Security Operations Scenarios Flashcards
What term describes the search for an insider threat or shadow IT that, until discovered, had been “flying under the radar”?
A. Threat hunting
B. Threat emulation
C. Intelligence
D. Targeted Attack
A. Threat hunting
LoJax, Bad Rabbit, and NotPetya are three examples of what?
A. Zero-day threats
B. Malware
C. APTs
D. Competitors
B. Malware
You discover log entries that raise suspicion that a security incident might have occurred. You decide more investigation is needed. What describes what you found?
A. Vulnerabilities
B. ACLs
C. Threat intelligence types
D. Indicators of compromise
D. Indicators of compromise
What is a key strength the disgruntled employee has over an outsider?
A. Trust
B. Time
C. Money
D. Signature
A. Trust
Your manager asks if you’ve noticed any abnormal volumes of network traffic or other network issues. What logs might help you answer those concerns?
A. FIM logs
B. NetFlow logs
C. Firewall logs
D. Access logs
B. NetFlow logs
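NetFlow records carry no payload, only who talked to whom, on which port, and how many bytes, which is exactly what an "abnormal volume" question needs. The following is an added example (not part of the flashcard set) that aggregates a few constructed NetFlow-style records per source host and flags hosts whose outbound byte count is a robust outlier; the record fields and the host addresses are assumptions made for the illustration.

```python
import statistics
from collections import defaultdict

# Constructed NetFlow-style records (trimmed to the fields we need).
# These are made-up values for the example, not captured traffic.
FLOWS = [
    {"src": "10.0.1.10", "dst": "93.184.216.34", "dport": 443, "bytes": 52_000},
    {"src": "10.0.1.11", "dst": "93.184.216.34", "dport": 443, "bytes": 48_000},
    {"src": "10.0.1.12", "dst": "10.0.0.5",      "dport": 445, "bytes": 61_000},
    {"src": "10.0.1.13", "dst": "93.184.216.34", "dport": 443, "bytes": 55_000},
    {"src": "10.0.1.14", "dst": "93.184.216.34", "dport": 80,  "bytes": 44_000},
    {"src": "10.0.1.27", "dst": "203.0.113.9",   "dport": 443, "bytes": 1_900_000},
    {"src": "10.0.1.27", "dst": "203.0.113.9",   "dport": 443, "bytes": 2_300_000},
]


def bytes_by_source(flows):
    """Sum bytes sent per source address across all flow records."""
    totals = defaultdict(int)
    for flow in flows:
        totals[flow["src"]] += flow["bytes"]
    return dict(totals)


def flag_outliers(totals, k=5.0):
    """Return hosts whose total sits more than k robust-sigma above the median.

    Median and median absolute deviation (MAD) are used instead of mean and
    standard deviation so that one very large talker does not inflate the
    baseline and hide itself.  1.4826 scales MAD to a normal-distribution sigma.
    """
    values = list(totals.values())
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values) or 1.0
    return sorted(h for h, v in totals.items() if (v - med) / (1.4826 * mad) > k)


def top_destinations(flows, src):
    """Destinations for one source, largest byte count first (for triage)."""
    per_dst = defaultdict(int)
    for flow in flows:
        if flow["src"] == src:
            per_dst[flow["dst"]] += flow["bytes"]
    return sorted(per_dst.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    totals = bytes_by_source(FLOWS)
    for host in flag_outliers(totals):
        print(host, totals[host], top_destinations(FLOWS, host))
```

With these records only 10.0.1.27 is flagged, and the triage helper shows all of its volume going to a single external address, which is the pattern that would justify pulling full packet capture or DLP alerts for that host.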
Which of the following alerts warns the security analyst or administrator that data was likely exfiltrated from the network?
A. IoC
B. FIM
C. DLP
D. ICE
C. DLP
What intrusion detection processing technique is common for identifying a positive match but struggles to keep up with today’s traffic speeds and volumes?
A. SIEM
B. Regular expression
C. Signature-based
D. Anomaly or behavior
B. Regular expression
Which of the following can block traffic based on the source and destination address?
A. The Deep Web
B. Script kiddie
C. ICS
D. ACL
D. ACL
In the following example of an access control list, which of the following answers is true?
hostname R1
!
interface ethernet0
 ip access-group 102 in
!
! ACL entries are evaluated top to bottom; the first match wins and
! every ACL ends with an implicit "deny any".
access-list 102 deny tcp any any eq 23
access-list 102 permit ip any any
A. TCP traffic bound for port 102 is permitted
B. TCP traffic bound for port 23 is blocked
C. TCP traffic bound for port 102 is blocked
D. TCP traffic bound for port 23 is permitted
B. TCP traffic bound for port 23 is blocked
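The answer depends on two ACL properties that the flashcard does not spell out: entries are tested in order and the first match decides, and a list with no explicit permit ends in an implicit deny. The following is an added example (not part of the flashcard set or any vendor code) that parses the two access-list lines above into a small first-match evaluator; it handles only "any" addresses and "eq" port qualifiers, which is a deliberate simplification.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: str              # "any" or a single host address (simplification)
    dst: str
    dport: Optional[int]  # None means any destination port


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse 'access-list <n> <action> <proto> <src> <dst> [eq <port>]' lines."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list":
            continue                      # skip hostname/interface/comment lines
        _, _number, action, proto, src, dst, *rest = parts
        dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        entries.append(AclEntry(action, proto, src, dst, dport))
    return entries


def _addr_match(rule_addr: str, addr: str) -> bool:
    return rule_addr == "any" or rule_addr == addr


def evaluate(acl: List[AclEntry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index) of the first matching entry.

    Falls through to ('deny', None) to model the implicit deny that
    terminates every Cisco ACL.
    """
    for index, entry in enumerate(acl):
        if entry.proto != "ip" and entry.proto != pkt.proto:
            continue
        if not (_addr_match(entry.src, pkt.src) and _addr_match(entry.dst, pkt.dst)):
            continue
        if entry.dport is not None and entry.dport != pkt.dport:
            continue
        return entry.action, index
    return "deny", None


# The ACL from the flashcard, fed through the parser verbatim.
ACL_102 = parse_acl([
    "access-list 102 deny tcp any any eq 23",
    "access-list 102 permit ip any any",
])

if __name__ == "__main__":
    telnet = Packet("tcp", "10.0.0.5", "10.0.0.1", 23)
    print("in order  :", evaluate(ACL_102, telnet))            # ('deny', 0)
    print("reversed  :", evaluate(list(reversed(ACL_102)), telnet))  # ('permit', 0)
```

Reversing the two entries is the classic mistake: the "permit ip any any" line then matches the Telnet packet first and the deny is never reached. Dropping the permit line altogether shows the other property, with every non-Telnet packet falling through to the implicit deny.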
You got an alert that unusual changes were made to files in a customer directory. What type of alert was this?
A. DLP
B. IDS
C. FIM
D. IPS
C. FIM
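A file integrity monitor works by hashing every file in a watched tree into a baseline and later re-hashing to report what was added, removed or modified. The following is an added example (not part of the flashcard set or of any FIM product) that does exactly that over a temporary directory it creates itself; the "customers" directory and its file contents are constructed for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map relative POSIX path -> SHA-256 hex digest for every regular file under root.

    Hashing content (rather than trusting size or mtime) matters because an
    attacker with write access can reset timestamps after tampering.
    """
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Classify changes between two snapshots into added / removed / modified."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo():
    """Build a constructed customer directory, baseline it, tamper, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        customers = root / "customers"
        customers.mkdir()
        (customers / "acme.csv").write_text("id,name\n1,ACME\n")
        (customers / "globex.csv").write_text("id,name\n2,Globex\n")
        baseline = snapshot(root)

        # Simulated unauthorized activity: edit one file, delete one, drop a new one.
        (customers / "acme.csv").write_text("id,name\n1,ACME\n99,mallory\n")
        (customers / "globex.csv").unlink()
        (customers / "dump.sql").write_text("-- staged for exfiltration\n")

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

In production the baseline lives somewhere the monitored host cannot rewrite it, and the snapshot also records owner, mode and extended attributes, since a permission change on a customer file is as much an integrity event as a content change.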
Which of the following is not a label for the conceptual Diamond Model of Intrusion Analysis?
A. Capability
B. Attacks
C. Victim
D. Infrastructure
B. Attacks
For the purpose of better understanding a company, an employee is tasked with browsing social media, listening to recorded speeches, and reading patents. What type of intelligence gathering is this employee performing?
A. HUMINT
B. APT
C. OSINT
D. ATT&CK
C. OSINT
A determined security analyst discovered some evidence on a system that warranted more investigation. Ultimately, the analyst identified that advanced malware was resident and difficult to remove. The security analyst recommended the system be rebuilt from scratch. What is it the analyst had discovered?
A. IoC
B. ACL
C. DLP
D. APT
D. APT
What intelligence collection method is described as the personal side of spying or collecting intelligence?
A. Lessons learned report
B. Deep Web
C. HUMINT
D. OSINT
C. HUMINT
If you needed to find out an organization’s technical contact or registration information about their domain, what OSINT resource might be helpful?
A. DNS records
B. Deep Web
C. TRA
D. WHOIS
D. WHOIS