Security Operations Flashcards

1
Q

Which type of threat intelligence source is most likely to be available without a subscription?

A

Open source.

2
Q

What term best describes the intelligence source that uses tools like Cisco Talos to automatically look up information about the past activity of IP addresses sending emails?

A

Reputation data.

3
Q

What cloud tier best describes AWS Lambda, a serverless computing service that allows developers to write and execute functions directly on the cloud platform?

A

Function-as-a-Service (FaaS).

A service like Lambda could also be described as platform-as-a-service (PaaS), because FaaS is a subset of PaaS. FaaS, however, is the term that describes it most precisely: the provider runs and scales individual functions on demand, and the customer supplies only the function code and the event that triggers it.

4
Q

What is the user attempting to do with the command:
./john -wordfile:/home/user12/mylist.txt -format:lm hash.txt?

Answer Choices:
A. They are attempting to hash a file.
B. They are attempting to crack hashed passwords.
C. They are attempting to crack encrypted passwords.
D. They are attempting a pass-the-hash attack.

A

B. They are attempting to crack hashed passwords.

Explanation:
The command runs John the Ripper, a password-cracking tool, against hash.txt, a file of LAN Manager (LM) hashes, using the wordlist /home/user12/mylist.txt. Hashing is one-way and is not reversed: John hashes each candidate from the wordlist in LM format and compares the result with the stored hashes, reporting a match as the recovered plaintext. This is a dictionary attack against hashed passwords. LM in particular is weak because it uppercases the password, pads or truncates it to 14 characters and hashes the two 7-character halves independently, so each half can be cracked on its own. Pass-the-hash (D) would reuse the hash itself as a credential rather than recover the password, and nothing here encrypts or decrypts anything (C).
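The mechanism behind the john command above, as an added example (not John the Ripper's code): every wordlist candidate is hashed the same way the stored values were and compared; nothing is reversed. SHA-256 stands in for LM because LM needs a DES implementation that the Python standard library does not provide; the lm_mangle rule imitates LM's uppercasing and 14-character limit, which is why a wordlist entry "Winter2024" still matches an LM-style hash of "WINTER2024". The wordlist and hash file are constructed for the demo.

```python
"""Dictionary attack against a file of password hashes (added example)."""
import hashlib

# Constructed stand-in for mylist.txt
WORDLIST = ["password", "letmein", "Winter2024", "summer", "P@ssw0rd"]


def identity(candidate: str) -> str:
    """No mangling: the candidate is hashed exactly as written."""
    return candidate


def lm_mangle(candidate: str) -> str:
    """LM uppercases the password and keeps at most 14 characters."""
    return candidate.upper()[:14]


def digest(text: str, algo: str) -> str:
    return hashlib.new(algo, text.encode("utf-8")).hexdigest()


def make_hash_file(credentials, algo="sha256"):
    """Constructed 'user:hexdigest' lines, like hash.txt but with a stdlib hash."""
    return [f"{user}:{digest(password, algo)}" for user, password in credentials]


def crack(hash_lines, wordlist, algo="sha256", mangle=identity):
    """Return {user: plaintext} for each stored hash reproduced by a candidate."""
    targets = {}
    for line in hash_lines:
        user, _, stored = line.strip().partition(":")
        targets.setdefault(stored.lower(), []).append(user)
    cracked = {}
    for word in wordlist:
        # Hash each candidate once and look it up against every user's hash.
        hit = targets.get(digest(mangle(word), algo))
        for user in hit or ():
            cracked[user] = word
    return cracked


if __name__ == "__main__":
    # LM stores the uppercased form, so the file holds hashes of "WINTER2024" etc.
    hash_file = make_hash_file(
        [("alice", "WINTER2024"), ("bob", "P@SSW0RD"), ("carol", "correct horse")])
    print(crack(hash_file, WORDLIST, mangle=lm_mangle))  # alice and bob; carol is not in the list
    print(crack(hash_file, WORDLIST))                    # {} without the LM uppercasing rule
```

The same loop with a different `mangle` function is what John's rule engine does at scale; the cost of an attack is the number of candidates times the hash speed, which is why a slow, salted password hash matters far more than a long wordlist.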

5
Q

What is Geoff’s best option to secure network appliances that have exposed services such as Telnet, FTP, and web servers?

Answer Choices:
A. Enable host firewalls.
B. Install patches for those services.
C. Turn off the services for each appliance.
D. Place a network firewall between the devices and the rest of the network.

A

D. Place a network firewall between the devices and the rest of the network.

Explanation:
Placing a network firewall between the appliances and the rest of the network lets Geoff control which hosts can reach the exposed services. It is the practical option when the services cannot be turned off (C) because the appliances need them, cannot be patched (B) because the vendor ships no fixes, and the appliances do not support a host firewall (A). The firewall limits exposure and mitigates the risk of vulnerable or unnecessary services without changing the appliances themselves.

It does not remove the underlying weaknesses, so management access should still be restricted to a small set of administrative hosts, and cleartext protocols such as Telnet and FTP should be replaced by SSH or SFTP wherever the appliance supports them.

6
Q

What issue should Ian report to management upon discovering that multiple certificates in his organization are self-signed?

Answer Choices:
A. Self-signed certificates do not provide secure encryption for site visitors.
B. Self-signed certificates can be revoked only by the original creator.
C. Self-signed certificates will cause warnings or error messages.
D. None of the above.

A

C. Self-signed certificates will cause warnings or error messages.

Explanation:
Self-signed certificates can use exactly the same key sizes and cipher suites as CA-issued ones, so the encryption itself is not weaker (A is wrong). What they lack is a chain to a Certificate Authority the client already trusts, so browsers and other TLS clients reject them or display warnings. Beyond the usability cost, this is a security problem: users learn to click through warnings, and a client that accepts any self-signed certificate cannot tell the organization's certificate from one presented by an on-path attacker. Ian should report that these systems need certificates from a trusted CA, either a public CA or an internal CA whose root is distributed to managed clients.

7
Q

TCP port 636 is often used for?

A

LDAPS, LDAP over SSL/TLS. Plain LDAP uses TCP port 389 (optionally upgraded with STARTTLS); on port 636 the TLS handshake happens before any LDAP traffic is exchanged.

8
Q

What does the network flow entry most likely show if the destination IP address (10.2.2.3) is not a system on Cynthia’s network?

A. A web browsing session
B. Data exfiltration
C. Data infiltration
D. A vulnerability scan

A

B. Data exfiltration

Explanation:
The flow entry shows roughly 9.1 GB sent from the internal host 10.1.1.1 to 10.2.2.3. A large, one-directional transfer from inside the organization to an address that is not part of it is the classic signature of data exfiltration, rather than web browsing (mostly inbound data), infiltration (data moving in) or a vulnerability scan (many small flows to many ports). Note that 10.2.2.3 is an RFC 1918 private address, so "not on Cynthia's network" is a statement about her address plan and asset inventory, not about the address being public; the destination may be an attacker-controlled host reachable through a VPN, a peer network or a misrouted segment, and identifying it is the next step of the investigation.

9
Q

During a regularly scheduled PCI compliance scan, Fred discovers that port 3389 is open on one of the point-of-sale terminals he manages. What service should he expect to find enabled on the system?

Answer Choices:
A. MySQL
B. RDP
C. TOR
D. Jabber

A

B. RDP

Explanation:
Port 3389 is the default port for Remote Desktop Protocol (RDP), used for remote access to Windows systems. An open 3389 on a point-of-sale terminal means remote desktop access is enabled on a system that handles card data, a common initial-access path that should be disabled or restricted to a management network and investigated immediately.

A. MySQL listens on TCP port 3306 by default.
C. Tor has no single well-known port for its traffic: the client's SOCKS proxy defaults to 9050 and relays commonly use 9001 and 9030.
D. Jabber (XMPP) uses port 5222 for client connections and 5269 for server-to-server traffic.

10
Q

Saanvi discovers services running on ports 8080 and 8443 as part of her intelligence-gathering process. What services are most likely running on these ports?

A. Botnet C&C
B. Nginx
C. Microsoft SQL Server instances
D. Web servers

A

D. Web servers

Explanation:
Ports 8080 and 8443 are the most common alternate ports for web services:

Port 8080 is the conventional alternative to 80 for HTTP, used by application servers, proxies and administrative interfaces that do not bind the privileged default port.
Port 8443 is the conventional alternative to 443 for HTTPS.

Nginx (B) is one web server that might be listening on these ports, but the port number alone does not identify the software, so the general answer, web servers (D), is best; Saanvi would confirm with a banner grab or by browsing to the port.

Botnet C&C (A) can use any port, including 8080 or 8443 to blend in with web traffic, but nothing here suggests it. Microsoft SQL Server (C) listens on TCP port 1433 by default.

11
Q

Angela wants to gather network traffic from systems on her network. What tool can she use to best achieve this goal?

A. Nmap
B. Wireshark
C. Sharkbait
D. Dradis

A

B. Wireshark

Explanation:
Wireshark is a network protocol analyzer that captures packets and decodes them for inspection, which is exactly what gathering network traffic means here. To see traffic from other systems rather than only her own host, Angela needs a capture point such as a switch SPAN/mirror port or a network tap; on a headless sensor, tcpdump or Wireshark's tshark can capture to a file she opens later.

A. Nmap is a scanner that discovers hosts, ports and services by sending probes; it does not capture traffic.

C. Sharkbait is not a network tool; it is a distractor.

D. Dradis is a collaboration and reporting tool for penetration tests and vulnerability assessments, not a capture tool.

12
Q

Wang submits a suspected malware file to malwr.com and receives information about its behavior. What type of tool is malwr.com?

A. A reverse-engineering tool
B. A static analysis sandbox
C. A dynamic analysis sandbox
D. A decompiler sandbox

A

C. A dynamic analysis sandbox

Explanation:

Malwr.com was a public front end to the Cuckoo Sandbox, an open source dynamic analysis system (the public site is no longer online). Dynamic analysis executes the suspected file in an instrumented, isolated virtual machine and records what it does: files created, registry changes, processes spawned, network connections and dropped payloads. That behavioural report is what Wang received.

A. A reverse-engineering tool typically focuses on disassembling and analyzing the code, but doesn’t observe live behavior.

B. A static analysis sandbox analyzes the file without executing it, usually examining the file’s structure and code.

D. A decompiler sandbox is used to transform compiled code back into higher-level code, which isn’t the primary function of malwr.com.

13
Q

Sarah has been asked to assess the technical impact of suspected reconnaissance performed against her organization. She is informed that a reliable source has discovered that a third party has been performing reconnaissance by querying WHOIS data. How should Sarah categorize the technical impact of this type of reconnaissance?

A. High.
B. Medium.
C. Low.
D. She cannot determine this from the information given.

A

C. Low.

Explanation:
Querying WHOIS data is a common method used for gathering public information about domain names and IP addresses. This type of reconnaissance typically involves looking up details such as domain ownership, registration details, and contact information. While it can provide useful intelligence to attackers, the information obtained from WHOIS queries is generally publicly available and does not directly expose critical vulnerabilities or weaknesses in the network or systems. Therefore, the technical impact of this type of reconnaissance is typically considered low.

It can still be one step of a larger reconnaissance effort, but on its own it poses no immediate technical threat.

14
Q

The flow logs show ICMP Echo request (ping) packets sent from a source IP (10.1.1.1) to a range of destination IPs (10.2.2.6 to 10.2.2.11), with ICMP replies received in return. This indicates that the system is performing a?

A. A port scan
B. A failed three-way handshake
C. A ping sweep
D. A traceroute

A

C. A ping sweep

Explanation:
The source is sending ICMP Echo requests to consecutive addresses and receiving Echo replies, which is host discovery: the sweep establishes which addresses in 10.2.2.6 through 10.2.2.11 are live. This is usually the first step of reconnaissance, and the same source should be watched for follow-on port scans against the hosts that answered.

A. A port scan would target TCP or UDP ports on discovered hosts; it does not consist of ICMP Echo requests.

B. A failed three-way handshake would involve a TCP SYN without the completing SYN/ACK and ACK, not ICMP.

D. A traceroute sends probes toward a single destination with increasing time-to-live values and relies on ICMP Time Exceeded messages from each hop; this log shows plain Echo request and reply pairs to many destinations.
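Both flow-log cards above (the 9.1 GB transfer to 10.2.2.3 and the ICMP sweep of 10.2.2.6 through 10.2.2.11) can be found with the same detection logic. The following is an added example, not code from any flow collector: it runs two checks over a constructed set of NetFlow-style records. The organization's address ranges, the records and the thresholds are assumptions for the demo; 10.2.2.0/24 is deliberately left out of the organization's ranges, because "internal" means "in our inventory", not "RFC 1918 address".

```python
"""Exfiltration and ping-sweep detection over NetFlow-style records (added example)."""
from collections import defaultdict
import ipaddress

# Address blocks the organization actually owns (assumed for the demo).
ORG_NETS = [ipaddress.ip_network("10.1.1.0/24")]

# NetFlow v5 convention: for ICMP the destination-port field carries type*256 + code.
ICMP_ECHO_REQUEST = 8 * 256
ICMP_ECHO_REPLY = 0

# Constructed records: (src, dst, proto, dst_port, bytes)
SAMPLE_FLOWS = [
    ("10.1.1.1", "10.2.2.3", "TCP", 443, 9_100_000_000),  # 9.1 GB outbound
    ("10.2.2.3", "10.1.1.1", "TCP", 49212, 48_000),       # small return traffic
    ("10.1.1.5", "10.1.1.9", "TCP", 445, 120_000_000),    # internal file copy, ignored
    ("10.1.1.1", "203.0.113.10", "TCP", 443, 2_400_000),  # ordinary browsing, under threshold
] + [("10.1.1.1", f"10.2.2.{h}", "ICMP", ICMP_ECHO_REQUEST, 64) for h in range(6, 12)] \
  + [(f"10.2.2.{h}", "10.1.1.1", "ICMP", ICMP_ECHO_REPLY, 64) for h in range(6, 12)]


def is_internal(ip: str) -> bool:
    """True if the address is in one of the organization's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ORG_NETS)


def find_exfiltration(flows, threshold_bytes=1_000_000_000):
    """Outbound (internal -> non-internal) byte totals per src/dst pair at or above threshold."""
    totals = defaultdict(int)
    for src, dst, _proto, _dport, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[(src, dst)] += nbytes
    return sorted((src, dst, total) for (src, dst), total in totals.items()
                  if total >= threshold_bytes)


def find_ping_sweeps(flows, min_targets=5):
    """Sources that sent ICMP Echo requests to at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for src, dst, proto, dport, _nbytes in flows:
        if proto == "ICMP" and dport == ICMP_ECHO_REQUEST:
            targets[src].add(dst)
    return [(src, sorted(hosts, key=ipaddress.ip_address))
            for src, hosts in sorted(targets.items()) if len(hosts) >= min_targets]


if __name__ == "__main__":
    print(find_exfiltration(SAMPLE_FLOWS))  # [('10.1.1.1', '10.2.2.3', 9100000000)]
    print(find_ping_sweeps(SAMPLE_FLOWS))   # [('10.1.1.1', ['10.2.2.6', ..., '10.2.2.11'])]
```

Aggregating by source/destination pair matters because exfiltration is often split across many flows; a per-flow threshold would miss it. Tune the byte threshold per segment (a backup server legitimately moves far more than a workstation) and the sweep threshold to the size of the subnets you monitor.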

15
Q

A tarpit, or a system that looks vulnerable but is actually intended to slow down attackers, is an example of what type of technique?

A. A passive defense
B. A sticky defense
C. An active defense
D. A reaction-based defense

A

C. An active defense

Explanation:
A tarpit is an example of an active defense technique. It deliberately slows down or traps attackers, making it harder for them to achieve their goals by engaging with them in a way that consumes their resources (such as time and bandwidth). It doesn’t passively observe or simply block attacks; it actively engages with the attacker by making them believe they are making progress, thus slowing their efforts.

A. A passive defense typically involves methods like monitoring or detection without direct interaction with the attacker.

B. A sticky defense is not a standard term in cybersecurity defense strategies.

D. A reaction-based defense refers to defensive measures taken in response to an event or attack, such as activating a response mechanism. However, a tarpit is preemptively designed to delay or trap attackers.

16
Q

Susan needs to test thousands of submitted binaries. She needs to ensure that the applications do not contain malicious code. What technique is best suited to this need?

A. Sandboxing
B. Implementing a honeypot
C. Decompiling and analyzing the application code
D. Fagan testing

A

A. Sandboxing

Explanation:
Sandboxing executes each binary in an isolated environment and records what it does (files written, processes started, registry and network activity) without risk to the real host. Because the execution and the reporting can be automated, it scales to thousands of submissions, which is the deciding factor here; the behavioural record also catches malicious code that a signature scan would miss. One caveat: some malware checks for a virtual machine or sleeps past the analysis window, so a clean sandbox run is evidence, not proof.

B. Implementing a honeypot is used to attract and study attackers, not to test submitted binaries.

C. Decompiling and analyzing the application code can be useful for static analysis, but it’s not the best method when dealing with thousands of binaries, as it can be very time-consuming.

D. Fagan testing refers to a formal code review methodology, typically used for checking software quality, but it is not designed for identifying malicious code in binaries.

17
Q

During his analysis of a malware sample, Sahib reviews the malware files and binaries without running them. What type of analysis is this?

A. Automated analysis
B. Dynamic analysis
C. Static analysis
D. Heuristic analysis

A

C. Static analysis

Static analysis involves examining the malware code or binaries without executing them. This can include techniques like disassembling or decompiling the code to inspect its structure, behavior, and any embedded malicious payloads. In this case, Sahib is reviewing the files without running them, which is the definition of static analysis.

A. Automated analysis refers to the use of automated tools to analyze malware, but the key aspect here is the method (reviewing without execution), not automation.

B. Dynamic analysis involves running the malware in a controlled environment to observe its behavior, such as system modifications or network communication.

D. Heuristic analysis involves looking for patterns or behaviors that are typical of known malware but doesn’t specifically refer to the method of analyzing the binaries.

18
Q

Susan is reviewing files on a Windows workstation and believes that cmd.exe has been replaced with a malware package. Which of the following is the best way to validate her theory?

A. Submit cmd.exe to VirusTotal.

B. Compare the hash of cmd.exe to a known good version.

C. Check the file using the National Software Reference Library.

D. Run cmd.exe to make sure its behavior is normal.

A

A. Submit cmd.exe to VirusTotal.

Explanation:
VirusTotal runs the file past dozens of antimalware engines and reports whether its hash is already known, including as a genuine Microsoft binary, so one submission tells Susan both whether this is the real cmd.exe and whether the replacement matches known malware. Before uploading, she should search VirusTotal by the file's hash: uploading shares the file with the VirusTotal community, and a custom tool that has never been seen will simply come back as unknown.

B. Comparing the hash to a known-good copy proves whether the file has been altered, whatever the replacement is, but requires a trusted copy of the same Windows build and says nothing about what the replacement does.

C. The National Software Reference Library is a set of hashes of known-good software, so it answers the same question as B (is this a stock file?) and provides no insight into whether the file is malicious.

D. Running cmd.exe is unsafe; if the file is malicious, executing it may compromise the system further.

19
Q

Bobbi is deploying a single system to manage a sensitive industrial control process. The system will operate independently without any network connections. What security strategy is being deployed?

A. Network segmentation
B. VLAN isolation
C. Airgapping
D. Logical isolation

A

C. Airgapping

Explanation:
Airgapping is a security strategy where a system is completely isolated from any external or internal networks, including the internet. This ensures maximum security by preventing any potential network-based attacks. Unlike network segmentation or VLAN isolation, which still allow some level of communication, airgapping involves full physical disconnection.

20
Q

Ian needs to deploy a secure wireless network alongside a public wireless network in his organization without adding additional costs and complexity. What type of segmentation should he implement?

Answer Choices:
A. SSID segmentation
B. Logical segmentation
C. Physical segmentation
D. WPA segmentation

A

Correct Answer:
B. Logical segmentation

Explanation:
Logical segmentation uses the same physical access points and switches for both networks and keeps them apart with separate SSIDs mapped to separate VLANs, with firewall rules between those VLANs on the wired side. This meets the requirement without buying and cabling a second set of access points, which is what physical segmentation (C) would require. "SSID segmentation" (A) and "WPA segmentation" (D) are not segmentation techniques: a separate SSID is only the name a client sees, and WPA is the encryption and authentication applied to a given SSID; neither isolates traffic unless the SSID is placed on its own VLAN.

20
Q

Barbara has segmented her virtualized servers using VMware to ensure that the networks remain secure and isolated. What type of attack could defeat her security design?

A. VLAN hopping
B. 802.1q trunking vulnerabilities
C. Compromise of the underlying VMware host
D. BGP route spoofing

A

Correct Answer:
C. Compromise of the underlying VMware host

Explanation:
The security of virtualized environments like VMware depends heavily on the underlying host. If an attacker compromises the VMware host, they could potentially gain access to all the virtualized servers and bypass the network segmentation. While VLAN hopping and 802.1q trunking vulnerabilities are concerns for physical network isolation, the virtualized nature of VMware makes the host the most critical point of failure. BGP route spoofing pertains to routing attacks and is not directly related to VMware security.

21
Q

What major issue would Charles face if he relied on hashing malware packages to identify malware packages?

Answer Choices:
A. Hashing can be spoofed.
B. Collisions can result in false positives.
C. Hashing cannot identify unknown malware.
D. Hashing relies on unencrypted malware samples.

A

Correct Answer:
C. Hashing cannot identify unknown malware.

Explanation:
Hashing identifies only samples that have already been seen: a hash is a fingerprint of the exact bytes, so any variant (a recompile, a different packer, a single padded byte) has a completely different hash and is invisible to a hash lookup until someone adds that specific version to the database. Fuzzy hashes such as ssdeep and behavioural or heuristic detection exist to cover that gap. Comparing a file's hash against a known-good list does not suffer from this, because there any mismatch is a finding.
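The two sides of file hashing, serving both the cmd.exe card and this one, as an added example (none of this is VirusTotal's or the NSRL's code): comparing a file's hash with a known-good value detects any replacement of that file, however novel the replacement is, while the same hashes used as a malware blocklist miss a variant that differs by a single byte. The "binaries" and both hash sets are constructed for the demo.

```python
"""Hashes as an allowlist versus a blocklist (added example)."""
import hashlib
import io

CHUNK = 1 << 16


def sha256_stream(fileobj) -> str:
    """Hash a file-like object in chunks so a large binary need not fit in memory."""
    h = hashlib.sha256()
    for block in iter(lambda: fileobj.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def sha256_bytes(data: bytes) -> str:
    return sha256_stream(io.BytesIO(data))


# Constructed stand-ins for real executables (not real PE files).
GENUINE_CMD = b"MZ\x90\x00" + b"genuine cmd.exe build (constructed)"
KNOWN_MALWARE = b"MZ\x90\x00" + b"dropper seen last week (constructed)"

KNOWN_GOOD = {sha256_bytes(GENUINE_CMD)}    # trusted copy / NSRL-style reference set
KNOWN_BAD = {sha256_bytes(KNOWN_MALWARE)}   # signature-style blocklist


def classify(data: bytes, known_good=KNOWN_GOOD, known_bad=KNOWN_BAD) -> str:
    """'good' = byte-for-byte a trusted build, 'bad' = seen before as malware,
    'unknown' = neither list knows it, which is what a new variant or a
    tampered system file looks like to a pure hash lookup."""
    h = sha256_bytes(data)
    if h in known_good:
        return "good"
    if h in known_bad:
        return "bad"
    return "unknown"


def verify_system_file(data: bytes, known_good=KNOWN_GOOD) -> bool:
    """The cmd.exe check: only an exact known-good build passes; any replacement fails."""
    return sha256_bytes(data) in known_good


def make_variant(data: bytes) -> bytes:
    """A trivial 'recompile': one appended byte is enough for a brand-new hash."""
    return data + b"\x00"


if __name__ == "__main__":
    variant = make_variant(KNOWN_MALWARE)
    print(classify(GENUINE_CMD), classify(KNOWN_MALWARE), classify(variant))  # good bad unknown
    # Dropped where cmd.exe lives, the unknown variant is still caught by the allowlist check:
    print(verify_system_file(GENUINE_CMD), verify_system_file(variant))      # True False
```

The asymmetry is the point: an allowlist of system-file hashes is a strong tamper check because the defender controls what is on it, whereas a blocklist only ever catches what has already been catalogued.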

22
Q

Noriko wants to ensure that attackers cannot access his organization’s building automation control network. Which of the following segmentation options provides the strongest level of assurance that this will not happen?

Answer Choices:
A. Air gap
B. VLANs
C. Network firewalls
D. Host firewalls

A

Correct Answer:
A. Air gap

Explanation:
An air gap is the strongest form of network segmentation, as it physically isolates a network from all other networks, including the internet. This means that the building automation control network would be completely disconnected from any other network, ensuring that attackers cannot access it remotely or via any other compromised network. VLANs, network firewalls, and host firewalls offer segmentation but do not provide the same level of isolation as an air gap.

23
Q

Angela has decided to roll out a multifactor authentication system. What are the two most common factors used in MFA systems?

Answer Choices:
A. Location and knowledge
B. Knowledge and possession
C. Knowledge and biometric
D. Knowledge and location

A

Correct Answer:
B. Knowledge and possession

Explanation:
The two most common factors used in multifactor authentication (MFA) systems are knowledge (something the user knows, such as a password or PIN) and possession (something the user has, such as a mobile device, smart card, or token). Biometric factors (like fingerprints or facial recognition) are also used but are not as common as knowledge and possession in typical MFA setups.

24
Q

What purpose does the OpenFlow protocol serve in software-defined networks?

Answer Choices:
A. It captures flow logs from devices.
B. It allows software-defined network controllers to push changes to devices to manage the network.
C. It sends flow logs to flow controllers.
D. It allows devices to push changes to SDN controllers to manage the network.

A

Correct Answer:
B. It allows software-defined network controllers to push changes to devices to manage the network.

Explanation:
The OpenFlow protocol is a key component in Software-Defined Networking (SDN). It enables the SDN controller to communicate directly with the network devices (such as switches and routers), pushing updates and configurations to those devices to manage the flow of network traffic. It allows network management to be centralized and programmable, making network configuration more flexible and dynamic.

25
Q

Rick’s security research company wants to gather data about current attacks and sets up a number of intentionally vulnerable systems that allow his team to log and analyze exploits and attack tools. What type of environment has Rick set up?

Answer Choices:
A. A tarpit
B. A honeypot
C. A honeynet
D. A blackhole

A

Correct Answer:
C. A honeynet

Explanation:
A honeynet is a network of intentionally vulnerable systems designed to attract and trap attackers. It provides a broader scope than a single honeypot (which is just one vulnerable system), allowing security teams to gather detailed information about attack tools and techniques across multiple systems. This makes honeynets valuable for research and threat intelligence gathering.

26
Q

Kalea wants to prevent DoS attacks against her serverless application from driving up her costs when using a cloud service. What technique is not an appropriate solution for her need?

Answer Choices:
A. Horizontal scaling
B. API keys
C. Setting a cap on API invocations for a given timeframe
D. Using timeouts

A

Correct Answer:
A. Horizontal scaling

Explanation:
Horizontal scaling involves adding more resources (e.g., additional instances or functions) to handle increased traffic, which may lead to higher costs, especially during a DoS attack. While it can help handle load, it doesn’t necessarily prevent malicious traffic from reaching the application, and it might increase costs in the event of an attack. The other techniques, like API keys, setting caps on API invocations, and timeouts, are more directly focused on limiting or controlling access to prevent abuse and cost escalation during attacks.

27
Q

Brandon is designing the hosting environment for containerized applications. Application group A has personally identifiable information, application group B has health information with different legal requirements for handling, and application group C has business-sensitive data handling requirements. What is the most secure design for his container orchestration environment given the information he has?

Answer Choices:
A. Run a single, highly secured container host with encryption for data at rest.

B. Run a container host for each application group and secure them based on the data they contain.

C. Run a container host for groups A and B, and run a lower-security container host for group C.

D. Run a container host for groups A and C, and run a health information–specific container host for group B due to the health information it contains.

A

Correct Answer:
B. Run a container host for each application group and secure them based on the data they contain.

Explanation:
The most secure design is to separate the container hosts by application group based on the sensitivity of the data they contain. Application groups with stricter legal or regulatory requirements, such as group A (personally identifiable information) and group B (health information), should be isolated in their own environments with appropriate security measures, such as encryption, access control, and network isolation. This ensures that each group’s specific data handling and security requirements are met while minimizing the risk of unauthorized access or data leakage.

28
Q

What is the best security option to prevent attacks like keyloggers from compromising user credentials?

Answer Choices:

A. Multifactor authentication
B. Password complexity rules
C. Password lifespan rules
D. Prevent the use of USB devices

A

Correct Answer:
A. Multifactor authentication

Explanation:
Multifactor authentication (MFA) requires more than a password to authenticate a user. Even if a keylogger captures the password, the attacker still needs the second factor (a code from an app, a push approval, a hardware token or a biometric) to gain access, which greatly reduces the value of the stolen password. Note that a keylogger on the same endpoint can also capture a one-time code that the user types, so a factor that is not keyed in, such as a push approval or a FIDO2 hardware key, resists this better than SMS or TOTP codes. Password complexity (B) and lifespan (C) rules do nothing against a password that has already been captured, and blocking USB devices (D) stops only hardware keyloggers.

29
Q

What type of technology are Facebook Connect, CAS, Shibboleth, and AD FS examples of?

Answer Choices:

A. Kerberos implementations
B. Single sign-on implementations
C. Federation technologies
D. OAuth providers

A

Correct Answer:
B. Single sign-on implementations

Explanation:
Facebook Connect, CAS, Shibboleth, and AD FS are all Single Sign-On (SSO) implementations: a user authenticates once and then reaches multiple systems or applications without logging in again. They use different protocols to do it (Shibboleth and AD FS use SAML, CAS uses its own ticket protocol, and Facebook Connect is built on OAuth), which is why the protocol-specific options (A, D) are wrong.

30
Q

What is OAuth ?

A

Open Authorization (OAuth) is an open standard for authorization, not authentication. It lets a user grant a third-party application limited access to resources held by another service (data or APIs) without sharing their username and password with that application. "Sign in with Google" style login is built on top of OAuth 2.0 by OpenID Connect, which adds an identity layer; OAuth on its own only issues access tokens.

OAuth is focused on authorization: the user delegates limited access, expressed as scopes, to a third-party application, and the application never sees the user's credentials.

SSO (Single Sign-On), on the other hand, is focused on authentication, allowing users to log into multiple applications or services with a single set of credentials.

A user connects a new photo-editing app to their Google account. Instead of giving the app their Google username and password, they authenticate with Google itself, approve the access the app asks for, and Google returns an authorization code that the app exchanges for an access token. That token lets the app call Google Photos on the user's behalf, and only within the granted scope: a request for email or calendar data is refused by the resource server.

31
Q

What term describes defenses that obfuscate the attack surface by deploying decoys and attractive targets to slow down or distract an attacker?

Answer Choices:
A. An active defense
B. A honeyjar
C. A bear trap
D. An interactive defense

A

Correct Answer:
A. An active defense

Explanation:
Active defense involves deploying dynamic measures such as decoys (e.g., honeypots and honeynets) to mislead attackers, slow down their progress, and gather intelligence about malicious activities.

32
Q

Which web service security measure reduces the likelihood of a successful on-path (man-in-the-middle) attack?

Answer Choices:
A. Use TLS.
B. Use XML input validation.
C. Use XML output validation.
D. Virus-scan files received by the web service.

A

Correct Answer:
A. Use TLS.

Explanation:
TLS (Transport Layer Security) encrypts data in transit and authenticates the server to the client, so an on-path attacker can neither read nor silently modify the exchange. That protection holds only if the client validates the server's certificate against a trusted CA (and, for service-to-service calls, ideally pins it or uses mutual TLS); a client configured to accept any certificate is still open to interception. XML input and output validation (B, C) and virus scanning (D) address other risks but do nothing to protect data while it crosses the network.

33
Q

What type of access is typically required to compromise a physically isolated and air-gapped system?

Answer Choices:
A. Wired network access
B. Physical access
C. Wireless network access
D. None of the above, because an isolated, air-gapped system cannot be accessed

A

Correct Answer:
B. Physical access

Explanation:
Physically isolated and air-gapped systems are disconnected from any network. To compromise them, physical access is generally required, such as using external storage devices to introduce malware.

34
Q

Which of the following parties directly communicate with the end user during a SAML transaction?

Answer Choices:
A. The relying party
B. The SAML identity provider
C. Both the relying party and the identity provider
D. Neither the relying party nor the identity provider

A

Correct Answer:
C. Both the relying party and the identity provider

Explanation:
In the SAML web browser SSO profile the user's browser talks to both parties: the relying party (the service provider) sends the browser to the identity provider with an authentication request, the identity provider authenticates the user and hands the browser a signed assertion, and the browser posts that assertion back to the relying party, which then grants access. The two parties need no direct connection to each other; everything passes through the user.

35
Q

What is SAML?

A

SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between parties, specifically:

An identity provider (IdP) that authenticates a user.

A service provider (SP) that provides the service or resource the user wants to access.

SAML allows a user to authenticate once and access multiple services without needing to log in again (a concept called single sign-on, or SSO).

36
Q

How SAML Works:

A

Frodo (user) signs in to the identity provider first thing in the morning and gets an IdP session.
Frodo then opens his CRM in the browser.
The CRM, the service provider, has no session for him, so it redirects his browser to the identity provider with a SAML authentication request.
The identity provider sees Frodo's existing session (or authenticates him if there is none) and returns a signed SAML assertion to the browser, which posts it to the CRM's assertion consumer service.
The CRM verifies the signature, the audience, the validity window and the request the assertion answers, creates a session for Frodo and lets him in.
Frodo can use the CRM and get work done; the next application he opens repeats the redirect and assertion steps without asking him to log in again.

37
Q

Which of the following is not a benefit of physical segmentation?
A. Easier visibility into traffic
B. Improved network security
C. Reduced cost
D. Increased performance

A

Correct Answer:
C. Reduced cost

Explanation:
Physical segmentation involves isolating network traffic using separate hardware, which increases visibility, security, and performance by limiting congestion and lateral movement of attackers. However, it does not reduce costs—in fact, it tends to increase costs due to the need for additional infrastructure and maintenance.

38
Q

What three layers make up a software-defined network?

A. Application, Datagram, and Physical layers

B. Application, Control, and Infrastructure layers

C. Control, Infrastructure, and Session layers

D. Data link, Presentation, and Transport layers

A

Correct Answer:
B. Application, Control, and Infrastructure layers

Explanation:
A Software-Defined Network (SDN) consists of three key layers:

Application Layer: The top layer where network services (like firewalls and load balancers) are defined.

Control Layer: The middle layer, responsible for managing and controlling the network flow and decisions.

Infrastructure Layer: The bottom layer, which consists of the physical network devices (like switches and routers) controlled by the control layer.

39
Q

Which of the following is not a common use case for network segmentation?

A. Creating a VoIP network
B. Creating a shared network
C. Creating a guest wireless network
D. Creating trust zones

A

Correct Answer:
B. Creating a shared network

Explanation:
Network segmentation is typically used to separate different parts of a network to improve security, performance, and management. Common use cases include:

Creating a VoIP network (A): Segregating voice traffic from other network traffic.

Creating a guest wireless network (C): Isolating guest devices from the main internal network.

Creating trust zones (D): Segmenting the network into different trust levels, such as separating critical systems from less-sensitive systems.

Creating a shared network (B) goes against the idea of segmentation, as it involves grouping all devices together, which could lead to security and performance issues.

39
Q

Camille wants to integrate with a federation. What will she need to authenticate her users to the federation?

A. An IDP
B. An SP
C. An API gateway
D. An SSO server

A

Correct Answer:
A. An IDP

Explanation:
In a federated identity system, IDP (Identity Provider) is responsible for authenticating users and providing their identity to other systems.

IDP (A) is the system that holds and verifies the user’s credentials.

SP (B) refers to the Service Provider, which relies on the IDP for authentication.

API gateway (C) is used to manage and secure APIs, but not for authentication in a federation.

SSO server (D) provides single sign-on capabilities, but it is not the core component for federated authentication.

40
Q

What issues should Brandon consider before choosing to use the vulnerability management tools he has in his non-container-based security environment?

A. Vulnerability management tools may make assumptions about host durability.

B. Vulnerability management tools may make assumptions about update mechanisms and frequencies.

C. Both A and B.

D. Neither A nor B.

A non-container-based security environment refers to a traditional infrastructure setup where applications are deployed directly onto physical or virtual machines, rather than being run in isolated containers.

A

Correct Answer:
C. Both A and B.

Explanation:
When using vulnerability management tools, especially in a non-containerized environment, Brandon should consider both host durability and update mechanisms.

Host durability: Some vulnerability management tools may expect a stable, long-term presence of hosts, which may not be the case in non-containerized environments where hosts might be decommissioned or replaced frequently.

Update mechanisms and frequencies: Vulnerability management tools may also assume a specific update frequency or patching schedule for hosts, and if the system deviates from these assumptions, vulnerabilities might not be addressed in time.

41
Q

What open standard should Amira use if she wants to deploy a single sign-on (SSO) solution that supports both authentication and authorization, and allows federating with a variety of identity providers and service providers?

Answer Choices:
A. LDAP
B. SAML
C. OAuth
D. OpenID Connect

A

Correct Answer:
B. SAML

Explanation:
SAML (Security Assertion Markup Language) is an open standard used for single sign-on (SSO) that supports both authentication and authorization. It is commonly used for federating between identity providers (IdPs) and service providers (SPs), allowing users to authenticate once and access multiple services without needing to log in to each separately. It is widely supported for federated authentication across different systems.

Why not the others?
A. LDAP (Lightweight Directory Access Protocol): LDAP is a protocol used to query and modify directory services, not for SSO or federated authentication.

C. OAuth: OAuth is an open standard for authorization (not authentication) that allows third-party services to access a user’s resources without exposing the user’s credentials. While OAuth is part of the modern identity landscape, it doesn’t inherently provide SSO.

D. OpenID Connect: OpenID Connect is an authentication protocol built on top of OAuth 2.0. While it supports user authentication, it is typically used more for web and mobile applications, and is not as broadly supported in federated environments as SAML.

42
Q

Nathan is designing the logging infrastructure for his company and wants to ensure that a compromise of a system will not result in the loss of that system’s logs. What should he do to protect the logs?

Answer Choices:
A. Limit log access to administrators.
B. Encrypt the logs.
C. Rename the log files from their common name.
D. Send the logs to a remote server.

A

Correct Answer:
D. Send the logs to a remote server.

Explanation:
Sending logs to a remote server ensures that even if a system is compromised, the logs will not be lost. Storing logs centrally provides greater security and makes it more difficult for attackers to tamper with or delete logs. Other options like limiting access, encrypting, or renaming files could help in some cases but do not fully protect logs from being lost or altered in the event of a system compromise.

43
Q

Ansel knows he wants to use federated identities in a project he is working on. Which of the following should not be among his choices for a federated identity protocol?

Answer Choices:
A. OpenID
B. SAML
C. OAuth
D. Authman

A

Correct Answer:
D. Authman

Explanation:
Authman is not a recognized or standard protocol for federated identity management.

OpenID, SAML, and OAuth are all widely used protocols for federated identity systems.
OpenID is a decentralized protocol for single sign-on (SSO).
SAML (Security Assertion Markup Language) is used for exchanging authentication and authorization data between parties, commonly used in enterprise environments.
OAuth is an authorization framework that allows access delegation, often used alongside OpenID Connect for federated authentication and authorization.

44
Q

Abul wants to identify typical behavior on a Windows system using a built-in tool to understand memory, CPU, and disk utilization. What tool can he use to see both real-time performance and over a period of time?

A. sysmon
B. sysgraph
C. resmon
D. resgraph

A

Answer:
C. resmon (Resource Monitor)

Explanation: Resource Monitor is a built-in Windows tool that provides detailed real-time data on system performance, including memory, CPU, and disk utilization. It allows users to monitor both real-time and historical system performance.

Not A:
A. sysmon: Sysmon (System Monitor) is a Windows Sysinternals tool that provides detailed information about system activity, such as process creation, network connections, and file creation. While it’s great for security and forensic analysis, it doesn’t provide a graphical interface for real-time performance metrics like CPU, memory, or disk utilization.

45
Q

What does execution of wmic.exe, powershell.exe, or winrm.vbs most likely indicate if you discover one or more was run on a typical end user’s workstation?

Answer Choices:
A. A scripted application installation
B. Remote execution of code
C. A scripted application uninstallation
D. A zero-day attack

A

Correct Answer:
B. Remote execution of code

Explanation:
These tools (wmic.exe, powershell.exe, and winrm.vbs) are often used for remote management and administration. If discovered running on an end user’s workstation, it most likely indicates that an attacker is executing commands remotely on the system, potentially as part of a lateral movement or remote code execution attack. They are typically not used in normal user activities.

46
Q

While Lucy is monitoring the SIEM, she notices that all of the log sources from her organization’s New York branch have stopped reporting for the past 24 hours. What type of detection rules or alerts should she configure to make sure she is aware of this sooner next time?

Answer Choices:
A. Heuristic
B. Behavior
C. Availability
D. Anomaly

A

Correct Answer:
C. Availability

Explanation:
Availability detection rules are designed to alert when a system, service, or data source becomes unavailable. In this case, since the log sources from the New York branch have stopped reporting, an availability alert would trigger as soon as the logs stop being received, allowing Lucy to be aware of the issue promptly.

Why not the rest:

A. Heuristic: Detects patterns of behavior, not log availability, so it wouldn’t alert you to missing logs.

B. Behavior: Focuses on deviations in actions, not the absence of data.

D. Anomaly: Detects outliers in data, but not the lack of data itself.

47
Q

Lucy is tasked with configuring alerts that are sent to system administrators. She builds a rule that can be represented in pseudocode as follows:

Send an SMS alert every 30 seconds when systems do not send logs for more than 1 minute.

The average administrator at Lucy’s organization is responsible for 150–300 machines. What danger does Lucy’s alert create?

A. A DDoS that causes administrators to not be able to access systems
B. A network outage
C. Administrators may ignore or filter the alerts
D. A memory spike

A

Answer: C. Administrators may ignore or filter the alerts

Explanation:

If Lucy configures an alert that sends an SMS every 30 seconds when systems don’t send logs for more than 1 minute, the administrators may become overwhelmed by the constant barrage of alerts. Given their high workload (150-300 machines), they may start ignoring or filtering out the alerts due to alert fatigue, which would defeat the purpose of the monitoring system.

Why not the others:

A. A DDoS that causes administrators to not be able to access systems: This isn’t a DDoS attack. The alerts would overwhelm the administrators, but not affect system access.
B. A network outage: The alerting system itself doesn’t cause network outages.
D. A memory spike: This wouldn’t cause a memory spike in the system; it only causes alert overload.

48
Q

Disabling unneeded services is an example of what type of activity?

A. Threat modeling
B. Incident remediation
C. Proactive risk assessment
D. Reducing the threat attack surface area

A

Answer: D. Reducing the threat attack surface area

Explanation:
Disabling unneeded services is a proactive security measure aimed at minimizing the potential points of entry for attackers. By removing or disabling unnecessary services, you reduce the “attack surface” — the number of services and vulnerabilities that could potentially be exploited by malicious actors.

Why not the others:

A. Threat modeling: This involves identifying and understanding potential threats, but disabling services is more of a preventive action than part of a threat modeling process.
B. Incident remediation: This typically refers to responding to and fixing issues after an incident has occurred, not a proactive step.
C. Proactive risk assessment: While disabling services reduces risk, risk assessment itself involves identifying, evaluating, and mitigating risks, which is broader than just disabling services.

49
Q

What type of information can Gabby determine from Tripwire logs on a Linux system if it is configured to monitor a directory?

A. How often the directory is accessed
B. If files in the directory have changed
C. If sensitive data was copied out of the directory
D. Who has viewed files in the directory

A

Answer: B. If files in the directory have changed

Explanation: Tripwire is a file integrity monitoring tool that checks for changes to files and directories. It logs alterations such as file modifications, deletions, and additions. If Tripwire is configured to monitor a directory, it can detect and log any changes to the files within that directory.

Why not the others:

A. How often the directory is accessed: Tripwire does not track access times or access frequency. It focuses on detecting changes to files, not access patterns.
C. If sensitive data was copied out of the directory: Tripwire cannot track file transfers or copying. It can only detect changes to files within the monitored directory, not how or where they are used or copied.
D. Who has viewed files in the directory: Tripwire does not monitor file access by specific users. It focuses on changes to file contents and attributes, not who accessed or viewed a file.

50
Q

While reviewing tcpdump data, Kwame discovers that hundreds of different IP addresses are sending a steady stream of SYN packets to a server on his network. What concern should Kwame have about what is happening?

A. A firewall is blocking connections from occurring.
B. An IPS is blocking connections from occurring.
C. A denial-of-service attack.
D. An ACK blockage

A

Answer: C. A denial-of-service attack.

Explanation: The behavior Kwame is seeing—hundreds of different IP addresses sending SYN packets to a server—indicates a SYN flood attack, which is a form of Denial of Service (DoS) attack. In a SYN flood, the attacker sends a large number of SYN requests to a target server, but never completes the handshake (by sending the final ACK), causing the server to wait for connections and eventually become overwhelmed or unavailable.

Why not the others:

A. A firewall blocking connections: Firewalls block traffic, but don’t generate SYN packets.
B. An IPS blocking connections: IPS would drop malicious traffic, not cause SYN floods.
D. An ACK blockage: ACK blockage affects connection completion, not SYN flooding.

51
Q

While reviewing email headers, Saanvi notices an entry that reads as follows:

From: “John Smith, CIO” jsmith@example.com with a Received: parameter that shows mail.demo.com [10.74.19.11].

Which of the following scenarios is most likely if demo.com is not a domain belonging to the same owner as example.com?

A. John Smith’s email was forwarded by someone at demo.com.
B. John Smith’s email was sent to someone at demo.com.
C. The headers were forged to make it appear to have come from John Smith.
D. The mail.demo.com server is a trusted email forwarding partner for example.com.

A

Answer: C. The headers were forged to make it appear to have come from John Smith.

Explanation:

A. John Smith’s email was forwarded by someone at demo.com: If the email were forwarded, demo.com would appear in the Received field, but it wouldn’t necessarily show up as the originating server.

B. John Smith’s email was sent to someone at demo.com: If the email was sent to someone at demo.com, there would be no reason for demo.com to appear in the Received header as a sending server.

D. The mail.demo.com server is a trusted email forwarding partner for example.com: If this were the case, the domain demo.com would be part of the example.com infrastructure, but it’s not mentioned as being a trusted partner.

Thus, the most likely scenario is that the email headers were forged to make it appear that the email came from John Smith when it may not have.

52
Q

Fiona wants to prevent email impersonation of individuals inside her company. What technology can best help prevent this?

A. IMAP
B. SPF
C. DKIM
D. DMARC

A

Answer: D. DMARC

A. IMAP (Internet Message Access Protocol): This is a protocol used for retrieving and storing emails on a mail server. It is not a security technology designed to prevent email impersonation. It simply allows email clients to access emails stored on a server, but it does not provide protection against spoofing or impersonation.

B. SPF (Sender Policy Framework): SPF helps prevent email spoofing by verifying that the sender’s IP address is authorized to send emails on behalf of a domain. It helps, but not as fully as DMARC.

C. DKIM (DomainKeys Identified Mail): DKIM provides a way for sending mail servers to digitally sign emails, verifying their authenticity, but it requires DMARC for enforcement.

D. DMARC (Domain-based Message Authentication, Reporting, and Conformance): DMARC is the most effective of these options as it combines SPF and DKIM to ensure email authenticity, prevent spoofing, and provide reporting. It helps prevent email impersonation.

53
Q

While analyzing a malware file that she discovered, Tracy finds an encoded file that she believes is the primary binary in the malware package. Which of the following is not a type of tool that the malware writers may have used to obfuscate the code?

A. A packer
B. A crypter
C. A shuffler
D. A protector

A

Correct Answer:
C. A shuffler

Explanation:

A. A packer: As mentioned earlier, a packer is a tool used to compress or encrypt files to obscure their true contents, commonly used in malware to make detection and analysis more difficult.

B. A crypter: A crypter is designed to encrypt or obfuscate malware code, making it harder for antivirus software to detect and for analysts to reverse engineer the malicious behavior.

C. A shuffler: While the term “shuffler” might sound like something related to obfuscation, it is not commonly used in malware analysis or for obfuscating the actual binary code. It’s not a standard tool in malware development, making it the correct answer for “not a type of tool used to obfuscate code.”

D. A protector: Protectors are used to prevent tampering or reverse engineering of software, and they are used in both malware and legitimate software to prevent cracking and analysis.

So, C. A shuffler is the correct answer because it’s not a typical tool used for obfuscating malware code.

54
Q

Frank’s team uses the following query to identify events in their threat intelligence tool. Why would this scenario be of concern to the security team?

select * from network-events where data.process.image.file = 'cmd.exe' AND data.process.parentImage.file != 'explorer.exe' AND data.process.action = 'launch'

A. Processes other than explorer.exe typically do not launch command prompts.
B. cmd.exe should never launch explorer.exe.
C. explorer.exe provides administrative access to systems.
D. cmd.exe runs as administrator by default when launched outside of Explorer.

A

The correct answer is A. Processes other than explorer.exe typically do not launch command prompts.

Explanation:
A. A cmd.exe process launched by something other than explorer.exe could indicate suspicious behavior, such as malware trying to invoke cmd.exe outside normal usage.
B. cmd.exe can legitimately launch explorer.exe, so this isn’t a concern.
C. explorer.exe doesn’t provide administrative access by default.
D. cmd.exe doesn’t run as administrator by default unless specifically invoked with elevated privileges.

55
Q

While reviewing the command history for an administrative user, Lakshman discovers a suspicious command that was captured:

ln /dev/null ~/.bash_history

What action was this user attempting to perform?

A. Enabling the Bash history
B. Appending the contents of /dev/null to the Bash history
C. Logging all shell commands to /dev/null
D. Allowing remote access from the null shell

A

Correct Answer:
C. Logging all shell commands to /dev/null.

Why? The command ln /dev/null ~/.bash_history links the history file to /dev/null, discarding all command logs to hide activity.

Why Not Others?

A. It disables history, not enables it.
B. It replaces the file, not appends to it.
D. Unrelated to remote access or shells.

55
Q

Charles wants to determine whether a message he received was forwarded by analyzing the headers of the message. How can he determine this?

A. Reviewing the Message-ID to see if it has been incremented.
B. Checking for the In-Reply-To field.
C. Checking for the References field.
D. You cannot determine if a message was forwarded by analyzing the headers.

A

Correct Answer:
D. You cannot determine if a message was forwarded by analyzing the headers.

Why? Email headers do not reliably indicate if a message was forwarded; forwarding can appear as a new message from the forwarder.

Why Not Others?

A. Message-ID does not increment with forwarding.
B. In-Reply-To is used for replies, not forwarding.
C. References track message threads, not forwarding.

56
Q

Susan wants to check a Windows system for unusual behavior. Which of the following persistence techniques is not commonly used for legitimate purposes?

A. Scheduled tasks
B. Service replacement
C. Service creation
D. Autostart registry keys

A

Correct Answer:
B. Service replacement

Why?

Service replacement involves replacing legitimate system services with malicious ones, a technique almost exclusively used for malicious purposes.
Why Not Others?

A. Scheduled tasks: Often used for legitimate automation.
C. Service creation: Commonly used for installing new services.
D. Autostart registry keys: Frequently employed for legitimate software that needs to run on startup.

57
Q
Ben wants to quickly check a suspect binary file for signs of its purpose or other information that it may contain. What Linux tool can quickly show him potentially useful information contained in the file?

A. grep
B. more
C. less
D. strings

A

Correct Answer:
D. strings

Why?

strings extracts human-readable strings from binary files, which can help Ben identify text, such as URLs, file paths, or other hints about the file’s purpose.
Why Not Others?

A. grep: Used for searching specific patterns in text files, not for extracting readable strings from binary files.
B. more: A pager used to view the contents of a file one screen at a time, but it doesn’t specifically analyze binary files for readable strings.
C. less: Similar to more, it’s a pager tool but does not extract strings from binary files.

58
Q

Carol wants to analyze email as part of her antispam and antiphishing measures. Which of the following is least likely to show signs of phishing or other email-based attacks?

A. The email’s headers
B. Embedded links in the email
C. Attachments to the email
D. The email signature block

A

Correct Answer:
D. The email signature block

Why?
The email signature block is least likely to reveal phishing signs.

Why Not Others?

A. Email headers show sender info, useful for spotting spoofing.
B. Embedded links may lead to malicious sites.
C. Attachments often carry malware.

59
Q

Lukas wants to prevent users from running a popular game on Windows workstations he is responsible for. How can Lukas accomplish this for Windows workstations?

A. Using application allowlisting to prevent all prohibited programs from running.
B. Using Windows Defender and adding the game to the blocklist file.
C. Listing it in the Blocked Programs list via secpol.msc.
D. You cannot blocklist applications in Windows 10 without a third-party application.

A

Correct Answer:
A. Using application allowlisting to prevent all prohibited programs from running.

Why Not Others:

B. Windows Defender is for malware, not game blocking.
C. Secpol.msc isn’t effective for specific program blocking.
D. Windows 10 can block apps without third-party software.

60
Q

Naomi wants to analyze malware by running it and capturing what it does. What type of tool should she use?

A. A containerization tool
B. A virtualization tool
C. A sandbox tool
D. A packet analyzer

A

Correct Answer:
C. A sandbox tool

Explanation:
A sandbox tool is designed to run potentially dangerous files, such as malware, in an isolated environment. This allows the analyst to observe the behavior of the malware without risk to the host system.

61
Q

Ian lists the permissions for a Linux file that he believes may have been modified by an attacker. What do the permissions shown here mean?

-rwxrw-r-- 1 chuck admingroup 1232 Feb 28 16:22 myfile.txt

A. User chuck has read and write rights to the file; the Administrators group has read, write, and execute rights; and all other users only have read rights.

B. User admingroup has read rights; group chuck has read and write rights; and all users on the system can read, write, and execute the file.

C. User chuck has read, write, and execute rights on the file. Members of admingroup group can read and write to the file but cannot execute it, and all users on the system can read the file.

D. User admingroup has read, write, and execute rights on the file;

A

Correct Answer:
C. User chuck has read, write, and execute rights on the file. Members of admingroup group can read and write to the file but cannot execute it, and all users on the system can read the file.

Explanation:
The permissions -rwxrw-r-- can be broken down as follows:

rwx: User (chuck) has read, write, and execute permissions.

rw-: Group (admingroup) has read and write permissions, but no execute permissions.

r--: Others (everyone else) have read-only permissions.

62
Q

While reviewing web server logs, Danielle notices the following entry. What occurred?

10.11.210.6 - GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme=total 200

A. A theme was changed.
B. A file was not found.
C. An attempt to edit the 404 page.
D. The 404 page was displayed.

A

Correct Answer:
C. An attempt to edit the 404 page.

Explanation:
The log entry indicates a GET request made to the theme-editor.php script within the WordPress admin panel. This script is commonly used to edit themes, and the query parameters suggest that the file being targeted is 404.php. This suggests that the user was trying to edit or modify the 404 error page.

GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme=: This shows an attempt to access the theme editor for the file 404.php within a WordPress theme.

The status code 200 indicates a successful request, meaning the page was accessible, but it doesn’t directly indicate that the file was changed.

63
Q

Melissa wants to deploy a tool to coordinate information from a wide range of platforms so that she can see it in a central location and then automate responses as part of security workflows. What type of tool should she deploy?

A. UEBA
B. SOAR
C. SIEM
D. MDR

A

Answer:
B. SOAR

Explanation:
SOAR (Security Orchestration, Automation, and Response) tools centralize security data and automate responses across platforms, which fits Melissa’s need to coordinate and automate security workflows.

UEBA detects anomalies but doesn’t automate workflows.
SIEM monitors and logs but lacks automation.

64
Q

How does data enrichment differ from threat feed combination?

A. Data enrichment is a form of threat feed combination for security insights, focuses on adding more threat feeds together for a full picture, and removes third-party data to focus on core data elements rather than adding together multiple data sources.
B. Data enrichment uses events and nonevent information to improve security insights, instead of just combining threat information.
C. Threat feed combination is more useful than data enrichment because of its focus on only the threats.
D. Threat feed combination techniques are mature, and data enrichment is not ready for enterprise use.

A

Answer:
B. Data enrichment uses events and non-event information to improve security insights, instead of just combining threat information.

Explanation:

Data enrichment involves enhancing existing data by adding additional context, such as information from non-event sources (e.g., user data, asset data), to provide more comprehensive security insights.
Threat feed combination simply integrates multiple threat intelligence sources to form a fuller picture of the threat landscape.
Option A is incorrect because data enrichment focuses on enhancing data rather than just focusing on core data elements.
Option C is incorrect because data enrichment adds value by including more contextual information, not just focusing on threats.
Option D is incorrect because data enrichment is already widely used in enterprise environments.

65
Q

Kathleen wants to verify on a regular basis that a file has not changed on the system that she is responsible for. Which of the following methods is best suited to this?

A. Use sha1sum to generate a hash for the file and write a script to check it periodically.
B. Install and use Tripwire.
C. Periodically check the MAC information for the file using a script.
D. Encrypt the file and keep the key secret so the file cannot be modified.

A

Answer:
B. Install and use Tripwire.

Explanation:

Tripwire is a file integrity monitoring tool specifically designed to detect changes to files and directories. It regularly checks the integrity of the system’s files and alerts administrators if changes are detected, making it the best choice for Kathleen’s needs.
Option A (using sha1sum): While using sha1sum to generate a hash and checking it periodically could work, it’s less efficient and reliable compared to a specialized tool like Tripwire.
Option C (checking MAC information): While checking the file’s MAC (Modification, Access, and Change) times could indicate changes, it’s not as comprehensive or reliable as Tripwire for file integrity monitoring.
Option D (encrypting the file): Encrypting the file will prevent unauthorized modifications, but it does not address Kathleen’s goal of verifying the file’s integrity on a regular basis.

66
Q

Fiona is considering a scenario in which components that her organization uses in its software that come from public GitHub repositories are Trojaned. What should she do first to form the basis of her proactive threat-hunting effort?

A. Search for examples of a similar scenario.
B. Validate the software currently in use from the repositories.
C. Form a hypothesis.
D. Analyze the tools available for this type of attack.

A

Correct Answer:
C. Form a hypothesis.

Explanation:
Forming a hypothesis should be Fiona’s next step. Once she starts to consider a scenario, she needs to identify the target and likely adversary techniques and determine how she would verify the hypothesis.

67
Q

Tracy has reviewed the CrowdStrike writeup for an APT group known as HELIX KITTEN, which notes that the group is known for creating “thoroughly researched and structured spear-phishing messages relevant to the interests of targeted personnel.” What types of defenses are most likely to help if she identifies HELIX KITTEN as a threat actor of concern for her organization?

A. DKIM
B. An awareness campaign
C. Blocking all email from unknown senders
D. SPF

A

Correct Answer:
B. An awareness campaign

Explanation:
Awareness campaigns are among the most effective ways to counter spear phishing. A well-resourced APT organization will send email from legitimate email addresses, thus bypassing most DKIM and SPF defenses. Blocking email from all unknown senders is not acceptable to most organizations.

68
Q

Micah wants to use the data he has collected to help with his threat-hunting practice. What type of approach is best suited to using large volumes of log and analytical data?

A. Hypothesis-driven investigation
B. Investigation based on indicators of compromise
C. Investigation based on indications of attack
D. AI/ML-based investigation

A

The correct answer is D. AI/ML-based investigation.

Explanation: AI/ML-based investigations are best for handling large datasets, as they can quickly analyze and detect patterns or anomalies in massive volumes of data, adapting over time.

Why not the others?

A. Hypothesis-driven investigation: Involves testing theories, but doesn’t scale well for large data volumes.
B. Indicators of compromise (IoC): Focuses on known threats but is limited for large, diverse datasets.
C. Indications of attack (IoA): Detects behaviors of attacks but is less efficient without AI/ML for large data.

69
Q

Naomi wants to improve the detection capabilities for her security environment. A major concern for her company is the detection of insider threats. What type of technology can she deploy to help with this type of proactive threat detection?

A. IDS
B. UEBA
C. SOAR
D. SIEM

A

The correct answer is B. UEBA (User and Entity Behavior Analytics).

Explanation:
UEBA is specifically designed to identify unusual or suspicious behaviors that might indicate insider threats by analyzing user and entity activities. It uses machine learning and analytics to detect deviations from normal behavior.

Why not the others?

A. IDS (Intrusion Detection System): Primarily detects external attacks, not specifically tailored for insider threat detection.
C. SOAR (Security Orchestration, Automation, and Response): Automates incident response but doesn’t focus directly on proactive threat detection.
D. SIEM (Security Information and Event Management): Collects and analyzes log data but doesn’t specialize in detecting insider threats through behavioral analysis.

70
Q

Ling wants to use her SOAR platform to handle phishing attacks more effectively. What elements of potential phishing emails should she collect as part of her automation and workflow process to triage and assign severity indicators?
A. Subject lines
B. Email sender addresses
C. Attachments
D. All of the above

A

The correct answer is D. All of the above.

Explanation:
For effective triage and severity assignment of phishing emails, it is important to collect various elements that can indicate the authenticity or malicious nature of an email. These elements include:

Subject lines: Often, phishing emails use misleading or urgent subject lines to trick recipients.
Email sender addresses: Phishing emails often use forged or suspicious sender addresses.
Attachments: Malicious attachments can contain malware or links to phishing websites.

71
Q

Mila is reviewing feed data from the MISP open-source threat intelligence tool and sees the
following entry:
"Unit 42 has discovered a new malware family we've named
"Reaver" with ties to attackers who use SunOrcal malware.
SunOrcal activity has been documented to at least 2013, and
based on metadata surrounding some of the C2s, may have been
active as early as 2010. The new family appears to have been in
the wild since late 2016 and to date we have only identified 10
unique samples, indicating it may be sparingly used. Reaver is
also somewhat unique in the fact that its final payload is in
the form of a Control panel item, or CPL file. To date, only
0.006% of all malware seen by Palo Alto Networks employs this
technique, indicating that it is in fact fairly rare.", "Tag":
[{"colour": "#00223b", "exportable": true, "name":
"osint:source-type="blog-post""}], "disable_correlation":
false, "object_relation": null, "type": "comment"}, {"comment":
"", "category": "Persistence mechanism", "uuid": "5a0a9d47-
1c7c-4353-8523-440b950d210f", "timestamp": "1510922426",
"to_ids": false, "value": "%COMMONPROGRAMFILES%\services\",
"disable_correlation": false, "object_relation": null, "type":
"regkey"}, {"comment": "", "category": "Persistence mechanism",
"uuid": "5a0a9d47-808c-4833-b739-43bf950d210f", "timestamp":
"1510922426", "to_ids": false, "value":
"%APPDATA%\microsoft\mmc\", "disable_correlation": false,
"object_relation": null, "type": "regkey"}, {"comment": "",
"category": "Persistence mechanism", "uuid": "5a0a9d47-91e0-
4fea-8a8d-48ce950d210f", "timestamp": "1510922426", "to_ids":
false, "value":
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup"

How does the Reaver malware maintain persistence?

A. A blog post
B. Inserts itself into the Registry
C. Installs itself as a runonce key
D. Requests user permission to start up

A

The correct answer is B. Inserts itself into the Registry.

Explanation:
The persistence mechanism described in the MISP feed includes registry keys that are associated with the Reaver malware. Specifically, the entries mentioned are:

"%COMMONPROGRAMFILES%\services\"
"%APPDATA%\microsoft\mmc\"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup"
These paths indicate that Reaver malware inserts itself into the Windows Registry, a common technique for ensuring persistence on the system. By adding these registry keys, Reaver can ensure that it is executed each time the system starts, thus maintaining its presence on the infected machine.

72
Q

Fiona has continued her threat-hunting efforts and has formed a number of hypotheses.
What key issue should she consider when she reviews them?
A. The number of hypotheses
B. Her own natural biases
C. Whether they are strategic or operational
D. If the attackers know about them

A

The correct answer is B. Her own natural biases.

Explanation:
When reviewing hypotheses, it’s crucial for Fiona to be aware of her own natural biases, as they can influence how she interprets data or the conclusions she draws. Biases could lead her to focus too heavily on certain types of threats while overlooking others, which could result in ineffective or incomplete threat-hunting efforts. Being aware of these biases allows her to approach the review process more objectively and consider all possibilities.

73
Q

Nathan wants to determine which systems are sending the most traffic on his network.
What low-overhead data-gathering methodology can he use to view traffic sources, destinations, and quantities?

A. A network sniffer to view all traffic
B. Implementing NetFlow
C. Implementing SDWAN
D. Implementing a network tap

A

The correct answer is B. Implementing NetFlow.

Explanation: NetFlow is a network protocol developed by Cisco that collects IP traffic data, which provides insights into network traffic flow.

A. Network sniffer: Resource-intensive and captures excessive data, causing performance issues.

C. SD-WAN: Primarily for managing and optimizing WAN traffic, not for detailed traffic analysis.

D. Network tap: Hardware-based, more complex, and expensive compared to software solutions like NetFlow.

74
Q

What do DLP systems use to classify data and to ensure that it remains protected?
A. Data signatures
B. Business rules
C. Data egress filters
D. Data at rest

A

The correct answer is:

B. Business rules

Explanation: DLP (Data Loss Prevention) systems use business rules to classify data, ensuring it remains protected based on the organization’s specific policies, such as data types, sensitive information, and where it can be accessed or shared.

75
Q

Benicio wants to implement a tool for all the workstations and laptops in his company that
can combine behavioral detection attack indicators based on current threat intelligence with
real-time visibility into the systems. What sort of tool should he select?

A. An IPS
B. An EDR
C. A CRM
D. A UEBA

A

B. An EDR (Endpoint Detection and Response)

Explanation: An EDR (Endpoint Detection and Response) tool is designed to provide real-time visibility into endpoint activities, monitor for behavioral indicators of compromise (IoCs), and integrate with current threat intelligence. It combines detection and response capabilities to help identify and mitigate threats on workstations and laptops.

76
Q

Eric wants to analyze a malware binary in the safest way possible. Which of the following
methods has the least likelihood of allowing the malware to cause problems?

A. Running the malware on an isolated VM
B. Performing dynamic analysis of the malware in a sandbox
C. Performing static analysis of the malware
D. Running the malware in a container service

A

The correct answer is:

C. Performing static analysis of the malware

Explanation: Performing static analysis of the malware involves examining the malware’s code without executing it, thus preventing it from running and potentially causing harm. This is the safest method, as it does not allow the malware to execute and spread.

A. Isolated VM: VMs still run the malware, which poses a risk of escape or damage if isolation fails.

B. Dynamic analysis in a sandbox: Allows malware to run, which could lead to it escaping or causing harm if the sandbox isn’t secure.

D. Running in a container: Containers are less isolated than VMs, increasing the risk of malware escaping.

77
Q

Tom wants to improve his detection capabilities for his software-as-a-service (SaaS) environment. What technology is best suited to give him a view of usage, data flows, and other
details for cloud environments?

A. EDR
B. CASB
C. IDS
D. SIEM

A

The best option for Tom to improve detection capabilities in his SaaS environment is B. CASB (Cloud Access Security Broker).

A CASB provides visibility and control over data and user activity in cloud services, helping to monitor usage, data flows, and other cloud-specific details.

Here’s why the others aren’t the best fit:

A. EDR (Endpoint Detection and Response): Primarily focuses on endpoint monitoring, not cloud services.

C. IDS (Intrusion Detection System): Monitors for network intrusions but doesn’t specifically address cloud environments.

D. SIEM (Security Information and Event Management): Collects and analyzes security data from across an organization’s network, but CASBs provide specialized cloud-focused security features.