CCNA Cybersecurity Operations (Version 1.1) - CyberOps Chapter 13 Exam
Which action should be included in a plan element that is part of a computer security incident response capability (CSIRC)? Detail how incidents should be handled based on the mission and functions of an organization. Prioritize severity ratings of security incidents. Develop metrics for measuring the incident response capability and its effectiveness. Create an organizational structure and definition of roles, responsibilities, and levels of authority.
Develop metrics for measuring the incident response capability and its effectiveness.
Which action is taken in the postincident phase of the NIST incident response life cycle? identify and validate incidents. Document the handling of the incident. Implement procedures to contain threats. Conduct CSIRT response training.
Document the handling of the incident
What is the role of vendor teams as they relate to CSIRT? Coordinate incident handling across multiple CSIRTs. Provide incident handling to other organizations as a fee-based service. Use data from many sources to determine incident activity trends. Handle customer reports concerning security vulnerabilities.
Handle customer reports concerning security vulnerabilities.
preserves attack evidence
IT Support
After containment, what is the first step of eradicating an attack? Patch all vulnerabilities. Identify all hosts that need remediation. Hold meetings on lessons learned. Change all passwords.
Identify all hosts that need remediation.
A threat actor has identified the potential vulnerability of the web server of an organization and is building an attack. What will the threat actor possibly do to build an attack weapon? Obtain an automated tool in order to deliver the malware payload through the vulnerability. Create a point of persistence by adding services. Install a webshell on the web server for persistent access. Collect credentials of the web server developers and administrators.
Obtain an automated tool in order to deliver the malware payload through the vulnerability.
What is the role of a Computer Emergency Response Team? Provide security awareness, best practices, and security vulnerability information to a specific population. Provide national standards as a fee-based service. Coordinate security incident handling across multiple CSIRTs. Receive, review, and respond to security incidents in an organization.
Provide security awareness, best practices, and security vulnerability information to a specific population.
initiated through an email attachment
develops firewall rules
human resources
performs disciplinary measures
human resources
Which top-level element of the VERIS schema would allow a company to log who the actors were, what actions affected the asset, which assets were affected, and how the asset was affected? incident description discovery and response incident tracking victim demographics
incident description
changes firewall rules
information assurance
develops firewall rules
information assurance
preserves attack evidence
information assurance
reviews policies for local or federal guideline violations
it support
designs the budget
legal department
reviews policies for local or federal guideline violations
legal department
performs disciplinary measures
management
initiated from external storage
media
Document how incidents are handled.
post incident activities
Conduct training on incident response.
preperation
According to information outlined by the Cyber Kill Chain, which two approaches can help identify reconnaissance threats? (Choose two.) Understand targeted servers, people, and data available to attack. Analyze web log alerts and historical search data. Conduct full malware analysis. Build playbooks for detecting browser behavior. Audit endpoints to forensically determine origin of exploit.
Analyze web log alerts and historical search data. Build playbooks for detecting browser behavior.
What is the main purpose of exploitations by a threat actor through the weapon delivered to a target during the Cyber Kill Chain exploitation phase? Establish a back door into the system. Send a message back to a CnC controlled by the threat actor. Break the vulnerability and gain control of the target. Launch a DoS attack.
Break the vulnerability and gain control of the target.
When dealing with security threats and using the Cyber Kill Chain model, which two approaches can an organization use to help block potential exploitations of a system? (Choose two.) Collect email and web logs for forensic reconstruction. Analyze the infrastructure path used for delivery. Conduct employee awareness training and email testing. Conduct full malware analysis. Audit endpoints to forensically determine origin of exploit.
Conduct employee awareness training and email testing. Audit endpoints to forensically determine origin of exploit.
What is the goal of an attack in the installation phase of the Cyber Kill Chain? Create a back door in the target system to allow for future access. Use the information from the reconnaissance phase to develop a weapon against the target. Establish command and control (CnC) with the target system. Break the vulnerability and gain control of the target.
Create a back door in the target system to allow for future access.
When a security attack has occurred, which two approaches should security professionals take to mitigate a compromised system during the Actions on Objectives step as defined by the Cyber Kill Chain model? (Choose two.) Detect data exfiltration, lateral movement, and unauthorized credential usage. Train web developers for securing code. Perform forensic analysis of endpoints for rapid triage. Collect malware files and metadata for future analysis. Build detections for the behavior of known malware.
Detect data exfiltration, lateral movement, and unauthorized credential usage. Perform forensic analysis of endpoints for rapid triage.
If the web server runs Microsoft IIS, which Windows tool would the network administrator use to view the access logs? Event Viewer net command PowerShell Task Manager
Event Viewer
What is a benefit of using the VERIS community database? It can be used to discover how other organizations dealt with a particular type of security incident. The database can be easily compressed. It can be used to discover the name of known threat actors. Companies who pay to contribute and access the database are protected from security threats.
It can be used to discover how other organizations dealt with a particular type of security incident.
What is the purpose of the policy element in a computer security incident response capability of an organization, as recommended by NIST? It provides a roadmap for maturing the incident response capability. It details how incidents should be handled based on the organizational mission and functions. It defines how the incident response teams will communicate with the rest of the organization and with other organizations. It provides metrics for measuring the incident response capability and effectiveness.
It details how incidents should be handled based on the organizational mission and functions.
designs the budget
Management
Which schema or model was created to anonymously share quality information about security events to the security community? VERIS Cyber Kill Chain Diamond CSIRT
VERIS
The threat actor has already placed malware on the server causing its performance to slow. The network administrator has found and removed the malware as well as patched the security hole where the threat actor gained access. The network administrator can find no other security issue. What stage of the Cyber Kill Chain did the threat actor achieve? actions on objectives command and control delivery exploitation installation
actions on objectives
uses brute force against devices or services
attrition
The network administrator believes that the threat actor used a commonly available tool to slow the server down. The administrator concludes that based on the source IP address identified in the alert, the threat actor was probably one of the students. What type of hacker would the student be classified as? black hat gray hat red hat white hat
black hat
Which term is used in the Diamond Model of intrusion to describe a tool that a threat actor uses toward a target system? capability weaponization adversary infrastructure
capability
Implement procedures to eradicate the impact to organizational assets.
containment, eradication, and recovery
Identify, analyze, and validate incidents.
detection and analysis
A threat actor collects information from web servers of an organization and searches for employee contact information. The information collected is further used to search personal information on the Internet. To which attack phase do these activities belong according to the Cyber Kill Chain model? exploitation reconnaissance action on objectives weaponization
reconnaissance
Which meta-feature element in the Diamond Model describes information gained by the adversary? methodology direction results resources
results
To ensure that the chain of custody is maintained, what three items should be logged about evidence that is collected and analyzed after a security incident has occurred? (Choose three.) extent of the damage to resources and assets serial numbers and hostnames of devices used as evidence vulnerabilities that were exploited in an attack measures used to prevent an incident location of all evidence time and date the evidence was collected
serial numbers and hostnames of devices used as evidence location of all evidence time and date the evidence was collected
What information is gathered by the CSIRT when determining the scope of a security incident? the amount of time and resources needed to handle an incident the strategies and procedures used for incident containment the processes used to preserve evidence the networks, systems, and applications affected by an incident
the networks, systems, and applications affected by an incident
What is defined in the SOP of a computer security incident response capability (CSIRC)? the procedures that are followed during an incident response the metrics for measuring incident response capabilities the roadmap for increasing incident response capabilities the details on how an incident is handled
the procedures that are followed during an incident response
What is the objective the threat actor in establishing a two-way communication channel between the target system and a CnC infrastructure? to steal network bandwidth from the network where the target is located to launch a buffer overflow attack to allow the threat actor to issue commands to the software that is installed on the target to send user data stored on the target to the threat actor
to allow the threat actor to issue commands to the software that is installed on the target
Reports of network slowness lead the network administrator to review server alerts. The administrator confirms that an alert was an actual security incident. Which type of security alert classification would this be? false negative false positive true negative true positive
true positive
initiated from a website application
web