QUESTION 61
A large load of data is being transferred to an external destination via UDP 53 port. Which obfuscation technique is used?
A. DNS tunneling
B. C&C connection
C. data masking
D. proxied traffic
Correct Answer: A
QUESTION 62
Which regular expression matches loopback IP address (127.0.0.1)?
A. &127%0%0%1
B. 127[.0.].0.1
C. 127.0.0.1
D. %127.0.0.1%
Correct Answer: C
QUESTION 63
An analyst see that this security alert “Default-Botnet-Communication-Detection-By-Endpoint” has been raised from the IPS. The analyst checks and finds that an endpoint communicates to the C&C. How must an impact from this event be categorized?
A. false negative
B. true positive
C. true negative
D. false positive
Correct Answer: B
QUESTION 64
What is the role of indicator of compromise in an investigation?
A. It helps answer the question of why the attack took place.
B. It is nonforensic data, which is easy to detect.
C. It describes what and why something happened.
D. It identifies potentially malicious activity on a system or network.
Correct Answer: D
QUESTION 65
What is a difference between intrusion rule-based detection and behavioral detection systems?
A. Rule-based detection is more efficient in detecting malware and other unknown threats due to its signatures.
B. Rule-based detection is vulnerable to encrypted traffic data bypass, and behavioral is not.
C. Behavioral detection uses attributes like source and destination IP addresses.
D. Behavioral detection uses IOCs, and rule-based detection uses Al and machine learning.
Correct Answer: B
QUESTION 66
Which management concept best describes developing, operating, maintaining, upgrading, and disposing of all resources?
A. asset
B. configuration
C. vulnerability
D. patch
Correct Answer: A
QUESTION 67
What is a difference between rule-based and role-based access control mechanisms?
A. Role-based are efficient in small workgroups, and rule-based are preferred in time-defined workgroups.
B. Rule-based are simple and easy to execute, and role-based are well-defined.
C. Rule-based are less granular, and role-based have time constraints.
D. Role-based are an appropriate choice in geographically diverse workgroups, and rule-based are for simply structured workgroups.
Correct Answer: B
QUESTION 68
An engineer received a ticket to investigate a potentially malicious file detected by a malware scanner that was trying to execute multiple commands. During the initial review, the engineer discovered that the file was created two days prior. Further analyses show that the file was downloaded from a known malicious domain after a successful phishing attempt on an asset owner. At which phase of the Cyber Kill Chain was this attack mitigated?
A. delivery
B. reconnaissance
C. exploitation
D. installation
Correct Answer: D
QUESTION 69
According to CVSS, which condition is required for attack complexity metrics?
A. man-in-the-middle attack
B. complete loss of protection
C. attackers altering any file
D. total loss of availability
Correct Answer: A
QUESTION 70
What is a difference between a threat and a vulnerability?
A. A vulnerability is a risk of unauthorized actions from a threat actor, and the threat is the actions that malicious actors perform for privilege escalation.
B. A threat is a weakness in an asset that an engineer is trying to mitigate, and a vulnerability is an existing risk of possible damage or loss of data.
C. A threat is what an engineer is trying to protect an asset against, and a vulnerability is a weakness in an asset that an engineer is trying to mitigate.
D. A vulnerability is an asset without hardened protection, and a threat is a weakness that is open to attackers due to misconfiguration.
Correct Answer: C
QUESTION 71
A security analyst reviews the firewall and observes the large number of frequent events. The analyst starts the packet capture with the Wireshark and identifies that TCP port reuse was detected incorrectly as a TCP split-handshake attack by the firewall. How must an impact from this event be categorized?
A. true negative
B. true positive
C. false negative
D. false positive
Correct Answer: D
QUESTION 72
What are two differences in how tampered and untampered disk images affect a security incident? (Choose two.)
A. Untampered images are used in the security investigation process
B. Tampered images are used in the security investigation process
C. The image is tampered if the stored hash and the computed hash match
D. Tampered images are used in the incident recovery process
E. The image is untampered if the stored hash and the computed hash match
Correct Answer: BE
QUESTION 73
An OSINT team scans the target hosts, gathers information regarding the adversary online services, and equips the red team with the obtained information. Which step in the kill chain is this activity?
A. Weaponization
B. Delivery
C. Reconnaissance
D. Installation
Correct Answer: C
QUESTION 74
What is a comparison between rule-based and statistical detection?
A. Statistical is based on measured data while rule-based uses the evaluated probability approach.
B. Rule-based is based on assumptions and statistical uses data known beforehand.
C. Rule-based uses data known beforehand and statistical is based on assumptions.
D. Statistical uses the probability approach while rule-based is based on measured data.
Correct Answer: B
QUESTION 75
Which evasion method is being used when TLS is observed between two endpoints?
A. X.509 certificate authentication
B. traffic insertion
C. obfuscation
D. encryption
Correct Answer: D
QUESTION 76
An engineer must investigate suspicious connections. Data has been gathered using a tcpdump command on a Linux device and saved as sandboxmalware2022-12-22.pcaps file. The engineer is trying to open the tcpdump in the Wireshark tool. What is the expected result?
A. The tool does not support Linux.
B. The file is opened.
C. The file has an incorrect extension.
D. The file does not support the “-” character.
Correct Answer: C
QUESTION 77
A suspicious user opened a connection from a compromised host inside an organization. Traffic was going through a router and the network administrator was able to identify this flow. The admin was following 5-tuple to collect needed data. Which information was gathered based on this approach?
A. NAT
B. user name
C. direct path
D. protocol
Correct Answer: D
QUESTION 78
What is the difference between the ACK flag and the RST flag?
A. The ACK flag validates the next packets to be sent to a destination, and the RST flag is what the RST returns to indicate that the destination is reachable.
B. The RST flag establishes the communication, and the ACK flag cancels spontaneous connections that were not specifically sent to the expecting host.
C. The ACK flag validates the receipt of the previous packet in the stream, and the same session is being closed by the RST flag.
D. The RST flag identifies the connection as reliable and trustworthy within the handshake process, and the ACK flag prepares a response by opening a session between the source and destination.
Correct Answer: C
QUESTION 79
Which risk approach eliminates activities posing a risk exposure?
A. risk acknowledgment
B. risk avoidance
C. risk retention
D. risk reduction
Correct Answer: B
QUESTION 80
What is session data used for in network security?
A. It tracks cookies within each session initiated from user.
B. It contains the set of parameters used for fetching logs.
C. It is the transaction log between monitoring software.
D. It is the summary of the transmission between two network devices.
Correct Answer: D
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.