CERTIFICATION CYBEROPS EXAM PRACTICE/REVISION Flashcards

1
Q

Match the definition to the Microsoft Windows term. (Not all options are used.)

A

HANDLE – Provides access needed by the user space process.

REGISTRY – Database of hardware, software, users and settings.

THREAD – BLANK

WMI – Manages remote computers

2
Q

CASE 2 Match the definition to the Microsoft Windows term. (Not all options are used.)

A

PROCESS – Currently executing program

REGISTRY – BLANK

SERVICE – Runs in the background to support the operating system and applications

THREAD – Instructions executed by the processor

3
Q

What are two motivating factors for nation-state sponsored threat actors? (Choose two.)

A

Industrial espionage

AND

Disruption of trade or infrastructure

Explanation: Nation-state threat actors are not typically interested in or motivated by financial gain. They are primarily involved in corporate espionage or in disrupting international trade or critical infrastructure.

4
Q

Match the description to the Linux term. (Not all options are used.)

A

FORK – Creates a copy of a process due to multi-tasking

HANDLE – BLANK

PERMISSIONS – Determines user rights to a file

PROCESS – A running instance of a computer program.

5
Q

Match the antimalware approach to the description.

A

Recognises characteristics of known malware files – signature-based

Recognises general features shared by types of malware – heuristics-based

Recognises malware through types of suspicious actions – behaviour-based

6
Q

Which type of data is used by Cisco Cognitive Intelligence to find malicious activity that has bypassed security controls, or entered through unmonitored channels, and is operating inside an enterprise network?

A

Statistical

Explanation: Cisco Cognitive Intelligence utilizes statistical data for statistical analysis in order to find malicious activity that has bypassed security controls, or entered through unmonitored channels (including removable media), and is operating inside the network of an organization.

7
Q

Which type of evasion technique splits malicious payloads into smaller packets in order to bypass security sensors that do not reassemble the payloads before scanning them?

A

Traffic fragmentation

Explanation: In order to keep the malicious payload from being recognized by security sensors, such as an IPS or IDS, perpetrators fragment the data into smaller packets. These fragments can be passed by sensors that do not reassemble the data before scanning.

8
Q

Which type of cyber attack is a form of MiTM in which the perpetrator copies IP packets off the network without modifying them?

A

Eavesdropping

Explanation: An eavesdropping attack is a form of man-in-the-middle in which the perpetrator just reads or copies IP packets off the network but does not alter them.

9
Q

Which is an example of social engineering?

A

An unidentified person claiming to be a technician collecting user information from employees.

Explanation: A social engineer attempts to gain the confidence of an employee and convince that person to divulge confidential and sensitive information, such as usernames and passwords. DDoS attacks, pop-ups, and viruses are all examples of software based security threats, not social engineering.

10
Q

Which component is a pillar of the zero trust security approach that focuses on the secure access of devices, such as servers, printers, and other endpoints, including devices attached to IoT?

A

Workplace.

Explanation: The workplace pillar focuses on secure access for any and all devices, including devices on the internet of things (IoT), which connect to enterprise networks, such as user endpoints, physical and virtual servers, printers, cameras, HVAC systems, kiosks, infusion pumps, industrial control systems, and more.

11
Q

A security analyst is reviewing information contained in a Wireshark capture created during an attempted intrusion. The analyst wants to correlate the Wireshark information with the log files from two servers that may have been compromised. What type of information can be used to correlate the events found in these multiple data sets?

A

IP five-tuples.

Explanation: The source and destination IP address, ports, and protocol (the IP five-tuples) can be used to correlate different data sets when analyzing an intrusion.

12
Q

A security analyst is investigating a cyber attack that began by compromising one file system through a vulnerability in a custom software application. The attack now appears to be affecting additional file systems under the control of another security authority. Which CVSS v3.0 base exploitability metric score is increased by this attack characteristic?

A

Scope.

Explanation: The scope metric is impacted by an exploited vulnerability that can affect resources beyond the authorized privileges of the vulnerable component or that are managed by a different security authority.

13
Q

Which regular expression would match any string that contains 4 consecutive zeros?

A

0{4}

Explanation: The regular expression 0{4} matches any string that contains 4 repetitions of zero or 4 consecutive zeros.

14
Q

Refer to the exhibit. https://snipboard.io/VOiGWc.jpg Which technology generated the event log?

A

Netflow.

Explanation: The source of the output is Netflow.

15
Q

Refer to the exhibit. https://snipboard.io/1W3ukp.jpg A security specialist is using Wireshark to review a PCAP file generated by tcpdump. When the client initiated a file download request, which source socket pair was used?

A

209.165.200.235:48598

Explanation: The combination of the source IP address and source port number, or the destination IP address and destination port number, is known as a socket. A socket is shown as the IP address and associated port number with a colon in between the two (IP_address:port_number).

16
Q

Match the security service with the description.

A

Allows administrators to manage network devices – (Simple Network Management Protocol) SNMP

A series of commands that control whether a device forwards or drops packets – (Access-control list) ACL

Allows a switch to make duplicate copies of traffic that is sent to a traffic analyzer – PORT MONITORING

Provides statistics on packets flowing through a Cisco router or multi-layer switch – NETFLOW

17
Q

Using Tcpdump and Wireshark, a security analyst extracts a downloaded file from a pcap file. The analyst suspects that the file is a virus and wants to know the file type for further examination. Which Linux command can be used to determine the file type?

A

File

Explanation: The Linux file command can be used to determine a file type, such as whether it is executable, ASCII text, or zip.

18
Q

Match the IPS alarm with the description.

A

Normal traffic is correctly not identified as a threat – TRUE NEGATIVE

Malicious Traffic is correctly identified as a threat – TRUE POSITIVE

Malicious traffic is not correctly identified as a threat – FALSE NEGATIVE

Normal traffic is incorrectly identified as a threat – FALSE POSITIVE

19
Q

What is a feature of an IPS?

A

It can stop malicious packets.

Explanation: An advantage of an intrusion prevention system (IPS) is that it can identify and stop malicious packets. However, because an IPS is deployed inline, it can add latency to the network.

20
Q

Which three fields are found in both the TCP and UDP headers? (Choose three.)

A
    • Checksum
    • Destination port
    • Source port

Explanation: The UDP header has four fields. Three of these fields are in common with the TCP header. These three fields are the source port, destination port, and checksum.

21
Q

What will match the regular expression ^83?

A

any string that begins with 83

22
Q

What is a key difference between the data captured by NetFlow and data captured by Wireshark?

A

NetFlow collects metadata from a network flow whereas Wireshark captures full data packets.

NETFLOW - NETWORK FLOW METADATA
WIRESHARK - FULL DATA PACKETS

Explanation: Wireshark captures the entire contents of a packet. NetFlow does not. Instead, NetFlow collects metadata, or data about the flow.

23
Q

Which three IPv4 header fields have no equivalent in an IPv6 header? (Choose three.)

A
    • Flag
    • Identification
    • Fragment offset

Explanation: Unlike IPv4, IPv6 routers do not perform fragmentation. Therefore, all three fields supporting fragmentation in the IPv4 header are removed and have no equivalent in the IPv6 header. These three fields are fragment offset, flag, and identification. IPv6 does support host packet fragmentation through the use of extension headers, which are not part of the IPv6 header.

24
Q

What classification is used for an alert that correctly identifies that an exploit has occurred?

A

True positive

Explanation: A true positive occurs when an IDS and IPS signature is correctly fired and an alarm is generated when offending traffic is detected.

25
Q

Match the NIST incident response life cycle phase with the description.

A

Identify, analyze, and validate incidents – DETECTION AND ANALYSIS

Conduct training on incident response – PREPARATION

Document how incidents are handled – POST INCIDENT ACTIVITIES

Implement procedures to eradicate the impact to organisational assets – CONTAINMENT, ERADICATION, AND RECOVERY

26
Q

Place the seven steps defined in the Cyber Kill Chain in the correct order.

A

1) RECONNAISSANCE
2) WEAPONIZATION
3) DELIVERY
4) EXPLOITATION
5) INSTALLATION
6) COMMAND AND CONTROL
7) ACTION ON OBJECTIVES

27
Q

During the detection and analysis phase of the NIST incident response process life cycle, which sign category is used to describe that an incident might occur in the future?

A

Precursor

Explanation: There are two categories for the signs of an incident:
Precursor – a sign that an incident might occur in the future.
Indicator – a sign that an incident might already have occurred or is currently occurring.

28
Q

According to the Cyber Kill Chain model, after a weapon is delivered to a targeted system, what is the next step that a threat actor would take?

A

Exploitation

Explanation: The Cyber Kill Chain specifies seven steps (or phases) and sequences that a threat actor must complete to accomplish an attack:

Reconnaissance – The threat actor performs research, gathers intelligence, and selects targets.
Weaponization – The threat actor uses the information from the reconnaissance phase to develop a weapon against specific targeted systems.
Delivery – The weapon is transmitted to the target using a delivery vector.
Exploitation – The threat actor uses the weapon delivered to break the vulnerability and gain control of the target.
Installation – The threat actor establishes a back door into the system to allow for continued access to the target.
Command and Control (CnC) – The threat actor establishes command and control (CnC) with the target system.
Action on Objectives – The threat actor is able to take action on the target system, thus achieving the original objective.
29
Q

A company is applying the NIST.SP800-61 r2 incident handling process to security events. What are two examples of incidents that are in the category of precursor? (Choose two.)

A

Log entries that show a response to a port scan

AND

A newly-discovered vulnerability in Apache web servers

Explanation: As an incident category, the precursor is a sign that an incident might occur in the future. Examples of precursors are log entries that show a response to a port scan or a newly-discovered vulnerability in web servers using Apache.

30
Q

A network administrator is creating a network profile to generate a network baseline. What is included in the critical asset address space element?

A

The IP addresses or the logical location of essential systems or data.

Explanation: A network profile should include some important elements, such as the following:
Total throughput – the amount of data passing from a given source to a given destination in a given period of time
Session duration – the time between the establishment of a data flow and its termination
Ports used – a list of TCP or UDP processes that are available to accept data
Critical asset address space – the IP addresses or the logical location of essential systems or data

31
Q

Which NIST-defined incident response stakeholder is responsible for coordinating incident response with other stakeholders and minimizing the damage of an incident?

A

Management

Explanation: The management team creates the policies, designs the budget, and is in charge of staffing all departments. Management is also responsible for coordinating the incident response with other stakeholders and minimizing the damage of an incident.

32
Q

What is defined in the policy element of the NIST incident response plan?

A

How to handle incidents based on the mission and functions of an organization.

Explanation: The policy element of the NIST incident response plan details how incidents should be handled based on the mission and function of the organization.

33
Q

What is the responsibility of the human resources department when handling a security incident as defined by NIST?

A

Perform disciplinary actions if an incident is caused by an employee.

Explanation: The human resources department may be called upon to perform disciplinary measures if an incident is caused by an employee.

34
Q

What is the benefit of a defense-in-depth approach?

A

The effectiveness of other security measures is not impacted when a security mechanism fails.

Explanation: The benefit of the defense-in-depth approach is that network defenses are implemented in layers so that the failure of any single security mechanism does not impact other security measures.

35
Q

Which type of analysis relies on predefined conditions and can analyze applications that only use well-known fixed ports?

A

Deterministic.

Explanation: Deterministic analysis uses predefined conditions to analyze applications that conform to specification standards, such as performing a port-based analysis.

36
Q

Which type of analysis relies on different methods to establish the likelihood that a security event has happened or will happen?

A

Probabilistic

Explanation: Probabilistic methods use powerful tools to create a probabilistic answer as a result of analyzing applications.

37
Q

Which access control model allows users to control access to data as an owner of that data?

A

Discretionary access control

Explanation: In the discretionary access control (DAC) model, users can control access to data as owners of the data.

38
Q

What are the three impact metrics contained in the CVSS 3.0 Base Metric Group? (Choose three.)

A

Confidentiality
Integrity
Availability

Explanation: The Common Vulnerability Scoring System (CVSS) is a vendor-neutral, industry standard, open framework for weighing the risks of a vulnerability using a variety of metrics. CVSS uses three groups of metrics to assess vulnerability, the Base Metric Group, Temporal Metric Group, and Environmental Metric Group. The Base Metric Group has two classes of metrics (exploitability and impact). The impact metrics are rooted in the following areas: confidentiality, integrity, and availability.

39
Q

Which access control model applies the strictest access control and is often used in military and mission critical applications?

A

Mandatory

Explanation: Military and mission critical applications typically use mandatory access control which applies the strictest access control to protect network resources.

40
Q

Match the security concept to the description.

A

The LIKELIHOOD of undesirable consequences – RISK

A MECHANISM used to compromise an asset – EXPLOIT

A WEAKNESS in a system – VULNERABILITY

A potential DANGER to an asset – THREAT

41
Q

What is the principle behind the nondiscretionary access control model?

A

It allows access decisions to be based on roles and responsibilities of a user within the organization.

Explanation: The nondiscretionary access control model uses the roles and responsibilities of the user as the basis for access decisions.

42
Q

Match the information security component with the description.

A

Only authorized individuals, entities, or processes can access sensitive information – CONFIDENTIALITY

Data is protected from unauthorised alteration – INTEGRITY

Authorised users must have uninterrupted access to important resources and data – AVAILABILITY

43
Q

Which attack is integrated with the lowest levels of the operating system of a host and attempts to completely hide the activities of the threat actor on the local system?

A

Rootkit

Explanation: A rootkit is a complex attack tool and it integrates with the lowest levels of the operating system. The goal of the rootkit is to completely hide the activities of the threat actor on the local system.

44
Q

Which tool captures full data packets with a command-line interface only?

A

tcpdump

Explanation: The command-line tool tcpdump is a packet analyzer. Wireshark is a packet analyzer with a GUI interface.

45
Q

To which category of security attacks does man-in-the-middle belong?

A

Access

Explanation: With a man-in-the-middle attack, a threat actor is positioned in between two legitimate entities in order to read, modify, or redirect the data that passes between the two parties.

46
Q

What is an example of a local exploit?

A

A threat actor tries to gain the user password of a remote host by using a keyboard capture software installed on it by a Trojan.

Explanation: Vulnerability exploits may be remote or local. In a local exploit, the threat actor has some type of user access to the end system, either physically or through remote access. The exploitation activity is within the local network.

47
Q

Which Cisco appliance can be used to filter network traffic contents to report and deny traffic based on the web server reputation?

A

WSA

Explanation: The Cisco Web Security Appliance (WSA) acts as a web proxy for an enterprise network. WSA can provide many types of logs related to web traffic security including ACL decision logs, malware scan logs, and web reputation filtering logs. The Cisco Email Security Appliance (ESA) is a tool to monitor most aspects of email delivery, system functioning, antivirus, antispam operations, and blacklist and whitelist decisions. The Cisco ASA is a firewall appliance. The Cisco Application Visibility and Control (AVC) system combines multiple technologies to recognize, analyze, and control over 1000 applications.

48
Q

Which evasion method describes the situation that after gaining access to the administrator password on a compromised host, a threat actor is attempting to login to another host using the same credentials?

A

Pivoting

Explanation: Pivoting is an evasion method that assumes the threat actor has compromised an inside host and the actor wants to expand the access further into the compromised network.

49
Q

What are two examples of DoS attacks? (Choose two.)

A

Ping of death

AND

Buffer overflow

Explanation: The buffer overflow and ping of death DoS attacks exploit system memory-related flaws on a server by sending an unexpected amount of data or malformed data to the server.

50
Q

Which type of attack is carried out by threat actors against a network to determine which IP addresses, protocols, and ports are allowed by ACLs?

A

Reconnaissance

Explanation: Packet filtering ACLs use rules to filter incoming and outgoing traffic. These rules are defined by specifying IP addresses, port numbers, and protocols to be matched. Threat actors can use a reconnaissance attack involving port scanning or penetration testing to determine which IP addresses, protocols, and ports are allowed by ACLs.

51
Q

Refer to the exhibit. https://snipboard.io/ApSf5q.jpg A security analyst is reviewing an alert message generated by Snort. What does the number 2100498 in the message indicate?

A

The Snort rule that is triggered

Explanation: The sid field in a Snort alert message indicates the Snort security rule that is triggered.

52
Q

Which two attacks target web servers through exploiting possible vulnerabilities of input functions used by an application? (Choose two.)

A

SQL injection

AND

cross-site scripting

Explanation: When a web application uses input fields to collect data from clients, threat actors may exploit possible vulnerabilities for entering malicious commands. The malicious commands that are executed through the web application might affect the OS on the web server. SQL injection and cross-site scripting are two different types of command injection attacks.

53
Q

Which security function is provided by encryption algorithms?

A

Confidentiality

Explanation: Encryption algorithms are used to provide data confidentiality, which ensures that if data is intercepted in transit, it cannot be read.

54
Q

Match the Windows term to the description.

A

NTFS-generated timestamps for file activity – MACE

A legacy file system – FAT32

Most common file system – NTFS

Upgraded firmware that stores boot code in the firmware – EFI

A method of adding information to an NTFS-based file – ALTERNATE DATA STREAMS

55
Q

Which security endpoint setting would be used by a security analyst to determine if a computer has been configured to prevent a particular application from running?

A

Blacklisting

Explanation: Blacklisting can be used on a local system or updated on security devices such as a firewall. Blacklists can be manually entered or obtained from a centralized security system. Blacklists are applications that are prevented from executing because they pose a security risk to the individual system and potentially the company.

56
Q

Refer to the exhibit. https://snipboard.io/axSwu0.jpg Which technology would contain information similar to the data shown for infrastructure devices within a company?

A

Syslog server

Explanation: A syslog server consolidates and maintains messages from infrastructure devices that have been configured to send logging information. Data from the syslog server can be analyzed to detect anomalies.

57
Q

At the request of investors, a company is proceeding with cyber attribution with a particular attack that was conducted from an external source. Which security term is used to describe the person or device responsible for the attack?

A

Threat actor

Explanation: Some people may use the common word “hacker” to describe a threat actor. A threat actor is an entity that is involved with an incident that impacts or has the potential to impact an organization in such a way that it is considered a security risk or threat.

58
Q

Which Windows application is commonly used by a cybersecurity analyst to view Microsoft IIS access logs?

A

Event Viewer

Explanation: Event Viewer is an application on a Windows-based device used to view event logs including IIS access logs.

59
Q

Which two algorithms use a hashing function to ensure message integrity? (Choose two.)

A

– MD5

– SHA

Explanation: Hashing algorithms are used to provide data integrity, which ensures that the data has not changed during transmission. MD5 and SHA are commonly used hashing algorithms.

60
Q

Which type of evidence cannot prove an IT security fact on its own?

A

Indirect

Explanation: Indirect evidence cannot prove a fact on its own, but direct evidence can. Corroborative evidence is supporting information. Best evidence is most reliable because it is something concrete such as a signed contract.

61
Q

Refer to the exhibit. https://snipboard.io/ZFzAyD.jpg Approximately what percentage of the physical memory is still available on this Windows system?

A

68%

Explanation: The graphic shows that there is 5.1 GB (187 MB) of memory in use with 10.6 GB still available. Together this adds up to 16 GB of total physical memory. 5 GB is approximately 32% of 16 GB leaving 68% still available.

62
Q

Which Windows tool can be used by a cybersecurity administrator to secure stand-alone computers that are not part of an active directory domain?

A

Local Security Policy

Explanation: Windows systems that are not part of an Active Directory Domain can use the Windows Local Security Policy to enforce security settings on each stand-alone system.

63
Q

What are three benefits of using symbolic links over hard links in Linux? (Choose three.)

A

They can show the location of the original file.

They can link to a directory.

They can link to a file in a different file system.

Explanation: In Linux, a hard link is another file that points to the same location as the original file. A soft link (also called a symbolic link or a symlink) is a link to another file system name. Hard links are limited to the file system in which they are created and they cannot link to a directory; soft links are not limited to the same file system and they can link to a directory. To see the location of the original file for a symbolic link, use the ls -l command.

64
Q

When attempting to improve system performance for Linux computers with a limited amount of memory, why is increasing the size of the swap file system not considered the best solution?

A

A swap file system uses hard disk space to store inactive RAM content.

Explanation: The swap file system is used by Linux when it runs out of physical memory. When needed, the kernel moves inactive RAM content to the swap partition on the hard disk. Storing and retrieving content in the swap partition is much slower than RAM, and therefore using the swap partition should not be considered the best solution to improving system performance.

65
Q

Refer to the exhibit. https://snipboard.io/uiGJEX.jpg A security analyst is reviewing the logs of an Apache web server. Which action should the analyst take based on the output shown?

A

Notify the server administrator.

Explanation: An Apache web server is an open source server that delivers web pages. Security access logs for an Apache web server include a 3-digit HTTP code that represents the status of the web request. A code that begins with 2 indicates access success. A code that begins with 3 represents redirection. A code that begins with 4 represents a client error and a code that begins with 5 represents a server error. The server administrator should be alerted if a server error such as the 503 code occurs.

66
Q

A security professional is making recommendations to a company for enhancing endpoint security. Which security endpoint technology would be recommended as an agent-based system to protect hosts against malware?

A

HIDS

Explanation: A host-based intrusion detection system (HIDS) is a comprehensive security application that provides antimalware applications, a firewall, and monitoring and reporting.

67
Q

Which technique could be used by security personnel to analyze a suspicious file in a safe environment?

A

Sandboxing

Explanation: Sandboxing allows suspicious files to be executed and analyzed in a safe environment. There are free public sandboxes that allow for malware samples to be uploaded or submitted and analyzed.

68
Q

A cybersecurity analyst has been called to a crime scene that contains several technology items including a computer. Which technique will be used so that the information found on the computer can be used in court?

A

Unaltered disk image

Explanation: A normal file copy does not recover all data on a storage device so an unaltered disk image is commonly made. An unaltered disk image preserves the original evidence, thus preventing inadvertent alteration during the discovery phase. It also allows recreation of the original evidence.

69
Q

Which SOC technology automates security responses by using predefined playbooks which require a minimum amount of human intervention?

A

SOAR

Explanation: SOAR technology goes a step further than SIEM by integrating threat intelligence and automating incident investigation and response workflows based on playbooks developed by the security team.

70
Q

What is the first line of defense when an organization is using a defense-in-depth approach to network security?

A

Edge router

Explanation: A defense-in-depth approach uses layers of security measures starting at the network edge, working through the network, and finally ending at the network endpoints. Routers at the network edge are the first line of defense and forward traffic intended for the internal network to the firewall.

71
Q

Which access control model assigns security privileges based on the position, responsibilities, or job classification of an individual or group within an organization?

A

role-based

Explanation: Role-based access control models assign privileges based on position, responsibilities, or job classification. Users and groups with the same responsibilities or job classification share the same assigned privileges. This type of access control is also referred to as nondiscretionary access control.

72
Q

Which metric in the CVSS Base Metric Group is used with an attack vector?

A

the proximity of the threat actor to the vulnerability

Explanation: The attack vector is one of several metrics defined in the Common Vulnerability Scoring System (CVSS) Base Metric Group Exploitability metrics. The attack vector is how close the threat actor is to the vulnerable component. The farther away the threat actor is from the component, the higher the severity, because threat actors close to the network are easier to detect and mitigate.

73
Q

Which field in the IPv6 header points to optional network layer information that is carried in the IPv6 packet?

A

next header

Explanation: Optional Layer 3 information about fragmentation, security, and mobility is carried inside of extension headers in an IPv6 packet. The next header field of the IPv6 header acts as a pointer to these optional extension headers if they are present.

74
Q

Which data security component is provided by hashing algorithms?

A

software

Explanation: The SANS Institute describes three components of the attack surface:

Network Attack Surface – exploits vulnerabilities in networks
Software Attack Surface – delivered through the exploitation of vulnerabilities in web, cloud, or host-based software applications
Human Attack Surface – exploits weaknesses in user behavior

75
Q

What is the main goal of using different evasion techniques by threat actors?

A

To prevent detection by network and host defenses

Explanation: Many threat actors use stealthy evasion techniques to disguise an attack payload because the malware and attack methods are most effective if they are undetected. The goal is to prevent detection by network and host defenses.

76
Q

How can NAT/PAT complicate network security monitoring if NetFlow is being used?

A

It hides internal IP addresses by allowing them to share one or a few outside IP addresses.

Explanation: NAT/PAT maps multiple internal IP addresses to only a single or a few outside IP addresses, breaking end-to-end flows. The result makes it difficult to log which inside device is requesting and receiving the traffic. This is especially a problem with a NetFlow application because NetFlow flows are unidirectional and are defined by the addresses and ports that they share.

77
Q

Which statement describes the function provided by the Tor network?

A

It allows users to browse the Internet anonymously.

Explanation: Tor is a software platform and network of P2P hosts that function as Internet routers on the Tor network. The Tor network allows users to browse the Internet anonymously.

78
Q

When establishing a server profile for an organization, which element describes the type of service that an application is allowed to run on the server?

A

service account

Explanation: A server profile should contain some important elements including these:

Listening ports – the TCP and UDP daemons and ports that are allowed to be open on the server
User accounts – the parameters defining user access and behavior
Service accounts – the definitions of the type of service that an application is allowed to run on a server
Software environment – the tasks, processes, and applications that are permitted to run on the server

79
Q

What will a threat actor do to create a back door on a compromised target according to the Cyber Kill Chain model?

A

Add services and autorun keys.

Explanation: Once a target system is compromised, the threat actor will establish a back door into the system to allow for continued access to the target. Adding services and autorun keys is a way to create a point of persistent access.

80
Q

Which three things will a threat actor do to prepare a DDoS attack against a target system on the Internet? (Choose three.)

A

Establish two-way communications channels to the CnC infrastructure with zombies.

Compromise many hosts on the Internet.

Install attack software on zombies.

Explanation: To prepare for launching a DDoS attack, a threat actor will compromise many hosts on the Internet, called zombies. The threat actor will then install attack software on zombies and establish a two-way communications channel to CnC infrastructure with zombies. The threat actor will issue the command to zombies through the CnC to launch a DDoS attack against a target system.

81
Q

What is specified in the plan element of the NIST incident response plan?

A

metrics for measuring the incident response capability and effectiveness

Explanation: NIST recommends creating policies, plans, and procedures for establishing and maintaining a CSIRC. One component of the plan element is to develop metrics for measuring the incident response capability and its effectiveness.

82
Q

What is the responsibility of the IT support group when handling an incident as defined by NIST?

A

performs actions to minimize the effectiveness of the attack and preserve evidence

Explanation: IT support best understands the technology used in the organization and can perform the correct actions to minimize the effectiveness of the attack and preserve evidence.

83
Q

What is an example of a privilege escalation attack?

A

A threat actor performs an access attack and gains the administrator password.

Explanation: With the privilege escalation exploit, vulnerabilities in servers or access control systems are exploited to grant an unauthorized user, or software process, higher levels of privilege than either should have. After the higher privilege is granted, the threat actor can access sensitive information or take control of a system.

84
Q

A threat hunter is concerned about a significant increase in TCP traffic sourced from port 53. It is suspected that malicious file transfer traffic is being tunneled out using the TCP DNS port. Which deep packet inspection tool can detect the type of application originating the suspicious traffic?

A

NBAR2

Explanation: NBAR2 is used to discover the applications that are responsible for network traffic. NBAR is a classification engine that can recognize a wide variety of applications, including web-based applications and client/server applications.

85
Q

Which type of evaluation includes the assessment of the likelihood of an attack, the type of threat actor likely to perpetrate such an attack, and what the consequences could be to the organization if the exploit is successful?

A

risk analysis

86
Q

When establishing a network profile for an organization, which element describes the time between the establishment of a data flow and its termination?

A

session duration

Explanation: A network profile should include some important elements, such as the following:

Total throughput – the amount of data passing from a given source to a given destination in a given period of time
Session duration – the time between the establishment of a data flow and its termination
Ports used – a list of TCP or UDP processes that are available to accept data
Critical asset address space – the IP addresses or the logical location of essential systems or data

87
Q

Which term describes a threat actor who has advanced skills and pursues a social agenda?

A

hacktivist

88
Q

Refer to the exhibit. https://snipboard.io/cDLyY1.jpg A security specialist is checking if files in the directory contain ADS data. Which switch should be used to show that a file has ADS attached?

A

/r

Explanation: By using NTFS, Alternate Data Streams (ADSs) can be connected to a file as an attribute called $DATA. The command dir /r can be used to see if a file contains ADS data.

89
Q

The SOC manager is reviewing the metrics for the previous calendar quarter and discovers that the MTTD for a breach of password security perpetrated through the Internet was forty days. What does the MTTD metric represent within the SOC?

A

The average time that it takes to identify valid security incidents that have occurred

Explanation: Cisco defines MTTD as the average time that it takes for the SOC personnel to identify that valid security incidents have occurred in the network.

90
Q

A cybersecurity analyst is performing a CVSS assessment on an attack where a web link was sent to several employees. Once the link was clicked, an internal attack was launched. Which CVSS Base Metric Group Exploitability metric is used to document that the user had to click on the link in order for the attack to occur?

A

user interaction

Explanation: The CVSS Base Metric Group has the following metrics: attack vector, attack complexity, privileges required, user interaction, and scope. The user interaction metric expresses the presence or absence of the requirement for user interaction in order for an exploit to be successful.

91
Q

When a server profile for an organization is being established, which element describes the TCP and UDP daemons and ports that are allowed to be open on the server?

A

listening ports

Explanation: A server profile will often contain the following:

Listening ports – the TCP and UDP daemons and ports that are allowed to be open on the server
User accounts – the parameters defining user access and behavior
Service accounts – the definitions of the type of service that an application is allowed to run on a server
Software environment – the tasks, processes, and applications that are permitted to run on the server

92
Q

Which two actions should be taken during the preparation phase of the incident response life cycle defined by NIST? (Choose two.)

A

Acquire and deploy the tools that are needed to investigate incidents.

Create and train the CSIRT.

Explanation: According to the guideline defined in the NIST Incident Response Life Cycle, several actions should be taken during the preparation phase including (1) creating and training the CSIRT and (2) acquiring and deploying the tools needed by the team to investigate incidents.

93
Q

Match the NIST incident response stakeholder with the role.

A

Preserves Attack Evidence – IT SUPPORT

Designs the budget – Management

Reviews policies for local federal guideline violations – LEGAL DEPARTMENT

Performs disciplinary procedures – Human resources

Develops firewall rules – Information Assurance

94
Q

Match the file system term used in Linux to the function.

A

Supports increased file sizes – ext4

Minimizes file corruption risk in the event of power loss – journaling

Provides hard drive space that holds inactive RAM content – Swap file system

Stores information about how the file system is organized – MBR