(6) Sound the Alarm: Detection and Response Flashcards

1
Q

The first phase of the NIST Incident Response Lifecycle is Preparation. What are the other phases? Select three answers.

Detection and Analysis

Post-Incident Activity

Identify

Containment, Eradication, and Recovery

A

Detection and Analysis

Post-Incident Activity

Containment, Eradication, and Recovery

2
Q

What type of process is the NIST Incident Response Lifecycle?

Cyclical

Linear

Synchronous

Observable

A

Cyclical

3
Q

Fill in the blank: An _____ is an observable occurrence on a network, system, or device.

investigation

analysis

incident

event

A

event

4
Q

A security professional investigates an incident. Their goal is to gain information about the 5 W’s, which include what happened and why. What are the other W’s? Select three answers.

Where the incident took place

When the incident took place

Which type of incident it was

Who triggered the incident

A

Where the incident took place

When the incident took place

Who triggered the incident

5
Q

What are the goals of a computer security incident response team (CSIRT)? Select three answers.

To handle the public disclosure of an incident

To manage incidents

To prevent future incidents from occurring

To provide services and resources for response and recovery

A

To manage incidents

To prevent future incidents from occurring

To provide services and resources for response and recovery

6
Q

Which document outlines the procedures to follow after an organization experiences a ransomware attack?

A security policy

A network diagram

A contact list

An incident response plan

A

An incident response plan

7
Q

Fill in the blank: The job of _____ is to investigate alerts and determine whether an incident has occurred.

technical leads

public relations representative

incident coordinators

security analysts

A

security analysts

8
Q

Which member of a CSIRT is responsible for tracking and managing the activities of all teams involved in the response process?

Public relations representative

Incident coordinator

Security analyst

Technical lead

A

Incident coordinator

9
Q

What are some examples of types of documentation? Select three answers.

Alert notifications

Final reports

Policies

Playbooks

A

Final reports

Policies

Playbooks

10
Q

Fill in the blank: Ticketing systems such as _____ can be used to document and track incidents.

Excel

Jira

Evernote

Cameras

A

Jira

11
Q

What application monitors system activity, then produces alerts about possible intrusions?

Intrusion detection system

Playbook

Word processor

Product manual

A

Intrusion detection system

12
Q

What actions does an intrusion prevention system (IPS) perform? Select three answers.

Detect abnormal activity

Stop intrusive activity

Manage security incidents

Monitor activity

A

Detect abnormal activity

Stop intrusive activity

Monitor activity

13
Q

Which tool collects and analyzes log data to monitor critical activities in an organization?

Security information and event management (SIEM) tool

Intrusion prevention system (IPS) tool

Playbook

Intrusion detection system (IDS) tool

A

Security information and event management (SIEM) tool

14
Q

Fill in the blank: Security orchestration, automation, and response (SOAR) is a collection of applications, tools, and workflows that uses automation to _____ security events.

respond to

interact with

collect

remediate

A

respond to

15
Q

Which step in the SIEM process transforms raw data to create consistent log records?

Normalize data

Collect and aggregate data

Analyze data

Centralize data

A

Normalize data

16
Q

What is the process of gathering data from different sources and putting it in one centralized place?

Aggregation

Notification

Analysis

Normalization

A

Aggregation

17
Q

Which of the following is an example of a security incident?

An unauthorized user successfully changes the password of an account that does not belong to them.

A user installs a device on their computer that is allowed by an organization’s policy.

An authorized user successfully logs in to an account using their credentials and multi-factor authentication.

A software bug causes an application to crash.

A

An unauthorized user successfully changes the password of an account that does not belong to them.

18
Q

What process is used to provide a blueprint for effective incident response?

The NIST Incident Response Lifecycle

The incident handler’s journal

The 5 W’s of an incident

The NIST Cybersecurity Framework

A

The NIST Incident Response Lifecycle

19
Q

Which step does the NIST Incident Response Lifecycle begin with?

Preparation

Containment, Eradication and Recovery

Post-Incident Activity

Detection and Analysis

A

Preparation

20
Q

What is a computer security incident response team (CSIRT)?

A specialized group of security professionals who focus on incident prevention

A specialized group of security professionals who are trained in incident management and response

A specialized group of security professionals who are solely dedicated to crisis management

A specialized group of security professionals who work in isolation from other departments

A

A specialized group of security professionals who are trained in incident management and response

21
Q

Fill in the blank: Incident response plans outline the _____ to take in each step of incident response.

instructions

exercises

policies

procedures

A

procedures

22
Q

Which of the following best describes how security analysts use security tools?

They only use documentation tools for incident response tasks.

They only use detection and management tools during incident investigations.

They only use a single tool to monitor, detect, and analyze events.

They use a combination of different tools for various tasks.

A

They use a combination of different tools for various tasks.

23
Q

Which statement most accurately describes documentation?

It is a standardized format used to record information across all industries.

It can be audio, video, or written instructions used for a specific purpose.

It serves as legal documentation and evidence in official settings.

It is always digital and stored in a centralized database.

A

It can be audio, video, or written instructions used for a specific purpose.

24
Q

Fill in the blank: An intrusion detection system (IDS) _____ system activity and alerts on possible intrusions.

protects

manages

analyzes

monitors

A

monitors

25
Q

What is the difference between a security information and event management (SIEM) tool and a security orchestration, automation, and response (SOAR) tool?

SIEM tools use automation to respond to security incidents. SOAR tools collect and analyze log data, which are then reviewed by security analysts.

SIEM tools are used for case management while SOAR tools collect, analyze, and report on log data.

SIEM tools collect and analyze log data, which are then reviewed by security analysts. SOAR tools use automation to respond to security incidents.

SIEM tools and SOAR tools have the same capabilities.

A

SIEM tools collect and analyze log data, which are then reviewed by security analysts. SOAR tools use automation to respond to security incidents.

26
Q

What happens during the data collection and aggregation step of the SIEM process? Select two answers.

Data is cleaned and transformed.

Data is centralized in one place.

Data is analyzed according to rules.

Data is collected from different sources.

A

Data is centralized in one place.

Data is collected from different sources.

27
Q

Which core functions of the NIST Cybersecurity Framework relate to the NIST Incident Response Lifecycle? Select two answers.

Discover

Investigate

Respond

Detect

A

Respond

Detect

28
Q

What are some roles included in a computer security incident response team (CSIRT)? Select three answers.

Technical lead

Security analyst

Incident coordinator

Incident manager

A

Technical lead

Security analyst

Incident coordinator

29
Q

What is an incident response plan?

A document that outlines a security team’s contact information

A document that details system information

A document that contains policies, standards, and procedures

A document that outlines the procedures to take in each step of incident response

A

A document that outlines the procedures to take in each step of incident response

30
Q

What are investigative tools used for?

Analyzing events

Managing alerts

Documenting incidents

Monitoring activity

A

Analyzing events

31
Q

Which of the following methods can a security analyst use to create effective documentation? Select two answers.

Write documentation using technical language.

Provide clear and concise explanations of concepts and processes.

Provide documentation in a paper-based format.

Write documentation in a way that reduces confusion.

A

Provide clear and concise explanations of concepts and processes.

Write documentation in a way that reduces confusion.

32
Q

What is the difference between an intrusion detection system (IDS) and an intrusion prevention system (IPS)?

An IDS stops intrusive activity whereas an IPS monitors system activity and alerts on intrusive activity.

An IDS monitors system activity and alerts on intrusive activity whereas an IPS stops intrusive activity.

An IDS and an IPS both have the same capabilities.

An IDS automates response and an IPS generates alerts.

A

An IDS monitors system activity and alerts on intrusive activity whereas an IPS stops intrusive activity.

33
Q

How do indicators of compromise (IoCs) help security analysts detect network traffic abnormalities?

They capture network activity.

They confirm that a security incident happened.

They provide a way to identify an attack.

They define the attacker’s intentions.

A

They provide a way to identify an attack.

IoCs help security analysts detect network traffic abnormalities by providing a way to identify an attack. IoCs provide analysts with specific evidence associated with an attack, such as a known malicious IP address, which can help quickly identify and respond to a potential security incident.

34
Q

Fill in the blank: Data _____ is the term for unauthorized transmission of data from a system.

infiltration

exfiltration

pivoting

network traffic

A

exfiltration

35
Q

An attacker has infiltrated a network. Next, they spend time exploring it in order to expand and maintain their access. They look for valuable assets such as proprietary code and financial records. What does this scenario describe?

Lateral movement

Network data

Large internal file transfer

Phishing

A

Lateral movement

This scenario describes lateral movement. Lateral movement, also called pivoting, describes an attacker exploring a network with the goal of expanding and maintaining their access.

36
Q

What can security professionals use network traffic analysis for? Select three answers.

To monitor network activity

To understand network traffic patterns

To secure critical assets

To identify malicious activity

A

To monitor network activity

To understand network traffic patterns

To identify malicious activity

Network traffic analysis provides security professionals with a way to monitor network activity, identify malicious activity, and understand network traffic patterns.

37
Q

Which component of a packet contains the actual data that is intended to be sent to its destination?

Protocol

Footer

Header

Payload

A

Payload

38
Q

Fill in the blank: A _____ is a file that contains data packets that have been intercepted from an interface or a network.

network protocol analyzer

protocol

packet capture

network statistic

A

packet capture

39
Q

Which field of an IP header is used to identify whether IPv4 or IPv6 is used?

Options

Type of Service

Version

Flags

A

Version

40
Q

Which network protocol analyzer is accessed through a graphical user interface?

Wireshark

TShark

Libpcap

tcpdump

A

Wireshark

41
Q

Which tcpdump option is used to specify the network interface?

-c

-n

-i

-v

A

-i

42
Q

What is needed to access the tcpdump network protocol analyzer?

Output

Graphical user interface

Packet capture

Command-line interface

A

Command-line interface

43
Q

What is the first field found in the output of a tcpdump command?

Source IP

Protocol

Timestamp

Version

A

Timestamp

44
Q

You are using tcpdump to capture network traffic on your local computer. You would like to save the network traffic to a packet capture file for later analysis. Which tcpdump option should you use?

-v

-w

-r

-c

A

-w

45
Q

Fill in the blank: _____ describes the amount of data that moves across a network.

Network data

Data exfiltration

Network traffic

Traffic flow

A

Network traffic

46
Q

Which of the following behaviors may suggest an ongoing data exfiltration attack? Select two answers.

Multiple successful multi-factor authentication logins

Network performance issues

Outbound network traffic to an unauthorized file hosting service

Unexpected modifications to files containing sensitive data

A

Outbound network traffic to an unauthorized file hosting service

Unexpected modifications to files containing sensitive data

47
Q

What information do packet headers contain? Select three answers.

Ports

Payload data

Protocols

IP addresses

A

Ports

Protocols

IP addresses

48
Q

Do packet capture files provide detailed snapshots of network communications?

Yes. Packet capture files provide information about network data packets that were intercepted from a network interface.

No. Packet capture files do not contain detailed information about network data packets.

Maybe. The amount of detailed information packet captures contain depends on the type of network interface that is used.

A

Yes. Packet capture files provide information about network data packets that were intercepted from a network interface.

49
Q

Fill in the blank: tcpdump is a network protocol analyzer that uses a(n) _____ interface.

internet

Linux

graphical user

command-line

A

command-line

50
Q

Which protocol version is considered the foundation for all internet communications?

HTTP

IPv4

UDP

ICMP

A

IPv4

51
Q

What is used to determine whether errors have occurred in the IPv4 header?

Protocol

Flags

Checksum

Header

A

Checksum

52
Q

Which IPv4 field uses a value to represent a standard, like TCP?

Version

Total Length

Protocol

Type of Service

A

Protocol

53
Q

Which tcpdump option applies verbosity?

-i

-n

-c

-v

A

-v

54
Q

Examine the following tcpdump output:

22:00:19.538395 IP (tos 0x10, ttl 64, id 33842, offset 0, flags [P], proto TCP (6), length 196) 198.168.105.1.41012 > 198.111.123.1.61012: Flags [P.], cksum 0x50af (correct), seq 169, ack 187, win 501, length 42

What is the value of the Type of Service field?

0x50af

0x10

501

6

A

0x10

55
Q

Do detection tools have limitations in their detection capabilities?

Yes

No

A

Yes

Detection tools have limitations in their detection capabilities. Detection tools are an important part of incident detection and response, but they cannot detect everything. Additional methods of detection can be used to improve coverage and accuracy.

56
Q

Why do security analysts refine alert rules? Select two answers.

To reduce false positive alerts

To increase alert volumes

To improve the accuracy of detection technologies

To create threat intelligence

A

To reduce false positive alerts

To improve the accuracy of detection technologies

57
Q

Fill in the blank: _____ involves the investigation and validation of alerts.

Threat hunting

Analysis

Honeypot

Detection

A

Analysis

58
Q

What are some causes of high alert volumes? Select two answers.

Broad detection rules

Refined detection rules

Sophisticated evasion techniques

Misconfigured alert settings

A

Broad detection rules

Misconfigured alert settings

59
Q

A security analyst in a security operations center (SOC) receives an alert. The alert ticket describes the detection of the download of a possible malware file on an employee’s computer. Which step of the triage process does this scenario describe?

Receive and assess

Assign priority

Add context

Collect and analyze

A

Receive and assess

This scenario describes receive and assess, the first step of the triage process. In this step, the security analyst receives an alert and determines whether the alert is valid.

60
Q

What is triage?

The process of returning affected systems back to normal operations

A document that outlines the procedures to sustain business operations during and after a significant disruption

The prioritizing of incidents according to their level of importance or urgency

The ability to prepare for, respond to, and recover from disruptions

A

The prioritizing of incidents according to their level of importance or urgency

61
Q

Fill in the blank: _____ is the act of limiting and preventing additional damage caused by an incident.

Resilience

Eradication

Containment

Recovery

A

Containment

62
Q

Which examples describe actions related to the eradication of an incident? Select two answers.

Develop a business continuity plan

Investigate logs to verify the incident

Complete a vulnerability scan

Apply a patch

A

Complete a vulnerability scan

Apply a patch

63
Q

Which section of a final report contains a high-level overview of the security incident?

Timeline

Executive summary

Recommendations

Agenda

A

Executive summary

64
Q

What are the goals of a lessons learned meeting? Select two answers.

Review and reflect on a security incident

Identify areas of improvement

Identify an employee to blame

Develop a final report

A

Review and reflect on a security incident

Identify areas of improvement

65
Q

Fill in the blank: In the NIST Incident Response Lifecycle, reviewing an incident to identify areas for improvement during incident handling is known as the _____.

Preparation phase

Post-incident activity phase

Detection and Analysis phase

Containment, Eradication and Recovery phase

A

Post-incident activity phase

66
Q

An organization has recovered from a ransomware attack that resulted in a significant disruption to their business operations. To review the incident, the security team hosts a lessons learned meeting. The team realizes that they could have restored the affected systems more quickly if they had a backup and recovery plan in place. Which question would have most likely helped the security team come to this conclusion?

Who discovered the incident?

What could have been done differently?

When did the incident happen?

How was the incident detected?

A

What could have been done differently?

By asking what could have been done differently, the security team can identify areas of weakness in their incident response process, such as the lack of a backup and recovery plan.

67
Q

Which step of the NIST Incident Response Lifecycle involves the investigation and validation of alerts?

Detection

Discovery

Analysis

Recovery

A

Analysis

68
Q

What are the benefits of documentation during incident response? Select three answers.

Clarity

Transparency

Quality

Standardization

A

Clarity

Transparency

Standardization

69
Q

After a ransomware incident, an organization discovers their ransomware playbook needs improvements. A security analyst is tasked with changing the playbook documentation. Which documentation best practice does this scenario highlight?

Update regularly

Be accurate

Be concise

Know your audience

A

Update regularly

70
Q

Chain of custody documents establish proof of which of the following? Select two answers.

Integrity

Validation

Reliability

Quality

A

Integrity

Reliability

71
Q

An analyst is responding to a distributed denial of service attack (DDoS). They take several manual steps outlined in the organization’s DDoS playbook. Which type of playbook did they use to respond to the incident?

SOAR

Automated

Semi-automated

Non-automated

A

Non-automated

72
Q

A security analyst gets an alert involving a phishing attempt. Which step of the triage process does this scenario outline?

Receive and assess

Add context

Assign priority

Collect and analyze

A

Receive and assess

73
Q

Fill in the blank: Containment is the act of limiting and _____ additional damage caused by an incident.

detecting

removing

eradicating

preventing

A

preventing

74
Q

Which of the following is an example of a recovery task?

Monitoring a network for intrusions

Applying a patch to address a server vulnerability

Disconnecting an infected system from the network

Reinstalling the operating system of a computer infected by malware

A

Reinstalling the operating system of a computer infected by malware

75
Q

Fill in the blank: A lessons learned meeting should be held within ____ weeks of an incident.

two

three

four

five

A

two

76
Q

What does a final report contain? Select three.

Updates

Incident details

Recommendations

Timeline

A

Incident details

Recommendations

Timeline

77
Q

What is the primary purpose of logs during incident investigation?

To provide a record of event details

To improve user experience

To manage alert volumes

To identify and diagnose system issues

A

To provide a record of event details

78
Q

A security analyst wants to determine whether a suspicious login was successful. Which log type would be most useful for this purpose?

System

Firewall

Authentication

Network

A

Authentication

An authentication log would be most useful for this purpose. Authentication logs record login attempts, including whether a login was successful.

79
Q

In the following log, what action does the log entry record?

[ALLOW: wikipedia.org] Source: 192.167.1.1 Friday, 10 June 2022 11:36:12

192.167.1.1

Friday, 10 June 2022 11:36:12

ALLOW

Source

A

ALLOW

ALLOW refers to the action that has been recorded. In this instance, it allows access to wikipedia.org.

80
Q

Fill in the blank: _____ is the process of examining logs to identify events of interest.

Log file

Logging

Log analysis

Log forwarder

A

Log analysis

81
Q

Examine the following authentication log:

[2022/12/20 08:20:38.921286] User nuhara logged in successfully

What type of information does this log contain? Select two answers.

Event description

Syslog

Timestamp

Message ID

A

Event description

Timestamp

82
Q

Which of the following capabilities can syslog be used for? Select three answers.

Log format

Service

Extension

Protocol

A

Log format

Service

Protocol

83
Q

What are examples of log formats? Select three answers.

Common Event Format (CEF)

Gramm-Leach-Bliley Act (GLBA)

eXtensible Markup Language (XML)

JavaScript Object Notation (JSON)

A

Common Event Format (CEF)

eXtensible Markup Language (XML)

JavaScript Object Notation (JSON)

84
Q

Which log format uses tags to structure data?

Syslog

Verbose

eXtensible Markup Language (XML)

Comma Separated Values (CSV)

A

eXtensible Markup Language (XML)

85
Q

A security analyst uses a network protocol analyzer to capture HTTP traffic to analyze patterns. What type of data are they using?

False positive

Signature-based

Host-based

Network telemetry

A

Network telemetry

They are using network telemetry data. Network telemetry refers to the collection and transmission of network data for analysis, such as HTTP traffic.

86
Q

Which statement accurately describes the difference between a network-based intrusion detection system (NIDS) and a host-based intrusion detection system (HIDS)?

A NIDS only detects known threats; a HIDS detects unknown threats.

A NIDS uses signature analysis to detect threats; a HIDS uses agents.

A NIDS is installed on a network; a HIDS is installed on individual devices.

A NIDS is installed on individual devices; a HIDS is installed on a network.

A

A NIDS is installed on a network; a HIDS is installed on individual devices.

87
Q

Fill in the blank: The _____ component of an IDS signature includes network traffic information.

rule options

header

signature ID

action

A

header

88
Q

A security analyst creates a Suricata signature to identify and detect security threats based on the direction of network traffic. Which of the following rule options should they use?

Message

Rev

Content

Flow

A

Flow

They should use flow. The flow option matches the direction of network traffic flow.

89
Q

In Search Processing Language (SPL), which special character is a wildcard that can be used to substitute with any other character?

!=

|

=

*

A

*

90
Q

Which of the following steps are part of the security information and event management (SIEM) process? Select three answers.

Monitor activity and alerts related to intrusions

Normalize data so it is ready to read and analyze

Collect and process data

Index data to improve search performance

A

Normalize data so it is ready to read and analyze

Collect and process data

Index data to improve search performance

91
Q

Fill in the blank: Chronicle uses _____ to search through unstructured logs.

raw log search

metadata

entity search

unified data model

A

raw log search

92
Q

Which of the following is Splunk’s query language?

SPL

SQL

UDM

IDS

A

SPL

93
Q

Which software collects and sends logs to a security information and event management (SIEM) tool?

Forwarder

Intrusion detection system (IDS)

Firewall

Network protocol analyzer

A

Forwarder

94
Q

Examine the following log:

LoginEvent[2021/10/13 10:32:08.958711] auth_session_authenticator.cc:304 Regular user login 1

Which type of log is this?

Network

Location

Application

Authentication

A

Authentication

95
Q

Fill in the blank: A syslog entry contains a header, _____, and a message.

eXtensible Markup Language

tag

object

structured-data

A

structured-data

96
Q

Consider the following scenario:

A security analyst at a midsized company is tasked with installing and configuring a host-based intrusion detection system (HIDS) on a laptop. The security analyst installs the HIDS and wants to test whether it is working properly by simulating malicious activity. The security analyst runs unauthorized programs on the laptop, which the HIDS successfully detects and alerts on.

What is the laptop an example of?

An agent

A signature

An endpoint

A log forwarder

A

An endpoint

97
Q

What information is included in a signature’s header? Select all that apply.

IP address

Action

Port number

Protocol

A

IP address

Port number

Protocol

98
Q

Examine this Suricata signature:

alert http 167.215.72.95 any -> 156.150.71.141 80 (msg:"GET on wire"; flow:established,to_server; content:"GET"; sid:12345; rev:2;)

What is the destination port?

2

12345

80

141

A

80

99
Q

Fill in the blank: Suricata uses the _____ format for event and alert output.

CEF

HTTP

HTML

EVE JSON

A

EVE JSON

100
Q

Which querying language does Splunk use?

Search Processing Language

Structured Querying Language

SIEM Processing Language

Structured Processing Language

A

Search Processing Language

101
Q

Which Unified Data Model (UDM) field search specifies a security action?

security_result.action

metadata.event_type

action

block

A

security_result.action

102
Q

What are the steps in the SIEM process for data collection? Select three answers.

Collect

Index

Unify

Normalize

A

Collect

Index

Normalize