QUESTION 141
A security analyst is trying to analyze a suspicious file and receives the following error message from a SOAR integration:
Submission error! Environment for behavior analysis unavailable.
Which of the following actions should the analyst perform to securely complete the analysis?
A. A manual upload to Joe Sandbox
B. A Python script to parse the file
C. A local installation of Immunity debugger
D. A new integration to a FIM solution
Correct Answer: A
QUESTION 142
An after-action review of a ransomware attack on a company identified deficiencies in responsiveness and consistency. Which of the following choices would best facilitate improvement of these deficiencies?
A. Leverage a SIEM.
B. Utilize threat intelligence sharing.
C. Source multiple threat feeds.
D. Implement SOAR.
Correct Answer: D
QUESTION 143
A web server and associated services cannot be upgraded due to a legacy application. The analyst determines it would be best to move the web server to a perimeter network subnet, apply geoblocking to the firewall, and require MFA for any administrative access on the web server. Which of the following best describes the approach the analyst is using to address the issue?
A. Compensating controls
B. Due diligence
C. Vulnerability management
D. Incident response
Correct Answer: A
QUESTION 144
Using open-source intelligence gathered from technical forums, a threat actor compiles and tests a malicious downloader to ensure that it will not be detected by the victim organization’s endpoint security protections. Which of the following stages of the cyber kill chain best aligns with the threat actor’s actions?
A. Delivery
B. Reconnaissance
C. Exploitation
D. Weaponization
Correct Answer: D
QUESTION 145
Which of the following can a software provider use to implement secure authentication and authorization mechanisms that leverage existing controls in-place on their customers’ environments?
A. SSO
B. SASE
C. PAM
D. CASB
Correct Answer: A
QUESTION 146
A security analyst gathers the following data while reviewing malicious messages that contributed to security issues last year:
1. Messages had a spam score between 3-4 out of 10.
2. Message validation checks show SPF: PASS, DKIM: PASS, DMARC:PASS.
3. WHOIS database shows that the domain was registered days before the attacks.
4. Messages were well-crafted to appear legitimate
Which of the following actions will best reduce the success rate of attacks while minimizing business impact? (Select two).
A. Implement geolocation restrictions that limit email access to known locations.
B. Include key partners and customers on a protection solution that detects look-alike registrations.
C. Configure the mail security solution to block messages with a lower spam score.
D. Share an allow list of senders with important users in the organization.
E. Increase security awareness training for employees with email access.
F. Enforce a consistent MFA policy across email users to validate access.
Correct Answer: BE
QUESTION 147
Which of the following stakeholders should be involved in developing the business continuity plan within an organization?
A. Senior executives
B. Everyone in the organization
C. Employees with specific roles in the organization
D. The incident response team
Correct Answer: C
QUESTION 148
A security analyst discovers multiple log entries from a recently acquired tool that was bundled as a YUM package. Those entries point to attempts of privilege escalation. Which of the following is the most likely explanation?
A. The package was modified during installation.
B. The package was missing critical DLL files.
C. The package got corrupted while being downloaded
D. The package was installed without a GPG check.
Correct Answer: D
QUESTION 149
A vulnerability scan shows no critical findings. Later in the day, another scan discovers critical vulnerabilities. Which of the following is the most likely reason for the different results?
A. The endpoints did not report accurate data because there were processing bandwidth issues.
B. The second scan had new plug-ins for recent exploits that were not included in the first scan.
C. The first scan was non-credentialed and, therefore, had less visibility into actual configurations.
D. The assets with critical vulnerabilities were offline and were not reviewed during the first scan.
Correct Answer: C
QUESTION 150
When undertaking a cloud migration of multiple SaaS applications, an organization’s systems administrators struggled with the complexity of extending identity and access management to cloud-based assets. Which of the following service models would have reduced the complexity of this project?
A. RADIUS
B. SDN
C. ZTNA
D. SWG
Correct Answer: C
QUESTION 151
Which of the following is the best option for an IT administrator to deploy to ensure standardized permissions to a cloud environment?
A. Automated onboarding tasks
B. Threat feed correlation
C. SaaS log enrichment
D. Zero Trust platform APIs
Correct Answer: D
QUESTION 152
Using open-source intelligence gathered from technical forums, a threat actor compiles and tests a malicious downloader to ensure that it will not be detected by the victim organization’s endpoint security protections. Which of the following stages of the Cyber Kill Chain best aligns with the threat actor’s actions?
A. Delivery
B. Reconnaissance
C. Exploitation
D. Weaponization
Correct Answer: D
QUESTION 153
To comply with regulatory requirements, the Chief Executive Officer (CEO) must lead the company through simulations to find which steps are missing in emergency situations or incident processes. Which of the following should the CEO do?
A. Implement the incident response plan.
B. Leverage the appropriate playbook.
C. Develop a business continuity plan.
D. Perform a tabletop exercise.
Correct Answer: D
QUESTION 154
Which of the following best explains the importance of effective customer communication during a data breach?
A. To ensure that customers receive detailed, technical explanations about how the breach occurred to prevent them from taking legal action
B. To demonstrate accountability and transparency, helping rebuild trust while providing customers with actionable steps to protect themselves
C. To shit focus from the organization’s internal failures to external factors, such as sophisticated attackers, to avoid reputational damage
D. To guarantee that affected customers do not terminate their relationships with the organization or switch to competitors
Correct Answer: B
QUESTION 155
A security analyst is investigating a group of SIEM alerts about the installation of a potentially unwanted program on multiple devices. Due to the number of alerts, the analyst is concerned that the program may not be safe. Which of the following actions should the analyst take to determine whether an incident is occuring?
A. Place the devices on an isolated VLAN with no external access.
B. Use packet captures to analyze traffic for communications to command-and-control destinations.
C. Run manual virus scans on all devices and quarantine any findings.
D. Reimage the devices immediately and instruct the users to avoid installing the program in the future.
Correct Answer: B
QUESTION 156
During the rollout of a patch to the production environment, it was discovered that required connections to remote systems are no longer possible. Which of the following steps would have most likely revealed this gap?
A. Implementation
B. Developmental testing
C. Validation
D. Rollback
Correct Answer: C
QUESTION 157
The architecture team has been given a mandate to reduce the triage time of phishing incidents by 20%. Which of the following solutions will most likely help with this effort?
A. Integrate a SOAR platform.
B. Increase the budget to the security awareness program.
C. Implement an EDR tool.
D. Install a button in the mail clients to report phishing.
Correct Answer: D
QUESTION 158
Which of the following is the appropriate phase in the incident response process to perform a vulnerability scan to determine the effectiveness of corrective actions?
A. Lessons learned
B. Reporting
C. Recovery
D. Root cause analysis
Correct Answer: D
QUESTION 159
An organization is preparing for a disaster recovery exercise. Which of the following actions should be implemented first?
A. Gather all internal stakeholders and review the actions according to the defined incident playbook.
B. Coordinate the supporting staff for the recovery process to ensure availability at the recovery site.
C. Ensure that the vendor for the disaster recovery site is scheduled to support the recovery.
D. Identify a business-critical system and test by failing over to the disaster recovery location.
Correct Answer: A
QUESTION 160
A security analyst discovers an LFI vulnerability that can be exploited to extract credentials from the underlying host. Which of the following patterns can the security analyst use to search the web server logs for evidence of exploitation of that particular vulnerability?
A. /etc/shadow
B. curl localhost
C. ; printenv
D. cat /proc/self/
Correct Answer: C
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.