210-255

Question 1

What is accomplished in the identification phase of incident handling?

Answer 1

Determining that a security event has occurred

Question 2

Which two HTTP header fields relate to intrusion analysis? (Choose two)

Answer 2

User-agent

Host

Question 3

Which component of the NIST SP800-61 r2 incident handling strategy reviews data?

Answer 3

Post-incident analysis

Question 4

Which option is generated when a file is run through an algorithm and generates a string specific to the contents of that file?

Answer 4

Hash

Question 5

Which data type is protected under the PCI compliance framework?

Answer 5

Primary account number

Question 6

Which CVSSv3 metric captures the level of access that is required for a successful attack?

Answer 6

Privileges required

Question 7

From a security perspective, why is it important to employ a clock synchronization protocol on a network?

Answer 7

To construct an accurate timeline of events when responding to an incident.

Question 8

You see 100 HTTP GET and POST requests for various pages on one of your web servers. The user agent in the requests contain php code that, if executed, creates and writes to a new php file on the webserver. Which category does this even fall under as defined in the Diamond Model of Intrustion?

Answer 8

Delivery

Question 9

Which option is misuse variety per VERIS enumerations?

Answer 9

Hacking

Question 10

Which stakeholder group is responsible for containment, eradication, and recovery in incident handling?

Answer 10

Leaders and Managers

Question 11

A user on your network receives an email in their mailbox that contains a malicious attachment. There is no indication that the file was run. Which category as defined in the kill-chain model does this activity fall under?

Answer 11

Delivery

Question 12

During which phase of the forensic process are tools and techniques used to extract the relevant information from the collective data?

Answer 12

Examination

Question 13

Which option allows a file to be extracted from a TCP steam within Wireshark?

Answer 13

File > Export Objects

Question 14

Which element can be used by a threat actor to discover a possible opening into a target network and can also be used by an analyst to determine the protocol of the malicious traffic?

Answer 14

Ports

Question 15

In Microsoft Windows, as files are deleted the space they were allocated eventIally is considered available for use by other files. This creates alternating used and unused areas of various sizes. What is this called?

Answer 15

Free space fragmentation

Question 16

In the context of incident handling phases, which two activities fall under scoping?

Answer 16

Identifying the extent that a security incident is impacting protected resources on the network.

Identifying the attackers that are associated with a security incident.

Question 17

Which regular expression matches “color” and “colour”?

Answer 17

colou?r

Question 18

Which description of a retrospective malware detection is true?

Answer 18

You can use historical information from one or more sources to identify the affected host or file.

Question 19

Which process is being utilized when IPS events are removed to improve data integrity?

Answer 19

Data normalization

Question 20

Which element is included in an incident response plan?

Answer 20

Organization mission

Question 21

Which CVSSv3 metric value increases when attacks consume network bandwidth, processor cycles, or disk space?

Answer 21

Availability

Question 22

Which Security Operations Center’s goal is to provide incident handling to a country?

Answer 22

National CSIRT

Question 23

A CMS plugin creates two files that are accessible from the Internet myplugin.html and exploitable.php. A newly discovered exploit takes advantage of an injection vulnerability in exploitable.php. To exploit the vulnerability, one must send an HTTP POST with specific variables to exploitable.php. You see traffic to your webserver that consists of only HTTP Get requests to myplugin.html. Which category best describes this activitiy?

Answer 23

Reconnaissance

Question 24

Which goal of data normalization is true?

Answer 24

Reduce data redundancy

Question 25

Which identifies both the source and destination location?

Answer 25

IP address

Question 26

Which type of analysis assigns values to scenarios to see what the outcome might be in each scenario?

Answer 26

Deterministic

Question 27

Which feature is used to find possible vulnerable services running on a server?

Answer 27

Listening ports

Question 28

Which two options can be used by a threat actor to determine the role of a server? (Choose two)

Answer 28

Running processes

Applications

Question 29

Which option creates a display filter on Wireshark on a host IP address or name?

Answer 29

ip.addr==or ip.host ==

Question 30

You receive an alert for malicious code that exploits Internet Explorer and runs arbitrary code on the site visitor machine. The malicious code is on an external site that is being visited by hosts on your network. Which user agent in the HTTP headers in the requests from your internal hosts warrants further investigation?

Answer 30

Mozilla/5.0 (compatible, MSIE 10.0, Windows NT 6.2, Trident 6.0)

Question 31

During which phase of the forensic process is data that is related to a specific event labeled and recorded to preserve its integrity?

Answer 31

Collection

Question 32

Which information must be left out of a final incident reports?

Answer 32

Server hardware configurations

Question 33

Which two components are included in a 5-tuple? (Choose two)

Answer 33

Port number

Destination IP address

Question 34

In VERIS, an incident is viewed as a series of events that adversely affects the information assets of an organization . Which option contains the elements that every event is comprised of according to VERIS incident model?

Answer 34

actors, actions, assets, attributes

Question 35

You see confidential data being exfiltrated to an IP address that is attributed to a known Advanced Persistent Threat group. Assume that this is part of a real attack and not a network misconfiguration. Which category does this event fall under as defined in the Diamond Model of Intrusion?

Answer 35

action on objectives

Question 36

Which option has a drastic impact on network traffic because it can cause legitimate traffic to be blocked?

Answer 36

false positive

Question 37

Which CVSSv3 metric value increases when the attacker is able to modify all files protected by the vulnerable component?

Answer 37

Integrity

Question 38

Which type of analysis allows you to see how likely an exploit could affect your network?

Answer 38

Probabilistic

Question 39

Which network device creates and sends the initial packet of a session?

Answer 39

Source

Question 40

When performing threat hunting against a DNS server, which traffic toward the affected domain is considered a starting point?

Answer 40

UDP traffic

Question 41

An organization has recently adjusted its security stance in response to online threats made by a known hacktivist group. Which term defines the initial event in the NIST SP800-61 r2?

Answer 41

Precursor -> is a sign that an incident may occur in the future

Question 42

You have run a suspicious file in a sandbox analysis tool to see what the file does. The analysis report shows that outbound callouts were made post infection. Which two pieces of information from the analysis report are needed or required to investigate the callouts? (Choose two)

Answer 42

Domain names

Host IP addresses

Question 43

Which option filters a LibPCAP capture that used a host as a gateway?

Answer 43

gateway host

Question 44

Which source provides reports of vulnerabilities in software and hardware to a Security Operations Center?

Answer 44

Internal CSIRT

Question 45

What information from HTTP logs can be used to find a threat actor?

Answer 45

IP address

Question 46

Which element is part of an incident response plan?

Answer 46

Organizational approach to incident response.

Question 47

What mechanism does the Linux operating system provide to control access to files?

Answer 47

File permissions

Question 48

Which string matches the regular expression r(ege)+x?

Answer 48

regeegex

Question 49

Which statement about threat actors is true?

Answer 49

They are perpetrators of attacks

Question 50

Which data element must be protected with regards to PCI?

Answer 50

full name / full account number

Question 51

What kind of evidence can be considered most reliable to arrive at an analytical assertion?

Answer 51

Direct

Question 52

Which CVSSv3 Attack Vector metric value requires the attacker to physically touch or manipulate the vulnerable component?

Answer 52

Physical

Question 53

Which option can be addressed when using retrospective security techniques?

Answer 53

How the malware entered our network.

Question 54

Which netstat command show ports? (Choose two)

Answer 54

netstat -a

netstat -l

Question 55

What is data mapping used for? (Choose two)

Answer 55

data accuracy (integrity)

data visualisation

Question 56

Filtering ports in Wireshark?

Answer 56

tcp.port == 80

Question 57

What attribute belonging VERIS schema?

Answer 57

confidentiality / possession
Integrity / authenticity
availability / utility

Question 58

What is NAC?

Answer 58

Network Access Control

Question 59

What protocol is related to NAC?

Answer 59

802.1X (EAP-TLS, EAP-PEAP or EAP-MSCHAP)

Question 60

What is the definition of confidentiality according to CVSSv3 framework?

Answer 60

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability

Question 61

Which of the following are examples of some of the responsibility of a corporate CSIRT and the policies it helps create? (Choose Four)

Answer 61

Incident classification and handling
Information classification and protection
Information dissemination
Record retention and destruction

Question 62

Which of the following is not an example of weaponization?

Answer 62

Connecting to a CnC server

Question 63

Which of the following has been used to evade IDS / IPS devices?

Answer 63

Fragmentation

Question 64

Which of the following is typically a responsibility of a PSIRT (Product SIRT)?

Answer 64

Disclosure of vulnerabilities in the organization’s products and services

Question 65

Which of the following is an example of a managed security offering where incident response experts monitor and respond to security alerts in a SOC?

Answer 65

Cisco’s Active Threat Analytics (ATA)

Question 66

Which of the following is one of the main goals of data normalization?

Answer 66

To purge redundant data while maintaining data integrity

Question 67

Which of the following can be identified by correlating DNS intelligence and other security events? (Choose two)

Answer 67

Communication to CnC servers

Malicious domain based on reputation

Question 68

Which of the following steps in the kill chain would come before the others?

Answer 68

Delivery

Question 69

Which of the following are core responsibilities of a national CSIRT and CERT?

Answer 69

Protect their citizens by providing security vulnerability info, security awareness training, best practices, and other info

Question 70

Which of the following is one of the main goals of the CSIRT?

Answer 70

Minimize and control the damage associated with incidents, provide guidance for mitigation and work to prevent future incidents

Question 71

Which of the following is not a metadata feature of the DIamond Model?

Answer 71

Devices

Question 72

Which of the following are the three metrics, or scores of the CVSS?

Answer 72

Base
Environmental
Temporal

Question 73

Which of the following are not components of the 5-tuple of a flow in NetFlow? (Choose two)

Answer 73

Flow record ID

Gateway

Question 74

Which of the following is an example of a coordination center?

Answer 74

CERT division of SEI

Question 75

Which of the following is the team that handles the investigation, resolution, and disclosure of security vulnerabilities in vendor products and services?

Answer 75

PSIRT

Question 76

Which of the following are the three broad categories of cybersecurity investigations?

Answer 76

Public, private and individual investigations

Question 77

In addition to cyber crime and attacks, evidence found on a system or network may be presented in a court of law to support accusations of crime or civil action, including which of the following?

Answer 77

Fraud, money laundering and theft
Drug-related crime
Murder and acts of violence
All of the above

Question 78

According to NIST what option is unnecessary for containment strategy?

Answer 78

The delayed containment

Monitoring with methods other than sandboxing

Question 79

At which stage attacking the vulnerability belongs in the Cyber Kill chain?

Answer 79

Exploitation

Question 80

Based on NIST SP800-61 r2 what are the recommended protections against malware?

Answer 80

Malware prevention software

Question 81

Choose the option that best describes NIST data integrity.

Answer 81

You must hash data & backup and compare hashes

Question 82

What is the process of remediation the system from attack so that responsible threat actor can be revealed?

Answer 82

Validating the attacking host’s IP address
Researching the attacking host through search engines
Using incident databases
Monitoring possible attacker communication channels.