CYSA 5

Description:
CYSA Test 5

Creation Date: 2025/09/18

Category: Others

Number of questions: 54

Content:

A software developer has been deploying web applications that exhibit common security risks, including insufficient logging. Which of the following actions would be most effective to reduce the risks associated with the application development?. Perform static analysis using an integrated development environment. Deploy compensating controls into the environment. Implement server-side logging and automatic updates. Conduct regular code reviews using OWASP best practices.

An analyst suspects cleartext passwords are being sent over the network. Which of the following tools would best support the analyst's investigation?. OpenVAS. Angry IP Scanner. Wireshark. Maltego.

Using open-source intelligence gathered from technical forums, a threat actor compiles and tests a malicious downloader to ensure it will not be detected by the victim organization's endpoint security protections. Which of the following stages of the Cyber Kill Chain best aligns with the threat actor's actions?. Delivery. Reconnaissance. Exploitation. Weaponization.

An organization would like to ensure its cloud infrastructure has a hardened configuration. A requirement is to create a server image that can be deployed with a secure template. Which of the following is the best resource to ensure secure configuration?. CIS Benchmarks. PCI DSS. OWASP Top Ten. ISO 27001.

A security analyst reviews the following Arachni scan results for a web application that stores PII data: Which of the following should be remediated first?. SQL injection. RFI. XSS. Code injection.

Which of the following stakeholders are most likely to receive a vulnerability scan report? (Choose two.). Executive management. Law enforcement. Marketing. Legal. Product owner. Systems administration.

Which of the following techniques can help a SOC team to reduce the number of alerts related to the internal security activities that the analysts have to triage?. Enrich the SIEM-ingested data to include all data required for triage. Schedule a task to disable alerting when vulnerability scans are executing. Filter all alarms in the SIEM with low severity. Add a SOAR rule to drop irrelevant and duplicated notifications.

An analyst is evaluating a vulnerability management dashboard. The analyst sees that a previously remediated vulnerability has reappeared on a database server. Which of the following is the most likely cause?. The finding is a false positive and should be ignored. A rollback had been executed on the instance. The vulnerability scanner was configured without credentials. The vulnerability management software needs to be updated.

A company has decided to expose several systems to the internet. The systems are currently available internally only. A security analyst is using a subset of CVSS 3.1 exploitability metrics to prioritize the vulnerabilities that would be the most exploitable when the systems are exposed to the internet. The systems and the vulnerabilities are shown below: Which of the following systems should be prioritized for patching?. brown. grey. blane. sullivan.

During an incident in which a user machine was compromised, an analyst recovered a binary file that potentially caused the exploitation. Which of the following techniques could be used for further analysis?. Fuzzing. Static analysis. Sandboxing. Packet capture.

A leader on the vulnerability management team is trying to reduce the team's workload by automating some simple but time-consuming tasks. Which of the following activities should the team leader consider first?. Assigning a custom recommendation for each finding. Analyzing false positives. Rendering an additional executive report. Regularly checking agent communication with the central console.

The Chief Information Security Officer (CISO) of a large management firm has selected a cybersecurity framework that will help the organization demonstrate its investment in tools and systems to protect its data. Which of the following did the CISO most likely select?. PCI DSS. COBIT. ISO 27001. ITIL.

A high volume of failed RDP authentication attempts was logged on a critical server within a one-hour period. All of the attempts originated from the same remote IP address and made use of a single valid domain user account. Which of the following would be the most effective mitigating control to reduce the rate of success of this brute-force attack?. Enabling a user account lockout after a limited number of failed attempts. Installing a third-party remote access tool and disabling RDP on all devices. Implementing a firewall block for the remote system's IP address. Increasing the verbosity of log-on event auditing on all devices.
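The lockout option in the question works because it caps how many guesses the attacker gets against the account no matter how many source IPs are used. The following added example (not part of the quiz, and not real Windows event data) simulates that control over a constructed attempt stream: one guess per minute for an hour from a single IP against one valid account, followed by the correct password. The threshold, window and duration values, the account name, the IP and the password are all assumptions chosen for illustration.

```python
"""Account lockout as a rate limit on RDP password guessing (added example).
The attempt stream is constructed, not captured from a real host, and the
policy mirrors the Windows 'Account lockout threshold' / 'Reset account lockout
counter after' / 'Account lockout duration' settings with assumed values."""
from collections import deque
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                         # failures before lockout (assumption)
OBSERVATION_WINDOW = timedelta(minutes=15)    # failure counter reset window
LOCKOUT_DURATION = timedelta(minutes=30)

T0 = datetime(2025, 9, 18, 2, 0, 0)
ATTACKER_IP = "203.0.113.5"                   # documentation range, constructed
TARGET_ACCOUNT = "CORP\\svc_backup"           # hypothetical valid domain account
REAL_PASSWORDS = {TARGET_ACCOUNT: "Summer2025!"}  # constructed secret

# 60 wrong guesses one minute apart, then the correct password at minute 60.
ATTEMPTS = [(T0 + timedelta(minutes=m), ATTACKER_IP, TARGET_ACCOUNT, "wrong-%03d" % m)
            for m in range(60)]
ATTEMPTS.append((T0 + timedelta(minutes=60), ATTACKER_IP, TARGET_ACCOUNT, "Summer2025!"))


class LockoutPolicy:
    """Per-account failure counter with a sliding window and a lockout timer."""

    def __init__(self, threshold, window, duration):
        self.threshold, self.window, self.duration = threshold, window, duration
        self.failures = {}       # account -> deque of recent failure timestamps
        self.locked_until = {}   # account -> datetime the lockout expires
        self.lockouts = 0

    def attempt(self, ts, account, password):
        """Return 'locked', 'success' or 'failure'. While locked the password is
        never evaluated, so the attacker gets at most `threshold` real guesses
        per `duration`, regardless of how many IPs the attempts come from."""
        if ts < self.locked_until.get(account, ts):
            return "locked"
        if REAL_PASSWORDS.get(account) == password:
            self.failures.pop(account, None)
            return "success"
        q = self.failures.setdefault(account, deque())
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.locked_until[account] = ts + self.duration
            self.lockouts += 1
            q.clear()
        return "failure"


def simulate(attempts, policy=None):
    """Run the attempt stream through the policy and summarise the outcome."""
    policy = policy or LockoutPolicy(LOCKOUT_THRESHOLD, OBSERVATION_WINDOW, LOCKOUT_DURATION)
    outcomes = {"locked": 0, "failure": 0, "success": 0}
    last = None
    for ts, _src_ip, account, password in attempts:
        last = policy.attempt(ts, account, password)
        outcomes[last] += 1
    return {
        "guesses_evaluated": outcomes["failure"] + outcomes["success"],
        "rejected_while_locked": outcomes["locked"],
        "lockouts": policy.lockouts,
        "final_attempt": last,
    }


if __name__ == "__main__":
    print("with lockout   :", simulate(ATTEMPTS))
    print("without lockout:", simulate(ATTEMPTS, LockoutPolicy(10**9, OBSERVATION_WINDOW, LOCKOUT_DURATION)))
```

With the lockout policy only 10 of the 61 attempts are ever evaluated and the correct password at the end is rejected because the account is still locked; with an effectively infinite threshold every guess is evaluated and the final attempt succeeds. A firewall block on the one IP would stop this particular source but not the same guessing from the next one, which is why the control keyed on the account is the stronger mitigation.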

An incident response analyst is investigating the root cause of a recent malware outbreak. Initial binary analysis indicates that this malware disables host security services and performs cleanup routines on its infected hosts, including deletion of the initial dropper and removal of event log entries and prefetch files from the host. Which of the following data sources would most likely reveal evidence of the root cause? (Choose two.). Creation time of dropper. Registry artifacts. EDR data. Prefetch files. File system metadata. Sysmon event log.

When undertaking a cloud migration of multiple SaaS applications, an organization's systems administrators struggled with the complexity of extending identity and access management to cloud-based assets. Which of the following service models would have reduced the complexity of this project?. CASB. SASE. ZTNA. SWG.

A security analyst reviews the following extract of a vulnerability scan that was performed against the web server: Which of the following recommendations should the security analyst provide to harden the web server?. Remove the version information on http-server-header. Disable tcp_wrappers. Delete the /wp-login.php folder. Close port 22.

A security analyst is responding to an incident that involves a malicious attack on a network data closet. Which of the following best explains how the analyst should properly document the incident?. Back up the configuration file for all network devices. Record and validate each connection. Create a full diagram of the network infrastructure. Take photos of the impacted items.

A cybersecurity analyst is participating with the DLP project team to classify the organization's data. Which of the following is the primary purpose for classifying data?. To identify regulatory compliance requirements. To facilitate the creation of DLP rules. To prioritize IT expenses. To establish the value of data to the organization.

A security analyst observed the following activity from a privileged account: • Accessing emails and sensitive information • Audit logs being modified • Abnormal log-in times Which of the following best describes the observed activity?. Irregular peer-to-peer communication. Unauthorized privileges. Rogue devices on the network. Insider attack.

A vulnerability management team found four major vulnerabilities during an assessment and needs to provide a report for the proper prioritization for further mitigation. Which of the following vulnerabilities should have the highest priority for the mitigation process?. A vulnerability that has related threats and IoCs, targeting a different industry. A vulnerability that is related to a specific adversary campaign, with IoCs found in the SIEM. A vulnerability that has no adversaries using it or associated IoCs. A vulnerability that is related to an isolated system, with no IoCs.

A security analyst received an alert regarding multiple successful MFA log-ins for a particular user. When reviewing the authentication logs, the analyst sees the following: Which of the following are most likely occurring, based on the MFA logs? (Choose two.). Dictionary attack. Push phishing. Impossible geo-velocity. Subscriber identity module swapping. Rogue access point. Password spray.
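The "impossible geo-velocity" option refers to a check that the page does not spell out: take consecutive successful log-ins for the same user, compute the great-circle distance between their geolocated source addresses, and compare the implied travel speed with anything a human could achieve. The following added example (not part of the quiz) implements that check over constructed log lines; the log field layout, user names, IP addresses, city coordinates and the 900 km/h ceiling are all assumptions for illustration.

```python
"""Impossible geo-velocity check over MFA authentication logs (added example).
Log lines, users, IPs and coordinates below are constructed, not real data."""
import math
from datetime import datetime

# Constructed sample: timestamp, user, source IP, city, lat, lon, MFA result.
# alice approves a push from New York and another from London 35 minutes later;
# bob logs in twice from Denver two hours apart with one denied push in between.
MFA_LOG = """\
2025-09-18T08:00:00Z,alice,198.51.100.23,New York,40.7128,-74.0060,success
2025-09-18T08:35:00Z,alice,203.0.113.77,London,51.5074,-0.1278,success
2025-09-18T09:10:00Z,alice,203.0.113.77,London,51.5074,-0.1278,success
2025-09-18T07:30:00Z,bob,192.0.2.10,Denver,39.7392,-104.9903,success
2025-09-18T07:31:00Z,bob,198.51.100.9,Lagos,6.5244,3.3792,denied
2025-09-18T09:30:00Z,bob,192.0.2.10,Denver,39.7392,-104.9903,success
"""

MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner cruise speed; tune per org (assumption)
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_log(text):
    """Turn the constructed CSV lines into dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, city, lat, lon, result = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "city": city,
            "lat": float(lat), "lon": float(lon), "result": result,
        })
    return events


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """One finding per pair of consecutive *successful* log-ins for a user whose
    implied speed exceeds max_kmh. Denied pushes are ignored: they say nothing
    about where the legitimate user actually is, only where an attacker may be."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "success":
            by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < 1.0:
                continue  # same location: no travel to explain
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            # A real distance in zero (or negative, out-of-order) time is also impossible.
            speed = float("inf") if hours <= 0 else dist / hours
            if speed > max_kmh:
                findings.append({
                    "user": user, "from": prev["city"], "to": cur["city"],
                    "km": round(dist), "minutes": round(hours * 60), "kmh": round(speed),
                })
    return findings


if __name__ == "__main__":
    for f in impossible_travel(parse_log(MFA_LOG)):
        print(f"{f['user']}: {f['from']} -> {f['to']}, {f['km']} km in "
              f"{f['minutes']} min (~{f['kmh']} km/h)")
```

Only alice's New York to London pair is flagged (about 5,570 km in 35 minutes); bob's two Denver log-ins are the same place and his denied push from Lagos is not treated as travel. Geolocation of VPN egress or mobile carrier addresses can produce false positives, so a real detection usually whitelists known corporate egress ranges before applying the speed test.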

A security analyst has identified a new malware file that has impacted the organization. The malware is polymorphic and has built-in conditional triggers that require a connection to the internet. The CPU has an idle process of at least 70%. Which of the following best describes how the security analyst can effectively review the malware without compromising the organization’s network?. Utilize an RDP session on an unused workstation to evaluate the malware. Disconnect and utilize an existing infected asset off the network. Create a virtual host for testing on the security analyst workstation. Subscribe to an online service to create a sandbox environment.

Which of the following threat-modeling procedures is in the OWASP Web Security Testing Guide?. Review of security requirements. Compliance checks. Decomposing the application. Security by design.

Which of the following would an organization use to develop a business continuity plan?. A diagram of all systems and interdependent applications. A repository for all the software used by the organization. A prioritized list of critical systems defined by executive leadership. A configuration management database in print at an off-site location.

The management team requests monthly KPI reports on the company’s cybersecurity program. Which of the following KPIs would identify how long a security threat goes unnoticed in the environment?. Employee turnover. Intrusion attempts. Mean time to detect. Level of preparedness.

Which of the following best describes the key elements of a successful information security program?. Business impact analysis, asset and change management, and security communication plan. Security policy implementation, assignment of roles and responsibilities, and information asset classification. Disaster recovery and business continuity planning, and the definition of access control requirements and human resource policies. Senior management organizational structure, message distribution standards, and procedures for the operation of security management systems.

A systems administrator notices unfamiliar directory names on a production server. The administrator reviews the directory listings and files, and then concludes the server has been compromised. Which of the following steps should the administrator take next?. Inform the internal incident response team. Follow the company's incident response plan. Review the lessons learned for the best approach. Determine when the access started.

Which of the following is a nation-state actor least likely to be concerned with?. Detection by MITRE ATT&CK framework. Detection or prevention of reconnaissance activities. Examination of its actions and objectives. Forensic analysis for legal action of the actions taken.

Which of the following is a commonly used four-component framework to communicate threat actor behavior?. STRIDE. Diamond Model of Intrusion Analysis. Cyber Kill Chain. MITRE ATT&CK.

An employee downloads a freeware program to change the desktop to the classic look of legacy Windows. Shortly after the employee installs the program, a high volume of random DNS queries begins to originate from the system. An investigation on the system reveals the following: Add-MpPreference -ExclusionPath '%Program Files%\ksyconfig' Which of the following is possibly occurring?. Persistence. Privilege escalation. Credential harvesting. Defense evasion.

An organization discovered a data breach that resulted in PII being released to the public. During the lessons learned review, the panel identified discrepancies regarding who was responsible for external reporting, as well as the timing requirements. Which of the following actions would best address the reporting issue?. Creating a playbook denoting specific SLAs and containment actions per incident type. Researching federal laws, regulatory compliance requirements, and organizational policies to document specific reporting SLAs. Defining which security incidents require external notifications and incident reporting in addition to internal stakeholders. Designating specific roles and responsibilities within the security team and stakeholders to streamline tasks.

During an incident, a security analyst discovers a large amount of PII has been emailed externally from an employee to a public email address. The analyst finds that the external email is the employee’s personal email. Which of the following should the analyst recommend be done first?. Place a legal hold on the employee’s mailbox. Enable filtering on the web proxy. Disable the public email access with CASB. Configure a deny rule on the firewall.

Which of the following can be used to learn more about TTPs used by cybercriminals?. ZenMAP. MITRE ATT&CK. National Institute of Standards and Technology. theHarvester.

Which of the following statements best describes the MITRE ATT&CK framework?. It provides a comprehensive method to test the security of applications. It provides threat intelligence sharing and development of action and mitigation strategies. It helps identify and stop enemy activity by highlighting the areas where an attacker functions. It tracks and understands threats and is an open-source project that evolves. It breaks down intrusions into a clearly defined sequence of phases.

A Chief Information Security Officer (CISO) is concerned that a specific threat actor who is known to target the company’s business type may be able to breach the network and remain inside of it for an extended period of time. Which of the following techniques should be performed to meet the CISO’s goals?. Vulnerability scanning. Adversary emulation. Passive discovery. Bug bounty.

A security analyst receives an alert for suspicious activity on a company laptop. An excerpt of the log is shown below: Which of the following has most likely occurred?. An Office document with a malicious macro was opened. A credential-stealing website was visited. A phishing link in an email was clicked. A web browser vulnerability was exploited.

During an incident, some IoCs of possible ransomware contamination were found in a group of servers in a segment of the network. Which of the following steps should be taken next?. Isolation. Remediation. Reimaging. Preservation.

An MSSP received several alerts from customer 1, which caused a missed incident response deadline for customer 2. Which of the following best describes the document that was violated?. KPI. SLO. SLA. MOU.

Which of the following is a reason proper handling and reporting of existing evidence are important for the investigation and reporting phases of an incident response?. To ensure the report is legally acceptable in case it needs to be presented in court. To present a lessons-learned analysis for the incident response team. To ensure the evidence can be used in a postmortem analysis. To prevent the possible loss of a data source for further root cause analysis.

An attacker has just gained access to the syslog server on a LAN. Reviewing the syslog entries has allowed the attacker to prioritize possible next targets. Which of the following is this an example of?. Passive network footprinting. OS fingerprinting. Service port identification. Application versioning.

A security analyst observed the following activities in chronological order: 1. Protocol violation alerts on external firewall 2. Unauthorized internal scanning activity 3. Changes in outbound network performance Which of the following best describes the goal of the threat actor?. Data exfiltration. Unusual traffic spikes. Rogue devices. Irregular peer-to-peer communication.

After reviewing the final report for a penetration test, a cybersecurity analyst prioritizes the remediation for input validation vulnerabilities. Which of the following attacks is the analyst seeking to prevent?. DNS poisoning. Pharming. Phishing. Cross-site scripting.

During a security test, a security analyst found a critical application with a buffer overflow vulnerability. Which of the following would be best to mitigate the vulnerability at the application level?. Perform OS hardening. Implement input validation. Update third-party dependencies. Configure address space layout randomization.

The SOC received a threat intelligence notification indicating that an employee's credentials were found on the dark web. The user's web and log-in activities were reviewed for malicious or anomalous connections, data uploads/downloads, and exploits. A review of the controls confirmed multifactor authentication was enabled. Which of the following should be done first to mitigate impact to the business networks and assets?. Perform a forced password reset. Communicate the compromised credentials to the user. Perform an ad hoc AV scan on the user's laptop. Review and ensure privileges assigned to the user's account reflect least privilege. Lower the thresholds for SOC alerting of suspected malicious activity.

A security analyst is working on a server patch management policy that will allow the infrastructure team to be informed more quickly about new patches. Which of the following would most likely be required by the infrastructure team so that vulnerabilities can be remediated quickly? (Choose two.). Hostname. Missing KPI. CVE details. POC availability. IoCs.

A Chief Information Security Officer (CISO) wants to disable a functionality on a business-critical web application that is vulnerable to RCE in order to maintain the minimum risk level with minimal increased cost. Which of the following risk treatments best describes what the CISO is looking for?. Transfer. Mitigate. Accept. Avoid.

A company has a primary control in place to restrict access to a sensitive database. However, the company discovered an authentication vulnerability that could bypass this control. Which of the following is the best compensating control?. Running regular penetration tests to identify and address new vulnerabilities. Conducting regular security awareness training of employees to prevent social engineering attacks. Deploying an additional layer of access controls to verify authorized individuals. Implementing intrusion detection software to alert security teams of unauthorized access attempts.

An analyst discovers unusual outbound connections to an IP that was previously blocked at the web proxy and firewall. Upon further investigation, it appears that the proxy and firewall rules that were in place were removed by a service account that is not recognized. Which of the following parts of the Cyber Kill Chain does this describe?. Delivery. Command and control. Reconnaissance. Weaponization.

An organization's email account was compromised by a bad actor. Given the following information: Which of the following is the length of time the team took to detect the threat?. 25 minutes. 40 minutes. 45 minutes. 2 hours.

A threat hunter seeks to identify new persistence mechanisms installed in an organization's environment. In collecting scheduled tasks from all enterprise workstations, the following host details are aggregated: Which of the following actions should the hunter perform first based on the details above?. Acquire a copy of taskhw.exe from the impacted host. Scan the enterprise to identify other systems with taskhw.exe present. Perform a public search for malware reports on the taskhw.exe. Change the account that runs the taskhw.exe scheduled task.
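The hunting technique behind this question is prevalence stacking: collect the same artifact (here, scheduled tasks) from every host, group by something the attacker cannot rename away such as the binary hash, and look at what is rare across the fleet. The following added example (not part of the quiz) does that over a constructed inventory; the host names, task names, paths, hash placeholders and the 5% prevalence cut-off are all assumptions, and nothing here is an indicator from a real campaign.

```python
"""Prevalence stacking of scheduled tasks collected from a fleet (added example).
The inventory is constructed; hosts, paths and hashes are placeholders."""
from collections import defaultdict

TOTAL_HOSTS = 50
HOSTS = ["WS-%03d" % i for i in range(1, TOTAL_HOSTS + 1)]

# Inventory rows: (host, task name, image path, run-as account, sha256 placeholder).
INVENTORY = []
for h in HOSTS:  # two updaters present on every workstation
    INVENTORY.append((h, "GoogleUpdateTaskMachineUA",
                      r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe", "SYSTEM", "aa" * 32))
    INVENTORY.append((h, "MicrosoftEdgeUpdateTaskMachineCore",
                      r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe", "SYSTEM", "bb" * 32))
for h in HOSTS[:3]:  # an IT tool deployed to only three machines (benign but uncommon)
    INVENTORY.append((h, "ITAssetInventory", r"C:\Tools\inventory.exe", "CORP\\svc_inventory", "cc" * 32))
# The outlier: one host runs an unknown binary from a user-writable path as SYSTEM,
# and the same hash is registered again under a second, benign-looking task name.
INVENTORY.append(("WS-017", "taskhw", r"C:\Users\Public\taskhw.exe", "SYSTEM", "dd" * 32))
INVENTORY.append(("WS-017", "OneDriveStandaloneUpdater", r"C:\Users\Public\taskhw.exe", "SYSTEM", "dd" * 32))

# Paths an unprivileged user can normally write to (assumption, extend per estate).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\")


def stack_by_hash(inventory):
    """Group rows by binary hash so renamed tasks or moved files still land in
    one bucket, and record the hosts, names, paths and accounts per bucket."""
    groups = defaultdict(lambda: {"hosts": set(), "task_names": set(), "images": set(), "run_as": set()})
    for host, task, image, run_as, sha in inventory:
        g = groups[sha]
        g["hosts"].add(host)
        g["task_names"].add(task)
        g["images"].add(image)
        g["run_as"].add(run_as)
    return groups


def rare_tasks(inventory, total_hosts, max_fraction=0.05):
    """Return hashes seen on at most max_fraction of the fleet, rarest first,
    each with triage hints (user-writable path, SYSTEM, several task names)."""
    findings = []
    for sha, g in stack_by_hash(inventory).items():
        prevalence = len(g["hosts"]) / total_hosts
        if prevalence > max_fraction:
            continue
        hints = []
        if any(p.lower().startswith(USER_WRITABLE_PREFIXES) for p in g["images"]):
            hints.append("user-writable path")
        if "SYSTEM" in g["run_as"]:
            hints.append("runs as SYSTEM")
        if len(g["task_names"]) > 1:
            hints.append("same hash under %d task names" % len(g["task_names"]))
        findings.append({
            "sha256": sha, "prevalence": prevalence,
            "hosts": sorted(g["hosts"]), "images": sorted(g["images"]),
            "task_names": sorted(g["task_names"]), "hints": hints,
        })
    findings.sort(key=lambda f: len(f["hosts"]))
    return findings


if __name__ == "__main__":
    for f in rare_tasks(INVENTORY, TOTAL_HOSTS):
        print(f"{f['sha256'][:12]}... on {len(f['hosts'])}/{TOTAL_HOSTS} hosts "
              f"{f['hosts']} {f['images']} hints={f['hints']}")
```

The output of the stacking step is exactly the answer the question is after: the list of hosts where the hash (not just the name taskhw.exe) is present, which scopes the incident before anyone pulls a sample or touches the task. Raising `max_fraction` surfaces the three-host IT tool as a second, lower-priority bucket.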

A SOC analyst is analyzing traffic on a network and notices an unauthorized scan. Which of the following types of activities is being observed?. Potential precursor to an attack. Unauthorized peer-to-peer communication. Rogue device on the network. System updates.

An analyst reviews a recent government alert on new zero-day threats and finds the following CVE metrics for the most critical of the vulnerabilities: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:W/RC:R Which of the following represents the exploit code maturity of this critical vulnerability?. E:U. S:C. RC:R. AV:N. AC:L.

A security analyst detects an email server that had been compromised in the internal network. Users have been reporting strange messages in their email inboxes and unusual network traffic. Which of the following incident response steps should be performed next?. Preparation. Validation. Containment. Eradication.

A SIEM alert is triggered based on execution of a suspicious one-liner on two workstations in the organization’s environment. An analyst views the details of these events below: Which of the following statements best describes the intent of the attacker, based on this one-liner?. Attacker is escalating privileges via JavaScript. Attacker is utilizing custom malware to download an additional script. Attacker is executing PowerShell script “AccessToken.ps1”. Attacker is attempting to install persistence mechanisms on the target machine.
