Domain 3.0: Security Operations and Monitoring


C. This is an agent-based, out-of-band NAC: a locally installed agent reports the system's security state to the existing network infrastructure (here, the edge switch), which enforces the decision. A solution built around dedicated NAC appliances sitting in the traffic path would be in-band.

A PC runs installed NAC software when connecting to the network. The software communicates to an edge switch the PC is plugged into, which validates the login and system security state. What type of NAC solution is being used? A. Agent-based, in-band B. Agentless, in-band C. Agent-based, out-of-band D. Agentless, out-of-band

C. Forming a hypothesis is the first step. Once a scenario has been chosen, the hypothesis names the target and the adversary techniques involved; only then can the hunter decide what evidence would confirm or refute it and which tools to use.

A company is considering a scenario in which components used in software from a public GitHub repository are trojaned. What should be done first to form the basis of a proactive threat hunting effort? A. Search for examples of similar scenarios B. Validate the software currently in use from the repositories C. Form a hypothesis D. Analyze the tools available for this type of attack

A. The -A flag appends a rule to a chain; OUTPUT is the chain that locally generated (outbound) traffic traverses. The -d flag matches the destination IP address or subnet, and -j specifies the target, here DROP. Because -A appends to the end of the chain, an earlier ACCEPT rule for the same destination would still win; use -I to insert ahead of it if needed. On a gateway, traffic passing through the box toward that host is handled by the FORWARD chain, not OUTPUT.

Angela wants to block traffic sent to a suspected malicious host. What iptables rule entry can she use to block traffic to a host with IP address 10.24.31.11? A. iptables -A OUTPUT -d 10.24.31.11 -j DROP B. iptables -A INPUT -d 10.24.31.11 -j ADD C. iptables -block -host 10.24.31.11 -j DROP D. iptables -block -ip 10.24.31.11 -j ADD

D. None of the uses described for this workstation requires inbound connections on any of these ports. Web browsing and domain membership are both initiated by the workstation, so a stateful firewall admits the replies without exposing any listening port to externally initiated connections.

Based on the following nmap scan on a Kali Linux system which needs access to websites and is part of a Windows domain, what ports should be allowed through the system's firewall for externally initiated connections? A. 80, 135, 139, 445 B. 80, 445, 3389 C. 135, 139, 445 D. No ports

B. These commands insert filters into the INPUT chain that drop traffic from hosts A and B while accepting only port 25 from host C. Option A drops SMTP from the entire 10.2.0.0/24 subnet rather than from host B. Option C accepts traffic from the hosts that should be blocked. Option D accepts all traffic from host C instead of just SMTP. Two caveats for anyone typing these for real: --dport is only valid together with a protocol match (-p tcp), and the accept target in iptables is ACCEPT, not ALLOW. Note also that the second rule of option B, as transcribed here, limits the host B drop to port 25, whereas the intent is to drop all traffic from host B. Inserting each rule at position 2 (-I INPUT 2) places the last rule typed highest, so the final chain order is the reverse of the typing order; that does not change the outcome here because the three rules match different hosts.

Based on the following setup, which set of commands will set up a Linux iptables-based firewall ruleset to prevent access from hosts A and B, while allowing SMTP traffic from host C? A. #iptables -I INPUT 2 -s 10.1.1.170 -j DROP #iptables -I INPUT 2 -s 10.2.0.0/24 --dport 25 -j DROP #iptables -I INPUT 2 -s 10.2.0.130 --dport 25 -j ALLOW B. #iptables -I INPUT 2 -s 10.1.1.170 -j DROP #iptables -I INPUT 2 -s 10.2.0.134 --dport 25 -j DROP #iptables -I INPUT 2 -s 10.2.0.130 --dport 25 -j ALLOW C. #iptables -I INPUT 2 -s 10.1.1.170 -j ALLOW #iptables -I INPUT 2 -s 10.2.0.134 -j ALLOW #iptables -I INPUT 2 -s 10.2.0.130 --dport 25 -j DROP D. #iptables -I INPUT 2 -s 10.1.1.170 -j DROP #iptables -I INPUT 2 -s 10.2.0.134 -j DROP #iptables -I INPUT 2 -s 10.2.0.130 -j ALLOW
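Added example, not part of the original question set: a small Python model of iptables filter-chain semantics (first match wins, chain policy otherwise) with a linter for the mistakes a practitioner would catch in the options above. It assumes the host addresses implied by the options (A = 10.1.1.170, B = 10.2.0.134, C = 10.2.0.130), a pre-existing loopback rule so that "-I INPUT 2" has a rule to insert after, and it includes Angela's outbound DROP from the earlier question. It never calls the real iptables.

```python
import ipaddress
import shlex

VALID_TARGETS = {"ACCEPT", "DROP", "REJECT"}     # ALLOW is not an iptables target
BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD"}  # filter-table built-in chains

class Rule:
    def __init__(self, src=None, dst=None, proto=None, dport=None, target=None):
        self.src = ipaddress.ip_network(src, strict=False) if src else None
        self.dst = ipaddress.ip_network(dst, strict=False) if dst else None
        self.proto, self.dport, self.target = proto, dport, target

    def matches(self, pkt):
        """pkt: dict with src, dst and optionally proto and dport (constructed)."""
        if self.src and ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if self.dst and ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        if self.proto and pkt.get("proto") != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True

def parse(cmd):
    """Parse one command line into (action, chain, position, Rule, problems);
    problems lists syntax that real iptables would reject."""
    toks = shlex.split(cmd.lstrip("#").strip())
    if toks and toks[0] == "iptables":
        toks = toks[1:]
    action = chain = pos = policy = None
    opts, problems, i = {}, [], 0
    while i < len(toks):
        t = toks[i]
        if t in ("-A", "-I", "-P", "--policy"):
            action, chain, i = t, toks[i + 1], i + 2
            if t == "-I" and i < len(toks) and toks[i].isdigit():
                pos, i = int(toks[i]), i + 1           # 1-based, like iptables
            elif t in ("-P", "--policy"):
                policy, i = toks[i], i + 1
        elif t in ("-s", "-d", "-p", "--dport", "-j"):
            opts[t], i = toks[i + 1], i + 2
        else:
            problems.append(f"unrecognised token {t!r}")
            i += 1
    if chain not in BUILTIN_CHAINS:
        problems.append(f"{chain!r} is not a built-in filter chain")
    if "--dport" in opts and "-p" not in opts:
        problems.append("--dport needs a protocol match such as -p tcp")
    target = policy or opts.get("-j")
    if target not in VALID_TARGETS:
        problems.append(f"{target!r} is not a valid target (use ACCEPT, not ALLOW)")
    dport = int(opts["--dport"]) if "--dport" in opts else None
    return action, chain, pos, Rule(opts.get("-s"), opts.get("-d"), opts.get("-p"), dport, target), problems

def build(commands):
    """Apply commands in order to fresh chains (policy ACCEPT); return (chains, problems)."""
    chains = {c: {"policy": "ACCEPT", "rules": []} for c in BUILTIN_CHAINS}
    all_problems = []
    for cmd in commands:
        action, chain, pos, rule, problems = parse(cmd)
        all_problems += [f"{cmd.strip()}: {p}" for p in problems]
        if chain not in chains:
            continue
        if action in ("-P", "--policy"):
            chains[chain]["policy"] = rule.target
        elif action == "-A":
            chains[chain]["rules"].append(rule)
        elif action == "-I":
            chains[chain]["rules"].insert((pos or 1) - 1, rule)
    return chains, all_problems

def verdict(chains, chain, pkt):
    """First matching rule wins; the chain policy applies otherwise."""
    for rule in chains[chain]["rules"]:
        if rule.matches(pkt):
            return rule.target
    return chains[chain]["policy"]

def rule_order(chains, chain):
    return [str(r.src) for r in chains[chain]["rules"]]

# Option B as transcribed, behind an assumed pre-existing loopback rule.
OPTION_B_AS_WRITTEN = [
    "iptables -A INPUT -s 127.0.0.0/8 -j ACCEPT",
    "#iptables -I INPUT 2 -s 10.1.1.170 -j DROP",
    "#iptables -I INPUT 2 -s 10.2.0.134 --dport 25 -j DROP",
    "#iptables -I INPUT 2 -s 10.2.0.130 --dport 25 -j ALLOW",
]

# Same intent in valid syntax (addresses as implied by the options), plus
# Angela's outbound block from the earlier question.
CORRECTED = [
    "iptables -P INPUT DROP",
    "iptables -A INPUT -s 10.1.1.170 -j DROP",
    "iptables -A INPUT -s 10.2.0.134 -j DROP",
    "iptables -A INPUT -s 10.2.0.130 -p tcp --dport 25 -j ACCEPT",
    "iptables -A OUTPUT -d 10.24.31.11 -j DROP",
]

def check_corrected():
    """Verdicts for constructed test packets against the corrected ruleset."""
    chains, problems = build(CORRECTED)
    assert not problems, problems
    def inbound(src, dport):
        return {"src": src, "dst": "10.0.0.1", "proto": "tcp", "dport": dport}
    return {
        "A": verdict(chains, "INPUT", inbound("10.1.1.170", 80)),
        "B_smtp": verdict(chains, "INPUT", inbound("10.2.0.134", 25)),
        "C_smtp": verdict(chains, "INPUT", inbound("10.2.0.130", 25)),
        "C_http": verdict(chains, "INPUT", inbound("10.2.0.130", 80)),
        "out_bad": verdict(chains, "OUTPUT", {"src": "10.0.0.1", "dst": "10.24.31.11"}),
        "out_ok": verdict(chains, "OUTPUT", {"src": "10.0.0.1", "dst": "10.24.31.12"}),
    }
```

Running build() on OPTION_B_AS_WRITTEN reports that ALLOW is not a target and that --dport needs -p, and rule_order() shows the three "-I INPUT 2" rules sitting in reverse typing order behind the loopback rule. check_corrected() shows the corrected chain dropping A and B, accepting only SMTP from C (HTTP from C falls through to the DROP policy), and dropping outbound traffic to 10.24.31.11 while leaving other outbound traffic alone.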

B. Encapsulating Security Payload (ESP, IP protocol 50) is part of the IPsec suite and almost always indicates an IPsec tunnel or VPN, so a VPN client is what to look for on the workstation. Wireshark labels the traffic as ESP and cannot decode the payload without the session keys.

Based upon the following Wireshark packet capture, what should be searched for on the workstation with IP address 10.0.0.1 if it is investigated in person? A. An encrypted RAT B. A VPN app C. a secure web browser D. A base64 encoded packet transfer utility

D. The strings command extracts runs of printable characters from a file, letting Ben quickly see embedded URLs, file paths, error messages, and library or function names. By default it reports runs of four or more characters; -n changes the minimum length and -e l finds the UTF-16 strings common in Windows binaries. A packed or encrypted binary yields few meaningful strings, which is itself a useful clue.

Ben wants to quickly check a suspect binary file for signs of its purpose or other information that it may contain. What Linux tool can quickly show him potentially useful information contained in the file? A. grep B. more C. less D. strings

C. Continuous integration is the practice of merging developers' code into the mainline several times a day, with each check-in built and tested automatically. Automated testing is not strictly required for CI, but it is what makes a complete CI/CD pipeline useful. Continuous delivery goes a step further and aims to keep the code in the pipeline deployable at any time through automated testing and automated configuration.

What is the practice of checking in code multiple times a day, verifying it and testing it automatically? A. Continuous delivery B. Repo-stuffing C. Continuous integration D. Time coding

B. Automated signature creation is necessary because of the massive number of new malware packages and variants, and thus new signatures, that appear every day.

What major problem drives increasing use of automated malware signature tools? A. More complex malware B. Huge numbers of new malware signatures C. Hash-based signatures take too long to create manually D. Sandboxing is no longer effective

C. Attackers often use built-in editing tools that are inadvertently or deliberately exposed to inject malicious code into files. This GET request loads the active theme's 404.php into the WordPress theme editor; the write itself would appear as a subsequent POST to theme-editor.php, so look for one. If the file was changed, every visitor who received a 404 from this installation could have been served the injected code. Compare the hash of 404.php against a clean copy of the theme, and disable the file editor (DISALLOW_FILE_EDIT in wp-config.php) if it is not needed.

What occurred based upon the following web server log entry? 10.11.210.6 - GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme= total 200 A. A theme was changed B. A file was not found C. An attempt to edit the 404 page D. The 404 page was displayed
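Added example (not from the original page): detection logic that parses combined-format web server log lines and flags requests to the WordPress theme and plugin editors, distinguishing the GET that merely opens the editor from the POST that submits the write. The log lines are constructed for the example; the timestamps, theme name and second client address are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-format request line; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# WordPress admin pages that write PHP files to disk when submitted.
EDITOR_PAGES = ("/wp-admin/theme-editor.php", "/wp-admin/plugin-editor.php")

# Constructed sample log (not the entry reproduced in the question).
SAMPLE_LOG = """\
10.11.210.6 - - [03/Mar/2024:10:21:05 +0000] "GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme=twentytwentyone HTTP/1.1" 200 5120
10.11.210.6 - - [03/Mar/2024:10:21:40 +0000] "POST /wordpress/wp-admin/theme-editor.php HTTP/1.1" 302 0
192.0.2.7 - - [03/Mar/2024:10:22:01 +0000] "GET /wordpress/does-not-exist HTTP/1.1" 404 1234
192.0.2.7 - - [03/Mar/2024:10:22:05 +0000] "GET /wordpress/wp-admin/edit.php HTTP/1.1" 200 8000
"""

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec

def find_editor_activity(log_text):
    """One finding per request to a WordPress file editor. A GET only opens
    the editor; the POST is the actual write attempt."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["path"].endswith(EDITOR_PAGES):
            continue
        findings.append({
            "ip": rec["ip"],
            "time": rec["ts"],
            "page": rec["path"].rsplit("/", 1)[-1],
            "file": rec["query"].get("file"),
            "theme": rec["query"].get("theme"),
            "action": "write" if rec["method"] == "POST" else "opened",
            "status": int(rec["status"]),
        })
    return findings

def summarize(findings):
    """Human-readable line per finding, for an alert or ticket."""
    lines = []
    for f in findings:
        if f["action"] == "write":
            what = f"submitted a write via {f['page']}"
        else:
            what = f"opened {f['file']} from theme {f['theme']} in {f['page']}"
        lines.append(f"{f['time']} {f['ip']} {what} (HTTP {f['status']})")
    return lines
```

On the sample, find_editor_activity() returns two findings from 10.11.210.6: the editor being opened on 404.php, then a POST thirty-five seconds later that is the write to investigate. The 404 response to a different client is not an editor event and is ignored.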

C. The National Vulnerability Database uses the Security Content Automation Protocol (SCAP) to represent vulnerability management data. STIX is a structured language for describing cyberthreat information. CVSS (Common Vulnerability Scoring System) and CPE (Common Platform Enumeration) are component specifications within SCAP rather than the overall protocol.

What protocol does the U.S. government use to represent the data stored in the National Vulnerability Database? A. STIX B. CVSS C. SCAP D. CPE

B. Sinkholing answers queries for a known bad domain with an alternate address, so traffic that would otherwise reach the malicious site goes to the sinkhole host (here, a landing page) instead.

A NGFW security device is used to forge DNS responses for known malicious domains. This results in users who attempt to visit sites hosted by those domains seeing a landing page that advises them they were prevented from visiting a malicious site. What is this technique known as? A. DNS masquerading B. DNS sinkholing C. DNS re-sequencing D. DNS hierarchy revision

C. TCP port 22 indicates that this is most likely an SSH scan, and a single packet per flow with no return traffic indicates unsuccessful connection attempts (SYNs that were never answered). SFTP also runs over SSH on port 22, but a one-packet-per-host sweep is a scan, not a file transfer session.

Based on the following NetFlow traffic pattern, what is occurring? A. A telnet scan B. An SSH scan C. An SSH scan with unsuccessful connection attempts D. An SFTP scan with unsuccessful connection attempts

C. Although some blocklists cover entire IP ranges, moving the SMTP servers to new IP addresses is often a valid quick fix, as is moving to a cloud email provider or working with the list operator on removal. Altering SMTP headers does nothing, since listing is based on the sending IP address or domain, not on header content.

A company's email domain has been blacklisted. Which of the following options is not a way to allow the company to send email successfully? A. Migrate the company's SMTP servers to new IP addresses B. Migrate to a cloud email hosting provider C. Change SMTP headers to prevent blacklisting D. Work with the blacklisting organizations to get removed from the list

B. Sites like VirusTotal run multiple antimalware engines, which may use different names for malware packages. This can result in a malware package apparently matching multiple different infections.

A file is uploaded to VirusTotal and receives positive results, but the file is identified with multiple different malware package names. What has likely occurred? A. The malware is polymorphic and is being IDed as multiple viruses because it is changing. B. Different antimalware engines call the same malware package by different names. C. VirusTotal has likely misidentified the malware package, and this is a false positive. D. The malware contains multiple malware packages, resulting in the matches.

D. Although the infection may not cause the business to lose data permanently, there is an effect: systems must be restored from backup and investigated to determine whether data was exfiltrated as well as encrypted.

An admin is using the US-CERT NCISS observed activity levels to assess threat actor activity. If there are systems with active ransomware infections that have encrypted data on the systems but the systems have available and secure backups, at what level should the observed activity be rated? A. Prepare B. Engage C. Presence D. Effect

C. This flow sample shows four distinct hosts being contacted from 192.168.2.1: 10.2.3.1, 10.6.2.4, 10.6.2.5, and 10.8.2.5.

Based on the following NetFlow, how many distinct hosts should be reviewed to track malware using a fast flux network? A. 1 B. 3 C. 4 D. 5
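Added example (not from the original page): NetFlow-style analysis in Python covering both questions above. It groups one-packet SYN flows by source and destination port to detect a port scan, uses the presence of a reverse flow to separate answered from unanswered attempts, and counts distinct destination hosts for a given source. The flow records are constructed; the scanner address, ports and target hosts are assumptions, with the four hosts from the fast flux question reused as destinations.

```python
from collections import defaultdict

SERVICES = {22: "ssh", 23: "telnet", 25: "smtp", 80: "http", 443: "https"}

# Constructed NetFlow-style records: (src, sport, dst, dport, proto, packets, tcp_flags).
FLOWS = [
    # One-packet SYN-only flows from one host to port 22 on several hosts: a scan.
    ("10.1.1.50", 41000, "192.168.1.10", 22, "tcp", 1, "S"),
    ("10.1.1.50", 41001, "192.168.1.11", 22, "tcp", 1, "S"),
    ("10.1.1.50", 41002, "192.168.1.12", 22, "tcp", 1, "S"),
    ("10.1.1.50", 41003, "192.168.1.13", 22, "tcp", 1, "S"),
    # Only .12 answered (SYN/ACK back), so three of four attempts went unanswered.
    ("192.168.1.12", 22, "10.1.1.50", 41002, "tcp", 1, "SA"),
    # Ordinary sessions from 192.168.2.1 to four distinct hosts; one is visited twice.
    ("192.168.2.1", 51000, "10.2.3.1", 443, "tcp", 40, "SPA"),
    ("192.168.2.1", 51001, "10.6.2.4", 443, "tcp", 31, "SPA"),
    ("192.168.2.1", 51002, "10.6.2.5", 443, "tcp", 28, "SPA"),
    ("192.168.2.1", 51003, "10.8.2.5", 443, "tcp", 35, "SPA"),
    ("192.168.2.1", 51004, "10.2.3.1", 443, "tcp", 12, "SPA"),
]

def answered(flows):
    """Set of (src, sport, dst, dport) keys that have a matching reverse flow."""
    keys = {(s, sp, d, dp) for s, sp, d, dp, *_ in flows}
    return {(s, sp, d, dp) for s, sp, d, dp in keys if (d, dp, s, sp) in keys}

def find_scans(flows, min_targets=3):
    """Group one-packet SYN flows by (src, dport); a source touching
    min_targets or more distinct hosts on one port is scanning that service."""
    replied = answered(flows)
    by_src_port = defaultdict(lambda: {"targets": set(), "unanswered": 0})
    for s, sp, d, dp, proto, packets, flags in flows:
        if proto != "tcp" or packets != 1 or flags != "S":
            continue
        entry = by_src_port[(s, dp)]
        entry["targets"].add(d)
        if (s, sp, d, dp) not in replied:
            entry["unanswered"] += 1
    scans = {}
    for (src, dport), entry in by_src_port.items():
        if len(entry["targets"]) >= min_targets:
            scans[(src, dport)] = {
                "service": SERVICES.get(dport, str(dport)),
                "targets": len(entry["targets"]),
                "unanswered": entry["unanswered"],
            }
    return scans

def describe_scan(src, dport, info):
    """One-line verdict in the wording of the question above."""
    if info["unanswered"] == info["targets"]:
        tail = "all attempts unanswered"
    else:
        tail = f"{info['unanswered']} of {info['targets']} attempts unanswered"
    return f"{src} scanned {info['targets']} hosts on {info['service']}/{dport}; {tail}"

def distinct_hosts(flows, src):
    """Sorted list of distinct destination hosts contacted by src."""
    return sorted({d for s, _sp, d, *_ in flows if s == src})
```

find_scans(FLOWS) returns one scan, from 10.1.1.50 against ssh/22 on four hosts with three attempts unanswered, and distinct_hosts(FLOWS, "192.168.2.1") returns the four hosts even though one was visited twice. Real exporters record the reverse direction as its own flow, which is why the answered() lookup works on flow keys rather than on a bidirectional record.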

C. Since LOIC can leverage numerous hosts, limiting each connecting source to a connection rate and volume with a filter such as the iptables hashlimit match can help. IP-based blocklisting may work for small botnets, but it is difficult to maintain for larger attacks and may eventually block legitimate traffic. Dropping all SYN packets would prevent every TCP connection, legitimate ones included.

A system has been experiencing consistent DoS attacks from a version of LOIC (Low Orbit Ion Cannon), which leverages personal computers in a concerted attack by sending large amounts of traffic from each system to flood a server. What type of firewall rule should be used to limit the impact of a tool like this if bandwidth consumption from the attack itself is not the root problem? A. IP-based blacklisting B. Dropping all SYN packets C. Using a connection rate or volume-limiting filter per IP D. Using a route-blocking filter that analyzes common LOIC routes

B. In STIX, these values make up the attack resource level vocabulary, ranging from an individual up to government-level resources.

A threat actor is being profiled using STIX and can be labeled as one of the following: Individual, Club, Contest, Team, Organization, Government. What is being identified? A. Affiliation B. Attack resource level C. Certification level D. Threat name

B. Hostnames like the ones listed are the typical output of a domain generation algorithm (DGA), which procedurally generates domain names for malware command-and-control hosts so that taking down any one domain does not sever control.

After analyzing a malware package, the following list of hostnames are found: What was likely found in the malware package? A. A RPG B. A DGA C. A SPT D. A FIN
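Added example (not from the original page): a heuristic DGA scorer in Python. It extracts the registrable label from each hostname and combines four features (vowel ratio, longest run without a vowel, digit ratio, and character entropy on long labels), flagging a name when at least two indicators fire. The hostnames are constructed, since the page's list is not reproduced here; the thresholds are assumptions tuned to the sample, not a production model.

```python
import math

VOWELS = set("aeiou")

def entropy(s):
    """Shannon entropy of the character distribution, in bits per character."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def longest_nonvowel_run(s):
    best = run = 0
    for ch in s:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best

def dga_features(hostname):
    """Features of the registrable label (the one left of the TLD)."""
    labels = hostname.lower().strip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    label = "".join(ch for ch in label if ch.isalnum())
    n = len(label) or 1
    return {
        "label": label,
        "length": len(label),
        "entropy": entropy(label) if label else 0.0,
        "vowel_ratio": sum(ch in VOWELS for ch in label) / n,
        "digit_ratio": sum(ch.isdigit() for ch in label) / n,
        "nonvowel_run": longest_nonvowel_run(label),
    }

def dga_score(hostname):
    """Number of DGA indicators that fire (0 to 4); thresholds are assumptions."""
    f = dga_features(hostname)
    score = 0
    if f["vowel_ratio"] < 0.25:
        score += 1          # pronounceable words have plenty of vowels
    if f["nonvowel_run"] >= 4:
        score += 1          # long consonant/digit runs are rare in real names
    if f["digit_ratio"] > 0.1:
        score += 1          # digits mixed into the label
    if f["length"] >= 12 and f["entropy"] > 3.5:
        score += 1          # long label with near-uniform character use
    return score

def flag_dga(hostnames, threshold=2):
    """Hostnames scoring at least `threshold`, in input order."""
    return [h for h in hostnames if dga_score(h) >= threshold]

# Constructed sample; the page's own hostname list is not reproduced here.
NORMAL = ["www.google.com", "update.microsoft.com", "cdn.cloudflare.net", "stackoverflow.com"]
SUSPECT = ["xk2j9qpwmz4lrt.com", "qvbwjkzhrtpl.net", "d8f3k2j9x1m7.org"]
```

Entropy alone is a weak signal: stackoverflow.com scores 1 on the entropy rule and nothing else, which is why the verdict needs two indicators. Names with long consonant clusters (some German compounds, for instance) can still trip the rule, and two-part suffixes such as .co.uk would need a public-suffix list instead of the simple split, so in practice a score like this is combined with newly-registered-domain data and NXDOMAIN rates rather than used on its own.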

B. This case is well suited to machine learning. Trend analysis does not capture app-specific details, manual analysis would require staff to review every app, and 'endpoint analysis' is vague and undefined in this context.

An organization wants to identify known good behavior patterns for all the apps it uses. They do not want to have a staff member review logs and behaviors for every app in every scenario. What type of analytical tool would be best suited to dealing with this volume and type of data? A. Trend analysis B. Machine learning C. Manual analysis D. Endpoint analysis

D. When an email is forwarded, the client creates a new message with a new Message-ID header. The In-Reply-To and References headers are reply-threading fields that forwarding does not reliably set, so none of these headers prove forwarding. The best option is to look for clues such as a subject line beginning with 'FWD', a 'Forwarded message' block in the body, or the original message attached with its own headers intact.

By analyzing the headers of the email, how can it be determined if a received email was forwarded? A. Reviewing the Message-ID to see if it has been incremented B. Checking for the In-Reply-To field C. Checking for the References field D. It cannot be determined by analyzing the headers

C. Packers, or runtime packers, compress or encode a binary so that it self-extracts when run, making the code harder to reverse-engineer. Crypters may use actual encryption or simply obfuscate the code, making it harder to interpret or read. Protectors are software intended to prevent reverse engineering and often include packing and encryption techniques along with other protective technologies. 'Shuffler' is not a standard term for such a tool.

During analysis of a malware file, an encoded file is found that is believed to be the primary binary in the package. Which of the following is not a type of tool that the malware writers may have used to obfuscate the code? A. Packer B. Crypter C. Shuffler D. Protector

B. Data enrichment combines data from multiple sources such as directories, geolocation information, and other internal data sources, as well as threat feeds, to provide deeper and broader security insight. It is not merely a form of threat feed combination; combining feeds is a narrower technique that only aggregates threat data.

How does data enrichment differ from threat feed combination? A. Data enrichment is a form of threat feed combination for security insights, focuses on adding more threat feeds together for a full picture, and removes third-party data to focus on core data elements rather than adding together multiple data sources B. Data enrichment uses events and nonevent info to improve security insights, instead of just combining threat info C. Threat feed combination is more useful than data enrichment because of its focus on only the threats D. Threat feed combination techniques are mature, and data enrichment is not ready for enterprise use

C. Threat intelligence feeds are commonly used to supply IP addresses and domains for firewall rules, but, unlike option B suggests, feeds do not normally push complete firewall rules onto devices in real time. Firewalls typically do not analyze their own logs to create STIX entries, nor do they reason about threat actor names, resource levels, or sophistication.

How is integrated intelligence most commonly used in a firewall system? A. The firewall searches for new IPs to block and creates a STIX feed entry. B. The intelligence feed provides firewall rules that are implemented on the firewall in real time. C. Threat intelligence is used to provide IP information for rules. D. Named threat actors are blocked based on their threat level and resource model.

D. Discovering an APT in an admin system typically indicates that you have lost control of the environment.

How should signs of an APT resident in admin systems be classified? A. Significant impact to noncritical services B. Denial of noncritical systems C. Significant impact to critical services D. Denial of critical services or loss of control

D. The key requirements are that this is an existing network and that the systems are BYOD. Agentless checking avoids the hurdle of installing software on devices the organization does not own, and an out-of-band solution is easier to retrofit because it works with the existing switches and authentication infrastructure. An in-line NAC device must sit in the traffic path, which can require re-architecting the network to place it at a central choke point. Of the options listed, agentless, out-of-band NAC is therefore the fit.

Latisha wants to ensure that BYOD workstations that connect to her network meet specific minimum operating system patch level requirements. She also wants to place them into the correct VLAN for the user group that the logged-in user belongs to. She is deploying her solution to an existing, complex network. What solution should she recommend? A. Agent-based, in-line NAC B. Agentless, in-line NAC C. Agent-based, out-of-band NAC D. Agentless, out-of-band NAC

D. Mateo's only sure way to prevent these services from being reached is to put a network firewall in front of them. Many appliances enable services by default and, being appliances, may not offer a host firewall to enable; they often have no patches available, and many do not allow the services they expose to be disabled or modified. Where the appliance does permit it, disabling unused services and restricting management access to a dedicated management VLAN are worthwhile additional steps.

Mateo is responsible for hardening systems on his network, and he discovers that a number of network appliances have exposed services including telnet, FTP, and web servers. What is his best option to secure these systems? A. Enable host firewalls B. Install patches for those services C. Turn off the services for each appliance D. Place a network firewall between the devices and the rest of the network

C. A data loss prevention (DLP) system may be able to intercept and block unencrypted sensitive information leaving the web server, but it does not apply cryptography to web communications.

Pranab is implementing cryptographic controls to protect his organization and would like to use defense-in-depth controls to protect sensitive information stored and transmitted by a web server. Which one of the following controls would be least suitable to directly provide this protection? A. TLS B. VPN C. DLP D. FDE

C. Binary diffing looks at multiple potentially related binaries that have anti-reverse-engineering tools run on them and looks for similarities. Graphs map this data, helping the tool identify malware families despite the protections that malware authors bake in.

The automated malware analysis tool that Jose is using uses a disassembler and performs binary diffing across multiple malware binaries. What information is the tool looking for? A. Calculating minimum viable signature length B. Binary fingerprinting to identify the malware author C. Building a similarity graph of similar functions across binaries D. Heuristic code analysis of development techniques

C. The command only stops the running instance of the service; Upstart starts it again at boot unless the job is disabled, which is done by creating a .override file for the job containing the 'manual' stanza. On systemd-based distributions the equivalent is systemctl disable (or mask) for the unit. In either case the binary should be investigated and removed once the service is confirmed malicious.

The following Linux command is issued using upstart to stop a rogue service: service rogueservice stop After a reboot, the service is running again. What happened, and what needs to be done to prevent this? A. The service restarted at reboot, so the -p, or permanent flag, must be included B. The service restarted itself, so the binary associated with the service must be deleted C. The service restarted at reboot, so an .override file should be added to stop the service from starting D. A malicious user restarted the service, so it must be ensured users cannot restart services

C. The best option is to delete emails with these URLs from all inbound email. Blocking or monitoring for the IP addresses can help, but mobile and off-site users will not be protected if they do not send their traffic through a firewall or IDS.

The following entries are observed after the openphish URL is added to a SOAR: What action should be taken on phishing URLs? A. Block the IP address at the border firewall B. Monitor for the IP address using an IDS C. Delete emails with the URL from inbound email D. Nothing, as these have not been confirmed

D. Linux systems keep user account information in /etc/passwd and password hashes plus account expiration information in /etc/shadow. The two files have different formats, so running diff between them produces nothing useful; compare each file against a known-good copy or baseline instead.

The following is output after running a diff of /etc/shadow and /etc/passwd. What has occurred? A. The root account has been compromised B. An account named daemon has been added C. The shadow password file has been modified D. /etc/shadow and /etc/passwd cannot be diffed to create a useful comparison

A. SCAP (Security Content Automation Protocol) is a set of specifications that define how to exchange security content used to assess configuration compliance. It can also be used to detect vulnerable versions of software.

What is the Security Content Automation Protocol used for? A. Assessing configuration compliance B. Testing for sensitive data in transit C. Testing for sensitive data at rest D. Assessing threat levels

D. In the STIX threat actor sophistication vocabulary, state actors responsible for APT-level attacks are classified as strategic. Expert actors are highly skilled and may write their own tools, but they do not operate at the scale or with the resources of a state-level APT.

What STIX threat actor sophistication level best fits the type of actor responsible for APT-level attacks? A. Intermediate B. Advanced C. Expert D. Strategic

C. Resource Monitor (resmon.exe) shows real-time CPU, memory, disk, and network utilization and graphs it over time, allowing a user to watch for spikes and drops that may indicate abnormal behavior. Sysmon is an event logging tool rather than a utilization viewer, and sysgraph and resgraph do not exist.

What Windows tool can be used to understand memory, CPU, and disk utilization by displaying performance in both real-time and over a period of time? A. sysmon B. sysgraph C. resmon D. resgraph

D. TAXII's standardized format and built-in mechanisms for securing data in transit mean that it speeds up data exchange while giving participating tools a common format, and thus easy interoperability.

What advantages does TAXII provide for threat feed combination? A. Interoperability between security tools B. Confidentiality and integrity of data C. Greater speed for sharing of data D. All of the above

A. Windows 10 Pro and Enterprise support application whitelisting (allow-listing) through built-in policy mechanisms such as AppLocker and Windows Defender Application Control, so no third-party tool is needed. Windows Defender has no user-maintained blacklist file, and secpol.msc has no 'Blocked Programs' list.

What can be done to prevent users from running a popular game on a Windows 10 Pro workstation? A. Using app whitelisting to prevent all prohibited programs from running B. Using Windows Defender and adding the game to the blacklist file C. Listing it in the Blocked Programs list via secpol.msc D. You cannot blacklist apps in Windows 10 without a third-party app

B. In numeric mode syntax each digit is the sum of read (4), write (2), and execute (1), with 0 meaning no permissions, for the owner, group, and others in that order. 744 gives the owner read, write, and execute and everyone else read only. Because a text file never needs the execute bit, 644 would be the tighter choice in practice; 777 grants everyone write and execute, option C has the arguments in the wrong order, and 447 gives others more rights than the owner.

What command can be used to change the permissions on a file named public_secrets.txt to make it readable to all users on a system without providing the ability to execute or write to the file? A. chmod 777 public_secrets.txt B. chmod 744 public_secrets.txt C. chmod public_secrets.txt 777 D. chmod 447 public_secrets.txt

B. The top command shows a dynamic, real-time list of running processes, sorted by CPU usage by default. A one-shot alternative that is easier to script is ps -eo pid,pcpu,comm --sort=-pcpu | head.

What command could be run to find the process with the highest CPU utilization if you did not have access to htop? A. ps B. top C. proc D. load

C. When faced with massive numbers of notification messages sent too aggressively, admins tend to ignore or filter the alerts, so a real outage is missed. An alert like this should fire once and then repeat on a back-off schedule, or only when the condition changes.

What danger is created by the following pseudo-code alert? Send an SMS alert every 30 seconds when systems do not send logs for more than 1 minute A. DDoS that causes admins to not be able to access systems B. Network outage C. Admins may ignore or filter the alerts D. Memory spike

B. Data loss prevention (DLP) systems use business rules that define when and how data is allowed to move around an organization, as well as how it should be classified.

What do DLP systems use to classify data and to ensure that it remains protected? A. Data signatures B. Business rules C. Data egress filters D. Data at rest

C. Endpoint detection and response (EDR) tools use software agents to monitor endpoint systems and to collect data about processes, user and system activity, and network traffic, which is then sent to a central processing, analysis, and storage system.

What does EDR use to capture data for analysis and storage in a central database? A. Network tap B. Network flows C. Software agents D. Hardware agents

B. PowerShell, wmic, and winrm.vbs are all commonly used for remote execution of code or scripts, and finding them in use on a typical workstation should cause you to be worried as most users will never use any of the three.

What does execution of wmic.exe, powershell.exe, or winrm.vbs most likely indicate if you discover one or more was run on a typical end user's workstation? A. A scripted application installation B. Remote execution of code C. A scripted application uninstallation D. A zero-day attack

B. ps lists the currently running processes; aux is a set of BSD-style options selecting all processes with user-oriented output. It is normally written without the dash: 'ps -aux' in POSIX syntax asks for the processes of a user named x, and procps falls back to the BSD meaning only because no such user exists. The output is piped to grep, which keeps lines containing 'apache2', and that list is piped to a second grep that keeps lines containing 'root'. One caveat: the grep processes themselves appear in the ps output with 'apache2' on their command line, so the pipeline may list its own grep; add grep -v grep, or use pgrep -u root apache2 instead. Chaining pipes this way processes large volumes of text quickly.

What does the following command do when executed? ps -aux | grep apache2 | grep root A. Search for all files owned by root named apache2 B. Check currently running processes with the word apache2 and root both appearing in the output of ps C. Shut down all apache2 processes run by root D. Not enough info to answer

B. Endpoint detection and response (EDR) tools are integrated security solutions that monitor endpoint systems and collect activity data, and then use threat intelligence and behavior to automatically respond by removing or quarantining potential threats. A CRM is a customer relationship management tool. A UEBA captures user behavior but does not have the same threat intelligence and response capabilities that an EDR has.

What sort of tool should be used to combine behavioral detection of indicators of attack based on current threat intelligence with real-time visibility into a system? A. An IPS B. An EDR C. A CRM D. A UEBA

D. SPF and DKIM each help, but DMARC builds on both: it requires that the passing SPF or DKIM identity align with the From domain, tells receivers how to treat mail that fails, and provides reporting. This prevents impersonation of the domain when the receiving organizations also enforce DMARC. IMAP is a mailbox access protocol and plays no part in sender verification.

What technology can help prevent email impersonation? A. IMAP B. SPF C. DKIM D. DMARC

B. User and entity behavior analytics (UEBA) captures data about users, entities, and events along with other security data, applies statistical and other models to detect abnormal or unexpected behavior, and then alerts admins so that they can review the information and take action.

What technology tracks endpoint user and entity behaviors, centralizes that data as well as other security data, and then uses statistical models to detect unusual behavior and notify admins? A. IPS B. UEBA C. IDS D. DMARC

B. The -i flag makes grep ignore case, so the command prints every occurrence of 'example' in every file with a .txt extension in the current directory, regardless of case and regardless of the surrounding letters ('examples' and 'counterexample' match too; add -w to match whole words only).

What text will the following command match? grep -i example *.txt A. All text files in the current directory with the word 'example' in it B. All occurrences of the text 'example' in all files in the current directory with a .txt extension C. All occurrences of the lowercase text 'example' in all files in the current directory with a .txt extension D. All TXT files with a filename including the word 'example' in the current directory and subdirectories

B. Windows supports both DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization). Together they make buffer overflows much harder to exploit: DEP prevents memory pages tagged as data from being executed, and ASLR randomizes where code and data are loaded so that an overflow cannot rely on known addresses. Neither prevents the overflow itself; that requires fixing the code.

What two built-in technologies should be considered to prevent buffer overflow attacks on a Windows server? A. Memory firewall and stack guard B. ASLR and DEP C. ASLR and DLP D. Memory firewall and buffer guard

D. Artificial intelligence (AI) and machine learning (ML) approaches are suited to large volumes of log and analytical data. Manual processes such as hypothesis-driven investigations, or investigations driven by IOCs or IOAs, take significant analyst time at that scale.

What type of approach is best suited to using large volumes of log and analytical data? A. Hypothesis-driven investigation B. Investigation based on indicators of compromise C. Investigation based on indications of attack D. AI/ML-based investigation

B. Brute-force attacks depend on making many attempts to log in, access a service, or otherwise probe a target. A back-off algorithm limits this by allowing only a small number of attempts before each further attempt incurs a growing delay or a timed lockout.

What type of attack is a back-off algorithm intended to limit or prevent? A. DoS attacks B. Brute-force attacks C. Compromised credential-based attacks D. Trojans
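Added example (not from the original page): an exponential back-off limiter for login attempts, with a fake clock so the simulation runs without sleeping. The free-attempt count, base delay and cap are assumptions; the point is to see how few of an attacker's guesses actually reach password verification once the back-off engages.

```python
import time

class BackoffLimiter:
    """Per-key exponential back-off. The first `free_attempts` failures cost
    nothing; each further failure doubles the wait before the next attempt is
    accepted, capped at `max_delay`. A success clears the history."""

    def __init__(self, free_attempts=3, base_delay=1.0, max_delay=300.0,
                 clock=time.monotonic):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock                  # injectable for tests and simulation
        self._failures = {}                 # key -> (count, time of last failure)

    def required_wait(self, key):
        count, _ = self._failures.get(key, (0, 0.0))
        if count < self.free_attempts:
            return 0.0
        return min(self.max_delay, self.base_delay * 2 ** (count - self.free_attempts))

    def allowed(self, key):
        """Return (ok, seconds_to_wait). Call this before checking the password."""
        _, last = self._failures.get(key, (0, 0.0))
        remaining = self.required_wait(key) - (self.clock() - last)
        return (True, 0.0) if remaining <= 0 else (False, remaining)

    def record_failure(self, key):
        count, _ = self._failures.get(key, (0, 0.0))
        self._failures[key] = (count + 1, self.clock())

    def record_success(self, key):
        self._failures.pop(key, None)

class FakeClock:
    """Deterministic clock so the simulation does not actually sleep."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds

def simulate_bruteforce(guesses, interval=0.5):
    """An attacker fires `guesses` wrong passwords at one account, one every
    `interval` seconds. Returns how many the server actually had to verify."""
    clock = FakeClock()
    limiter = BackoffLimiter(clock=clock)
    verified = 0
    for _ in range(guesses):
        ok, _wait = limiter.allowed("alice")
        if ok:
            verified += 1                   # the password check would run here
            limiter.record_failure("alice") # every guess is wrong
        clock.advance(interval)
    return verified
```

simulate_bruteforce(40) returns 7: forty guesses half a second apart, of which only seven are checked, because after three free failures the wait doubles each time (1, 2, 4, 8, 16 seconds). Keyed by source address instead of account, the same limiter also answers the alert flood in the pseudo-code question above: re-send a notification on a growing interval instead of every 30 seconds.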

B. Tripwire can monitor files and directories for changes.

What type of info can be determined from Tripwire logs on a Linux system if it is configured to monitor a directory? A. How often the directory is accessed B. If files in the directory have changed C. If sensitive data was copied out of the directory D. Who has viewed files in the directory

C. API-based integration allows a SOAR platform to query each tool for exactly the data it needs, when it needs it. Flat files and CSVs are useful when there is no API, or no support for it in the environment, and real-time data is not required. Email integrations introduce delay, since email delivery has no guaranteed speed, and require additional parsing and processing to extract the information.

What type of integration is best suited to provide up-to-the-moment data for the SOAR tool? A. CSV B. Flat file C. API D. Email

B. A SOAR (Security Orchestration, Automation, and Response) tool does exactly what is described. A SIEM provides similar collection and correlation, but SOAR platforms acquire data from a broader set of platforms and add workflow automation. UEBA (User and Entity Behavior Analytics) tools focus on behaviors rather than on a broad set of organizational data, and MDR (managed detection and response) is a service used to speed up detection and response, not a tool for orchestration.

What type of tool can coordinate info from a wide range of platforms so that it can be seen in a central location with automated responses as part of security workflows? A. UEBA B. SOAR C. SIEM D. MDR

C. A workflow orchestration tool is designed to automatically configure, manage, and otherwise oversee systems, applications, and services. Scripts can be used to do this but can be overly complex and failure prone. APIs are used to send and receive data from apps or programs.

What type of tool can provision servers, create virtual servers and assign storage to them, and configure networking and security policies? A. Scripting B. APIs C. Workflow orchestration D. SCAP

D. The flags -n, -i, and -v mean list line numbers, ignore case, and invert the match, so the command prints every line (with its line number) in which 'mike' does not appear, regardless of case. Using * as the file argument matches every file in the current directory; grep will complain about any directories it meets unless -r is added.

What will a search using the following command do? grep -n -i -v mike * A. List all the lines where the word 'mike' shows up, regardless of case in all files in the current directory B. Search all files with the word 'mike' in the filename for lowercase words C. Search a file named 'mike' for all uppercase words D. List all the lines where the word 'mike' does not show up, regardless of case, in all files in the current directory

B. Firewall logs typically contain information similar to NetFlow records: source, destination, ports, and the allow or deny verdict. However, a firewall does not always see the same traffic as the switches and routers that generate NetFlow; internal east-west traffic may never cross it. Router and switch logs record device events rather than per-connection data, and IPSs do not record routine traffic.

Which one of the following data sources is best suited to serve as a compensating control for a lack of NetFlow information? A. Router logs B. Firewall logs C. Switch logs D. IPS logs

D. Human safety and lives are always the most critical system or resource. On the US-CERT scale, safety systems receive 100/100 on the scale.

When measuring the impact of the location of observed activity by a threat actor, which of the following should be the highest rated threat activity location based on the US-CERT's scale? A. Critical system DMZ B. Business network C. Business DMZ D. Safety systems

B. NAC solutions that filter on employee job function commonly use time-based criteria so that employees have access only during their working hours, role-based criteria tied to their duties, and location-based rules so that they only reach the networks where they work. Rule-based criteria typically evaluate system health and configuration, so they focus on the device rather than the user.

Which of the following NAC criteria are least suited to filtering based on a user's job? A. Time-based B. Rule-based C. Role-based D. Location-based

B. By default, an iptables firewall has INPUT, OUTPUT, and FORWARD chains. Setting the default policy of all three chains to DROP stops all traffic to, from, or through the system.

Which of the following commands is not one of the three iptables commands needed to stop all traffic from reaching or leaving a Linux system? A. #iptables --policy INPUT DROP B. #iptables --policy SERVICE DROP C. #iptables --policy OUTPUT DROP D. #iptables --policy FORWARD DROP

D. DNS sinkholes can block many types of drive-by downloads by preventing systems from connecting to malicious sites. DNS sinkholes do have limitations: they only work when a DNS query occurs, which means that some malware uses IP addresses directly to avoid them. They also cannot stop malware from being executed, and malware could use a hard-coded DNS server instead of the organization's DNS server.

Which of the following is not a limitation of a DNS sinkhole? A. They do not work on traffic sent directly to an IP address B. They do not prevent malware from being executed C. They can be bypassed using a hard-coded DNS server D. They cannot block drive-by-download attempts

B. Tripwire and similar programs are designed to monitor files for changes and to report on changes that occur. They rely on file fingerprints (hashes) and are designed to be reliable and scalable.

Which of the following methods is best suited to verifying that a file has not changed on a system on a regular basis? A. Use sha1sum to generate a hash for the file and write a script to check it periodically B. Install and use Tripwire C. Periodically check the MAC info for the file using a script D. Encrypt the file and keep the key secret so the file cannot be modified

B. Scheduled tasks, service creation, and autostart registry keys are all commonly found on Windows systems for legitimate purposes. Replacing services is far less common unless a known upgrade or patch has occurred.

Which of the following persistence techniques is not commonly used for legitimate purposes too? A. Scheduled tasks B. Service replacement C. Service creation D. Autostart registry keys

C. The most common solution to identifying malicious embedded links in email is to use an antimalware software package to scan all emails. They typically include tools that combine IP and domain reputation lists as well as other heuristic and analytical tools to help identify malicious and unwanted links.

Which of the following solutions is the most common method of decreasing the risk of embedded links in emails? A. Removing all links in email B. Redirecting links in email to a proxy C. Scanning all email using an antimalware tool D. Using a DNS blackhole and IP reputation list

D. Linux systems typically keep user account information stored in /etc/passwd, and /etc/shadow contains password and account expiration information. Using diff between the two files is not a useful strategy in this scenario.

While investigating a compromise, Glenn encounters evidence that a user account has been added to the system he is reviewing. He runs a diff of /etc/shadow and /etc/passwd. What can be determined from the output? A. The root account has been compromised. B. An account has been added. C. The shadow password file has been modified. D. /etc/shadow and /etc/passwd cannot be diffed to create a useful comparison.

C. Availability analysis targets whether a system or service is working as expected. Although a SIEM may not have direct availability analysis capabilities, reporting on when logs or other data are not received from source systems can help detect outages.

While monitoring the SIEM, an administrator notices that all of the log sources from the New York branch have stopped reporting for the past 24 hours. What type of detection rules should be configured to make sure this is detected sooner next time? A. Heuristic B. Behavior C. Availability D. Anomaly

A. The best option is to scan the system with a tool capable of detecting the Dridex malware. Since most command and control infrastructures have multiple control nodes, simply blocking traffic to or from the external system might be helpful, but it is unlikely to stop the infection from carrying out its actions.

While reviewing IPS logs, the following entry is observed: ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) What should the next action be? A. Run an antimalware scan of the system associated with the detection B. Block inbound traffic from the external system associated with the infection C. Block outbound traffic to the external system associated with the infection D. Nothing, as this is a false positive due to an expired certificate

C. This command links ~/.bash_history to /dev/null, so commands entered at the Bash shell prompt are discarded rather than logged.

While reviewing the command history for an administrative user, Lakshman discovers a suspicious command that was captured: ln /dev/null ~/.bash_history What action was this user attempting to perform? A. Enabling the Bash history B. Appending the contents of /dev/null to the Bash history C. Logging all shell commands to /dev/null D. Allowing remote access from the null shell
