The Answer to Everything in the universe

Question 1

Which element is part of an incident response plan?

Answer 1

organizational approach to incident response

Question 2

Which of the following are examples of some of the responsibilities of a corporate CSIRT and the policies it helps create?

Answer 2

Incident classification and handling
Information classification and protection
Information dissemination
Record retentions and desctruction

Question 3

In Microsoft Windows, as files are deleted the space they were allocated eventually is
considered available for use by other files. This creates alternating used and unused areas
of various sizes. What is this called?

Answer 3

Free Space Fragmentation

Question 4

Which identifies both the source and destination location?

Answer 4

IP Address

Question 5

You see confidential data being exfiltrated to an IP address that is attributed to a known
Advanced Persistent Threat group. Assume that this is part of a real attach and not a
network misconfiguration. Which category does this event fall under as defined in the
Diamond Model of Intrusion

Answer 5

reconnaissance

Question 6

Which type of log is this an example of?

Answer 6

Netflow Log

Question 7

Which source provides reports of vulnerabilities in software and hardware to a Security
Operations Center

Answer 7

Internal CSIRT

Question 8

What is accomplished in the identification phase of incident handling

Answer 8

determining that a security event has occurred

Question 9

Which option is a misuse variety per VERIS enumerations

Answer 9

snooping

Question 10

Drag and Drop the element name from the left unto the correct piece of the Netflow v5 from a security event on the right

Answer 10

10.232.38.20 - Dest Address
3120 - Dest Port
80 - Source port
208.100.26.233 - Source Add
60 - Number of packets transmitted 
39613-bytes transmitted
TCP - protocol

Question 11

Which regular expression matches “color” and “colour”

Answer 11

colou?r

Question 12

Refer to the exhibit. Which packet contains a file that is extractable within Wireshark

Answer 12

2317 [TCP Segment]

Question 13

During which phase of the forensic process are tools and techniques used to extract the
relevant information from the collective data

Answer 13

Examination
Explanation: Examinations involve forensically processing large amounts of collected data using a combination of automated and manual methods to assess and extract data of particular interest, while preserving the integrity of the data. Forensic tools and techniques appropriate to the types of data that were collected are executed to identify and extract the relevant information from the collected data while protecting its integrity. Examination may use a combination of automated tools and manual processes.

Question 14

You receive an alert for malicious code that exploits Internet Explorer and runs arbitrary
code on the site visitor machine. The malicous code is on an external site that is being
visited by hosts on your network. Which user agent in the HTTP headers in the requests
from your internal hosts warrants further investigation?

Answer 14

Mozilla/5.0 (compatible, MSIE 10.0, Windows NT 6.2, Trident 6.0)

Question 15

Refer to the exhibit. Which application protocol is in this PCAP file?

Answer 15

TCP. Just look at the protocol

Question 16

Which information must be left out of a final incident report?

Answer 16

server hardware configurations

Question 17

What mechanism does the Linux operating system provide to control access to files?

Answer 17

file permissions

Question 18

Which element can be used by a threat actor to discover a possible opening into a target
network and can also be used by an analyst to determine the protocol of the malicious
traffic?

Answer 18

Ports

Question 19

An organization has recently adjusted its security stance in response to online threats
made by a known hacktivist group. Which term defines the initial event in the NIST SP800-
61 r2?

Answer 19

Trigger

Question 20

Which of the following is an example of a managed security offering where incident
response experts monitor and respond to security alerts in a security operations center
(SOC)?

Answer 20

Cisco’s Active Threat Analytics (ATA)

Question 21

Which process is being utilized when IPS events are removed to improve data integrity

Answer 21

data availability

Question 22

Which stakeholder group is responsible for containment, eradication, and recovery in
incident handling

Answer 22

facilitators

Question 23

Which of the following can be identified by correlating DNS intelligence and other security
events?

Answer 23

Communication to CnC servers

Malicious domains based on reputation

Question 24

Which CVSSv3 metric captures the level of access that is required for a successful attack?

Answer 24

privileges required

Question 25

Refer to the exhibit. What can be determined from this ping result

Answer 25

The Cisco.com website is responding with an internal IP

Question 26

Which of the following is not a metadata feature of the Diamond Model?

Answer 26

Devices

Question 27

We have performed a malware detection on the Cisco website. Which statement about the
result is true

Answer 27

The website has been marked benign on all 68 checks

Question 28

Which of the following steps in the kill chain would come before the others?

Answer 28

Delivery

Question 29

Refer to the Exhibit. A customer reports that they cannot access your organization’s
website. Which option is a possible reason that the customer cannot access the website?

Answer 29

A vulnerability scanner has shown that 10.67.10.5 has been compromised.

Question 30

Which option has a drastic impact on network traffic because it can cause legitimate traffic
to be blocked

Answer 30

false positive

Question 31

What information from HTTP logs can be used to find a threat actor?

Answer 31

user-agent

Question 32

Which option filters a LibPCAP capture that used a host as a gateway?

Answer 32

gateway host <host></host>

Question 33

From a security perspective, why is it important to employ a clock synchronization protocol
on a network?

Answer 33

A. so that everyone knows the local time

Question 34

Which option allows a file to be extracted from a TCP stream within Wireshark?

Answer 34

File > Export Objects

Question 35

Which feature is used to find possible vulnerable services running on a server

Answer 35

listening ports

Question 36

Which two HTTP header fields relate to intrusion analysis?

Answer 36

Host, Connection

Question 37

Correct order of Elements of Incident Handling

Answer 37

1. Preparation
2. Detection and Analysis
3. Containment, eradication and recovery
4. Post-incident Analysis

Question 38

In the context of incident handling phases, which two activities fall under scoping? (Choose
two

Answer 38

• determining what and how much data may have been affected

* identifying the attackers that are associated with a security incident

Question 39

Which of the following is an example of a coordination center?

Answer 39

CERT division of the Software Engineering Institute (SEI)

Question 40

You see 100 HTTP GET and POST requests for various pages on one of your webservers.
The user agent in the requests contain php code that, if executed, creates and writes to a
new php file on the webserver. Which category does this event fall under as defined in the
Diamond Model of Intrusion?

Answer 40

installation

Question 41

Which data type is protected under the PCI compliance framework?

Answer 41

credit card type

Question 42

Which kind of evidence can be considered most reliable to arrive at an analytical assertion?

Answer 42

direct

Question 43

Which two options can be used by a threat actor to determine the role of a server? (Choose
two.)

Answer 43

running processes

applications

Question 44

Refer to the exhibit. Which type of log is this an example of

Answer 44

NetFlow log

Question 45

Which type of analysis allows you to see how likely an exploit could affect your network

Answer 45

probabilistic

Question 46

Which of the following are not components of the 5-tuple of a flow in NetFlow? (Select all
that apply.

Answer 46

Flow record ID

Gateway

Question 47

Which of the following has been used to evade IDS and IPS devices?

Answer 47

Fragmentation

Question 48

Which of the following is typically a responsibility of a PSIRT

Answer 48

Disclose vulnerabilities in the organization’s products and services

Question 49

Which of the following are the three metrics, or "scores," of the Common Vulnerability
Scoring System (CVSS)? (Select all that apply.)

Answer 49

Base score
Environmental score
Temporal score

Question 50

Which element is included in an incident response plan?

Answer 50

organization mission

Question 51

Which component of the NIST SP800-61 r2 incident handling strategy reviews data?

Answer 51

detection and analysis

Question 52

Which string matches the regular expression r(ege)+x?

Answer 52

rx

Question 53

assets of an organization. Which option contains the elements that every event is
comprised of according to VERIS incident model’

Answer 53

assets of an organization. Which option contains the elements that every event is
comprised of according to VERIS incident model’

Question 54

Which description of a retrospective maKvare detection is true?

Answer 54

You use historical information from one or more sources to identify the affected host or file.

Question 55

Which of the following is not an example of weaponization

Answer 55

Connecting to a command and control server

Question 56

Drag and drop the type of evidence from the left onto the correct descnption(s) of that
evidence on the right.

Answer 56

log that shows a command and control check-in from verified malware - DIRECT EVIDENCE

firewall log showing successful communication and threat intelligence stating an IP is known to host malware-INDIRECT EVIDECE

NetFlow-based spike in DNS Traffic-CORROBORATIVE EVIDENCE

Question 57

A CMS plugin creates two files that are accessible from the Internet myplugin.html and
exploitable.php. A newly discovered exploit takes advantage of an injection vulnerability in
exploitable.php. To exploit the vulnerability, one must send an HTTP POST with specific
variables to exploitable.php. You see traffic to your webserver that consists of only HTTP
GET requests to myplugin.html. Which category best describes this activity

Answer 57

exploitation

Question 58

Which of the following are core responsibilities of a national CSIRT and CERT

Answer 58

Protect their citizens by providing security vulnerability information, security awareness training, best practices, and other information

Question 59

Which CVSSv3 Attack Vector metric value requires the attacker to physically touch or
manipulate the vulnerable component?

Answer 59

local

Question 60

Which two components are included in a 5-tuple?

Answer 60

destination IP address

data packet

Question 61

Which network device creates and sends the initial packet of a session?

Answer 61

. source

Question 62

Refer to the exhibit. You notice that the email volume history has been abnormally high.
Which potential result is true?

Answer 62

Several hosts in your network may be compromised

Question 63

Which goal of data normalization is true?

Answer 63

Reduce data redundancy.

Question 64

A user on your network receives an email in their mailbox that contains a malicious
attachment. There is no indication that the file was run. Which category as defined in the
Diamond Model of Intrusion does this activity fall under?

Answer 64

delivery

Question 65

Which CVSSv3 metric value increases when attacks consume network bandwidth,
processor cycles, or disk space?

Answer 65

availability

Question 66

Which CVSSv3 metric value increases when the attacker is able to modify all files
protected by the vulnerable component

Answer 66

integrity

Question 67

Which of the following is one of the main goals of data normalization?

Answer 67

To purge redundant data while maintaining data integrity

Question 68

Which Security Operations Center’s goal is to provide incident handling to a country?

Answer 68

National CSIRT

Question 69

You have run a suspicious file in a sandbox analysis tool to see what the file does. The
analysis report shows that outbound callouts were made post infection. Which two pieces
of information from the analysis report are needed or required to investigate the callouts?
(Choose two.)

Answer 69

File Size, Host IP address

Question 70

During which phase of the forensic process is data that is related to a specific event labeled
and recorded to preserve its integrity

Answer 70

Collection

Question 71

Which option creates a display filter on Wireshark on a host IP address or name?

Answer 71

ip.addr == <addr> or ip.host == <host></host></addr>

Question 72

Which data element must be protected with regards to PCI?

Answer 72

recent payment amount

Question 73

Refer to the following packet capture. Which of the following statements is true about this
packet capture?
00:00:04.549138 IP omar.cisco.com.34548 > 93.184.216.34.telnet: Flags [S], seq
3152949738, win 29200,
options [mss 1460,sackOK,TS val 1193148797 ecr 0,nop,wscale 7], length 0
00:00:05.547084 IP omar.cisco.com.34548 > 93.184.216.34.telnet: Flags [S], seq
3152949738, win 29200,
options [mss 1460,sackOK,TS val 1193149047 ecr 0,nop,wscale 7], length 0
00:00:07.551078 IP omar.cisco.com.34548 > 93.184.216.34.telnet: Flags [S], seq
3152949738, win 29200,
options [mss 1460,sackOK,TS val 1193149548 ecr 0,nop,wscale 7], length 0
00:00:11.559081 IP omar.cisco.com.34548 > 93.184.216.34.telnet: Flags [S], seq
3152949738, win 29200,
options [mss 1460,sackOK,TS val 1193150550 ecr 0,nop,wscale 7], length 0

Answer 73

This is a Telnet transaction that is timing out and the server is not responding.

Question 74

Which statement about threat actors is true?

Answer 74

They are perpetrators of attacks.

Question 75

Which of the following is one of the main goals of the CSIRT?

Answer 75

To minimize and control the damage associated with incidents, provide guidance for mitigation, and work to prevent future incidents

Question 76

Which option is generated when a file is run through an algorithm and generates a string
specific to the contents of that file?

Answer 76

hash

Question 77

Which type of analysis assigns values to scenarios to see what the outcome might be in
each scenario?

Answer 77

deterministic