Security Operations Flashcards

1
Q

Which type of threat intelligence source is most likely available without a subscription

A

Open source.

2
Q

What term best describes the intelligence source that uses tools like Cisco Talos to automatically look up information about the past activity of IP addresses sending emails?

A

Reputation data.

3
Q

What cloud tier best describes AWS Lambda, a serverless computing service that allows developers to write and execute functions directly on the cloud platform?

A

Function-as-a-Service (FaaS).

A service like Lambda could also be described as platform-as-a-service (PaaS), because FaaS is a subset of PaaS. FaaS is the term that describes it most precisely, though: the customer supplies only function code, and the provider owns the runtime, the scaling and the servers underneath.

4
Q

What is the user attempting to do with the command:
./john -wordfile:/home/user12/mylist.txt -format:lm hash.txt?

Answer Choices:
A. They are attempting to hash a file.
B. They are attempting to crack hashed passwords.
C. They are attempting to crack encrypted passwords.
D. They are attempting a pass-the-hash attack.

A

B. They are attempting to crack hashed passwords.

Explanation:
The command runs John the Ripper, a password-cracking tool, in wordlist mode: each entry in mylist.txt is hashed with the LAN Manager (LM) algorithm (selected by -format:lm) and the result is compared against the hashes stored in hash.txt. A hash is not reversed; cracking works by guessing candidates and matching their hashes, and LM makes that cheap because it upper-cases the password, caps it at 14 characters and hashes the two 7-character halves independently. Option C is wrong because the file holds hashes, not encrypted passwords, and option D is wrong because a pass-the-hash attack authenticates with the hash itself and never recovers the plaintext.
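The mechanism john applies here, shown as an added example rather than code from the page or from John the Ripper. SHA-256 stands in for LM because Python's hashlib has no LM/DES routine; the wordlist, the hash file and the handful of mangling rules are all constructed for the demo. The point it illustrates is that nothing is decrypted: every candidate is hashed with the target algorithm and compared with the dump.

```python
"""Wordlist ("dictionary") cracking in the style of john's -wordfile mode.

Added example; not code from the original page or from John the Ripper.
SHA-256 stands in for LM (hashlib has no LM/DES routine), but the mechanism
is identical: the hash is never reversed. Each candidate is hashed with the
target algorithm and compared with the dumped hashes.
"""
import hashlib
from typing import Dict, Iterator, List


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed stand-in for hash.txt ("user:hash"). The plaintexts appear here
# only so the demo can build the dump; a real dump would contain just hashes.
HASH_FILE = "\n".join(
    f"{user}:{sha256_hex(secret)}"
    for user, secret in [("alice", "password"), ("bob", "Summer1"),
                         ("carol", "Tr0ub4dor&3"), ("dave", "WELCOME")]
)

# Constructed stand-in for mylist.txt.
WORDLIST = ["password", "summer", "welcome", "letmein", "admin"]


def parse_hash_file(text: str) -> Dict[str, str]:
    """Return user -> hex digest from 'user:hash' lines."""
    targets: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, digest = line.partition(":")
        targets[user] = digest.lower()
    return targets


def mangle(word: str) -> Iterator[str]:
    """A few of the rewrite rules john applies to each wordlist entry: as-is,
    capitalised, upper-cased, and each of those with one digit appended.
    (LM upper-cases passwords before hashing, which is one reason it falls fast.)"""
    seen = set()
    for base in (word, word.capitalize(), word.upper()):
        if base in seen:
            continue
        seen.add(base)
        yield base
        for digit in "0123456789":
            yield base + digit


def crack(wordlist: List[str], targets: Dict[str, str]) -> Dict[str, str]:
    """Return user -> recovered plaintext for every target hash a candidate matches."""
    # Index hash -> users so one digest computation checks every account sharing it.
    by_digest: Dict[str, List[str]] = {}
    for user, digest in targets.items():
        by_digest.setdefault(digest, []).append(user)

    recovered: Dict[str, str] = {}
    for word in wordlist:
        for candidate in mangle(word):
            digest = sha256_hex(candidate)
            for user in by_digest.pop(digest, []):
                recovered[user] = candidate
            if not by_digest:          # everything cracked, stop early
                return recovered
    return recovered


if __name__ == "__main__":
    for user, plaintext in crack(WORDLIST, parse_hash_file(HASH_FILE)).items():
        print(f"{user}: {plaintext}")
```

Running it recovers alice, bob and dave; carol's password is not derivable from the list by these rules, which is the practical limit of a wordlist attack and the reason real runs combine large lists with many more rules.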

5
Q

What is Geoff’s best option to secure network appliances that have exposed services such as Telnet, FTP, and web servers?

Answer Choices:
A. Enable host firewalls.
B. Install patches for those services.
C. Turn off the services for each appliance.
D. Place a network firewall between the devices and the rest of the network.

A

D. Place a network firewall between the devices and the rest of the network.

Explanation:
Placing a network firewall between the devices and the rest of the network lets Geoff control who can reach the exposed services. Patching (B) depends on the vendor shipping fixes for the appliance, turning the services off (C) is often impossible because the appliance relies on them for management, and appliances rarely offer a configurable host firewall (A). A network firewall filters traffic, limits exposure and reduces the risk from vulnerable or unnecessary services while keeping the devices working, without modifying the appliances' configuration.

Telnet and FTP also carry credentials in cleartext, so restricting them to a management network is the minimum; replacing them with SSH and SFTP where the appliance supports it is better.

6
Q

What issue should Ian report to management upon discovering that multiple certificates in his organization are self-signed?

Answer Choices:
A. Self-signed certificates do not provide secure encryption for site visitors.
B. Self-signed certificates can be revoked only by the original creator.
C. Self-signed certificates will cause warnings or error messages.
D. None of the above.

A

C. Self-signed certificates will cause warnings or error messages.

Explanation:
A self-signed certificate is one whose issuer and subject are the same entity, signed with its own private key. It still provides encryption, so it is not inherently insecure in that sense, but browsers and clients do not trust it by default because no trusted Certificate Authority (CA) has validated it. The result is warnings or error messages for users, which erodes trust and trains them to click through warnings, masking a genuine man-in-the-middle attack. Reporting this highlights the need for certificates issued by a trusted CA (public or internal) to maintain both security and usability.

7
Q

TCP port 636 is often used for?

A

LDAPS (LDAP over SSL/TLS). Plain LDAP uses TCP port 389; port 636 is the implicit-TLS variant. LDAP on 389 can also be upgraded to TLS with StartTLS, so seeing 389 alone does not prove the traffic is unencrypted.

8
Q

What does the network flow entry most likely show if the destination IP address (10.2.2.3) is not a system on Cynthia’s network?

A. A web browsing session
B. Data exfiltration
C. Data infiltration
D. A vulnerability scan

A

Data exfiltration

Explanation:
The network flow entry shows a large transfer (9.1 GB sent from the internal system 10.1.1.1 to 10.2.2.3). Although 10.2.2.3 falls in private (RFC 1918) address space, the question states that it is not a system on Cynthia's network, so the volume and direction of the traffic strongly suggest data exfiltration: sensitive data being moved out of the organization to an unknown or unauthorized destination, most likely a system the threat actor controls. A web browsing session (A) would be dominated by inbound bytes, infiltration (C) would be inbound, and a vulnerability scan (D) would show many small flows to many ports rather than one large transfer.

9
Q

During a regularly scheduled PCI compliance scan, Fred discovers that port 3389 is open on one of the point-of-sale terminals he manages. What service should he expect to find enabled on the system?

Answer Choices:
A. MySQL
B. RDP
C. TOR
D. Jabber

A

B. RDP

Explanation:
Port 3389 is the default port for Remote Desktop Protocol (RDP), which is used for remote access to Windows-based systems. If this port is open on a point-of-sale terminal, it suggests that remote desktop access is enabled on the system, which may pose a security risk. This should be addressed immediately to prevent unauthorized remote access.

A. MySQL typically uses port 3306.
C. Tor relays listen on TCP 9001 (ORPort) and 9030 (DirPort) by default, and a Tor client exposes a local SOCKS proxy on 9050; none of these is 3389.
D. Jabber typically uses port 5222 for XMPP-based communication.

10
Q

Saanvi discovers services running on ports 8080 and 8443 as part of her intelligence-gathering process. What services are most likely running on these ports?

A. Botnet C&C
B. Nginx
C. Microsoft SQL Server instances
D. Web servers

A

D. Web servers

Explanation:
Ports 8080 and 8443 are commonly used by web servers:

Port 8080 is often used as an alternative HTTP port, typically for web servers or proxy servers running on non-standard ports.
Port 8443 is frequently used for HTTPS traffic, especially for web servers offering secure connections over HTTP (HTTPS) on a non-default port.

Nginx (B) is one particular web server, and the port number alone cannot tell Saanvi which server software is listening, only that the service is most likely a web server, so D is the best answer. A banner grab or an HTTP request would be needed to identify the product and version.

A. Botnet C&C has no standard port, and C. Microsoft SQL Server listens on TCP 1433 by default.

11
Q

Angela wants to gather network traffic from systems on her network. What tool can she use to best achieve this goal?

A. Nmap
B. Wireshark
C. Sharkbait
D. Dradis

A

B. Wireshark

Explanation:
Wireshark is a powerful network protocol analyzer that allows users to capture and inspect network traffic in real-time. It provides detailed information about the data packets traveling across the network, making it the best tool for gathering network traffic.

A. Nmap is primarily a network scanning tool used for discovering hosts and services on a network but not for capturing traffic.

C. Sharkbait is not a widely recognized or relevant tool for network traffic capture.

D. Dradis is a collaboration and reporting tool used for penetration testing and vulnerability assessments, not for capturing network traffic.

12
Q

Wang submits a suspected malware file to malwr.com and receives information about its behavior. What type of tool is malwr.com?

A. A reverse-engineering tool
B. A static analysis sandbox
C. A dynamic analysis sandbox
D. A decompiler sandbox

A

C. A dynamic analysis sandbox

Explanation:

Malwr.com was an online malware analysis service built on the open source Cuckoo Sandbox, and it performed dynamic analysis: it executed the submitted file in a controlled, instrumented environment (a sandbox) and observed its behavior. The report covered actions such as file creation, registry changes, process activity and network connections, which help identify malicious behavior.

A. A reverse-engineering tool typically focuses on disassembling and analyzing the code, but doesn’t observe live behavior.

B. A static analysis sandbox analyzes the file without executing it, usually examining the file’s structure and code.

D. A decompiler sandbox is used to transform compiled code back into higher-level code, which isn’t the primary function of malwr.com.

13
Q

Sarah has been asked to assess the technical impact of suspected reconnaissance performed against her organization. She is informed that a reliable source has discovered that a third party has been performing reconnaissance by querying WHOIS data. How should Sarah categorize the technical impact of this type of reconnaissance?

A. High.
B. Medium.
C. Low.
D. She cannot determine this from the information given.

A

C. Low.

Explanation:
Querying WHOIS data is a common method used for gathering public information about domain names and IP addresses. This type of reconnaissance typically involves looking up details such as domain ownership, registration details, and contact information. While it can provide useful intelligence to attackers, the information obtained from WHOIS queries is generally publicly available and does not directly expose critical vulnerabilities or weaknesses in the network or systems. Therefore, the technical impact of this type of reconnaissance is typically considered low.

However, it can still be part of a larger reconnaissance effort, but on its own, it doesn’t pose an immediate or high technical threat.

14
Q

The flow logs show ICMP Echo request (ping) packets sent from a source IP (10.1.1.1) to a range of destination IPs (10.2.2.6 to 10.2.2.11), with ICMP replies received in return. This indicates that the system is performing a?

A. A port scan
B. A failed three-way handshake
C. A ping sweep
D. A traceroute

A

C. A ping sweep

Explanation:
A ping sweep sends ICMP Echo Requests to a series of hosts (here 10.2.2.6 through 10.2.2.11) to discover which ones are up; the Echo Replies tell the scanner which addresses are live.

A. A port scan would involve scanning specific ports (not ICMP Echo requests).

B. A failed three-way handshake would involve TCP traffic, not ICMP.

D. A traceroute sends probes with increasing TTL values toward a single destination and collects ICMP Time Exceeded messages from each router along the path. This log shows only Echo Requests and Replies to consecutive hosts, not TTL-based probes.
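The two flow-log patterns from this card and from Cynthia's exfiltration card, written as detection logic over sample records. This is an added example, not code from the original page. Assumptions: the organisation's address space is 10.1.0.0/16 (so 10.2.2.0/24 counts as "not our network" even though it is RFC 1918 space), flows are CSV with one record per unidirectional flow, and for ICMP the dport column carries "type.code" the way nfdump prints it. The flow lines are constructed, not captured traffic.

```python
"""Flow-log detections: bulk outbound transfer to an address outside the
organisation (possible exfiltration) and one source pinging many hosts
(ping sweep). Added example; all records below are constructed.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

INTERNAL_NETS = [ipaddress.ip_network("10.1.0.0/16")]   # assumption: "our" address space
EXFIL_THRESHOLD_BYTES = 1 * 1024 ** 3                   # 1 GiB; tune per site
SWEEP_MIN_TARGETS = 5                                   # distinct hosts pinged by one source

# Constructed sample flows (not real traffic). For ICMP, dport is "type.code".
SAMPLE_FLOWS = """\
ts,proto,src,dst,sport,dport,bytes
2024-05-01T10:00:00,TCP,10.1.1.1,10.2.2.3,51234,443,9100000000
2024-05-01T10:00:01,TCP,10.1.1.20,10.1.1.5,52000,445,120000
2024-05-01T10:00:02,ICMP,10.1.1.1,10.2.2.6,0,8.0,84
2024-05-01T10:00:02,ICMP,10.2.2.6,10.1.1.1,0,0.0,84
2024-05-01T10:00:03,ICMP,10.1.1.1,10.2.2.7,0,8.0,84
2024-05-01T10:00:03,ICMP,10.1.1.1,10.2.2.8,0,8.0,84
2024-05-01T10:00:04,ICMP,10.1.1.1,10.2.2.9,0,8.0,84
2024-05-01T10:00:04,ICMP,10.1.1.1,10.2.2.10,0,8.0,84
2024-05-01T10:00:05,ICMP,10.1.1.1,10.2.2.11,0,8.0,84
2024-05-01T10:00:06,TCP,10.1.1.30,93.184.216.34,49000,443,2500000
2024-05-01T10:00:07,ICMP,10.1.1.30,10.1.1.1,0,8.0,84
"""


def parse_flows(text: str) -> List[dict]:
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["bytes"] = int(row["bytes"])
        # nfdump convention: for ICMP flows the dport column holds "type.code".
        row["icmp_type"] = int(float(row["dport"])) if row["proto"] == "ICMP" else None
        flows.append(row)
    return flows


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_exfiltration(flows: List[dict], threshold: int = EXFIL_THRESHOLD_BYTES
                      ) -> List[Tuple[str, str, int]]:
    """(src, dst, bytes) for internal->external pairs whose total bytes reach the
    threshold. Totals are per pair because exfiltration is often many flows, not one."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[(f["src"], f["dst"])] += f["bytes"]
    hits = [(s, d, b) for (s, d), b in totals.items() if b >= threshold]
    return sorted(hits, key=lambda h: -h[2])


def find_ping_sweeps(flows: List[dict], min_targets: int = SWEEP_MIN_TARGETS
                     ) -> Dict[str, List[str]]:
    """src -> sorted hosts it sent ICMP Echo Requests (type 8) to, for sources
    that touched at least min_targets distinct hosts. Replies (type 0) are ignored."""
    targets: Dict[str, set] = defaultdict(set)
    for f in flows:
        if f["proto"] == "ICMP" and f["icmp_type"] == 8:
            targets[f["src"]].add(f["dst"])
    return {
        src: sorted(dsts, key=ipaddress.ip_address)
        for src, dsts in targets.items() if len(dsts) >= min_targets
    }


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, dst, nbytes in find_exfiltration(flows):
        print(f"possible exfiltration: {src} -> {dst} ({nbytes / 1024 ** 3:.1f} GiB)")
    for src, hosts in find_ping_sweeps(flows).items():
        print(f"ping sweep from {src}: {hosts[0]} .. {hosts[-1]} ({len(hosts)} hosts)")
```

The 2.5 MB HTTPS session from 10.1.1.30 stays below the threshold and the single ping from 10.1.1.30 stays below the sweep count, so only the two patterns the cards describe are reported. In production the byte threshold is usually a per-host baseline rather than a fixed constant, and the internal-network list comes from the IPAM rather than a hard-coded prefix.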

15
Q

A tarpit, or a system that looks vulnerable but is actually intended to slow down attackers, is an example of what type of technique?

A. A passive defense
B. A sticky defense
C. An active defense
D. A reaction-based defense

A

C. An active defense

Explanation:
A tarpit is an example of an active defense technique. It deliberately slows down or traps attackers, making it harder for them to achieve their goals by engaging with them in a way that consumes their resources (such as time and bandwidth). It doesn’t passively observe or simply block attacks; it actively engages with the attacker by making them believe they are making progress, thus slowing their efforts.

A. A passive defense typically involves methods like monitoring or detection without direct interaction with the attacker.

B. "Sticky defense" is not a standard category of defensive technique, although tarpits such as LaBrea are sometimes described as sticky honeypots.

D. A reaction-based defense refers to defensive measures taken in response to an event or attack, such as activating a response mechanism. However, a tarpit is preemptively designed to delay or trap attackers.

16
Q

Susan needs to test thousands of submitted binaries. She needs to ensure that the applications do not contain malicious code. What technique is best suited to this need?

A. Sandboxing
B. Implementing a honeypot
C. Decompiling and analyzing the application code
D. Fagan testing

A

A. Sandboxing

Explanation:
Sandboxing is the best technique for testing applications in a controlled environment. Each binary runs in isolation from the rest of the system while its behavior (file, registry, process and network activity) is recorded, so malicious actions cannot affect the real network or hosts. Because the analysis is automated, it scales to thousands of submissions in a way manual review cannot. One caveat: some malware detects sandboxes or delays its payload, so a clean sandbox run is evidence, not proof.

B. Implementing a honeypot is used to attract and study attackers, not to test submitted binaries.

C. Decompiling and analyzing the application code can be useful for static analysis, but it’s not the best method when dealing with thousands of binaries, as it can be very time-consuming.

D. Fagan testing refers to a formal code review methodology, typically used for checking software quality, but it is not designed for identifying malicious code in binaries.

17
Q

During his analysis of a malware sample, Sahib reviews the malware files and binaries without running them. What type of analysis is this?

A. Automated analysis
B. Dynamic analysis
C. Static analysis
D. Heuristic analysis

A

C. Static analysis

Static analysis involves examining the malware code or binaries without executing them. This can include techniques like disassembling or decompiling the code to inspect its structure, behavior, and any embedded malicious payloads. In this case, Sahib is reviewing the files without running them, which is the definition of static analysis.

A. Automated analysis refers to the use of automated tools to analyze malware, but the key aspect here is the method (reviewing without execution), not automation.

B. Dynamic analysis involves running the malware in a controlled environment to observe its behavior, such as system modifications or network communication.

D. Heuristic analysis involves looking for patterns or behaviors that are typical of known malware but doesn’t specifically refer to the method of analyzing the binaries.

18
Q

Susan is reviewing files on a Windows workstation and believes that cmd.exe has been replaced with a malware package. Which of the following is the best way to validate her theory?

A. Submit cmd.exe to VirusTotal.

B. Compare the hash of cmd.exe to a known good version.

C. Check the file using the National Software Reference Library.

D. Run cmd.exe to make sure its behavior is normal.

A

B. Compare the hash of cmd.exe to a known good version.

Explanation:
Susan's theory is that the file has been replaced, and the direct test of that is to compute a cryptographic hash (for example SHA-256) of the cmd.exe on the workstation and compare it with the hash of the genuine file from the same Windows build, taken from a clean system or trusted install media. Any replacement, whether or not it is known malware, produces a different hash. Verifying the file's Authenticode signature (Microsoft signs cmd.exe) is a useful complementary check.

A. Submitting cmd.exe to VirusTotal only tells her whether the file matches signatures known to the participating antivirus engines; a custom or freshly modified binary may come back clean, and uploading a file from an investigation also discloses it to a third party.

B. Comparing the hash to a known good version directly answers the question of whether the file has been altered, which is exactly what her theory claims.

C. The National Software Reference Library is a collection of hashes of known software; it can confirm that a hash belongs to a known good file, but she must compute the hash first, and it does not tell her which version the workstation should have.

D. Running cmd.exe to see whether its behavior is normal is unsafe: if the file is malicious, she would be executing the malware on the system.
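The hash comparison from this card, combined with the kind of static review Sahib performs in the previous card (nothing is executed): hash the suspect binary, compare it with a known-good hash, confirm it is a PE file, and pull printable strings to look for indicators. This is an added example, not code from the original page. The two "binaries" are constructed byte strings standing in for a genuine and a replaced cmd.exe, and the known-good table and the indicator list are assumptions, not Microsoft data.

```python
"""Static triage of a suspect Windows binary without running it: hash it,
compare with a known-good hash, check the PE header, extract strings.
Added example; the samples, reference hash and indicator list are constructed.
"""
import hashlib
import re
from pathlib import Path
from typing import Dict, List, Optional

# Strings with no business in a stock command interpreter (assumption).
INDICATORS = [b"http://", b"https://", b"powershell", b"-enc", b"\\Temp\\", b"cmd /c"]


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_pe(data: bytes) -> bool:
    """MZ header plus an e_lfanew pointer (offset 0x3C) to the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def printable_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Equivalent of `strings -n 6`: runs of printable ASCII."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage_bytes(name: str, data: bytes, known_good: Dict[str, str]) -> dict:
    """Static verdict for one file. known_good maps lower-case file name -> SHA-256."""
    digest = sha256_bytes(data)
    expected = known_good.get(name.lower())
    matches: Optional[bool] = None if expected is None else (digest == expected)
    hits = sorted({i.decode() for i in INDICATORS if i in data})
    return {
        "name": name,
        "sha256": digest,
        "is_pe": is_pe(data),
        "known_good_match": matches,      # None = no reference hash for this file
        "indicator_hits": hits,
        "verdict": "trusted" if matches else "investigate",
    }


def triage_file(path: str, known_good: Dict[str, str]) -> dict:
    """Same check against a file on disk, e.g. C:\\Windows\\System32\\cmd.exe."""
    p = Path(path)
    return triage_bytes(p.name, p.read_bytes(), known_good)


def fake_pe(body: bytes) -> bytes:
    """Minimal PE-shaped blob: MZ, e_lfanew = 0x40, PE signature, then body."""
    return b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + body


# Constructed samples. The genuine file's hash becomes the known-good reference;
# in practice it comes from a clean system running the same Windows build.
GENUINE_CMD = fake_pe(b"Microsoft Windows Command Processor\x00ECHO is on.\x00")
TROJANED_CMD = fake_pe(b"Microsoft Windows Command Processor\x00"
                       b"powershell -enc SQBFAFgA http://203.0.113.5/s\x00")
KNOWN_GOOD = {"cmd.exe": sha256_bytes(GENUINE_CMD)}


if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE_CMD), ("replaced", TROJANED_CMD)):
        r = triage_bytes("cmd.exe", blob, KNOWN_GOOD)
        print(f"{label}: match={r['known_good_match']} pe={r['is_pe']} "
              f"verdict={r['verdict']} indicators={r['indicator_hits']}")
```

The hash mismatch alone is enough to confirm Susan's theory; the PE check and string indicators are there to show what a static pass adds for triage when no reference hash exists (known_good_match comes back None in that case, and the file goes to "investigate"). None of this tells her what the replacement does, which is where a sandbox run on an isolated system would follow.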
