CYSA**
A large oil filter manufacturer for mid-size sedans has noticed an unusual amount of network traffic leaving their systems to unfamiliar IP addresses. Upon further investigation, they discover that a group of attackers has been using a combination of spear-phishing emails and malware to infiltrate their network and exfiltrate sensitive data. The attackers are highly skilled and have been able to evade detection by traditional security measures. What type of attack is this an example of?
ATP
A cybersecurity analyst reviews the output of a web vulnerability assessment. The analyst notices some irregularities in the system and needs to determine the cause. Which of the following indicators should they focus on?
Abnormal operating system process behavior
A security analyst is investigating potential malicious activity associated with an IP address. Which of the following resources can the analyst use to gather information about the reputation of the IP address and determine if there are previous reports of malicious activities associated with it?
AbuseIPDB
A security analyst has identified a critical vulnerability in a server used by the company's finance department. What Common Vulnerability Scoring System (CVSS) metric is primarily affected by this finding?
Affected hosts
The Chief Information Security Officer (CISO) at XYZ Corporation received a legal request to preserve an employee's data under investigation for insider trading. The CISO has to ensure that the data is preserved and kept under legal hold until the company concludes its investigation. Which of the following is true regarding chain of custody in the scenario?
Chain of custody is the documentation of evidence movement from one person to another, including who had custody of the evidence, when and why they transferred it, and what they did with it.
The Chief Information Security Officer (CISO) of a large financial institution has tasked the security operations team with verifying the integrity of the data after receiving a report of potential data corruption and preserving any evidence related to the incident. Which techniques should the security operations team use to preserve data integrity during an investigation?
Hashing
A security analyst is evaluating the company's vulnerability management program in a mixed infrastructure environment. Which of the following infrastructure models requires the analyst to consider multiple environments when understanding vulnerability scoring concepts?
Hybrid cloud
Which of the following are the objectives of the Open Source Security Testing Methodology Manual (OSSTMM) and actions related to incident response and management? (Select the three best options.)
Identifying assets and critical systems; Evaluating network security; Conducting vulnerability assessments
An IT security administrator has the responsibility to identify all known web vulnerabilities. To accomplish this task, determine the best tool the administrator needs for identifying SQL injections and cross-site scripting vulnerabilities.
Nikto scanner
A security analyst identified a critical security incident on the company's network. The analyst believes the incident could impact the company's systems and data confidentiality, integrity, and availability. What should be the immediate next step for the security analyst
Notify the company's executive management team
A security administrator wants to scan the company's network for vulnerabilities. Which of these scanners is an open-source software developed from the Nessus codebase
OPenVAS
A large financial institution tasked its security analyst with ensuring the security of the institution's web applications. The analyst decides to use both the Open Source Security Testing Methodology Manual (OSSTMM) and the Open Web Application Security Project (OWASP) testing guide to conduct his security assessments. Which statements best describe why the analyst would use OSSTMM and the OWASP Testing Guide
OSSTMM and OWASP testing guide have a complementary relationship. OSSTMM provides a broad approach to security testing, while the OWASP Testing Guide provides specific guidance for web application security testing
The cybersecurity team at a large online retail organization, which uses various operating systems, applications, and hardware devices, is responsible for configuring these systems securely to prevent potential security breaches. As part of their investigations, they come across a framework for process improvement that helps organizations streamline and optimize their processes to deliver better products and services. Which option focuses on a community-driven approach to software security and helps organizations improve their security plan initiatives and meet compliance standards?
OWASP
A security analyst reviews logs from a compromised system and needs to extract relevant information efficiently and process large volumes of text data. Which programming language or technique is the best option for the analyst to use?
Python
A security administrator is reviewing the company's vulnerability reports and notices a continuing issue with outdated software on employee workstations. The administrator considers implementing a new process for vulnerability reporting and is looking for best practices. What is a common approach for maximizing the effectiveness of this practice?
Recurrence
A small business wants to identify, assess, and prioritize adverse events by filtering out data that isn't critically important. Which aspect of threat intelligence data should the cyber security team of the business maximize to handle these events and reduce the likelihood and impact of cyber-attacks?
Relevancy
A company's security operations team discovered that a malicious actor had compromised a workstation. The actor gained access through a phishing email. The team decided that remediation and re-imaging were necessary to remove the threat and prevent further damage. What is the difference between remediation and re-imaging in response to a malware attack in security operations?
Remediation involves removing the malware from the infected endpoint, while re-imaging involves wiping and reinstalling the operating system and applications.
The CIO (Chief Information Officer) for a modular dog furniture startup receives a report that an advanced persistent threat (APT) has compromised the startup's mail servers. What should be the CIO's top priority for preventing future incidents?
Reviewing the company's SLOs and incident response plan to ensure they are in keeping with industry best practices
A security administrator is conducting a vulnerability scan using Nessus on a Windows host. The scan results indicate that the system is vulnerable to the MS15-034 exploit. What is the best way to remediate this vulnerability?
Run Windows Update and ensure it is properly scheduled
Many industries use automated systems to manage the control of machinery and equipment, which is critical to a company's safety, productivity, and efficiency. What technology governs whole process automation systems?
SCADA
A security analyst is investigating an incident and needs to identify possible malicious activity within the network. Which technology should the analyst focus on to better manage network traffic and dynamically configure security policies?
SDN
A security administrator is conducting a digital forensic investigation for a company that suspects an employee has been stealing proprietary data. The administrator has found evidence on the employee's work computer that could be used in a legal case against the employee. What next step should the security administrator take in handling this evidence?
Secure the evidence and notify the legal department
A large tech company wants to design and implement secure systems and applications resilient to cyber-attacks. Which cybersecurity process should the company follow to implement secure features into its products and service
Security engineering
A major financial company is establishing a new IT security team to comply with legal and regulatory requirements for its environment. What frameworks and measures should the IT security team implement to ensure compliance and meet these regulations? (Select the three best options.)
Security framework; Controls checklist; Security framework
An IT team is struggling to manage its security and network infrastructure. They deployed multiple security tools and platforms, each with its own dashboard and management interface. This has made it difficult to fully understand their security posture. What technology can the team use to alleviate this issue?
Single pane of glass
An organization uses multiple security tools to protect its network, including SIEM, IDS, and firewalls. However, they need help managing these tools separately and would like a way to view all security data comprehensively. What technology or concept would allow them to achieve this goal?
Single pane of glass
A security analyst is using Burp Suite to analyze a web application's security. The analyst is running a vulnerability scan and notices that the scan has identified several injection vulnerabilities. Which Burp Suite feature can the analyst use to exploit these vulnerabilities?
Sniper
A gray hat hacker who desires to be ethical has discovered a critical vulnerability that could potentially compromise a glass bottle manufacturing company's user data. What should the gray hat hacker do next?
Submit the findings to the company's bug bounty program
A major retail corporation has outsourced a significant portion of its IT infrastructure to a third-party vendor. While the vendor's services have been effective, the corporation discovered that the vendor suffered a data breach. Which type of cybersecurity threat should the corporation prepare to possibly face?
Supply chains
A company's compliance team has identified a security vulnerability in the organization's network. The team has presented this finding to the risk management team, who, in turn, creates a response plan to address the vulnerability. What is the next best step in the process based on this scenar
The governance team approves and codifies the response plan in policy documents.
A company wants to automate its log aggregation and analysis procedures to increase efficiency and reduce errors. What is the underlying reason this process is suitable for automation?
The process is repeatable and does not require human interaction.
A security analyst has identified a potential incident involving unauthorized access to an organization's database. What aspect of the incident should the analyst focus on when determining the scope of the incident?
The type of access gained
A company implements a new security protocol that requires employees to use a two-factor authentication process to log into the system. However, one employee frequently forgets their password and shares it with colleagues. Which type of threat does this employee pose to the company's cybersecurity?
Unintentional insider threat
A supervisor tasked a security administrator with monitoring network activity on a subnet. Specifically, the supervisor is interested in all DNS requests incoming to the Windows Server 2016 domain controller on the domain controller's eth0 interface. What tool will provide the best results in accomplishing this task?
Wireshark
A security analyst is working with a company to mitigate the risk of successful attacks on their web application. The web application communicates with other systems using XML data. Which controls should the analyst recommend to ensure the integrity and confidentiality of the transmitted XML data?
XML Encryption and XML Signature
Political slogans have defaced the website of a large petroleum corporation. A group claiming to be responsible has posted a manifesto of their beliefs and reason for the attack. Upon further investigation, the system administrator discovers that the group used a simple SQL injection attack to gain access to the website's content management system. What type of attacker is most likely responsible for this attack?
hackvist
A security analyst is reviewing the results of a vulnerability scan on the company's network. They notice that there is an unusual amount of activity on unexpected ports and a high processor consumption on some devices. Which of the following vulnerability scanning methods would be the most effective in further investigating these issues?
host based
A security analyst is investigating a series of cyberattacks on their organization. They suspect the threat actors use a specific method to maintain communication with the compromised systems. Which method do the threat actors most likely use to control the systems?
C2
A security analyst needs to investigate a potential security incident on their network. They collected log data from several sources, including one threat intelligence source and their IDS. However, they need additional information to determine the scope and severity of the incident. What technology can automatically add relevant context to the raw log data
Data enrichment
A security team is analyzing their system and network architecture to improve their security posture. In the context of a potential security incident, which aspect should the team prioritize to effectively detect and respond to various types of unauthorized access to critical systems?
Analyzing anomalies in network traffic
A financial institution wants to take a proactive approach to potential cyber threats to its systems and data. However, despite the intensity of cyber attacks against the institution, cybersecurity analysts are having a hard time detecting any indicators of compromise in their security information and event management (SIEM) in the first place. Which of the following reasons is the LEAST likely to blame for this issue?
Application
A company has tasked a security administrator with configuring a vulnerability scanner to perform regular scans of its network. What should the administrator consider when performing vulnerability scans from a performance perspective? (Select the two best options.)
Authentication Identification of operating system
A security analyst is reviewing web vulnerability assessment output and needs to identify anomalies that indicate a possible data exfiltration attempt. Which activity would be most useful for detecting this type of behavior?
Beaconing
A large grass seed corporation wants to proactively monitor for potential cyber threats to its grass seed total management system containing customer payment information, the company's own bank accounts, and all historical orders. Which type of threat hunting focus area does this most closely represent
Business-critical assets and processes
A security analyst is looking to improve the company's vulnerability scanning methods. They are considering different options that will achieve better results. What is the most effective option for the security analyst to perform vulnerability scanning across the organization's infrastructure?
Cloud-based vulnerability scanning
A security administrator uses Arachni, an open-source web scanner application, to scan a web application for vulnerabilities. What type of vulnerabilities does this application actively test?
Code injection, SQL injection, XSS, CSRF, and others
During an incident response, a security analyst identified a suspicious log entry on a server that may be related to a security incident. How should the analyst analyze the log data?
Comparing log data from multiple sources
A paintbrush bristle supply company has a business-critical web server running old software on the internal network. Despite available updates, the new software versions would not communicate with the rest of the company's IT ecosystem. What type of controls should the company consider implementing to address this issue?
Compensating
An index-card marketing companys' login portal encounters a computer attempting to log in to the system administrator's web portal account. The portal then compares the username and hash of the user's password to the known credentials in its database. What is the login portal attempting to accomplish?
Conduct authentication activities
A mid-sized stuffed pumpkin manufacturer has hired a penetration testing consulting firm to conduct penetration testing on their network. As the penetration testing team begins testing, they notice DNS records pointing to public-facing devices for the manufacturer that they were not previously aware of. What should be their next step?
Conduct edge discovery to identify other potential targets and vulnerabilities
During a security breach, a security administrator identifies the stakeholders affected by the incident. What next step should the administrator take to ensure effective communication with the stakeholders?
Develop a communication plan based on stakeholder needs and interests
A security analyst has identified a compromised system on the network and needs to take action to prevent further damage. The analyst has decided to implement compensating controls to limit the potential damage. Which of the following is an example of a compensating control that the analyst could implement to prevent further damage to the compromised system while limiting the impact to normal operations?
Disabling the compromised system's network adapter
Which of the following tools is best suited for detecting and responding to advanced cyber threats on host devices that traditional antivirus solutions might miss?
EDR
A systems engineer hardens a system as a precaution from malicious port scans and probes. Which type of malicious activity does the engineer consider while hardening the systems?
External
What type of vulnerability scan focuses on the target from the outside of the network, broadly referring to the Internet?
External
Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) are essential security tools that detect malicious traffic, anomalous behavior, and network attacks. Which of the following statements about true negatives and false negatives within a network IPS/IDS is correct? (Select the three best options.)
False positives can be generated when performing vulnerability scans; True negative occurs when an IPS/IDS identifies normal traffic as normal; False negative occurs when an IPS/IDS identifies malicious traffic as normal.
An organization is reviewing its incident response plan and wants to improve its overall security posture by streamlining the authentication process for its employees during a security incident. Which of the following approaches can help achieve this goal without compromising security?
Federation
A large company has just undergone a series of layoffs, and several employees have lost their jobs. One of the disgruntled laid-off employees feels the company treated them unfairly. Which threat is this former employee most likely to pose to the company's cybersecurity?
Intentional insider threat
A security analyst at a large financial institution has recently received a report from the security operations center (SOC) team that indicates that there has been an increase in the number of incidents related to malware. The analyst is concerned about these incidents' impact on the organization. How does an indicator of compromise (IoC) primarily impact the organization's security operations?
It indicates that a security breach or malicious activity may have occurred.
A security administrator has identified a critical vulnerability in a computer system. The security administrator knows that they can fix the vulnerability by applying a patch but are hesitant. What could be the possible inhibitor to vulnerability remediation in this scenario?
Legacy systems
A security analyst validates a vulnerability by exploiting it. Which tool can best accomplish this task?
MSF
A security engineer utilizes the Common Vulnerability Scoring System (CVSS) to identify and calculate the likelihood of an exploit on a server. Several users log in locally to the server in question. Which metrics concern does the security engineer have when considering logon account properties? (Select the two best options.)
Privileges, Interaction
A security analyst has identified a critical vulnerability in the company's web server. The analyst was able to fix the vulnerability within 2 hours. What does this 2-hour time period represent?
Mean time to respond
A cloud operations engineer monitors and maintains visibility into an organization's serverless architecture. The engineer needs to ensure that the system is functioning optimally and efficiently. What action would be most helpful for the engineer to achieve this goal?
Monitor system processes
A security team is working to maintain operational visibility during a security incident involving potential indicators of compromise on a critical system. To effectively respond to the situation, what should be the primary focus of the team's investigation?
Monitoring and analyzing anomalous activity
A cybersecurity analyst needs to recommend a solution to detect ongoing attacks involving unauthorized data transfers to rogue devices within the company's network. Which control would be the most effective in identifying such attacks?
Monitoring irregular peer-to-peer communication
A large military contractor has recently experienced a series of cyber attacks targeting their systems, resulting in the theft of sensitive military technology. Upon investigation, the network administrator discovered that the attackers used highly sophisticated methods and had access to significant resources. What type of attacker is most likely responsible for this breach?
Nation State
Which of the following security control categories is primarily handled by people rather than systems?
Operational
An organization moves computing resources to the cloud. A team of security consultants performs penetration tests on a newly established install of AWS virtual machine instances. Which resource does the team deploy to gain unauthorized access to these cloud resource
PACU
A company experienced a security incident and has completed its incident response activities, including lessons-learned meetings. What post-incident activity should they perform next to determine the primary reason for the incident and improve future incident response?
Perform a root cause analysis
A Chief Executive Officer (CEO) receives an email that appears to be from the Chief Operations Officer (COO) discussing quarterly reports. The email includes a link to a nonsuspicious-looking website that allows unauthenticated persons to leave comments at the bottom of the form. One of the comments, in non-visible text, includes a Javascript code snippet and link <script src=https://totallylegitwebsite.com/notmalicious.js></script>. What kind of attack is this?
Persistent XSS
What is the most important consideration for sandboxing activities?
Physical or logical isolation of the sandbox host from the main network
A security analyst has identified a compromised system on the network and needs to take action to prevent further damage. The analyst has decided to implement compensating controls to limit the potential damage. After implementing compensating controls, the security analyst wants to isolate the compromised system from the network for further analysis. Which of the following is the best approach for isolating the system?
Physically disconnecting the system from the network
A security analyst wants to automate scanning new applications for vulnerabilities as they are connected to the network but does not want to add an entirely new software solution. Which solution should they consider to achieve this goal?
Plugins
A small company recently experienced a cyberattack. The attackers have accessed sensitive company data and have caused significant damage to the network. The company has an incident response plan and a business continuity/disaster recovery plan in place, but the company has not tested the plan in a real-world scenario. What best practice should a cyber security analyst use to ensure an incident response plan is effective for a real-world scenario?
Test the plan on a regular basis and update it as necessary
The lead security administrator of a diploma manufacturing and distribution company has discovered a vulnerability in the company's ordering software. Luckily, the software vendor has come out with a patch. The administrator would like to start work on this effort during the upcoming maintenance window. What is the best way to ensure that the patch does not cause any unintended consequences or disruptions to the system?
Testing
A cybersecurity analyst who works for a large corporation has been analyzing a recent cyber attack that targeted his company's network. The analyst is using both the Cyber Kill Chain and Open Source Security Testing Methodology Manual (OSSTMM) frameworks to analyze the attack. What is the main difference between the Cyber Kill Chain and OSSTMM frameworks in incident response and management?
The Cyber Kill Chain focuses on identifying and analyzing the stages of a cyber attack, while OSSTMM focuses on assessing the maturity level of an organization's security practices.
A security analyst who has discovered a data breach in an organization's network identified the source of the attack and now must remediate the issue. What is the best course of action for the analyst to take to remediate the issue?
The analyst should patch the affected system to prevent the vulnerability from being exploited again.
A company has a service-level agreement (SLA) with a third-party vendor for hosting its website. The SLA specifies that the vendor will maintain 99.9% uptime for the website. The vendor experiences a system outage that causes the website to be unavailable for several hours, resulting in a breach of the SLA. What is the most likely consequence of this breach
The company and vendor must renegotiate the service-level agreement (SLA) to address the breach.
A financial institution has recently experienced a cyber attack that has compromised sensitive customer data. The IT security team is investigating the incident using the cyber kill chain and MITRE Attack frameworks. Which of the following statements accurately describes the cyber kill chain and MITRE Attack frameworks?
The cyber kill chain focuses on identifying and analyzing the stages of a cyber attack, while MITRE ATT&CK focuses on the tactics, techniques, and procedures (TTPs) used by attackers.
A large corporation recently experienced a cyber attack, and the security team must analyze the incident and determine the appropriate response. They are using the Diamond Model of Intrusion Analysis and the cyber kill chain as part of the investigation. What is the difference between the Diamond Model of Intrusion Analysis and the cyber kill chain?
The cyber kill chain focuses on the stages of an attack, while the Diamond Model focuses on the tactics the attacker used.
A company's security team reviews its security policies and procedures to ensure they align with the company's current needs. What is the most likely reason for this review?
To adapt to changing business requirements
A company experiences a security incident where an attacker stole sensitive information from their servers. The incident response team investigates the issue and performs a root cause and forensic analysis to determine how the breach occurred and what data was affected. What can the company gain by performing a root cause analysis during this incident response?
To identify areas for improvement in the incident response plan
A large retail company recently experienced a security breach that resulted in the theft of customer data. The company decided to task a team with reviewing lessons learned from the recent breach. Why should the team review the lessons learned after the security incident?
To identify areas for improvement in the incident response plan
A security analyst working for a large financial institution became concerned about a security incident that could compromise sensitive customer information. As part of the incident response process, their team conducted a tabletop exercise. What is the primary objective for the team conducting a tabletop exercise?
To identify areas for improvement in the incident response plan
A breach occurred in a company's customer database due to an insider threat. The incident response team has concluded its investigation and is moving on to the lessons learned phase. The team is meeting with staff to review the incident and its response. What is the purpose of this meeting?
To improve procedures for incident response
Why are discovery scans useful for security teams, and how do they differ from fingerprint scans and network scans?
To locate rogue devices like employee equipment or IoT
A company has just discovered a breach in its network and is conducting an investigation. They collected all relevant data and logs and are preparing to analyze them. The company implemented a legal hold for this data during the response. What is the purpose of this legal hold during the incident response?
To prevent the accidental or intentional alteration or deletion of data that may be relevant to the investigation
A large retail company notified its incident response team in response to a recent security incident. The team then activated the incident response plan (IRP) and business continuity plan (BCP). After they resolved the incident, they conducted a lessons-learned review. What is the purpose of an incident response plan (IRP) and business continuity plan (BCP) in cybersecurity incident response and management?
To provide a step-by-step guide on how to respond to a security incident and ensure the continuity of critical business functions
A security analyst has just completed a vulnerability scan and identified several critical vulnerabilities that require immediate remediation. The report includes recommended mitigations, such as installing patches and reconfiguring settings. What is the purpose of these recommended mitigations?
To provide specific steps to address vulnerabilities
A security analyst investigates a potential intrusion into their organization's network. Which step involves the analyst using the Diamond Model of Intrusion Analysis to analyze the intrusion event?
Track the attacker's activity across the cyber kill chain and identify the attacker's tactics, techniques, and procedures
An animal shelter's web application allows users to schedule appointments to visit pets for adoption. The application runs on outdated software and represents a security risk, but the software is also critical for the animal shelter's operations. The animal shelter decides to obtain third-party cybersecurity insurance for the software. What kind of risk response does this represent?
Transference
A security administrator uses Maltego for an investigation and wants to identify relationships among different entities. What feature of Maltego would the administrator use
Transform
An onion processing factory has asked a facility security officer to implement a system or procedure that will regulate personnel entrance to a facility. Which of the following is a suitable control for this situation?
Turnstiles
A security administrator reviews a vulnerability report for the company's network infrastructure. What are the best practices for vulnerability reporting? (Select the three best options.)
Using appropriate tools to identify reporting needs and selecting the best tools for those needs; Developing policies and procedures for generating vulnerability reports on a regular schedule;; Using automation to make the process more consistent, reliable, efficient, and easy to maintain
A security analyst is evaluating the company's infrastructure to optimize security operations. How can the analyst best improve the company's security operations?
Utilize virtualization
A security analyst suspects a file on a company's server may be malicious. To determine if the file is known to be malicious or safe, which of the following tools would be most appropriate for the analyst to use?
Virus Total
A security team wants to automate its incident response process and ensure its systems receive real-time notifications of security events from other systems. Which technology would allow the team to achieve this goal?
Webhooks
A silicon valley-based technology startup recently suffered a cyber-attack targeting key intellectual property and defacing the company website, painting an impolite mustache on the picture of the CEO's face. The CEO is enraged and directs the cybersecurity team to 'hit the attackers hard!' What process is the CEO directing the cybersecurity team to undertake?
active defense
A government bureau experienced a major cyber attack that compromised its systems and data and need to respond quickly to recover from the incident. Which external organization can assist the bureau with incident response and handling?
cert
