Deck1 Flashcards

1
Q
Which of the following is not a metadata feature of the Diamond Model?
A. Direction
B. Result
C. Devices
D. Resources
A

C. Devices

2
Q
Which data type is protected under the PCI compliance framework?
A. credit card type
B. primary account number
C. health conditions
D. provision of individual care
A

B. primary account number

3
Q

Which of the following are core responsibilities of a national CSIRT and CERT?
A. Provide solutions for bug bounties
B. Protect their citizens by providing security vulnerability information, security awareness training, best practices, and other information
C. Provide vulnerability brokering to vendors within a country
D. Create regulations around cybersecurity within the country

A

B. Protect their citizens by providing security vulnerability information, security awareness training, best practices, and other information

4
Q

REFER TO EXHIBIT
A customer reports that they cannot access your organization’s website. Which option is a possible reason that the customer cannot access the website?
A. The server at 10.33.1.5 is using up too much bandwidth, causing a denial-of-service.
B. The server at 10.67.10.5 has a virus.
C. A vulnerability scanner has shown that 10.67.10.5 has been compromised.
D. Web traffic sent from 10.67.10.5 has been identified as malicious by Internet sensors.

A

D. Web traffic sent from 10.67.10.5 has been identified as malicious by Internet sensors.

5
Q
In addition to cybercrime and attacks, evidence found on a system or network may be presented in a court of law to support accusations of crime or civil action, including which of the following?
A. Fraud, money laundering, and theft
B. Drug-related crime
C. Murder and acts of violence
D. All of the above
A

D. All of the above

6
Q
An organization has recently adjusted its security stance in response to online threats made by a known hacktivist group. Which term defines the initial event in the NIST SP800-61 r2?
A. instigator
B. precursor
C. online assault
D. trigger
A

B. precursor

7
Q
Which of the following is an example of a managed security offering where incident response experts monitor and respond to security alerts in a SOC?
A. Cisco CloudLock
B. Cisco’s Active Threat Analytics (ATA)
C. Cisco Managed Firepower Service
D. Cisco Jasper
A

B. Cisco’s Active Threat Analytics (ATA)

8
Q
Which kind of evidence can be considered most reliable to arrive at an analytical assertion?
A. direct
B. corroborative
C. indirect
D. circumstantial
E. textual
A

A. direct

9
Q
What is NAC?
A. Non-Admin Closure
B. Network Access Control
C. Nepal Airline Corporations
D. Network Address Control
A

B. Network Access Control

10
Q
Which data element must be protected with regards to PCI?
A. past health condition
B. geographic location
C. full name / full account number
D. recent payment amount
A

C. full name / full account number

11
Q

What is the process of remediating the system from an attack so that the responsible threat actor can be revealed?
A. Validating the Attacking Host’s IP Address
B. Researching the Attacking Host through Search Engines.
C. Using Incident Databases.
D. Monitoring Possible Attacker Communication Channels.

A

A. Validating the Attacking Host’s IP Address

12
Q
Which CVSSv3 metric value increases when attacks consume network bandwidth, processor cycles, or disk space?
A. confidentiality
B. integrity
C. availability
D. complexity
A

C. availability

13
Q
Which regular expression matches "color" and "colour"?
A. col[0-9]+our
B. colo?ur
C. colou?r
D. [a-z]{7}
A

C. colou?r

14
Q
Which option filters a LibPCAP capture that used a host as a gateway?
A. [tcp|udp] [src|dst] port
B. [src|dst] net  [{mask }|{len }]
C. ether [src|dst] host 
D. gateway host
A

D. gateway host

15
Q
What protocol is related to NAC?
A. 802.1Q
B. 802.1X (EAP-TLS, EAP-PEAP or EAP-MSCHAP)
C. 802.1E
D. 802.1F
A

B. 802.1X (EAP-TLS, EAP-PEAP or EAP-MSCHAP)

16
Q

A CMS plugin creates two files that are accessible from the Internet: myplugin.html and exploitable.php. A newly discovered exploit takes advantage of an injection vulnerability in exploitable.php. To exploit the vulnerability, one must send an HTTP POST with specific variables to exploitable.php. You see traffic to your webserver that consists of only HTTP GET requests to myplugin.html. Which category best describes this activity?
A. weaponization
B. exploitation
C. installation
D. reconnaissance

A

D. reconnaissance

17
Q

From a security perspective, why is it important to employ a clock synchronization protocol on a network?
A. so that everyone knows the local time
B. to ensure employees adhere to work schedule
C. to construct an accurate timeline of events when responding to an incident
D. to guarantee that updates are pushed out according to schedule

A

C. to construct an accurate timeline of events when responding to an incident

18
Q
Which option is generated when a file is run through an algorithm and generates a string specific to the contents of that file?
A. URL
B. hash
C. IP address
D. destination port
A

B. hash

19
Q
Which identifies both the source and destination location?
A. IP address
B. URL
C. ports
D. MAC address
A

A. IP address
Explanation:
The IP address is used to uniquely identify the desired host we need to contact. This information is not shown in the above packet because it exists in the IP header section located right above the TCP header we are analysing. If we were to expand the IP header, we would (certainly) find the source and destination IP address fields in there.

20
Q
What mechanism does the Linux operating system provide to control access to files?
A. privileges required
B. user interaction
C. file permissions
D. access complexity
A

C. file permissions

21
Q

Which of the following are the three broad categories of cybersecurity investigations?
A. Public, private, and individual investigations
B. Judiciary, private, and individual investigations
C. Public, private, and corporate investigations
D. Government, corporate, and private investigations

A

A. Public, private, and individual investigations

22
Q
Which source provides reports of vulnerabilities in software and hardware to a Security Operations Center?
A. Analysis Center
B. National CSIRT
C. Internal CSIRT
D. Physical Security
A

C. Internal CSIRT

23
Q
Which netstat commands show ports? (Choose two.)
A. netstat -a
B. netstat -l
C. netstat -v
D. netstat -g
A

A. netstat -a

B. netstat -l

24
Q
During which phase of the forensic process is data that is related to a specific event labeled and recorded to preserve its integrity?
A. collection
B. examination
C. reporting
D. investigation
A

A. collection

25
Q

Choose the option that best describes NIST data integrity
A. use only sha-1
B. use only md5
C. you must hash data & backup and compare hashes
D. no need to hash data & backup and compare hashes

A

C. you must hash data & backup and compare hashes

26
Q
Which option allows a file to be extracted from a TCP stream within Wireshark?
A. File > Export Objects
B. Analyze > Extract
C. Tools > Export > TCP
D. View > Extract
A

A. File > Export Objects

27
Q
What information from HTTP logs can be used to find a threat actor?
A. referer
B. IP address
C. user-agent
D. URL
A

B. IP address

28
Q

ping cisco.com
Reply from 2001:420:1101:1::a: time=145ms
What can be determined from this ping result?
A. The public IP address of cisco.com is 2001:420:1101:1::a.
B. The Cisco.com website is down.
C. The Cisco.com website is responding with an internal IP.
D. The public IP address of cisco.com is an IPv4 address.

A

A. The public IP address of cisco.com is 2001:420:1101:1::a.

29
Q

Refer to the following packet capture. Which of the following statements is true about this packet capture?
A. The host with the IP address 93.184.216.34 is the source.
B. The host omar.cisco.com is the destination.
C. This is a Telnet transaction that is timing out and the server is not responding.
D. The server omar.cisco.com is responding to 93.184.216.34 with four data packets.

A

C. This is a Telnet transaction that is timing out and the server is not responding.

30
Q

Which attributes belong to the VERIS schema?
A. confidentiality/possession
B. integrity/authenticity
C. availability/utility

A

A. confidentiality/possession
B. integrity/authenticity
C. availability/utility

31
Q

According to NIST, which option is unnecessary for a containment strategy?
A. The delayed containment
B. Monitoring with methods other than sandboxing

A

A. The delayed containment

B. Monitoring with methods other than sandboxing

32
Q
Which network device creates and sends the initial packet of a session?
A. source
B. origination
C. destination
D. network
A

A. source

33
Q
Which two options can be used by a threat actor to determine the role of a server? (Choose two.)
A. PCAP
B. tracert
C. running processes
D. hard drive configuration
E. applications
A

C. running processes

E. applications

34
Q
Which of the following has been used to evade IDS and IPS devices?
A. SNMP
B. HTTP
C. TNP
D. Fragmentation
A

D. Fragmentation

35
Q

Based on NIST SP800-61 r2, what are the recommended protections against malware?

A

Malware prevention software

36
Q
Which display filter filters on a port in Wireshark?
A. tcp.port == 80
B. tcp port equals 80
C. tcp.port 80
D. port 80
A

A. tcp.port == 80

37
Q
Which CVSSv3 Attack Vector metric value requires the attacker to physically touch or manipulate the vulnerable component?
A. local
B. physical
C. network
D. adjacent
A

B. physical

38
Q
Which of the following steps in the kill chain would come before the others?
A. C2
B. Delivery
C. Installation
D. Exploitation
A

B. Delivery

39
Q
In Microsoft Windows, as files are deleted the space they were allocated eventually is considered available for use by other files. This creates alternating used and unused areas of various sizes. What is this called?
A. network file storing
B. free space fragmentation
C. alternate data streaming
D. defragmentation
A

B. free space fragmentation

40
Q
Which two HTTP header fields relate to intrusion analysis? (Choose two.)
A. user-agent
B. host
C. connection
D. language
E. handshake type
A

A. user-agent

B. host

41
Q
Which process is being utilized when IPS events are removed to improve data integrity?
A. data normalization
B. data availability
C. data protection
D. data signature
A

A. data normalization

Explanation: Data normalization is the process of intercepting and storing incoming data so it exists in one form only. This eliminates redundant data and protects the data’s integrity.

42
Q

Which of the following is one of the main goals of data normalization?
A. To save duplicate logs for redundancy
B. To purge redundant data while maintaining data integrity
C. To correlate IPS and IDS logs with DNS
D. To correlate IPS/IDS logs with firewall logs

A

B. To purge redundant data while maintaining data integrity

43
Q
When performing threat hunting against a DNS server, which traffic toward the affected domain is considered a starting point?
A. HTTPS traffic
B. TCP traffic
C. HTTP traffic
D. UDP traffic
A

D. UDP traffic

44
Q
Which two components are included in a 5-tuple? (Choose two.)
A. port number
B. destination IP address
C. data packet
D. user name
E. host logs
A

A. port number
B. destination IP address

Explanation: The source and destination addresses are primary 5-tuple components. The source address is the IP address of the host that creates and sends a data packet, and the destination address is the recipient.

45
Q

What is the definition of confidentiality according to CVSSv3 framework?

A

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.

46
Q

In the context of incident handling phases, which two activities fall under scoping? (Choose two.)
A. determining the number of attackers that are associated with a security incident
B. ascertaining the number and types of vulnerabilities on your network
C. identifying the extent that a security incident is impacting protected resources on the network
D. determining what and how much data may have been affected
E. identifying the attackers that are associated with a security incident

A

C. identifying the extent that a security incident is impacting protected resources on the network
E. identifying the attackers that are associated with a security incident

47
Q
Which feature is used to find possible vulnerable services running on a server?
A. CPU utilization
B. security policy
C. temporary internet files
D. listening ports
A

D. listening ports

48
Q
Which type of analysis assigns values to scenarios to see what the outcome might be in each scenario?
A. deterministic
B. exploratory
C. probabilistic
D. descriptive
A

A. deterministic
Explanation: Deterministic Versus Probabilistic Analysis
In deterministic analysis, all data used for the analysis is known beforehand. Probabilistic analysis, on the other hand, is done assuming the likelihood that something will or has happened, but you don’t know exactly when or how. Probabilistic methods institute powerful tools for use in many kinds of decision-making problems, in this case cybersecurity event analysis. In this type of analysis, the analysis components suggest a “probabilistic answer” to the results of the investigation, which is not a definitive result. In deterministic analysis, you know and obtain “facts” about the incident, breach, affected applications, and so on. For instance, by analyzing applications using port-based analysis and similar methods, you can assume that the process is deterministic, especially when applications conform to the specifications of the standards.

49
Q
Exhibit shows HTTP/1.1 200 OK Message
Which packet contains a file that is extractable within Wireshark?
A. 1986
B. 2318
C. 2542
D. 2317
A

C. 2542

50
Q

Which of the following are examples of some of the responsibilities of a corporate CSIRT and the policies it helps create? (Select all that apply.)
A. Scanning vendor customer networks
B. Incident classification and handling
C. Information classification and protection
D. Information dissemination
E. Record retentions and destruction

A

B. Incident classification and handling
C. Information classification and protection
D. Information dissemination
E. Record retentions and destruction

51
Q

We have performed a malware detection on the Cisco website. Which statement about the result is true?
A. The website has been marked benign on all 68 checks.
B. The threat detection needs to run again.
C. The website has 68 open threats.
D. The website has been marked benign on 0 checks.

A

A. The website has been marked benign on all 68 checks.

52
Q
Which Security Operations Center's goal is to provide incident handling to a country?
A. Coordination Center
B. Internal CSIRT
C. National CSIRT
D. Analysis Center
A

C. National CSIRT

53
Q

To which stage of the Cyber Kill Chain does attacking the vulnerability belong?

A

Exploitation

54
Q

What is a listening port?

A

A port that remains open and waiting for incoming connections

55
Q
Which type of analysis allows you to see how likely an exploit could affect your network?
A. descriptive
B. casual
C. probabilistic
D. inferential
A

C. probabilistic

56
Q
Which of the following is an example of a managed security offering where incident response experts monitor and respond to security alerts in a security operations center (SOC)?
A. Cisco CloudLock
B. Cisco's Active Threat Analytics (ATA)
C. Cisco Managed Firepower Service
D. Cisco Jasper
A

B. Cisco’s Active Threat Analytics (ATA)

57
Q
Which of the following can be identified by correlating DNS intelligence and other security events? (Choose two.)
A. Communication to CnC servers
B. Configuration issues
C. Malicious domains based on reputation
D. Routing problems
A

A. Communication to CnC servers

C. Malicious domains based on reputation

58
Q

Which of the following is not an example of weaponization?
A. Connecting to a CnC server
B. Wrapping software with a RAT
C. Creating a backdoor in an application
D. Developing an automated script to inject commands on a USB device

A

A. Connecting to a CnC server

59
Q
Which of the following are the three metrics, or "scores," of the Common Vulnerability Scoring System (CVSS)? (Select all that apply.)
A. Baseline score
B. Base score
C. Environmental score
D. Temporal score
A

B. Base score
C. Environmental score
D. Temporal score

60
Q
Which stakeholder group is responsible for containment, eradication, and recovery in incident handling?
A. facilitators
B. practitioners
C. leaders and managers
D. decision makers
A

C. leaders and managers

61
Q

Which of the following is typically a responsibility of a PSIRT?
A. Configure the organization’s firewall
B. Monitor security logs
C. Investigate security incidents in a security operations center (SOC)
D. Disclose vulnerabilities in the organization’s products and services

A

D. Disclose vulnerabilities in the organization’s products and services

62
Q
Refer to the exhibit. Which type of log is this an example of?
A. IDS log
B. proxy log
C. NetFlow log
D. syslog
A

C. NetFlow log

63
Q
Which string matches the regular expression r(ege)+x?
A. rx
B. regeegex
C. r(ege)x
D. rege+x
A

B. regeegex

64
Q

Which of the following is one of the main goals of the CSIRT?
A. To configure the organization’s firewalls
B. To monitor the organization’s IPS devices
C. To minimize and control the damage associated with incidents, provide guidance for mitigation, and work to prevent future incidents
D. To hire security professionals who will be part of the InfoSec team of the organization.

A

C. To minimize and control the damage associated with incidents, provide guidance for mitigation, and work to prevent future incidents

65
Q

What is accomplished in the identification phase of incident handling?
A. determining the responsible user
B. identifying source and destination IP addresses
C. defining the limits of your authority related to a security event
D. determining that a security event has occurred

A

D. determining that a security event has occurred

66
Q

Which option can be addressed when using retrospective security techniques?
A. if the affected host needs a software update
B. how the malware entered our network
C. why the malware is still in our network
D. if the affected system needs replacement

A

B. how the malware entered our network

67
Q

Which option creates a display filter on Wireshark on a host IP address or name?
A. ip.address == <address> or ip.network ==
B. [tcp|udp] ip.[src|dst] port
C. ip.addr == or ip.name ==
D. ip.addr == or ip.host ==

A

D. ip.addr == or ip.host ==

68
Q

Which description of a retrospective malware detection is true?
A. You use Wireshark to identify the malware source.
B. You use historical information from one or more sources to identify the affected host or file.
C. You use information from a network analyzer to identify the malware source.
D. You use Wireshark to identify the affected host or file.

A

B. You use historical information from one or more sources to identify the affected host or file.

69
Q
Incident Handling Order
Preparation
Detection and analysis
Containment, eradication and recovery
Post incident analysis
A

Preparation
Detection and analysis
Containment, eradication and recovery
Post incident analysis

70
Q
Which CVSSv3 metric value increases when the attacker is able to modify all files protected by the vulnerable component?
A. confidentiality
B. integrity
C. availability
D. complexity
A

B. integrity

71
Q
Which of the following is the team that handles the investigation, resolution, and disclosure of security vulnerabilities in vendor products and services?
A. CSIRT
B. ICASI
C. USIRP
D. PSIRT
A

D. PSIRT

72
Q

Which of the following is an example of a coordination center?
A. Cisco PSIRT
B. Microsoft MSRC
C. CERT division of the Software Engineering Institute (SEI)
D. FIRST

A

C. CERT division of the Software Engineering Institute (SEI)

73
Q
Which option has a drastic impact on network traffic because it can cause legitimate traffic to be blocked?
A. true positive
B. true negative
C. false positive
D. false negative
A

C. false positive

74
Q

Which of the following is not true about listening ports?
A. A listening port is a port held open by a running application in order to accept inbound connections.
B. Seeing traffic from a known port will identify the associated service.
C. Listening ports use values that can range between 1 and 65535.
D. TCP port 80 is commonly known for Internet traffic.

A

B. Seeing traffic from a known port will identify the associated service.

75
Q
Which CVSSv3 metric captures the level of access that is required for a successful attack?
A. attack vector
B. attack complexity
C. privileges required
D. user interaction
A

C. privileges required

76
Q
A user on your network receives an email in their mailbox that contains a malicious attachment. There is no indication that the file was run. Which category as defined in the Diamond Model of Intrusion does this activity fall under?
A. reconnaissance
B. weaponization
C. delivery
D. installation
A

C. delivery

77
Q

Which element can be used by a threat actor to discover a possible opening into a target network and can also be used by an analyst to determine the protocol of the malicious traffic?
A. TTLs
B. ports
C. SMTP replies
D. IP addresses

A

B. ports

78
Q

You notice that the email volume history has been abnormally high. Which potential result is true?
A. Email sent from your domain might be filtered by the recipient.
B. Messages sent to your domain may be queued up until traffic dies down.
C. Several hosts in your network may be compromised.
D. Packets may be dropped due to network congestion.

A

C. Several hosts in your network may be compromised.

79
Q

Which of the following are examples of some of the responsibilities of a corporate CSIRT and the policies it helps create? (Choose four.)
A. Scanning vendor customer network
B. incident classification and handling
C. Information classification and protection
D. Information dissemination
E. Record retentions and destruction

A

B. incident classification and handling
C. Information classification and protection
D. Information dissemination
E. Record retentions and destruction

80
Q
You see confidential data being exfiltrated to an IP address that is attributed to a known Advanced Persistent Threat group. Assume that this is part of a real attack and not a network misconfiguration. Which category does this event fall under as defined in the Diamond Model of Intrusion?
A. reconnaissance
B. weaponization
C. delivery
D. action on objectives
A

D. action on objectives

Explanation: An Advanced Persistent Threat group is exfiltrating confidential data, and Action on Objectives means that the adversary is inside the network and starting to achieve his or her objective for launching the attack. An adversary could use this opportunity to steal data.

81
Q

What is the difference between the deterministic and probabilistic assessment methods? (Choose two.)
A. In the deterministic method we know the facts beforehand, and in the probabilistic method we make assumptions
B. In the probabilistic method we know the facts beforehand, and in the deterministic method we make assumptions
C. The probabilistic method has an absolute nature
D. The deterministic method has an absolute nature

A

A. In the deterministic method we know the facts beforehand, and in the probabilistic method we make assumptions
D. The deterministic method has an absolute nature

82
Q
You have run a suspicious file in a sandbox analysis tool to see what the file does. The analysis report shows that outbound callouts were made post infection. Which two pieces of information from the analysis report are needed or required to investigate the callouts? (Choose two.)
A. file size
B. domain names
C. dropped files
D. signatures
E. host IP addresses
A

B. domain names

E. host IP addresses

83
Q

Which statement about threat actors is true?
A. They are any company assets that are threatened.
B. They are any assets that are threatened.
C. They are perpetrators of attacks.
D. They are victims of attacks.

A

C. They are perpetrators of attacks.

84
Q

Direct Evidence - Log that shows a command and control check-in from verified malware.
Corroborative Evidence - Firewall log showing successful communication and threat intelligence stating an IP is known to host Malware
Indirect Evidence - NetFlow based spike in DNS Traffic

A

Direct Evidence - Log that shows a command and control check-in from verified malware.
Corroborative Evidence - Firewall log showing successful communication and threat intelligence stating an IP is known to host Malware
Indirect Evidence - NetFlow based spike in DNS Traffic

85
Q
During which phase of the forensic process are tools and techniques used to extract the relevant information from the collective data?
A. examination
B. reporting
C. collection
D. investigation
A

A. examination

86
Q
You see 100 HTTP GET and POST requests for various pages on one of your web servers. The user agent in the requests contain php code that, if executed, creates and writes to a new php file on the webserver. Which category does this event fall under as defined in the Diamond Model of Intrusion?
A. delivery
B. reconnaissance
C. action on objectives
D. installation
E. exploitation
A

A. delivery

87
Q
Which of the following is not an example of the VERIS main schema categories?
A. Incident tracking
B. Victim demographics
C. Incident descriptions
D. Incident forensics ID
A

D. Incident forensics ID

88
Q
Which goal of data normalization is true?
A. Reduce data redundancy.
B. Increase data redundancy.
C. Reduce data availability.
D. Increase data availability
A

A. Reduce data redundancy.

89
Q

You receive an alert for malicious code that exploits Internet Explorer and runs arbitrary code on the site visitor’s machine. The malicious code is on an external site that is being visited by hosts on your network. Which user agent in the HTTP headers in the requests from your internal hosts warrants further investigation?
A. Mozilla/5.0 (compatible, MSIE 10.0, Windows NT 6.2, Trident 6.0)
B. Mozilla/5.0 (XII; Linux i686; rv: 1.9.2.20) Gecko/20110805
C. Mozilla/5.0 (Windows NT 6.1; WOW64; rv: 4O0) Gecko/20100101
D. Opera/9.80 (XII; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16

A

A. Mozilla/5.0 (compatible, MSIE 10.0, Windows NT 6.2, Trident 6.0)

90
Q
Which information must be left out of a final incident report?
A. server hardware configurations
B. exploit or vulnerability used
C. impact and/or the financial loss
D. how the incident was detected
A

A. server hardware configurations

91
Q
Which option is a misuse variety per VERIS enumerations?
A. snooping
B. hacking
C. theft
D. assault
A

B. hacking

92
Q
What is data mapping used for? (Choose two.)
A. data accuracy (integrity)
B. data availability
C. data normalization
D. data confidentiality
E. data visualization
A

A. data accuracy (integrity)

E. data visualization

93
Q
PCAP shows port 443 as destination port
Which application protocol is in this PCAP file?
A. TCP
B. SSH
C. HTTP
D. SSL
A

D. SSL

94
Q

In VERIS, an incident is viewed as a series of events that adversely affect the information assets of an organization. Which option contains the elements that every event is comprised of according to the VERIS incident model?
A. victim demographics, incident description, incident details, discovery & response
B. victim demographics, incident details, indicators of compromise, impact assessment
C. actors, attributes, impact, remediation
D. actors, actions, assets, attributes

A

D. actors, actions, assets, attributes

95
Q
Which element is included in an incident response plan?
A. organization mission
B. junior analyst approval
C. day-to-day firefighting
D. siloed approach to communications
A

A. organization mission
Explanation: The incident response plan should include the following elements:
– Mission
– Strategies and goals
– Senior management approval
– Organizational approach to incident response
– How the incident response team will communicate with the rest of the organization and with other organizations
– Metrics for measuring the incident response capability and its effectiveness
– Roadmap for maturing the incident response capability
– How the program fits into the overall organization

96
Q

Which component of the NIST SP800-61 r2 incident handling strategy reviews data?
A. preparation
B. detection and analysis
C. containment, eradication, and recovery
D. post-incident analysis

A

D. post-incident analysis

97
Q

Which element is part of an incident response plan?
A. organizational approach to incident response
B. organizational approach to security
C. disaster recovery
D. backups

A

A. organizational approach to incident response

98
Q
Which of the following are not components of the 5-tuple of a flow in NetFlow? (Choose two.)
A. Source IP address
B. Flow record ID
C. Gateway
D. Source port
E. Destination port
A

B. Flow record ID

C. Gateway