responsible for 150–300 machines. What danger does Lucy’s alert create? A. A DDoS that causes administrators to not be able to access systems B. A network outage C. Administrators may ignore or filter the alerts D. A memory spike

Answer 47

Answer: C. Administrators may ignore or filter the alerts Explanation: If Lucy configures an alert that sends an SMS every 30 seconds when systems don't send logs for more than 1 minute, the administrators may become overwhelmed by the constant barrage of alerts. Given their high workload (150-300 machines), they may start ignoring or filtering out the alerts due to alert fatigue, which would defeat the purpose of the monitoring system. Why not the others: A. A DDoS that causes administrators to not be able to access systems: This isn't a DDoS attack. The alerts would overwhelm the administrators, but not affect system access. B. A network outage: The alerting system itself doesn't cause network outages. D. A memory spike: This wouldn't cause a memory spike in the system; it only causes alert overload.

Question 48

Disabling unneeded services is an example of what type of activity? A. Threat modeling B. Incident remediation C. Proactive risk assessment D. Reducing the threat attack surface area

Answer 48

Answer: D. Reducing the threat attack surface area Explanation: Disabling unneeded services is a proactive security measure aimed at minimizing the potential points of entry for attackers. By removing or disabling unnecessary services, you reduce the "attack surface" — the number of services and vulnerabilities that could potentially be exploited by malicious actors. Why not the others: A. Threat modeling: This involves identifying and understanding potential threats, but disabling services is more of a preventive action than part of a threat modeling process. B. Incident remediation: This typically refers to responding to and fixing issues after an incident has occurred, not a proactive step. C. Proactive risk assessment: While disabling services reduces risk, risk assessment itself involves identifying, evaluating, and mitigating risks, which is broader than just disabling services.

Question 49

What type of information can Gabby determine from Tripwire logs on a Linux system if it. is configured to monitor a directory? A. How often the directory is accessed B. If files in the directory have changed C. If sensitive data was copied out of the directory D. Who has viewed files in the directory

Answer 49

Answer: B. If files in the directory have changed Explanation: Tripwire is a file integrity monitoring tool that checks for changes to files and directories. It logs alterations such as file modifications, deletions, and additions. If Tripwire is configured to monitor a directory, it can detect and log any changes to the files within that directory. Why not the others: A. How often the directory is accessed: Tripwire does not track access times or access frequency. It focuses on detecting changes to files, not access patterns. C. If sensitive data was copied out of the directory: Tripwire cannot track file transfers or copying. It can only detect changes to files within the monitored directory, not how or where they are used or copied. D. Who has viewed files in the directory: Tripwire does not monitor file access by specific users. It focuses on changes to file contents and attributes, not who accessed or viewed a file.

Question 50

While reviewing tcpdump data, Kwame discovers that hundreds of different IP addresses are sending a steady stream of SYN packets to a server on his network. What concern should Kwame have about what is happening? A. A firewall is blocking connections from occurring. B. An IPS is blocking connections from occurring. C. A denial-of-service attack. D. An ACK blockage

Answer 50

Answer: C. A denial-of-service attack. Explanation: The behavior Kwame is seeing—hundreds of different IP addresses sending SYN packets to a server—indicates a SYN flood attack, which is a form of Denial of Service (DoS) attack. In a SYN flood, the attacker sends a large number of SYN requests to a target server, but never completes the handshake (by sending the final ACK), causing the server to wait for connections and eventually become overwhelmed or unavailable. Why not the others: A. A firewall blocking connections: Firewalls block traffic, but don’t generate SYN packets. B. An IPS blocking connections: IPS would drop malicious traffic, not cause SYN floods. D. An ACK blockage: ACK blockage affects connection completion, not SYN flooding.

Question 51

While reviewing email headers, Saanvi notices an entry that reads as follows: From: “John Smith, CIO” with a Received: parameter that shows mail.demo.com [10.74.19.11]. Which of the following scenarios is most likely if demo.com is not a domain belonging to the same owner as example.com? A. John Smith’s email was forwarded by someone at demo.com. B. John Smith’s email was sent to someone at demo.com. C. The headers were forged to make it appear to have come from John Smith. D. The mail.demo.com server is a trusted email forwarding partner for example.com.

Answer 51

Answer: C. The headers were forged to make it appear to have come from John Smith. Explanation: A. John Smith’s email was forwarded by someone at demo.com: If the email were forwarded, demo.com would appear in the Received field, but it wouldn't necessarily show up as the originating server. B. John Smith’s email was sent to someone at demo.com: If the email was sent to someone at demo.com, there would be no reason for demo.com to appear in the Received header as a sending server. D. The mail.demo.com server is a trusted email forwarding partner for example.com: If this were the case, the domain demo.com would be part of the example.com infrastructure, but it's not mentioned as being a trusted partner. Thus, the most likely scenario is that the email headers were forged to make it appear that the email came from John Smith when it may not have.

Question 52

Fiona wants to prevent email impersonation of individuals inside her company. What technology can best help prevent this? A. IMAP B. SPF C. DKIM D. DMARC

Answer 52

Answer: D. DMARC A. IMAP (Internet Message Access Protocol): This is a protocol used for retrieving and storing emails on a mail server. It is not a security technology designed to prevent email impersonation. It simply allows email clients to access emails stored on a server, but it does not provide protection against spoofing or impersonation. B. SPF (Sender Policy Framework): SPF helps prevent email spoofing by verifying that the sender's IP address is authorized to send emails on behalf of a domain. It helps, but not as fully as DMARC. C. DKIM (DomainKeys Identified Mail): DKIM provides a way for sending mail servers to digitally sign emails, verifying their authenticity, but it requires DMARC for enforcement. D. DMARC (Domain-based Message Authentication, Reporting, and Conformance): DMARC is the most effective of these options as it combines SPF and DKIM to ensure email authenticity, prevent spoofing, and provide reporting. It helps prevent email impersonation

Question 53

While analyzing a malware file that she discovered, Tracy finds an encoded file that shebelieves is the primary binary in the malware package. Which of the following is not a typeof tool that the malware writers may have used to obfuscate the code? A. A packer B. A crypter C. A shuffler D. A protector

Answer 53

the answer is C. A shuffler. Explanation: A. A packer: As mentioned earlier, a packer is a tool used to compress or encrypt files to obscure their true contents, commonly used in malware to make detection and analysis more difficult. B. A crypter: A crypter is designed to encrypt or obfuscate malware code, making it harder for antivirus software to detect and for analysts to reverse engineer the malicious behavior. C. A shuffler: While the term "shuffler" might sound like something related to obfuscation, it is not commonly used in malware analysis or for obfuscating the actual binary code. It's not a standard tool in malware development, making it the correct answer for "not a type of tool used to obfuscate code." D. A protector: Protectors are used to prevent tampering or reverse engineering of software, and they are used in both malware and legitimate software to prevent cracking and analysis. So, C. A shuffler is the correct answer because it's not a typical tool used for obfuscating malware code.

Question 54

Frank’s team uses the following query to identify events in their threat intelligence tool. Why would this scenario be of concern to the security team? select * from network-events where data.process.image.file = ‘cmd.exe’ AND data.process.parentImage.file != ‘explorer.exe’ AND data.process.action = ‘launch’ A. Processes other than explorer.exe typically do not launch command prompts. B. cmd.exe should never launch explorer.exe. C. explorer.exe provides administrative access to systems. D. cmd.exe runs as administrator by default when launched outside of Explorer

Answer 54

The correct answer is A. Processes other than explorer.exe typically do not launch command prompts. Explanation: A. A cmd.exe process launched by something other than explorer.exe could indicate suspicious behavior, such as malware trying to invoke cmd.exe outside normal usage. B. cmd.exe can legitimately launch explorer.exe, so this isn't a concern. C. explorer.exe doesn't provide administrative access by default. D. cmd.exe doesn't run as administrator by default unless specifically invoked with elevated privileges.

Question 55

While reviewing the command history for an administrative user, Lakshman discovers a suspicious command that was captured: ln /dev/null ~/.bash_history What action was this user attempting to perform? A. Enabling the Bash history B. Appending the contents of /dev/null to the Bash history C. Logging all shell commands to /dev/null D. Allowing remote access from the null shell

Answer 55

Correct Answer: C. Logging all shell commands to /dev/null. Why? The command ln /dev/null ~/.bash_history links the history file to /dev/null, discarding all command logs to hide activity. Why Not Others? A. It disables history, not enables it. B. It replaces the file, not appends to it. D. Unrelated to remote access or shells

Question 55

Charles wants to determine whether a message he received was forwarded by analyzing the headers of the message. How can he determine this? A. Reviewing the Message-ID to see if it has been incremented. B. Checking for the In-Reply-To field. C. Checking for the References field. D. You cannot determine if a message was forwarded by analyzing the headers

Answer 55

Correct Answer: D. You cannot determine if a message was forwarded by analyzing the headers. Why? Email headers do not reliably indicate if a message was forwarded; forwarding can appear as a new message from the forwarder. Why Not Others? A. Message-ID does not increment with forwarding. B. In-Reply-To is used for replies, not forwarding. C. References track message threads, not forwarding.

Question 56

Susan wants to check a Windows system for unusual behavior. Which of the following persistence techniques is not commonly used for legitimate purposes? A. Scheduled tasks B. Service replacement C. Service creation D. Autostart registry keys

Answer 56

Correct Answer: B. Service replacement Why? Service replacement involves replacing legitimate system services with malicious ones, a technique almost exclusively used for malicious purposes. Why Not Others? A. Scheduled tasks: Often used for legitimate automation. C. Service creation: Commonly used for installing new services. D. Autostart registry keys: Frequently employed for legitimate software that needs to run on startup.

Question 57

2. Ben wants to quickly check a suspect binary file for signs of its purpose or other information that it may contain. What Linux tool can quickly show him potentially useful information contained in the file? A. grep B. more C. less D. strings

Answer 57

Correct Answer: D. strings Why? strings extracts human-readable strings from binary files, which can help Ben identify text, such as URLs, file paths, or other hints about the file's purpose. Why Not Others? A. grep: Used for searching specific patterns in text files, not for extracting readable strings from binary files. B. more: A pager used to view the contents of a file one screen at a time, but it doesn't specifically analyze binary files for readable strings. C. less: Similar to more, it's a pager tool but does not extract strings from binary files.

Question 58

Carol wants to analyze email as part of her antispam and antiphishing measures. Which of the following is least likely to show signs of phishing or other email-based attacks? A. The email’s headers B. Embedded links in the email C. Attachments to the email D. The email signature block

Answer 58

Correct Answer: D. The email signature block Why? The email signature block is least likely to reveal phishing signs. Why Not Others? A. Email headers show sender info, useful for spotting spoofing. B. Embedded links may lead to malicious sites. C. Attachments often carry malware.

Question 59

Lukas wants to prevent users from running a popular game on Windows workstations he is responsible for. How can Lukas accomplish this for Windows workstations? A. Using application allowlisting to prevent all prohibited programs from running. B. Using Windows Defender and adding the game to the blocklist file. C. Listing it in the Blocked Programs list via secpol.msc. D. You cannot blocklist applications in Windows 10 without a third-party application.

Answer 59

Correct Answer: A. Using application allowlisting to prevent all prohibited programs from running. Why Not Others: B. Windows Defender is for malware, not game blocking. C. Secpol.msc isn't effective for specific program blocking. D. Windows 10 can block apps without third-party software.

Question 60

Naomi wants to analyze malware by running it and capturing what it does. What type of tool should she use? A. A containerization tool B. A virtualization tool C. A sandbox tool D. A packet analyzer

Answer 60

Correct Answer: C. A sandbox tool Explanation: A sandbox tool is designed to run potentially dangerous files, such as malware, in an isolated environment. This allows the analyst to observe the behavior of the malware without risk to the host system.

Question 61

Ian lists the permissions for a Linux file that he believes may have been modified by an attacker. What do the permissions shown here mean? -rwxrw-r&—1 chuck admingroup 1232 Feb 28 16:22 myfile.txt A. User chuck has read and write rights to the file; the Administrators group has read, write, and execute rights; and all other users only have read rights. B. User admingroup has read rights; group chuck has read and write rights; and all users on the system can read, write, and execute the file. C. User chuck has read, write, and execute rights on the file. Members of admingroup group can read and write to the file but cannot execute it, and all users on the system can read the file. D. User admingroup has read, write, and execute rights on the file;

Answer 61

Correct Answer: C. User chuck has read, write, and execute rights on the file. Members of admingroup group can read and write to the file but cannot execute it, and all users on the system can read the file. Explanation: The permissions -rwxrw-r-- can be broken down as follows: rwx: User (chuck) has read, write, and execute permissions. rw-: Group (admingroup) has read and write permissions, but no execute permissions. r--: Others (everyone else) have read-only permissions.

Question 62

While reviewing web server logs, Danielle notices the following entry. What occurred? 10.11.210.6 - GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme= total 200 A. A theme was changed. B. A file was not found. C. An attempt to edit the 404 page. D. The 404 page was displayed.

Answer 62

Correct Answer: C. An attempt to edit the 404 page. Explanation: The log entry indicates a GET request made to the theme-editor.php script within the WordPress admin panel. This script is commonly used to edit themes, and the query parameters suggest that the file being targeted is 404.php. This suggests that the user was trying to edit or modify the 404 error page. GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme=: This shows an attempt to access the theme editor for the file 404.php within a WordPress theme. The status code 200 indicates a successful request, meaning the page was accessible, but it doesn't directly indicate that the file was changed.

Question 63

Melissa wants to deploy a tool to coordinate information from a wide range of platforms so that she can see it in a central location and then automate responses as part of security workflows. What type of tool should she deploy? A. UEBA B. SOAR C. SIEM D. MDR

Answer 63

Answer: B. SOAR Explanation: SOAR (Security Orchestration, Automation, and Response) tools centralize security data and automate responses across platforms, which fits Melissa's need to coordinate and automate security workflows. UEBA detects anomalies but doesn't automate workflows. SIEM monitors and logs but lacks automation.

Question 64

How does data enrichment differ from threat feed combination? A. Data enrichment is a form of threat feed combination for security insights, focuses on adding more threat feeds together for a full picture, and removes third-party data to focus on core data elements rather than adding together multiple data sources. B. Data enrichment uses events and nonevent information to improve security insights, instead of just combining threat information. C. Threat feed combination is more useful than data enrichment because of its focus on only the threats. D. Threat feed combination techniques are mature, and data enrichment is not ready for enterprise use.

Answer 64

Answer: B. Data enrichment uses events and non-event information to improve security insights, instead of just combining threat information. Explanation: Data enrichment involves enhancing existing data by adding additional context, such as information from non-event sources (e.g., user data, asset data), to provide more comprehensive security insights. Threat feed combination simply integrates multiple threat intelligence sources to form a fuller picture of the threat landscape. Option A is incorrect because data enrichment focuses on enhancing data rather than just focusing on core data elements. Option C is incorrect because data enrichment adds value by including more contextual information, not just focusing on threats. Option D is incorrect because data enrichment is already widely used in enterprise environments.

Question 65

Kathleen wants to verify on a regular basis that a file has not changed on the system that she is responsible for. Which of the following methods is best suited to this? A. Use sha1sum to generate a hash for the file and write a script to check it periodically. B. Install and use Tripwire. C. Periodically check the MAC information for the file using a script. D. Encrypt the file and keep the key secret so the file cannot be modified.

Answer 65

Answer: B. Install and use Tripwire. Explanation: Tripwire is a file integrity monitoring tool specifically designed to detect changes to files and directories. It regularly checks the integrity of the system's files and alerts administrators if changes are detected, making it the best choice for Kathleen's needs. Option A (using sha1sum): While using sha1sum to generate a hash and checking it periodically could work, it's less efficient and reliable compared to a specialized tool like Tripwire. Option C (checking MAC information): While checking the file's MAC (Modification, Access, and Change) times could indicate changes, it's not as comprehensive or reliable as Tripwire for file integrity monitoring. Option D (encrypting the file): Encrypting the file will prevent unauthorized modifications, but it does not address Kathleen’s goal of verifying the file's integrity on a regular basis.

Question 66

Fiona is considering a scenario in which components that her organization uses in its software that come from public GitHub repositories are Trojaned. What should she do first to form the basis of her proactive threat-hunting effort? A. Search for examples of a similar scenario. B. Validate the software currently in use from the repositories. C. Form a hypothesis. D. Analyze the tools available for this type of attack

Answer 66

C. Forming a hypothesis should be Fiona’s next step. Once she starts to consider a scenario, she needs to identify the target and likely adversary techniques and determine how she would verify the hypothesis.

Question 67

. Tracy has reviewed the CrowdStrike writeup for an APT group known as HELIX KITTEN, which notes that the group is known for creating “thoroughly researched and structured spear-phishing messages relevant to the interests of targeted personnel.” What types of defenses are most likely to help if she identifies HELIX KITTEN as a threat actor of concern for her organization? A. DKIM B. An awareness campaign C. Blocking all email from unknown senders D. SPF

Answer 67

. B. Awareness campaigns are among the most effective ways to counter spear phishing. A well-resourced APT organization will send email from legitimate email addresses, thus bypassing most DKIM and SPF defenses. Blocking email from all unknown senders is not acceptable to most organizations.

Question 68

Micah wants to use the data he has collected to help with his threat-hunting practice. What type of approach is best suited to using large volumes of log and analytical data? A. Hypothesis-driven investigation B. Investigation based on indicators of compromise C. Investigation based on indications of attack D. AI/ML-based investigation

Answer 68

he correct answer is D. AI/ML-based investigation. Explanation: AI/ML-based investigations are best for handling large datasets, as they can quickly analyze and detect patterns or anomalies in massive volumes of data, adapting over time. Why not the others? A. Hypothesis-driven investigation: Involves testing theories, but doesn't scale well for large data volumes. B. Indicators of compromise (IoC): Focuses on known threats but is limited for large, diverse datasets. C. Indications of attack (IoA): Detects behaviors of attacks but is less efficient without AI/ML for large data.

Question 69

Naomi wants to improve the detection capabilities for her security environment. A major concern for her company is the detection of insider threats. What type of technology can she deploy to help with this type of proactive threat detection? A. IDS B. UEBA C. SOAR D. SIEM

Answer 69

The correct answer is B. UEBA (User and Entity Behavior Analytics). Explanation: UEBA is specifically designed to identify unusual or suspicious behaviors that might indicate insider threats by analyzing user and entity activities. It uses machine learning and analytics to detect deviations from normal behavior. Why not the others? A. IDS (Intrusion Detection System): Primarily detects external attacks, not specifically tailored for insider threat detection. C. SOAR (Security Orchestration, Automation, and Response): Automates incident response but doesn’t focus directly on proactive threat detection. D. SIEM (Security Information and Event Management): Collects and analyzes log data but doesn’t specialize in detecting insider threats through behavioral analysis.

Question 70

Ling wants to use her SOAR platform to handle phishing attacks more effectively. What elements of potential phishing emails should she collect as part of her automation and workflow process to triage and assign severity indicators? A. Subject lines B. Email sender addresses C. Attachments D. All of the above

Answer 70

The correct answer is D. All of the above. Explanation: For effective triage and severity assignment of phishing emails, it is important to collect various elements that can indicate the authenticity or malicious nature of an email. These elements include: Subject lines: Often, phishing emails use misleading or urgent subject lines to trick recipients. Email sender addresses: Phishing emails often use forged or suspicious sender addresses. Attachments: Malicious attachments can contain malware or links to phishing websites.

Question 71

Mila is reviewing feed data from the MISP open-source threat intelligence tool and sees the following entry: "Unit 42 has discovered a new malware family we've named "Reaver" with ties to attackers who use SunOrcal malware. SunOrcal activity has been documented to at least 2013, and based on metadata surrounding some of the C2s, may have been active as early as 2010. The new family appears to have been in the wild since late 2016 and to date we have only identified 10 unique samples, indicating it may be sparingly used. Reaver is also somewhat unique in the fact that its final payload is in the form of a Control panel item, or CPL file. To date, only 0.006% of all malware seen by Palo Alto Networks employs this technique, indicating that it is in fact fairly rare.", "Tag": [{"colour": "#00223b", "exportable": true, "name": "osint:source-type=\"blog-post\""}], "disable_correlation": false, "object_relation": null, "type": "comment"}, {"comment": "", "category": "Persistence mechanism", "uuid": "5a0a9d47- 1c7c-4353-8523-440b950d210f", "timestamp": "1510922426", "to_ids": false, "value": "%COMMONPROGRAMFILES%\\services\\", "disable_correlation": false, "object_relation": null, "type": "regkey"}, {"comment": "", "category": "Persistence mechanism", "uuid": "5a0a9d47-808c-4833-b739-43bf950d210f", "timestamp": "1510922426", "to_ids": false, "value": "%APPDATA%\\microsoft\\mmc\\", "disable_correlation": false, "object_relation": null, "type": "regkey"}, {"comment": "", "category": "Persistence mechanism", "uuid": "5a0a9d47-91e0- 4fea-8a8d-48ce950d210f", "timestamp": "1510922426", "to_ids": false, "value": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ Shell Folders\\Common Startup" How does the Reaver malware maintain persistence? A. A blog post B. Inserts itself into the Registry C. Installs itself as a runonce key D. Requests user permission to start up

Answer 71

The correct answer is B. Inserts itself into the Registry. Explanation: The persistence mechanism described in the MISP feed includes registry keys that are associated with the Reaver malware. Specifically, the entries mentioned are: "%COMMONPROGRAMFILES%\services\" "%APPDATA%\microsoft\mmc\" "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup" These paths indicate that Reaver malware inserts itself into the Windows Registry, a common technique for ensuring persistence on the system. By adding these registry keys, Reaver can ensure that it is executed each time the system starts, thus maintaining its presence on the infected machine.

Question 72

Fiona has continued her threat-hunting efforts and has formed a number of hypotheses. What key issue should she consider when she reviews them? A. The number of hypotheses B. Her own natural biases C. Whether they are strategic or operational D. If the attackers know about them

Answer 72

The correct answer is B. Her own natural biases. Explanation: When reviewing hypotheses, it's crucial for Fiona to be aware of her own natural biases, as they can influence how she interprets data or the conclusions she draws. Biases could lead her to focus too heavily on certain types of threats while overlooking others, which could result in ineffective or incomplete threat-hunting efforts. Being aware of these biases allows her to approach the review process more objectively and consider all possibilities.

Question 73

Nathan wants to determine which systems are sending the most traffic on his network. What low-overhead data-gathering methodology can he use to view traffic sources, destinations, and quantities? A. A network sniffer to view all traffic B. Implementing NetFlow C. Implementing SDWAN D. Implementing a network tap

Answer 73

The correct answer is B. Implementing NetFlow. Explanation: NetFlow is a network protocol developed by Cisco that collects IP traffic data, which provides insights into network traffic flow. A. Network sniffer: Resource-intensive and captures excessive data, causing performance issues. C. SD-WAN: Primarily for managing and optimizing WAN traffic, not for detailed traffic analysis. D. Network tap: Hardware-based, more complex, and expensive compared to software solutions like NetFlow.

Question 74

What do DLP systems use to classify data and to ensure that it remains protected? A. Data signatures B. Business rules C. Data egress filters D. Data at rest

Answer 74

The correct answer is: B. Business rules Explanation: DLP (Data Loss Prevention) systems use business rules to classify data, ensuring it remains protected based on the organization's specific policies, such as data types, sensitive information, and where it can be accessed or shared.

Question 75

Benicio wants to implement a tool for all the workstations and laptops in his company that can combine behavioral detection attack indicators based on current threat intelligence with real-time visibility into the systems. What sort of tool should he select? A. An IPS B. An EDR C. A CRM D. A UEBA

Answer 75

B. An EDR (Endpoint Detection and Response) Explanation: An EDR (Endpoint Detection and Response) tool is designed to provide real-time visibility into endpoint activities, monitor for behavioral indicators of compromise (IoCs), and integrate with current threat intelligence. It combines detection and response capabilities to help identify and mitigate threats on workstations and laptops.

Question 76

Eric wants to analyze a malware binary in the safest way possible. Which of the following methods has the least likelihood of allowing the malware to cause problems? A. Running the malware on an isolated VM B. Performing dynamic analysis of the malware in a sandbox C. Performing static analysis of the malware D. Running the malware in a container service

Answer 76

The correct answer is: C. Performing static analysis of the malware Explanation: Performing static analysis of the malware involves examining the malware's code without executing it, thus preventing it from running and potentially causing harm. This is the safest method, as it does not allow the malware to execute and spread. A. Isolated VM: VMs still run the malware, which poses a risk of escape or damage if isolation fails. B. Dynamic analysis in a sandbox: Allows malware to run, which could lead to it escaping or causing harm if the sandbox isn't secure. D. Running in a container: Containers are less isolated than VMs, increasing the risk of malware escaping.

Question 77

Tom wants to improve his detection capabilities for his software-as-a-service (SaaS) environment. What technology is best suited to give him a view of usage, data flows, and other details for cloud environments? A. EDR B. CASB C. IDS D. SIEM

Answer 77

The best option for Tom to improve detection capabilities in his SaaS environment is B. CASB (Cloud Access Security Broker). A CASB provides visibility and control over data and user activity in cloud services, helping to monitor usage, data flows, and other cloud-specific details. Here’s why the others aren't the best fit: A. EDR (Endpoint Detection and Response): Primarily focuses on endpoint monitoring, not cloud services. C. IDS (Intrusion Detection System): Monitors for network intrusions but doesn’t specifically address cloud environments. D. SIEM (Security Information and Event Management): Collects and analyzes security data from across an organization's network, but CASBs provide specialized cloud-focused security features.