QUESTION 1
While performing a dynamic analysis of a malicious file, a security analyst notices that the memory address changes every time the process runs. Which of the following controls is most likely preventing the analyst from finding the proper memory address of the piece of malicious code?
A. Address space layout randomization
B. Data execution prevention
C. Stack canary
D. Code obfuscation
Correct Answer: A
QUESTION 2
An analyst discovers unusual outbound connections to an IP that was previously blocked by the web proxy and firewall, Upon further investigation, it appears that the proxy and firewall rules that were in place were removed by a service account that is not recognized. Which of the following parts of the Cyber Kill Chain does this describe?
A. Delivery
B. Command and control
C. Reconnaissance
D. Weaponization
Correct Answer: B
QUESTION 3
An analyst receives an alert that malware was detected on a system responsible for a critical function. Which of the following is the most likely reason to delay remediation efforts?
A. Business process interruption
B. Legal hold
C. Legacy system
D. Patch availability
Correct Answer: A
QUESTION 4
A security analyst observes a high volume of SYN flags from an unexpected source toward a web application server within one hour. The traffic is not flagging for any exploit signatures. Which of the following scenarios best describes this activity?
A. A legitimate connection is continuously attempting to establish a connection with a downed web server.
B. A script kiddie is attempting to execute a DDoS through a ping flood attack.
C. An attacker is executing reconnaissance activities by mapping which ports are open and closed.
D. A web exploit attempt is likely occurring and the security analyst is not seeing it.
Correct Answer: C
QUESTION 5
A DevOps analyst implements a webhook to trigger code vulnerability scanning for submissions to the repository. Which of the following is the primary benefit of this enhancement?
A. To increase coverage by making the process occur automatically with uploads
B. To create a single pane of glass dashboard for the vulnerability management process
C. To include a threat feed component into the software development life cycle
D. To employ data enrichment for new code commits to enhance project documentation
Correct Answer: A
QUESTION 6
A security analyst is scanning an ICS host (192.168.1.5) in an industrial plant for insecure ports while minimizing the impact to uptime or performance. Which of following commands should the analyst use to perform the task?
A. nmap 192.168.1.5 -T1 -P 21
B. nmap 192.168.1.5 -T2 -P 3389
C. nmap 192.168.1.5 -T3 -P 22
D. nmap 192.168.1.5 -T5 -P 80
Correct Answer: A
QUESTION 7
A security operations analyst observes an attacker scanning network ports and systems. Which of the following describes this phase of the Cyber Kill Chain?
A. Reconnaissance
B. Exploitation
C. Installation
D. Weaponization
E. Actions on objectives
Correct Answer: A
QUESTION 8
A security team needs to demonstrate how prepared the team is in the event of a cyberattack. Which of the following would best demonstrate a real-world incident without impacting operations?
A. Review lessons-learned documentation and create a playbook.
B. Gather all internal incident response party members and perform a simulation.
C. Deploy known malware and document the remediation process.
D. Schedule a system recovery to the DR site for a few applications
Correct Answer: B
QUESTION 9
After several tabletop exercises, the cybersecurity team is underperforming against MTTR and MTTD. Which of the following would help the team achieve improved performance?
A. Alert volume
B. Impact analysis
C. Lessons learned
D. Compensating controls
Correct Answer: C
QUESTION 10
Which of the following best describes the reason a root cause analysis is an important part of the incident response process?
A. Compliance teams can be legally required to conduct a post-incident root cause analysis to satisfy regulatory requirements.
B. Response teams can use the analysis to isolate a system while the incident is ongoing to prevent further contamination.
C. The organization can use the results of the analysis to provide stakeholders with assurances that customer data was not disclosed.
D. The leadership team can better allocate resources to address systemic issues that span multiple groups in an organization.
Correct Answer: C
QUESTION 11
Which of the following groups should the security team notify first if employee personally identifiable information (PII) is leaked?
A. All affected employees
B. The human resources department
C. The legal team
D. The public relations department
Correct Answer: C
QUESTION 12
Which of the following is used to help centrally display certain metrics and usage reports from various tools and applications?
A. Infrastructure as code (IaC)
B. Playbook
C. Dashboard
D. Webhooks
Correct Answer: C
QUESTION 13
A security operations center (SOC) manager makes significant updates to the incident response plan and wants to test these updates with all stakeholders collaboratively. Which of the following is the best way to accomplish this task?
A. Red-teaming event
B. Tabletop exercise
C. Security awareness training
D. Penetration test
Correct Answer: B
QUESTION 14
A security analyst is conducting a vulnerability assessment of a company’s online store. The analyst discovers a critical vulnerability in the payment processing system that could be exploited, allowing attackers to steal customer payment information. Which of the following should the analyst do next?
A. Leave the vulnerability unpatched until the next scheduled maintenance window to avoid potential disruption to business.
B. Perform a risk assessment to evaluate the potential impact of the vulnerability and determine whether additional security measures are needed.
C. Ignore the vulnerability since the company recently passed a payment system compliance audit.
D. Isolate the payment processing system from production and schedule for reimaging.
Correct Answer: B
QUESTION 15
A security analyst receives an alert that a user has rejected a multifactor authentication (MFA) push notification. The analyst reviews the log entry and the events that surround it. Which of the following should the analyst look for first?
A. Increased network activity for the user’s host
B. Unusual source IP addresses for the user’s login attempt
C. The last password change date for the user
D. Recent Domain Name Service (DNS) queries the user has made
Correct Answer: B
QUESTION 16
Which of the following best describes why operational technology (OT) devices use compensating controls?
A. Industrial control systems use significant network bandwidth.
B. Outage windows are usually scheduled.
C. Traditional IT security solutions may not be compatible.
D. OT devices are typically not encrypted.
Correct Answer: C
QUESTION 17
A new security operations center (SOC) manager joins a team that struggles to meet service-level agreements (SLAs). The alert backlog continues to increase daily. Which of the following will the manager most likely need to do?
A. Automate escalation.
B. Improve the triage processes.
C. Upgrade threat intelligence.
D. Enhance the customer service response.
Correct Answer: B
QUESTION 18
An organization has issues with too many individuals participating in each incident response. Which of the following concepts is the best way to determine the level of involvement for a given incident?
A. Severity
B. Phone tree
C. On-call rotation
D. Data type
Correct Answer: A
QUESTION 19
An analyst is configuring a security information and event management system to capture fileless malware execution events. Which of the following log files requires additional configuration to accomplish this task?
A. Microsoft-Windows-Crypto-DPAPI/Operational
B. Microsoft-Windows-PowerShell/Operational
C. Microsoft-Windows-UserPnp/DeviceInstall
D. Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
Correct Answer: B
QUESTION 20
Which of the following are the most relevant factors related to vulnerability management reporting and communication within an organization?
A. Risk assessment, asset inventory, business impact analysis, and business continuity plans
B. Patch availability, mean time to remediate, dependencies, and disaster recovery plans
C. False-positive rates, alert volume and characteristics, mean time to detect, and skills inventory
D. Risk severity levels, timelines, dependencies, and remediation ownership
Correct Answer: D
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.