CERTIFICATION CYBEROPS EXAM PRACTICE/REVISION Flashcards
Match the definition to the Microsoft Windows term. (Not all options are used.)
HANDLE – Provides access needed by the user space process.
REGISTRY – Database of hardware, software, users and settings.
THREAD – BLANK
WMI – Manages remote computers
CASE 2 Match the definition to the Microsoft Windows term. (Not all options are used.)
PROCESS – Currently executing program
REGISTRY – BLANK
SERVICE – Runs in the background to support the operating system and applications
THREAD – Instructions executed by the processor
What are two motivating factors for nation-state sponsored threat actors? (Choose two.)
Industrial espionage
AND
Disruption of trade or infrastructure
Explanation: Nation-state threat actors are not typically interested or motivated by financial gain. They are primarily involved in corporate espionage or disrupting international trade or critical infrastructure.
Match the description to the Linux term. (Not all options are used.)
FORK – Creates a copy of a process due to multi-tasking
HANDLE – BLANK
PERMISSIONS – Determines user rights to a file
PROCESS – A running instance of a computer program.
Match the antimalware approach to the description.
Recognises characteristics of known malware files – signature-based
Recognises general features shared by types of malware – heuristics based
Recognises malware through types of suspicious actions – behaviour based
Which type of data is used by Cisco Cognitive Intelligence to find malicious activity that has bypassed security controls, or entered through unmonitored channels, and is operating inside an enterprise network?
Statistical
Explanation: Cisco Cognitive Intelligence utilizes statistical data for statistical analysis in order to find malicious activity that has bypassed security controls, or entered through unmonitored channels (including removable media), and is operating inside the network of an organization.
Which type of evasion technique splits malicious payloads into smaller packets in order to bypass security sensors that do not reassemble the payloads before scanning them?
Traffic fragmentation
Explanation: In order to keep the malicious payload from being recognized by security sensors, such as IPS or IDS, perpetrators fragment the data into smaller packets. These fragments can be passed by sensors that do not reassemble the data before scanning.
Which type of cyber attack is a form of MiTM in which the perpetrator copies IP packets off the network without modifying them?
Eavesdropping
Explanation: An eavesdropping attack is a form of man-in-the-middle in which the perpetrator just reads or copies IP packets off the network but does not alter them.
Which is an example of social engineering?
An unidentified person claiming to be a technician collecting user information from employees.
Explanation: A social engineer attempts to gain the confidence of an employee and convince that person to divulge confidential and sensitive information, such as usernames and passwords. DDoS attacks, pop-ups, and viruses are all examples of software based security threats, not social engineering.
Which component is a pillar of the zero trust security approach that focuses on the secure access of devices, such as servers, printers, and other endpoints, including devices attached to IoT?
Workplace.
Explanation: The workplace pillar focuses on secure access for any and all devices, including devices on the internet of things (IoT), which connect to enterprise networks, such as user endpoints, physical and virtual servers, printers, cameras, HVAC systems, kiosks, infusion pumps, industrial control systems, and more.
A security analyst is reviewing information contained in a Wireshark capture created during an attempted intrusion. The analyst wants to correlate the Wireshark information with the log files from two servers that may have been compromised. What type of information can be used to correlate the events found in these multiple data sets?
IP five-tuples.
Explanation: The source and destination IP address, ports, and protocol (the IP five-tuples) can be used to correlate different data sets when analyzing an intrusion.
A security analyst is investigating a cyber attack that began by compromising one file system through a vulnerability in a custom software application. The attack now appears to be affecting additional file systems under the control of another security authority. Which CVSS v3.0 base exploitability metric score is increased by this attack characteristic?
Scope.
Explanation: The scope metric is impacted by an exploited vulnerability that can affect resources beyond the authorized privileges of the vulnerable component or that are managed by a different security authority.
Which regular expression would match any string that contains 4 consecutive zeros?
0{4}
Explanation: The regular expression 0{4} matches any string that contains 4 repetitions of zero or 4 consecutive zeros.
Refer to the exhibit. https://snipboard.io/VOiGWc.jpg Which technology generated the event log?
Netflow.
Explanation: The source of the output is Netflow.
Refer to the exhibit. https://snipboard.io/1W3ukp.jpg A security specialist is using Wireshark to review a PCAP file generated by tcpdump. When the client initiated a file download request, which source socket pair was used?
209.165.200.235:48598
Explanation: The combination of the source IP address and source port number, or the destination IP address and destination port number, is known as a socket. A socket is shown as the IP address and associated port number with a colon in between the two (IP_address:port_number).
Match the security service with the description.
Allows administrators to manage network devices – (Simple Network Management Protocol) SNMP
A series of commands that control whether a device forwards or drops packets – (Access-control list) ACL
Allows a switch to make duplicate copies of traffic that is sent to a traffic analyzer – PORT MONITORING
Provides statistics on packets flowing through a Cisco router or multi-layer switch – NETFLOW
Using Tcpdump and Wireshark, a security analyst extracts a downloaded file from a pcap file. The analyst suspects that the file is a virus and wants to know the file type for further examination. Which Linux command can be used to determine the file type?
File
Explanation: The Linux file command can be used to determine a file type, such as whether it is executable, ASCII text, or zip.
Match the IPS alarm with the description.
Normal traffic is correctly not identified as a threat – TRUE NEGATIVE
Malicious Traffic is correctly identified as a threat – TRUE POSITIVE
Malicious traffic is not correctly identified as a threat – FALSE NEGATIVE
Normal traffic is incorrectly identified as a threat – FALSE POSITIVE
What is a feature of an IPS?
It can stop malicious packets.
Explanation: An advantage of an intrusion prevention system (IPS) is that it can identify and stop malicious packets. However, because an IPS is deployed inline, it can add latency to the network.
Which three fields are found in both the TCP and UDP headers? (Choose three.)
- Checksum
- Destination port
- Source port
Explanation: The UDP header has four fields. Three of these fields are in common with the TCP header. These three fields are the source port, destination port, and checksum.
What will match the regular expression ^83?
any string that begins with 83
What is a key difference between the data captured by NetFlow and data captured by Wireshark?
NetFlow collects metadata from a network flow whereas Wireshark captures full data packets.
NETFLOW – NETWORK FLOW METADATA
WIRESHARK – FULL DATA PACKETS
Explanation: Wireshark captures the entire contents of a packet. NetFlow does not. Instead, NetFlow collects metadata, or data about the flow.
Which three IPv4 header fields have no equivalent in an IPv6 header? (Choose three.)
- Flag
- Identification
- Fragment offset
Explanation: Unlike IPv4, IPv6 routers do not perform fragmentation. Therefore, all three fields supporting fragmentation in the IPv4 header are removed and have no equivalent in the IPv6 header. These three fields are fragment offset, flag, and identification. IPv6 does support host packet fragmentation through the use of extension headers, which are not part of the IPv6 header.
What classification is used for an alert that correctly identifies that an exploit has occurred?
True positive
Explanation: A true positive occurs when an IDS and IPS signature is correctly fired and an alarm is generated when offending traffic is detected.
Match the NIST incident response life cycle phase with the description.
Identify, analyze, and validate incidents – DETECTION AND ANALYSIS
Conduct training on incident response – PREPARATION
Document how incidents are handled – POST INCIDENT ACTIVITIES
Implement procedures to eradicate the impact to organisational assets – CONTAINMENT, ERADICATION, AND RECOVERY
Place the seven steps defined in the Cyber Kill Chain in the correct order.
1) RECONNAISSANCE
2) WEAPONIZATION
3) DELIVERY
4) EXPLOITATION
5) INSTALLATION
6) COMMAND AND CONTROL
7) ACTION ON OBJECTIVES
During the detection and analysis phase of the NIST incident response process life cycle, which sign category is used to describe that an incident might occur in the future?
Precursor
Explanation: There are two categories for the signs of an incident:
Precursor – a sign that an incident might occur in the future.
Indicator – a sign that an incident might already have occurred or is currently occurring.
According to the Cyber Kill Chain model, after a weapon is delivered to a targeted system, what is the next step that a threat actor would take?
Exploitation
Explanation: The Cyber Kill Chain specifies seven steps (or phases) and sequences that a threat actor must complete to accomplish an attack:
Reconnaissance – The threat actor performs research, gathers intelligence, and selects targets.
Weaponization – The threat actor uses the information from the reconnaissance phase to develop a weapon against specific targeted systems.
Delivery – The weapon is transmitted to the target using a delivery vector.
Exploitation – The threat actor uses the weapon delivered to break the vulnerability and gain control of the target.
Installation – The threat actor establishes a back door into the system to allow for continued access to the target.
Command and Control (CnC) – The threat actor establishes command and control (CnC) with the target system.
Action on Objectives – The threat actor is able to take action on the target system, thus achieving the original objective.
A company is applying the NIST.SP800-61 r2 incident handling process to security events. What are two examples of incidents that are in the category of precursor? (Choose two.)
Log entries that show a response to a port scan
AND
A newly-discovered vulnerability in Apache web servers
Explanation: As an incident category, the precursor is a sign that an incident might occur in the future. Examples of precursors are log entries that show a response to a port scan or a newly-discovered vulnerability in web servers using Apache.
A network administrator is creating a network profile to generate a network baseline. What is included in the critical asset address space element?
The IP addresses or the logical location of essential systems or data.
Explanation: A network profile should include some important elements, such as the following:
Total throughput – the amount of data passing from a given source to a given destination in a given period of time
Session duration – the time between the establishment of a data flow and its termination
Ports used – a list of TCP or UDP processes that are available to accept data
Critical asset address space – the IP addresses or the logical location of essential systems or data
Which NIST-defined incident response stakeholder is responsible for coordinating incident response with other stakeholders and minimizing the damage of an incident?
Management
Explanation: The management team creates the policies, designs the budget, and is in charge of staffing all departments. Management is also responsible for coordinating the incident response with other stakeholders and minimizing the damage of an incident.
What is defined in the policy element of the NIST incident response plan?
How to handle incidents based on the mission and functions of an organization.
Explanation: The policy element of the NIST incident response plan details how incidents should be handled based on the mission and function of the organization.
What is the responsibility of the human resources department when handling a security incident as defined by NIST?
Perform disciplinary actions if an incident is caused by an employee.
Explanation: The human resources department may be called upon to perform disciplinary measures if an incident is caused by an employee.
What is the benefit of a defense-in-depth approach?
The effectiveness of other security measures is not impacted when a security mechanism fails.
Explanation: The benefit of the defense-in-depth approach is that network defenses are implemented in layers so that failure of any single security mechanism does not impact other security measures.
Which type of analysis relies on predefined conditions and can analyze applications that only use well-known fixed ports?
Deterministic.
Explanation: Deterministic analysis uses predefined conditions to analyze applications that conform to specification standards, such as performing a port-based analysis.
Which type of analysis relies on different methods to establish the likelihood that a security event has happened or will happen?
Probabilistic
Explanation: Probabilistic methods use powerful tools to create a probabilistic answer as a result of analyzing applications.
Which access control model allows users to control access to data as an owner of that data?
Discretionary access control
Explanation: In the discretionary access control (DAC) model, users can control access to data as owners of the data.
What are the three impact metrics contained in the CVSS 3.0 Base Metric Group? (Choose three.)
Confidentiality
Integrity
Availability
Explanation: The Common Vulnerability Scoring System (CVSS) is a vendor-neutral, industry standard, open framework for weighing the risks of a vulnerability using a variety of metrics. CVSS uses three groups of metrics to assess vulnerability, the Base Metric Group, Temporal Metric Group, and Environmental Metric Group. The Base Metric Group has two classes of metrics (exploitability and impact). The impact metrics are rooted in the following areas: confidentiality, integrity, and availability.
Which access control model applies the strictest access control and is often used in military and mission critical applications?
Mandatory
Explanation: Military and mission critical applications typically use mandatory access control which applies the strictest access control to protect network resources.
Match the security concept to the description.
The LIKELIHOOD of undesirable consequences – RISK
A MECHANISM used to compromise an asset – EXPLOIT
A WEAKNESS in a system – VULNERABILITY
A potential DANGER to an asset – THREAT
What is the principle behind the nondiscretionary access control model?
It allows access decisions to be based on roles and responsibilities of a user within the organization.
Explanation: The nondiscretionary access control model uses the roles and responsibilities of the user as the basis for access decisions.
Match the information security component with the description.
Only authorized individuals, entities, or processes can access sensitive information – CONFIDENTIALITY
Data is protected from unauthorised alteration – INTEGRITY
Authorised users must have uninterrupted access to important resources and data – AVAILABILITY
Which attack is integrated with the lowest levels of the operating system of a host and attempts to completely hide the activities of the threat actor on the local system?
Rootkit
Explanation: A rootkit is a complex attack tool and it integrates with the lowest levels of the operating system. The goal of the rootkit is to completely hide the activities of the threat actor on the local system.
Which tool captures full data packets with a command-line interface only?
tcpdump
Explanation: The command-line tool tcpdump is a packet analyzer. Wireshark is a packet analyzer with a GUI interface.
To which category of security attacks does man-in-the-middle belong?
Access
Explanation: With a man-in-the-middle attack, a threat actor is positioned in between two legitimate entities in order to read, modify, or redirect the data that passes between the two parties.
What is an example of a local exploit?
A threat actor tries to gain the user password of a remote host by using a keyboard capture software installed on it by a Trojan.
Explanation: Vulnerability exploits may be remote or local. In a local exploit, the threat actor has some type of user access to the end system, either physically or through remote access. The exploitation activity is within the local network.
Which Cisco appliance can be used to filter network traffic contents to report and deny traffic based on the web server reputation?
WSA
Explanation: The Cisco Web Security Appliance (WSA) acts as a web proxy for an enterprise network. WSA can provide many types of logs related to web traffic security including ACL decision logs, malware scan logs, and web reputation filtering logs. The Cisco Email Security Appliance (ESA) is a tool to monitor most aspects of email delivery, system functioning, antivirus, antispam operations, and blacklist and whitelist decisions. The Cisco ASA is a firewall appliance. The Cisco Application Visibility and Control (AVC) system combines multiple technologies to recognize, analyze, and control over 1000 applications.
Which evasion method describes the situation that after gaining access to the administrator password on a compromised host, a threat actor is attempting to login to another host using the same credentials?
Pivoting
Explanation: Pivoting is an evasion method that assumes the threat actor has compromised an inside host and the actor wants to expand the access further into the compromised network.
What are two examples of DoS attacks? (Choose two.)
Ping of death
AND
Buffer overflow
Explanation: The buffer overflow and ping of death DoS attacks exploit system memory-related flaws on a server by sending an unexpected amount of data or malformed data to the server.
Which type of attack is carried out by threat actors against a network to determine which IP addresses, protocols, and ports are allowed by ACLs?
Reconnaissance
Explanation: Packet filtering ACLs use rules to filter incoming and outgoing traffic. These rules are defined by specifying IP addresses, port numbers, and protocols to be matched. Threat actors can use a reconnaissance attack involving port scanning or penetration testing to determine which IP addresses, protocols, and ports are allowed by ACLs.
Refer to the exhibit. https://snipboard.io/ApSf5q.jpg A security analyst is reviewing an alert message generated by Snort. What does the number 2100498 in the message indicate?
The Snort rule that is triggered
Explanation: The sid field in a Snort alert message indicates the Snort security rule that is triggered.
Which two attacks target web servers through exploiting possible vulnerabilities of input functions used by an application? (Choose two.)
SQL injection
AND
cross-site scripting
Explanation: When a web application uses input fields to collect data from clients, threat actors may exploit possible vulnerabilities for entering malicious commands. The malicious commands that are executed through the web application might affect the OS on the web server. SQL injection and cross-site scripting are two different types of command injection attacks.
Which security function is provided by encryption algorithms?
Confidentiality
Explanation: Encryption algorithms are used to provide data confidentiality, which ensures that if data is intercepted in transit, it cannot be read.
Match the Windows term to the description.
NTFS-generated timestamps for file activity – MACE
A legacy file system – FAT32
Most common file system – NTFS
Upgraded firmware that stores boot code in the firmware – EFI
A method of adding information to an NTFS-based file – ALTERNATE DATA STREAMS
Which security endpoint setting would be used by a security analyst to determine if a computer has been configured to prevent a particular application from running?
Blacklisting
Explanation: Blacklisting can be used on a local system or updated on security devices such as a firewall. Blacklists can be manually entered or obtained from a centralized security system. Blacklists are applications that are prevented from executing because they pose a security risk to the individual system and potentially the company.
Refer to the exhibit. https://snipboard.io/axSwu0.jpg Which technology would contain information similar to the data shown for infrastructure devices within a company?
Syslog server
Explanation: A syslog server consolidates and maintains messages from infrastructure devices that have been configured to send logging information. Data from the syslog server can be analyzed to detect anomalies.
At the request of investors, a company is proceeding with cyber attribution with a particular attack that was conducted from an external source. Which security term is used to describe the person or device responsible for the attack?
Threat actor
Explanation: Some people may use the common word of “hacker” to describe a threat actor. A threat actor is an entity that is involved with an incident that impacts or has the potential to impact an organization in such a way that it is considered a security risk or threat.
Which Windows application is commonly used by a cybersecurity analyst to view Microsoft IIS access logs?
Event Viewer
Explanation: Event Viewer is an application on a Windows-based device used to view event logs including IIS access logs.
Which two algorithms use a hashing function to ensure message integrity? (Choose two.)
– MD5
– SHA
Explanation: Hashing algorithms are used to provide data integrity, which ensures that the data has not changed during transmission. MD5 and SHA are commonly used hashing algorithms.
Which type of evidence cannot prove an IT security fact on its own?
Indirect
Explanation: Indirect evidence cannot prove a fact on its own, but direct evidence can. Corroborative evidence is supporting information. Best evidence is most reliable because it is something concrete such as a signed contract.
Refer to the exhibit. https://snipboard.io/ZFzAyD.jpg Approximately what percentage of the physical memory is still available on this Windows system?
68%
Explanation: The graphic shows that there is 5.1 GB (187 MB) of memory in use with 10.6 GB still available. Together this adds up to 16 GB of total physical memory. 5 GB is approximately 32% of 16 GB leaving 68% still available.
Which Windows tool can be used by a cybersecurity administrator to secure stand-alone computers that are not part of an active directory domain?
Local Security Policy
Explanation: Windows systems that are not part of an Active Directory Domain can use the Windows Local Security Policy to enforce security settings on each stand-alone system.
What are three benefits of using symbolic links over hard links in Linux? (Choose three.)
They can show the location of the original file.
They can link to a directory.
They can link to a file in a different file system.
Explanation: In Linux, a hard link is another file that points to the same location as the original file. A soft link (also called a symbolic link or a symlink) is a link to another file system name. Hard links are limited to the file system in which they are created and they cannot link to a directory; soft links are not limited to the same file system and they can link to a directory. To see the location of the original file for a symbolic link use the ls -l command.
When attempting to improve system performance for Linux computers with a limited amount of memory, why is increasing the size of the swap file system not considered the best solution?
A swap file system uses hard disk space to store inactive RAM content.
Explanation: The swap file system is used by Linux when it runs out of physical memory. When needed, the kernel moves inactive RAM content to the swap partition on the hard disk. Storing and retrieving content in the swap partition is much slower than RAM is, and therefore using the swap partition should not be considered the best solution to improving system performance.
Refer to the exhibit. https://snipboard.io/uiGJEX.jpg A security analyst is reviewing the logs of an Apache web server. Which action should the analyst take based on the output shown?
Notify the server administrator.
Explanation: An Apache web server is an open source server that delivers web pages. Security access logs for an Apache web server include a 3-digit HTTP code that represents the status of the web request. A code that begins with 2 indicates access success. A code that begins with 3 represents redirection. A code that begins with 4 represents a client error and a code that begins with 5 represents a server error. The server administrator should be alerted if a server error such as the 503 code occurs.
A security professional is making recommendations to a company for enhancing endpoint security. Which security endpoint technology would be recommended as an agent-based system to protect hosts against malware?
HIDS
Explanation: A host-based intrusion detection system (HIDS) is a comprehensive security application that provides antimalware applications, a firewall, and monitoring and reporting.
Which technique could be used by security personnel to analyze a suspicious file in a safe environment?
Sandboxing
Explanation: Sandboxing allows suspicious files to be executed and analyzed in a safe environment. There are free public sandboxes that allow for malware samples to be uploaded or submitted and analyzed.
A cybersecurity analyst has been called to a crime scene that contains several technology items including a computer. Which technique will be used so that the information found on the computer can be used in court?
Unaltered disk image
Explanation: A normal file copy does not recover all data on a storage device so an unaltered disk image is commonly made. An unaltered disk image preserves the original evidence, thus preventing inadvertent alteration during the discovery phase. It also allows recreation of the original evidence.
Which SOC technology automates security responses by using predefined playbooks which require a minimum amount of human intervention?
SOAR
Explanation: SOAR technology goes a step further than SIEM by integrating threat intelligence and automating incident investigation and response workflows based on playbooks developed by the security team.
What is the first line of defense when an organization is using a defense-in-depth approach to network security?
Edge router
Explanation: A defense-in-depth approach uses layers of security measures starting at the network edge, working through the network, and finally ending at the network endpoints. Routers at the network edge are the first line of defense and forward traffic intended for the internal network to the firewall.
Which access control model assigns security privileges based on the position, responsibilities, or job classification of an individual or group within an organization?
role-based
Explanation: Role-based access control models assign privileges based on position, responsibilities, or job classification. Users and groups with the same responsibilities or job classification share the same assigned privileges. This type of access control is also referred to as nondiscretionary access control.
Which metric in the CVSS Base Metric Group is used with an attack vector?
the proximity of the threat actor to the vulnerability
Explanation: The attack vector is one of several metrics defined in the Common Vulnerability Scoring System (CVSS) Base Metric Group Exploitability metrics. The attack vector is how close the threat actor is to the vulnerable component. The farther away the threat actor is to the component, the higher the severity because threat actors close to the network are easier to detect and mitigate.
Which field in the IPv6 header points to optional network layer information that is carried in the IPv6 packet?
next header
Explanation: Optional Layer 3 information about fragmentation, security, and mobility is carried inside of extension headers in an IPv6 packet. The next header field of the IPv6 header acts as a pointer to these optional extension headers if they are present.
Which data security component is provided by hashing algorithms?
software
Explanation: The SANS Institute describes three components of the attack surface:
Network Attack Surface – exploits vulnerabilities in networks
Software Attack Surface – delivered through the exploitation of vulnerabilities in web, cloud, or host-based software applications
Human Attack Surface – exploits weaknesses in user behavior
What is the main goal of using different evasion techniques by threat actors?
To prevent detection by network and host defenses
Explanation: Many threat actors use stealthy evasion techniques to disguise an attack payload because the malware and attack methods are most effective if they are undetected. The goal is to prevent detection by network and host defenses.
How can NAT/PAT complicate network security monitoring if NetFlow is being used?
It hides internal IP addresses by allowing them to share one or a few outside IP addresses.
Explanation: NAT/PAT maps multiple internal IP addresses with only a single or a few outside IP addresses breaking end-to-end flows. The result makes it difficult to log the inside device that is requesting and receiving the traffic. This is especially a problem with a NetFlow application because NetFlow flows are unidirectional and are defined by the addresses and ports that they share.
Which statement describes the function provided by the Tor network?
It allows users to browse the Internet anonymously.
Explanation: Tor is a software platform and network of P2P hosts that function as Internet routers on the Tor network. The Tor network allows users to browse the Internet anonymously.
When establishing a server profile for an organization, which element describes the type of service that an application is allowed to run on the server?
service account
Explanation: A server profile should contain some important elements including these:
Listening ports – the TCP and UDP daemons and ports that are allowed to be open on the server
User accounts – the parameters defining user access and behavior
Service accounts – the definitions of the type of service that an application is allowed to run on a server
Software environment – the tasks, processes, and applications that are permitted to run on the server
What will a threat actor do to create a back door on a compromised target according to the Cyber Kill Chain model?
Add services and autorun keys.
Explanation: Once a target system is compromised, the threat actor will establish a back door into the system to allow for continued access to the target. Adding services and autorun keys is a way to create a point of persistent access.
Which three things will a threat actor do to prepare a DDoS attack against a target system on the Internet? (Choose three.)
Establish two-way communications channels to the CnC infrastructure with zombies.
Compromise many hosts on the Internet.
Install attack software on zombies.
Explanation: To prepare for launching a DDoS attack, a threat actor will compromise many hosts on the Internet, called zombies. The threat actor will then install attack software on zombies and establish a two-way communications channel to CnC infrastructure with zombies. The threat actor will issue the command to zombies through the CnC to launch a DDoS attack against a target system.
What is specified in the plan element of the NIST incident response plan?
metrics for measuring the incident response capability and effectiveness
Explanation: NIST recommends creating policies, plans, and procedures for establishing and maintaining a CSIRC. One component of the plan element is to develop metrics for measuring the incident response capability and its effectiveness.
What is the responsibility of the IT support group when handling an incident as defined by NIST?
performs actions to minimize the effectiveness of the attack and preserve evidence
Explanation: IT support best understands the technology used in the organization and can perform the correct actions to minimize the effectiveness of the attack and preserve evidence.
What is an example of a privilege escalation attack?
A threat actor performs an access attack and gains the administrator password.
Explanation: With the privilege escalation exploit, vulnerabilities in servers or access control systems are exploited to grant an unauthorized user, or software process, higher levels of privilege than either should have. After the higher privilege is granted, the threat actor can access sensitive information or take control of a system.
A threat hunter is concerned about a significant increase in TCP traffic sourced from port 53. It is suspected that malicious file transfer traffic is being tunneled out using the TCP DNS port. Which deep packet inspection tool can detect the type of application originating the suspicious traffic?
NBAR2
Explanation: NBAR2 is used to discover the applications that are responsible for network traffic. NBAR is a classification engine that can recognize a wide variety of applications, including web-based applications and client/server applications.
Which type of evaluation includes the assessment of the likelihood of an attack, the type of threat actor likely to perpetrate such an attack, and what the consequences could be to the organization if the exploit is successful?
risk analysis
When establishing a network profile for an organization, which element describes the time between the establishment of a data flow and its termination?
session duration
Explanation: A network profile should include some important elements, such as the following:
Total throughput – the amount of data passing from a given source to a given destination in a given period of time
Session duration – the time between the establishment of a data flow and its termination
Ports used – a list of TCP or UDP processes that are available to accept data
Critical asset address space – the IP addresses or the logical location of essential systems or data
Which term describes a threat actor who has advanced skills and pursues a social agenda?
hacktivist
Refer to the exhibit. https://snipboard.io/cDLyY1.jpg A security specialist is checking if files in the directory contain ADS data. Which switch should be used to show that a file has ADS attached?
/r
Explanation: By using NTFS, Alternate Data Streams (ADSs) can be connected to a file as an attribute called $DATA. The command dir /r can be used to see if a file contains ADS data.
The SOC manager is reviewing the metrics for the previous calendar quarter and discovers that the MTTD for a breach of password security perpetrated through the Internet was forty days. What does the MTTD metric represent within the SOC?
The average time that it takes to identify valid security incidents that have occurred
Explanation: Cisco defines MTTD as the average time that it takes for the SOC personnel to identify that valid security incidents have occurred in the network.
A cybersecurity analyst is performing a CVSS assessment on an attack where a web link was sent to several employees. Once clicked, an internal attack was launched. Which CVSS Base Metric Group Exploitability metric is used to document that the user had to click on the link in order for the attack to occur?
user interaction
Explanation: The CVSS Base Metric Group has the following metrics: attack vector, attack complexity, privileges required, user interaction, and scope. The user interaction metric expresses the presence or absence of the requirement for user interaction in order for an exploit to be successful.
When a server profile for an organization is being established, which element describes the TCP and UDP daemons and ports that are allowed to be open on the server?
listening ports
Explanation: A server profile will often contain the following:
Listening ports – the TCP and UDP daemons and ports that are allowed to be open on the server
User accounts – the parameters defining user access and behavior
Service accounts – the definitions of the type of service that an application is allowed to run on a server
Software environment – the tasks, processes, and applications that are permitted to run on the server
Which two actions should be taken during the preparation phase of the incident response life cycle defined by NIST? (Choose two.)
Acquire and deploy the tools that are needed to investigate incidents.
Create and train the CSIRT.
Explanation: According to the guideline defined in the NIST Incident Response Life Cycle, several actions should be taken during the preparation phase including (1) creating and training the CSIRT and (2) acquiring and deploying the tools needed by the team to investigate incidents.
Match the NIST incident response stakeholder with the role.
Preserves Attack Evidence – IT SUPPORT
Designs the budget – Management
Reviews policies for local federal guideline violations – LEGAL DEPARTMENT
Performs disciplinary procedures – Human resources
Develops firewall rules – Information Assurance
Match the file system term used in Linux to the function.
Supports increased file sizes – ext4
Minimizes file corruption risk in the event of power loss – journaling
Provides hard drive space that holds inactive RAM content – Swap file system
Stores information about how the file system is organized – MBR