Chapter 8 and 9
Listen to simulation instructions You are the security analyst for a small corporate network. Recently, several of your computers were infected by a Trickbot virus. It appears they got the virus from a spreadsheet. Various versions of spreadsheets had different requests for the virus files from different servers. You are using Security Onion Hunter to analyze the attack. In this lab, your task is to: Log in to Security Onion and access Hunt.Security Onion server: 192.168.0.101Email address: [email protected]: password From Hunt:Examine the ET MALWARE Win32/Trickbot Data Exfiltration alert event.Answer Questions 1 and 2.Expand and examine the ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2 alert event.Answer Questions 3 and 4.Examine the ET USER_AGENTS Suspicious User-Agent (contains loader) alert event.Answer Question 5.Examine the ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response alert e
Access Security Onion.From the Favorites bar, select Google Chrome.In the address field, enter 192.168.0.101 and press Enter to access Security Onion.Log in to Security Onion using the following:Email address: [email protected]: passwordSelect LOGIN. Access Hunt.Select the hamburger menu and then click Hunt.Maximize the window for better viewing. Examine the ET MALWARE Win32/Trickbot Data Exfiltration alert event.Under Events, locate and expand the ET MALWARE Win32/Trickbot Data Exfiltration event.Examine the various fields, especially destination.geo.country_name and network.data.decoded.In the top right, select Answer Questions.Answer Questions 1 and 2. Expand and examine the ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2 alert event.Under Events, locate and expand the ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2 event.Examine the various fields, especially destination.port and network.data.decoded.In the top right, select Answer Questions.Answer Questions 3 and 4. Examine the ET USER_AGENTS Suspicious User-Agent (contains loader) alert event.Under Events, expand the ET USER_AGENTS Suspicious User-Agent (contains loader) event.Examine the various fields, especially network.data.decoded.Answer Question 5. Examine the ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response alert event.Under Events, expand the ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response event.Examine the various fields, especially network.data.decoded.Answer Question 6.Select Score Lab.
Which of the following components are the SIEM's way of letting the IT team know that a pre-established parameter is not within the acceptable range? Answer Sensors Trends Alerts Dashboard
Alerts
Which of the following are commonly maintained incident response documents? (Select three.) Answer Corporate information Individual financial information Correct Answer: Escalation list Sensitive personal information (SPI) Intellectual property Correct Answer: Incident checklist Correct Answer: Incident form
Escalation list Incident checklist Incident form
You have just completed an IR (incident response) report. Which part of the report provides a brief overview of the document, including the purpose, key points, and conclusion? Answer Chain of custody Correct Answer: Executive summary Lessons learned Charts and graphs
Executive summary
Which of the following BEST describes a SIEM system? Answer Is an open-source intrusion detection system Is sold as a software application or as a stand-alone security appliance Is long-term storage of collected data for meeting government compliance requirements Is always generated when a specified event occurs on a network device
Is sold as a software application or as a stand-alone security appliance
Which of the following mobile data acquisition types copies the entire flash memory, including deleted files and data remnants? AnswerCorrect Answer: Physical acquisition File system acquistion Manual acquisition Logical acquisition
Physical acquisition
Which SIEM function provides long-term storage of collected data to meet government compliance requirements? Retention Event deduplication Automated alerts Correlation
Retention
Which of the following is true about rule-writing? You should only use customized rules and not preconfigured ones. Rules could be as simple as looking for unsuccessful logins or could include more complex behavioral patterns. Rules should be generalized to capture as much information as possible. Security analysts are not tasked with rule-writing. This responsibility is reserved for network and security administrators.
Rules could be as simple as looking for unsuccessful logins or could include more complex behavioral patterns.
Restarts, crashes, frozen applications, and intermittent stopping are examples of which application-based indicator of compromise (IoC)? Answer Unexpected output Unexpected outbound communication Correct Answer: Service interruption Introduction of new accounts
Service interruption
Which of the following is a SIEM collection tool that's used to search and analyze large collections of data in multiple formats? Answer Burp Suite Splunk Security Onion Snort
Splunk
As a community outreach employee, you want to begin using machine learning as part of your process. Which of the following might you use machine learning for as a way to further your company's goals? Answer You can authenticate users with a third-party site. You can tailor the company's social media feed. You can run a list of commands automatically. You can create a memory dump for a computer that crashes.
You can tailor the company's social media feed.
Which of the following BEST describes workflow orchestration? Answer An approach that seeks to provide a complete solution for delivering a particular service. An approach that uses cloud tools to provision, start, or decommission servers. A collection of tasks that are performed in a logical sequence as efficiently as possible. A group of tools that works together to create deployment automation.
A collection of tasks that are performed in a logical sequence as efficiently as possible.
A security analyst working for a financial institution notices abnormal behavior in a workstation's operating system (OS) and identifies multiple unauthorized scheduled tasks and file system anomalies on the affected workstation. Which of the following options is the MOST likely explanation for these issues? Answer The security analyst is experiencing false positives from their security tools, and there are no actual anomalies present. The operating system of the workstation is outdated, and the security patches have not been applied, leading to system vulnerabilities that have been exploited. A virus has infected the workstation, allowing remote attackers to execute arbitrary code and run malicious tasks. An insider threat with access to the workstation is intentionally creating these abnormalities to sabotage the company's security posture.
A virus has infected the workstation, allowing remote attackers to execute arbitrary code and run malicious tasks.
You are the security analyst for a small corporate network. Recently, your network became extremely slow. You have decided to use Security Onion to see if you can determine the cause. In this lab, your task is to: Log in to Security Onion and access Kibana.Email address: [email protected]: password From Kibana, examine the Discover and Dashboard pages for possible issues. Answer the questions.
Access Security Onion.From the Favorites bar, select Google Chrome.In the address field, enter 192.168.0.101 and press Enter to access Security Onion.Log in to Security Onion using the following:Email address: [email protected]: passwordSelect LOGIN. Access Kibana and examine the Discover and Dashboard pages for possible issues.Select the hamburger menu and then click Kibana.(Kibana opens by default to the Discover page.)Maximize the window for better viewing.From the Discover page, examine the charts and graphs.Select the hamburger menu and then click Dashboard.Examine the charts and graphs on the Dashboard page. Answer the question.In the top right, select Answer Questions.Answer the question.Select Score Lab.
An organization has implemented an incident response plan and regularly trains its employees to respond to security incidents. During a recent training session, an employee asked the trainer why playbooks are necessary when the incident response plan already exists. How would the trainer explain the difference between an incident response plan and playbooks? Answer An incident response plan focuses on restoring business operations after an incident, while playbooks focus on containing and resolving the incident. Correct Answer: An incident response plan is a general framework for responding to any incident, while playbooks provide detailed procedures for responding to specific incidents. An incident response plan is flexible and adaptable, while playbooks are fixed procedures for specific types of incidents. An incident response plan is a step-by-step guide for responding to an incident, while playbooks provide guide
An incident response plan is a general framework for responding to any incident, while playbooks provide detailed procedures for responding to specific incidents.
A company's cybersecurity leadership team reviews its incident response plan (IRP) and wants to ensure it is fully prepared for potential disruptions to its business operations. The team considers the role of business continuity (BC) and disaster recovery (DR) in their IRP. Which options would be the most appropriate way for the team to integrate BC/DR in their IRP? Answer Train employees on phishing awareness and prevention techniques. Correct Answer: Develop and test BC/DR plans to ensure operational resilience. Establish an incident response team. Conduct regular tabletop exercises to evaluate incident response procedures.
Develop and test BC/DR plans to ensure operational resilience.
Which of the following is the science of gathering and analyzing digital data in relation to a computer crime or cyber attack? Answer Static analysis Dynamic analysis Correct Answer: Digital forensics Hashing
Digital forensics
Which of the following methods for making data inaccessible is considered insufficient for preventing data recovery? (Select two.) AnswerCorrect Answer: Formatting all partitions Running an overwrite utility with more than two passes Running an overwrite utility with seven passes Correct Answer: Deleting or changing all partitions on the device Running an overwrite utility with three passes
Formatting all partitions Deleting or changing all partitions on the device
An organization tasked its cybersecurity team leader with addressing a security incident that requires immediate action. What steps should the team take to prevent additional damage to the systems as part of their security operations plan? Answer Conduct a security audit. Notify all employees. Install security updates on all systems. Correct Answer: Isolate affected systems.
Isolate affected systems.
How can a legal hold be helpful in digital forensics? AnswerCorrect Answer: It protects data from being altered. It restricts companies from doing business while under investigation. It allows only investigators to manipulate evidence to test theories. It keeps a suspect from leaving the country.
It protects data from being altered.
An essential post-incident activity is to review security incidents to determine their cause, whether they were avoidable, and how to avoid them in the future. What is this activity called? Answer Business continuity BCDR threshold Correct Answer: Lessons learned Disaster recovery
Lessons learned
You have had a data breach in your organization, and employees have submitted their mobile devices for review. You look through each device's interface and take pictures of evidence you see on the screen. Which type of data acquisition have you just performed? Answer File system acquisition Correct Answer: Manual acquisition Logical acquisition Physical acquisition
Manual acquisition
A security analyst has identified a compromised system on the network and needs to take action to prevent further damage. The analyst has decided to implement compensating controls to limit the potential damage. After implementing compensating controls, the security analyst wants to isolate the compromised system from the network for further analysis. Which of the following is the BEST approach for isolating the system? Answer Terminating the system's processes through task manager Disabling the system's network adapter through the device manager Correct Answer: Physically disconnecting the system from the network Shutting down the system
Physically disconnecting the system from the network
During which phase of the incident response life cycle do you reinforce your systems, policies, and procedures to ensure that your resources are well secured? Answer Post-incident activity Post-incident feedback Containment Correct Answer: Preparation
Preparation
Which of the following is true about a SIEM's Security Information Management? Answer Aggregates log messages and other security-related information it receives from multiple sources on a network Consists of customizable information screens that show real-time security and network information Provides long-term storage of collected data to meet government compliance requirements Eliminates the need for you to access each system individually to view security events
Provides long-term storage of collected data to meet government compliance requirements
During an incident response, a security team discovered evidence of an unauthorized access attempt on a server. The team needs to collect and preserve the digital evidence for further investigation. What practice should the team use for handling digital evidence during the incident response? Answer Deleting irrelevant evidence Altering the evidence to make it more convincing Sharing evidence with unauthorized parties Correct Answer: Storing evidence in a secure location
Storing evidence in a secure location
Which of the following methods involves considering all of an incident's details and taking action to keep the incident from happening again? Answer System hardening Reconstitution Impact analysis Correct Answer: Vulnerability mitigation
Vulnerability mitigation
As the company security analyst, you are using the SIEM dashboard to follow up on some suspicious authentication failures. You click on the authentication failure number to filter the view to the matching events as illustrated below. The view of the authentication failure events indicates several other problems. Besides authentication failures, which of the following are other problems that are listed in the review? (Select two.) AnswerCorrect Answer: Successful access to the root account Persistence Privilege escalation Correct Answer: A change to a user password Defense evasion
A change to a user password Successful access to the root account
You are the security analyst for a small corporate network. You recognize that the threat of malware is increasing, and you have implemented Windows Security on the office computers. In this lab, your task is to configure Windows Security as follows: Add a file exclusion for D:\Graphics\book.jpg. Add a process exclusion for files associated with your corporate software (corp_process.exe). Check for virus and threat updates. Perform a quick scan.
Add a file exclusion.In the search field on the taskbar, type Windows Security.Under Best match, select Windows Security.Maximize the window for better viewing.Select Virus & threat protection.Under Virus & threat protection settings, select Manage settings.Under Exclusions, select Add or remove exclusions.Select + Add an exclusion.From the drop-down lists, select File.Under This PC, select Data (D:).Double-click Graphics.Select book.jpg.Select Open. Add a process exclusion.Select + Add an exclusion.From the drop-down lists, select Process.In the Enter process name field, enter corp_process.exe for the process name.Select Add. Update protection definitions.In the left menu, select the shield (Virus & threat protection) icon.Under Virus & threat protection updates, select Check for updates.Under Security Intelligence updates, select Check for updates. Perform a quick scan.In the left menu, select the shield icon.Under Current threats, select Quick scan to run a quick scan now.
In a large organization, the security team struggles to track all the security tools used across different departments. They want to streamline their security operations by integrating all the security tools into a central dashboard. Which solution should the team consider to achieve this goal? Answer Plugins Security orchestration, automation and response (SOAR) Webhooks Application programming interface (API)
Application programming interface (API)
Which of the following is the EDR (Endpoint Detection and Response) component where data collected is stored and analyzed? AnswerCorrect Answer: Centralized security monitoring platform Honeypot Data analysis engine Endpoint acquisition point
Centralized security monitoring platform
Which of the following SCAP identification schemes uses a list of records where each item contains a unique identifier used to describe publicly known vulnerabilities? Answer Asset Reporting Format (ARF) Common Platform Enumeration (CPE) Common Configuration Enumeration (CCE) Common Vulnerabilities and Exposures (CVE)
Common Vulnerabilities and Exposures (CVE)
A security analyst has identified a critical vulnerability in the company's web server. The analyst was able to fix the vulnerability within two hours. What does this two-hour time period represent? Answer Mean time between failure Correct Answer: Mean time to respond Mean time to detect Mean time to recover
Mean time to respond
You are the security analyst for a small corporate network. You are concerned that several employees may still be using the unsecured FTP protocol against company policy. You have decided to run a test to see if FTP is being used. If any FTP packets are found, you need to determine information about who is using this protocol. In this lab, your task is to capture FTP packets as follows: Use Wireshark to capture packets on the enp2s0 interface for five or more seconds. Filter for FTP packets. Answer the questions.
Complete this lab as follows: Using Wireshark, capture packets for five seconds.From the Favorites bar, select Wireshark.Under Capture, select enp2s0.Select the blue fin to start a Wireshark capture.Capture packets for five seconds.Select the red box to stop the Wireshark capture.Maximize the window for easier viewing. Apply the FTP filter and answer the questions.In the Apply a display filter field, type ftp and press Enter.In the top right, select Answer Questions.Answer the questions. (Optional) Use filters for only the required informationIn the Apply a display filter field, type ftp.request.command==USER and then press Enter to find the user account.In the Apply a display filter field, type ftp.request.command==PASS and then press Enter to find the password.In the Apply a display filter field, type ftp.request.command==RETR and then press Enter to find the file retrieved. Select Score Lab.
Where are network device log files stored by default? Answer On an intrusion detection system On the SIEM system On the nearest server On the local device
On a local device
What is the name of the sanitization method that involves destruction of an encryption key to render a drive's data useless? Answer Reimaging Correct Answer: Cryptographic erase Secure disposal Degaussing
Cryptographic erase
Where can you find a quick overview of your monitored system's current state? Answer Alerts Dashboard Retentions Information Management
Dashboard
There are several types of breaches that may require outside reporting to various entities such as customers, media, and the government. One of these types of breaches occurs when an attacker takes data that is stored inside of a private network and moves it to an external network. Which type of breach does this MOST likely describe? Answer Accidental data breach Integrity/availability Correct Answer: Data exfiltration Device theft or loss
Data exfiltration
What is the philosophy behind DevSecOps? Answer Everyone on the development team should be able to use multiple programming languages. Everyone on the development team should be responsible for security. Everyone on the development team should seek user feedback. Everyone on the development team should be responsible for quality assurance.
Everyone on the development team should be responsible for security.
Which of the following is a device used by the blue team to lure an unsuspecting attacker to aimlessly explore? AnswerCorrect Answer: Honeypot IDS Wireshark IPS
Honeypot
As a security analyst, you are tasked with monitoring a company's threat feed. Which of the following should you look for as part of your analysis? Answer Scripts that the company uses regularly. IP addresses that might be malicious. The API the company employs. Bits of code that might be malicious.
IP addresses that might be malicious.
Which of the following questions should be answered in a lessons learned report (LLR)? Answer Who was to blame for the incident? Correct Answer: If the same incident occurred again, how would the response differ? Correct Answer: Are there more capable solutions available? How much additional money is needed to secure the network system? Which employees did not complete security training?
If the same incident occurred again, how would the response differ? Are there more capable solutions available?
What is the process of determining the extent of damage/potential damage from a security event known as? Answer Intrusion analysis Damage analysis Trend analysis Correct Answer: Impact analysis
Impact analysis
A company hires a new employee to work in its IT department. The new employee quickly gains the trust of the other coworkers. However, the company soon notices someone is accessing files without authorization and leaking sensitive information. Which of the following BEST describes the security threat presented in this scenario? AnswerCorrect Answer: Insider threat Social engineering attack Phishing attack Malware attack
Insider threat
A security analyst responsible for carrying out security operations on a company's network has received reports of certain users experiencing issues with their device's slow performance and high memory consumption. Which of the following options is a probable cause of the high memory usage and slow performance? Answer Having insufficient disk space on the device Correct Answer: Installing software from unverified sources Running outdated operating system software Running multiple applications at the same time
Installing software from unverified sources
Which of the following BEST describes the isolation-based containment method? Answer Helps to ensure that compromised systems are restricted to the local segment Separates the network into subnetworks that are not able to communicate with each other directly Correct Answer: Involves disconnecting a device, VLAN, or network segment from the rest of the network Provides an extra layer of security that helps with containment
Involves disconnecting a device, VLAN, or network segment from the rest of the network
Which of the following is the term used for an IP address that's been flagged for suspicious or malicious activity? Answer Non-routable Translated Known bad Spoofed
Known bad
You are the Security Analyst for a small corporate network. The company has a single Active Directory domain named CorpNet.xyz. You need to increase the domain's authentication security. You need to make sure that User Account Control (UAC) settings are consistent throughout the domain and in accordance with industry recommendations. In this lab, your task is to configure the following UAC settings in the Default Domain Policy on CorpDC:
Open Group Policy Management on CorpDC.From Hyper-V Manager, select CORPSERVER.Double-click CorpDC to open the virtual machine.From Server Manager, select Tools > Group Policy Management.Maximize the window for better viewing. Open the Default Domain Policy for editing.Expand Forest: CorpNet.local > Domains > CorpNet.local.Right-click Default Domain Policy and select Edit.Maximize the window for easier viewing. In Security Options, edit the User Account Control policies .Under Computer Configuration, expand Policies.Expand Windows Settings > Security Settings > Local Policies.Select Security Options.In the right pane, right-click the policy you want to edit and select Properties.Select Define this policy setting.Select Enable or Disable as necessary.Edit the value for the policy as needed and then select OK.Repeat steps 3d-3g for each policy setting.
Which of the following BEST describes how using scripts is different from running regular code? Answer Code is usually interpreted instead of compiled. Code is usually used only on apps for mobile devices. Scripts are usually interpreted instead of compiled. Scripts are usually used only for apps on desktop computers.
Scripts are usually interpreted instead of compiled.
Which of the following containment methods divides the network into subnetworks that are unable to communicate with each other directly? Answer Control Isolation Correct Answer: Segmentation Removal
Segmentation
In order for SIEM to play a critical role in helping locate when admin and troubleshooting commands are used in any system in the environment, what needs to be done? Answer Remotely access a server and obtain shell access for administrative purposes. Correct Answer: Set system configurations to log command activity. Allow local and remote configuration of network-related services. Test connectivity among network devices.
Set system configurations to log command activity.
A financial institution has experienced a cyber attack that has resulted in the theft of customer information. Which of the following is the MOST critical consideration for the incident response team? Answer Timeline of breach Evidence Correct Answer: Stakeholders impacted Incident declaration
Stakeholders impacted
Which of the following recovery actions (after a security incident) involves reviewing the vendor documentation to determine if a known vulnerability exists in a piece of hardware or software? AnswerCorrect Answer: Verify system updates and patches Verify security systems Verify user access Reconstruct the disks
Verify system updates and patches
You are the security analyst for a small corporate network. Recently, several of your computers were infected by a Trickbot virus. It appears they got the virus from a spreadsheet. Various versions of spreadsheets had different requests for the virus files from different servers. You are using Security Onion Hunter to analyze the attack. In this lab, your task is to: Log in to Security Onion and access Hunt.Security Onion server: 192.168.0.101Email address: [email protected]: password From Hunt:Examine the ET INFO Dotted Quad Host DLL Request alert event.Answer Questions 1 and 2.Examine the ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 alert event.Answer Questions 3 and 4.
Access Security Onion.From the Favorites bar, select Google Chrome.In the address field, enter 192.168.0.101 and press Enter to access Security Onion.Log in to Security Onion using the following:Email address: [email protected]: passwordSelect LOGIN. Access Hunt.Select the hamburger menu and then click Hunt.Maximize the window for better viewing. Examine the ET INFO Dotted Quad Host DLL Request alert event.Under Events, expand the ET INFO Dotted Quad Host DLL Request event.Examine the various fields, especially network.data.decoded.In the top right, select Answer Questions.Answer Questions 1 and 2. Examine the ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 alert event.From Hunt Events, expand the ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 event.Examine the various fields, especially event.module and network.data.decoded.Answer Questions 3 and 4.Select Score Lab.
You are the security analyst for a small corporate network. Your boss is concerned that her computer (Exec) contains sensitive company information. To prevent this information from being stolen, you have decided to encrypt the drive using BitLocker. The Exec computer has a built-in TPM on the motherboard. In this lab, your task is to configure BitLocker drive encryption as follows: Try to turn on BitLocker for the System (C:) drive. Answer the question. From the BIOS settings, turn on and activate TPM. Turn on BitLocker for the System (C:) drive. Save the recovery key to \\CorpServer\BU-Exec. Encrypt the entire System (C:) drive. Run the BitLocker system check.
Attempt to enable BitLocker.In the search field on the taskbar, enter Bitlock.Under Best match, select Manage BitLocker.Under Operating system drive, select Turn on BitLocker.In the top right, select Answer Questions.Answer Question 1 and then minimize the question dialog.Select Cancel. Access Exec's BIOS settings.From the taskbar, right-click Start and then select Shut down or sign out > Restart.When the TestOut logo appears, press Delete to enter the BIOS. Turn on and activate TPM.From the left pane, expand Security.Select TPM Security.From the right pane, select TPM Security to turn TPM security on.Select Apply.Select Activate.Select Apply.Select Exit.Windows is restarted and you are signed in. Turn on BitLocker.After Exec finishes rebooting, in the search field on the taskbar, enter Bitlock.Under Best match, select Manage BitLocker.Under Operating system drive, select Turn on BitLocker.Windows is now able to begin the Drive Encryption setup. Save the recovery key to \\CorpServer\BU-Exec.Select Save to a file to back up your recovery key to a file.Browse the network to \\CorpServer\BU-Exec.Select Save.After your recovery key is saved, select Next. Choose how much of your drive to encrypt and verify that the drive is encrypted.Select Encrypt entire drive and then click Next.Leave the default setting selected when choosing the encryption mode and click Next.Select Run BitLocker system check and then click Continue.Select Restart now.When the encryption process is complete, select Close. Verify that System (C:) is being encrypted.From the taskbar, open File Explorer.From the left pane, select This PC.From the right pane, verify that the System (C:) drive shows the lock icon.In the top right, select Answer Questions.Select Score Lab.
Most SIEM implementations start by installing which tool on network devices? Log file Intrusion detection system Dashboard Collection agent
Collection Agent
Listen to simulation instructions You are the security analyst for a small corporate network. You have just downloaded a new release of the ThreatProtec program, which you use to do your job. You need to make sure that the file was not altered before you received it. To help do this, you also downloaded the ThreatProtec_hash.txt file, which contains the original file hash for the new release of the ThreatProtec program. The two files are located in C:\Downloads. In this lab, your task is to use MD5 hash files to confirm that the ThreatProtec.zip file was unaltered as follows: Use Windows PowerShell to:Generate a file hash for ThreatProtec.zip.Extract the hash from the ThreatProtec_hash.txt.Compare the two hashes using the applicable cmdlet to see if they match.
Complete this lab as follows: View the files in the C:\Downloads folder.Right-click Start and select Windows PowerShell (Admin).At the prompt, type cd \downloads and press Enter to navigate to the directory that contains the files.Type dir and press Enter to view the available files. Obtain the hash files for the new releases of the software.Type get-filehash ThreatProtec.zip -a md5 and press Enter to view the MD5 hash for the new release.Type get-content ThreatProtec_hash.txt and press Enter to view the known hash contained in the .txt file. Compare the hashes and answer the question.Type "calculated hash" -eq "known hash" and press Enter to determine if the file hashes match.In the top right, select Answer Questions.Answer the question.Select Score Lab.
A multinational corporation has tasked a security analyst with improving the organization's incident response capabilities. What should the analyst focus on to BEST enhance the team's ability to respond to security incidents? AnswerCorrect Answer: Conducting tabletop exercises Developing playbooks Implementing security awareness training Performing regular vulnerability scans
Conducting tabletop exercises
Listen to simulation instructions You are the security analyst for a small corporate network. Your manager has received several concerning emails. He has asked you to view his email and determine whether these messages are hazardous or safe. In this lab, your task is to: Read each email and determine whether the email is legitimate. Delete any emails that are attempts at social engineering. Keep all emails that are safe.
EmailDiagnosisActionDescriptionMicrosoft Windows Update CenterNew Service PackPhishingDeleteNotice the various spelling errors and that the link does not direct you to a Microsoft website.Jim HawsRe: Lunch Today?Malicious AttachmentDeleteThis email appears to be from a colleague. However, why would he fail to respond to your lunch question and send you a random attachment in return?Executive RecruitingExecutive JobsWhalingDeleteWhaling uses tailored information to attack executives. Clicking the link could install malware that would capture sensitive company information.Human ResourcesEthics VideoSafeKeepWhile this email has an embedded link, it is digitally signed, so you know it actually comes from your Human Resources department. In addition, if you hover over the link, you see that it is a secure link to the corporate web server.Riverdale Estates HOAPayment PendingPhishingDeleteThis is a carefully crafted attempt to get your bank account information. Hover over the link and notice that it does not direct you to your credit union website, but to an unknown IP address instead.Grandma WhiteFW: FW: FW: Virus Attack WarningHoaxDeleteAny email that asks you to forward it to everyone you know is probably a hoax.Daisy KnudsenWeb Site UpdateSpear PhishingDeleteWhile this email appears to come from a colleague, notice that the link points to an executable file from a Russian domain name. This probably is not a message a real colleague would send. This file will likely infect the computer with malware.Rachelle HancockWow!!Malicious AttachmentDeleteEmails with attachments from random people who address you as "Dear Friend" are probably not safe.Grandma WhiteFree Airline TicketsHoaxDeleteAny email that asks you to forward it to everyone you know is probably a hoax, even if the contents promise you a prize. In addition, there is
You are a cybersecurity consultant for a small corporate office. The employee in Office1 is suspected of using their work computer in some sort of criminal operation. You have made an image of the hard drive on that computer and you would like to use Autopsy to analyze the contents of the hard drive. In this lab, your task is to analyze an Office1 disk image with Autopsy by doing the following: Create a case file.Case Name: corpnet-case132 (no spaces)Base Directory: d:\autopsyCase Number: 132Examiner: enter your name, number, and email Import the disk image.Disk image file: e:\office1_hd.vhdIngest Modules: Recent Activity, Hash Lookup, File Type Identification, EXIF Parser, and Keyword Search Analyze the disk image.Under Data Sources, analyze the Users folder on vol2.Answer Question 1.Under Views, analyze the File Types and the File Size.Answer Questions 2 and 3.Under Results, analyze the Extracted Content and the Ke
In Autopsy, create a case file.Select Start and then select Autopsy.From the Welcome dialog, select New Case.In the Case Name field, enter corpnet-case132 (no spaces).Select Browse and then from the left pane, expand and select Forensic (D) > autopsy as the Base Directory.Select Folder.Select Next.Under Case, enter the number 132.Under Examiner, enter your name, phone number, and email address.Select Finish. Import the disk image.Under Select Type of Data Source to Add, make sure Disk Image or VM File is checked and then select Next.For Path, select Browse and then expand and select Data (E:).From the right pane, select office1_hd.vhd as the disk image file and then select Open.Select Next.Under Configure Ingest Modules, select Deselect All.Select:Recent ActivityHash LookupFile Type IdentificationEXIF ParserKeyword SearchSelect Next.Select Finish and wait for the disk to finish analyzing. Under Data Sources, analyze the Users folder on vol2.From the left pane, expand Data Sources > PhysicalDrive0 > vol2 > Users.In the top right, select Answer Questions.Answer Question 1.Browse the user files as desired. Under Views, analyze the File Types and the File Size.Expand and select Views > File Types > By MIME Type > application > pdf.Examine the various documents and answer Question 2.Expand and select image > jpeg.Select an image and then select the Application tab to see the image. Do this for all the image files.Answer Question 3.Browse the files in Views as desired. Under Results, analyze the Extracted Content and the Keyword Hits.Expand Results > Extracted Content.Examine the Source Files found in Web Cookies and Web History and then answer Question 4.Under Results, expand Keyword Hits > Email Addresses.Select the search parameters and then answer Question 5.Expand URLs and select the search parameters; then answer Quest
A security analyst is analyzing the activities of an incident response team during a recent security breach. They find that unauthorized privileges were granted to a user account, and there was unexpected outbound communication from the compromised system. Which of the following actions should the analyst prioritize to mitigate the risks associated with these issues? Answer Monitor network traffic for additional anomalies. Perform a comprehensive system audit. Correct Answer: Isolate the compromised system. Revoke unauthorized privileges.
Isolate the compromised system.
You want to use a SCAP language that uses an XML schema and helps describe the three main aspects of an evaluated system: system information, machine states, and reporting. Which of the following SCAP languages would BEST fit your requirements? Open Vulnerability and Assessment Language (OVAL) Extensible Configuration Checklist Description Format (XCCDF) Common Platform Enumeration (CPE) Asset Reporting Format (ARF)
Open Vulnerability and Assessment Language (OVAL)
As a network engineer for a large corporation, you have been monitoring network traffic and notice that several client devices are beginning to communicate with each other (instead of the normal client-to-server communication). Besides monitoring network traffic, what else should you be doing to analyze this irregular peer-to-peer communication? AnswerCorrect Answer: Regularly review a traffic map that show common network traffic flows. Update your configuration documentation to show which server ports are allowed on any given host type. Configure firewalls to allow only whitelisted ports. Configure detection rules to detect mismatched protocol usage over a standard port.
Regularly review a traffic map that show common network traffic flows.
A cybersecurity analyst at a company notices an unusual spike in network traffic that is leading to service interruptions. The analyst suspects that this may be due to a security breach. Why could these service interruptions be an indicator of a security breach? Answer Service interruption is often the result of user error, such as misconfiguration of network devices. Service interruption is usually caused by power outages or hardware failures. Correct Answer: Service interruption could indicate an attacker using a denial-of-service attack to overload the network. Service interruption might be caused by routine maintenance tasks that require temporarily taking down the system.
Service interruption could indicate an attacker using a denial-of-service attack to overload the network.
As a security administrator for your company, you are working with the network engineer to find a graphical user interface that allows network administrators to manage their entire network from one place. Which of the following orchestration types would meet your requirements? Answer Release orchestration Service orchestration Cloud orchestration Single pane of glass orchestration
Single pane of glass orchestration
ABC Inc. is a large organization with several offices located around the world. The company has an incident response plan and conducts regular training and tabletop exercises to prepare its team for potential security incidents. During a recent tabletop exercise, the team discovered a critical flaw in their incident response plan. Which of the following statements regarding training and tabletop exercises for incident response planning are true? (Select two.) Answer Training ensures that staff members have access to and are familiar with the latest technology and tools. Correct Answer: Tabletop exercises identify areas for improvement in the incident response plan. Correct Answer: Tabletop exercises test and improve the incident response plan. Tabletop exercises involve a mock or full incident simulation. Training provides staff with the skills and knowledge to carry out their assigned roles during an incident.
Tabletop exercises test and improve the incident response plan. Tabletop exercises involve a mock or full incident simulation.
A security analyst is responsible for detecting and responding to security incidents in the organization. The security analyst has decided to implement a security orchestration, automation, and response (SOAR) platform. What is the primary purpose of using a SOAR platform in this scenario? Answer To monitor and control access to sensitive information To automate incident responses To store and manage security-related data To provide real-time threat intelligence to security teams
To automate incident responses
Which method does degaussing use to securely dispose of data? Answer Destroying a drive's encryption key Destroying platters by punching a hole into the hard drive Slicing the drive into tiny pieces with the use of large amounts of force Correct Answer: The use of a powerful magnetic force to wipe data completely from a drive
The use of a powerful magnetic force to wipe data completely from a drive
A large retail company notifies its incident response team in response to a recent security incident. The team then activates the incident response plan (IRP) and business continuity plan (BCP). After they resolve the incident, they conduct a lessons-learned review. What is the purpose of an incident response plan (IRP) and business continuity plan (BCP) in cybersecurity incident response and management? Answer To restore affected systems and data to their pre-incident state To conduct a forensic analysis of the incident to determine the root cause and identify the responsible party Correct Answer: To provide a step-by-step guide on how to respond to a security incident and ensure the continuity of critical business functions To educate employees on how to prevent and respond to future security incidents
To provide a step-by-step guide on how to respond to a security incident and ensure the continuity of critical business functions
Which type of IoC are pop-up windows and unusual error messages? AnswerCorrect Answer: Unexpected output Service interruptions Unexpected outgoing communication Introduction of new accounts
Unexpected output
As a security analyst, you often scan for any zombie processes that might be running on your computer. In this lab, your task is to: Use the ps command to find all zombie processes. Use the applicable ps options to:Show the processes for all users.Display the process's user/owner.Show the processes not attached to a terminal. Kill all zombie processes found using kill -9.
Use the ps aux command to find any zombie processes running.From the Favorites bar, select Terminal.At the prompt, type ps aux | less and press Enter to view the list of processes.Use the Page Up/Page Down keys to find the processes with status z.Type q to exit the process list and return to Command Prompt.In the top right, select Answer Questions.Answer Question 1. Terminate the zombie processes.Type kill -9 1260 and press Enter.Type kill -9 1430 and press Enter.Type kill -9 2165 and press Enter.Select Score Lab.