Which two elements are assets in the role of attribution in an investigation? (Choose two.)
- context
- session
- laptop
- firewall logs
- threat actor

An engineer runs a suspicious file in a sandbox analysis tool to see the outcome. The analysis report shows that outbound callouts were made post-infection. Which two pieces of information from the analysis report are needed to investigate the callouts? (Choose two.)
- signatures
- host IP addresses
- file size
- dropped files
- domain names

What is the difference between deep packet inspection and stateful inspection?
- Deep packet inspection is more secure than stateful inspection on Layer 4.
- Stateful inspection verifies contents at Layer 4, and deep packet inspection verifies connection at Layer 7.
- Stateful inspection is more secure than deep packet inspection on Layer 7.
- Deep packet inspection allows visibility on Layer 7 and stateful inspection allows visibility on Layer 4.

Which process is used when IPS events are removed to improve data integrity?
- data availability
- data normalization
- data signature
- data protection

Which two elements of the incident response process are stated in NIST Special Publication 800-61 r2? (Choose two.)
- detection and analysis
- post-incident activity
- vulnerability management
- risk assessment
- vulnerability scoring

Which category relates to improper use or disclosure of PII data?
- legal
- compliance
- regulated
- contractual

Which piece of information is needed for attribution in an investigation?
- proxy logs showing the source RFC 1918 IP addresses
- RDP allowed from the Internet
- known threat actor behavior
- 802.1x RADIUS authentication pass and fail logs

What is the function of a command and control server?
- It enumerates open ports on a network device.
- It drops the secondary payload into malware.
- It is used to regain control of the network after a compromise.
- It sends instructions to a compromised system.

Which type of data collection requires the largest amount of storage space?
- alert data
- transaction data
- session data
- full packet capture

Which regular expression matches "color" and "colour"?
- colo?ur
- col[0-8]+our
- colou?r
- col[0-9]+our

What specific type of analysis is assigning values to the scenario to see expected outcomes?
- deterministic
- exploratory
- probabilistic
- descriptive

What are two differences in how tampered and untampered disk images affect a security incident? (Choose two.)
- Untampered images are used in the security investigation process.
- Tampered images are used in the security investigation process.
- The image is tampered if the stored hash and the computed hash match.
- Tampered images are used in the incident recovery process.
- The image is untampered if the stored hash and the computed hash match.

What is the practice of giving an employee access to only the resources needed to accomplish their job?
- Principle of least privilege
- Organizational separation
- Separation of duties
- Need to know principle

Which metric is used to capture the level of access needed to launch a successful attack?
- Privileges required
- User interaction
- Attack complexity
- Attack vector

Which principle is being followed when an analyst gathers information relevant to a security incident to determine the appropriate course of action?
- decision making
- rapid response
- data mining
- due diligence

What is rule-based detection when compared to statistical detection?
- proof of a user's identity
- proof of a user's action
- likelihood of the user's action
- falsification of a user's identity

Which evasion technique is a function of ransomware?
- extended sleep calls
- encryption
- resource exhaustion
- encoding

Which regex matches only on all lowercase letters?
- [a-z]+
- [^a-z]+
- a-z+
- a*z+

An analyst discovers that a legitimate security alert has been dismissed. Which signature caused this impact on the network traffic?
- true negative
- false negative
- false positive
- true positive

Which metric in CVSS indicates an attack that takes a destination bank account number and replaces it with a different bank account number?
- integrity
- confidentiality
- availability
- scope

A security engineer has a video of a suspect entering a data center that was captured on the same day that files in the same data center were transferred to a competitor. Which type of evidence is this?
- best evidence
- prima facie evidence
- indirect evidence
- physical evidence

An intruder attempted malicious activity and exchanged emails with a user and received corporate information, including email distribution lists. The intruder asked the user to engage with a link in an email. When the link launched, it infected machines and the intruder was able to access the corporate network. Which testing method did the intruder use?
- social engineering
- eavesdropping
- piggybacking
- tailgating

Which artifact is used to uniquely identify a detected file?
- file timestamp
- file extension
- file size
- file hash

How does an SSL certificate impact security between the client and the server?
- by enabling an authenticated channel between the client and the server
- by creating an integrated channel between the client and the server
- by enabling an authorized channel between the client and the server
- by creating an encrypted channel between the client and the server

Which system monitors local system operation and local network access for violations of a security policy?
- host-based intrusion detection
- systems-based sandboxing
- host-based firewall
- antivirus

What do the Security Intelligence Events within the FMC allow an administrator to do?
- See if a host is connecting to a known-bad domain.
- Check for host-to-server traffic within your network.
- View any malicious files that a host has downloaded.
- Verify host-to-host traffic within your network.

What makes HTTPS traffic difficult to monitor?
- SSL interception
- packet header size
- signature detection time
- encryption

What causes events on a Windows system to show Event Code 4625 in the log messages?
- The system detected an XSS attack.
- Someone is trying a brute-force attack on the network.
- Another device is gaining root access to the system.
- A privileged user successfully logged into the system.

A malicious file has been identified in a sandbox analysis tool. Which piece of information is needed to search for additional downloads of this file by other hosts?
- file type
- file size
- file name
- file hash value

What does cyber attribution identify in an investigation?
- exploit of an attack
- threat actors of an attack
- vulnerabilities exploited
- cause of an attack

What is the difference between an attack vector and an attack surface?
- An attack surface identifies vulnerabilities that require user input or validation; an attack vector identifies vulnerabilities that are independent of user actions.
- An attack vector identifies components that can be exploited, and an attack surface specifies an attack's potential path to penetrate the network.
- An attack surface recognizes which network parts are vulnerable to an attack; and an attack vector identifies which attacks are possible with these vulnerabilities.
- An attack vector identifies the potential outcomes of an attack; and an attack surface launches an attack using several methods against the identified vulnerabilities.

When trying to evade IDS/IPS devices, which mechanism allows the user to make the data incomprehensible without a specific key, certificate, or password?
- fragmentation
- pivoting
- encryption
- steganography

What is the difference between the ACK flag and the RST flag in the NetFlow log session?
- The RST flag confirms the beginning of the TCP connection, and the ACK flag responds when the data for the payload is complete.
- The ACK flag confirms the beginning of the TCP connection, and the RST flag responds when the data for the payload is complete.
- The RST flag confirms the receipt of the prior segment, and the ACK flag allows for the spontaneous termination of a connection.
- The ACK flag confirms the receipt of the prior segment, and the RST flag allows for the spontaneous termination of a connection.

Which utility blocks a host portscan?
- HIDS
- sandboxing
- host-based firewall
- antimalware

Which security principle requires that more than one person perform a critical task?
- Least privilege
- Need to know
- Separation of duties
- Due diligence

Which list identifies the information that the client sends to the server in the negotiation phase of the TLS handshake?
- ClientStart, ClientKeyExchange, cipher-suites it supports, and suggested compression methods.
- ClientStart, TLS versions it supports, cipher suites it supports, and suggested compression methods.
- ClientHello, TLS versions it supports, cipher-suites it supports, and suggested compression methods.
- ClientHello, ClientKeyExchange, cipher-suites it supports, and suggested compression methods.

Which security technology allows only a set of pre-approved applications to run on a system?
- application-level blacklisting
- host-based IPS
- application-level whitelisting
- antivirus

Which type of attack occurs when an attacker is successful in eavesdropping on a conversation between two IP phones?
- known-plaintext
- replay
- dictionary
- man-in-the-middle

A SOC analyst is investigating an incident that involves a Linux system that is identifying specific sessions. Which identifier tracks an active program?
- application identification number
- active process identification number
- runtime identification number
- process identification number

A network engineer discovers that a foreign government hacked one of the defense contractors in their home country and stole intellectual property. What is the threat agent in this situation?
- The intellectual property that was stolen
- The defense contractor who stored the intellectual property
- The method used to conduct the attack
- The foreign government that conducted the attack

Which event artifact is used to identify HTTP GET requests for a specific file?
- destination IP address
- URI
- HTTP status code
- TCP ACK

Which access control model does SELinux use?
- RBAC
- DAC
- MAC
- ABAC

What does cyber attribution identify in an investigation?
- Cause of an attack
- Exploit of an attack
- Vulnerabilities exploited
- Threat actors of an attack

What are two social engineering techniques? (Choose two.)
- privilege escalation
- DDoS attack
- phishing
- man-in-the-middle
- pharming

At which layer is deep packet inspection investigated on a firewall?
- Internet
- transport
- application
- data link

What is a difference between SOAR and SIEM?
- SOAR platforms are used for threat and vulnerability management, but SIEM applications are not.
- SIEM applications are used for threat and vulnerability management, but SOAR platforms are not.
- SOAR receives information from a single platform and delivers it to a SIEM.
- SIEM receives information from a single platform and delivers it to a SOAR.

How is NetFlow different from traffic mirroring?
- NetFlow collects metadata and traffic mirroring clones data.
- Traffic mirroring impacts switch performance and NetFlow does not.
- Traffic mirroring costs less to operate than NetFlow.
- NetFlow generates more data than traffic mirroring.

Which two elements in the table are parts of the 5-tuple? (Choose two.)
- First Packet
- Initiator User
- Ingress Security Zone
- Source Port
- Initiator IP

In a SOC environment, what is a vulnerability management metric?
- code signing enforcement
- full assets scan
- internet exposed devices
- single-factor authentication

What is one difference between the client-server and peer-to-peer network models?
- A data transfer that uses a device serving in a client role requires a dedicated server.
- Every device in a peer-to-peer network can function as a client or a server.
- Only in the client-server model can file transfers occur.
- A peer-to-peer network transfers data faster than a transfer using a client-server network.