QUESTION 21
Which of the following uses simulated traffic to a website to evaluate performance?
A. Log analysis
B. War gaming
C. Synthetic monitoring
D. Packet inspection
Correct Answer: C
QUESTION 22
Which of the following is a reason an executive summary is important for incident response communication?
A. It uses quantifiable metrics to identify the root cause
B. It is a concise way for the leadership team to understand the event.
C. It is included as part of privacy disclosure statements.
D. It provides a detailed explanation of the incident.
Correct Answer: B
QUESTION 23
A security operations (SOC) manager develops response mechanisms as part of playbook development efforts. The SOC manager needs to accomplish the following:
1. Document adversarial activities.
2. Map adversarial activities to a linear progression of sequential phases.
3. Provide broad coverage of threat actions without addressing specific tactics, techniques, and procedures (TTPs).
Which of the following is the most reliable source for this information?
A. MITRE ATT&CK
B. Cyber COBRA
C. Diamond Model of Intrusion Analysis
D. Cyber Kill Chain
Correct Answer: D
QUESTION 24
An analyst prepares an after action report following an incident in which multiple systems were compromised over several days. The analyst provides raw event logs from each compromised system in the report and determines that a patient-zero system cannot be found. Which of the following should the analyst do to determine the patient-zero system?
A. Establish an accurate timeline of events.
B. Enable monitoring on the compromised systems.
C. Isolate the compromised systems before remediation.
D. Improve the content for incident updates during shift handoff.
E. Perform a reverse composition analysis on malware packages.
Correct Answer: A
QUESTION 25
After a risk assessment, a server was found hosting a vulnerable legacy system that has the following characteristics:
1. There is no patch or official fix available from the vendor.
2. There is no official support provided by the vendor.
3. Customers consider the system mission critical.
Which of the following actions will best decrease the risk posed by the legacy system?
A. Decommission the server immediately and find a new solution to replace the legacy system.
B. Implement firewall rules to block inbound connections and allow outbound traffic.
C. Install and configure a web application firewall tailored to the legacy server.
D. Apply compensating controls, including isolation, restricted access, and continuous monitoring.
Correct Answer: D
QUESTION 26
After conducting a risk analysis, a company decides to purchase cybersecurity insurance. Which of the following is this type of risk management strategy?
A. Avoidance
B. Acceptance
C. Mitigation
D. Transference
Correct Answer: D
QUESTION 27
During an incident handoff, an analyst receives a significant number of small artifacts. The analyst must verify artifact integrity before processing. The Chief Information Security Officer is requesting an update before the end of the day. Which of the following will best accomplish this task?
A. RACE Integrity Primitives Evaluation Message Digest 160 (RIPEMD-160)
B. Secure Hash Algorithm 1 (SHA-1)
C. Secure Hash Algorithm 256 (SHA-256)
D. Message Digest 5 (MD5)
Correct Answer: C
QUESTION 28
Which of the following activities should an organization perform to mitigate and manage an ongoing security incident? (Select two).
A. Conduct impact analysis.
B. Define roles and responsibilities.
C. Conduct a legal hold.
D. Initiate the Cyber Kill Chain.
E. Preserve evidence.
F. Conduct an after action review.
Correct Answer: AC
QUESTION 29
An incident response team identifies a malicious uniform resource locator (URL) associated with a required business process and performs the following activities:
1. Access to the URL has been restricted only to the necessary users through firewall rules and Cloud Security Group rules.
2. Additional monitoring has been enabled for traffic related to that site and the allowed users.
3. All application servers that need to access that site have been patched with the latest security and software updates.
4. Application owners have been notified of the severity and need to remediate this reported issue.
Which of the following best describes the overall mitigation the security team is performing?
A. Patching solutions
B. Configuration management
C. Compensating controls
D. Attack surface management
Correct Answer: C
QUESTION 30
Which of the following explains the importance of a root cause analysis during the post-incident phase?
A. Helping understand events related to the incident and finding the right tools to respond properly
B. Providing information for making decisions related to the event and helping define new playbooks for future exercises
C. Discovering what triggered the event in order to plan for further improvements and proper mitigation
D. Supporting the hypothesis creation process that will guide the investigation procedure through each phase
Correct Answer: C
QUESTION 31
Which of the following describes decoy data in real applications?
A. Data tokenization
B. Non-production devices
C. Sandbox accounts
D. Cyber deception
Correct Answer: D
QUESTION 32
A security analyst identifies a device on which different malware was detected multiple times even after the systems were scanned and cleaned several times. Which of the following actions would be most effective to ensure the device does not have residual malware?
A. Update the device and scan offline in safe mode.
B. Replace the hard drive and reimage the device.
C. Upgrade the device to the latest OS version.
D. Download a secondary scanner and rescan the device.
Correct Answer: B
QUESTION 33
A security analyst is identifying vulnerabilities in laptops. Users often take their laptops out of the office while traveling, and the vulnerabity scan metrics are inaccurate. Which of the following changes should the analyst propose to reduce the MTTD to fewer than four days?
A. Deploy agents to all endpoints to scan daily for vulnerabilities.
B. Configure the network vulnerability scan job to use credentials.
C. Change the vulnerability scanner configuration to perform network scans more than once per day.
D. Increase the scan maximum running time to four days to walt for missing endpoints.
Correct Answer: A
QUESTION 34
Which of the following activities during the preparation phase of the incident response process supports the detection phase?
A. Planning to help identify potential incidents
B. Defining types of communication to make reporting easier
C. Stakeholder identification to determine which solution to apply
D. Tuning the tools to eliminate excessive false positives
Correct Answer: D
QUESTION 35
During an incident response, an analyst discovers artifacts important to the investigation. These artifacts may need to be processed by law enforcement at a later time. Which of the following is the most important when handling the artifacts?
A. The artifacts must be immediately handed over to law enforcement officials to pursue legal action.
B. The artifacts must be preserved in their original state and maintained with a chain of custody.
C. The artifacts must be dissected as soon as possible to continue incident response operations.
D. The artifacts must be immedlately removed because they may be malicious and hindering recovery efforts.
Correct Answer: B
QUESTION 36
A security analyst is implementing a vulnerabiity scanning tool with new methodologies and processes. After tuning and rescanning, a large number of vulnerabities stil exist. The team verifies that the findings do not contain any false positives. Which of the following will best help with prioritization?
A. Provide a list of the top ten vulnerabilities.
B. Implement a bug bounty program.
C. Determine which security gaps are exploitable.
D. Perform a penetration test.
Correct Answer: C
QUESTION 37
Which of the following incident response processes should be applied to initially notify a leadership team?
A. Regulatory reporting
B. Post-incident reporting
C. Incident handover
D. Incident escalation
Correct Answer: D
QUESTION 38
A security analyst reruns infrastructure as code (IaC) to tear down and rebuild a new environment after a ransomware attack. Which of the following describes this phase?
A. Analysis
B. Post-incident
C. Detection
D. Containment
E. Recovery
Correct Answer: E
QUESTION 39
A security program was able to achieve a 30% improvement in MTTR by integrating security controls into a SIEM. The analyst no longer has to jump between tools. Which of the following best describes what the security program did?
A. Data enrichment
B. Security control plane
C. Threat feed combination
D. Single pane of glass
Correct Answer: D
QUESTION 40
The vulnerability management team must scan the cloud environment to establish security baselines. Which of the following assessment tools should the team use to perform this task?
A. Metasploit
B. Prowler
C. Maltego
D. Caldera
Correct Answer: B
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.