What is the second stage of an Advanced Persistent Threat (APT) attack?
- A . Exfiltration
- B . Incursion
- C . Discovery
- D . Capture
Which SEP technology does an Incident Responder need to enable in order to enforce blacklisting on an endpoint?
- A . System Lockdown
- B . Intrusion Prevention System
- C . Firewall
- D . SONAR
An Incident Responder wants to create a timeline for a recent incident using Syslog in addition to ATP for the After Actions Report.
What are two reasons the responder should analyze the information using Syslog? (Choose two.)
- A . To have less raw data to analyze
- B . To evaluate the data, including information from other systems
- C . To access expanded historical data
- D . To determine what policy settings to modify in the Symantec Endpoint Protection Manager (SEPM)
- E . To determine the best cleanup method
Which SEP technologies are used by ATP to enforce the blacklisting of files?
- A . Application and Device Control
- B . SONAR and Bloodhound
- C . System Lockdown and Download Insight
- D . Intrusion Prevention and Browser Intrusion Prevention
C
Explanation:
Reference: https://support.symantec.com/en_US/article.HOWTO101774.html
What is the role of Insight within the Advanced Threat Protection (ATP) solution?
- A . Reputation-based security
- B . Detonation/sandbox
- C . Network detection component
- D . Event correlation
A
Explanation:
Reference: https://www.symantec.com/content/dam/symantec/docs/brochures/atp-brochure-en.pdf
What are two policy requirements for using the Isolate and Rejoin features in ATP? (Choose two.)
- A . Add a Quarantine firewall policy for non-compliant and non-remediated computers.
- B . Add a Quarantine LiveUpdate policy for non-compliant and non-remediated computers.
- C . Add and assign an Application and Device Control policy in the Symantec Endpoint Protection Manager (SEPM).
- D . Add and assign a Host Integrity policy in the Symantec Endpoint Protection Manager (SEPM).
- E . Add a Quarantine Antivirus and Antispyware policy for non-compliant and non-remediated computers.
AD
Explanation:
Reference: https://support.symantec.com/en_US/article.HOWTO128427.html
Which section of the ATP console should an ATP Administrator use to evaluate prioritized threats within the environment?
- A . Search
- B . Action Manager
- C . Incident Manager
- D . Events
Which stage of an Advanced Persistent Threat (APT) attack does social engineering occur?
- A . Capture
- B . Incursion
- C . Discovery
- D . Exfiltration
Why is it important for an Incident Responder to analyze an incident during the Recovery phase?
- A . To determine the best plan of action for cleaning up the infection
- B . To isolate infected computers on the network and remediate the threat
- C . To gather threat artifacts and review the malicious code in a sandbox environment
- D . To access the current security plan, adjust where needed, and provide reference materials in the event of a similar incident
Which two database attributes are needed to create a Microsoft SQL SEP database connection? (Choose two.)
- A . Database version
- B . Database IP address
- C . Database domain name
- D . Database hostname
- E . Database name
How does an attacker use a zero-day vulnerability during the Incursion phase?
- A . To perform a SQL injection on an internal server
- B . To extract sensitive information from the target
- C . To perform network discovery on the target
- D . To deliver malicious code that breaches the target
D
Explanation:
Reference: https://www.symantec.com/connect/blogs/guide-zero-day-exploits
Why is it important for an Incident Responder to review Related Incidents and Events when analyzing an incident for an After Actions Report?
- A . It ensures that the Incident is resolved, and the responder can clean up the infection.
- B . It ensures that the Incident is resolved, and the responder can determine the best remediation method.
- C . It ensures that the Incident is resolved, and the threat is NOT continuing to spread to other parts of the environment.
- D . It ensures that the Incident is resolved, and the responder can close out the incident in the ATP manager.
Which best practice does Symantec recommend with the Endpoint Detection and Response feature?
- A . Create a unique Cynic account to provide to ATP
- B . Create a unique Symantec Messaging Gateway account to provide to ATP
- C . Create a unique Symantec Protection Manager (SEPM) administrator account to provide to ATP
- D . Create a unique Email Security.cloud portal account to provide to ATP
What is the role of Cynic within the Advanced Threat Protection (ATP) solution?
- A . Reputation-based security
- B . Event correlation
- C . Network detection component
- D . Detonation/sandbox
D
Explanation:
Reference: https://www.symantec.com/content/en/us/enterprise/fact_sheets/b-advanced-threat-protectionemail-DS-21349610.pdf
Which section of the ATP console should an ATP Administrator use to create blacklists and whitelists?
- A . Reports
- B . Settings
- C . Action Manager
- D . Policies
D
Explanation:
Reference: https://symwisedownload.symantec.com//resources/sites/SYMWISE/content/live/ DOCUMENTATION/10000/DOC10986/en_US/satp_administration_guide_3.1.pdf? __gda__=1541979133_5668f0b4c03c16ac1a30d54989313e76 (132)
How should an ATP Administrator configure Endpoint Detection and Response according to Symantec best practices for a SEP environment with more than one domain?
- A . Create a unique Symantec Endpoint Protection Manager (SEPM) domain for ATP
- B . Create an ATP manager for each Symantec Endpoint Protection Manager (SEPM) domain
- C . Create a Symantec Endpoint Protection Manager (SEPM) controller connection for each domain
- D . Create a Symantec Endpoint Protection Manager (SEPM) controller connection for the primary domain
C
Explanation:
Reference: https://symwisedownload.symantec.com//resources/sites/SYMWISE/content/live/ DOCUMENTATION/10000/DOC10986/en_US/satp_administration_guide_3.1.pdf? __gda__=1541979133_5668f0b4c03c16ac1a30d54989313e76 (46)
Which attribute is required when configuring the Symantec Endpoint Protection Manager (SEPM) Log Collector?
- A . SEPM embedded database name
- B . SEPM embedded database type
- C . SEPM embedded database version
- D . SEPM embedded database password
D
Explanation:
Reference: https://support.symantec.com/en_US/article.HOWTO125960.html
DRAG DROP
Which level of privilege corresponds to each ATP account type? Match the correct account type to the corresponding privileges.
An Incident Responder wants to run a database search that will list all client named starting with SYM.
Which syntax should the responder use?
- A . hostname like “SYM”
- B . hostname “SYM”
- C . hostname “SYM*”
- D . hostname like “SYM*”
A
Explanation:
Reference: https://support.symantec.com/en_US/article.HOWTO124805.html
What is the main constraint an ATP Administrator should consider when choosing a network scanner model?
- A . Throughput
- B . Bandwidth
- C . Link speed
- D . Number of users
Where can an Incident Responder view Cynic results in ATP?
- A . Events
- B . Dashboard
- C . File Details
- D . Incident Details
D
Explanation:
Reference: https://support.symantec.com/en_US/article.HOWTO128417.html
An Incident Responder wants to investigate whether msscrt.pdf resides on any systems.
Which search query and type should the responder run?
- A . Database search filename “msscrt.pdf”
- B . Database search msscrt.pdf
- C . Endpoint search filename like msscrt.pdf
- D . Endpoint search filename =“msscrt.pdf”
What is the earliest stage at which a SQL injection occurs during an Advanced Persistent Threat (APT) attack?
- A . Exfiltration
- B . Incursion
- C . Capture
- D . Discovery
What occurs when an endpoint fails its Host Integrity check and is unable to remediate?
- A . The endpoint automatically switches to using a Compliance location, where a Compliance policy is applied to the computer.
- B . The endpoint automatically switches to using a System Lockdown location, where a System Lockdown policy is applied to the computer.
- C . The endpoint automatically switches to using a Host Integrity location, where a Host Integrity policy is applied to the computer.
- D . The endpoint automatically switches to using a Quarantine location, where a Quarantine policy is applied to the computer.
Which two tasks should an Incident Responder complete when recovering from an incident? (Choose two.)
- A . Rejoin healthy endpoints back to the network
- B . Blacklist any suspicious files found in the environment
- C . Submit any suspicious files to Cynic
- D . Isolate infected endpoints to a quarantine network
- E . Delete threat artifacts from the environment
Which threat is an example of an Advanced Persistent Threat (APT)?
- A . Koobface
- B . Brain
- C . Flamer
- D . Creeper
An Incident Responder notices traffic going from an endpoint to an IRC channel. The endpoint is listed in an incident. ATP is configured in TAP mode.
What should the Incident Responder do to stop the traffic to the IRC channel?
- A . Isolate the endpoint with a Quarantine Firewall policy
- B . Blacklist the IRC channel IP
- C . Blacklist the endpoint IP
- D . Isolate the endpoint with an application control policy
Which prerequisite is necessary to extend the ATP: Network solution service in order to correlate email detections?
- A . Email Security.cloud
- B . Web security.cloud
- C . Skeptic
- D . Symantec Messaging Gateway
A
Explanation:
Reference: https://www.symantec.com/content/dam/symantec/docs/data-sheets/endpoint-detection-andresponse-atp-endpoint-en.pdf