Security Operations Scenarios Flashcards

1
Q

What term describes the search for an insider threat or shadow IT that, until discovered, had been “flying under the radar”?
A. Threat hunting
B. Threat emulation
C. Intelligence
D. Targeted Attack

A

A. Threat hunting

1
Q

LoJax, Bad Rabbit, and NotPetya are three examples of what?
A. Zero-day threats
B. Malware
C. APTs
D. Competitors

A

B. Malware

2
Q

You discover log entries that raise suspicion that a security incident might have occurred, and you decide more investigation is needed. Which term describes what you found?
A. Vulnerabilities
B. ACLs
C. Threat intelligence types
D. Indicators of compromise

A

D. Indicators of compromise

3
Q

What is a key strength the disgruntled employee has over an outsider?
A. Trust
B. Time
C. Money
D. Signature

A

A. Trust

4
Q

Your manager asks if you’ve noticed any abnormal volumes of network traffic or other network issues. What logs might help you answer those concerns?
A. FIM logs
B. NetFlow logs
C. Firewall logs
D. Access logs

A

B. NetFlow logs

5
Q

Which of the following alerts warns the security analyst or administrator of the likelihood that data was exfiltrated out of the network?
A. IoC
B. FIM
C. DLP
D. ICE

A

C. DLP

6
Q

What intrusion detection processing technique is common for identifying a positive match but struggles to keep up with today’s traffic speeds and volumes?
A. SIEM
B. Regular expression
C. Signature-based
D. Anomaly or behavior

A

B. Regular expression

7
Q

Which of the following can block traffic based on the source and destination address?
A. The Deep Web
B. Script kiddie
C. ICS
D. ACL

A

D. ACL

8
Q

In the following example of an access control list, which of the following statements is true?

hostname R1
!
interface ethernet0
 ip access-group 102 in
!
! deny Telnet (TCP port 23) from any source to any destination, then allow everything else
access-list 102 deny tcp any any eq 23
access-list 102 permit ip any any

A. TCP traffic bound for port 102 is permitted
B. TCP traffic bound for port 23 is blocked
C. TCP traffic bound for port 102 is blocked
D. TCP traffic bound for port 23 is permitted

A

B. TCP traffic bound for port 23 is blocked

9
Q

You got an alert that unusual changes were made to files in a customer directory. What type of alert was this?
A. DLP
B. IDS
C. FIM
D. IPS

A

C. FIM

10
Q

Which of the following is not a label for the conceptual Diamond Model of Intrusion Analysis?
A. Capability
B. Attacks
C. Victim
D. Infrastructure

A

B. Attacks

11
Q

For the purpose of better understanding a company, an employee is tasked with browsing social media, listening to recorded speeches, and reading patents. What type of intelligence gathering is this employee performing?
A. HUMINT
B. APT
C. OSINT
D. ATT&CK

A

C. OSINT

12
Q

A determined security analyst discovered some evidence on a system that warranted more investigation. Ultimately, the analyst identified that advanced malware was resident and difficult to remove, and recommended that the system be rebuilt from scratch. What had the analyst discovered?
A. IoC
B. ACL
C. DLP
D. APT

A

D. APT

13
Q

What intelligence collection method is described as the personal side of spying or collecting intelligence?
A. Lessons learned report
B. Deep Web
C. HUMINT
D. OSINT

A

C. HUMINT

14
Q

If you needed to find out an organization’s technical contact or registration information about their domain, what OSINT resource might be helpful?
A. DNS records
B. Deep Web
C. TRA
D. WHOIS

A

D. WHOIS

15
Q

Whether following the Cyber Kill Chain or the ATT&CK framework, which of the following tactics would occur first?
A. Reconnaissance
B. Command and control
C. Exfiltration
D. Discovery

A

A. Reconnaissance

16
Q

In the ATT&CK framework, which of the following tactics occurs last?
A. Initial access
B. Persistence
C. Discovery
D. Defense evasion

A

C. Discovery

17
Q

For the purpose of gaining access to a competitor’s property, you are tasked with befriending the competitor’s employees, using social media, conversations, and empathy to build personal trust. What type of intelligence gathering are you performing?
A. HUMINT
B. APT
C. OSINT
D. ATT&CK

A

A. HUMINT

18
Q

Which dangerous category of bad actors describes those seeking to compromise critical infrastructures such as nuclear power plants, power generation stations, and water treatment plants?
A. Script kiddie
B. Organized crime
C. Insider threat
D. Nation-state

A

D. Nation-state

19
Q

A few months after the legal firm Dewey, Cheatem, and Howe outsourced their accounts receivable department, the law firm suffered from hacked bank accounts. They are growing suspicious of an attack. Which of the following terms describes what likely happened?
A. Denial-of-service attack
B. SYN flood attack
C. Disgruntled employee
D. Supply chain attack

A

D. Supply chain attack