QUESTION 181
A security program was able to achieve a 30% improvement in MTTR by integrating security controls into a SIEM. The analyst no longer had to jump between tools. Which of the following best describes what the security program did?
A. Data enrichment
B. Security control plane
C. Threat feed combination
D. Single pane of glass
Correct Answer: D
QUESTION 182
A security analyst needs to support an organization’s legal case against a threat actor. Which of the following processes provides the best way to assist in the prosecution of the case?
A. Chain of custody
B. Evidence gathering
C. Securing the scene
D. Forensic analysis
Correct Answer: A
QUESTION 183
After a series of UEBA alerts, a company’s soc observes an extended period of suspicious outbound traffic all with the same destination. Which of the following steps of the Cyber Kill Chain has this attack completed?
A. Weaponization
B. Command and control
C. Reconnaissance
D. Exploitation
Correct Answer: B
QUESTION 184
Which of the following best defines “risk appetite” in regards to vulnerabilities and risks in a report?
A. A key factor that helps an organization determine if a vulnerability management process is a financially supportable business expense
B. An organization’s understanding and acceptance of the likelihood and impact of a specific threat on its systems or networks
C. The amount and kind of damage an organization is willing to accept in its information systems environment
D. An organization’s ability to withstand the effects of any events that adversely affect its business assets
Correct Answer: C
QUESTION 185
A threat intelligence analyst is updating a document according to the MITRE ATT&CK framework. “The malicious actor will attempt to achieve unauthorized access to the vulnerable system.” The analyst detects the following behavior from a malicious actor: In which of the following phases should the analyst include the detection?
A. Procedures
B. Techniques
C. Tactics
D. Subtechniques
Correct Answer: C
QUESTION 186
Which of the following does a security policy do?
A. Establishes a cost model for security activity
B. Identifies and clarifies security goals and objectives
C. Enables management to define system access rules
D. Allows management to define system recovery requirements
Correct Answer: B
QUESTION 187
Which of the following is the best reason an organization would mandate a security awareness program?
A. To prevent attackers from sending phishing emails
B. To train users on how to use application features on a computer
C. To certify each employee attended training related to their job duties
D. To protect the business and help employees understand threats
Correct Answer: D
QUESTION 188
An e-commerce organization recently experienced a cyberattack. During a lessons learned meeting, a cybersecurity analyst requests that the RTO is prioritized. Which of the following is the greatest concern?
A. Integrity
B. Availability
C. Non-repudiation
D. Confidentiality
Correct Answer: B
QUESTION 189
A SOC analyst observes reconnaissance activity from an IP address. The activity follows a pattern of short bursts toward a low number of targets. An open-source review shows that the IP has a bad reputation. The perimeter firewall logs indicate the inbound traffic was allowed. The destination hosts are high-value assets with EDR agents installed. Which of the following is the best action for the SOC to take to protect against any further activity from the source IP?
A. Add the IP address to the EDR deny list.
B. Create a SIEM signature to trigger on any activity from the source IP subnet detected by the web proxy or firewalls for immediate notification.
C. Implement a prevention policy for the IP on the WAF
D. Activate the scan signatures for the IP on the NGFWs.
Correct Answer: A
QUESTION 190
A user’s computer is performing slower than the day before, and unexpected windows continually open and close. The user did not install any new programs, and after the user restarted the desktop, the issue was not resolved. Which of the following incident response actions should be taken next?
A. Restart in safe mode and start a virus scan.
B. Disconnect from the network and leave the PC turned on.
C. Contain the device and implement a legal hold.
D. Reformat and reimage the OS.
Correct Answer: B
QUESTION 191
A user receives an email from a client that contains a link to a secure email platform. The prompt instructs users to register for an account and create a new password. The user is expecting sensitive documents from the client. However, the client usually sends password-protected files in an encrypted email. Which of the following is most likely occurring?
A. An organization is conducting a monthly phishing email test.
B. A hacker is trying to gain access through links that will redirect to command-and-control sites.
C. The user’s encryption failed to meet the client’s standards.
D. A credential harvesting campaign is underway via social engineering tactics.
Correct Answer: D
QUESTION 192
Which of the following best describes the benefit of implementing a PAM solution?
A. Measuring and validating the integrity of the database
B. Controlling and monitoring the use of administrative accounts
C. Storing and protecting PKI certificate private keys
D. Configuring and enforcing password complexity requirements
Correct Answer: D
QUESTION 193
Which of the following are process improvements that can be realized by implementing a SOAR solution? (Select two).
A. Minimize security attacks.
B. Itemize tasks for approval.
C. Reduce repetitive tasks.
D. Minimize setup complexity.
E. Define a security strategy.
F. Generate reports and metrics.
Correct Answer: CF
QUESTION 194
An analyst finds that duplicate entries may exist in the asset inventory, which is skewing vulnerability scan data. Which of the following is the best way for the analyst to improve the effectiveness of the vulnerability scan?
A. Device fingerprinting
B. Network mapping
C. Uncredentialed reports
D. Dynamic scans
Correct Answer: A
QUESTION 195
Which of the following explains the reason a security analyst would map an attack route?
A. To find critical paths that can be used to stop an adversary from advancing
B. To create an inventory of all IT assets to import into a database
C. To operationalize intelligence gathered from a previous step in the investigation
D. To categorize the tactics according to the MITRE ATT&CK framework
Correct Answer: A
QUESTION 196
Several incidents have occurred with a legacy web application that has had little development work completed. Which of the following is the most likely cause of the incidents?
A. Misconfigured web application firewall
B. Data integrity failure
C. Outdated libraries
D. Insufficient logging
Correct Answer: C
QUESTION 197
A company received a shipment of new network switches. Immediately after installing the switches, a security analyst notices suspicious traffic coming from one of the new switches. Which of the following best describes the threat actor?
A. Insider threat
B. Supply chain
C. Nation-state
D. Organized crime
Correct Answer: B
QUESTION 198
A systems administrator needs to gather security events with repeatable patterns from Linux log files. Which of the following would the administrator most likely use for this task?
A. A regular expression in Bash
B. Filters in the vi editor
C. Variables in a PowerShell script
D. A playbook in a SOAR tool
Correct Answer: A
QUESTION 199
A security analyst finds an application that cannot enforce the organization’s password policy. An exception is granted. As a compensating control, all users must confirm that their passwords comply with the organization’s policy. Which of the following types of compensating controls is the organization using?
A. Corrective
B. Managerial
C. Technical
D. Detective
Correct Answer: B
QUESTION 200
An organization wants to establish a disaster recovery plan for critical applications that are hosted on premises. Which of the following is the first step to prepare for supporting this new requirement?
A. Choose a vendor to utilize for the disaster recovery location.
B. Establish prioritization of continuity from data and business owners.
C. Negotiate vendor agreements to support disaster recovery capabilities.
D. Advise the leadership team that a geographical area for recovery must be defined.
Correct Answer: B
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.