JasonDion Practice Exam 4 Flashcards

Question 1

Q

You are conducting an incident response and want to determine if any account-based indicators of compromise (IoC) exist on a compromised server. Which of the following would you NOT search for on the server?

A. Unauthorized sessions.
B. Failed logins.
C. Malicious processes.
D. Off-hours usage.

Answer

A

C. Malicious processes.

A malicious process is one that is running on a system and is outside the norm. This is a host-based indicator of compromise (IOC) and not directly associated with an account-based IOC. Off-hours usage, unauthorized sessions, and failed logins are all account-based examples of an IOC. Off-hours usage occurs when an account is observed to log in during periods outside of normal business hours. An attacker often uses this to avoid detection during business hours. Unauthorized sessions occur when a device or service is accessed without authorization. For example, if a limited privilege user is signed into a domain controller. A failed login might be normal if a user forgets or incorrectly types their password, but repeated failures for one account could also be an indication of an attacked to crack a user’s password.

Question 2

Q

Which role validates the user’s identity when using SAML for authentication?

A. User agent
B. IdP
C. SP
D. RP

Answer

A

B. IdP

The IdP provides the validation of the user’s identity. Security assertions markup language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP. The principal’s User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal’s credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.

Question 3

Q

Which of the following techniques listed below are not appropriate to use during a passive reconnaissance exercise against a specific target company?

A. Registrar checks.
B. Banner grabbing.
C. BGP looking glass usage.
D. WHOIS lookups.

Answer

A

B. Banner grabbing.

Banner grabbing requires a connection to the host to grab the banner successfully. This is an active reconnaissance activity. All other options are considered passive processes and typically use information retrieved from third-parties that do not directly connect to an organization’s remote host.

Question 4

Q

You are searching a Linux server for a possible backdoor during a forensic investigation. Which part of the file system should you search for evidence of a backdoor related to a Linux service?

A. /etc/passwd
B. /etc/shadow/
C. $HOME/.ssh/
D. /etc/xinetd.conf

Answer

A

D. /etc/xinetd.conf

Linux services are started by xinetd, but some new versions use sytemctl. Therefore, the /etc/xinetd.conf should be analyzed for any evidence of a backdoor being started as part of the Linux services. Both the /etc/passwd and /etc/shadow files contain configurations specifically associated with individual user accounts. The /home/.ssh directory contains SSH keys for SSH-based logins.

Question 5

Q

Barrett needs to verify settings on a macOS computer to ensure that the configuration he expects is currently set on the system. What type of file is commonly used to store configuration settings for a macOS system?

A. .profile files
B. plists
C. .config files
D. The registry

Answer

A

B. plists

Preference and configuration files in macOS use property lists (plists) to specify the attributes, or properties, of an app or process. An example is the preferences plist for the Finder in the Library/Preferences/ folder of a user’s home folder. The file is named com.apple.finder.plist. The registry is used to store registration configuration settings on Windows systems. A profile (.profile) file is a UNIX user’s start-up file, like the autoexec.bat file of DOS. A configuration (.config) file is a configuration file used by various applications containing plain text parameters that define settings or preferences for building or running a program. This is commonly used in Windows systems.

Question 6

Q

You have been given access to a Windows system located on an Active Directory domain as part of a white box penetration test. Which of the following commands would provide information about other systems on this network?

A. net use
B. net config
C. net group
D. net user

Answer

A

A. net use

The net use command will list network shares that the workstation is using. This will help to identify file servers and print servers on the network. The net group command can only be used on domain controllers. The net config command will allow servers and workstations services to be controlled once they have already been identified. The net user command would show any user accounts on the local Windows workstation you are using.

Question 7

Q

In order to improve efficiency in your security operations, you want to minimize human engagement. Which of the following actions would be most effective in achieving this goal?

A. Implementing automation for routine tasks.
B. Increasing the number of security platforms.
C. Reducing staff training.
D. Limiting access to systems.

Answer

A

A. Implementing automation for routine tasks.

Automating routine tasks can help reduce the need for human engagement in security operations. It also allows staff to focus on higher-level tasks that require human judgment. Reducing staff training might lead to more errors and lower efficiency, as staff may not be up-to-date on latest trends and threats. Using multiple security platforms can lead to siloed information and an increased need for human engagement to manage and coordinate between the platforms. Limiting access can improve security but might not necessarily reduce the need for human engagement. In fact, it might increase the need for human oversight to manage access control.

Question 8

Q

You are analyzing the following network utilization report because you suspect one of the servers has been compromised.

-=-=-=-=-=–=-=-=-=-=–=-=-=-=-=–=-=-=-=-=–=-=-=-=-=–=-=-=-=-=-
IP Address Name Uptime Historical Current
192.168.20.2 web01 7D 12H 32M 06S 42.6 GB 44.1 GB
192.168.20.3 webdev02 4D 07H 12M 45S 1.95 GB 2.13 GB
192.168.20.4 dbsvr01 12D 02H 46M 14S 3.15 GB 24.6 GB
192.168.20.5 marketing01 2D 17H 18M 41S 5.2 GB 4.9 GB
-=-=-=-=-=–=-=-=-=-=–=-=-=-=-=–=-=-=-=-=–=-=-=-=-=–=-=-=-=-=-

Based on the report above, which of the following servers do you suspect has been compromised and should be investigated further?

A. webdev02
B. web01
C. dbsvr01
D. marketing01

Answer

A

C. dbsvr01

Due to the considerable increase in network utilization on dbsvr01, it should be suspected of compromise and further investigated. The server has a historical average utilization of only 3.15 GB per month, but this month there has been an increase to 24.6 GB of usage. This increase is nearly 8x more than the previous month when all of the other servers stayed relatively constant. This indicates a possible compromise of the database server (dbsvr01) and a data breach or data exfiltration.

Question 9

Q

Considering a scenario where an international space station’s proprietary operational software is discovered to have numerous zero-day and critical vulnerabilities, why would the unique implications of these specific vulnerabilities in such a high-stakes and isolated environment necessitate an immediate and expedited response?

A. Multiple zero-day and critical vulnerabilities implies a need for staff training on new software.
B. To empathize the need for higher internet bandwidth.
C. A large number of zero-day and critical vulnerabilities means that the system is becoming more secure.
D. These type of vulnerabilities pose the highest risk to the environment.

Answer

A

D. These type of vulnerabilities pose the highest risk to the environment.

These vulnerabilities are often exploitable, posing a severe threat to the system, and therefore require immediate remediation efforts. In reality, these vulnerabilities represent significant security risks and should be addressed immediately. While sufficient internet bandwidth is important, the discovery of critical vulnerabilities requires immediate security actions, not bandwidth upgrades. While staff training is a crucial aspect of maintaining a secure environment, the urgent need in this situation is to address the vulnerabilities.

Question 10

Q

You’re examining system logs for potential security incidents when you encounter the following command: nc -lvnp 4444 -e /bin/bash What does this command suggest?

A. SQL Injection
B. Potential Reverse Shell
C. XSS Attack
D. Directory Traversal

Answer

A

B. Potential Reverse Shell

The command represents a potential reverse shell using Netcat (nc). It listens (-l) verbosely (-v) on port 4444 (-p 4444) and executes the /bin/bash shell when a connection is made (-e /bin/bash). Cross-Site Scripting (XSS) involves injecting malicious scripts into trusted websites. This scenario involves shell commands, not web-based script injection. Directory traversal involves navigating through a filesystem and is not represented in this command. SQL injection involves the exploitation of a security vulnerability in an application’s database layer. This situation involves shell commands, not SQL statements.

Question 11

Q

During your review of the firewall logs, you notice that an IP address from within your company’s server subnet had been transmitting between 125 to 375 megabytes of data to a foreign IP address overnight each day. You have determined this has been occurring for approximately 5 days, and the affected server has since been taken offline for forensic review. Which of the following is MOST likely to increase the impact assessment of the incident?

A. Forensic review of the server required fallback to a less efficient service.
B. PII of company employees and customers was exfiltrated.
C. IP addresses and other network-related configurations were exfiltrated.
D. Raw financial information about the company was accessed.

Answer

A

B. PII of company employees and customers was exfiltrated.

If the PII (Personally Identifiable Information) of the company’s employees or customers were exfiltrated or stolen during the compromise, this would increase the incident’s impact assessment. Loss of PII is a big issue for corporations and one that might garner media attention. While all of the options presented here are bad things that could increase the impact of the assessment, loss of PII is considered the MOST likely to increase the impact dramatically. Depending on the company’s size or organization, there may also be mandatory reporting requirements, fines, or restitution that must be paid.

Question 12

Q

Your organization is preparing for its required quarterly PCI DSS external vulnerability scan. Who is authorized to perform this scan?

A. Only employees of the company.
B. Any qualified individual.
C. Anyone.
D. Only an approved scanning vendor.

Answer

A

D. Only an approved scanning vendor.

The Payment Card Industry Data Security Standard (PCI DSS) is a prescriptive framework. It is not a law but a formal policy created by the credit card industry that organizations must follow to accept credit and bank cards for payment. Quarterly required external vulnerability scans must be run by a PCI DSS approved scanning vendor (ASV). This question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!

Question 13

Q

You are troubleshooting a network connectivity issue and need to determine the packet’s flow path from your system to the remote server. Which of the following tools would best help you identify the path between the two systems?

A. tracert
B. nbtstat
C. netstat
D. ipconfig

Answer

A

A. tracert

The TRACERT (trace route) diagnostic utility determines the route to a destination by sending Internet Control Message Protocol (ICMP) echo packets to the destination. In these packets, TRACERT uses varying IP Time-To-Live (TTL) values. When the TTL on a packet reaches zero (0), the router sends an ICMP “Time Exceeded” message back to the source computer. The ICMP “Time Exceeded” messages that intermediate routers send back show the route. The ipconfig tool displays all current TCP/IP network configuration values on a given system. The netstat tool is a command-line network utility that displays network connections for Transmission Control Protocol, routing tables, and some network interface and network protocol statistics on a single system. The nbtstat command is a diagnostic tool for NetBIOS over TCP/IP used to troubleshoot NetBIOS name resolution problems.

Question 14

Q

Your security team is analyzing a recent cyber attack on your organization’s network. They want to understand the attacker’s behavior, tactics, techniques, and procedures. Which framework is BEST suited for this purpose?

A. MITRE ATT&CK
B. OWASP Testing Guide
C. Diamond Model of Intrusion Analysis
D. Cyber Kill Chain

Answer

A

A. MITRE ATT&CK

The MITRE ATT&CK framework provides a comprehensive matrix of tactics, techniques, and procedures (TTPs) used by attackers, making it a powerful tool for understanding attacker behavior. The Diamond Model focuses on the relationship between the adversary, victim, infrastructure, and capability, rather than the detailed tactics, techniques, and procedures used by the attacker. While the Cyber Kill Chain can provide some insight into an attacker’s actions, it primarily describes the linear progression of a cyberattack, not the detailed tactics, techniques, and procedures used. The OWASP Testing Guide is focused on web application security testing, not on understanding attacker behavior.

Question 15

Q

Which of the following types of capabilities would an adversary need to identify and exploit zero-day vulnerabilities?

A. Developed
B. Integrated
C. Advanced
D. Acquired and augmented

Answer

A

A. Developed

According to the MITRE ATT&CK framework, developed capabilities can identify and exploit zero-day vulnerabilities. Acquired and augmented refers to the utilization of commodity malware and techniques (i.e., script kiddies). Advanced capabilities refer to those that can introduce vulnerabilities through the supply chain in proprietary and open-source products. Integrated capabilities involve non-cyber tools such as political or military assets.

Question 16

Q

Which of the following roles should be assigned to the incident response team? (SELECT FOUR)

A. Human resources
B. Legal
C. Public relations
D. Facility maintenance
E. Accounting
F. Management

Answer

A

A. Human resources
B. Legal
C. Public relations
F. Management

Human Resources has a role to play in that the discoveries made during incident handling may affect employees and employment law. Privacy concerns regarding how to intercept and monitor data may also necessitate HR and Legal involvement. For various reasons, the company may decide to go public with the knowledge of the breach. Therefore, public relations personnel are needed. Management has a crucial role to play in being able to allocate resources to remediate the incident. System administrators and security analysts should also be on the team since they know what constitutes a normal baseline for the systems. In general, positions such as facility maintenance and accounting are not required as part of the core incident response team. In special circumstances, though, they may be asked to augment the team. For example, if a breach of a SCADA/ICS system occurs, the facility maintenance employee who operates and services the machine might be a useful addition. Similarly, if a payroll or accounting system was breached, having an accounting department representative could help the response and remediation efforts.

Question 17

Q

Which of the following techniques would allow an attacker to get a full listing of your internal DNS information if your DNS server is not properly secured?

A. Split horizon
B. DNS poisoning
C. Zone transfers
D. FQDN resolution

Answer

A

C. Zone transfers

A DNS zone transfer provides a full listing of DNS information. If your organization’s internal DNS server is improperly secured, an attacker can gather this information by performing a zone transfer. Fully qualified domain name (FQDN) resolution is a normal function of DNS that converts a domain name like www.diontraining.com to its corresponding IP address. Split horizon is a method of preventing a routing loop in a network. DNS poisoning is a type of attack which uses security gaps in the Domain Name System (DNS) protocol to redirect internet traffic to malicious websites.

Question 18

Q

What is a buffer overflow vulnerability?

A. A weakness allowing an attacker to overflow an application’s buffer, causing it to crash or execute arbitrary code.
B. An issue with a website’s user interface.
C. A problem with the encryption of data.
D. An issue with the database query operation.

Answer

A

A. A weakness allowing an attacker to overflow an application’s buffer, causing it to crash or execute arbitrary code.

A buffer overflow vulnerability indeed allows an attacker to overflow the buffer, possibly leading to a crash or the execution of arbitrary code. Database query operations might be vulnerable to SQL Injection, not buffer overflows. While important for user experience and potential phishing attacks, user interface issues are not directly related to buffer overflow vulnerabilities. Encryption problems are related to cryptography, not buffer overflow vulnerabilities.

Question 19

Q

You are analyzing the logs of a forensic analyst’s workstation and see the following:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
root@DionTraining:/home# dd if=/dev/sdc of=/dev/sdb bs=1M count=1000
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

What does the bs=1M signify in the command list above?

A. Removes error messages and other incorrect data.
B. Sends output to a blank sector.
C. Sets the block size.
D. Sets the beginning sector.

Answer

A

C. Sets the block size.

The dd command is used in forensic data acquisition to forensically create a bit by bit copy of a hard drive to a disk image. The bs operator sets the block size when using the Linux dd command. This question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!

Question 20

Q

Dion Training wants to require students to logon using multifactor authentication in an effort to increase the security of the authorization and authentication process. Currently, students login to diontraining.com using a username and password. What proposed solution would best meet the goal of enabling multifactor authentication for the student login process?

A. Require students to create a unique pin that is entered after their username and password are accepted.
B. Require students to enter a unique six-digit number that is sent to them by SMS after entering their username and password.
C. Require students to enter a cognitive password requirement (such as ‘What is your dog’s name?’).
D. Require students to choose an image to serve as a secondary password after logon.

Answer

A

B. Require students to enter a unique six-digit number that is sent to them by SMS after entering their username and password.

All of the options presented are knowledge factors (something you know) except the six-digit number sent by SMS to your smartphone. This SMS sent number is an example of a possession factor or something you have. In this case, it verifies you have your smartphone. By combining this possession factor with the already in use knowledge factor (username and password), you can establish multifactor security for the login process.

Question 21

Q

Which of the following type of solutions would you classify an FPGA as?

A. Root of trust.
B. Hardware security module.
C. Anti-tamper.
D. Trusted platform module.

Answer

A

C. Anti-tamper.

A field-programmable gate array (FPGA) is an anti-tamper mechanism that makes use of a type of programmable controller and a physically unclonable function (PUF). The PUF generates a digital fingerprint based on the unique features of the device. This means that tampering with a device, such as removing the chip or adding an unknown input/output mechanism, can be detected. A remedial action like using zero-filling cryptographic keys can be performed automatically. A hardware security module (HSM) is an appliance for generating and storing cryptographic keys. It is a solution that may be less susceptible to tampering and insider threats than a traditional software-based storage solution. A trusted platform module (TPM) is a specification for hardware-based storage of digital certificates, cryptographic keys, hashed passwords, and other user and platform identification information. A hardware root of trust (RoT) or trust anchor is a secure subsystem that can provide attestation to declare something as true.

Question 22

Q

During a vulnerability scan, you notice that the hostname www.diontraining.com is resolving to www.diontraining.com.akamized.net instead. Based on this information, which of the following do you suspect is true?

A. The scan will not produce any useful information.
B. The server assumes you are conducting a DDoS attack.
C. You are scanning a CDN-hosted copy of the site.
D. Nothing can be determined about this site with the information provided.

Answer

A

C. You are scanning a CDN-hosted copy of the site.

This result is due to the company using a distributed server model that hosts content on Edge servers worldwide as part of a CDN. A content delivery network (CDN) is a geographically distributed network of proxy servers and their data centers that provide high availability and performance by distributing the service spatially relative to end-users. The requested content may be served from the Edge server’s cache or pull the content from the main diontraining.com servers. If you are scanning a web server or application hosted with a CDN, you need to be aware that you might be scanning an edge copy of the site and not receive accurate results. While an edge server usually maintains static content, it is still useful to determine if any vulnerabilities exist in that portion of the site content. Distributed denial-of-service (DDoS) attacks range from small and sophisticated to large and bandwidth-busting. While Akamai does provide excellent DDoS protection capabilities, nothing in this question indicates that the server is attempting to stop your scans or is assuming you are conducting a DDoS attack against it.

Question 23

Q

Which party in a federation provides services to members of the federation?

A. SAML
B. SSO
C. RP
D. IdP

Answer

A

C. RP

Relying parties (RPs) provide services to members of a federation. An identity provider (IdP) provides identities, makes assertions about those identities, and releases information about the identity holders. The Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties between an identity provider and a service provider (SP) or a relying party (RP). Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related yet independent software systems across a federation. SAML and SSO are not parties. Therefore, they cannot possibly be the right answer to this question.

Question 24

Q

In the Colonial Pipeline ransomware attack, the DarkSide ransomware group fulfilled their intent by encrypting files and demanding a ransom. Which phase of the Cyber Kill Chain does this represent?

A. Command and Control
B. Reconnaissance
C. Actions and Objectives
D. Weaponization

Answer

A

C. Actions and Objectives

The Actions and Objectives phase of the Cyber Kill Chain involves fulfilling the adversary’s intent, such as data exfiltration, data destruction, or encryption for ransom. This is represented in the Colonial Pipeline attack by the DarkSide ransomware group encrypting files and demanding a ransom. Reconnaissance involves gathering information about the target system, not fulfilling the adversary’s intent. Weaponization involves creating a malicious payload, not fulfilling the adversary’s intent. Command and Control involves maintaining communication with the compromised system, not fulfilling the adversary’s intent.

Question 25

Q

Your company has noticed a significant increase in the mean time to detect (MTTD) and mean time to respond (MTTR) to incidents. What is a potential impact of these increased metrics?

A. It improves the company’s public image.
B. It increases the legal protection against cyber attacks.
C. It results in a decrease in security alert volume.
D. It might lead to a greater impact of security incidents.

Answer

A

D. It might lead to a greater impact of security incidents.

An increase in MTTD and MTTR suggests a slower reaction to incidents, which can allow threats to cause more damage before they are detected and addressed. These metrics don’t provide legal protection. They measure organizational effectiveness in detecting and responding to incidents. MTTD and MTTR metrics don’t directly impact the volume of security alerts. They measure the speed of detection and response. Increased MTTD and MTTR are unlikely to improve a company’s public image; in fact, they might harm the company’s reputation if they result in a significant breach.

Question 26

Q

Your organization has experienced a cyber attack that exploited a zero-day vulnerability. After the incident, what action would provide the MOST valuable insights to prevent similar attacks in the future?

A. Immediate public disclosure of the incident.
B. Increased frequency of law enforcement communication.
C. Increased alert volume.
D. Root cause analysis.

Answer

A

D. Root cause analysis.

Conducting a root cause analysis can help understand how the vulnerability was exploited, which is key to preventing similar attacks in the future. While transparency is important, immediate public disclosure without a comprehensive understanding of the situation might not prevent future attacks and could even lead to additional issues. Merely increasing the alert volume may not help prevent future attacks. It’s more important to understand the nature of the attack and take targeted actions. Communicating with law enforcement might help with the investigation but wouldn’t necessarily prevent similar attacks in the future.

Question 27

Q

You are investigating traffic involving three separate IP addresses (192.168.66.6, 10.66.6.10, and 172.16.66.1). Which REGEX expression would you use to be able to capture ONLY those three IP addresses in a single statement?

A. \b[192.168.66.6]|[10.66.6.10]|[172.16.66.1]\b
B. \b(192.168.66.6)+(10.66.6.10)+(172.16.66.1)\b
C. \b[192.168.66.6]+[10.66.6.10]+[172.16.66.1]\b
D. \b(192.168.66.6)|(10.66.6.10)|(172.16.66.1)\b

Answer

A

D. \b(192.168.66.6)|(10.66.6.10)|(172.16.66.1)\b

The correct option is \b(192.168.66.6)|(10.66.6.10)|(172.16.66.1)\b, which uses parenthesis and “OR” operators (|) to delineate the possible whole-word variations of the three IP addresses. Using square braces indicates that any of the letters contained in the square braces are matching criteria. Using the + operator indicates an allowance for one more instance of the preceding element. In all cases, the period must have an escape () sequence preceding it as the period is a reserved operator internal to REGEX.

Question 28

Q

John is a cybersecurity consultant that wants to sell his services to an organization. In preparation for his first meeting with the client, John wants to conduct a vulnerability scan of their network to show the client how much they need his services. What is the most significant issue with John conducting this scan of the organization’s network?

A. John does not have permission to perform the scan.
B. The client’s infrastructure design is unknown to John.
C. John does not know what operating systems and applications are in use.
D. The IP range of the client systems is unknown by John.

Answer

A

A. John does not have permission to perform the scan.

All options listed are an issue, but the most significant issue is that John does not have the client’s permission to perform the scan. A vulnerability scan may be construed as a form of reconnaissance, penetration testing, or even an attack on the organization’s systems. A cybersecurity analyst should never conduct a vulnerability scan on another organization’s network without explicit written permission. In some countries, a vulnerability scan against an organization’s network without their permission is considered a cybercrime and could result in jail time for the consultant.

Question 29

Q

Which of the following Wireshark filters should be applied to a packet capture to detect applications that send passwords in cleartext to a REST API located at 10.1.2.3?

A. http.request.method==”POST”
B. ip.proto==tcp
C. ip.dst==10.1.2.3
D. http.request.method==”POST” && ip.dst==10.1.2.3

Answer

A

D. http.request.method==”POST” && ip.dst==10.1.2.3

Filtering the available PCAP with just the http “post” methods would display any data sent when accessing a REST API, regardless of the destination IP. Filtering the available PCAP with just the desired IP address would show all traffic to that host (10.1.2.3). Combining both of these can minimize the data displayed to only show things posted to the API located at 10.1.2.3. The ip.proto==tcp filter would display all TCP traffic on a network, regardless of the port, IP address, or protocol being used. It would simply produce too much information to analyze.

Question 30

Q

Which term defines the collection of all points from which an adversary could interact with a system and cause it to function in a way other than how it was designed?

A. Attack surface
B. Threat model
C. Adversary capability set
D. Attack vector

Answer

A

A. Attack surface

The collection of all points from which an adversary may attack is considered the attack surface. The attack vector represents the specific points an adversary has chosen for a particular attack. The threat model defines the behavior of the adversary. An adversary capability set is the list of items an adversary can use to conduct their attack.

Question 31

Q

You are an analyst and have been asked to review and categorize the following output from a packet analysis in Wireshark:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Source Destination Protocol Length Info

192.168.3.145 4.4.2.2 DNS 74 Standard query 0xaed A test.diontraining.com

4.4.2.2 192.168.3.145 DNS 90 Standard query response 0x3aed A test.diontraining.com A 173.12.15.23

192.168.3.145 173.12.15.23 TCP 78 48134 -80 [SYN] seq=0 Win=65635 Len=0 MSS=1426 WS=16 TSVal=486234134 Tsecr=0 SACK_PERM=1

173.12.15.23 192.168.3.145 TCP 78 80-48134 [SYN,ACK] seq=0 Ack=1 Win=65535 Len=0 MSS=1426 WS=4 TSVal=0 Tsecr=0 SACK_PERM=1 a1=486234134 Tsecr=240612

192.168.3.145 192.168.3.255 NBNS 92 Namequery NB WORKGROUP

34.250.23.14 192.168.3.145 TCP 60 443 - 48134 [RST] Seq=1 Win=0 Len=0

Based on your review, what does this scan indicate?

A. 192.168.3.145 might be infected with malware.
B. 173.12.15.23 might be infected with malware.
C. 192.168.3.145 might be infected and beaconing to a C2 server.
D. 173.12.15.23 might be infected and beaconing to a C2 server.
E. This appears to be normal network traffic.

Answer

A

E. This appears to be normal network traffic.

This appears to be normal network traffic. The first line shows that a DNS lookup was performed for a website (test.diontraining.com). The second line shows the response from the DNS server with the IP address of the website. The third line begins a three-way handshake between an internal host and the website. The fourth line is the SYN-ACK response from the website to the internal host as part of this handshake. The fifth line is a standard Windows NetBIOS query within the local area network to translate human-readable names to local IP addresses. The sixth and seventh lines appear to be inbound requests to port 443 and port 8080, both of which were sent the RST by the internal host’s firewall since it is not running those services on the host. None of this network traffic appears to be suspicious.

Question 32

Q

An independent cybersecurity researcher has contacted your company to prove a buffer overflow vulnerability exists in one of your applications. Which technique would have been most likely to identify this vulnerability in your application during development?

A. Pair programming
B. Dynamic code analysis
C. Static code analysis
D. Manual Peer Review

Answer

A

C. Static code analysis

Buffer overflows are most easily detected by conducting a static code analysis. Manual peer review or pair programming methodologies might have been able to detect the vulnerability. Still, they do not have the same level of success as a static code analysis using proper tools. DevSecOps methodology would also improve the likelihood of detecting such an error but still rely on a human to human interactions and human understanding of source code to detect the fault. Dynamic code analysis also may have detected this if the test found exactly the right condition. Still, again, a static code analysis tool is designed to find buffer overflows more effectively.

Question 33

Q

Matt is creating a scoping worksheet for an upcoming penetration test for his organization. Which of the following techniques is NOT usually included in a penetration test?

A. Denial-of-service attacks
B. Reverse Engineering
C. Social Engineering
D. Physical penetration attempts

Answer

A

A. Denial-of-service attacks

A denial-of-service or DoS attack isn’t usually included as part of a penetration test. This type of attack contains too much risk for an organization to allow it to be included in an assessment scope. Social engineering, physical penetration attempts, and reverse engineering are all commonly included in a penetration test’s scope.

Question 34

Q

Your company was recently the victim of a cross-site scripting attack. The system administrators claim this wasn’t possible since they performed input validation using REGEX to alert on any strings that contain the term “[Ss]cript” in them. Which of the following statements concerning this attack is true?

A. The attacker has modified the logs to cover their tracks and prevent a successful investigation.
B. An SQL injection must have occurred since their input validation would have prevented.
C. The REGEX expression to filter using “[Ss]cript” is insufficient. As an attacker could use SCRIPT or SCRipt or %53CrIPT to evaded it.
D. The server has insufficient logging and monitoring configured.

Answer

A

C. The REGEX expression to filter using “[Ss]cript” is insufficient. As an attacker could use SCRIPT or SCRipt or %53CrIPT to evaded it.

The most likely explanation is that the REGEX filter was insufficient to eliminate every single possible cross-site scripting attack that could occur. Since cross-site scripting relies on the HTML tags to launch, the system administrators had a good idea of creating input validation using a REGEX for those keywords. Unfortunately, they forgot to include a more inclusive version of this REGEX to catch all variants. For example, simply using [Ss][Cc][Rr][Ii][Pp][Tt] would have been much more secure, but even this would miss %53CrIPT would evade this filter. To catch all the letter S variants, you would need to use [%53%%73Ss], which includes the capital S in hex code, the lower case s in hex code, the capital S, and the lowercase s. While it is possible that an attacker used an SQL injection instead, their REGEX input validation would still have allowed a cross-site scripting attack to occurs, so this option must be eliminated. As for the logging options, both are possible in the real world, but they do not adequately answer this scenario. The obvious flaw in their input validation is their REGEX filter.

Question 35

Q

Upper management at DionTech Innovations has noticed that its employees frequently download potentially harmful attachments from phishing emails. What should the company do to mitigate this risk?

A. Purchase new email software.
B. Make employees sign a liability waiver for potential damages from phishing attacks.
C. Conduct regular training sessions to teach employees how to recognize and avoid phishing emails.
D. Fire all employees who download harmful attachments.

Answer

A

C. Conduct regular training sessions to teach employees how to recognize and avoid phishing emails.

Regular training plays a crucial role in mitigating the risk of employees falling victim to phishing attacks. By providing ongoing education and awareness programs, employees can become more knowledgeable about the tactics and techniques used in phishing attempts. This training equips them with the skills to recognize and report suspicious emails, links, or requests, thereby reducing the likelihood of falling for phishing scams. While this might discourage careless behavior, it does not equip employees with the knowledge to avoid phishing attempts. While this may seem like a direct solution, it is not practical or effective in the long term. Education is a more effective approach. While certain software may offer better spam filters, it cannot fully prevent phishing attempts, which often rely on social engineering.

Question 36

Q

What is the significance of root cause analysis in the aftermath of a security incident?

A. It is used for assigning blame for the incident.
B. It helps in recovering data lost during the incident.
C. It provides a basis for communicating with the media.
D. It aids in understanding the factors that led to the incident, helping to prevent occurrences in the future.

Answer

A

D. It aids in understanding the factors that led to the incident, helping to prevent occurrences in the future.

Root cause analysis is crucial for understanding what caused the incident, enabling organizations to implement measures to prevent similar incidents from happening in the future. The main goal of root cause analysis is not to assign blame, but to understand what led to the incident so that similar issues can be prevented. Root cause analysis does not directly assist in data recovery. It focuses on understanding the cause of the incident. While findings from root cause analysis may be used to inform communications, its primary purpose is not to provide a basis for media interaction.

Question 37

Q

You are reverse engineering a piece of malware recovered from a retailer’s network for analysis. They found that the malicious code was extracting track data from their customer’s credit cards during processing. Which of the following types of threats would you classify this malware as?

A. Keylogger
B. Rootkit
C. POS malware
D. Ransomware

Answer

A

C. POS malware

Point-of-sale malware (POS malware) is usually a type of malicious software (malware) that is used by cybercriminals to target point of sale (POS) and payment terminals with the intent to obtain credit card and debit card information, a card’s track 1 or track 2 data and even the CVV code, by various man-in-the-middle attacks, that is the interception of the processing at the retail checkout point of sale system. Ransomware is a type of malware that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. Keyloggers are a type of monitoring software designed to record keystrokes made by a user. These keyloggers can record the information you type into a website or application and send to back to an attacker. A rootkit is a malware class that modifies system files, often at the kernel level, to conceal its presence.

Question 38

Q

You are working as a junior cybersecurity analyst and utilize a SIEM to support investigations into ongoing incidents. The SIEM is configured to collect data from numerous sources across the network, including network sensors, routers, switches, firewalls, hosts, and servers. Unfortunately, due to the number of data sources, you have data about a particular event being detected by different sensors and devices. Which of the following must you ensure to make sense of all the data being collected by your SIEM before analyzing it?

A. Data recovery
B. Data correlation
C. Data sanitization
D. Data retention

Answer

A

B. Data correlation

Data correlation is the first step in making sense of data from across numerous sensors. This will ensure the data is placed concerning other pieces of data within the system. For example, if your IDS detected an incident, host logs were collected, and your packet capture system collected the network traffic, the SIEM could be used to correlate all three pieces of information from these different systems to allow an analyst to understand the event better. By conducting data correlation, it allows an analyst to identify a pattern more clearly and take action. Data correlation should be performed as soon as the SIEM indexes the data.

Question 39

Q

How could a company’s reluctance to interrupt its business processes potentially impact its vulnerability management?

A. Enhancing the effectiveness of the company’s marketing strategies.
B. Boosting employee productivity during work hours.
C. Leading to postponed or overlooked system updates and patches.
D. Increasing the company’s overall market share.

Answer

A

C. Leading to postponed or overlooked system updates and patches.

Avoiding interruptions could cause delays or oversights in system maintenance, including the application of important updates and patches. While avoiding interruptions may maintain productivity, it doesn’t directly impact vulnerability management. Business process continuity does not have a direct correlation with the effectiveness of marketing strategies. While uninterrupted operations may contribute to business success, this is not directly related to vulnerability management.

Question 40

Q

As a cybersecurity analyst conducting vulnerability scans, you have just completed your first scan of an enterprise network comprising over 10,000 workstations. As you examine your findings, you note that you have less than 1 critical finding per 100 workstations. Which of the following statement does BEST explain these results?

A. The network has an exceptionally strong security posture.
B. The scanner failed to connect with the majority of workstations.
C. An uncredentialled scan of the network was performed.
D. The scanner was not compatible with the devices on your network.

Answer

A

C. An uncredentialled scan of the network was performed.

Uncredentialled scans are generally unable to detect many vulnerabilities on a device. When conducting an internal assessment, you should perform an authenticated (credentialed) scan of the environment to most accurately determine the network’s vulnerability posture. In most enterprise networks, if a vulnerability exists on one machine, it also exists on most other workstations since they use a common baseline or image. If the scanner failed to connect to the workstations, an error would have been generated in the report.

Question 41

Q

A company has recently experienced a data breach and has lost nearly 1 GB of personally identifiable information about its customers. You have been assigned as part of the incident response team to identify how the data was leaked from the network. Your team has conducted an extensive investigation, and so far, the only evidence of a large amount of data leaving the network is from the email server. One user has sent numerous large attachments out of the network to their personal email address. Upon closer inspection, those emails only contain pictures of that user’s recent trip to Australia. What is the most likely explanation for how the data left the network?

A. The data was encrypted and emailed it to their spouse’s email account.
B. Steganography was used to hide the leaked data inside the user’s photos.
C. The files were downloaded from home while connected to the corporate VPN.
D. The data was hashed and then emailed to their personal email account.

Answer

A

B. Steganography was used to hide the leaked data inside the user’s photos.

The most likely explanation is that the user utilized steganography to hide the leaked data inside their trip photos. Steganography is the process of hiding one message inside another. By hiding the customer’s information within the digital photos, the incident response team would not see the data being hidden without knowing to look for it inside the seemingly benign pictures from the trip. The scenario did not mention whether or not the user connected to the corporate VPN from their home, and the company should log all VPN connections, so this is not the correct answer. Additionally, the user could not hash the data and email it to themselves without losing the information since hashes are a one-way algorithm. Therefore, even if the user had the hash value, they still would not have the customers’ personal information. Finally, according to the scenario, the user’s email showed no evidence of encrypted files being sent

Question 42

Q

Taylor needs to sanitize hard drives from some leased workstations before returning them to a supplier at the end of the lease period. The workstations’ hard drives contained sensitive corporate data. Which is the most appropriate choice to ensure that data exposure doesn’t occur during this process?

A. Clear, validate, and document the sanitization of the drives.
B. Purge, validate, and document the sanitization of the drives.
C. The drives must be destroyed to ensure no data loss.
D. Clear the drives.

Answer

A

B. Purge, validate, and document the sanitization of the drives.

Purging the drives, validating that the purge was effective, and documenting the sanitization is the best response. Purging includes methods that eliminate information from being feasibly recovered even in a lab environment. For example, performing a cryptographic erasure (CE) would sanitize and purge the drives’ data without harming the drives themselves. Clearing them leaves the possibility that some tools would allow data recovery. Since the scenario indicates that these were leased drives that must be returned at the end of a lease, they cannot be destroyed.

Question 43

Q

What type of malware changes its binary pattern in its code on specific dates or times to avoid detection by antimalware software?

A. Polymorphic virus
B. Ransomware
C. Trojan
D. Logic bomb

Answer

A

A. Polymorphic virus

A polymorphic virus alters its binary code to avoid detection by antimalware scanners that rely on signature-based detection. By changing its signature, the virus can avoid detection.

Question 44

Q

During which phase of the Cyber Kill Chain would an attacker transmit the malicious payload to the victim, typically via email, web, or USB?

A. Command and Control
B. Delivery
C. Installation
D. Reconnaissance

Answer

A

B. Delivery

The delivery phase of the Cyber Kill Chain involves transmitting the malicious payload to the victim. Command and Control involves maintaining communication with the compromised system, not delivering the malicious payload. Reconnaissance involves gathering information about the target system, not delivering the malicious payload. Installation involves the payload setting up a foothold on the compromised system, not delivering the malicious payload.

Question 45

Q

You are a security analyst at Dion Training Labs and have noticed an employee logging into the company’s secure system from Tokyo, then again from Paris just 30 minutes later. What security alert does this scenario best represent?

A. Impossible Travel
B. Pattern Recognition
C. Interpreting Suspicious Commands
D. AbuseIPDB

Answer

A

A. Impossible Travel

This alert indicates that a user’s account has been used to log in from two distant locations within a time frame shorter than the possible travel time between the locations, signaling potential unauthorized access. AbuseIPDB is a tool used to check IP addresses for reported malicious activity, it would not necessarily detect geographically improbable logins based on the information available. Interpreting suspicious commands is a useful skill for identifying potentially malicious actions on a system, but it’s not directly related to detecting geographically improbable logins. Pattern recognition involves identifying repeating trends or anomalies in data, which might not directly relate to this specific scenario of geographically improbable logins.

Question 46

Q

CIO has recently made a purchasing decision to install a new security appliance that will automatically sandbox all attachments as they enter the enterprise network to run dynamic and static code analysis on them. Which of the following questions about the appliance should you consider as the SOC manager responsible for operating this new appliance for the company? (SELECT FOUR)

A. Will the device inadvertently alter anyone’s data when it is analyzed in the sandbox?
B. How will the appliance receive updated signatures and scanning engines?
C. How will the appliance receive security patches and updates?
D. Will the security appliance violate your employee’s right to privacy?
E. Do you have security personnel and procedures in place to review the output from this appliance and take action where appropriate?
F. Does the new appliance provide a detailed report or alert showing why it believes an attachment is malicious?

Answer

A

B. How will the appliance receive updated signatures and scanning engines?
C. How will the appliance receive security patches and updates?
E. Do you have security personnel and procedures in place to review the output from this appliance and take action where appropriate?
F. Does the new appliance provide a detailed report or alert showing why it believes an attachment is malicious?

Often, cybersecurity professionals fall in love with a new technological solution without fully considering the true cost of ownership and risks it poses to their organization. Even if this is the perfect security mechanism, the organization must plan for how they will respond to the alerts provided by this appliance. Additionally, you must consider if you have the right people and procedures to use the new application effectively. The appliance will also need to receive security patches, feature updates, and signature definition files routinely to remain effective and secure. At later stages of analysis, your security team may need to determine why a false-positive or false-negative occurred, which requires detailed alerts or reports from the machine. In corporate environments, privacy is limited for employees as most companies have a “right to monitor” included as part of their AUP and access policies. Therefore privacy is a minimal area of concern in this case. The appliance cannot manipulate the information passing through it since it will analyze the information by placing a copy into a sandbox. This allows it to make a allow or deny decision and will not modify the original data is processed.

Question 47

Q

According to the Center for Internet Security’s system design recommendation, which of the following control categories would contain information on the best security practices to implement within the SDLC?

A. Application software security.
B. Inventory of authorized/unauthorized devices.
C. Controlled use of administrative privileges.
D. Malware defenses.

Answer

A

A. Application software security.

Since the software development lifecycle (SDLC) is focused on building software applications, the best control category would be application software security. While all other documents hosted by the Center for Internet Security contain useful information, the application software security control is most likely to contain relevant information relating to best practices to implement in the SDLC.

Question 48

Q

A software development company has discovered the ProxyNotShell vulnerability in its product that it cannot fix immediately due to resource constraints. What measures can the company take to mitigate the risk associated with the vulnerability? (Choose TWO)

A. Use a web application firewall (WAF) to block malicious traffic.
B. Hire additional developers.
C. Use a firewall to restrict access to the affected systems.
D. Develop a new software product.

Answer

A

A. Use a web application firewall (WAF) to block malicious traffic.
C. Use a firewall to restrict access to the affected systems.

To mitigate the risk associated with the ProxyNotShell vulnerability, the software development company can configure a Web Application Firewall (WAF) to block traffic related to the vulnerability. By implementing specific rules within the WAF, any malicious traffic attempting to exploit the vulnerability can be identified and blocked, thereby preventing attackers from successfully exploiting the vulnerability. To mitigate the risk associated with the vulnerability, the software development company can configure a firewall to restrict access to the affected systems exclusively for authorized users. By implementing proper firewall rules, the company can control and limit network traffic, preventing unauthorized access and minimizing the potential for attackers to exploit the vulnerability. Creating a new product does not directly address the vulnerability in the existing one. While having more developers might eventually help fix the vulnerability, it does not provide an immediate solution.

Question 49

Q

While monitoring the health of her organization’s systems, Lisa notices that a system’s processes are using an unusually high amount of memory. What is Lisa checking?

A. Data encryption
B. Memory resource management
C. Memory consumption
D. Data storage

Answer

A

C. Memory consumption

Memory consumption refers to the precise measurement of the quantity of memory that is being actively utilized by the various processes within a system. It serves as a crucial indicator of the system’s resource allocation and utilization efficiency. Consequently, when the analyst identifies a discernibly elevated level of memory usage within the system, they are effectively overseeing and scrutinizing the specific aspect of memory consumption. Data encryption, while important for data security, doesn’t involve monitoring the amount of memory used by a system’s processes. Memory resource management is about efficiently utilizing a system’s memory. Data storage is about holding data, not about monitoring the memory usage of a system’s processes.

Question 50

Q

Tony works for a company as a cybersecurity analyst. His company runs a website that allows public postings. Recently, users have started complaining about the website having pop-up messages asking for their username and password. Simultaneously, your security team has noticed a large increase in the number of compromised user accounts on the system. What type of attack is most likely the cause of both of these events?

A. Cross-site request forgery
B. Rootkit
C. SQL injection
D. Cross-site scripting

Answer

A

D. Cross-site scripting

This scenario is a perfect example of the effects of a cross-site scripting (XSS) attack. If your website’s HTML code does not perform input validation to remove scripts that may be entered by a user, then an attacker can create a popup window that collects passwords and uses that information to compromise other accounts further. A cross-site request forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. An XSS will allow an attacker to execute arbitrary JavaScript within the victim’s browser (such as creating pop-ups). A CSRF would allow an attack to induce a victim to perform actions they do not intend to perform. A rootkit is a set of software tools that enable an unauthorized user to control a computer system without being detected. SQL injection is the placement of malicious code in SQL statements via web page input. None of the things described in this scenario would indicate a CSRF, rootkit, or SQL injection.

Question 51

Q

Which of the following commands would NOT provide domain name information and details about a host?

A. sc [ip address]
B. nslookup [ip address]
C. host [ip address]
D. dig -x [ip address]

Answer

A

A. sc [ip address]

Service control (sc) is a Windows command that allows you to create, start, stop, query, or delete a Windows service. The dig command will give you information on when a query was performed, the details that were sent, and what flags were sent. In most cases, host and nslookup will also provide similar information.

Question 52

Q

Your company’s cybersecurity team has been tracking vulnerability data over time. What might be the significance of observing a consistent upward trend in the discovery of new vulnerabilities?

A. The company’s servers are becoming more efficient.
B. It could indicate a need for improved security measures or updated software.
C. There is a decreased need for vulnerability scanning.
D. The company’s network bandwidth is being utilized efficiently.

Answer

A

B. It could indicate a need for improved security measures or updated software.

An upward trend in vulnerabilities may signal a need to enhance cybersecurity defenses. On the contrary, an upward trend would indicate an increased need for thorough vulnerability scanning. Network bandwidth usage isn’t directly related to the trend in vulnerability discoveries. While efficiency is important, an upward trend in vulnerability discoveries is not an indicator of server efficiency.

Question 53

Q

Your organization is a financial services company. You have a team of security analysts who are responsible for gathering and analyzing intelligence about potential threats to your organization. The analysts recently published a report that identifies a new threat actor who is targeting financial services companies. The report includes information about the threat actor’s tactics, techniques, and procedures (TTPs). In which phase of the security intelligence cycle will this information be provided to those who need to act on it?

A. Collection
B. Feedback
C. Analysis
D. Dissemination

Answer

A

D. Dissemination

The dissemination phase refers to publishing information produced by analysis to consumers who need to develop the insights. The collection phase is usually implemented by administrators using various software suites, such as security information and event management (SIEM). This software must be configured with connectors or agents that can retrieve data from sources such as firewalls, routers, IDS sensors, and servers. The analysis phase focuses on converting collected data into useful information or actionable intelligence. The final phase of the security intelligence cycle is feedback and review, which utilizes both intelligence producers and intelligence consumers’ input. This phase aims to improve the implementation of the requirements, collection, analysis, and dissemination phases as the life cycle is developed.

Question 54

Q

Which of the following proprietary tools is used to create forensic disk images without making changes to the original evidence?

A. Autospy
B. FTK Imager
C. Memdump
D. dd

Answer

A

B. FTK Imager

FTK Imager can create perfect copies or forensic images of computer data without making changes to the original evidence. The forensic image is identical in every way to the original, including file slack and unallocated space or drive free space. The dd tool can also create forensic images, but it is not a proprietary tool since it is open-source. Memdump is used to collect the content within RAM on a given host. Autopsy is a cross-platform, open-source forensic tool suite.

Question 55

Q

Among the following vulnerabilities, which one was reported as a “Top 10” due to its common occurrence and the potential severity of its impact?

A. SolarWinds SUNBURST Attack
B. Poodle Attack
C. Spectre Attack
D. Cross-Site Scripting (XSS)

Answer

A

D. Cross-Site Scripting (XSS)

XSS vulnerabilities are widespread across web applications and can lead to serious consequences, such as user data theft, making this the correct answer. The SolarWinds SUNBURST was a severe, targeted supply chain attack, not a common vulnerability like XSS. The Spectre attack was an impactful hardware vulnerability, but it’s not typically categorized as a top 10 vulnerability. While the Poodle Attack was significant and impacted SSL 3.0 protocol, it is not categorized as a top 10 widespread vulnerability.

Question 56

Q

As part of the preparation phase of the incident management lifecycle, which component involves regularly educating the workforce about potential incidents, how to recognize them, and how to respond?

A. Incident response plan
B. Playbooks
C. Business continuity disaster recovery planning
D. Training

Answer

A

D. Training

Regular training is crucial to equip the workforce with the necessary knowledge to recognize and respond to potential incidents. An incident response plan is a set of procedures to manage and handle an incident. It outlines how the organization will respond to an incident but does not involve the regular education of the workforce. While playbooks provide detailed, step-by-step guides on how to respond to specific types of incidents, they do not involve the regular education of the workforce. While business continuity disaster recovery planning is an essential part of incident management preparation, it does not directly involve workforce education on recognizing and responding to incidents.

Question 57

Q

Why is stakeholder identification and communication crucial during an incident response?

A. Stakeholders analyze the root cause of the incident.
B. Stakeholders take on the responsibility of resolving the incident.
C. Stakeholders provide the necessary support and resources for effective incident management.
D. Stakeholders handle communication with the public.

Answer

A

C. Stakeholders provide the necessary support and resources for effective incident management.

Stakeholders are individuals or groups with a vested interest in the security of an organization. Their support and resources can help effectively manage and mitigate incidents. While stakeholders play a vital role in the incident response process, their main function is not to resolve the incident but to support the incident response team that does. While certain stakeholders may have a role in communicating with the public, it is not their primary responsibility in the incident response process. The task of analyzing the root cause of an incident typically falls to the incident response team or forensic experts, not stakeholders.

Question 58

Q

After a security incident has been handled, what post-incident activity involves the detailed examination of the incident to identify the primary cause or causes, often using tools to analyze logs, network traffic, and other data?

A. Lessons learned
B. Incident response plan
C. Root cause analysis
D. Forensic analysis

Answer

A

C. Root cause analysis

Root cause analysis is the process of determining the initial cause(s) of a problem or issue, with the intent to fix the issue by addressing these underlying causes. Lessons learned is a process that follows an incident, where all stakeholders reflect on what happened, what was done well, and what needs to be improved for future incidents. It is broader and less technically focused than root cause analysis. The incident response plan is a strategic document outlining the procedures for handling and managing an incident, not a post-incident activity. While forensic analysis also involves a detailed examination of an incident, it typically goes beyond root cause analysis to include a detailed and systematic examination of all aspects of an incident, often with an eye to legal requirements and implications.

Question 59

Q

A cybersecurity analyst notices the following XML transaction while reviewing the communication logs for a public-facing application that receives XML input directly from its clients:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
<?xml version=”1.0” encoding=”ISO-8859-1”?>
<!DOCTYPE xyz [
<!ELEMENT xyz ANY >
<!ENTITY abc SYSTEM “file:///etc/passwd” >]>

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based on the output above, which of the following is true?

A. An XML External Entity (XXE) vulnerability has been exploited and its possible that the password has downloaded the file “/etc/passwd”.
B. ISO-8859-1 only covers the Latin alphabet and may preclude other languages from being used.
C. There is no concern since “/etc/passwd” does not contain any system passwords.
D. The application is using parameterized queries to prevent XML injections.

Answer

A

A. An XML External Entity (XXE) vulnerability has been exploited and its possible that the password has downloaded the file “/etc/passwd”.

This is an example of an XML External Entity (XXE) vulnerability. Any references to document abc of type xyz may now be replaced with /etc/passwd, which would allow the user to harvest the data contained within the file. Although in modern Linux operating systems, the /etc/passwd only contains the usernames resident on the system and not the passwords, this is still valuable information for an attacker. The ‘/etc/passwd’ file has been better secured in recent systems by using a shadow file (which contains hashed values for the passwords). Without an input validation step is added to the process, there is nothing to stop the attacker from gathering other potentially sensitive files from the server. While ISO-8859-1 does indeed cover the Latin alphabet and is standard throughout XML, it has no significance from a cybersecurity perspective. A parameterized query is a form of output encoding that defends against SQL and XML injections. This code does not contain a parameterized query.

Question 60

Q

Which type of threat will patches NOT effectively combat as a security control?

A. Discovered software bugs.
B. Known vulnerabilities.
C. Zero-day attacks.
D. Malware with defined indicators of compromise.

Answer

A

C. Zero-day attacks.

Zero-day attacks have no known fix, so patches will not correct them. A zero-day vulnerability is a computer-software vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating the vulnerability (including the vendor of the target software). If a discovered software bug or known vulnerability is found, a patch or mitigation is normally available. If a piece of malware has well-defined indicators of compromise, a patch or signature can be created to defend against it, as well.

Question 61

Q

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, http://test.diontraining.com/../../../../etc/shadow. What type of attack has likely occurred?

A. Directory traversal
B. Buffer overflow
C. SQL injection
D. XML injection

Answer

A

A. Directory traversal

This is an example of a directory traversal. A directory traversal attack aims to access files and directories that are stored outside the webroot folder. By manipulating variables or URLs that reference files with “dot-dot-slash (../)” sequences and its variations or using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer’s boundary to overwrite an adjacent memory location. XML Injection is an attack technique used to manipulate or compromise an XML application or service’s logic. SQL injection is the placement of malicious code in SQL statements via web page input.

Question 62

Q

An SNMP sweep is being conducted, but the sweep receives no-response replies from multiple addresses that are believed to belong to active hosts. What does this indicate to a cybersecurity analyst?

A. The machines are not running SNMP servers.
B. The community string being used is invalid.
C. The machines are unreachable.
D. Any listed answers may be true.

Answer

A

D. Any listed answers may be true.

The best option is all of the answers listed. SNMP doesn’t report closed UDP ports, and SNMP servers don’t respond to invalid information requests. The “no response” can mean that the systems cannot be reached (either internally or externally). If you entered an invalid community string, then SNMP will be unable to provide a response or report its findings.

Question 63

Q

You work as the incident response team lead at Fail to Pass Systems. Sierra, a system administrator, believes an incident has occurred on the network and contacts the SOC. At 2:30 am, you are woken up by a phone call from the CEO of Fail to Pass stating an incident has occurred and that you need to solve this immediately. As you are getting dressed to drive into the office, your phone rings again. This time, the CIO starts asking you a lot of technical questions about the incident. The first you heard of this incident was 5 minutes ago from the CEO, so you obviously don’t have the answers to the CIO’s questions. Based on this scenario, which of the following issues needs to be documented in your lessons learned report once this incident is resolved?

A. A call list/escalation list.
B. A robust method of incident detection.
C. An offline incident response jump bag or kit.
D. An established incident response form for all employees to use to collect data.

Answer

A

A. A call list/escalation list.

To maintain a disciplined approach to incident response, the organization needs to document and follow procedures developed during the preparation phase. The SOC should have a call list or an escalation list as part of those procedures. This list should detail who should be called, what order, and how high up the organizational leadership chart a particular issue would reach. In almost every case, the incident response team lead should be contacted before the CEO or CIO is notified of the incident. When companies go “right to the top” of the leadership chart, the CEO and CIO will be acting on half-true or unverified information during the start of an incident response process. Instead, an established form for incident detail collection should be performed, the right technical leads should be notified of the incident, and the incident response team should be called in to analyze the information and provide a quick “stand up” report to leadership on what the issue is, what has already been done, and what they recommend doing from here to resolve the incident. All of the other options are best practices to consider and develop in the preparation phase. Still, they would not have solved the issue in this scenario of senior leadership being notified before the incident response team lead.

Question 64

Q

After an unexpected data breach, the cybersecurity team at a financial institution analyzed logs and found suspicious traffic originating from an IP address known to be linked with the WannaCry ransomware attack. In this scenario, what incident response activity is being performed by the cybersecurity team?

A. Recovery
B. Data and log analysis
C. Eradication
D. Containment

Answer

A

B. Data and log analysis

The cybersecurity team is performing data and log analysis, a key incident response activity. They are analyzing logs to identify the cause of the data breach and determine the extent of the intrusion. Recovery involves restoring systems to normal operation and implementing measures to prevent future similar attacks. The team hasn’t reached this stage yet; they are still analyzing logs to understand what happened. Containment is the process of limiting the extent of an intrusion and preventing it from spreading further. In this scenario, the team is analyzing data and logs, not containing the breach. Eradication involves eliminating the threat from the network, which can’t be done until the threat is fully understood. The team is still at the analysis stage

Answer 65

A

A. May lead to delays in performing system maintenance and patching.

Interruption concerns may push organizations to delay necessary vulnerability remediation, prolonging system exposure to risks. Fear of interruption does not directly enhance system functionality. Fear of interruption might in fact delay necessary actions, not accelerate them. Fear of interruption does not inherently reduce vulnerabilities; it may delay their remediation.

Answer 66

A

A. Prioritizing the risk level associated with each vulnerability.

Risk prioritization is an essential part of vulnerability management, focusing on the most significant threats in a cybersecurity landscape. It involves assessing potential vulnerabilities, considering their likelihood of exploitation, and the potential impact of such an event. After prioritizing vulnerabilities, the highest-risk ones are addressed first, using methods such as software patching or security policy enhancement. This process is continuously revisited and adjusted as new threats and vulnerabilities emerge. The type of vulnerabilities may provide some context, but it is the risk associated with each that should primarily drive prioritization. The number alone does not give an accurate picture of prioritization. Not all vulnerabilities pose the same level of risk. While knowing where vulnerabilities reside is important, it’s not the main factor in prioritization. The risk each vulnerability carries is more critical.

Answer 67

A

A. Prioritization

When prioritizing vulnerabilities, several factors come into play. The severity of a vulnerability determines its potential impact, with high-impact vulnerabilities, like those granting system control, given higher priority. The likelihood of exploitation also plays a role, favoring vulnerabilities with higher probabilities, such as publicly disclosed ones. Additionally, the cost of remediation influences prioritization, as expensive fixes may require allocation within the organization’s budget. By considering these factors, informed decisions can be made on vulnerability prioritization, leading to benefits such as saved resources, improved security, and compliance with regulations. Ultimately, prioritizing vulnerabilities enhances security posture and reduces the risk of attack. This is a process of setting up a firewall’s settings to control network traffic, not the process of deciding which vulnerabilities to address first. Intrusion detection refers to the methods used to detect unauthorized access to a system or network. This refers to the process of delivering patches or updates to systems, not determining the order in which vulnerabilities are addressed.

Answer 68

A

D. Cyber Kill Chain

The Cyber Kill Chain, developed by Lockheed Martin, describes the stages of a cyber attack. The steps taken by the red team align with this model, from the identification of vulnerabilities (reconnaissance), through exploitation and installation, to achieving their objectives (exfiltration). The OWASP Testing Guide provides a methodology for testing the security of web applications. It doesn’t describe the stages of a cyber attack. The Diamond Model focuses on the relationship between four elements of an attack: the adversary, the victim, the infrastructure, and the capability. It doesn’t represent a sequential progression of an attack. The MITRE ATT&CK framework provides a matrix of tactics, techniques, and procedures (TTPs) used by cyber adversaries. While it’s useful for detailing attacker behavior, it doesn’t provide a linear progression of an attack.

Answer 69

A

B. Security, Pre-EFI initialization, Driver Execution Environment, Boot Device Select, Transient System Load, Runtime.

The security must first prevent any potential contamination from advanced malware from affecting the system as it proceeds into its startup process. The security consists of initializing the code that the system executes after powering on the EFI system. Pre-EFI initialization initializes the CPU, temporary memory, and boot firmware volume (BFV). Driver Execution Environment initializes the entire system’s physical memory, I/O, and MIMO (Memory Mapped Input Output) resources. Finally, it begins dispatching DXE Drivers present in the system Firmware Volumes (given in the HOBL). Boot Device Select interprets the boot configuration data and selects the Boot Policy for later implementation. Runtime focuses on clearing the UEFI program from memory and transferring control to the operating system.

Answer 70

A

B. Alerting the incident response team and working with them to mitigate any potential harm.

In the face of a potential threat like this, the threat intelligence team would generally alert the incident response team and work with them to protect the organization and its customers. It is not generally advisable, or often legal, for an organization to engage directly with threat actors. Professional security teams should be involved in these situations. Retaliatory cyber attacks are both legally and ethically problematic and could lead to serious consequences. This is not the right course of action. Ignoring a potential threat, particularly one that involves customer data, would not be a safe or responsible course of action.

Answer 71

A

A. Direct action against public-facing servers.
B. Release of malicious email.
F. Deliberate social media interactions with the target’s personnel.

During the delivery phase, the adversary is firing whatever exploits they have prepared during the weaponization phase. At this stage, they still do not have access to their target, though. Therefore, taking direct action against a public-facing web server, sending a spear-phishing email, placing a USB drive with malware, or starting a conversation on social media all fit within this phase. internet-facing servers were enumerated during reconnaissance. Selecting a decoy document to present to the victim occurs during weaponization. Collecting press releases, contract awards, and conference attendee lists occur during the reconnaissance phase.

Answer 72

A

D. ESTABLISHED

The ESTABLISH message indicates that an active and established connection is created between two systems. The LISTENING message indicates that the socket is waiting for an incoming connection from the second system. The LAST_ACK message indicates that the remote end has shut down the connection, and the socket is closed and waiting for an acknowledgment. The CLOSE_WAIT message indicates that the remote end has shut down the connection and is waiting for the socket to close. This question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goals aren’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!

Answer 73

A

C. Incident response plan

The incident response plan outlines the procedures and processes to handle and manage a security incident. It’s an essential part of preparation for potential incidents. Tabletop exercises are a method of testing an organization’s incident response plan and team, not establishing procedures for managing incidents. While training is an important part of preparation, it involves educating the workforce about potential incidents and how to respond, not outlining procedures for managing potential incidents. Business continuity disaster recovery planning focuses on how an organization can continue operations during and recover after a disruptive incident, not on outlining procedures for handling potential incidents.

Answer 74

A

B. Discovering potential threats before they impact your organization.

Gathering threat intelligence from the deep web and dark web can help your organization identify emerging threats or planned attacks before they affect your network. While gathering intelligence can help identify and mitigate threats, it does not guarantee the elimination of all cyber threats. Gathering threat intelligence is a part of a broader security strategy and should be used in conjunction with other security measures, not in lieu of them. Gathering threat intelligence from the deep web and dark web is not related to increasing an organization’s web presence; it’s about identifying potential cyber threats.

Answer 75

A

B. Process Monitor

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry, and process/thread activity. Autoruns shows you what programs are configured to run during system bootup or login. ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. DiskMon is an application that logs and displays all hard disk activity on a Windows system. This question may seem beyond the scope of the exam. Still, the objectives allow for “other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered” in the objectives’ bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination’s content. Therefore, questions like this are fair game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don’t let questions like this throw you off on test day. If you aren’t sure, take your best guess and move on!

Answer 76

A

C. Fuzzing

Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. User Acceptance Testing is the process of verifying that a created solution/software works for the user. Security regression testing ensures that changes made to a system do not harm its security, are therefore of high significance, and the interest in such approaches has steadily increased. Stress testing verifies the system’s stability and reliability by measuring its robustness and error handling capabilities under heavy load conditions.

Answer 77

A

A. Weaponization

In the context of the WannaCry ransomware attack, the NSA tool, EternalBlue, was used during the weaponization phase to exploit a known vulnerability in Microsoft’s SMB protocol. Command and control refers to the phase where the attacker establishes a channel to control the compromised system. Actions and Objectives phase would be when the attackers actually encrypted the files and demanded the ransom. The delivery phase involves the transmission of the malicious payload to the victim, not the creation of it.

Answer 78

A

A. Utilizing an operating system SCAP plugin.

Security Content Automation Protocol (SCAP) is a multi-purpose framework of specifications supporting automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement. It is an industry-standard and support testing for compliance. The other options will not allow for a truly repeatable process since individual scans would occur each time instead of comparing against a known good baseline.

Answer 79

A

A. Application hardening

Application hardening involves taking actions to best secure the application from attack. This involves removing any default or sample configurations, properly configuring settings, and updating the application to the latest and more secure version. Patch management is incorrect because only updating the software falls under patch management, not the configuration portions of her actions. Vulnerability scanning involves scanning a device for known vulnerabilities to update the device and prevent a future attack. Input validation is a technique to verify user-provided data meets the expected length and type before allowing a program to utilize it.

Answer 80

A

C. Plugins

Plugins are software components that can extend the functionality of Burp Suite, including automated security tasks and additional vulnerability scanning options. While drivers enable hardware-software communication, they do not extend the functionality of Burp Suite. APIs (Application Programming Interfaces) allow different software applications to communicate but do not inherently extend the functionality of a specific tool like plugins. While scripts can automate certain tasks, they do not inherently extend the functionality of a specific tool like plugins.

Answer 81

A

A. Dion
B. DION
C. dion
D. Dion
E. DIOn

The grep (global search for regular expressions and print) is one of Linux’s powerful search tools. The general syntax for the grep command is “grep [options] pattern [files]. The command searches within the specified files (in this case, the Names.txt file). When the command is issued with the -i optional flag, it treats the specified pattern as case insensitive. Therefore, all uppercase and lowercase variations of the word “DION” will be presented from the file and displayed as the command output. By default, grep uses case sensitivity, so “grep DION Names.txt” would only display the output as “DION” and ignore the other variations. As a cybersecurity analyst, grep is one of your most important tools. You can use regular expressions (regex) to quickly find indicators of compromise within your log files using grep.

Answer 82

A

A. User and entity behavior analytics.

Since ICS, SCADA, and IoT devices often run proprietary, inaccessible, or unpatchable operating systems, the traditional tools used to detect the presence of malicious cyber activity in normal enterprise networks will not function properly. Therefore, user and entity behavior analytics (UEBA) is best suited to detect and classify known-good behavior from these systems to create a baseline. Once a known-good baseline is established, deviations can be detected and analyzed. UEBA may be heavily dependent on advanced computing techniques like artificial intelligence and machine learning and may have a higher false-positive rate. As the name suggests, the analytics software tracks user account behavior across different devices and cloud services. Entity refers to machine accounts, such as client workstations or virtualized server instances, and embedded hardware, such as the Internet of Things (IoT) devices. Traditional technologies include anti-virus tools, host-based IDS and IPS, and endpoint protection platforms.

Answer 83

A

A. Compliance with data breach notification laws.

Legal considerations primarily involve complying with local, national, or international data breach notification laws and regulations, which typically require the organization to notify affected parties within a certain timeframe. While internal policies are important, they do not typically carry the legal weight that breach notification laws do. Compliance with these laws should be a primary consideration. While managing public relations is a crucial aspect of breach communication, it does not directly involve legal considerations. While important, contractual obligations are specific to individual relationships and may not have the broad legal implications that breach notification laws do.

Answer 84

A

D. Intrusion prevention system

Since this question is focused on the ICS/SCADA network, the best solution would be implementing an Intrusion Prevention System. ICS/SCADA machines utilize very specific commands to control the equipment and to prevent malicious activity. You could set up strict IPS rules to prevent unknown types of actions from being allowed to occur. Log consolidation is a good idea, but it won’t prevent an issue and therefore isn’t the most critical thing to add first. Automated patch management should not be conducted, as ICS/SCADA systems must be tested before conducting any patches. Often, patches will break ICS/SCADA functionality. Antivirus software may or may not be able to run on the equipment, as well, since some ICS/SCADA systems often do not rely on standard operating systems like Windows.

Brainscape's Knowledge GenomeTM

JasonDion Practice Exam 4 Flashcards

Brainscape's Knowledge Genome^TM