The Answer to Everything in the universe Flashcards
Which element is part of an incident response plan?
organizational approach to incident response
Which of the following are examples of some of the responsibilities of a corporate CSIRT and the policies it helps create?
Incident classification and handling
Information classification and protection
Information dissemination
Record retentions and desctruction
In Microsoft Windows, as files are deleted the space they were allocated eventually is
considered available for use by other files. This creates alternating used and unused areas
of various sizes. What is this called?
Free Space Fragmentation
Which identifies both the source and destination location?
IP Address
You see confidential data being exfiltrated to an IP address that is attributed to a known
Advanced Persistent Threat group. Assume that this is part of a real attach and not a
network misconfiguration. Which category does this event fall under as defined in the
Diamond Model of Intrusion
reconnaissance
Which type of log is this an example of?
Netflow Log
Which source provides reports of vulnerabilities in software and hardware to a Security
Operations Center
Internal CSIRT
What is accomplished in the identification phase of incident handling
determining that a security event has occurred
Which option is a misuse variety per VERIS enumerations
snooping
Drag and Drop the element name from the left unto the correct piece of the Netflow v5 from a security event on the right
10.232.38.20 - Dest Address 3120 - Dest Port 80 - Source port 208.100.26.233 - Source Add 60 - Number of packets transmitted 39613-bytes transmitted TCP - protocol
Which regular expression matches “color” and “colour”
colou?r
Refer to the exhibit. Which packet contains a file that is extractable within Wireshark
2317 [TCP Segment]
During which phase of the forensic process are tools and techniques used to extract the
relevant information from the collective data
Examination
Explanation: Examinations involve forensically processing large amounts of collected data using a combination of automated and manual methods to assess and extract data of particular interest, while preserving the integrity of the data. Forensic tools and techniques appropriate to the types of data that were collected are executed to identify and extract the relevant information from the collected data while protecting its integrity. Examination may use a combination of automated tools and manual processes.
You receive an alert for malicious code that exploits Internet Explorer and runs arbitrary
code on the site visitor machine. The malicous code is on an external site that is being
visited by hosts on your network. Which user agent in the HTTP headers in the requests
from your internal hosts warrants further investigation?
Mozilla/5.0 (compatible, MSIE 10.0, Windows NT 6.2, Trident 6.0)
Refer to the exhibit. Which application protocol is in this PCAP file?
TCP. Just look at the protocol
Which information must be left out of a final incident report?
server hardware configurations
What mechanism does the Linux operating system provide to control access to files?
file permissions
Which element can be used by a threat actor to discover a possible opening into a target
network and can also be used by an analyst to determine the protocol of the malicious
traffic?
Ports
An organization has recently adjusted its security stance in response to online threats
made by a known hacktivist group. Which term defines the initial event in the NIST SP800-
61 r2?
Trigger
Which of the following is an example of a managed security offering where incident
response experts monitor and respond to security alerts in a security operations center
(SOC)?
Cisco’s Active Threat Analytics (ATA)
Which process is being utilized when IPS events are removed to improve data integrity
data availability
Which stakeholder group is responsible for containment, eradication, and recovery in
incident handling
facilitators
Which of the following can be identified by correlating DNS intelligence and other security
events?
Communication to CnC servers
Malicious domains based on reputation
Which CVSSv3 metric captures the level of access that is required for a successful attack?
privileges required
Refer to the exhibit. What can be determined from this ping result
The Cisco.com website is responding with an internal IP
Which of the following is not a metadata feature of the Diamond Model?
Devices
We have performed a malware detection on the Cisco website. Which statement about the
result is true
The website has been marked benign on all 68 checks
Which of the following steps in the kill chain would come before the others?
Delivery
Refer to the Exhibit. A customer reports that they cannot access your organization’s
website. Which option is a possible reason that the customer cannot access the website?
A vulnerability scanner has shown that 10.67.10.5 has been compromised.
Which option has a drastic impact on network traffic because it can cause legitimate traffic
to be blocked
false positive
What information from HTTP logs can be used to find a threat actor?
user-agent
Which option filters a LibPCAP capture that used a host as a gateway?
gateway host <host></host>
From a security perspective, why is it important to employ a clock synchronization protocol
on a network?
A. so that everyone knows the local time
Which option allows a file to be extracted from a TCP stream within Wireshark?
File > Export Objects
Which feature is used to find possible vulnerable services running on a server
listening ports
Which two HTTP header fields relate to intrusion analysis?
Host, Connection
Correct order of Elements of Incident Handling
- Preparation
- Detection and Analysis
- Containment, eradication and recovery
- Post-incident Analysis
In the context of incident handling phases, which two activities fall under scoping? (Choose
two
- determining what and how much data may have been affected
* identifying the attackers that are associated with a security incident
Which of the following is an example of a coordination center?
CERT division of the Software Engineering Institute (SEI)
You see 100 HTTP GET and POST requests for various pages on one of your webservers.
The user agent in the requests contain php code that, if executed, creates and writes to a
new php file on the webserver. Which category does this event fall under as defined in the
Diamond Model of Intrusion?
installation
Which data type is protected under the PCI compliance framework?
credit card type
Which kind of evidence can be considered most reliable to arrive at an analytical assertion?
direct
Which two options can be used by a threat actor to determine the role of a server? (Choose
two.)
running processes
applications
Refer to the exhibit. Which type of log is this an example of
NetFlow log
Which type of analysis allows you to see how likely an exploit could affect your network
probabilistic
Which of the following are not components of the 5-tuple of a flow in NetFlow? (Select all
that apply.
Flow record ID
Gateway
Which of the following has been used to evade IDS and IPS devices?
Fragmentation
Which of the following is typically a responsibility of a PSIRT
Disclose vulnerabilities in the organization’s products and services
Which of the following are the three metrics, or "scores," of the Common Vulnerability Scoring System (CVSS)? (Select all that apply.)
Base score
Environmental score
Temporal score
Which element is included in an incident response plan?
organization mission
Which component of the NIST SP800-61 r2 incident handling strategy reviews data?
detection and analysis
Which string matches the regular expression r(ege)+x?
rx
assets of an organization. Which option contains the elements that every event is
comprised of according to VERIS incident model’
assets of an organization. Which option contains the elements that every event is
comprised of according to VERIS incident model’
Which description of a retrospective maKvare detection is true?
You use historical information from one or more sources to identify the affected host or file.
Which of the following is not an example of weaponization
Connecting to a command and control server
Drag and drop the type of evidence from the left onto the correct descnption(s) of that
evidence on the right.
log that shows a command and control check-in from verified malware - DIRECT EVIDENCE
firewall log showing successful communication and threat intelligence stating an IP is known to host malware-INDIRECT EVIDECE
NetFlow-based spike in DNS Traffic-CORROBORATIVE EVIDENCE
A CMS plugin creates two files that are accessible from the Internet myplugin.html and
exploitable.php. A newly discovered exploit takes advantage of an injection vulnerability in
exploitable.php. To exploit the vulnerability, one must send an HTTP POST with specific
variables to exploitable.php. You see traffic to your webserver that consists of only HTTP
GET requests to myplugin.html. Which category best describes this activity
exploitation
Which of the following are core responsibilities of a national CSIRT and CERT
Protect their citizens by providing security vulnerability information, security awareness training, best practices, and other information
Which CVSSv3 Attack Vector metric value requires the attacker to physically touch or
manipulate the vulnerable component?
local
Which two components are included in a 5-tuple?
destination IP address
data packet
Which network device creates and sends the initial packet of a session?
. source
Refer to the exhibit. You notice that the email volume history has been abnormally high.
Which potential result is true?
Several hosts in your network may be compromised
Which goal of data normalization is true?
Reduce data redundancy.
A user on your network receives an email in their mailbox that contains a malicious
attachment. There is no indication that the file was run. Which category as defined in the
Diamond Model of Intrusion does this activity fall under?
delivery
Which CVSSv3 metric value increases when attacks consume network bandwidth,
processor cycles, or disk space?
availability
Which CVSSv3 metric value increases when the attacker is able to modify all files
protected by the vulnerable component
integrity
Which of the following is one of the main goals of data normalization?
To purge redundant data while maintaining data integrity
Which Security Operations Center’s goal is to provide incident handling to a country?
National CSIRT
You have run a suspicious file in a sandbox analysis tool to see what the file does. The
analysis report shows that outbound callouts were made post infection. Which two pieces
of information from the analysis report are needed or required to investigate the callouts?
(Choose two.)
File Size, Host IP address
During which phase of the forensic process is data that is related to a specific event labeled
and recorded to preserve its integrity
Collection
Which option creates a display filter on Wireshark on a host IP address or name?
ip.addr == <addr> or ip.host == <host></host></addr>
Which data element must be protected with regards to PCI?
recent payment amount
Refer to the following packet capture. Which of the following statements is true about this
packet capture?
00:00:04.549138 IP omar.cisco.com.34548 > 93.184.216.34.telnet: Flags [S], seq
3152949738, win 29200,
options [mss 1460,sackOK,TS val 1193148797 ecr 0,nop,wscale 7], length 0
00:00:05.547084 IP omar.cisco.com.34548 > 93.184.216.34.telnet: Flags [S], seq
3152949738, win 29200,
options [mss 1460,sackOK,TS val 1193149047 ecr 0,nop,wscale 7], length 0
00:00:07.551078 IP omar.cisco.com.34548 > 93.184.216.34.telnet: Flags [S], seq
3152949738, win 29200,
options [mss 1460,sackOK,TS val 1193149548 ecr 0,nop,wscale 7], length 0
00:00:11.559081 IP omar.cisco.com.34548 > 93.184.216.34.telnet: Flags [S], seq
3152949738, win 29200,
options [mss 1460,sackOK,TS val 1193150550 ecr 0,nop,wscale 7], length 0
This is a Telnet transaction that is timing out and the server is not responding.
Which statement about threat actors is true?
They are perpetrators of attacks.
Which of the following is one of the main goals of the CSIRT?
To minimize and control the damage associated with incidents, provide guidance for mitigation, and work to prevent future incidents
Which option is generated when a file is run through an algorithm and generates a string
specific to the contents of that file?
hash
Which type of analysis assigns values to scenarios to see what the outcome might be in
each scenario?
deterministic
