QUESTION 141
Which option describes indicators of attack?
A. virus detection by the AV software
B. spam emails on an employee workstation
C. malware reinfection within a few minutes of removal
D. blocked phishing attempt on a company
Correct Answer: C
QUESTION 142
Why should an engineer use a full packet capture to investigate a security breach?
A. It reconstructs the event allowing the engineer to identify the root cause by seeing what took place during the breach.
B. It provides the full TCP streams for the engineer to follow the metadata to identify the incoming threat
C. It captures the TCP flags set within each packet for the engineer to focus on suspicious packets to identify malicious activity.
D. It collects metadata for the engineer to analyze, including IP traffic packet data that is sorted, parsed, and indexed.
Correct Answer: A
QUESTION 143
A SOC analyst detected connections to known C&C and port scanning activity to main HR database servers from one of the HR endpoints, via Cisco StealthWatch. What are the two next steps of the SOC team according to the NIST.SP800-61 incident handling process? (Choose two.)
A. Provide security awareness training to HR managers and employees.
B. Block connection to this C&C server on the perimeter next-generation firewall.
C. Isolate affected endpoints and take disk images for analysis.
D. Update antivirus signature databases on affected endpoints to block connections to C&C.
E. Detect the attack vector and analyze C&C connections.
Correct Answer: BC
QUESTION 144
What matches the regular expression c(rgr)+e?
A. crgrrgre
B. c(rgr)e
C. ce
D. crgr+e
Correct Answer: A
QUESTION 145
Which action matches the weaponization step of the Cyber Kill Chain model?
A. Construct the appropriate malware and deliver it to the victim.
B. Test and construct the appropriate malware to launch the attack.
C. Scan a host to find open ports and vulnerabilities.
D. Research data on a specific vulnerability.
Correct Answer: B
QUESTION 146
Which technique is a low-bandwidth attack?
A. phishing
B. social engineering
C. session hijacking
D. evasion
Correct Answer: D
QUESTION 147
According to CVSS, what is a description of the attack vector score?
A. It depends on how many physical and logical manipulations are possible on a vulnerable component.
B. The metric score will be larger when a remote attack is more likely.
C. The metric score will be larger when it is easier to physically touch or manipulate the vulnerable component.
D. It depends on how far away the attacker is located and the vulnerable component.
Correct Answer: B
QUESTION 148
After a large influx of network traffic to externally facing devices, a security engineer begins investigating what appears to be a denial of service attack. When the packet capture data is reviewed, the engineer notices that the traffic is a single SYN packet to each port. Which type of attack is occurring?
A. traffic fragmentation
B. host profiling
C. port scanning
D. SYN flood
Correct Answer: D
QUESTION 149
What is the communication channel established from a compromised machine back to the attacker?
A. IDS evasion
B. port scanning
C. command and control
D. man-in-the-middle
Correct Answer: C
QUESTION 150
What is the difference between a threat and an exploit?
A. An exploit is caused by misconfiguration, and the threat can be any vulnerability.
B. An exploit is an attack vector for a threat actor, and the threat is a possibility of the attack
C. A threat is a vulnerability, and an exploit is a weakness in the system.
D. A threat is a possibility of attack, and the exploit is an attack that takes advantage of a particular vulnerability.
Correct Answer: D
QUESTION 151
An engineer is working on a ticket for an incident from the incident management team. A week ago, an external web application was targeted by a DDoS attack. Server resources were exhausted and after two hours, it crashed. An engineer was able to identify the attacker and technique used. Three hours after the attack, the server was restored and the engineer recommended implementing mitigation by Blackhole filtering and transferred the incident ticket back to the IR team. According to NIST.SP800-61, at which phase of the incident response did the engineer finish work?
A. post-incident activity
B. preparation
C. containment, eradication, and recovery
D. detection and analysis
Correct Answer: C
QUESTION 152
What is the purpose of command and control for network-aware malware?
A. It takes over the user account for analysis.
B. It controls and shuts down services on the infected host.
C. It contacts a remote server for commands and updates.
D. It helps the malware to profile the host
Correct Answer: C
QUESTION 153
What is the difference between attack surface and vulnerability?
A. A vulnerability describes how software or a system is exposed to potential attacks, and an attack surface is an actual weakness that exposesthe potential risk.
B. An attack surface is a way of taking advantage of a system or resource, and a vulnerability is a specific technique utilized by the vulnerability.
C. An attack surface describes how software or a system is exposed to potential attacks, and a vulnerability is an actual weakness that exposes the potential risk
D. A vulnerability is a way of taking advantage of a system or resource, and an attack surface is a specific technique utilized by the vulnerability.
Correct Answer: C
QUESTION 154
Endpoint logs indicate that a machine has obtained an unusual gateway address and unusual DNS servers via DHCP. Which type of attack is occurring?
A. man in the middle attack
B. evasion methods
C. command injection
D. phishing
Correct Answer: A
QUESTION 155
Which classification of cross-site scripting attack executes the payload without storing it for repeated use?
A. stored
B. reflective
C. DOM
D. CSRF
Correct Answer: C
QUESTION 156
Which process represents the application-level allow list?
A. allowing everything and denying specific applications protocols
B. allowing everything and denying specific executable files
C. allowing specific format files and deny executable files
D. allowing specific files and deny everything else
Correct Answer: D
QUESTION 157
Which two measures are used by the defense-in-depth strategy? (Choose two.)
A. Reduce the load on network devices.
B. Divide the network into parts.
C. Implement the patch management process.
D. Split packets into pieces.
E. Bridge the single connection into multiple.
Correct Answer: BC
QUESTION 158
What are two differences and benefits of packet filtering, stateful firewalling, and deep packet inspections? (Choose two.)
A. Stateful inspection is capable of TCP state tracking, and deep packet inspection checks only TCP source and destination ports.
B. Stateful inspection is capable of packet data inspections, and deep packet inspection is not.
C. Deep packet inspection is capable of malware blocking, and packet filtering is not.
D. Packet filtering is capable of UDP state monitoring only, and stateful inspection can provide monitoring of TCP sessions.
E. Deep packet inspection operates up to Layer 7, and packet filtering operates on Layer 3 and 4 of OSI model.
Correct Answer: CE
QUESTION 159
What is the virtual address space for a Windows process?
A. physical location of an object in memory.
B. set of pages that reside in the physical memory.
C. system-level memory protection feature built into the operating system.
D. set of virtual memory addresses that can be used.
Correct Answer: D
QUESTION 160
A user received an email attachment named “Hr-report-empl.exe” but did not run it. Which category of the cyber kill chain should be assigned to this type of event?
A. installation
B. weaponization
C. delivery
D. reconnaissance
Correct Answer: C
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.