NSE7 ATP 2.5 Highlights
How many STIX package types are supported? a. 1 b. 3 c. 2 d. 4
2
There are how many types of threat actors? 5 3 6 3 2
2
How many points of the "kill chain" can Fortinet solutions help with?
3
There are how many "threat actor names"? 4 3 7 5 6
5
How many stages exist in the "Kill Chain"? 6 8 4 7 9
7
How many Sandbox components are there: a. 6 b. 8 c. 10 d. 9
9
Describe FortiWeb's role with Sandbox
Detect and Block Known Bad Offload Suspicious to Sandbox Prevent Outbreak
Outbound Best Practice
Inbound traffic should be inspected to detect malware and intrusion attacks
Three types of HA nodes:
Master Primary Slave Slave
Outbound traffic best practice
Outbound traffic should be inspected to detect requests for botnet IP and malicious URLs.
Where do you look to determine what engine rated a sample?
Scan Report First page and above the "more details" section
What are the scan job "malicious 7"
Static Analysis Files created Files deleted Files Modified Launched Processes Registry changes Network Behaviors
What field name on the widget holds the status of SIMNET?
VM Internet Access
Analysis Details Section of the Scan Job Report will show how many VMs were used for scanning a. true b. false
a
Does Fortinet have solutions to break this stage of the "kill chain": Command and Control a. yes b. no
a
Does Fortinet have solutions to break this stage of the "kill chain": Delivery a. yes b. no
a
Does Fortinet have solutions to break this stage of the "kill chain": Lateral movement a. yes b. no
a
FortiClient will automatically quarantine malicious and suspicious files? a. true b. false
a
FortiMail can submit URLs to the Sandbox: a. true b. false
a
HA Nodes required dedicated communication interface a. yes b. no
a
HA supports a. 100 nodes b. 500 nodes c. 1000 nodes
a
Stix 1.2 is supported a. yes b. no
a
Suspicious is indicative of malware a. true b false
a
The FortiGate can submit files to the Sandbox: a. true b. false
a
The Master and Primary Slave models must be identical a. true b. false
a
What ports can be used as sniffer ports? a. 1 and 3 b 6 and 9 c any port except 1 and 3 d any port except 1
a
Where to look to find out "sample specific info" a. Scan Report > More details
a
Sequence of default Scan order: a. antispam-content-sandbox b. sandbox-antispam-content c antispam-sandbox-content
a. anti-Spam, content,sandbox is default and preferred order. Sandbox last is always best
Does FortiSandbox support more than one quarantine folder? a. Yes - supports max of three b. Yes - supports max of two c. No
b
Does FortiWeb queue up connections to Sandbox? a. yes b. no
b
Does Fortinet have solutions to break this stage of the "kill chain": Data Exfiltration a. yes b. no
b
Does Fortinet have solutions to break this stage of the "kill chain": Exploitation a. yes b. no
b
Does Fortinet have solutions to break this stage of the "kill chain": Reconnaissance a. yes b. no
b
Does Fortinet have solutions to break this stage of the "kill chain": Weaponization a. yes b. no
b
The Fortigate can submit URLs to the Sandbox: a. true b. false
b
Will "AV Scanner" rating engine work with SIMNET ON? a. yes b. no
b
Will "IP Reputation" rating engine work with SIMNET ON? a. yes b. no
b
Will all rating engines work with SIMNET ON? a. yes b. no
b
non-primary slave models must be identical: a. true b. false
b
The following services are simulated by SIMNET, when ON: a. IMAP b. SMTP c. RPC/HTTP d. HTTP e. HTTPS f. DNS Multiple answers Answer with corresponding letters; separate answers with a space
b d e f
Risk level color: low
blue
SIMNET: a. Is used to simulate large amount of user traffic b. To test network connectivity c. To simulate some Internet services if PORT 3 has no Internet access d. To get more accurate behavioral-based analytics
c
Virtual Simulator is used to analyze: a. Java b. Java Beans c. JavaScript
c
What is the name of the fifth stage of the "kill chain"?
command and control
Opportunistic attacks: a. Are taking an opportunity to go after a hated target b. Are trying to create a denial of service attack c. Have insider knowledge used to go after a prior employer d. Are not after a specific target
d
What is the name of the last stage of the "kill chain"?
data exfiltration
What is the name of the "kill chain" stage after "weaponization"?
delivery
What is the name of the third stage of the "kill chain"?
delivery
What is the name of the "kill chain" stage before "command and control"?
exploitation
What is the name of the fourth stage of the "kill chain"?
exploitation
Risk level color: red
high
What is the name of the "kill chain" stage before "data exfiltration"?
lateral movement
What is the name of the sixth stage of the "kill chain"?
lateral movement
Malware hash and IOC STIX info is in this type of STIX Package: "_______________________ Package"
malware
Name the two types of STIX packages supported
malware url
Master tasks
normal scanning duties manages the cluster distributes jobs gathers verdicts
Name the two main types of attacks (separate each answer with a space)
opportunistic targeted
Risk level color: orange
orange
Suspicious Indicators
parsed from tracer engine logs from static AND dynamic analysis Rules are dynamic and updated by FortiGuard The Suspicious Indicators are what the rating engine parsed out of the tracer's log as behaviors indicative of malware. These are behaviors from the VM scan as well as any behaviors observed from the static analysis. The suspicious indicators are all based on a set of rules used by the rating engine, which is constantly updated by FortiGuard.
FortiClient with FortiMail and Sandbox help prevent
patient zerro
Role of Primary Slave Node
primary slave node provides failover protection for the master node master and slave should be same model
What is the name if the first stage of the "Kill Chain"?
reconnaissance
Where is Internet Access for port 3 enabled or disabled?
scan policy general
Timeout value must give enough time for virtual machine _________ to complete
scanning
What widget displays SIMNET status, if ON
system info
What is the second stage of the "kill chain" named?
weaponization
