1) Ian wants to capture information about privilege escalation attacks on a Linux system. If he believes that an insider is going to exploit a flaw that allows them to use sudo to assume root privileges, where is he most likely to find log information about what occurred?
a) The sudoers file
b) /var/log/sudo
c) /var/log/auth.log
d) Root's .bash_log

2) What type of information can Gabby determine from Tripwire logs on a Linux system if it is configured to monitor a directory?
a) How often the directory is accessed
b) If files in the directory have changed
c) If sensitive data was copied out of the directory
d) Who has viewed files in the directory

3) While reviewing systems she is responsible for, Charlene discovers that a user has recently run the following command in a Windows console window. What has occurred?
[image]
a) The user has opened a command prompt on their workstation.
b) The user has opened a command prompt on the desktop of a remote workstation.
c) The user has opened an interactive command prompt as administrator on a remote workstation.
d) The user has opened a command prompt on their workstation as Administrator.

4) While reviewing tcpdump data, Kwame discovers that hundreds of different IP addresses are sending a steady stream of SYN packets to a server on his network. What concern should Kwame have about what is happening?
a) A firewall is blocking connections from occurring.
b) An IPS is blocking connections from occurring.
c) A denial-of-service attack.
d) An ACK blockage.

5) While reviewing Windows event logs for a Windows system with reported odd behavior, Kai discovers that the system she is reviewing shows Event ID 1005 MALWAREPROTECTION_SCAN_FAILED every day at the same time. What is the most likely cause of this issue?
a) The system was shut down.
b) Another antivirus program has interfered with the scan.
c) The user disabled the scan.
d) The scan found a file it was unable to scan.
6) Charles wants to use his SIEM to automatically flag known bad IP addresses. Which of the following capabilities is not typically used for this with SIEM devices?
a) Blocklisting
b) IP reputation
c) Allowlisting
d) Domain reputation

7) Gabby executes the following command. What is she doing?
ps -aux | grep apache2 | grep root
a) Searching for all files owned by root named apache2.
b) Checking currently running processes with the word apache2 and root both appearing in the output of ps.
c) Shutting down all apache2 processes run by root.
d) There is not enough information to answer this question.

8) While reviewing email headers, Saanvi notices an entry that reads as follows: From: “John Smith, CIO” <jsmith@example.com> with a Received: parameter that shows mail.demo.com [10.74.19.11]. Which of the following scenarios is most likely if demo.com is not a domain belonging to the same owner as example.com?
a) John Smith's email was forwarded by someone at demo.com.
b) John Smith's email was sent to someone at demo.com.
c) The headers were forged to make it appear to have come from John Smith.
d) The mail.demo.com server is a trusted email forwarding partner for example.com.

9) Fiona wants to prevent email impersonation of individuals inside her company. What technology can best help prevent this?
a) IMAP
b) SPF
c) DKIM
d) DMARC

10) Which of the items from the following list is not typically found in an email header?
a) Sender IP address
b) Date
c) Receiver IP address
d) Private key

11) Ian wants to leverage multiple threat flows and is frustrated that they come in different formats. What type of tool might best assist him in combining this information and using it to further streamline his operations?
a) IPS
b) OCSP
c) SOAR
d) SAML

12) Cassandra is classifying a threat actor, and she describes the actor as wanting to steal nuclear research data. What term best describes this information?
a) An alias
b) A goal
c) Their sophistication
d) Their resource level

13) During a log review, Mei sees repeated firewall entries, as shown here:
[image]
What service is the remote system most likely attempting to access?
a) H.323
b) SNMP
c) MS-SQL
d) Oracle

14) While analyzing a malware file that she discovered, Tracy finds an encoded file that she believes is the primary binary in the malware package. Which of the following is not a type of tool that the malware writers may have used to obfuscate the code?
a) A packer
b) A crypter
c) A shuffler
d) A protector

15) While reviewing Apache logs, Nara sees the following entries as well as hundreds of others from the same source IP address. What should Nara report has occurred?
[image]
a) A denial-of-service attack
b) A vulnerability scan
c) A port scan
d) A directory traversal attack

16) Andrea needs to add a firewall rule that will prevent external attackers from conducting topology gathering reconnaissance on her network. Where in the following image should she add a rule intended to block this type of traffic?
[image]
a) The firewall
b) The router
c) The distribution switch
d) The Windows 2019 server

17) Cormac needs to lock down a Windows workstation that has recently been scanned using Nmap on a Kali Linux–based system, with the results shown here. He knows that the workstation needs to access websites and that the system is part of a Windows domain. What ports should he allow through the system's firewall for externally initiated connections?
[image]
a) 80, 135, 139, and 445.
b) 80, 445, and 3389.
c) 135, 139, and 445.
d) No ports should be open.

18) Frank's team uses the following query to identify events in their threat intelligence tool. Why would this scenario be of concern to the security team?
[image]
a) Processes other than explorer.exe typically do not launch command prompts.
b) cmd.exe should never launch explorer.exe.
c) explorer.exe provides administrative access to systems.
d) cmd.exe runs as administrator by default when launched outside of Explorer.

19) Mark writes a script to pull data from his security data repository. The script includes the following query:
[image]
What events will Mark see?
a) Uses of explorer.exe where it is launched by cmd.exe
b) Registry edits launched via the command line from Explorer
c) Registry edits launched via explorer.exe that modify cmd.exe
d) Uses of cmd.exe where it is launched by reg.exe

20) Mateo is responsible for hardening systems on his network, and he discovers that a number of network appliances have exposed services including telnet, FTP, and web servers. What is his best option to secure these systems?
a) Enable host firewalls.
b) Install patches for those services.
c) Turn off the services for each appliance.
d) Place a network firewall between the devices and the rest of the network.

21) Deepa wants to see the memory utilization for multiple Linux processes all at once. What command should she run?
a) top
b) ls -mem
c) mem
d) memstat

22) While reviewing a system she is responsible for, Amanda notices that the system is performing poorly and runs htop to see a graphical representation of system resource usage. She sees the information shown in the following image:
[image]
What issue should Amanda report to the system administrator?
a) High network utilization
b) High memory utilization
c) Insufficient swap space
d) High CPU utilization

23) While reviewing a system she is responsible for, Amanda notices that the system is performing poorly and runs htop to see a graphical representation of system resource usage. She sees the information shown in the following image:
[image]
What command could Amanda run to find the process with the highest CPU utilization if she did not have access to htop?
a) ps
b) top
c) proc
d) load

24) While reviewing a system she is responsible for, Amanda notices that the system is performing poorly and runs htop to see a graphical representation of system resource usage. She sees the information shown in the following image:
[image]
What command can Amanda use to terminate the process?
a) term
b) stop
c) end
d) kill

25) While reviewing output from the netstat command, John sees the following output. What should his next action be?
[image]
a) Capture traffic to 151.101.2.69 using Wireshark.
b) Initiate the organization's incident response plan.
c) Check to see if 151.101.2.69 is a valid Microsoft address.
d) Ignore it; this is a false positive.

26) What does EDR use to capture data for analysis and storage in a central database?
a) A network tap
b) Network flows
c) Software agents
d) Hardware agents

27) While reviewing the command history for an administrative user, Lakshman discovers a suspicious command that was captured:
[image]
What action was this user attempting to perform?
a) Enabling the Bash history
b) Appending the contents of /dev/null to the Bash history
c) Logging all shell commands to /dev/null
d) Allowing remote access from the null shell

28) Charles wants to determine whether a message he received was forwarded by analyzing the headers of the message. How can he determine this?
a) Reviewing the Message-ID to see if it has been incremented.
b) Checking for the In-Reply-To field.
c) Checking for the References field.
d) You cannot determine if a message was forwarded by analyzing the headers.

29) While reviewing the filesystem of a potentially compromised system, Marta sees the following output when running ls -la. What should her next action be after seeing this?
[image]
a) Continue to search for other changes.
b) Run diff against the password file.
c) Immediately change her password.
d) Check the passwd binary against a known good version.
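Questions 8, 10 and 28 all turn on reading the Received: chain and the threading headers of a message by hand. The following Python is an added example, not part of the question set: it parses a constructed message whose From: domain (example.com) does not match the relay that handed it to the local MX (mail.demo.com), and reports the threading headers that separate a reply from a forward. The sample headers, hostnames, addresses and the trusted-relay list are all constructed for illustration.

```python
"""Spoofing and forwarding indicators from raw e-mail headers.

Added example; the message below is constructed and every host, address and
relay name in it is illustrative only.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: From: claims example.com, but the newest Received: hop
# (the one our MX wrote) says the message arrived from mail.demo.com.
SAMPLE_RAW = """Received: from mail.demo.com (mail.demo.com [10.74.19.11])
\tby mx.example.net with ESMTP id abc123
\tfor <bob@example.net>; Mon, 04 Sep 2023 09:12:44 -0400
Received: from localhost (localhost [127.0.0.1])
\tby mail.demo.com with ESMTP id def456;
\tMon, 04 Sep 2023 09:12:40 -0400
From: "John Smith, CIO" <jsmith@example.com>
To: bob@example.net
Subject: Urgent wire transfer
Date: Mon, 04 Sep 2023 09:12:39 -0400
Message-ID: <20230904131239.1234@mail.demo.com>

Please process the attached invoice today.
"""

# "from HELO (rdns [ip])" as written by most MTAs; rdns may be absent.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]"
)


def received_hops(msg):
    """Return (helo, rdns, ip) per Received: header, oldest hop first.

    Each MTA prepends its own Received: line, so the header order in the
    message is newest-first; reversing gives the path the message travelled.
    """
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(hdr))
        if m:
            hops.append((m.group("helo"), m.group("rdns") or "", m.group("ip")))
    return list(reversed(hops))


def sender_domain(msg):
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def header_domain_mismatch(msg, trusted_relays=()):
    """Question 8: the relay our MX received from is neither in the sender's
    domain nor a known forwarding partner. Returns None when consistent."""
    hops = received_hops(msg)
    if not hops:
        return None
    helo, _rdns, ip = hops[-1]          # hop that delivered to our MX
    helo = helo.lower()
    dom = sender_domain(msg)
    if helo == dom or helo.endswith("." + dom) or helo in trusted_relays:
        return None
    return {"from_domain": dom, "relay": helo, "relay_ip": ip}


def forwarding_indicators(msg):
    """Question 28: In-Reply-To/References mark replies in a thread; a plain
    forward normally carries neither, only a Fwd: subject prefix at best."""
    return {
        "in_reply_to": msg.get("In-Reply-To"),
        "references": msg.get("References"),
        "resent_from": msg.get("Resent-From"),
        "subject_prefix": bool(re.match(r"(?i)^(fwd?|fw):", str(msg.get("Subject", "")))),
    }


def analyze(raw, trusted_relays=()):
    msg = email.message_from_string(raw, policy=policy.default)
    return {
        "hops": received_hops(msg),
        "mismatch": header_domain_mismatch(msg, trusted_relays),
        "forwarding": forwarding_indicators(msg),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(analyze(SAMPLE_RAW))
```

The relay check only says the headers are inconsistent; whether that is forgery or a legitimate forwarding partner (options c and d in question 8) is decided by the `trusted_relays` list, which in practice comes from your own mail routing records, not from the message.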
30) Susan wants to check a Windows system for unusual behavior. Which of the following persistence techniques is not commonly used for legitimate purposes?
a) Scheduled tasks
b) Service replacement
c) Service creation
d) Autostart registry keys

31) Matt is reviewing a query that his team wrote for their threat-hunting process. What will the following query warn them about?
[image]
a) Users who log in more than once a day
b) Users who are logged in to more than one machine within four hours
c) Users who do not log in for more than four hours
d) Users who do not log in to more than one machine in four hours

32) Ben wants to quickly check a suspect binary file for signs of its purpose or other information that it may contain. What Linux tool can quickly show him potentially useful information contained in the file?
a) grep
b) more
c) less
d) strings

33) Lucas believes that an attacker has successfully compromised his web server. Using the following output of ps, identify the process ID he should focus on:
[image]
a) 508
b) 617
c) 846
d) 714

34) Damian has discovered that systems throughout his organization have been compromised for more than a year by an attacker with significant resources and technology. After a month of attempting to fully remove the intrusion, his organization is still finding signs of compromise despite their best efforts. How would Damian best categorize this threat actor?
a) Criminal
b) Hacktivist
c) APT
d) Unknown

35) While investigating a compromise, Glenn encounters evidence that a user account has been added to the system he is reviewing. He runs a diff of /etc/shadow and /etc/passwd and sees the following output. What has occurred?
[image]
a) The root account has been compromised.
b) An account named daemon has been added.
c) The shadow password file has been modified.
d) /etc/shadow and /etc/passwd cannot be diffed to create a useful comparison.
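Question 32 asks which tool pulls readable text out of a suspect binary. The following Python is an added example, not code from the question set: it reimplements the core of `strings` (runs of at least four printable characters) and goes one step further than the default tool by also recovering UTF-16LE strings, which is how Windows binaries usually store URLs, registry paths and command lines, and which a plain ASCII pass misses. The "binary" it scans is a constructed byte blob, not real malware; the indicator patterns are ordinary triage regexes, not a vendor signature set.

```python
"""Minimal `strings` for malware triage, with UTF-16LE support.

Added example. SAMPLE_BLOB is constructed; a real run would read the file
with open(path, "rb").read() and feed the bytes to triage().
"""
import re

MIN_LEN = 4  # same default minimum length as GNU strings

# Printable ASCII (space..tilde, tab) runs of at least MIN_LEN bytes.
ASCII_RE = re.compile(rb"[\x20-\x7e\t]{%d,}" % MIN_LEN)
# UTF-16LE runs: printable ASCII byte followed by NUL, repeated MIN_LEN+ times.
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Constructed sample: fake MZ header, an ASCII URL, a UTF-16LE registry
# autorun path, a run too short to report ("ab"), and an ASCII command line.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"http://198.51.100.23/update.bin\x00\x00\x01\x02"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00ab\x00\x7f\x7f"
    + b"cmd.exe /c whoami\x00"
)


def extract_strings(blob, min_len=MIN_LEN):
    """Return (offset, encoding, text) for every printable run, by offset."""
    ascii_re = ASCII_RE if min_len == MIN_LEN else re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    utf16_re = UTF16_RE if min_len == MIN_LEN else re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(blob):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(blob):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    found.sort()
    return found


# What an analyst typically greps the strings output for (illustrative set).
INTERESTING = {
    "url": re.compile(r"https?://[^\s\"']+"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry": re.compile(r"(?i)(?:HKLM|HKCU|HKEY_[A-Z_]+|Software)\\\S+"),
    "command": re.compile(r"(?i)\b(?:cmd\.exe|powershell|rundll32|regsvr32|mshta)\b"),
}


def triage(blob):
    """Group extracted strings by the indicator class they match."""
    hits = {kind: [] for kind in INTERESTING}
    for _offset, _enc, text in extract_strings(blob):
        for kind, rx in INTERESTING.items():
            if rx.search(text):
                hits[kind].append(text)
    return hits


if __name__ == "__main__":
    for offset, enc, text in extract_strings(SAMPLE_BLOB):
        print(f"{offset:6d} {enc:9s} {text}")
    print(triage(SAMPLE_BLOB))
```

Running it on the sample prints the URL at offset 16, the registry path (tagged utf-16le) and the command line; the two-byte "ab" run is dropped, exactly as `strings` would drop it.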
36) Bruce wants to integrate a security system to his SOAR. The security system provides real-time query capabilities, and Bruce wants to take advantage of this to provide up-to-the-moment data for his SOAR tool. What type of integration is best suited to this?
a) CSV
b) Flat file
c) API
d) Email

37) Carol wants to analyze email as part of her antispam and antiphishing measures. Which of the following is least likely to show signs of phishing or other email-based attacks?
a) The email's headers
b) Embedded links in the email
c) Attachments to the email
d) The email signature block

38) Juliette wants to decrease the risk of embedded links in email. Which of the following solutions is the most common method for doing this?
a) Removing all links in email
b) Redirecting links in email to a proxy
c) Scanning all email using an antimalware tool
d) Using a DNS blackhole and IP reputation list

39) James wants to use an automated malware signature creation tool. What type of environment do tools like this unpack and run the malware in?
a) A sandbox
b) A physical machine
c) A container
d) A DMARC

40) Luis discovers the following entries in /var/log/auth.log. What is most likely occurring?
[image]
a) A user has forgotten their password.
b) A brute-force attack against the root account.
c) A misconfigured service.
d) A denial-of-service attack against the root account.

41) Singh wants to prevent remote login attacks against the root account on a Linux system. What method will stop attacks like this while allowing normal users to use SSH?
a) Add an iptables rule blocking root logins.
b) Add root to the sudoers group.
c) Change sshd_config to deny root login.
d) Add a network IPS rule to block root logins.

42) Azra's network firewall denies all inbound traffic but allows all outbound traffic. While investigating a Windows workstation, she encounters a script that runs the following command:
[image]
What does it do?
a) It opens a reverse shell for host 10.1.2.3 using netcat every Friday at 8:30 p.m.
b) It uses the AT command to dial a remote host via NetBIOS.
c) It creates an HTTPS session to 10.1.2.3 every Friday at 8:30 p.m.
d) It creates a VPN connection to 10.1.2.3 every five days at 8:30 p.m. GST.

43) While reviewing the auth.log file on a Linux system she is responsible for, Tiffany discovers the following log entries:
[image]
Which of the following has not occurred?
a) A user has attempted to reauthenticate too many times.
b) PAM is configured for three retries and will reject any additional retries in the same session.
c) Fail2ban has blocked the SSH login attempts.
d) Root is attempting to log in via SSH from the local host.

44) Naomi wants to analyze malware by running it and capturing what it does. What type of tool should she use?
a) A containerization tool
b) A virtualization tool
c) A sandbox tool
d) A packet analyzer

45) While reviewing logs from users with root privileges on an administrative jump box, Alex discovers the following suspicious command:
[image]
What happened?
a) The user set up a reverse shell running as example.zip.
b) The user set up netcat as a listener to push example.zip.
c) The user set up a remote shell running as example.zip.
d) The user set up netcat to receive example.zip.

46) Susan is hunting threats and performs the following query against her database of event logs. What type of threat is she looking for?
[image]
a) SSH
b) MySQL
c) RDP
d) IRC

47) Lukas wants to prevent users from running a popular game on Windows workstations he is responsible for. How can Lukas accomplish this for Windows workstations?
a) Using application allowlisting to prevent all prohibited programs from running.
b) Using Windows Defender and adding the game to the blocklist file.
c) Listing it in the Blocked Programs list via secpol.msc.
d) You cannot blocklist applications in Windows 10 without a third-party application.

48) Ian lists the permissions for a Linux file that he believes may have been modified by an attacker. What do the permissions shown here mean?
[image]
a) User chuck has read and write rights to the file; the Administrators group has read, write, and execute rights; and all other users only have read rights.
b) User admingroup has read rights; group chuck has read and write rights; and all users on the system can read, write, and execute the file.
c) User chuck has read, write, and execute rights on the file. Members of admingroup group can read and write to the file but cannot execute it, and all users on the system can read the file.
d) User admingroup has read, write, and execute rights on the file; user chuck has read and write rights; and all other users have read rights to the file.

49) While reviewing web server logs, Danielle notices the following entry. What occurred?
[image]
a) A theme was changed.
b) A file was not found.
c) An attempt to edit the 404 page.
d) The 404 page was displayed.

50) Melissa wants to deploy a tool to coordinate information from a wide range of platforms so that she can see it in a central location and then automate responses as part of security workflows. What type of tool should she deploy?
a) UEBA
b) SOAR
c) SIEM
d) MDR

51) While reviewing the Wireshark packet capture shown here, Ryan notes an extended session using the ESP protocol. When he clicks the packets, he is unable to make sense of the content. What should Ryan look for on the workstation with IP address 10.0.0.1 if he investigates it in person?
[image]
a) An encrypted RAT
b) A VPN application
c) A secure web browser
d) A base64-encoded packet transfer utility

52) While reviewing indicators of compromise, Dustin notices that notepad.exe has opened a listener port on the Windows machine he is investigating. What is this an example of?
a) Anomalous behavior
b) Heuristic behavior
c) Entity behavior
d) Known-good behavior

53) How does data enrichment differ from threat feed combination?
a) Data enrichment is a form of threat feed combination for security insights, focuses on adding more threat feeds together for a full picture, and removes third-party data to focus on core data elements rather than adding together multiple data sources.
b) Data enrichment uses events and nonevent information to improve security insights, instead of just combining threat information.
c) Threat feed combination is more useful than data enrichment because of its focus on only the threats.
d) Threat feed combination techniques are mature, and data enrichment is not ready for enterprise use.

54) Which of the following capabilities is not a typical part of a SIEM system?
a) Alerting
b) Performance management
c) Data aggregation
d) Log retention

55) Kathleen wants to verify on a regular basis that a file has not changed on the system that she is responsible for. Which of the following methods is best suited to this?
a) Use sha1sum to generate a hash for the file and write a script to check it periodically.
b) Install and use Tripwire.
c) Periodically check the MAC information for the file using a script.
d) Encrypt the file and keep the key secret so the file cannot be modified.

56) Alaina has configured her SOAR system to detect irregularities in geographical information for logins to her organization's administrative systems. The system alarms, noting that an administrator has logged in from a location that they do not typically log in from. What other information would be most useful to correlate with this to determine if the login is a threat?
a) Anomalies in privileged account usage
b) Time-based login information
c) A mobile device profile change
d) DNS request anomalies

57) Megan wants to check memory utilization on a macOS-based system. What Apple tool can she use to do this?
a) Activity Monitor
b) MemControl
c) Running memstat from the command line
d) Running memctl from the command line

58) Fiona is considering a scenario in which components that her organization uses in its software that come from public GitHub repositories are Trojaned. What should she do first to form the basis of her proactive threat-hunting effort?
a) Search for examples of a similar scenario.
b) Validate the software currently in use from the repositories.
c) Form a hypothesis.
d) Analyze the tools available for this type of attack.

59) Tracy has reviewed the CrowdStrike writeup for an APT group known as HELIX KITTEN, which notes that the group is known for creating “thoroughly researched and structured spear-phishing messages relevant to the interests of targeted personnel.” What types of defenses are most likely to help if she identifies HELIX KITTEN as a threat actor of concern for her organization?
a) DKIM
b) An awareness campaign
c) Blocking all email from unknown senders
d) SPF

60) Micah wants to use the data he has collected to help with his threat-hunting practice. What type of approach is best suited to using large volumes of log and analytical data?
a) Hypothesis-driven investigation
b) Investigation based on indicators of compromise
c) Investigation based on indications of attack
d) AI/ML-based investigation

61) Dani wants to analyze a malware package that calls home. What should she consider before allowing the malware to “phone home”?
a) Whether the malware may change behavior.
b) Whether the host IP or subnet may become a target for further attacks.
c) Attacks may be staged by the malware against other hosts.
d) All of the above.

62) As part of her threat-hunting activities, Olivia bundles her critical assets into groups. Why would she choose to do this?
a) To increase the complexity of analysis
b) To leverage the similarity of threat profiles
c) To mix sensitivity levels
d) To provide a consistent baseline for threats

63) Unusual outbound network traffic, abnormal HTML response sizes, DNS request anomalies, and mismatched ports for application traffic are all examples of what?
a) Threat hunting
b) SCAP
c) Indicators of compromise
d) Continuous threat feeds

64) Naomi wants to improve the detection capabilities for her security environment. A major concern for her company is the detection of insider threats. What type of technology can she deploy to help with this type of proactive threat detection?
a) IDS
b) UEBA
c) SOAR
d) SIEM

65) Ling wants to use her SOAR platform to handle phishing attacks more effectively. What elements of potential phishing emails should she collect as part of her automation and workflow process to triage and assign severity indicators?
a) Subject lines
b) Email sender addresses
c) Attachments
d) All of the above

66) Isaac wants to write a script to query the BotScout forum bot blocklisting service. What data should he use to query the service based on the following image?
[image]
a) Email address
b) Name
c) IP address
d) Date

67) Syslog, APIs, email, STIX/TAXII, and database connections are all examples of what for a SOAR?
a) IOCs
b) Methods of data ingestion
c) SCAP connections
d) Attack vectors

68) Yaan uses multiple data sources in his security environment, adding contextual information about users from Active Directory, geolocation data, multiple threat data feeds, as well as information from other sources to improve his understanding of the security environment. What term describes this process?
a) Data drift
b) Threat collection
c) Threat centralization
d) Data enrichment

69) Mila is reviewing feed data from the MISP open-source threat intelligence tool and sees the following entry:
[image]
How does the Reaver malware maintain persistence?
a) A blog post
b) Inserts itself into the Registry
c) Installs itself as a runonce key
d) Requests user permission to start up

70) Isaac's organization has deployed a security tool that learns how network users typically behave and then searches for differences that match attack behaviors. What type of system can automatically analyze this data to build detection capability like this?
a) Signature-based analysis
b) A Babbage machine
c) Machine learning
d) Artificial network analysis

71) What is the advantage of a SOAR system over a traditional SIEM system?
a) SOAR systems are less complex to manage.
b) SOAR systems handle large log volumes better using machine learning.
c) SOAR systems integrate a wider range of internal and external systems.
d) SOAR logs are transmitted only over secure protocols.

72) Fiona has continued her threat-hunting efforts and has formed a number of hypotheses. What key issue should she consider when she reviews them?
a) The number of hypotheses
b) Her own natural biases
c) Whether they are strategic or operational
d) If the attackers know about them

73) Nathan wants to determine which systems are sending the most traffic on his network. What low-overhead data-gathering methodology can he use to view traffic sources, destinations, and quantities?
a) A network sniffer to view all traffic
b) Implementing NetFlow
c) Implementing SDWAN
d) Implementing a network tap

74) Adam is reviewing a Wireshark packet capture in order to perform protocol analysis, and he notes the following data in the Wireshark protocol hierarchy statistics. What percentage of traffic is most likely encrypted web traffic?
[image]
a) 85.9 percent
b) 1.7 percent
c) 20.3 percent
d) 1.9 percent

75) Annie is reviewing a packet capture that she believes includes the download of malware. What host should she investigate further as the source of the malware based on the activity shown in the following image from her packet analysis efforts?
[image]
a) 172.17.8.8
b) 49.51.172.56
c) 172.17.8.172
d) 56.172.51.49

76) Steve uploads a malware sample to an analysis tool and receives the following messages:
[image]
If he wanted to observe the download behavior himself, what is the best tool to capture detailed information about what occurs?
a) An antimalware tool
b) Wireshark
c) An IPS
d) Network flows

77) Abdul is analyzing proxy logs from servers that run in his organization and notices two proxy log servers have entries for similar activities that always occur one hour apart from each other. Both proxy servers are in the same datacenter, and the activity is part of a normal evening process that runs at 7 p.m. One proxy server records the data at 7 p.m., and one records the entry at 6 p.m. What issue has Abdul likely encountered?
a) A malware infection emulating a legitimate process
b) An incorrect time zone setting
c) A flaw in the automation script
d) A log entry error

78) Eric is performing threat intelligence work and wants to characterize a threat actor that his organization has identified. The threat actor is similar to the group known as Anonymous and has targeted organizations for political reasons in the past. How should he characterize this threat actor?
a) Unwitting insiders
b) Unknown
c) APT
d) Hacktivist

79) What do DLP systems use to classify data and to ensure that it remains protected?
a) Data signatures
b) Business rules
c) Data egress filters
d) Data at rest

80) Benicio wants to implement a tool for all the workstations and laptops in his company that can combine behavioral detection attack indicators based on current threat intelligence with real-time visibility into the systems. What sort of tool should he select?
a) An IPS
b) An EDR
c) A CRM
d) A UEBA

81) Eric wants to analyze a malware binary in the safest way possible. Which of the following methods has the least likelihood of allowing the malware to cause problems?
a) Running the malware on an isolated VM
b) Performing dynamic analysis of the malware in a sandbox
c) Performing static analysis of the malware
d) Running the malware in a container service

82) Tom wants to improve his detection capabilities for his software-as-a-service (SaaS) environment. What technology is best suited to give him a view of usage, data flows, and other details for cloud environments?
a) EDR
b) CASB
c) IDS
d) SIEM

83) Juan wants to audit filesystem activity in Windows and configures Windows filesystem auditing. What setting can he set to know if a file was changed or not using Windows file auditing?
a) Set Detect Change
b) Set Validate File Versions
c) Set Audit Modifications
d) None of the above

84) Naomi wants to analyze URLs found in her passive DNS monitoring logs to find domain generation algorithm (DGA)–generated command-and-control links. What techniques are most likely to be useful for this?
a) WHOIS lookups and NXDOMAIN queries of suspect URLs
b) Querying URL allowlists
c) DNS probes of command-and-control networks
d) Natural language analysis of domain names

85) Kathleen wants to ensure that her team of security analysts sees important information about the security status of her organization whenever they log in to the SIEM. What part of a SIEM is designed to provide at-a-glance status information using the “single pane of glass” approach?
a) The reporting engine
b) Email reports
c) The dashboard
d) The ruleset

86) Lucca is reviewing bash command history logs on a system that he suspects may have been used as part of a breach. He discovers the following grep command run inside of the /users directory by an administrative user. What will the command find?
[image]
a) All occurrences of the sudo command on the system
b) All occurrences of root logins by users
c) All occurrences of the sudo command in bash log files in user home directories
d) All lines that do not contain the word sudo or bash.log in user directories

87) Cynthia wants to build scripts to detect malware beaconing behavior. Which of the following is not a typical means of identifying malware beaconing behavior on a network?
a) Persistence of the beaconing
b) Beacon protocol
c) Beaconing interval
d) Removal of known traffic

88) Eric has access to a full suite of network monitoring tools and wants to use appropriate tools to monitor network bandwidth consumption. Which of the following is not a common method of monitoring network bandwidth usage?
a) SNMP
b) Portmon
c) Packet sniffing
d) NetFlow

89) Kelly sees high CPU utilization in the Windows Task Manager, as shown here, while reviewing a system's performance issues. If she wants to get a detailed view of the CPU usage by application, with PIDs and average CPU usage, what native Windows tool can she use to gather that detail?
[image]
a) Resource Monitor
b) Task Manager
c) iperf
d) Perfmon

90) Roger's monitoring system provides Windows memory utilization reporting. Use the chart shown here to determine what actions Roger should take based on his monitoring.
[image]
a) The memory usage is stable and can be left as it is.
b) The memory usage is high and must be addressed.
c) Roger should enable automatic memory management.
d) There is not enough information to make a decision.
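Questions 1, 40 and 43 each hinge on reading /var/log/auth.log by eye: a sudo-to-root escalation, a password brute force against root, and PAM/sshd cutting a session off after too many retries. The following Python is an added example (not from the question set) that does the same reading mechanically over a constructed auth.log excerpt in Debian/Ubuntu syslog format. The hostnames, addresses, user names and the assumption that the log year is 2023 (syslog timestamps carry no year) are all constructed; the fix for question 41, `PermitRootLogin no` in sshd_config, is noted in a comment because it is what stops the pattern the brute-force check finds.

```python
"""Detections over /var/log/auth.log lines (sudo escalation, root brute force,
MaxAuthTries exhaustion). Added example; SAMPLE_AUTH_LOG is constructed."""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_AUTH_LOG = """\
Sep  4 09:12:01 web01 sshd[2301]: Failed password for root from 203.0.113.9 port 51122 ssh2
Sep  4 09:12:03 web01 sshd[2301]: Failed password for root from 203.0.113.9 port 51122 ssh2
Sep  4 09:12:05 web01 sshd[2301]: Failed password for root from 203.0.113.9 port 51122 ssh2
Sep  4 09:12:05 web01 sshd[2301]: error: maximum authentication attempts exceeded for root from 203.0.113.9 port 51122 ssh2 [preauth]
Sep  4 09:12:05 web01 sshd[2301]: Disconnecting authenticating user root 203.0.113.9 port 51122: Too many authentication failures [preauth]
Sep  4 09:12:07 web01 sshd[2305]: Failed password for root from 203.0.113.9 port 51130 ssh2
Sep  4 09:12:09 web01 sshd[2305]: Failed password for root from 203.0.113.9 port 51130 ssh2
Sep  4 09:12:11 web01 sshd[2305]: Failed password for root from 203.0.113.9 port 51130 ssh2
Sep  4 09:13:40 web01 sshd[2350]: Failed password for bob from 198.51.100.7 port 40022 ssh2
Sep  4 09:15:44 web01 sshd[2400]: Accepted publickey for alice from 192.0.2.5 port 40210 ssh2: ED25519 SHA256:0000000000000000000000000000000000000000000
Sep  4 09:16:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Sep  4 09:16:02 web01 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
Sep  4 09:16:30 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
FAILED_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
PAM_MAX_RE = re.compile(r"maximum authentication attempts exceeded|Too many authentication failures")
# Commands that turn a sudo invocation into an interactive root shell (sudo -i / -s log as the shell).
SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/bash", "/bin/su", "/usr/bin/su"}


def parse_auth_log(text, year=2023):
    """Split syslog lines into records. `year` is an assumption: the format has none."""
    records = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} " + re.sub(r"\s+", " ", m["ts"]), "%Y %b %d %H:%M:%S")
        records.append({"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]})
    return records


def sudo_events(records):
    """Every sudo invocation: who, as whom, what (question 1's evidence)."""
    events = []
    for r in records:
        m = SUDO_RE.match(r["msg"]) if r["prog"] == "sudo" else None
        if m:
            events.append({"ts": r["ts"], "user": m["user"], "target": m["target"],
                           "tty": m["tty"], "cmd": m["cmd"]})
    return events


def root_shell_escalations(records):
    """sudo invocations that yield an interactive root shell rather than one command."""
    return [e for e in sudo_events(records)
            if e["target"] == "root" and e["cmd"].split()[0] in SHELLS]


def failed_root_logins(records, threshold=5, window_seconds=60):
    """Question 40: sources with >= threshold failed root passwords inside any window.
    (Question 41: `PermitRootLogin no` in sshd_config makes these impossible.)"""
    by_ip = defaultdict(list)
    for r in records:
        m = FAILED_RE.match(r["msg"]) if r["prog"] == "sshd" else None
        if m and m["user"] == "root":
            by_ip[m["ip"]].append(r["ts"])
    offenders = {}
    for ip, times in by_ip.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):          # two-pointer sliding window
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            offenders[ip] = best
    return offenders


def pam_lockouts(records):
    """Question 43: sshd ending the session once MaxAuthTries is exhausted."""
    return [r for r in records if r["prog"] == "sshd" and PAM_MAX_RE.search(r["msg"])]


if __name__ == "__main__":
    recs = parse_auth_log(SAMPLE_AUTH_LOG)
    print("root shells via sudo:", root_shell_escalations(recs))
    print("root brute force:", failed_root_logins(recs))
    print("lockouts:", [r["msg"] for r in pam_lockouts(recs)])
```

On the sample this reports alice opening a root shell with `sudo` at 09:16:02, 203.0.113.9 failing root's password six times in ten seconds, and the two sshd lines that record the MaxAuthTries cutoff; bob's single failure stays below the threshold.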
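Question 87 lists the usual handles on beaconing (persistence, protocol, interval, and removal of known traffic) and question 93 asks which device feature helps find it. The following Python is an added example, not code from the question set: it runs an interval-regularity check over constructed flow records, first dropping destinations on a known-good list so that legitimately periodic traffic (here an internal NTP server) does not drown the result. All hosts, ports, timings and the known-good list are constructed.

```python
"""Beacon detection from flow records by interval regularity.

Added example. build_sample_flows() fabricates (ts, src, dst, dport, bytes)
tuples; in practice these come from NetFlow/IPFIX or a firewall log.
"""
import statistics
from collections import defaultdict

# Constructed: an internal NTP server, periodic by design and therefore expected.
KNOWN_GOOD = {("192.0.2.123", 123)}


def build_sample_flows():
    flows = []
    # 1. Beacon: ~300 s interval with a few seconds of jitter, near-constant size.
    t = 1000
    flows.append((t, "10.0.0.23", "203.0.113.50", 443, 412))
    for j in (3, -2, 4, 0, -4, 2, 1, -3, 2, -1, 3):
        t += 300 + j
        flows.append((t, "10.0.0.23", "203.0.113.50", 443, 412 + abs(j)))
    # 2. NTP: perfectly periodic (64 s) but legitimate; should be filtered out.
    for i in range(10):
        flows.append((500 + 64 * i, "10.0.0.23", "192.0.2.123", 123, 48))
    # 3. Browsing: bursty, irregular timing and sizes.
    for ts, nbytes in ((1010, 5200), (1015, 18400), (1300, 900), (1302, 44100),
                       (1303, 2100), (2200, 7300), (2201, 64000), (3100, 1500), (3890, 9800)):
        flows.append((ts, "10.0.0.23", "198.51.100.10", 443, nbytes))
    return sorted(flows)


def detect_beacons(flows, min_connections=6, max_jitter_ratio=0.05, known_good=KNOWN_GOOD):
    """Flag (src, dst, dport) tuples whose inter-connection gaps are nearly constant.

    Regularity is median absolute deviation of the gaps divided by their
    median; a ratio near 0 means a fixed timer, a ratio near 1 means noise.
    """
    groups = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        if (dst, dport) in known_good:      # "removal of known traffic"
            continue
        groups[(src, dst, dport)].append((ts, nbytes))

    hits = []
    for (src, dst, dport), conns in groups.items():
        if len(conns) < min_connections:    # persistence: enough repeats to judge
            continue
        conns.sort()
        gaps = [b[0] - a[0] for a, b in zip(conns, conns[1:])]
        median = statistics.median(gaps)
        if median <= 0:
            continue
        mad = statistics.median([abs(g - median) for g in gaps])
        ratio = mad / median
        if ratio <= max_jitter_ratio:
            hits.append({
                "src": src, "dst": dst, "dport": dport,
                "connections": len(conns), "interval": median,
                "jitter_ratio": round(ratio, 3),
                "size_stdev": round(statistics.pstdev([n for _, n in conns]), 1),
            })
    return hits


if __name__ == "__main__":
    for h in detect_beacons(build_sample_flows()):
        print(h)
```

With the default list the only hit is 10.0.0.23 to 203.0.113.50:443, twelve connections a median 301 s apart with a jitter ratio under 0.01; passing `known_good=set()` makes the NTP flow surface as well, which is the false positive the known-traffic step exists to suppress. The size standard deviation is reported because a beacon's check-ins are typically the same few hundred bytes, a second signal worth thresholding on real data.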
91) NIST defines five major types of threat information in NIST SP 800-150, “Guide to Cyber Threat Information Sharing”:
1. Indicators, which are technical artifacts or observables that suggest an attack is imminent, currently underway, or compromise may have already occurred.
2. Tactics, techniques, and procedures that describe the behavior of an actor.
3. Security alerts like advisories and bulletins.
4. Threat intelligence reports that describe actors, systems, and information being targeted and the methods being used.
5. Tool configurations that support collection, exchange, analysis, and use of threat information.
Which of these should Frank seek out to help him best protect the midsize organization he works for against unknown threats?
a) 1, 2, and 5
b) 1, 3, and 5
c) 2, 4, and 5
d) 1, 2, and 4

92) Deepa is diagnosing major network issues at a large organization and sees the following graph in her PRTG console on the “outside” interface of her border router. What can Deepa presume has occurred?
[image]
a) The network link has failed.
b) A DDoS is in progress.
c) An internal system is transferring a large volume of data.
d) The network link has been restored.

93) Angela wants to use her network security device to detect potential beaconing behavior. Which of the following options is best suited to detecting beaconing using her network security device?
a) Antivirus definitions
b) File reputation
c) IP reputation
d) Static file analysis

94) A server in the datacenter that Chris is responsible for monitoring unexpectedly connects to an offsite IP address and transfers 9 GB of data to the remote system. What type of monitoring should Chris enable to best assist him in detecting future events of this type?
a) Flow logs with heuristic analysis
b) SNMP monitoring with heuristic analysis
c) Flow logs with signature-based detection
d) SNMP monitoring with signature-based detection

95) While reviewing his network for rogue devices, Dan notes that for three days a system with MAC address D4:BE:D9:E5:F9:18 has been connected to a switch in one of the offices in his building. What information can this provide Dan that may be helpful if he conducts a physical survey of the office?
a) The operating system of the device
b) The user of the system
c) The vendor that built the system
d) The type of device that is connected

96) While checking for bandwidth consumption issues, Bohai uses the ifconfig command on the Linux box that he is reviewing. He sees that the device has sent less than 4 GB of data, but his network flow logs show that the system has sent more than 20 GB. What problem has Bohai encountered?
a) A rootkit is concealing traffic from the Linux kernel.
b) Flow logs show traffic that does not reach the system.
c) ifconfig resets traffic counters at 4 GB.
d) ifconfig only samples outbound traffic and will not provide accurate information.

97) Vlad believes that an attacker may have added accounts and attempted to obtain extra rights on a Linux workstation. Which of the following is not a common way to check for unexpected accounts like this?
a) Review /etc/passwd and /etc/shadow for unexpected accounts.
b) Check /home/ for new user directories.
c) Review /etc/sudoers for unexpected accounts.
d) Check /etc/group for group membership issues.

98) Ben wants to coordinate with other organizations in the information security community to share data and current events as well as warnings of new security issues. What type of organization should he join?
a) An ISAC
b) A CSIRT
c) A VPAC
d) An IRT

99) While investigating a spam email, Adam is able to capture headers from one of the email messages that was received. He notes that the sender was Carmen Victoria Garci. What facts can he gather from the headers shown here?
[image]
a) Victoria Garci's email address is tntexpress819@yahoo.com.
b) The sender sent via Yahoo.
c) The sender sent via a system in Japan.
d) The sender sent via Gmail.

100) After submitting a suspected malware package to VirusTotal, Damian receives the following results. What does this tell Damian?
[image]
a) The submitted file contains more than one malware package.
b) Antivirus vendors use different names for the same malware.
c) VirusTotal was unable to specifically identify the malware.
d) The malware package is polymorphic, and matches will be incorrect.
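Questions 35 and 97 both come down to comparing the account database of a possibly compromised Linux host with what it should contain: new entries in /etc/passwd, a second UID 0 account, a service account whose shell was switched from nologin to a real shell, and new members of the sudo or wheel group. The following Python is an added example, not code from the question set: it diffs a baseline snapshot of /etc/passwd and /etc/group against the current copies and returns typed findings. Both snapshots are constructed; the baseline would in practice come from a golden image, configuration management, or a Tripwire-style integrity store.

```python
"""Account audit: baseline vs. current /etc/passwd and /etc/group.

Added example. The four snapshots below are constructed; on a real host read
the files with open("/etc/passwd").read() etc.
"""

BASE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Constructed "after compromise" copy: daemon got a login shell and a second
# UID 0 account named support appeared.
CUR_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
support:x:0:0::/home/support:/bin/bash
"""

BASE_GROUP = """\
root:x:0:
sudo:x:27:alice
users:x:100:alice
"""

CUR_GROUP = """\
root:x:0:
sudo:x:27:alice,support
users:x:100:alice
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """name -> {uid, gid, home, shell}; the password field is always 'x' when shadow is in use."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_group(text):
    """name -> {gid, members}; members is the comma list of supplementary members."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = {"gid": int(gid), "members": {m for m in members.split(",") if m}}
    return groups


def audit_accounts(base_passwd, cur_passwd, base_group, cur_group, admin_groups=("sudo", "wheel")):
    """Return (finding_type, account) pairs; an empty list means no drift."""
    base, cur = parse_passwd(base_passwd), parse_passwd(cur_passwd)
    findings = []
    for name in sorted(set(cur) - set(base)):
        findings.append(("added_account", name))
    for name in sorted(set(base) - set(cur)):
        findings.append(("removed_account", name))
    for name, u in sorted(cur.items()):
        if u["uid"] == 0 and name != "root":
            findings.append(("extra_uid0", name))          # any UID 0 login is root
        if name in base:
            if base[name]["shell"] in NOLOGIN_SHELLS and u["shell"] not in NOLOGIN_SHELLS:
                findings.append(("shell_enabled", name))   # service account made interactive
            if base[name]["uid"] != u["uid"]:
                findings.append(("uid_changed", name))
    bg, cg = parse_group(base_group), parse_group(cur_group)
    for g in admin_groups:
        before = bg.get(g, {"members": set()})["members"]
        after = cg.get(g, {"members": set()})["members"]
        for member in sorted(after - before):
            findings.append(("added_to_" + g, member))   # new sudo/wheel member
    return findings


if __name__ == "__main__":
    for kind, who in audit_accounts(BASE_PASSWD, CUR_PASSWD, BASE_GROUP, CUR_GROUP):
        print(f"{kind:16s} {who}")
```

Against the constructed snapshots this reports `support` as a new account, as an extra UID 0 account and as a new sudo member, and `daemon` as a service account that acquired a shell. The UID 0 and shell checks run over the whole current file, not just the diff, so they also catch an account that was quietly edited rather than added.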
