The Answer to Everything in the universe Flashcards
Which element is part of an incident response plan?
organizational approach to incident response
Which of the following are examples of some of the responsibilities of a corporate CSIRT and the policies it helps create?
Incident classification and handling
Information classification and protection
Information dissemination
Record retention and destruction
In Microsoft Windows, as files are deleted the space they were allocated eventually is
considered available for use by other files. This creates alternating used and unused areas
of various sizes. What is this called?
Free Space Fragmentation
Which identifies both the source and destination location?
IP Address
You see confidential data being exfiltrated to an IP address that is attributed to a known
Advanced Persistent Threat group. Assume that this is part of a real attack and not a
network misconfiguration. Which category does this event fall under as defined in the
Diamond Model of Intrusion?
Infrastructure. The Diamond Model's four core features are adversary, infrastructure, capability and victim; an IP address the adversary uses to receive exfiltrated data is part of the adversary's infrastructure. Reconnaissance is a phase of the Cyber Kill Chain, not a Diamond Model feature.
Which type of log is this an example of?
NetFlow log
Which source provides reports of vulnerabilities in software and hardware to a Security
Operations Center?
Internal CSIRT
What is accomplished in the identification phase of incident handling?
determining that a security event has occurred
Which option is a misuse variety per the VERIS enumerations?
snooping
Drag and drop the element name from the left onto the correct field of the NetFlow v5 record from a security event on the right
10.232.38.20 - Destination address
3120 - Destination port
80 - Source port
208.100.26.233 - Source address
60 - Number of packets transmitted
39613 - Bytes transmitted
TCP - Protocol
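The fields above are the ones an analyst reads out of a v5 flow record. The following is an added example, not part of the original flashcard set: it packs the card's values into a NetFlow v5 datagram using Cisco's documented fixed layout (24-byte header, 48-byte records, big-endian) and parses it back, checking the version and the record count before trusting the body. The export timestamp, TCP flag value and the helper names are assumptions made for the example.

```python
import socket
import struct
from typing import Dict, List

# NetFlow v5 export format: a 24-byte header followed by up to 30 fixed 48-byte
# flow records, all fields big-endian.
V5_HEADER = struct.Struct(">HHIIIIBBH")
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample flow using the values from the drag-and-drop card above
# (TCP flags PSH|ACK are an assumption; the card does not give them).
SAMPLE_FLOW = {
    "src_addr": "208.100.26.233", "src_port": 80,
    "dst_addr": "10.232.38.20", "dst_port": 3120,
    "packets": 60, "bytes": 39613, "protocol": 6, "tcp_flags": 0x18,
}


def build_v5_datagram(flows: List[dict], unix_secs: int = 1_700_000_000) -> bytes:
    """Encode flows as a NetFlow v5 datagram (used here only to make offline sample input)."""
    header = V5_HEADER.pack(5, len(flows), 0, unix_secs, 0, 0, 0, 0, 0)
    records = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(f["src_addr"]), socket.inet_aton(f["dst_addr"]),
            socket.inet_aton("0.0.0.0"),                  # next hop
            0, 0,                                         # input / output SNMP ifIndex
            f["packets"], f["bytes"],
            0, 0,                                         # sysUptime at first / last packet
            f["src_port"], f["dst_port"],
            0, f.get("tcp_flags", 0), f["protocol"], 0,   # pad, TCP flags, protocol, ToS
            0, 0, 0, 0, 0)                                # src/dst AS, src/dst mask, pad
        for f in flows)
    return header + records


def parse_v5_datagram(data: bytes) -> List[Dict]:
    """Decode a NetFlow v5 datagram into one dict per flow record."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _uptime, unix_secs, *_ = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(data) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("header advertises more records than the datagram carries")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _ifin, _ifout, pkts, octets, _first, _last,
         sport, dport, _pad, flags, proto, _tos, *_rest) = V5_RECORD.unpack_from(
            data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src_addr": socket.inet_ntoa(src), "src_port": sport,
            "dst_addr": socket.inet_ntoa(dst), "dst_port": dport,
            "packets": pkts, "bytes": octets,
            "protocol": PROTO_NAMES.get(proto, str(proto)),
            "tcp_flags": flags, "export_time": unix_secs,
        })
    return flows


if __name__ == "__main__":
    for flow in parse_v5_datagram(build_v5_datagram([SAMPLE_FLOW])):
        print(flow)
```

Note that the source port 80 on 208.100.26.233 marks this as the server-to-client half of the conversation; a v5 exporter emits the two directions as separate records, so pair them by address and port before judging byte counts.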
Which regular expression matches both "color" and "colour"?
colou?r
Refer to the exhibit. Which packet contains a file that is extractable within Wireshark?
2317 [TCP Segment]
During which phase of the forensic process are tools and techniques used to extract the
relevant information from the collected data?
Examination
Explanation (from NIST SP 800-86): examination forensically processes large amounts of collected data, using a combination of automated tools and manual methods, to assess and extract data of particular interest while preserving the integrity of the data. Forensic tools and techniques appropriate to the types of data collected are run to identify and extract the relevant information; interpreting that information is the job of the analysis phase that follows.
You receive an alert for malicious code that exploits Internet Explorer and runs arbitrary
code on the site visitor's machine. The malicious code is on an external site that is being
visited by hosts on your network. Which user agent in the HTTP headers in the requests
from your internal hosts warrants further investigation?
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)
The MSIE and Trident tokens identify Internet Explorer and its rendering engine, so this is the client the exploit targets. A User-Agent is supplied by the client and can be spoofed, so it narrows the hosts to examine rather than proving exploitation.
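Triage of this alert usually means pulling proxy logs and listing which internal hosts fetched the external page with an Internet Explorer User-Agent. The block below is an added example, not part of the original flashcards: it runs that check over constructed proxy log lines (the hostname promo-download.example, the client addresses and the timestamps are all made up). It handles the edge case that IE 11 dropped the MSIE token and identifies itself only by Trident/7.0 and rv:11.0.

```python
import re
from typing import List, Optional, Tuple

# Constructed proxy access log (combined format with absolute URLs, as a forward
# proxy logs them). Hostnames, clients and timestamps are invented for this example.
SAMPLE_LOG = """\
10.1.4.22 - - [12/Mar/2024:10:14:03 +0000] "GET http://promo-download.example/landing.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"
10.1.4.23 - - [12/Mar/2024:10:14:05 +0000] "GET http://promo-download.example/landing.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
10.1.4.24 - - [12/Mar/2024:10:14:09 +0000] "GET http://promo-download.example/landing.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.1.4.25 - - [12/Mar/2024:10:14:12 +0000] "GET http://intranet.corp.example/index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
10.1.4.26 - - [12/Mar/2024:10:14:20 +0000] "GET http://promo-download.example/landing.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3 Safari/605.1.15"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
MSIE_RE = re.compile(r"\bMSIE (\d+)\.\d+")
TRIDENT_RE = re.compile(r"\bTrident/(\d+)\.\d+")
RV_RE = re.compile(r"\brv:(\d+)\.\d+")
HOST_RE = re.compile(r"^https?://([^/:]+)")


def internet_explorer_version(user_agent: str) -> Optional[int]:
    """Return the IE major version a User-Agent claims, or None if it is not IE."""
    m = MSIE_RE.search(user_agent)
    if m:
        return int(m.group(1))
    # IE 11 dropped the MSIE token: only Trident/7.0 plus rv:11.0 identify it.
    if TRIDENT_RE.search(user_agent):
        m = RV_RE.search(user_agent)
        if m:
            return int(m.group(1))
    return None


def flag_ie_requests(log_text: str, suspicious_host: str) -> List[Tuple[str, int]]:
    """List (client, ie_version) for requests to suspicious_host made with an IE User-Agent."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of guessing at fields
        host = HOST_RE.match(m["url"])
        if not host or host.group(1).lower() != suspicious_host.lower():
            continue
        version = internet_explorer_version(m["ua"])
        if version is not None:
            hits.append((m["client"], version))
    return hits


if __name__ == "__main__":
    for client, version in flag_ie_requests(SAMPLE_LOG, "promo-download.example"):
        print(f"{client} fetched the page with Internet Explorer {version}")
```

Only 10.1.4.22 (IE 10) and 10.1.4.24 (IE 11) come out of the sample; the IE 9 request went to an internal host, and the Chrome and Safari clients are not the exploit's target. Pull endpoint telemetry for the flagged hosts next, since the User-Agent alone does not show whether the exploit succeeded.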
Refer to the exhibit. Which application protocol is in this PCAP file?
Read the Protocol column, but note that TCP itself is a transport-layer protocol, not an application protocol. The application protocol is the one carried on top of TCP, which Wireshark identifies from the server port and its dissection of the payload (for example HTTP on port 80 or SSH on port 22).
Which information must be left out of a final incident report?
server hardware configurations
What mechanism does the Linux operating system provide to control access to files?
file permissions
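Linux file permissions are the mode bits on each inode: owner, group and other rwx bits plus the setuid, setgid and sticky bits. The block below is an added example, not part of the original flashcards: it decodes a mode value into the pieces an analyst checks and walks a directory for files that are world-writable or carry a set-id bit. The sample files and their modes are constructed in a temporary directory for the example.

```python
import os
import stat
import tempfile
from typing import Dict, List


def describe_mode(st_mode: int) -> Dict[str, object]:
    """Break a st_mode value into the fields that matter for an access review."""
    perm = stat.S_IMODE(st_mode)  # strip the file-type bits, keep the 12 permission bits
    return {
        "octal": f"{perm:04o}",
        "symbolic": stat.filemode(st_mode),  # ls -l style, e.g. -rwsr-xr-x
        "setuid": bool(perm & stat.S_ISUID),
        "setgid": bool(perm & stat.S_ISGID),
        "sticky": bool(perm & stat.S_ISVTX),
        "world_writable": bool(perm & stat.S_IWOTH),
        "world_readable": bool(perm & stat.S_IROTH),
    }


def audit_directory(root: str) -> Dict[str, List[str]]:
    """Map relative path -> reasons for every regular file with a risky bit set."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)          # lstat: do not follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue
            info = describe_mode(st.st_mode)
            reasons = [k for k in ("world_writable", "setuid", "setgid") if info[k]]
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


def build_sample_tree() -> str:
    """Create constructed sample files with deliberate modes (chmod ignores the umask)."""
    root = tempfile.mkdtemp(prefix="perm-demo-")
    samples = {"app.conf": 0o640, "dropper.sh": 0o777, "report.txt": 0o644}
    for name, mode in samples.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for name in sorted(os.listdir(root)):
        print(name, describe_mode(os.stat(os.path.join(root, name)).st_mode))
    print("risky:", audit_directory(root))
```

On the sample tree only dropper.sh is reported (world-writable); app.conf at 0640 is readable by owner and group only. Mode bits are the discretionary layer; ACLs (getfacl), mount options such as nosuid, and mandatory controls like SELinux can further restrict what the bits appear to allow.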
Which element can be used by a threat actor to discover a possible opening into a target
network and can also be used by an analyst to determine the protocol of the malicious
traffic?
Ports
An organization has recently adjusted its security stance in response to online threats
made by a known hacktivist group. Which term defines the initial event in NIST SP 800-61 r2?
Precursor. NIST SP 800-61 r2 defines a precursor as a sign that an incident may occur in the future, and its own example is a threat from a group stating that it will attack the organization. An indicator, by contrast, is a sign that an incident may have occurred or is occurring now; "trigger" is not a term the document defines.
Which of the following is an example of a managed security offering where incident
response experts monitor and respond to security alerts in a security operations center
(SOC)?
Cisco’s Active Threat Analytics (ATA)
Which process is being utilized when IPS events are removed to improve data integrity?
data availability
Which stakeholder group is responsible for containment, eradication, and recovery in
incident handling?
facilitators
Which of the following can be identified by correlating DNS intelligence and other security
events?
Communication to CnC servers
Malicious domains based on reputation
Which CVSSv3 metric captures the level of access that is required for a successful attack?
privileges required
Refer to the exhibit. What can be determined from this ping result?
The Cisco.com website is responding with an internal IP
Which of the following is not a metadata feature of the Diamond Model?
Devices
We have performed a malware detection on the Cisco website. Which statement about the
result is true?
The website has been marked benign on all 68 checks
Which of the following steps in the kill chain would come before the others?
Delivery
Refer to the Exhibit. A customer reports that they cannot access your organization’s
website. Which option is a possible reason that the customer cannot access the website?
A vulnerability scanner has shown that 10.67.10.5 has been compromised.
Which option has a drastic impact on network traffic because it can cause legitimate traffic
to be blocked?
false positive