The Answer to Everything in the universe Flashcards

1
Q

Which element is part of an incident response plan?

A

organizational approach to incident response

2
Q

Which of the following are examples of some of the responsibilities of a corporate CSIRT and the policies it helps create?

A

Incident classification and handling
Information classification and protection
Information dissemination
Record retention and destruction

3
Q

In Microsoft Windows, as files are deleted the space they were allocated eventually is
considered available for use by other files. This creates alternating used and unused areas
of various sizes. What is this called?

A

Free Space Fragmentation

4
Q

Which identifies both the source and destination location?

A

IP Address

5
Q

You see confidential data being exfiltrated to an IP address that is attributed to a known
Advanced Persistent Threat group. Assume that this is part of a real attack and not a
network misconfiguration. Which category does this event fall under as defined in the
Diamond Model of Intrusion?

A

action on objectives. The Diamond Model's activity threads are laid out along the Cyber Kill Chain phases; data leaving the network for the adversary's infrastructure is the adversary reaching the objective, not reconnaissance.

6
Q

Which type of log is this an example of?

A

Netflow Log

7
Q

Which source provides reports of vulnerabilities in software and hardware to a Security
Operations Center?

A

Internal CSIRT

8
Q

What is accomplished in the identification phase of incident handling?

A

determining that a security event has occurred

9
Q

Which option is a misuse variety per the VERIS enumerations?

A

snooping

10
Q

Drag and drop the element name from the left onto the correct field of the NetFlow v5 record from a security event on the right

A
10.232.38.20 - Destination address
3120 - Destination port
80 - Source port
208.100.26.233 - Source address
60 - Number of packets transmitted
39613 - Bytes transmitted
TCP - Protocol
(A source port of 80 means this record is most likely the server-to-client half of an HTTP session; NetFlow records are unidirectional, so the client-to-server half is a separate flow record.)
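
The NetFlow v5 record above, worked through as an added example (not part of the original deck and not Cisco's exporter code): a parser for the fixed v5 export format that packs the card's values into a datagram, reads them back and pulls out the 5-tuple that identifies the flow. The second record and every header value are constructed test input, not from a real exporter.

```python
import ipaddress
import struct

# NetFlow v5 wire format: a 24-byte header followed by up to 30 fixed 48-byte
# flow records, all fields big-endian.
HEADER_FMT = "!HHIIIIBBH"   # version, count, sys_uptime, unix_secs, unix_nsecs,
                            # flow_sequence, engine_type, engine_id, sampling_interval
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # srcaddr, dstaddr, nexthop, input, output,
                            # dPkts, dOctets, first, last, srcport, dstport, pad1,
                            # tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed input: the record from the card, plus a DNS flow for contrast.
SAMPLE_RECORDS = [
    {"src": "208.100.26.233", "sport": 80, "dst": "10.232.38.20", "dport": 3120,
     "proto": 6, "packets": 60, "bytes": 39613, "tcp_flags": 0x18},
    {"src": "10.232.38.20", "sport": 51234, "dst": "10.232.0.53", "dport": 53,
     "proto": 17, "packets": 1, "bytes": 73},
]


def build_v5_datagram(records):
    """Pack records into a v5 export datagram (a constructed stand-in for a real exporter)."""
    body = b"".join(
        struct.pack(
            RECORD_FMT,
            ipaddress.IPv4Address(r["src"]).packed,
            ipaddress.IPv4Address(r["dst"]).packed,
            b"\x00" * 4,                      # nexthop
            0, 0,                             # input / output SNMP ifIndex
            r["packets"], r["bytes"],
            0, 0,                             # first / last (sysUptime, ms)
            r["sport"], r["dport"],
            0, r.get("tcp_flags", 0), r["proto"], 0,
            0, 0, 0, 0, 0,                    # src_as, dst_as, src_mask, dst_mask, pad2
        )
        for r in records
    )
    header = struct.pack(HEADER_FMT, 5, len(records), 0, 0, 0, 0, 0, 0, 0)
    return header + body


def parse_v5_datagram(data):
    """Return one dict per flow record; refuses other versions and truncated datagrams."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    version, count = struct.unpack_from("!HH", data, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(data) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("header announces more records than the datagram carries")
    flows = []
    for i in range(count):
        fields = struct.unpack_from(RECORD_FMT, data, HEADER_LEN + i * RECORD_LEN)
        (src, dst, _nexthop, _inp, _out, pkts, octets, _first, _last,
         sport, dport, _pad1, tcp_flags, proto, _tos, *_rest) = fields
        flows.append({
            "src": str(ipaddress.IPv4Address(src)), "sport": sport,
            "dst": str(ipaddress.IPv4Address(dst)), "dport": dport,
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "packets": pkts, "bytes": octets, "tcp_flags": tcp_flags,
        })
    return flows


def five_tuple(flow):
    """The 5-tuple that identifies a flow: src IP, src port, dst IP, dst port, protocol."""
    return (flow["src"], flow["sport"], flow["dst"], flow["dport"], flow["proto"])


def parse_sample():
    return parse_v5_datagram(build_v5_datagram(SAMPLE_RECORDS))


if __name__ == "__main__":
    for f in parse_sample():
        print(five_tuple(f), f["packets"], "pkts", f["bytes"], "bytes")
```

A real collector would read the datagram from UDP (port 2055 by convention) and key its flow table on the 5-tuple returned by five_tuple; the version and length checks are the two that matter, since a spoofed or truncated export must not be trusted as a flow record.
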
11
Q

Which regular expression matches both “color” and “colour”?

A

colou?r

12
Q

Refer to the exhibit. Which packet contains a file that is extractable within Wireshark?

A

2317 [TCP Segment]

13
Q

During which phase of the forensic process are tools and techniques used to extract the
relevant information from the collected data?

A

Examination
Explanation (NIST SP 800-86 phases: collection, examination, analysis, reporting): examination forensically processes large amounts of collected data using a combination of automated tools and manual methods to assess and extract the data of particular interest, while preserving its integrity. The tools and techniques chosen must be appropriate to the types of data that were collected.

14
Q

You receive an alert for malicious code that exploits Internet Explorer and runs arbitrary
code on the site visitor's machine. The malicious code is on an external site that is being
visited by hosts on your network. Which user agent in the HTTP headers in the requests
from your internal hosts warrants further investigation?

A

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)
(the only Internet Explorer user agent: the MSIE and Trident tokens identify IE 10 on Windows 8, so those hosts are the ones exposed to the exploit)

15
Q

Refer to the exhibit. Which application protocol is in this PCAP file?

A

The exhibit is not reproduced here. TCP is a transport-layer protocol, not an application protocol, so "TCP" cannot be the answer: read the application protocol from the highest-layer dissector Wireshark shows in the Protocol column (for example HTTP, DNS or TLS), or from the well-known port and the payload of the TCP stream.

16
Q

Which information must be left out of a final incident report?

A

server hardware configurations

17
Q

What mechanism does the Linux operating system provide to control access to files?

A

file permissions

18
Q

Which element can be used by a threat actor to discover a possible opening into a target
network and can also be used by an analyst to determine the protocol of the malicious
traffic?

A

Ports

19
Q

An organization has recently adjusted its security stance in response to online threats
made by a known hacktivist group. Which term defines the initial event in NIST SP 800-61 r2?

A

precursor (NIST SP 800-61 r2 defines a precursor as a sign that an incident may occur in the future and gives a threat from a group stating that it will attack the organization as an example; an indicator, by contrast, is a sign that an incident may have occurred or is occurring now)

20
Q

Which of the following is an example of a managed security offering where incident
response experts monitor and respond to security alerts in a security operations center
(SOC)?

A

Cisco’s Active Threat Analytics (ATA)

21
Q

Which process is being utilized when IPS events are removed to improve data integrity?

A

data normalization (removing duplicate or redundant IPS events so that the remaining data is consistent; compare the normalization goals in cards 63 and 67)

22
Q

Which stakeholder group is responsible for containment, eradication, and recovery in
incident handling?

A

facilitators

23
Q

Which of the following can be identified by correlating DNS intelligence and other security
events?

A

Communication to CnC servers

Malicious domains based on reputation

24
Q

Which CVSSv3 metric captures the level of access that is required for a successful attack?

A

privileges required

25
Q

Refer to the exhibit. What can be determined from this ping result?

A

The Cisco.com website is responding with an internal IP

26
Q

Which of the following is not a metadata feature of the Diamond Model?

A

Devices

27
Q

We have performed a malware detection on the Cisco website. Which statement about the
result is true?

A

The website has been marked benign on all 68 checks

28
Q

Which of the following steps in the kill chain would come before the others?

A

Delivery

29
Q

Refer to the Exhibit. A customer reports that they cannot access your organization’s
website. Which option is a possible reason that the customer cannot access the website?

A

A vulnerability scanner has shown that 10.67.10.5 has been compromised.

30
Q

Which option has a drastic impact on network traffic because it can cause legitimate traffic
to be blocked?

A

false positive

31
Q

What information from HTTP logs can be used to find a threat actor?

A

user-agent

32
Q

Which option filters a LibPCAP capture that used a host as a gateway?

A

gateway <host> (pcap-filter syntax: gateway host, where host must be a name that resolves both to an IP address and, via /etc/ethers, to a MAC address, because the filter matches packets whose Ethernet address is the host's while the IP addresses are someone else's)

33
Q

From a security perspective, why is it important to employ a clock synchronization protocol
on a network?

A

so that log files and events from different devices can be correlated (timestamps only line up across systems if their clocks agree, which is what NTP provides)

34
Q

Which option allows a file to be extracted from a TCP stream within Wireshark?

A

File > Export Objects

35
Q

Which feature is used to find possible vulnerable services running on a server?

A

listening ports

36
Q

Which two HTTP header fields relate to intrusion analysis?

A

Host, User-Agent (Host names the virtual host or domain the client asked for, User-Agent fingerprints the client software, as in cards 14 and 31; Connection is only a keep-alive control header)

37
Q

What is the correct order of the NIST SP 800-61 r2 incident handling phases?

A
  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication and Recovery
  4. Post-Incident Activity
38
Q

In the context of incident handling phases, which two activities fall under scoping? (Choose
two.)

A
  • determining what and how much data may have been affected
  • identifying the attackers that are associated with a security incident

39
Q

Which of the following is an example of a coordination center?

A

CERT division of the Software Engineering Institute (SEI)

40
Q

You see 100 HTTP GET and POST requests for various pages on one of your webservers.
The user agent in the requests contains PHP code that, if executed, creates and writes to a
new PHP file on the webserver. Which category does this event fall under as defined in the
Diamond Model of Intrusion?

A

delivery. The requests are the adversary transmitting the payload to the target; nothing shows the code being executed (exploitation) or the new file being written (installation), so, like the unopened attachment in card 64, the activity is still at the delivery phase.
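
The User-Agent clues from cards 14, 31 and 40, turned into one added detection example (not from the deck): a parser for combined-format web logs that flags internal hosts browsing with Internet Explorer (the MSIE/Trident tokens) and external clients whose User-Agent carries PHP code. The log lines, hosts and paths are constructed for the example; the combined log format carries no Host header, so only User-Agent is inspected here.

```python
import re
from collections import defaultdict

# Constructed combined-format log lines (not from the page): the first three are a
# proxy's view of internal hosts visiting the external site, the last two are a
# webserver's view of requests carrying PHP in the User-Agent.
SAMPLE_LOG = """\
10.1.1.25 - - [10/Oct/2023:13:55:36 +0000] "GET http://external.example/landing.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"
10.1.1.26 - - [10/Oct/2023:13:55:37 +0000] "GET http://external.example/landing.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0 Safari/537.36"
10.1.1.27 - - [10/Oct/2023:13:55:38 +0000] "GET http://external.example/landing.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
203.0.113.9 - - [10/Oct/2023:14:02:11 +0000] "GET /index.php HTTP/1.1" 200 2210 "-" "<?php file_put_contents('x.php', '<?php system($_GET[c]); ?>'); ?>"
203.0.113.9 - - [10/Oct/2023:14:02:12 +0000] "POST /wp-login.php HTTP/1.1" 200 2210 "-" "<?php file_put_contents('x.php', '<?php system($_GET[c]); ?>'); ?>"
"""

# Apache/nginx "combined" format: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Internet Explorer identifies itself with an MSIE token (IE <= 10) or a Trident engine token (IE 8-11).
IE_RE = re.compile(r"MSIE \d+\.\d+|Trident/\d+\.\d+")
# Server-side code in a User-Agent: a PHP open tag or file-writing / execution calls.
PHP_UA_RE = re.compile(
    r"<\?php|\b(?:file_put_contents|fwrite|fopen|eval|system|exec|passthru)\s*\(",
    re.IGNORECASE,
)


def parse_log(text):
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def classify(entry):
    """Tags that fire on one request's User-Agent."""
    tags = set()
    if IE_RE.search(entry["ua"]):
        tags.add("ie-browser")
    if PHP_UA_RE.search(entry["ua"]):
        tags.add("php-in-user-agent")
    return tags


def triage(text):
    """Per flagged client: request count, tags that fired and the targets touched."""
    report = defaultdict(lambda: {"requests": 0, "tags": set(), "targets": set()})
    for entry in parse_log(text):
        tags = classify(entry)
        if not tags:
            continue
        rec = report[entry["client"]]
        rec["requests"] += 1
        rec["tags"] |= tags
        rec["targets"].add(entry["target"])
    return dict(report)


if __name__ == "__main__":
    for client, rec in sorted(triage(SAMPLE_LOG).items()):
        print(client, rec["requests"], sorted(rec["tags"]), sorted(rec["targets"]))
```

The IE tag is a pivot, not a verdict: it narrows the alert to the hosts that could have been exploited, which then need endpoint evidence. The PHP tag is different in kind, since no legitimate client sends code in its User-Agent, so a hit there is itself the indicator to investigate.
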

41
Q

Which data type is protected under the PCI compliance framework?

A

primary account number (PAN). PCI DSS defines cardholder data as the PAN together with the cardholder name, expiration date and service code; the card brand or type by itself is not a protected element.

42
Q

Which kind of evidence can be considered most reliable to arrive at an analytical assertion?

A

direct

43
Q

Which two options can be used by a threat actor to determine the role of a server? (Choose
two.)

A

running processes

applications

44
Q

Refer to the exhibit. Which type of log is this an example of?

A

NetFlow log

45
Q

Which type of analysis allows you to see how likely an exploit could affect your network?

A

probabilistic

46
Q

Which of the following are not components of the 5-tuple of a flow in NetFlow? (Select all
that apply.)

A

Flow record ID

Gateway

47
Q

Which of the following has been used to evade IDS and IPS devices?

A

Fragmentation

48
Q

Which of the following is typically a responsibility of a PSIRT?

A

Disclose vulnerabilities in the organization’s products and services

49
Q
Which of the following are the three metrics, or "scores," of the Common Vulnerability
Scoring System (CVSS)? (Select all that apply.)
A

Base score
Environmental score
Temporal score

50
Q

Which element is included in an incident response plan?

A

organization mission

51
Q

Which component of the NIST SP800-61 r2 incident handling strategy reviews data?

A

detection and analysis

52
Q

Which string matches the regular expression r(ege)+x?

A

regex (also regeegex, regeegeegex and so on: the + quantifier requires one or more repetitions of the group "ege" between r and x, so "rx" does not match; "rx" would match r(ege)*x, where * allows zero repetitions)
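
Both regex cards (11 and 52), checked in code as an added example that is not part of the deck: fullmatch answers the flashcard question, search answers the grep-style question an analyst actually asks of logs, and the difference between ?, + and * is what decides the two cards. The sample text is constructed.

```python
import re

# Constructed log-style text used as input; not from the page.
SAMPLE_TEXT = """\
theme color=#ff0000
user set colour to blue
colourful banner loaded
regex engine initialised
regeegex is also accepted
rx is not
"""


def full_matches(pattern, candidates):
    """Strings the pattern matches in full (what a flashcard 'matches' question means)."""
    return [s for s in candidates if re.fullmatch(pattern, s)]


def grep(pattern, text):
    """Lines where the pattern occurs anywhere, like grep -E; 'colourful' is hit too."""
    compiled = re.compile(pattern)
    return [line for line in text.splitlines() if compiled.search(line)]


def grep_word(pattern, text):
    """Same, but bounded to whole words so 'colourful' no longer matches."""
    compiled = re.compile(r"\b(?:" + pattern + r")\b")
    return [line for line in text.splitlines() if compiled.search(line)]


if __name__ == "__main__":
    # ? : zero or one 'u'
    print(full_matches("colou?r", ["color", "colour", "colouur", "colr"]))
    # + : one or more 'ege', so the bare 'rx' fails
    print(full_matches("r(ege)+x", ["rx", "regex", "regeegex", "regegex"]))
    # * : zero or more 'ege', so 'rx' now passes
    print(full_matches("r(ege)*x", ["rx", "regex"]))
    print(grep("colou?r", SAMPLE_TEXT))
    print(grep_word("colou?r", SAMPLE_TEXT))
```

When a pattern from a flashcard is dropped into a SIEM or grep, it is searched, not full-matched; the grep_word variant shows the anchoring you add so that a pattern meant for "colour" does not also fire on every "colourful".
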

53
Q

assets of an organization. Which option contains the elements that every event is
comprised of according to the VERIS incident model?

A

actors, actions, assets, attributes (the VERIS "A4" model: which actors took which actions against which assets, affecting which security attributes)

54
Q

Which description of a retrospective malware detection is true?

A

You use historical information from one or more sources to identify the affected host or file.

55
Q

Which of the following is not an example of weaponization?

A

Connecting to a command and control server

56
Q

Drag and drop the type of evidence from the left onto the correct description(s) of that
evidence on the right.

A

log that shows a command and control check-in from verified malware - DIRECT EVIDENCE

firewall log showing successful communication and threat intelligence stating an IP is known to host malware - INDIRECT (CIRCUMSTANTIAL) EVIDENCE

NetFlow-based spike in DNS traffic - CORROBORATIVE EVIDENCE

57
Q

A CMS plugin creates two files that are accessible from the Internet myplugin.html and
exploitable.php. A newly discovered exploit takes advantage of an injection vulnerability in
exploitable.php. To exploit the vulnerability, one must send an HTTP POST with specific
variables to exploitable.php. You see traffic to your webserver that consists of only HTTP
GET requests to myplugin.html. Which category best describes this activity?

A

reconnaissance. The requests only confirm whether the plugin is installed; the exploit needs an HTTP POST with specific variables to exploitable.php, and no such request is seen, so this is the attacker surveying the target rather than exploiting it.

58
Q

Which of the following are core responsibilities of a national CSIRT and CERT?

A

Protect their citizens by providing security vulnerability information, security awareness training, best practices, and other information

59
Q

Which CVSSv3 Attack Vector metric value requires the attacker to physically touch or
manipulate the vulnerable component?

A

physical (the attacker must physically touch or manipulate the component, for example by attaching a peripheral; local covers attacks made through a local shell, login or user interaction and does not require physical access)

60
Q

Which two components are included in a 5-tuple?

A

destination IP address

protocol

(the 5-tuple is source IP, source port, destination IP, destination port and protocol; the data packet itself is not one of its components)

61
Q

Which network device creates and sends the initial packet of a session?

A

source

62
Q

Refer to the exhibit. You notice that the email volume history has been abnormally high.
Which potential result is true?

A

Several hosts in your network may be compromised

63
Q

Which goal of data normalization is true?

A

Reduce data redundancy.

64
Q

A user on your network receives an email in their mailbox that contains a malicious
attachment. There is no indication that the file was run. Which category as defined in the
Diamond Model of Intrusion does this activity fall under?

A

delivery

65
Q

Which CVSSv3 metric value increases when attacks consume network bandwidth,
processor cycles, or disk space?

A

availability

66
Q

Which CVSSv3 metric value increases when the attacker is able to modify all files
protected by the vulnerable component?

A

integrity

67
Q

Which of the following is one of the main goals of data normalization?

A

To purge redundant data while maintaining data integrity

68
Q

Which Security Operations Center’s goal is to provide incident handling to a country?

A

National CSIRT

69
Q

You have run a suspicious file in a sandbox analysis tool to see what the file does. The
analysis report shows that outbound callouts were made post infection. Which two pieces
of information from the analysis report are needed or required to investigate the callouts?
(Choose two.)

A

domain names and host IP addresses of the callout destinations (the file size says nothing about where the sample called out to)

70
Q

During which phase of the forensic process is data that is related to a specific event labeled
and recorded to preserve its integrity?

A

Collection

71
Q

Which option creates a display filter on Wireshark on a host IP address or name?

A

ip.addr == <addr> or ip.host == <host>

72
Q

Which data element must be protected with regards to PCI?

A

cardholder name (full name). PCI DSS cardholder data is the PAN plus cardholder name, expiration date and service code, with sensitive authentication data handled even more strictly; the amount of a recent payment is not a protected element.

73
Q

Refer to the following packet capture. Which of the following statements is true about this
packet capture?
00:00:04.549138 IP omar.cisco.com.34548 > 93.184.216.34.telnet: Flags [S], seq 3152949738, win 29200, options [mss 1460,sackOK,TS val 1193148797 ecr 0,nop,wscale 7], length 0
00:00:05.547084 IP omar.cisco.com.34548 > 93.184.216.34.telnet: Flags [S], seq 3152949738, win 29200, options [mss 1460,sackOK,TS val 1193149047 ecr 0,nop,wscale 7], length 0
00:00:07.551078 IP omar.cisco.com.34548 > 93.184.216.34.telnet: Flags [S], seq 3152949738, win 29200, options [mss 1460,sackOK,TS val 1193149548 ecr 0,nop,wscale 7], length 0
00:00:11.559081 IP omar.cisco.com.34548 > 93.184.216.34.telnet: Flags [S], seq 3152949738, win 29200, options [mss 1460,sackOK,TS val 1193150550 ecr 0,nop,wscale 7], length 0

A

This is a Telnet connection attempt that is timing out and the server is not responding: the client retransmits the same SYN (seq 3152949738, Flags [S]) four times with a doubling backoff of roughly 1, 2 and 4 seconds, and no SYN-ACK ever comes back from 93.184.216.34 on the telnet port.
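
The capture above, checked programmatically as an added example (not from the deck): a small parser for tcpdump's text output that groups bare SYNs by 4-tuple, measures the retransmission backoff and reports whether anything ever came back from the server. The four Telnet lines are the card's own; the answered HTTP handshake used for contrast is constructed.

```python
import re
from collections import defaultdict

# The four tcpdump lines from the card above (copied from the page).
SAMPLE_CAPTURE = """\
00:00:04.549138 IP omar.cisco.com.34548 > 93.184.216.34.telnet: Flags [S], seq 3152949738, win 29200, options [mss 1460,sackOK,TS val 1193148797 ecr 0,nop,wscale 7], length 0
00:00:05.547084 IP omar.cisco.com.34548 > 93.184.216.34.telnet: Flags [S], seq 3152949738, win 29200, options [mss 1460,sackOK,TS val 1193149047 ecr 0,nop,wscale 7], length 0
00:00:07.551078 IP omar.cisco.com.34548 > 93.184.216.34.telnet: Flags [S], seq 3152949738, win 29200, options [mss 1460,sackOK,TS val 1193149548 ecr 0,nop,wscale 7], length 0
00:00:11.559081 IP omar.cisco.com.34548 > 93.184.216.34.telnet: Flags [S], seq 3152949738, win 29200, options [mss 1460,sackOK,TS val 1193150550 ecr 0,nop,wscale 7], length 0
"""

# Constructed contrast case: a SYN that is answered with a SYN-ACK.
SAMPLE_ANSWERED = """\
00:00:01.000000 IP omar.cisco.com.40000 > 93.184.216.34.http: Flags [S], seq 1, win 29200, options [mss 1460], length 0
00:00:01.020000 IP 93.184.216.34.http > omar.cisco.com.40000: Flags [S.], seq 2, ack 2, win 65535, options [mss 1460], length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>\w+) > "
    r"(?P<dst>\S+)\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+))?"
)


def parse_tcpdump(text):
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hours, minutes, seconds = m["ts"].split(":")
        pkts.append({
            "t": int(hours) * 3600 + int(minutes) * 60 + float(seconds),
            "src": m["src"], "sport": m["sport"], "dst": m["dst"], "dport": m["dport"],
            "flags": m["flags"], "seq": m["seq"],
        })
    return pkts


def find_unanswered_syns(pkts):
    """Group bare SYNs by 4-tuple and check whether the other side ever sent anything back."""
    directions = {(p["src"], p["sport"], p["dst"], p["dport"]) for p in pkts}
    syns = defaultdict(list)
    for p in pkts:
        if p["flags"] == "S":            # SYN only; a SYN-ACK shows up as "S."
            syns[(p["src"], p["sport"], p["dst"], p["dport"])].append(p)
    findings = []
    for (src, sport, dst, dport), attempts in syns.items():
        times = [a["t"] for a in attempts]
        findings.append({
            "client": f"{src}:{sport}",
            "server": f"{dst}:{dport}",
            "syn_count": len(attempts),
            "same_seq": len({a["seq"] for a in attempts}) == 1,   # retransmissions reuse the ISN
            "replied": (dst, dport, src, sport) in directions,
            "backoff": [round(b - a, 2) for a, b in zip(times, times[1:])],
        })
    return findings


def analyze(text):
    return find_unanswered_syns(parse_tcpdump(text))


if __name__ == "__main__":
    for f in analyze(SAMPLE_CAPTURE) + analyze(SAMPLE_ANSWERED):
        state = "answered" if f["replied"] else "no reply"
        print(f"{f['client']} -> {f['server']}: {f['syn_count']} SYNs, backoff {f['backoff']}s, {state}")
```

The same sequence number across all four packets is what distinguishes a retransmitting client from a SYN scan, which would send fresh SYNs from new source ports; the doubling backoff is the kernel's retransmission timer, and the absence of any packet in the reverse direction is the evidence that the server (or a firewall in front of it) is silently dropping the request.
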

74
Q

Which statement about threat actors is true?

A

They are perpetrators of attacks.

75
Q

Which of the following is one of the main goals of the CSIRT?

A

To minimize and control the damage associated with incidents, provide guidance for mitigation, and work to prevent future incidents

76
Q

Which option is generated when a file is run through an algorithm and generates a string
specific to the contents of that file?

A

hash

77
Q

Which type of analysis assigns values to scenarios to see what the outcome might be in
each scenario?

A

deterministic