CySA+ Part I
A security analyst received an alert from the SIEM indicating numerous login attempts from users outside their usual geographic zones, all of which were initiated through the web-based mail server. The logs indicate all domain accounts experienced two login attempted during the same time frame. Which of the following is the MOST likely cause of this issue? A. A password-spraying attack was performed against the organization B. A DDoS attack was performed against the organization C. This was normal shift work activity; the SIEM's AI is learning D. A credentialed external vulnerability scan was performed
A. A password-spraying attack was performed against the organization
The security technician is testing a solution that will prevent outside entities from spoofing the company's email domain, which is comptia.org. The testing is successful, and the security technician is prepared to fully implement the solution. Which of the following actions should the technician take to accomplish this task? A. Add TXT @ 'v=spf mx include:_spf.comptia.org -all"to the DNS record B. Add TXT @ 'v=spf mx include:_spf.comptia.org -all"to the email server C. Add TXT @ 'v=spf mx include:_spf.comptia.org -all"to the domain controller D. Add TXT @ 'v=spf mx include:_spf.comptia.org -all"to the web server
A. Add TXT @ 'v=spf mx include:_spf.comptia.org -all"to the DNS record
Which of the following BEST describes the process by which code is developed, tested, and deployed in small batches? A. Agile B. Waterfall C. SDLC D. Dynamic code analysis
A. Agile
A new on-premises application server was installed on the network. Remote access to the server was enabled for vendor support on required ports, but recent security reports show large amounts of data are being sent to various unauthorized networks through those ports. Which of the following configuration changes must be implemented to resolve this security issue while still allowing remote vendor access? A. Apply a firewall application server rule B. Whitelist the application server C. Sandbox the application server D. Enable port security E. Block the unauthorized networks
A. Apply a firewall application server rule
Which of the following is the MOST important objective of a post-incident review? A. Capture lessons learned and improve incident response processes B. Develop a process for containment and continue improvement efforts C. Identify new technologies and strategies to remediate D. Identify a new management strategy
A. Capture lessons learned and improve incident response processes
A large amount of confidential data was leaked during a recent security breach. As part of a forensic investigation, the security team needs to identify the various types of traffic that were captured between two compromised devices. Which of the following should be used to identify the traffic? A. Carving B. Disk imaging C. Packet analysis D. Memory dump E. Hashing
A. Carving
Which of the following are components of the intelligence cycle? A. Collection B. Normalization C. Response D. Analysis E. Correction F. Dissension
A. Collection D. Analysis
A CISO wants to upgrade an organization's security posture by improving proactive activities associated with attacks from internal and external threats. Which of the following is the most proactive tool or technique that feeds incident response capabilities? A. Development of a hypothesis as part of threat hunting B. Log correlation, monitoring, and automated reporting through a SIEM platform C. Continuous compliance monitoring using SCAP dashboards D. Quarterly vulnerability scanning using credentialed scans
A. Development of a hypothesis as part of threat hunting
A compliance officer of a large organization has reviewed the firm's vendor management program but has discovered there are no controls defined to evaluate third-party risk or hardware source authenticity. The compliance officer wants to gain some level of assurance on a recurring basis regarding the implementation of controls by third parties. Which of the following would BEST satisfy the objectives defined by the compliance officer? A. Executing vendor compliance assessments against the organization's security controls B. Executing NDAs prior to sharing critical data with third parties C. Soliciting third-party audit reports on an annual basis D. Maintaining and reviewing the organization risk assessment on a quarterly bases E. Completing a business impact assessment for all critical service providers F. Utilizing DLP capabilities at both the endpoint and perimeter levels
A. Executing vendor compliance assessments against the organization's security controls C. Soliciting third-party audit reports on an annual basis
A security analyst discovers accounts in sensitive SaaS-based systems are not being removed in a timely manner when an employee leaves the organization. To BEST resolve the issue, the organization should implement A. Federated authentication B. Role-based access control C. Manual account reviews D. Multifactor authentication
A. Federated authentication
The security team wants to make SaaS solutions accessible from only the corporate campus. Which of the following would BEST accomplish this goal? A. Geofencing B. IP restrictions C. Reverse proxy D. Single sign-on
A. Geofencing
A security analyst is trying to determine if a host is active on a network. The analyst first attempts the following (SEE FIG 42). Which of the following would explain the difference in results? A. ICMP is being blocked by a firewall B. The routing tables for ping and hping3 were different C. The original ping command needed root permission to execute D. hping3 is returning a false positive
A. ICMP is being blocked by a firewall
Which of the following software security best practices would prevent an attacker from being able to run arbitrary SQL commands within a web application? A. Parameterized queries B. Session management C. Input validation D. Output encoding E. Data protection F. Authentication
A. Parameterized queries C. Input validation
A monthly job to install approved vendor software updates and hot fixes recently stopped working. The security team performed a vulnerability scan, which identified several hosts as having some critical OS vulnerabilities, as referenced in the common vulnerabilities and exposures (CVE) database. Which of the following should the security team do NEXT to resolve the critical findings in the most effective manner? A. Patch the required hosts with the correct updates and hot fixes, and rescan them for vulnerabilities B. Remove the servers reported to have high and medium vulnerabilities C. Tag the computers with critical findings as a business risk acceptance D. Manually patch the computers on the network, as recommended on the CVE website E. Harden the hosts on the network, as recommended by the NIST framework F. Resolve the monthly job issues and test them before applying them to the production network
A. Patch the required hosts with the correct updates and hot fixes, and rescan them for vulnerabilities F. Resolve the monthly job issues and test them before applying them to the production network
A security analyst is providing a risk assessment for a medical device that will be installed on the corporate network. During the assessment, the analyst discovers the device has an embedded operating system that will be installed on the corporate network. During the assessment, the analyst discovers the device has an embedded operating system that will be at the end of its life in two years. Due to the criticality of the device, the security committed makes a risk-based policy decision to review and enforce the vendor before the end of life is reached. Which of the following risk actions has the security committee taken? A. Risk exception B. Risk avoidance C. Risk tolerance D. Risk acceptance
A. Risk exception
A cybersecurity analyst is investigating a potential incident multiple systems on a company's internal network. Although there is a negligible impact to performance, the following systems are present on each of the affected systems: - Existence of a new and unexpected svchost.exe process - Persistent, outbound TCP/IP connection to an unknown external host with routine keep-alives transferred - DNS query logs showing successful name resolution for an Internet-resident dynamic DNS domain. If this situation remains unresolved, which of the following will MOST likely occur? A. The affected hosts may participate in a coordinated DDoS attack upon command B. An adversary may leverage the affected hosts to reconfigure the company's router ACLs C. Key files on the affected hosts may become encrypted and require ransom payment for unlock D. The adversary may attempt to perform a MITM attack
A. The affected hosts may participate in a coordinated DDoS attack upon command B. An adversary may leverage the affected hosts to reconfigure the company's router ACLs
Because some clients have reported unauthorized activity of their accounts, a security analyst is reviewing network packet captures from the company's API server. A portion of a capture file is shown below (SEE FIG 58). Which of the following MOST likely explains how the clients' accounts were comprised? A. The clients' authentication tokens were impersonated and replayed B. The clients' usernames and passwords were transmitted in cleartext C. A XSS scripting attack was carried out on the server D. A SQL injection attack was carried out on the server
A. The clients' authentication tokens were impersonated and replayed
During an investigation, a security analyst identified machines that are infected with malware the antivirus was unable to detect. Which of the following is the BEST place to acquire evidence to perform data carving? A. The system memory B. The hard drive C. Network packets D. The Windows Registry
A. The system memory
An analyst is reviewing the following output (SEE FIG 31). Which of the following was MOST likely used to discover this? A. Reverse engineering using a debugger B. A static analysis vulnerability scan C. A passive vulnerability scan D. A web application vulnerability scan
B. A static analysis vulnerability scan
A security analyst gathered forensics from a recent intrusion in preparation for legal proceedings. The analyst used EnCase to gather the digital forensics, cloned the hard drive, and took the hard drive home for further analysis. Which of the following did the security analyst violate? A. Cloning procedures B. Chain of custody C. Hashing procedures D. Virtualization
B. Chain of custody
A security analyst for a large financial institution is creating a threat model for a specific threat actor that is likely targeting an organization's financial assets. Which of the following is the BEST example of the level of sophistication this threat actor is using? A. Social media accounts attributed to the threat actor B. Custom malware attributed to the threat actor from prior attacks C. Email addresses and phone numbers tied to the threat actor D. Network assets used in previous attacks attributed to the threat actor E. IP addresses used by the threat actor for command and control
B. Custom malware attributed to the threat actor from prior attacks
Which of the following roles is ultimately responsible for determining the classification levels assigned to specific data sets? A. Data custodian B. Data owner C. Data processor D. Senior management
B. Data owner
A cybersecurity analyst is contributing to a team hint on an organization's endpoints. Which of the following should the analyst do FIRST? A. Write detection logic B. Establish a hypothesis C. Profile the threat actors and activities D. Perform a process analysis
B. Establish a hypothesis
A development team uses open-source software and follows an Agile methodology with two-week sprints. Last month, the security team filed a bug for an insecure version of a common library. The DevOps team updated the library on the server, and then the security team rescanned the server to verify it was no longer vulnerable. This month, the security team found the same vulnerability on the server. Which of the following should be done to correct the cause of the vulnerability. A. Deploy a WAF in front of the application B. Implement a software repository management tool C. Install a HIPS on the server D. Instruct the developers to use input validation in the code
B. Implement a software repository management tool
Legacy medical equipment, which contains sensitive data, cannot be patched. Which of the following is the MOST practical solution to improve the equipment's security posture? A. move the legacy systems behind a WAF B. Implement an air gap for the legacy systems C. place the legacy systems in a DMZ D. implement a VPN between the legacy system and the local network
B. Implement an air gap for the legacy systems
A web-based front end for a business intelligence application uses pass-through authentication to authenticate users. The application then uses service account to perform queries and look up data in a database. A security analyst discovers employees are accessing data sets they have not been authorized to use. Which of the following will fix the cause of the issue? A. Change the security model to force the users to access the database as themselves B. Parameterize queries to prevent unauthorized SQL queries against the database C. Configure database security logging using syslog or a SIEM D. Enforce unique session IDs so users do not get reused session ID
B. Parameterize queries to prevent unauthorized SQL queries against the database
An application authenticates users. The application then uses a service account to perform queries and look up data in a database. A security analyst discovers employees are accessing data sets they have not been authorized to use. Which of the following will fix the cause of the issue? A. Change the security model to force the users to access databases as themselves B. Parameterize queries to prevent unauthorized SQL queries against the database C. Configure database security logging using syslog or a SIEM D. Enforce unique session lds so users do not get a reused session ID
B. Parameterize queries to prevent unauthorized SQL queries against the database
An audit has revealed an organization is using a large number of servers that are running unsupported operating systems. As part of the management response phase of the audit, which of the following would BEST demonstrate senior management is appropriately aware of and addressing the issue? A. Copies of prior audits that did not identify the servers as an issue B. Project plans relating to the replacement of the servers that were approved by management C. Minutes from meetings in which risk assessment activities addressing the servers were discussed D. ACLs from perimeter firewalls showing blocked access to the servers E. Copies of the change orders related to the vulnerable servers
B. Project plans relating to the replacement of the servers that were approved by management
An audit has revealed an organization is using a large number of servers that are running unsupported operating systems. As part of the management response phase of the audit, which of the following would BEST demonstrate senior management is appropriately aware of and addressing the issue? A. Copies of prior audits that did not identify the servers as an issue B. Project plans relating to the replacement of the servers that were approved by management C. Minutes from meetings in which risk assessment activities addressing the servers were were discussed D. ACLs from perimeter firewalls showing blocked access to the servers E. Copies of change orders relating to the vulnerable servers
B. Project plans relating to the replacement of the servers that were approved by management
Which of the following would MOST likely be included in the incident response procedure after a security breach of customer PII? A. Human resources B. Public relations C. Marketing D. Internal network operations center
B. Public relations
The security team at a large corporation is helping the payment-processing team to prepare for a regulatory compliance audit and meet the following objectives: -Reduce the number of potential findings by the auditors - Limit the scope of the audit to only devices used by the payment-processing team for activities directly impacted by the regulations - Prevent the external-facing web infrastructure used by other teams from coming into scope - Limit the amount of exposure the company will face if the systems used by the payment-processing team are compromised. Which of the following would be the MOST effective way for the security team to meet these objectives? A. Limit the permissions to prevent other employees from accessing data owned by the business unit B. Segment the servers and systems used by the business unit from the rest of the network C. Deploy patches to all servers and workstations across the entire organization D. Implement full-disk encryption on the laptops used by employees of the payment-processing team
B. Segment the servers and systems used by the business unit from the rest of the network
Which of the following software assessment methods would be BEST for gathering data related to an application's availability during peak times? A. Security regression testing B. Stress testing C. Static analysis testing D. Dynamic analysis testing E. User acceptance testing
B. Stress testing
A company's marketing emails are either being found in a spam folder or not being delivered at all. The security analyst investigates the issue and discovers the emails in question are being sent on behalf of the company by a third party, mail.marketingpartners.com. Below is the existing SPF record: V=spfl a mx -all. Which of the following updates to the SPF record will work BEST to prevent the emails from being marked as spam or blocked? A. V=spfl a mx redirect:mail.marketingpartners.com ?all B. V=spfl a mx redirect:mail.marketingpartners.com -all C. V=spfl a mx +all D. V=spfl a mx redirect:mail.marketingpartners.com ~all
B. V=spfl a mx redirect:mail.marketingpartners.com -all
Given the Nmap request below (SEE FIG 32) which of the following actions will an attacker be able able to initiate against this host? A. Password snarfing B. ARP spoofing C. A brute-force attack D. An SQL injection
C. A brute-force attack
An analyst needs to forensically examine a Windows machine that was compromised by a threat actor. Intelligence reports state this specific threat actor is characterized by hiding malicious artifacts, especially with alternate data streams. Based on this intelligence, which of the following BEST explains alternate data streams? A. A different way data can be streamlined if the user wants to use less memory on a Windows system for forking resources B. A way to store data on an external drive attached to a Windows machine that is not readily accessible to users C. A windows attribute that provides for forking resources and is potentially used to hide the presence of secret or malicious files in the file records of a benign file D. A Windows attribute that can be used by attackers to hide malicious files within system memory
C. A windows attribute that provides for forking resources and is potentially used to hide the presence of secret or malicious files in the file records of a benign file
A security analyst has discovered suspicious traffic and determined a host is connecting to a known malicious website. The MOST appropriate action for the analyst to take would be to implement a change request to: A. Update the antivirus software B. Configure the firewall to block traffic to the domain C. Add the domain to the blacklist D. Create an IPS signature for the domain
C. Add the domain to the blacklist
A security analyst receives an alert that highly sensitive information has left the company's network. Upon investigation, the analyst discovers an outside IP range has had connections from the three servers more than 100 times in the past month. The affected servers are virtual machines. Which of the following is the BEST course of action? A. Shut down the server as soon as possible, move them to a clean environment, restart, run a vulnerability scanner to find weaknesses, determine the root cause, remediate, and report B. Report the data exfiltration to management, take the affected servers offline, conduct an antivirus scan, remediate all threats found, and return the servers to service C. Disconnect the affected servers from the network, use the virtual machine console to access the systems, determine which information has left the network, find the security weakness, and remediate D. Determine if any other server have been affected, snapshot any servers found, determine the vector that was used to allow the data exfiltration, fix any vulnerabilities, remediate, and report
C. Disconnect the affected servers from the network, use the virtual machine console to access the systems, determine which information has left the network, find the security weakness, and remediate
A team of security analysts has been alerted to potential malware activity. The initial examination indicates one of the affected workstations is beaconing on TCP port 80 to five IP addresses ad attempting to spread across the network over port 445. Which of the following should be the team's NEXT step during the detection phase of this response process? A. Escalate the incident to management, who will then engage the network infrastructure team to keep them informed B. Depending on system criticality, remove each affected device from the network by disabling wired and wireless connections C. Engage the engineering team to block SMB traffic internally and outbound HTTP traffic to the five IP addresses D. Identify potentially affected systems by creating correlation search in the SIEM based on the network traffic
C. Engage the engineering team to block SMB traffic internally and outbound HTTP traffic to the five IP addresses
An analyst performs a routine scan to a host using Nmap and receives the following output (SEE FIG 36). Which of the following should the analyst investigate FIRST? A. Port 21 B. Port 22 C. Port 23 D. Port 80
C. Port 23
A security analyst suspects a malware infection was caused by a user who downloaded malware after clicking http://<malwareresource>/a.php in a phishing email. To prevent other computers from being infected by the same malware variation, the analyst should create a rule on the: A. Email server that automatically deletes attached executables B. IDS to match the malware sample C. Proxy to block all connections to <malwaresource> D. Firewall to block connection attempts to dynamic DNS hosts
C. Proxy to block all connections to <malwaresource>
A cybersecurity analyst is supporting an incident response effort via threat intelligence. Which of the following is the analyst MOST likely executing? A. Requirements analysis and collection planning B. Containment and eradication C. Recovery and post-incident review D. Indicator enrichment and research pivoting
C. Recovery and post-incident review
While reviewing a packet capture, a security analyst discovers a recent attack used specific ports communicating across non-standard ports and exchanged a particular set of files. In addition, forensics determines the files contain malware and have a specific callback domain within the files. The MOST appropriate action to take in this situation would be to implement a change request for an IPS. A. To block the callback domain and another signature hash to clock the files B. Behavioral signature and update the blacklisting on the domain C. Rule to block the non-standard ports and update the blacklisting of the callback domain D. Signature for the callback domain and update the firewall settings to block the non-standard ports
C. Rule to block the non-standard ports and update the blacklisting of the callback domain
An organization wants to move non-essential services into a cloud computing environment. Management has a cost focus and would like to achieve a recovery time objective of 12 hours. Which of the following cloud recovery strategies would work BEST to attain the desired outcome? A. Duplicate all services in another instance and load balance between the instances B. Establish a hot site with active replication to another region within the same cloud provider C. Set up a warm disaster recovery site with the same cloud provider in a different region D. Configure the system with a cold site at another cloud provider that can be used for failover
C. Set up a warm disaster recovery site with the same cloud provider in a different region
A critical server was comprised by malware, and all functionality was lost. Backups of the server were taken; however, management believes a logic bomb may have been injected by a rootkit. Which of the following should a security analyst perform to restore functionality quickly? A. Work backward, restoring each backup until the server is clean B. Restore the previous backup and scan with a live boot anti-malware scanner C. Stand up a new server and restore critical data from backups D. Offload the critical data to a new server and continue operations
C. Stand up a new server and restore critical data from backups
Which of the following technologies can be used to house the entropy keys for disk encryption on desktops and laptops A. Self-encryption drive B. Bus encryption C. TPM D. HSM
C. TPM
A cyber incident response analyst is investigation a suspected cryptocurrency miner on a company's server. Which of the following is the FIRST step the analyst should take? A. Create a full disk image of the server's hard drives to look for the file containing the malware B. Run a manual antivirus scan on the machine to look for known malicious software C. Take a memory snapshot of the machine to capture violate information stored in memory D. Start packet capturing to look for traffic that could be indicative of command and control from the miner
C. Take a memory snapshot of the machine to capture violate information stored in memory
A security analyst is reviewing vulnerability scan results and notice new workstations are being flagged as having outdated antivirus signatures. The analyst observes the following plugin output (SEE FIG 39). Which of the following BEST describes the situation? A. This is a false positive, and the scanning plugin needs to be updated by the vendor B. This is a true negative, and the new computers have the correct version of the software C. This is a true positive, and the new computers were imaged with an old version of the software D. This is a false negative, and the new computers need to be updated by the desktop team
C. This is a true positive, and the new computers were imaged with an old version of the software
Employees of a large financial company are continuously being infected by strands of malware that are not detected by EDR tools. Which of the following is the BEST security control to implement to reduce corporate risk while allowing employees to exchange files at client sites? A. MFA on the workstations B. Additional host firewalls rules C. VDI environment D. Hard drive encryption E. Network access control F. Network segmentation
C. VDI environment
A cybersecurity analyst needs to rearchitect the network using a firewall and a VPN server to achieve the highest level of security. To BEST complete this task, the analyst should place the: A. Firewall behind the VPN server B. VPN server parallel to the firewall C. VPN server behind the firewall D. VPN on the firewall
C. VPN server behind the firewall
A security analyst is conducting a post-incident log analysis to determine which indicators can be used to detect further occurrences of a data exfiltration incident. The analyst determines backups were not performed during this time and reviews the following (SEE FIG 13). Which of the following should the analyst review to find out how the data was exfiltrated? A. Monday's logs B. Tuesday's logs C. Wednesday's logs D. Thursday's logs
C. Wednesday's logs
A security analyst needs to reduce the overall attack surface. Which of the following infrastructure changes should the analyst recommend? A. implement a honeypot B. air gap sensitive systems C. increase the network segmentation D. implement a cloud-based architecture
C. increase the network segmentation
When attempting to do a stealth scan against a system that does not respond to ping, which of the following Nmap commands BEST accomplishes that goal? A. nmap -sA -o <system> -noping B. nmap -sT -o <system> -po C. nmap -sS -o <system> -po D. nmap -sQ -o <system> -po
C. nmap -sS -o <system> -po
An organization developed a comprehensive incident response policy. Executive management approved the policy and its associated procedures. Which of the following activities would be MOST beneficial to evaluate personnel's familiarity with incident response procedures? A. simulated breach scenario involving the incident response team B. completion of annual information security awareness training by all employees C. tabletop activities involving business continuity team members D. completion of lessons-learned documentation by the computer security incident response team E. external and internal penetration testing by a third party
C. tabletop activities involving business continuity team members
Which of the following will allow different cloud instances to share various types of data with a minimal amount of complexity? A. Reverse engineering B. Application log collections C. Workflow or orchestration D. API integration E. Scripting
D. API integration
A development team signed a contract that required access to an on-premises physical server. Access must be restricted to authorized users only and cannot be connected to the Internet. Which of the following solutions would meet these requirements? A. Establish a hosted SSO B. Implements a CASB C. Virtualize the server D. Air gap the server
D. Air gap the server
A security analyst is investigating an incident that appears to have started with SQL injection against a publicly available web application. Which of the following is the FIRST step the analyst should take to prevent future attacks? A. Modify the IDS rules to have a signature for SQL injection B. Take the server offline to prevent continued SQL injection C. Create a WAF rule in block mode for SQL injection D. Ask the developers to implement parameterized SQL queries
D. Ask the developers to implement parameterized SQL queries
A company recently experienced a break-in, whereby a number of hardware assets were stolen through unauthorized access at the back of the building. Which of the following would BEST prevents this type of theft from occurring in the future? A. Motion detection B. Perimeter fencing C. Monitored security cameras D. Badged entry
D. Badged entry
A security analyst is reviewing packet captures from a system that was comprised. The system was already isolated from the network, but it did have network access for a few hours after being comprised. When viewing the capture in a packet analyzer, the analyst sees the following (SEE FIG 35). Which of the following can the analyst conclude? A. Malware is attempting to beacon to 128.50.100.3 B. The system is running a DoS attack against ajgidwle.com C. The system is scanning ajgidklw.com for PII D. Data is being exfiltrated over DNS
D. Data is being exfiltrated over DNS
A security analyst discovered a specific series of IP addresses that are targeting an organization. None of the attacks have been successful. Which of the following should the security analyst perform NEXT? A. Baseline configuration assessment B. Uncredentialled scan C. Network ping sweep D. External penetration test
D. External penetration test
A small electronics company decides to use a contractor to assist with the development of a new FPGA-based device. Several of the development phases will occur off-site at the contractor's labs. Which of the following is the main concern a security analyst should have with this arrangement? A. Making multiple trips between development sites increases the chance of a physical damage to the FPGAs B. Moving FGPAs between development sites will lessen the time that is available for security testing C. Development phases occurring at multiple sites may produce change management issues D. FPGA applications are easily cloned, increasing the possibility of intellectual property theft
D. FPGA applications are easily cloned, increasing the possibility of intellectual property theft
As a proactive threat-hunting technique, hunters must develop situational cases based on likely attack scenarios derived from the available threat intelligence information. After forming the basis of the scenario, which of the following may the threat hunter construct to establish a framework for the threat assessment? A. Critical asset list B. Threat vector C. Attack profile D. Hypothesis
D. Hypothesis
A cybersecurity analyst is establishing a threat hunting and intelligence group at a growing organization. Which of the following is a collaborative resource that would MOST likely be used for this purpose? A. IOC feeds B. CVSS scores C. SCRUM D. ISAC
D. ISAC
A security analyst working in the SOC recently discovered instances in which hosts visited a specific set of domains and IPs and became infected with malware. Which of the following is the MOST appropriate action to take in this situation? A. Implement an IP signature for the malware and update the blacklisting for the associated domains and IPs B. Implement an IP signature for the malware and another signature request to block all the associated domains and IPs C. Implement a change request to the firewall setting to now allow the traffic to and from the IPs and domains D. Implement an IP signature for the malware and a change request to the firewall setting to not allow traffic to and from the IPs and domains
D. Implement an IP signature for the malware and a change request to the firewall setting to not allow traffic to and from the IPs and domains
A company wants to establish a threat-hunting team. Which of the following BEST describes the rationale for integrating intelligence into hunt operations? A. It enables the team to prioritize the focus areas and tactics within the company's environment B. It provides criticality analysis for key enterprise servers and services C. It allows analysts to receive routine updates on newly discovered software vulnerabilities D. It supports rapid response and recovery during and following an incident
D. It supports rapid response and recovery during and following an incident
A custom script currently monitors real-time logs of a SAML authentication servicer to mitigate brute-force attacks. Which of the following is a concern when moving authentication to a cloud service? A. Logs may contain incorrect information B. SAML logging is not supported for cloud-based authentication C. Access to logs may be delayed for some time D. Log data may be visible to other customers
D. Log data may be visible to other customers
The help desk provided a security analyst with a screenshot of a user's desktop (SEE FIG 54). For which of the following is aircrack-ng being used? A. Wireless access point discovery B. Rainbow attack C. Brute-force attack D. PCAP data collection
D. PCAP data collection
A security analyst has received reports of very slow, intermittent access to a public-facing corporate server. Suspecting the system may be compromised, the analyst runs the following command (SEE FIG 52). Based on the output from the above commands, which of the following should the analyst do NEXT to further the investigation? A. Run crontab -r; rm -rf /tmp/ .t to remove and disable the malware on the system B. Examine the server logs for further indicators of compromise of a web application C. Run kill -9 1325 to bring the load average down so the server is usable again D. Perform a binary analysis on the /tmp/ .t/t file, as it is likely to be a rogue SSHD server
D. Perform a binary analysis on the /tmp/ .t/t file, as it is likely to be a rogue SSHD server
A security analyst for a large pharmaceutical company was given credentials from a threat intelligence resources organization for internal users, which contain usernames and valid passwords for company accounts. Which of the following is the FIRST action the analyst should take as part of security operations monitoring? A. Run scheduled antivirus scans on all employees' machines to look for malicious processes B. Reimage the machines of all users within the group in case of a malware infection C. Change all the user passwords to ensure the malicious actors cannot use them D. Search the event logs for event identifiers that indicate Mimikatz was used
D. Search the event logs for event identifiers that indicate Mimikatz was used
A security analyst is reviewing the following log from an email security service (SEE FIG 16). Which of the following BEST describes the reason why the email was blocked? A. The To address is invalid B. The email originated from the www.spamfilter.org URL C. The IP address and the remote server name are the same D. The IP address was blacklisted E. The From address is invalid
D. The IP address was blacklisted
A security analyst is reviewing the following log from an email security service (SEE FIG 46). Which of the following best describes the reason why the email was blocked? A. To address is invalid B. The email originated from the www.spamfilter.org URL C. The IP address and the remote server name are the same D. The IP address was blacklisted E. The From address is invalid
D. The IP address was blacklisted
A security analyst is reviewing the following DNS logs as a part of security monitoring activities (SEE FIG 5). Which of the following MOST likely occurred? A. The attack used an algorithm to generate command and control information dynamically B. The attack attempted to contact www.google.com to verify Internet connectivity C. The attack used encryption to obfuscate the payload and bypass detection by an IDS D. The attack caused an internal host to connect to a command and control server
D. The attack caused an internal host to connect to a command and control server
A security analyst at a technology solutions firm has uncovered the same vulnerabilities on a vulnerability scan for a long period of time. The vulnerabilities are on systems that are dedicated to the firm's largest client. Which of the following is MOST likely inhibiting the remediation efforts? A. The parties have an MOU between them that could prevent shutting down the systems B. There is a potential disruption of the vendor-client relationship C. Patches for the vulnerabilities have not been fully tested by the software vendor D. There is an SLA with the client that allows very little downtime
D. There is an SLA with the client that allows very little downtime
A security analyst is investigating a system compromise. The analyst verifies the system was up to date on OS patches at the time of the compromise. Which of the following describes the type of vulnerability that was MOST likely exploited? A. Insider threat B. Buffer overflow C. Advanced persistent threat D. Zero day vulnerability
D. Zero day vulnerability
A security analyst is reviewing the logs from an internal chat server. The chat.log file is too large to review manually, so the analyst wants to create a shorter log file that only includes lines associated with a user demonstrating anomalous activity. Below is a snippet of the log (SEE FIG 34) A. grep -v chatter14 chat.log B. grep -i pythonfun chat.log C. grep -i javashark chat.log D. grep -v javashark chat.log E. grep -v pythonfun chat.log F. grep -i chatter14 chatlog.log
F. grep -i chatter14 chatlog.log
A security analyst reviews the following aggregated output from an Nmap scan and the border firewall ACL (SEE FIG 4). Which of the following should the analyst reconfigure to BEST reduce organizational risk while maintaining current functionality? A. PC1 B. PC2 C. Server1 D. Server2 E. Firewall
e. Firewall