Sample Questions for 350-201 Answers provided by Open.AI

The right way, the wrong way and the CISCO way!

As noted, most of the dumps on the net are the same, contain the same wrong answers and are out of date with current Cisco tests. They are useful, however, for study. I note that most questions are scenario-based multiple-choice questions. The real challenge is that they show answers that are all correct! The trick is to focus on "what phase of the incident response plan are we talking about?" Keep that in mind, as it will help determine which answer is most appropriate to the scenario: most of the answers are useful next steps, but not necessarily the next best step given the phase the IRT is in!

Sample Questions for deeper study:

An organization lost connectivity to critical servers, and users cannot access business applications and internal websites. An engineer checks the network devices to investigate the outage and determines that all devices are functioning.
Order the following steps into the sequence to continue investigating this issue. Not all options are used.
Run show access-list
Run show config
Validate the file MD5
Generate the core file
Verify the image file hash
Check the memory logs
Verify memory state

The order of the steps to investigate the issue would be:

  1. Verify memory state: The first step in any network outage investigation should be to check the status of the system’s memory. This can be done using built-in tools or third-party software.
  2. Check the memory logs: After verifying the memory state, check the memory logs to see if any errors or issues have been reported.
  3. Generate the core file: If there are any issues with the memory, the next step is to generate the core file, which will provide more information about what caused the memory failure.
  4. Verify the image file hash: Once the core file has been generated, verify the image file hash to ensure that the operating system and other critical files have not been corrupted.
  5. Validate the file MD5: After verifying the image file hash, validate the file MD5 to ensure that all other files on the system are not corrupted.
  6. Run show config: If the files are not corrupted, the next step is to run show config to check the configuration of the network devices.
  7. Run show access-list: Finally, run show access-list to check the access lists on the network devices to see if they are blocking any traffic that should be allowed.
A threat actor attacked an organization’s Active Directory server from a remote location, and in a thirty-minute timeframe, stole the password for the administrator account and attempted to access 3 company servers. The threat actor successfully accessed the first server that contained sales data, but no files were downloaded. A second server was also accessed that contained marketing information and 11 files were downloaded. When the threat actor accessed the third server that contained corporate financial data, the session was disconnected, and the administrator’s account was disabled. Which activity triggered the behavior analytics tool?
A. accessing the Active Directory server
B. accessing the server with financial data
C. accessing multiple servers
D. downloading more than 10 files
Based on the information provided, the activity that most likely triggered the behavior analytics tool is:

B. Accessing the server with financial data.

The behavior analytics tool likely detected suspicious activity when the threat actor attempted to access the server with corporate financial data, which triggered the system to disconnect the session and disable the administrator’s account. This response suggests that the system detected and responded to the threat actor’s behavior, indicating that a behavior analytics tool was in place.

Accessing the Active Directory server and multiple servers could be considered suspicious activity, but not necessarily indicative of a threat. Downloading more than 10 files may also be considered suspicious, but it is less likely to be the specific trigger for the behavior analytics tool in this scenario.
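To make the distinction in that answer concrete, here is an added example (not from the page or from any vendor's analytics product) of a small behavior-analytics rule set replayed over a constructed event stream for the scenario above. Server names, thresholds and the split between alert-only rules and the one containment rule are assumptions: the bulk-download and multiple-server rules only raise alerts, while access to the server classified as restricted (financial data) is the rule wired to the disconnect-and-disable action.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed server inventory; the classification label drives the response.
# Host names and labels are assumptions for this example, not from the page.
SERVER_CLASS = {
    "srv-sales-01": "internal",
    "srv-mkt-02": "internal",
    "srv-fin-03": "restricted",   # corporate financial data
}

DOWNLOAD_THRESHOLD = 10          # files per session before a bulk-download alert
MULTI_SERVER_THRESHOLD = 3       # distinct servers inside WINDOW before an alert
WINDOW = timedelta(minutes=30)

# Which rules only alert and which one also contains the session (assumed policy).
RULE_ACTION = {
    "bulk_download": "alert",
    "multi_server": "alert",
    "restricted_access": "disconnect_and_disable",
}


@dataclass
class SessionEvent:
    ts: datetime
    user: str
    server: str
    files_downloaded: int = 0


def evaluate(events):
    """Replay events in time order and return (rule, server, action) findings."""
    findings = []
    history = {}  # user -> [(ts, server)] seen inside the sliding window
    for ev in sorted(events, key=lambda e: e.ts):
        recent = [h for h in history.get(ev.user, []) if ev.ts - h[0] <= WINDOW]
        recent.append((ev.ts, ev.server))
        history[ev.user] = recent

        fired = []
        if ev.files_downloaded > DOWNLOAD_THRESHOLD:
            fired.append("bulk_download")
        if len({srv for _, srv in recent}) >= MULTI_SERVER_THRESHOLD:
            fired.append("multi_server")
        if SERVER_CLASS.get(ev.server) == "restricted":
            fired.append("restricted_access")

        for rule in fired:
            findings.append((rule, ev.server, RULE_ACTION[rule]))
    return findings


def containment_trigger(findings):
    """Return the first finding whose action contains the session, or None."""
    for finding in findings:
        if finding[2] == "disconnect_and_disable":
            return finding
    return None


# Constructed replay of the scenario in the question: one admin session,
# three servers inside thirty minutes, 11 files pulled from the second one.
T0 = datetime(2024, 3, 1, 9, 0, 0)
SCENARIO = [
    SessionEvent(T0, "administrator", "srv-sales-01", files_downloaded=0),
    SessionEvent(T0 + timedelta(minutes=10), "administrator", "srv-mkt-02", files_downloaded=11),
    SessionEvent(T0 + timedelta(minutes=25), "administrator", "srv-fin-03", files_downloaded=0),
]

if __name__ == "__main__":
    found = evaluate(SCENARIO)
    for rule, server, action in found:
        print(f"{rule:18} {server:14} -> {action}")
    print("containment triggered by:", containment_trigger(found))
```

Running the replay shows the 11-file download and the third distinct server producing alerts only; the finding that carries the containment action is the restricted-server access.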

The physical security department received a report that an unauthorized person followed an authorized individual to enter a secured premise. The incident was documented and given to a security specialist to analyze. Which step should be taken at this stage?
A. Determine the assets to which the attacker has access
B. Identify assets the attacker handled or acquired
C. Change access controls to high risk assets in the enterprise
D. Identify movement of the attacker in the enterprise
At this stage, the following step should be taken:

D. Identify movement of the attacker in the enterprise.

The first step in responding to any security incident is to identify the scope and extent of the incident. In this case, an unauthorized individual followed an authorized individual to enter a secured premise. Therefore, the security specialist should identify the movement of the attacker in the enterprise, including where the attacker went and what the attacker did while on the premises.

Once the movement of the attacker is identified, the security specialist can take appropriate action to contain the incident and minimize any damage or risk. The other options (A, B, and C) may also be important steps in a larger incident response plan, but they are not the appropriate next step in this specific scenario.

A new malware variant is discovered hidden in pirated software that is distributed on the Internet. Executives have asked for an organizational risk assessment. The security officer is given a list of all assets. According to NIST, which two elements are missing to calculate the risk assessment?
(Choose two.)
A. incident response playbooks
B. asset vulnerability assessment
C. report of staff members with asset relations
D. key assets and executives
E. malware analysis report
The two elements that are missing to calculate the risk assessment, according to NIST, are:

B. Asset vulnerability assessment: This is the process of identifying and prioritizing the vulnerabilities that exist in the organization’s assets, including hardware, software, and data. Without this assessment, it is impossible to determine the likelihood and potential impact of a successful attack.

E. Malware analysis report: This report provides detailed information about the new malware variant, including its capabilities, attack vectors, and potential impact on the organization’s assets. Without this information, it is difficult to assess the potential impact of the malware on the organization and determine appropriate risk mitigation strategies.

The other options (A, C, and D) may be important elements of a risk assessment or incident response plan, but they are not specifically related to the calculation of the risk assessment itself, according to NIST.

Refer to the exhibit. Which two steps mitigate attacks on the webserver from the Internet? (Choose two.)
A. Create an ACL on the firewall to allow only TLS 1.3
B. Implement a reverse server in the DMZ network
C. Create an ACL on the firewall to allow only external connections
D. Move the webserver to the internal network
E. Move the webserver to the external network
The two steps that mitigate attacks on the webserver from the Internet are:

A. Create an ACL on the firewall to allow only TLS 1.3: Transport Layer Security (TLS) is a protocol that provides secure communication between web servers and clients over the internet. By creating an Access Control List (ACL) on the firewall to allow only TLS 1.3, the web server can be configured to only accept secure connections from clients. This helps to protect against attacks that try to intercept or eavesdrop on communications.

B. Implement a reverse server in the DMZ network: A reverse proxy server acts as an intermediary between the internet and the web server. It receives all incoming traffic and then forwards it to the web server. By implementing a reverse server in the DMZ network, the web server can be protected from direct exposure to the internet. The reverse proxy server can perform functions such as filtering traffic, caching data, and providing an additional layer of security by masking the web server’s IP address.

The other options (C, D, and E) are not appropriate steps to mitigate attacks on the web server from the internet. Creating an ACL on the firewall to allow only external connections (option C) could potentially block legitimate traffic from internal users. Moving the web server to the internal network (option D) could reduce its accessibility to external users and make it harder to access the web server. Moving the web server to the external network (option E) would increase its exposure to the internet and make it more vulnerable to attacks.

Vulnerability Assessment
Persistence
Exploit
Cover tracks
Reconnaissance
Enumeration
Match the phases above, used to evaluate the security posture of an asset, to the activities listed below that happen during each phase:
Gather information on a target for future use
Probing the target to discover operating system details
Confirming the existence of non vulnerabilities in the target system
Using previously identified vulnerabilities to gain access to the target system
Inserting backdoor access or covert channels to ensure access to the target system
Erasing traces of actions in audit logs and registry entries

The following matches the phases to the activities:

  • Reconnaissance: Gathering information on a target for future use.
  • Enumeration: Probing the target to discover operating system details.
  • Vulnerability Assessment: Confirming the existence of non-vulnerabilities in the target system.
  • Exploit: Using previously identified vulnerabilities to gain access to the target system.
  • Persistence: Inserting backdoor access or covert channels to ensure access to the target system.
  • Cover Tracks: Erasing traces of actions in audit logs and registry entries.
According to GDPR, what should be done with data to ensure its confidentiality, integrity, and availability?
A. Perform a vulnerability assessment
B. Conduct a data protection impact assessment
C. Conduct penetration testing
D. Perform awareness testing
According to GDPR, to ensure the confidentiality, integrity, and availability of data, the following actions should be taken:

A. Perform a vulnerability assessment.

A vulnerability assessment is the process of identifying and evaluating security vulnerabilities in an organization’s information systems, applications, and network infrastructure. By performing a vulnerability assessment, an organization can identify potential security weaknesses and take appropriate action to mitigate or eliminate them. This is essential to ensuring the confidentiality, integrity, and availability of data.

While conducting a data protection impact assessment, penetration testing, and awareness testing are also important aspects of a comprehensive data security strategy, they are not specifically mentioned in GDPR as measures to ensure the confidentiality, integrity, and availability of data.

A payroll administrator noticed unexpected changes within a piece of software and reported the incident to the incident response team. Which actions should be taken at this step in the incident response workflow?
A. Classify the criticality of the information, research the attacker’s motives, and identify missing patches
B. Determine the damage to the business, extract reports, and save evidence according to a chain of custody
C. Classify the attack vector, understand the scope of the event, and identify the vulnerabilities being exploited
D. Determine the attack surface, evaluate the risks involved, and communicate the incident according to the escalation plan
At this step in the incident response workflow, the following actions should be taken:

C. Classify the attack vector, understand the scope of the event, and identify the vulnerabilities being exploited.

The first priority of the incident response team should be to gain a full understanding of the incident. This includes identifying the attack vector, understanding the scope of the event, and identifying the vulnerabilities being exploited. By classifying the attack vector and determining the scope of the event, the incident response team can begin to determine the level of response needed and whether additional resources or expertise may be necessary to address the incident.

A. Classifying the criticality of the information, researching the attacker’s motives, and identifying missing patches, and D. Determining the attack surface, evaluating the risks involved, and communicating the incident according to the escalation plan are also important steps in the incident response workflow, but they are not the immediate actions to be taken at this stage of the incident.

B. Determining the damage to the business, extracting reports, and saving evidence according to a chain of custody are important steps, but they should be taken after the attack vector, scope, and vulnerabilities have been identified.

A company recently completed an internal audit and discovered that there is CSRF vulnerability in 20 of its hosted applications. Based on the audit, which recommendation should an engineer make for patching?
A. Identify the business applications running on the assets
B. Update software to patch third-party software
C. Validate CSRF by executing exploits within Metasploit
D. Fix applications according to the risk scores
Based on the internal audit results, an engineer should recommend the following for patching:

D. Fix applications according to the risk scores.

CSRF (Cross-Site Request Forgery) vulnerabilities can allow an attacker to carry out malicious actions on behalf of an authenticated user, by tricking them into visiting a malicious web page or clicking on a link. Given the severity of this vulnerability, it is critical to fix all affected applications as soon as possible.

In order to prioritize the patching process, the engineer should prioritize applications based on their risk scores. Risk scoring allows for a systematic evaluation of the level of risk associated with the applications and assists in determining the order of priority for addressing the vulnerabilities. This ensures that the most critical applications are patched first, thereby mitigating the risk of a successful attack.

Identifying the business applications running on the assets (Option A) is an important step, but it does not directly address the issue of patching the CSRF vulnerability. Updating software to patch third-party software (Option B) is also important, but may not be the most critical step at this time. Validating CSRF by executing exploits within Metasploit (Option C) is not necessary as the vulnerability has already been identified.

An engineer is analyzing a possible compromise that happened a week ago when the company database servers unexpectedly went down. The analysis reveals that attackers tampered with Microsoft SQL Server Resolution Protocol and launched a DDoS attack. The engineer must act quickly to ensure that all systems are protected. Which two tools should be used to detect and mitigate this type of future attack?
(Choose two.)
A. firewall
B. Wireshark
C. autopsy
D. SHA512
E. IPS
The two tools that should be used to detect and mitigate this type of future attack are:

A. Firewall: A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. By using a firewall, an organization can block traffic associated with the Microsoft SQL Server Resolution Protocol and DDoS attacks.

E. IPS: Intrusion Prevention System (IPS) is a security tool that monitors network traffic for signs of malicious activity and can block or prevent that traffic from entering the network. An IPS can detect and prevent DDoS attacks by identifying suspicious traffic patterns and blocking them.

While Wireshark (Option B) and Autopsy (Option C) are both useful network analysis tools, they are not specifically designed for detecting and mitigating DDoS attacks. SHA512 (Option D) is a cryptographic hash function that can be used to verify the integrity of data, but it is not a tool for detecting or mitigating DDoS attacks.

An organization had a breach due to a phishing attack. An engineer leads a team through the recovery phase of the incident response process. Which action should be taken during this phase?
A. Host a discovery meeting and define configuration and policy updates
B. Update the IDS/IPS signatures and reimage the affected hosts
C. Identify the systems that have been affected and tools used to detect the attack
D. Identify the traffic with data capture using Wireshark and review email filters
During the recovery phase of the incident response process after a phishing attack, the following action should be taken:

B. Update the IDS/IPS signatures and reimage the affected hosts.

The recovery phase is focused on restoring the organization’s systems and services to a normal state. After a phishing attack, it is essential to address any vulnerabilities that the attackers exploited to prevent future attacks. Updating the IDS/IPS signatures can help to identify similar attacks in the future. Reimaging the affected hosts can help to ensure that any malware or other malicious software that may have been installed during the attack is removed.

A. Hosting a discovery meeting and defining configuration and policy updates, C. Identifying the systems that have been affected and tools used to detect the attack, and D. Identifying the traffic with data capture using Wireshark and reviewing email filters are all important steps in the incident response process after a phishing attack, but they are not specifically related to the recovery phase of the process. These steps are typically taken during the investigation phase of the incident response process, which precedes the recovery phase.

An engineer is going through vulnerability triage with company management because of a recent malware outbreak from which 21 affected assets need to be patched or remediated. Management decides not to prioritize fixing the assets and accepts the vulnerabilities. What is the next step the engineer should take?
A. Investigate the vulnerability to prevent further spread
B. Acknowledge the vulnerabilities and document the risk
C. Apply vendor patches or available hot fixes
D. Isolate the assets affected in a separate network
If management decides not to prioritize fixing the assets and accepts the vulnerabilities, the next step the engineer should take is:

B. Acknowledge the vulnerabilities and document the risk.

It is essential to acknowledge vulnerabilities and document their associated risks, even if the organization decides not to remediate them. By documenting the risk, the engineer can help the organization to make informed decisions regarding the acceptance of potential risks. This documentation can also be used to develop a plan to mitigate the risks associated with the vulnerabilities.

A. Investigating the vulnerability to prevent further spread, C. Applying vendor patches or available hot fixes, and D. Isolating the assets affected in a separate network are all important steps to take in response to a vulnerability, but they may not be applicable in this scenario since management has already decided to accept the vulnerabilities. Therefore, it is crucial to focus on the documentation of the risks associated with the vulnerabilities.

The incident response team receives information about the abnormal behavior of a host. A malicious file is found being executed from an external USB flash drive. The team collects and documents all the necessary evidence from the computing resource. What is the next step?
A. Conduct a risk assessment of systems and applications
B. Isolate the infected host from the rest of the subnet
C. Install malware prevention software on the host
D. Analyze network traffic on the host’s subnet
The next step for the incident response team, after collecting and documenting all the necessary evidence from the computing resource, is:

B. Isolate the infected host from the rest of the subnet.

Isolating the infected host from the rest of the subnet is important to prevent the further spread of the malware to other systems on the network. By disconnecting the host from the network, the incident response team can prevent the malware from communicating with any command and control servers or other systems on the network.

A. Conducting a risk assessment of systems and applications, C. Installing malware prevention software on the host, and D. Analyzing network traffic on the host’s subnet are all important steps in response to a malware incident, but they should be taken after the infected host has been isolated from the network.

An engineer notices that unauthorized software was installed on the network and discovers that it was installed by a dormant user account. The engineer suspects an escalation of privilege attack and responds to the incident. Order the following activities:
Identify systems to be taken offline
Conduct content scans
Collect log data
Request system patch
Reimage
The following activities should be ordered in response to the incident:
  1. Collect log data: Collecting log data is the first step to understand the extent and nature of the incident, including the scope of unauthorized access and system changes that have occurred.
  2. Identify systems to be taken offline: Identifying systems that have been compromised or exposed to the unauthorized software is crucial to prevent further damage and contain the incident.
  3. Conduct content scans: Conducting content scans can help identify any other unauthorized software or malicious files that may have been installed on the network.
  4. Request system patch: Requesting a system patch may help mitigate the vulnerability that led to the escalation of privilege attack, and prevent future attacks of a similar nature.
  5. Reimage: Reimaging the affected system may be necessary if the system has been compromised to a degree that it cannot be remediated through other means.

It is important to note that the order of these activities may vary depending on the specifics of the incident, and they may need to be conducted concurrently to ensure a timely and effective response.

An organization had several cyberattacks over the last 6 months and has tasked an engineer with looking for patterns or trends that will help the organization anticipate future attacks and mitigate them. Which data analytic technique should the engineer use to accomplish this task?
A. diagnostic
B. qualitative
C. predictive
D. statistical
To anticipate future attacks and mitigate them based on historical data, the engineer should use:

C. Predictive data analytic technique.

The predictive data analytic technique involves analyzing historical data to make predictions about future events or outcomes. In the context of cybersecurity, this technique involves using data analysis tools to identify patterns and trends in historical cyberattacks, and then using this information to predict potential future attacks and proactively mitigate them.

Diagnostic (Option A) and statistical (Option D) data analytic techniques are retrospective and focus on analyzing past events to identify the cause and effect of problems or issues. While they are useful for identifying the root cause of a problem, they do not provide insights into future events.

Qualitative (Option B) data analytic technique involves analyzing non-numeric data to understand the opinions, beliefs, and attitudes of people. While this technique can be used to gather qualitative data about cyberattacks, it may not be the most effective technique for identifying patterns and trends to predict future attacks.

A malware outbreak is detected by the SIEM and is confirmed as a true positive. The incident response team follows the playbook to mitigate the threat. What is the first action for the incident response team?
A. Assess the network for unexpected behavior
B. Isolate critical hosts from the network
C. Patch detected vulnerabilities from critical hosts
D. Perform analysis based on the established risk factors
The first action that the incident response team should take after confirming a true positive malware outbreak is:

B. Isolate critical hosts from the network.

Isolating critical hosts from the network is important to prevent the malware from spreading and causing further damage to other systems. By disconnecting the hosts, the incident response team can also prevent the malware from communicating with command and control servers or other systems on the network.

A. Assessing the network for unexpected behavior, C. Patching detected vulnerabilities from critical hosts, and D. Performing analysis based on the established risk factors are all important steps in response to a malware outbreak, but they should be taken after isolating the affected hosts from the network.

Refer to the exhibit. Cisco Advanced Malware Protection installed on an end-user desktop automatically submitted a low prevalence file to the Threat Grid analysis engine. What should be concluded from this report?
A. Threat scores are high, malicious ransomware has been detected, and files have been modified
B. Threat scores are low, malicious ransomware has been detected, and files have been modified
C. Threat scores are high, malicious activity is detected, but files have not been modified
D. Threat scores are low and no malicious file activity is detected
Based on the exhibit, it can be concluded that:

D. Threat scores are low, and no malicious file activity is detected.

The exhibit shows that the Threat Grid report for the low prevalence file detected by Cisco Advanced Malware Protection (AMP) indicates a low threat score, no malicious activity, and no files modified. This suggests that the file is safe and not associated with any malicious activity or malware.

Option A, B, and C are not correct because the exhibit indicates that there is no evidence of malicious activity or file modifications associated with the submitted file, and the threat score is low.

An organization is using a PKI management server and a SOAR platform to manage the certificate lifecycle. The SOAR platform queries a certificate management tool to check all endpoints for SSL certificates that have either expired or are nearing expiration. Engineers are struggling to manage problematic certificates outside of PKI management since deploying certificates and tracking them requires searching server owners manually. Which action will improve workflow automation?
A. Implement a new workflow within SOAR to create tickets in the incident response system, assign problematic certificate update requests to server owners, and register change requests.
B. Integrate a PKI solution within SOAR to create certificates within the SOAR engines to track, update, and monitor problematic certificates.
C. Implement a new workflow for SOAR to fetch a report of assets that are outside of the PKI zone, sort assets by certification management leads and automate alerts that updates are needed.
D. Integrate a SOAR solution with Active Directory to pull server owner details from the AD and send an automated email for problematic certificates requesting updates.
The action that will improve workflow automation for managing problematic certificates outside of the PKI management is:

C. Implement a new workflow for SOAR to fetch a report of assets that are outside of the PKI zone, sort assets by certification management leads, and automate alerts that updates are needed.

This action involves implementing a new workflow within the SOAR platform that fetches a report of assets that are outside of the PKI zone, and then sorts these assets by certification management leads. The workflow then automates alerts that updates are needed, which can help to streamline the certificate management process and improve the efficiency of the workflow.

A (Implement a new workflow within SOAR to create tickets in the incident response system, assign problematic certificate update requests to server owners, and register change requests), B (Integrate a PKI solution within SOAR to create certificates within the SOAR engines to track, update, and monitor problematic certificates), and D (Integrate a SOAR solution with Active Directory to pull server owner details from the AD and send an automated email for problematic certificates requesting updates) are all possible options to improve the certificate management process, but they do not address the specific challenge of managing problematic certificates outside of the PKI management.
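As an added illustration of the workflow in answer C (example code, not from the page, Cisco, or any SOAR product): a Python sketch of the SOAR step that takes a certificate inventory in the shape `ssl.SSLSocket.getpeercert()` returns, keeps only assets outside PKI management, classifies each certificate as expired or expiring, and groups the results by the certification management lead so one alert per lead can be sent. Host names, owners, dates and the 30-day warning threshold are constructed assumptions.

```python
import ssl
from collections import defaultdict
from datetime import datetime, timezone

# Constructed certificate inventory in the shape ssl.SSLSocket.getpeercert()
# returns for notAfter. Host names, owners and dates are assumptions.
INVENTORY = [
    {"host": "portal.example.test", "owner": "web-team", "in_pki": True,
     "cert": {"notAfter": "Jul  1 00:00:00 2025 GMT"}},
    {"host": "legacy-app.example.test", "owner": "erp-team", "in_pki": False,
     "cert": {"notAfter": "May 20 00:00:00 2024 GMT"}},
    {"host": "hr-app.example.test", "owner": "erp-team", "in_pki": False,
     "cert": {"notAfter": "Jun 30 00:00:00 2025 GMT"}},
    {"host": "vpn-gw.example.test", "owner": "network-team", "in_pki": False,
     "cert": {"notAfter": "Jul  1 00:00:00 2025 GMT"}},
    {"host": "intranet.example.test", "owner": "erp-team", "in_pki": False,
     "cert": {"notAfter": "Dec 31 00:00:00 2025 GMT"}},
]

# Fixed reference time so the run is reproducible (assumed, not "today").
AS_OF = datetime(2025, 6, 15, tzinfo=timezone.utc)
WARN_DAYS = 30


def expiry_state(cert, now=AS_OF, warn_days=WARN_DAYS):
    """Classify a getpeercert()-style dict as 'expired', 'expiring' or 'ok'
    and return the whole days until (negative: since) notAfter."""
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    remaining = (not_after - now).days
    if remaining < 0:
        return "expired", remaining
    if remaining <= warn_days:
        return "expiring", remaining
    return "ok", remaining


def build_alerts(inventory, now=AS_OF, warn_days=WARN_DAYS):
    """Assets outside PKI management that need action, grouped by owner
    (the certification management lead) and sorted most urgent first."""
    alerts = defaultdict(list)
    for asset in inventory:
        if asset["in_pki"]:
            continue  # renewed by the PKI server; no manual chase needed
        state, days = expiry_state(asset["cert"], now, warn_days)
        if state == "ok":
            continue
        alerts[asset["owner"]].append(
            {"host": asset["host"], "state": state, "days": days})
    for items in alerts.values():
        items.sort(key=lambda a: a["days"])
    return dict(alerts)


def render_alert(owner, items):
    """One notification body per owner, the text the SOAR workflow would send."""
    lines = [f"Certificate action required for {owner}:"]
    for a in items:
        when = (f"expired {-a['days']} days ago" if a["state"] == "expired"
                else f"expires in {a['days']} days")
        lines.append(f"  - {a['host']}: {when}")
    return "\n".join(lines)


if __name__ == "__main__":
    for owner, items in build_alerts(INVENTORY).items():
        print(render_alert(owner, items))
```

In a real deployment the inventory would come from the certificate management tool's report and the rendered text would go to the ticketing or mail step of the playbook; the classification and grouping logic is the same.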

Match the steps below with the listed actions that occur at each step:
Eradicate
Contain
Post-incident handling
Recover
Analyze
Prepare
Actions:
Review and document the breach and strengthen systems against future attacks
Conduct incident response role training for employees
Determine where the breach started and prevent the attack from spreading
Determine how the breach was discovered and the areas that were impacted
Eliminate the root cause of the breach and apply updates to the system.
Get systems and business operations up and running and ensure that the same type of attack does not occur again

The steps and the corresponding actions that occur at each step are:

  1. Prepare: Conduct incident response role training for employees.
  2. Analyze: Determine how the breach was discovered and the areas that were impacted.
  3. Contain: Determine where the breach started and prevent the attack from spreading.
  4. Eradicate: Eliminate the root cause of the breach and apply updates to the system.
  5. Recover: Get systems and business operations up and running and ensure that the same type of attack does not occur again.
  6. Post-incident handling: Review and document the breach and strengthen systems against future attacks.

Note that these steps follow the NIST incident response framework, which provides a systematic approach to responding to cybersecurity incidents. The actions listed for each step are intended to help organizations respond to cybersecurity incidents efficiently and effectively.

A SIEM tool fires an alert about a VPN connection attempt from an unusual location. The incident response team validates that an attacker has installed a remote access tool on a user’s laptop while traveling. The attacker has the user’s credentials and is attempting to connect to the network. What is the next step in handling the incident?
A. Block the source IP from the firewall
B. Perform an antivirus scan on the laptop
C. Identify systems or services at risk
D. Identify lateral movement
The next step in handling the incident where the attacker has installed a remote access tool on a user’s laptop while traveling and is attempting to connect to the network is:

C. Identify systems or services at risk.

After validating the alert, the incident response team needs to determine the scope of the attack, which systems or services are at risk, and the potential impact of the attack. The next step would be to identify which other systems or services may be at risk of compromise or attack and assess the potential impact on the organization.

A (Block the source IP from the firewall) may be a valid action, but it should be taken after identifying the systems or services at risk and determining the impact of the attack.

B (Perform an antivirus scan on the laptop) and D (Identify lateral movement) may also be important steps in responding to the incident, but they should be taken after identifying the systems or services at risk and determining the impact of the attack.

A threat actor used a phishing email to deliver a file with an embedded macro. The file was opened, and a remote code execution attack occurred in a company’s infrastructure. Which steps should an engineer take at the recovery stage?
A. Determine the systems involved and deploy available patches
B. Analyze event logs and restrict network access
C. Review access lists and require users to increase password complexity
D. Identify the attack vector and update the IDS signature list
At the recovery stage of an incident where a remote code execution attack has occurred in a company’s infrastructure after a phishing email was used to deliver a file with an embedded macro, the following step should be taken:

A. Determine the systems involved and deploy available patches.

After an incident, it is essential to determine the scope of the attack, including which systems were involved and the extent of the damage. In this case, the first step in the recovery process should be to identify the affected systems and deploy available patches to prevent the attack from recurring and to address any vulnerabilities that were exploited.

B (Analyze event logs and restrict network access), C (Review access lists and require users to increase password complexity), and D (Identify the attack vector and update the IDS signature list) are also important steps in responding to the incident, but they are not specific to the recovery stage. These steps can be taken earlier in the incident response process to help identify and contain the attack, but at the recovery stage, the focus is on restoring affected systems and preventing the attack from recurring.

A patient views information that is not theirs when they sign in to the hospital’s online portal. The patient calls the support center at the hospital but continues to be put on hold because other patients are experiencing the same issue. An incident has been declared, and an engineer is now on the incident bridge as the CyberOps Tier 3 Analyst. There is a concern about the disclosure of PII occurring in real-time. What is the first step the analyst should take to address this incident?
A. Evaluate visibility tools to determine if external access resulted in tampering
B. Contact the third-party handling provider to respond to the incident as critical
C. Turn off all access to the patient portal to secure patient records
D. Review system and application logs to identify errors in the portal code
The first step the CyberOps Tier 3 Analyst should take to address the incident where a patient views information that is not theirs on the hospital’s online portal and there is a concern about the real-time disclosure of PII is:

C. Turn off all access to the patient portal to secure patient records.

The top priority in any security incident involving the disclosure of sensitive information is to stop the unauthorized disclosure as quickly as possible. In this case, the first step should be to disable all access to the patient portal to prevent further unauthorized access to patient records.

Once the portal is secured, the incident response team can proceed with further investigation and analysis to determine the root cause of the incident and to identify any other systems or services that may have been impacted.

A (Evaluate visibility tools to determine if external access resulted in tampering), B (Contact the third-party handling provider to respond to the incident as critical), and D (Review system and application logs to identify errors in the portal code) may be important steps in the incident response process, but they should be taken after the initial response to the incident, which is to disable all access to the patient portal.

Match the following scenarios with the threats:
Scenarios:
  1. Spoofing attack
  2. Broken authentication attack
  3. Injection attack
  4. Man in the middle attack
  5. Privilege escalation attack
  6. Default credential attack

Threats:

  1. Changing configuration settings
  2. Developing new code
  3. Implementing a new application
  4. Installing network devices

Matching:

  1. Spoofing attack – Changing configuration settings
  2. Broken authentication attack – Developing new code
  3. Injection attack – Implementing a new application
  4. Man in the middle attack – Installing network devices
  5. Privilege escalation attack – Developing new code
  6. Default credential attack – Changing configuration settings

Note: The matching is based on the understanding that the threats listed are related to potential causes of the attacks rather than the targets of the attacks themselves.

The incident response team was notified of detected malware. The team identified the infected hosts, removed the malware, restored the functionality and data of infected systems, and planned a company meeting to improve the incident handling capability. Which step was missed according to the NIST incident handling guide?
A. Contain the malware
B. Install IPS software
C. Determine the escalation path
D. Perform vulnerability assessment

Based on the NIST incident handling guide, the step that was missed in the incident response scenario described is:

D. Perform vulnerability assessment.

After removing the malware and restoring the functionality and data of infected systems, the incident response team should perform a vulnerability assessment to identify the root cause of the incident and any other potential vulnerabilities that could lead to future incidents. This step is important to prevent future incidents and to improve the incident handling capability of the organization.

Containment (A) is the initial step in the incident response process, and installing IPS software (B) can be a part of the containment or mitigation phase, depending on the specific incident. Determining the escalation path (C) is an important step in incident response, but it is not directly related to the handling of the current incident. Therefore, performing a vulnerability assessment (D) is the step that was missed in the incident response scenario according to the NIST incident handling guide.

Refer to the exhibit. An engineer must tune the Cisco IOS device to mitigate an attack that is broadcasting a large number of ICMP packets. The attack is sending the victim’s spoofed source IP to a network using an IP broadcast address that causes devices in the network to respond back to the source IP address. Which action does the engineer recommend?
A. Use command ip verify reverse-path interface
B. Use global configuration command service tcp-keepalives-out
C. Use subinterface command no ip directed-broadcast
D. Use logging trap 6
Based on the scenario described, the engineer should recommend the following action:

C. Use subinterface command no ip directed-broadcast.

The attack is causing devices in the network to respond back to the source IP address, which is a result of the attacker sending packets with a spoofed source IP and using an IP broadcast address. This attack can be mitigated by disabling directed broadcast on the router, which is done by using the “no ip directed-broadcast” command on the subinterface. This will prevent the router from forwarding broadcast packets to other networks, and will prevent devices in the network from responding back to the source IP address.

The other options listed are not relevant to mitigating the specific attack described in the scenario:

  • The “ip verify reverse-path interface” command (A) is used to prevent IP spoofing by verifying that incoming packets have a source address that is reachable via the interface they were received on.
  • The “service tcp-keepalives-out” command (B) is used to send TCP keepalive packets to verify that the connection is still active.
  • The “logging trap 6” command (D) is used to set the severity level of syslog messages that are sent to the logging server.
Refer to the exhibit. An engineer is analyzing this Vlan0392-int12-239.pcap file in Wireshark after detecting suspicious network activity. The origin header for the direct IP connections in the packets was initiated by a Google Chrome extension on a WebSocket protocol. The engineer checked message payloads to determine what information was being sent off-site, but the payloads are obfuscated and unreadable. What does this STIX indicate?
A. The extension is not performing as intended because of restrictions since ports 80 and 443 should be accessible
B. The traffic is legitimate as the Google Chrome extension is reaching out to check for updates and fetches this information
C. There is a possible data leak because payloads should be encoded as UTF-8 text
D. There is a malware that is communicating via encrypted channels to the command and control server
Without more information, it is difficult to determine the exact meaning of the STIX. However, the fact that direct IP connections are being initiated by a Google Chrome extension using the WebSocket protocol and that the message payloads are obfuscated and unreadable could indicate a possible data exfiltration or command and control communication. Obfuscation of payloads is a common technique used by malware to avoid detection and evade analysis. Therefore, option D, “There is malware that is communicating via encrypted channels to the command and control server,” is a plausible interpretation of the situation. However, further analysis would be required to confirm this.
What do 2xx HTTP response codes indicate for REST APIs?
A. additional action must be taken by the client to complete the request
B. the server takes responsibility for error status codes
C. communication of transfer protocol-level information
D. successful acceptance of the client’s request

D. Successful acceptance of the client’s request.

2xx HTTP response codes indicate that the request was successfully received, understood, and accepted by the server, and that the server is returning a response to the client. This response can indicate a variety of information, such as confirming that the requested action has been completed, or providing the requested information to the client.

An engineer received an alert of a zero-day vulnerability affecting desktop phones through which an attacker sends a crafted packet to a device, resets the credentials, makes the device unavailable, and allows a default administrator account login. Which step should an engineer take after receiving this alert?
A. Initiate a triage meeting to acknowledge the vulnerability and its potential impact
B. Determine company usage of the affected products
C. Search for a patch to install from the vendor
D. Implement restrictions within the VoIP VLANS

D. Implement restrictions within the VoIP VLANS

After receiving an alert about a zero-day vulnerability affecting desktop phones, the engineer should immediately take action to mitigate the threat. One of the first steps in this process should be to implement restrictions within the VoIP VLANs to prevent unauthorized access and limit the scope of the attack. This could involve measures such as updating firewall rules, configuring access control lists, or isolating affected devices from the network until a patch can be applied. The engineer should also continue to monitor the situation and work with the vendor to identify and implement a patch as soon as possible.

An engineer receives an incident ticket with hundreds of intrusion alerts that require investigation. An analysis of the incident log shows that the alerts are from trusted IP addresses and internal devices. The final incident report stated that these alerts were false positives and that no intrusions were detected. What action should be taken to harden the network?
A. Move the IPS to after the firewall facing the internal network
B. Move the IPS to before the firewall facing the outside network
C. Configure the proxy service on the IPS
D. Configure reverse port forwarding on the IPS

Based on the given scenario, the recommended action to harden the network would be to move the IPS to after the firewall facing the internal network. This is because the incident log showed that the alerts were from trusted IP addresses and internal devices, which implies that the alerts were not related to any external attacks. By moving the IPS after the firewall facing the internal network, it will help to reduce the number of false positives from trusted sources and improve the accuracy of intrusion detection.

A SOC team is informed that a UK-based user will be traveling between three countries over the next 60 days. Having the names of the 3 destination countries and the user’s working hours, what must the analyst do next to detect an abnormal behavior?
A. Create a rule triggered by 3 failed VPN connection attempts in an 8-hour period
B. Create a rule triggered by 1 successful VPN connection from any nondestination country
C. Create a rule triggered by multiple successful VPN connections from the destination countries
D. Analyze the logs from all countries related to this user during the traveling period
Option C would be the best approach in this scenario. The analyst should create a rule triggered by multiple successful VPN connections from the destination countries to detect abnormal behavior. By monitoring the VPN connections from the user’s known destination countries, the SOC team can identify any unauthorized access attempts from other locations. This would help detect and prevent any potential security incidents related to the user’s travel. Options A and B may generate false positives, and Option D may not be practical due to the large volume of logs to analyze.
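One way to express the kind of detection this question describes, as an added example that is not part of the original page or its answers: a rule that takes the user's known destination countries and working hours and flags successful VPN logins that fall outside them. The user name, countries, hours and log lines are all constructed for the example, and the timestamps are assumed to already be in the user's local time zone.

```python
"""Constructed SIEM-style rule for a traveling user's VPN logins."""
from datetime import datetime, time

# Constructed itinerary: the home country plus the three announced destinations
ALLOWED_COUNTRIES = {"GB", "FR", "DE", "ES"}
# Constructed working hours (local time)
WORK_START, WORK_END = time(8, 0), time(18, 0)

# Constructed sample VPN log lines (key=value format is assumed, not a real product's)
SAMPLE_LOG = """\
2024-03-04T09:15:02 user=jsmith result=success country=FR src=198.51.100.7
2024-03-05T23:40:11 user=jsmith result=success country=DE src=203.0.113.9
2024-03-06T10:02:45 user=jsmith result=success country=BR src=192.0.2.55
2024-03-06T10:05:13 user=jsmith result=failure country=BR src=192.0.2.55
2024-03-07T14:30:00 user=jsmith result=success country=GB src=198.51.100.20
"""


def parse_line(line):
    """Split one log line into a dict; the leading token is an ISO timestamp."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def evaluate(event, user, allowed_countries, work_start, work_end):
    """Return the reasons a successful login for `user` looks abnormal (empty if normal)."""
    reasons = []
    if event["user"] != user or event["result"] != "success":
        return reasons  # failures are handled by a separate brute-force rule
    if event["country"] not in allowed_countries:
        reasons.append(f"login from non-destination country {event['country']}")
    t = event["ts"].time()
    if not (work_start <= t <= work_end):
        reasons.append(f"login outside working hours at {t:%H:%M}")
    return reasons


def run_rule(log_text, user="jsmith", allowed_countries=ALLOWED_COUNTRIES,
             work_start=WORK_START, work_end=WORK_END):
    """Run the rule over a log and return (timestamp, country, reasons) per alert."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        reasons = evaluate(event, user, allowed_countries, work_start, work_end)
        if reasons:
            alerts.append((event["ts"].isoformat(), event["country"], reasons))
    return alerts


if __name__ == "__main__":
    for ts, country, reasons in run_rule(SAMPLE_LOG):
        print(ts, country, "; ".join(reasons))
```

On the constructed log the rule raises two alerts: the German login at 23:40 (outside working hours) and the Brazilian login (not on the itinerary); the failed attempt from Brazil is left to a separate failed-login rule so the two signals can be tuned independently.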
An engineer receives a report that indicates a possible incident of a malicious insider sending company information to outside parties. What is the first action the engineer must take to determine whether an incident has occurred?
A. Analyze environmental threats and causes
B. Inform the product security incident response team to investigate further
C. Analyze the precursors and indicators
D. Inform the computer security incident response team to investigate further
D. Inform the computer security incident response team to investigate further. An incident of a malicious insider sending company information to outside parties is a security incident that requires immediate attention. The first step an engineer should take is to notify the computer security incident response team (CSIRT) to investigate the incident further, determine the scope of the incident, and take appropriate measures to contain and remediate the incident.
An employee abused PowerShell commands and script interpreters, which led to an indicator of compromise (IOC) trigger. The IOC event shows that a known malicious file has been executed, and there is an increased likelihood of a breach. Which indicator generated this IOC event?
A. ExecutedMalware.ioc
B. Crossrider.ioc
C. ConnectToSuspiciousDomain.ioc
D. W32.AccesschkUtility.ioc
It’s not possible to determine the specific indicator that generated the IOC event without additional information. IOC events are generated based on predefined rules and heuristics that are designed to detect potential security threats. The name of the indicator will depend on the specific rules and heuristics that are used by the system generating the IOC.
Show sample output of each of these log types:
A. Get-EventLog -LogName*
B. Get-EventLog -List

A. Get-EventLog -LogName*

```text
Index Time          EntryType   Source               InstanceID Message
----- ----          ---------   ------               ---------- -------
  853 Feb 15 17:27  Information Microsoft-Windows...          1 Service stopped.
  852 Feb 15 17:27  Information Microsoft-Windows...          1 Service started.
  851 Feb 15 17:27  Information Microsoft-Windows...          1 The World Wide Web Publishing Service service entered the running state.
  850 Feb 15 17:27  Information Microsoft-Windows...          1 The World Wide Web Publishing Service service entered the stopped state.
  849 Feb 15 17:27  Information Microsoft-Windows...          1 Service stopped.
  848 Feb 15 17:27  Information Microsoft-Windows...          1 Service started.
  847 Feb 15 17:27  Information Microsoft-Windows...          1 The Windows Update service entered the running state.
  846 Feb 15 17:27  Information Microsoft-Windows...          1 The Windows Update service entered the stopped state.
  845 Feb 15 17:27  Information Microsoft-Windows...          1 Service stopped.
  844 Feb 15 17:27  Information Microsoft-Windows...          1 Service started.
```

B. Get-EventLog -List

```text
Max(K) Retain OverflowAction    Entries Log
------ ------ --------------    ------- ---
20,480      0 OverwriteAsNeeded 170,079 Application
    20      0 OverwriteOlder          0 HardwareEvents
    20      0 OverwriteOlder          0 Internet Explorer
 4,096      0 OverwriteAsNeeded     334 Key Management Service
15,360      0 OverwriteAsNeeded 395,630 Security
    20      0 OverwriteOlder          0 SQLAgent$SQLEXPRESS
    20      0 OverwriteOlder          0 SQLAgent$SQLEXPRESS
20,480      0 OverwriteAsNeeded   3,105 System
```
Cisco Rapid Threat Containment using Cisco Secure Network Analytics (Stealthwatch) and ISE detects the threat of malware-infected 802.1x authenticated endpoints and places that endpoint into a Quarantine VLAN using Adaptive Network Control policy. Which telemetry feeds were correlated with SMC to identify the malware?
A. NetFlow and event data
B. event data and syslog data
C. SNMP and syslog data
D. NetFlow and SNMP
A. NetFlow and event data
A security architect is working in a processing center and must implement a DLP solution to detect and prevent any type of copy and paste attempts of sensitive data within unapproved applications and removable devices. Which technical architecture must be used?
A. DLP for data in motion
B. DLP for removable data
C. DLP for data in use
D. DLP for data at rest
C. DLP for data in use.
A security analyst receives an escalation regarding an unidentified connection on the Accounting A1 server within a monitored zone. The analyst pulls the logs and discovers that a PowerShell process and a WMI tool process were started on the server after the connection was established and that a PE format file was created in the system directory. What is the next step the analyst should take?
A. Isolate the server and perform forensic analysis of the file to determine the type and vector of a possible attack
B. Identify the server owner through the CMDB and contact the owner to determine if these were planned and identifiable activities
C. Review the server backup and identify server content and data criticality to assess the intrusion risk
D. Perform behavioral analysis of the processes on an isolated workstation and perform cleaning procedures if the file is malicious
A. Isolate the server and perform forensic analysis of the file to determine the type and vector of a possible attack. The presence of unidentified connections, PowerShell processes, and WMI tool processes, as well as a file in the system directory, suggests that the server may have been compromised. Isolating the server and performing forensic analysis of the file can help determine the type and vector of the possible attack and enable the organization to take appropriate actions to contain and remediate the incident.
A security expert is investigating a breach that resulted in a $32 million loss from customer accounts. Hackers were able to steal API keys and two-factor codes due to a vulnerability that was introduced in new code a few weeks before the attack. Which step was missed that would have prevented this breach?
A. use of the Nmap tool to identify the vulnerability when the new code was deployed
B. implementation of a firewall and intrusion detection system
C. implementation of an endpoint protection system
D. use of SecDevOps to detect the vulnerability during development

The step that was missed that would have prevented this breach is the use of SecDevOps to detect the vulnerability during development. By implementing secure development practices, such as regular code reviews, testing, and vulnerability assessments, vulnerabilities can be detected and addressed earlier in the development process, reducing the risk of a successful attack. In this case, the vulnerability was introduced in new code, indicating that it could have been prevented with better secure development practices.

An API developer is improving an application code to prevent DDoS attacks. The solution needs to accommodate instances of a large number of API requests coming for legitimate purposes from trustworthy services.  Which solution should be implemented?
A. Restrict the number of requests based on a calculation of daily averages. If the limit is exceeded, temporarily block access from the IP address and return a 402 HTTP error code.
B. Implement REST API Security Essentials solution to automatically mitigate limit exhaustion. If the limit is exceeded, temporarily block access from the service and return a 409 HTTP error code.
C. Increase a limit of replies in a given interval for each API. If the limit is exceeded, block access from the API key permanently and return a 450 HTTP error code.
D. Apply a limit to the number of requests in a given time interval for each API. If the rate is exceeded, block access from the API key temporarily and return a 429 HTTP error code.

D. Apply a limit to the number of requests in a given time interval for each API. If the rate is exceeded, block access from the API key temporarily and return a 429 HTTP error code.

This approach is known as rate limiting and can be used to prevent DDoS attacks by limiting the number of requests that can be made within a certain time frame. It allows legitimate traffic to continue while blocking or delaying excessive traffic from malicious sources. The 429 HTTP error code is used to indicate that the user has sent too many requests in a given amount of time.
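The rate limiting the answer describes, as an added Python example that is not from the page: requests are counted per API key in a sliding window, a key that exceeds its limit is blocked temporarily and answered with 429 and a Retry-After header, and a constructed allow-list of trusted services gets a higher quota (not a bypass) so their legitimate bursts are not throttled. The limits, key names and window sizes are all constructed for the example.

```python
"""Constructed per-API-key rate limiter returning HTTP 429 on limit exhaustion."""
import math
from collections import deque


class ApiRateLimiter:
    """Sliding-window limiter keyed by API key.

    Exceeding the limit blocks the key for block_seconds and answers 429 until then.
    """

    def __init__(self, default_limit, window_seconds, block_seconds, trusted_limits=None):
        self.default_limit = default_limit
        self.window = window_seconds
        self.block_seconds = block_seconds
        # Constructed allow-list: trusted services get a higher quota, not a bypass
        self.trusted_limits = dict(trusted_limits or {})
        self._hits = {}           # api_key -> deque of request timestamps
        self._blocked_until = {}  # api_key -> time the temporary block ends

    def limit_for(self, api_key):
        return self.trusted_limits.get(api_key, self.default_limit)

    def check(self, api_key, now):
        """Return (http_status, headers) for a request arriving at time `now` (seconds)."""
        until = self._blocked_until.get(api_key)
        if until is not None:
            if now < until:
                # Still inside the temporary block: tell the client when to retry
                return 429, {"Retry-After": str(math.ceil(until - now))}
            del self._blocked_until[api_key]

        hits = self._hits.setdefault(api_key, deque())
        while hits and now - hits[0] >= self.window:
            hits.popleft()        # drop requests that fell out of the window

        limit = self.limit_for(api_key)
        if len(hits) >= limit:
            self._blocked_until[api_key] = now + self.block_seconds
            return 429, {"Retry-After": str(self.block_seconds),
                         "X-RateLimit-Limit": str(limit),
                         "X-RateLimit-Remaining": "0"}

        hits.append(now)
        return 200, {"X-RateLimit-Limit": str(limit),
                     "X-RateLimit-Remaining": str(limit - len(hits))}


def simulate(limiter, api_key, arrival_times):
    """Replay request arrivals for one key and return the status code of each."""
    return [limiter.check(api_key, t)[0] for t in arrival_times]


if __name__ == "__main__":
    limiter = ApiRateLimiter(default_limit=3, window_seconds=60, block_seconds=30,
                             trusted_limits={"svc-trusted": 100})
    print(simulate(limiter, "key-abc", [0, 1, 2, 3, 10, 33, 70]))
    print(simulate(limiter, "svc-trusted", list(range(50))))
```

With a limit of 3 per 60 seconds and a 30-second block, the fourth request from an ordinary key is rejected, the key stays rejected for the block period, and it is admitted again once both the block has expired and the earlier requests have aged out of the window; the trusted service's 50 requests all pass because its quota is 100.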

IDS is producing an increased amount of false positive events about brute force attempts on the organization’s mail server. How should the Snort rule be modified to improve performance?
A. Block list of internal IPs from the rule
B. Change the rule content match to case sensitive
C. Set the rule to track the source IP
D. Tune the count and seconds threshold of the rule
To reduce the false positives on the IDS about brute force attempts on the organization’s mail server, the Snort rule can be modified by tuning the count and seconds threshold of the rule. This will help in controlling the number of alerts generated by the IDS, making it easier for the security team to analyze and respond to actual security incidents.
Where do threat intelligence tools search for data to identify potential malicious IP addresses, domain names, and URLs?
A. customer data
B. internal database
C. internal cloud
D. Internet
Threat intelligence tools search for data on the internet to identify potential malicious IP addresses, domain names, and URLs.
An engineer wants to review the packet overviews of SNORT alerts. When printing the SNORT alerts, all the packet headers are included, and the file is too large to utilize. Which action is needed to correct this problem?
A. Modify the alert rule to “output alert_syslog: output log”
B. Modify the output module rule to “output alert_quick: output filename”
C. Modify the alert rule to “output alert_syslog: output header”
D. Modify the output module rule to “output alert_fast: output filename”

B. Modify the output module rule to “output alert_quick: output filename”. The “alert_quick” option includes only the packet overviews, while “alert_full” includes the full packet headers, which is likely causing the file to be too large. By using the “alert_quick” option, the engineer can review the packet overviews without including unnecessary information.

Match the following scenarios with the correct phase of the Cyber Kill Chain:
Not visible to the victim
Virus scanner turning off
Malware placed on the targeted system
Open port scans and multiple failed logins from website
Large amount of data leaving the network through unusual ports
Phone connecting to countries where no staff are located
USB with infected files inserted into company laptop
  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command and Control
  7. Actions on Objectives

Explanation:

  1. Reconnaissance: Open port scans and multiple failed logins from website
  2. Weaponization: Virus scanner turning off
  3. Delivery: Malware placed on the targeted system
  4. Exploitation: Large amount of data leaving the network through unusual ports
  5. Installation: USB with infected files inserted into company laptop
  6. Command and Control: System phone connecting to countries where no staff are located
  7. Actions on Objectives: Not visible to the victim
An engineer received a report that an attacker has compromised a workstation and gained access to sensitive customer data from the network using insecure protocols.  Which action prevents this type of attack in the future?
A. Use VLANs to segregate zones and the firewall to allow only required services and secured protocols
B. Deploy a SOAR solution and correlate log alerts from customer zones
C. Deploy IDS within sensitive areas and continuously update signatures
D. Use syslog to gather data from multiple sources and detect intrusion logs for timely responses
A. Use VLANs to segregate zones and the firewall to allow only required services and secured protocols. By using VLANs to segregate zones and the firewall to allow only required services and secured protocols, an organization can control the traffic that can enter or exit a particular network segment. This can prevent attackers from accessing sensitive customer data and reduce the likelihood of an attack in the future.
An organization is using an internal application for printing documents that requires a separate registration on the website. The application allows format-free user creation, and users must match these required conditions to comply with the company’s user creation policy:
  • minimum length: 3
  • usernames can only use letters, numbers, dots, and underscores
  • usernames cannot begin with a number
The application administrator has to manually change and track these daily to ensure compliance. An engineer is tasked to implement a script to automate the process according to the company user creation policy. The engineer implemented this piece of code within the application, but users are still able to create format-free usernames. Which change is needed to apply the restrictions?
A. modify code to return error on restrictions def return false_user(username, minlen)
B. automate the restrictions def automate_user(username, minlen)
C. validate the restrictions, def validate_user(username, minlen)
D. modify code to force the restrictions, def force_user(username, minlen)

C. validate the restrictions, def validate_user(username, minlen)
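The page does not show the engineer's code, so here is an added Python example (not from the page) of the validation the answer names: validate_user enforces the three stated policy conditions and returns the reason for a rejection, and a constructed create_user refuses to create an account that fails validation rather than silently accepting it, which is the behaviour the question says was missing.

```python
"""Constructed username policy check for the three conditions in the question."""
import re

# Allowed characters: ASCII letters, digits, dot and underscore (a constructed reading
# of "letters, numbers, dots, and underscores"). fullmatch is used on purpose:
# re.match with a trailing "$" would still accept a username ending in a newline.
ALLOWED_RE = re.compile(r"[A-Za-z0-9._]+")


def validate_user(username, minlen=3):
    """Check a username against the policy. Returns (ok, reason)."""
    if not isinstance(username, str):
        return False, "username must be a string"
    if len(username) < minlen:
        return False, f"username must be at least {minlen} characters"
    if username[:1].isdigit():            # [:1] keeps this safe for the empty string
        return False, "username cannot begin with a number"
    if not ALLOWED_RE.fullmatch(username):
        return False, "username may only contain letters, numbers, dots, and underscores"
    return True, "ok"


def create_user(username, existing_users, minlen=3):
    """Create the user only if validation passes; otherwise refuse with the reason.

    `existing_users` stands in for the application's user store (constructed).
    """
    ok, reason = validate_user(username, minlen)
    if not ok:
        raise ValueError(reason)
    if username in existing_users:
        raise ValueError("username already exists")
    existing_users.add(username)
    return username


if __name__ == "__main__":
    for candidate in ["jo", "3abc", "ab-c", "abc\n", "john.doe_1"]:
        print(repr(candidate), validate_user(candidate))
```

The check is deliberately an allow-list: anything outside the permitted character set is rejected, so there is no deny-list of bad characters to keep up to date.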

An engineer implemented a SOAR workflow to detect and respond to incorrect login attempts and anomalous user behavior. Since the implementation, the security team has received dozens of false positive alerts and negative feedback from system administrators and privileged users.  Several legitimate users were tagged as a threat and their accounts blocked, or credentials reset because of unexpected login times and incorrectly typed credentials.  How should the workflow be improved to resolve these issues?
A. Meet with privileged users to increase awareness and modify the rules for threat tags and anomalous behavior alerts
B. Change the SOAR configuration flow to remove the automatic remediation that is increasing the false positives and triggering threats
C. Add a confirmation step through which SOAR informs the affected user and asks them to confirm whether they made the attempts
D. Increase incorrect login tries and tune anomalous user behavior not to affect privileged accounts
C. Add a confirmation step through which SOAR informs the affected user and asks them to confirm whether they made the attempts. Adding a confirmation step would allow the system to confirm with the user whether they initiated the attempt or not, and avoid false positives. This would also prevent the automatic remediation process from locking out legitimate users.
Where does it signify that a page will be stopped from loading when a scripting attack is detected?
A. x-frame-options
B. x-content-type-options
C. x-xss-protection
D. x-test-debug
The correct answer is C. x-xss-protection is an HTTP header that helps to detect and prevent cross-site scripting (XSS) attacks in web browsers. When the header is set to “1; mode=block”, the browser will stop rendering the page if an XSS attack is detected.
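A defender-side check for the headers named in this question, as an added Python example that is not from the page: it parses a raw HTTP response and reports whether x-xss-protection, x-frame-options and x-content-type-options are present with their protective values. The response text is constructed.

```python
"""Constructed audit of browser-protection response headers."""

# Expected values per header (lower-cased names); the lambdas normalise spacing and case
EXPECTED = {
    "x-xss-protection": lambda v: v.replace(" ", "").lower() == "1;mode=block",
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
}

# Constructed sample response: one header correct, one weakened, one missing
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 0\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def parse_headers(raw):
    """Return {lower-cased name: value} from a raw HTTP response (status line skipped)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(raw):
    """Classify each protection header as 'ok', 'weak' (present, wrong value) or 'missing'."""
    headers = parse_headers(raw)
    report = {}
    for name, is_ok in EXPECTED.items():
        if name not in headers:
            report[name] = ("missing", None)
        elif is_ok(headers[name]):
            report[name] = ("ok", headers[name])
        else:
            report[name] = ("weak", headers[name])
    return report


if __name__ == "__main__":
    for name, (status, value) in audit_headers(SAMPLE_RESPONSE).items():
        print(f"{name:24} {status:8} {value!r}")
```

On the sample response the audit reports x-frame-options as ok, x-xss-protection as weak (a value of 0 disables the filter) and x-content-type-options as missing. One caveat for practice rather than the exam: Chromium-based browsers removed their XSS auditor and Firefox never implemented one, so today a Content-Security-Policy header is what actually blocks injected script; x-xss-protection is still worth setting for older browsers.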
What is the HTTP response code when the REST API information requested by the authenticated user cannot be found?
A. 401
B. 402
C. 403
D. 404
E. 405
The HTTP response code when the REST API information requested by the authenticated user cannot be found is D. 404.
What is a principle of Infrastructure as Code?
A. System maintenance is delegated to software systems
B. Comprehensive initial designs support robust systems
C. Scripts and manual configurations work together to ensure repeatable routines
D. System downtime is grouped and scheduled across the infrastructure
B. Comprehensive initial designs support robust systems.
An engineer configured this SOAR solution workflow to identify account theft threats and privilege escalation, evaluate risk, and respond by resolving the threat. This solution is handling more threats than Security analysts have time to analyze. Without this analysis, the team cannot be proactive and anticipate attacks. Which action will accomplish this goal?
A. Exclude the step “BAN malicious IP” to allow analysts to conduct and track the remediation
B. Include a step “Take a Snapshot” to capture the endpoint state to contain the threat for analysis
C. Exclude the step “Check for GeoIP location” to allow analysts to analyze the location and the associated risk based on asset criticality
D. Include a step “Reporting” to alert the security department of threats identified by the SOAR reporting engine
D. Include a step “Reporting” to alert the security department of threats identified by the SOAR reporting engine. By including a reporting step in the workflow, the SOAR solution can automatically generate reports on the threats that have been detected, allowing the security team to be proactive in identifying patterns and anticipating future attacks. This will help the team prioritize their time and focus on the most important threats, while still being able to respond quickly and effectively to any issues that arise.
Match the following three statements with the correct cloud solution of SaaS, PaaS or IaaS:
Logs, alerts and events for application performance monitoring and application health are configurable by the customer
The customer controls limited application configuration settings, and obtaining logs for security monitoring may be limited
Logs, alerts, and events for operating system are configurable by the customer

Logs, alerts and events for application performance monitoring and application health are configurable by the customer – PaaS

The customer controls limited application configuration settings, and obtaining logs for security monitoring may be limited – SaaS

Logs, alerts, and events for operating system are configurable by the customer – IaaS

A company’s web server availability was breached by a DDoS attack and was offline for 3 hours because it was not deemed a critical asset in the incident response playbook. Leadership has requested a risk assessment of the asset. An analyst conducted the risk assessment using the threat sources, events, and vulnerabilities. Which additional element is needed to calculate the risk?
A. assessment scope
B. event severity and likelihood
C. incident response playbook
D. risk model framework
To calculate the risk, a risk model framework is needed.
An employee who often travels abroad logs in from a first-seen country during non-working hours. The SIEM tool generates an alert that the user is forwarding an increased amount of emails to an external mail domain and then logs out. The investigation concludes that the external domain belongs to a competitor. Which two behaviors triggered UEBA? (Choose two.)
A. domain belongs to a competitor
B. log in during non-working hours
C. email forwarding to an external domain
D. log in from a first-seen country
E. increased number of sent mails
The two behaviors that triggered UEBA are:

B. Log in during non-working hours

E. Increased number of sent mails

How is a SIEM tool used?
A. To collect security data from authentication failures and cyber attacks and forward it for analysis
B. To search and compare security data against acceptance standards and generate reports for analysis
C. To compare security alerts against configured scenarios and trigger system responses
D. To collect and analyze security data from network devices and servers and produce alerts

D. To collect and analyze security data from network devices and servers and produce alerts.

What are AesCryptoServiceProvider and MemoryStream, and how do they work together in a Try subroutine?
AesCryptoServiceProvider and MemoryStream are two classes in the .NET framework used for cryptographic operations.

AesCryptoServiceProvider is a class that provides an implementation of the Advanced Encryption Standard (AES) algorithm. It can be used to encrypt and decrypt data, as well as generate keys for use in encryption.

MemoryStream is a class that represents a stream of bytes stored in memory. It can be used to read from and write to a byte array in memory.

In a try subroutine, these two classes may be used together to encrypt or decrypt data stored in memory. For example:

vbnet
Imports System
Imports System.IO
Imports System.Security.Cryptography
Imports System.Text

Module AesExample
    Sub Main()
        Try
            Dim aes As New AesCryptoServiceProvider()
            ' AES-128 takes a 16-byte key, and the IV must always be 16 bytes:
            ' the 4-byte "MyIV" in the original listing throws a CryptographicException.
            ' Hard-coded values are for illustration only; real code should generate
            ' the key (aes.GenerateKey() or a KDF) and a fresh random IV per message.
            Dim key As Byte() = Encoding.UTF8.GetBytes("MySecretKey12345")
            Dim iv As Byte() = Encoding.UTF8.GetBytes("MyIV000000000000")
            aes.Key = key
            aes.IV = iv

            ' The MemoryStream receives the ciphertext; the CryptoStream encrypts what is written to it
            Using ms As New MemoryStream()
                Using cs As New CryptoStream(ms, aes.CreateEncryptor(), CryptoStreamMode.Write)
                    Dim plaintext As Byte() = Encoding.UTF8.GetBytes("My secret message")
                    cs.Write(plaintext, 0, plaintext.Length)
                    cs.FlushFinalBlock() ' pad and emit the last block before reading ms
                End Using
                Dim ciphertext As Byte() = ms.ToArray()
                Console.WriteLine(Convert.ToBase64String(ciphertext))
            End Using
        Catch ex As Exception
            Console.WriteLine("Error: " & ex.Message)
        End Try
    End Sub
End Module

In this example, the AesCryptoServiceProvider is used to create an instance of the AES algorithm, and a key and initialization vector (IV) are set. The MemoryStream is used to hold the plaintext data, and the CryptoStream is used to encrypt the data using the AES algorithm. The encrypted data is then converted to a Base64 string and output to the console. If an error occurs during this process, the catch block will handle the exception and output an error message.

An engineer is performing a static analysis on a malware and knows that it is capturing keys and webcam events on a company server. Which of the following four options is the indicator of compromise?
A. The malware is performing comprehensive fingerprinting of the host, including a processor, motherboard manufacturer, and connected removable storage.
B. The malware is a ransomware querying for installed anti-virus products and operating systems to encrypt and render unreadable until payment is made for file decryption.
C. The malware has moved to harvesting cookies and stored account information from major browsers and configuring a reverse proxy for intercepting network activity.
D. The malware contains an encryption and decryption routine to hide URLs/IP addresses and is storing the output of loggers and webcam captures in locally encrypted files for retrieval
The indicator of compromise in this scenario is:

D. The malware contains an encryption and decryption routine to hide URLs/IP addresses and is storing the output of loggers and webcam captures in locally encrypted files for retrieval.

A customer is using a central device to manage network devices over SNMPv2. A remote attacker caused a denial of service condition and can trigger this vulnerability by issuing a GET request for the ciscoFlashMIB OID on an affected device. Which should be disabled to resolve the issue?
A. SNMPv2
B. TCP small services
C. port UDP 161 and 162
D. UDP small services

A. SNMPv2

Retract administrative access to operating systems and applications in accordance with job duties
Use multifactor authentication for remote access or accessing sensitive information
Change backup and store software and configuration setting for t test three months
Patch application including flash web browsers and pdf viewers.
Match the mitigation steps above to the vulnerabilities they mitigate below:
End-user desktops allow execution of non-approved applications that include malicious code.
Application security vulnerabilities can be used to execute malicious code.
Privileged accounts have full rights to information systems.
User verification is weak and based on a single factor.
  • Retract administrative access to operating systems and applications in accordance with job duties: Privilege accounts have full rights to information systems.
  • Use multifactor authentication for remote access or accessing sensitive information: User verification is weak and based on a single factor.
  • Change backup and store software and configuration setting for test three months: N/A (not enough context to determine which vulnerability this mitigates)
  • Patch applications including flash web browsers and PDF viewers: Application security vulnerabilities can be used to execute malicious code.
HOW BEST TO READ A STIX?
STIX (Structured Threat Information Expression) is a structured language for describing cyber threat intelligence. Reading a STIX file involves understanding the syntax, structure, and context of the file. Here are some tips for reading a STIX file:
  1. Understand the STIX data model: Familiarize yourself with the structure of a STIX file, including the objects, properties, and relationships. This will help you understand how the information is organized and how to interpret it.
  2. Read the documentation: Read the documentation that accompanies the STIX file to understand what the data represents and how it was collected.
  3. Identify the threat: Look for indicators of a threat, such as malware, IP addresses, or domain names, and identify the threat actor or group if possible.
  4. Analyze the attack vector: Identify the method used to execute the attack, such as a phishing email or a vulnerability exploit.
  5. Look for patterns: Identify any patterns or trends in the data that can help you understand the scope and scale of the threat.
  6. Cross-reference with other sources: Compare the information in the STIX file with other sources, such as threat intelligence feeds, to validate the information and gain a broader context.
  7. Use visualization tools: Visualization tools can help you understand the relationships and connections between the objects in the STIX file and identify patterns and trends more easily.
An engineer is moving data from NAS servers in different departments to a combined storage database so that the data can be accessed and analyzed by the organization on-demand. Which data management process is being used?
A. data clustering
B. data regression
C. data ingestion
D. data obfuscation

C. data ingestion

What is a benefit of key risk indicators?
A. clear perspective into the risk position of an organization
B. improved visibility on quantifiable information
C. improved mitigation techniques for unknown threats
D. clear procedures and processes for organizational risk
A. Clear perspective into the risk position of an organization is a benefit of key risk indicators (KRIs). KRIs are quantifiable metrics used to measure and monitor risks and their associated impact on an organization. By using KRIs, organizations can gain greater insight and understanding of their risk position, helping them to identify potential issues and take steps to mitigate them before they become a problem. KRIs provide an objective and measurable way to evaluate risk, giving organizations greater visibility into their overall risk posture.
An engineer notices a significant anomaly in the traffic in one of the host groups in Cisco Secure Network Analytics (Stealthwatch) and must analyze the top data transmissions. Which tool accomplishes this task?
A. Top Peers
B. Top Hosts
C. Top Conversations
D. Top Ports

C. Top Conversations.

In Cisco Secure Network Analytics (Stealthwatch), the Top Conversations tool displays the top hosts that are communicating with each other based on volume, allowing engineers to identify suspicious or anomalous traffic patterns.

Employees report computer system crashes within the same week. An analyst is investigating one of the computers that crashed and discovers multiple shortcuts in the system’s startup folder. It appears that the shortcuts redirect users to malicious URLs. What is the next step the engineer should take to investigate this case?
A. Remove the shortcut files
B. Check the audit logs
C. Identify affected systems
D. Investigate the malicious URLs

The next step the engineer should take to investigate this case is to identify affected systems. Since multiple employees have reported system crashes within the same week, it is likely that other systems have been affected. By identifying affected systems, the engineer can take steps to remove the malicious shortcuts and investigate if there are any other related security issues. Once the affected systems have been identified, the engineer can investigate the malicious URLs and check the audit logs to determine how the malicious shortcuts were created and who created them.

An engineer is investigating several cases of increased incoming spam emails and suspicious emails from the HR and service departments. While checking the event sources, the website monitoring tool showed several web scraping alerts overnight. Which type of compromise is indicated?
A. phishing
B. dumpster diving
C. social engineering
D. privilege escalation
Based on the given information, none of the options seem to be the correct answer. The information provided does not provide enough details to determine the type of compromise.
How are tokens authenticated when the REST API on a device is accessed from a REST API client?
A. The token is obtained by providing a password. The REST client requests access to a resource using the access token. The REST API validates the access token and gives access to the resource.
B. The token is obtained by providing a password. The REST API requests access to a resource using the access token, validates the access token, and gives access to the resource.
C. The token is obtained before providing a password. The REST API provides resource access, refreshes tokens, and returns them to the REST client. The REST client requests access to a resource using the access token.
D. The token is obtained before providing a password. The REST client provides access to a resource using the access token. The REST API encrypts the access token and gives access to the resource.

B. The token is obtained by providing a password. The REST API requests access to a resource using the access token, validates the access token, and gives access to the resource.

When a user logs in with their credentials, the REST API generates a token, which is then used to authenticate subsequent requests. The REST client sends the token with each request to the REST API, which validates the token and provides access to the requested resource if the token is valid. The user’s password is used only to obtain the initial token, which is then used for subsequent authentication.

Where are the browser page rendering permissions displayed?
A. x-frame-options
B. x-xss-protection
C. x-content-type-options
D. x-test-debug
The browser page rendering permissions are displayed in the X-Frame-Options header. This header can be set by a web server to control if and how their content is embedded into other sites. It can be set to deny all framing, allow framing from the same origin, or allow framing from specific sources.
An engineer is utilizing interactive behavior analysis to test malware in a sandbox environment to see how the malware performs when it is successfully executed. A location is secured to perform reverse engineering on a piece of malware. What is the next step the engineer should take to analyze this malware?
A. Run the program through a debugger to see the sequential actions
B. Unpack the file in a sandbox to see how it reacts
C. Research the malware online to see if there are noted findings
D. Disassemble the malware to understand how it was constructed

The next step the engineer should take is to run the program through a debugger to see the sequential actions. This will allow the engineer to step through the malware code and understand what it is doing at each step, including any malicious actions it may be attempting. Debugging can help the engineer identify potential vulnerabilities in the system and develop effective countermeasures.

how best to understand interactive behavior analysis to test malware, can you summarize this concept?
Interactive Behavior Analysis is a technique used to test malware by running it in a controlled, virtual environment known as a sandbox. The malware is executed within the sandbox, and its behavior is monitored and analyzed to determine its purpose and potential impact on a system. The analysis involves observing the malware’s network activity, file system changes, system registry changes, and any other actions it may take while running. This method can provide insight into how the malware behaves, how it spreads, and any other related actions that may be taken to prevent or mitigate the effects of the malware.
What is a limitation of cyber security risk insurance?
A. It does not cover the costs to restore stolen identities as a result of a cyber attack
B. It does not cover the costs to hire forensics experts to analyze the cyber attack
C. It does not cover the costs of damage done by third parties as a result of a cyber attack
D. It does not cover the costs to hire a public relations company to help deal with a cyber attack

C. It does not cover the costs of damage done by third parties as a result of a cyber attack.

Cyber security risk insurance covers many of the direct costs associated with a cyber attack, such as legal fees, data recovery, and liability claims. However, it typically does not cover the costs of damage done by third parties, such as reputation damage or loss of customers, which can have significant financial impacts on an organization.

An engineer returned to work and realized that payments that were received over the weekend were sent to the wrong recipient. The engineer discovered that the SaaS tool that processes these payments was down over the weekend. Which step should the engineer take first?
A. Utilize the SaaS tool team to gather more information on the potential breach
B. Contact the incident response team to inform them of a potential breach
C. Organize a meeting to discuss the services that may be affected
D. Request that the purchasing department creates and sends the payments manually
The first step the engineer should take is to immediately notify the appropriate personnel of the error so that they can take the necessary steps to mitigate any potential damage. Therefore, option B, contact the incident response team to inform them of a potential breach, would be the best first step to take. This will help ensure that the incident is properly documented, investigated, and managed. Once the incident response team has been notified, the engineer can work with them to determine the root cause of the issue and develop a plan to prevent it from happening again in the future.
An analyst is alerted for a malicious file hash. After analysis, the analyst determined that an internal workstation is communicating over port 80 with an external server and that the file hash is associated with Duqu malware. Which tactics, techniques, and procedures align with this analysis?
A. Command and Control, Application Layer Protocol, Duqu
B. Discovery, Remote Services: SMB/Windows Admin Shares, Duqu
C. Lateral Movement, Remote Services: SMB/Windows Admin Shares, Duqu
D. Discovery, System Network Configuration Discovery, Duqu

A. Command and Control, Application Layer Protocol, Duqu

A SOC analyst is investigating a recent email delivered to a high-value user for a customer whose network their organization monitors. The email includes a suspicious attachment titled `Invoice RE: 0004489`. The hash of the file is gathered from the Cisco Email Security Appliance. After searching Open Source Intelligence, no available history of this hash is found anywhere on the web. What is the next step in analyzing this attachment to allow the analyst to gather indicators of compromise?
A. Run and analyze the DLP Incident Summary Report from the Email Security Appliance
B. Ask the company to execute the payload for real time analysis
C. Investigate further in open source repositories using YARA to find matches
D. Obtain a copy of the file for detonation in a sandbox

D. Obtain a copy of the file for detonation in a sandbox.

Since no available history of the file hash was found anywhere on the web, the best next step would be to obtain a copy of the file and detonate it in a sandbox environment to gather indicators of compromise. This will help to determine whether the attachment is malicious or not and provide additional information for further investigation. Running and analyzing the DLP Incident Summary Report or investigating in open-source repositories using YARA may provide additional information but are not the best next step in this scenario. Asking the company to execute the payload for real-time analysis is not recommended as it could result in potential damage or loss of data.

A SOC analyst is notified by the network monitoring tool that there are unusual types of internal traffic on IP subnet.0/24. The analyst discovers unexplained encrypted data files on a computer system that belongs on that specific subnet. What is the cause of the issue?
A. DDoS attack
B. phishing attack
C. virus outbreak
D. malware outbreak

Based on the information provided, it is not possible to determine the cause of the issue with certainty. However, the presence of unusual types of internal traffic and unexplained encrypted data files on a system suggest that some type of security incident or compromise may have occurred. Further investigation is necessary to determine the cause of the issue, identify any malicious activity, and mitigate any potential damage.

An employee is a victim of a social engineering phone call and installs remote access software to allow an `MS Support` technician to check his machine for malware. The employee becomes suspicious after the remote technician requests payment in the form of gift cards. The employee has copies of multiple, unencrypted database files, over 400 MB each, on his system and is worried that the scammer copied the files off but has no proof of it. The remote technician was connected sometime between 2:00 pm and 3:00 pm over https. What should be determined regarding data loss between the employee’s laptop and the remote technician’s system?
A. No database files were disclosed
B. The database files were disclosed
C. The database files integrity was violated
D. The database files were intentionally corrupted, and encryption is possible
It is impossible to determine from the given information whether or not the database files were disclosed or the integrity was violated. However, it is highly recommended that the employee immediately report the incident to the company’s IT security team or manager to investigate the extent of any potential data loss and take necessary actions to prevent further damage. Additionally, the employee should be advised to change all passwords and enable two-factor authentication for all accounts that may have been accessed during the remote access session.
A company launched an e-commerce website with multiple points of sale through internal and external e-stores. Customers access the stores from the public website, and employees access the stores from the intranet with an SSO. Which action is needed to comply with PCI standards for hardening the systems?
A. Mask PAN numbers
B. Encrypt personal data
C. Encrypt access
D. Mask sales details

B. Encrypt personal data.

To comply with PCI standards for hardening the systems, personal data, including credit card information, needs to be encrypted. Masking PAN (Primary Account Number) numbers can help reduce the risk of unauthorized access, but it is not enough to comply with the standard. Encrypting access is also not enough as it does not address the requirement to encrypt sensitive data. Masking sales details can help protect sensitive information, but it is not enough to comply with the PCI standards for hardening systems.

An organization installed a new application server for IP phones. An automated process fetched user credentials from the Active Directory server, and the application will have access to on-premises and cloud services. Which security threat should be mitigated first?
A. aligning access control policies
B. exfiltration during data transfer
C. attack using default accounts
D. data exposure from backups

The security threat that should be mitigated first in this scenario is attack using default accounts. Default accounts are accounts that have pre-configured usernames and passwords that are often used by hackers to gain unauthorized access to systems. Since the application server for IP phones has access to both on-premises and cloud services, it is essential to ensure that default accounts are disabled or have their passwords changed. This is a common security practice to prevent unauthorized access and protect systems from attacks. Once this threat is mitigated, the organization can focus on aligning access control policies, protecting data from exfiltration during data transfer, and ensuring that data exposure from backups is minimized.

A threat actor has crafted and sent a spear-phishing email with what appears to be a trustworthy link to the site of a conference that an employee recently attended. The employee clicked the link and was redirected to a malicious site through which the employee downloaded a PDF attachment infected with ransomware. The employee opened the attachment, which exploited vulnerabilities on the desktop. The ransomware is now installed and is calling back to its command and control server. Which security solution is needed at this stage to mitigate the attack?
A. web security solution
B. email security solution
C. endpoint security solution
D. network security solution

C. endpoint security solution

Based on the scenario, the appropriate security solution that is needed at this stage to mitigate the attack is a C. endpoint security solution.

Endpoint security solutions are designed to protect the individual devices, such as desktops, laptops, and servers, from security threats that can penetrate through web or email channels. In this scenario, the employee’s desktop was exploited when the infected PDF attachment was downloaded, so an endpoint security solution would be necessary to protect the desktop from the ransomware and any other malware that might be present.

Endpoint security solutions typically include antivirus, anti-malware, and firewall technologies, as well as features such as intrusion detection and prevention, behavioral analysis, and vulnerability management. These features help to prevent malware from infecting endpoints, detect and respond to any threats that do get through, and provide visibility and control over the endpoints.

It’s worth noting that other security solutions, such as web and email security solutions, may also have played a role in preventing this attack, but at this stage, the focus should be on mitigating the damage that has already been done, which is best done with an endpoint security solution.

An engineer is investigating a case with suspicious usernames within Active Directory. After the engineer investigates and cross-correlates events from other sources, it appears that the 2 users are privileged, and their creation date matches suspicious network traffic that was initiated from the internal network 2 days prior. Which type of compromise is occurring?
A. compromised insider
B. compromised root access
C. compromised database tables
D. compromised network

A. compromised insider

How to differentiate the following events:
A. high risk level, anomalous periodic communication, quarantine with antivirus
B. critical risk level, malicious server IP, run in a sandboxed environment
C. critical risk level, data exfiltration, isolate the device
D. high risk level, malicious host, investigate further
A. The event has a high risk level, and it is related to anomalous periodic communication. The device is quarantined using an antivirus program.

B. The event is classified as a critical risk level, and it is related to a malicious server IP. The recommended course of action is to execute the process in a sandboxed environment.

C. The event is classified as a critical risk level, and it is related to data exfiltration. The recommended course of action is to isolate the device.

D. The event has a high risk level, and it is related to a malicious host. The recommended course of action is to investigate further.

An analyst wants to upload an infected file containing sensitive information to a hybrid-analysis sandbox. According to the NIST.SP 800-150 guide to cyber threat information sharing, what is the analyst required to do before uploading the file to safeguard privacy?
A. Verify hash integrity.
B. Remove all personally identifiable information.
C. Ensure the online sandbox is GDPR compliant.
D. Lock the file to prevent unauthorized access.
B. Remove all personally identifiable information.
An engineer received multiple reports from employees unable to log into systems with the error "The Group Policy Client service failed to logon. Access is denied." Through further analysis, the engineer discovered several unexpected modifications to system settings. Which type of breach is occurring?
A. malware break
B. data theft
C. elevation of privileges
D. denial-of-service

The type of breach that is occurring in this scenario is elevation of privileges.

What is needed to assess risk mitigation effectiveness in an organization?
A. analysis of key performance indicators
B. compliance with security standards
C. cost-effectiveness of control measures
D. updated list of vulnerable systems

A. Analysis of key performance indicators is needed to assess risk mitigation effectiveness in an organization. KPIs can help measure the effectiveness of risk mitigation strategies and provide a clear picture of an organization’s security posture over time. This information can help organizations identify areas of improvement, optimize resource allocation, and make more informed decisions about their security programs.

Where is the MIME type that should be followed indicated?
A. x-test-debug
B. strict-transport-security
C. x-xss-protection
D. x-content-type-options

The MIME type that should be followed is indicated in the “Content-Type” header of an HTTP response.

An engineer received an incident ticket of a malware outbreak and used antivirus and malware removal tools to eradicate the threat. The engineer notices that abnormal processes are still occurring in the system and determines that manual intervention is needed to clean the infected host and restore functionality. What is the next step the engineer should take to complete this playbook step?
A. Scan the network to identify unknown assets and the asset owners.
B. Analyze the components of the infected hosts and associated business services.
C. Scan the host with updated signatures and remove temporary containment.
D. Analyze the impact of the malware and contain the artifacts.

C. Scan the host with updated signatures and remove temporary containment.

The SIEM tool informs a SOC team of a suspicious file. The team initializes the analysis with an automated sandbox tool, sets up a controlled laboratory to examine the malware specimen, and proceeds with behavioral analysis. What is the next step in the malware analysis process?
A. Perform static and dynamic code analysis of the specimen.
B. Unpack the specimen and perform memory forensics.
C. Contain the subnet in which the suspicious file was found.
D. Document findings and clean-up the laboratory.

The next step in the malware analysis process would be to perform static and dynamic code analysis of the specimen. After performing behavioral analysis, static analysis involves examining the code and characteristics of the malware to identify any recognizable patterns or signatures, while dynamic analysis involves observing the behavior of the malware in a controlled environment to understand its methods of attack and any associated network communications. These steps help in developing countermeasures and detection methods for similar types of malware.

A logistic company must use an outdated application located in a private VLAN during the migration to new technologies. The IPS blocked and reported an unencrypted communication. Which tuning option should be applied to IPS?
A. Allow list only authorized hosts to contact the application’s IP at a specific port.
B. Allow list HTTP traffic through the corporate VLANS.
C. Allow list traffic to application’s IP from the internal network at a specific port.
D. Allow list only authorized hosts to contact the application’s VLAN.

Option C is the most appropriate tuning option to apply to the IPS. By allow listing traffic to the application’s IP from the internal network at a specific port, the IPS will permit the communication between the outdated application located in the private VLAN and the internal network while blocking any unapproved communication. This will enable the company to use the outdated application located in the private VLAN while securing their network from external threats.

NOTE –

A private VLAN (Virtual Local Area Network) is a network segmentation technique that allows an administrator to partition a single VLAN into sub-VLANs, effectively isolating the traffic between devices within that VLAN. The private VLAN concept is based on the idea of having one primary VLAN, known as the “primary VLAN,” that is further divided into one or more “secondary VLANs.”

In a private VLAN, there are two types of ports: promiscuous ports and host ports. Promiscuous ports are typically used to connect to external networks or network devices, while host ports are used to connect to individual devices within the VLAN. Host ports can be further classified as either isolated or community ports.

An isolated port is a host port that can only communicate with promiscuous ports, while a community port is a host port that can communicate with other host ports within the same secondary VLAN. This allows for greater control over the flow of traffic within the VLAN, as isolated ports prevent direct communication between devices within the same VLAN, while community ports allow communication between devices with the same security or trust level.

Private VLANs are often used in environments such as data centers, service providers, and enterprise networks, where isolation and security are critical. By segmenting a VLAN into smaller, isolated sub-VLANs, administrators can better control and secure network traffic, minimizing the risk of unauthorized access or malicious activity.

A security engineer discovers that a spreadsheet containing confidential information for nine of their employees was fraudulently posted on a competitor’s website. The spreadsheet contains names, salaries, and social security numbers. What is the next step the engineer should take in this investigation?
A. Determine if there is internal knowledge of this incident.
B. Check incoming and outgoing communications to identify spoofed emails.
C. Disconnect the network from Internet access to stop the phishing threats and regain control.
D. Engage the legal department to explore action against the competitor that posted the spreadsheet.

D. Engage the legal department to explore action against the competitor that posted the spreadsheet.

The disclosure of sensitive information is a serious data breach, and it is important to take action against the responsible party. The legal department can provide guidance on what steps to take, such as sending a cease and desist letter, pursuing legal action for damages, and notifying regulatory agencies if necessary. It is also important to conduct a thorough investigation to determine how the information was obtained and how to prevent similar incidents from occurring in the future.

An engineer notices that every Sunday night, there is a two-hour period with a large load of network activity. Upon further investigation, the engineer finds that the activity is from locations around the globe outside the organization’s service area. What are the next steps the engineer must take?
A. Assign the issue to the incident handling provider because no suspicious activity has been observed during business hours.
B. Review the SIEM and FirePower logs, block all traffic, and document the results of calling the call center.
C. Define the access points using StealthWatch or SIEM logs, understand services being offered during the hours in question, and cross-correlate other source events.
D. Treat it as a false positive, and accept the SIEM issue as valid to avoid alerts from triggering on weekends.
The next steps the engineer must take are to define the access points using StealthWatch or SIEM logs, understand the services being offered during the hours in question, and cross-correlate other source events. This will help to identify the root cause of the abnormal network activity, determine if it is malicious or not, and take appropriate action to address the issue. Simply accepting the SIEM issue as valid to avoid alerts from triggering on weekends or assigning the issue to the incident handling provider without further investigation may leave the organization vulnerable to potential threats.
An organization had an incident with the network availability during which devices unexpectedly malfunctioned. An engineer is investigating the incident and found that the memory pool buffer usage reached a peak before the malfunction. Which action should the engineer take to prevent this issue from reoccurring?
A. Disable memory limit.
B. Disable CPU threshold trap toward the SNMP server.
C. Enable memory tracing notifications.
D. Enable memory threshold notifications.

To prevent this issue from reoccurring, the engineer should enable memory threshold notifications. This will allow the engineer to be alerted when the memory usage reaches a certain level, enabling them to take necessary actions to prevent system malfunctions. Disabling the memory limit can result in memory exhaustion and lead to system malfunction. Disabling the CPU threshold trap will not prevent the memory pool buffer usage from reaching a peak. Enabling memory tracing notifications may provide detailed information on the memory usage but does not prevent the issue from occurring.

A SOC analyst detected a ransomware outbreak in the organization coming from a malicious email attachment. Affected parties are notified, and the incident response team is assigned to the case. According to the NIST incident response handbook, what is the next step in handling the incident?
A. Create a follow-up report based on the incident documentation.
B. Perform a vulnerability assessment to find existing vulnerabilities.
C. Eradicate malicious software from the infected machines.
D. Collect evidence and maintain a chain-of-custody during further analysis.

D. Collect evidence and maintain a chain-of-custody during further analysis.

A security manager received an email from an anomaly detection service, that one of their contractors has downloaded 50 documents from the company’s confidential document management folder using a company-owned asset al039-ice-4ce687TL0500. A security manager reviewed the content of downloaded documents and noticed that the data affected is from different departments. What are the actions a security manager should take?
A. Measure confidentiality level of downloaded documents.
B. Report to the incident response team.
C. Escalate to contractor’s manager.
D. Communicate with the contractor to identify the motives.

The actions a security manager should take in this scenario are:

  1. Report to the incident response team: The incident response team should be notified immediately so they can take control of the situation, preserve evidence, and coordinate the response to the incident.
  2. Escalate to contractor’s manager: The security manager should inform the contractor’s manager about the incident, as it could be a breach of the contractor’s agreement and can lead to the termination of the contract.
  3. Communicate with the contractor to identify the motives: The security manager should communicate with the contractor to understand the motive behind the download of the confidential documents. This will help in determining the severity of the incident and in taking appropriate actions to prevent similar incidents in the future.
  4. Measure confidentiality level of downloaded documents: The security manager should assess the level of confidentiality of the downloaded documents and determine the potential impact of the breach.

Based on the severity of the incident, additional actions may include changing access controls, implementing additional security controls, conducting a security audit, and notifying external parties such as regulatory authorities or affected customers.

An engineer detects an intrusion event inside an organization’s network and becomes aware that files that contain personal data have been accessed. Which action must be taken to contain this attack?
A. Disconnect the affected server from the network.
B. Analyze the source.
C. Access the affected server to confirm compromised files are encrypted.
D. Determine the attack surface.
The first action that must be taken to contain this attack is to disconnect the affected server from the network to prevent further damage and spread of the attack. Once the server is isolated, the engineer can then analyze the source of the intrusion, access the affected server to confirm the compromised files are encrypted, and determine the attack surface to prevent future attacks.
The network operations center has identified malware, created a ticket within their ticketing system, and assigned the case to the SOC with high-level information. A SOC analyst was able to stop the malware from spreading and identified the attacking host. What is the next step in the incident response workflow?
A. eradication and recovery
B. post-incident activity
C. containment
D. detection and analysis

The next step in the incident response workflow after stopping the malware from spreading and identifying the attacking host is containment. The goal of containment is to isolate and limit the impact of the incident to prevent further damage or data loss.

A SOC engineer discovers that the organization had three DDOS attacks overnight. Four servers are reported offline, even though the hardware seems to be working as expected. One of the offline servers is affecting the pay system reporting times. Three employees, including executive management, have reported ransomware on their laptops. Which steps help the engineer understand a comprehensive overview of the incident?
A. Run and evaluate a full packet capture on the workloads, review SIEM logs, and define a root cause.
B. Run and evaluate a full packet capture on the workloads, review SIEM logs, and plan mitigation steps.
C. Check SOAR to learn what the security systems are reporting about the overnight events, research the attacks, and plan mitigation steps.
D. Check SOAR to know what the security systems are reporting about the overnight events, review the threat vectors, and define a root cause.
B. Run and evaluate a full packet capture on the workloads, review SIEM logs, and plan mitigation steps.
Which action should be taken when the HTTP response code 301 is received from a web application?
A. Update the cached header metadata.
B. Confirm the resource’s location.
C. Increase the allowed user limit.
D. Modify the session timeout setting.

When the HTTP response code 301 is received from a web application, the appropriate action is to confirm the resource’s location. The HTTP 301 response code indicates that the requested resource has moved permanently to a new URL, and the new URL should be used for future requests. By confirming the new location, clients can ensure they are accessing the most up-to-date resource. Updating the cached header metadata, increasing the allowed user limit, and modifying the session timeout setting are not relevant actions to take in response to an HTTP 301 response code.
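Confirming the location before following it is the security-relevant part: a client should not blindly trust a `Location` header. The check below is an added example, not code from the page or the exam; the allow-list of hosts is an assumption.

```python
"""Validate the Location of an HTTP 301 before following it.

Added example (not from the original page): a client-side check that
confirms where a permanent redirect points before any request is sent
to the new location. Inputs are constructed; no network access is used.
"""
from urllib.parse import urljoin, urlsplit

# Hosts this client is allowed to be redirected to (assumed allow-list).
ALLOWED_HOSTS = {"app.example.com", "static.example.com"}


def confirm_redirect_target(original_url, status, headers, allowed_hosts=ALLOWED_HOSTS):
    """Return the absolute URL to follow, or raise ValueError with the reason.

    status:  numeric HTTP status the server returned
    headers: dict of response headers (looked up case-insensitively)
    """
    if status != 301:
        raise ValueError(f"not a permanent redirect: {status}")
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if not location:
        raise ValueError("301 without a Location header")
    # A relative Location is resolved against the original URL (RFC 7231 section 7.1.2).
    target = urljoin(original_url, location)
    src, dst = urlsplit(original_url), urlsplit(target)
    if dst.scheme not in ("http", "https"):
        raise ValueError(f"unexpected scheme in redirect: {dst.scheme!r}")
    if src.scheme == "https" and dst.scheme == "http":
        raise ValueError("redirect downgrades https to http")
    if dst.hostname not in allowed_hosts:
        raise ValueError(f"redirect leaves the allowed hosts: {dst.hostname!r}")
    return target


def redirect_is_safe(original_url, status, headers, allowed_hosts=ALLOWED_HOSTS):
    """Boolean convenience wrapper around confirm_redirect_target."""
    try:
        confirm_redirect_target(original_url, status, headers, allowed_hosts)
        return True
    except ValueError:
        return False
```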

Employees receive an email from an executive within the organization that summarizes a recent security breach and requests that employees verify their credentials through a provided link. Several employees report the email as suspicious, and a security analyst is investigating the reports. Which two steps should the analyst take to begin this investigation? (Choose two.)
A. Evaluate the intrusion detection system alerts to determine the threat source and attack surface.
B. Communicate with employees to determine who opened the link and isolate the affected assets.
C. Examine the firewall and HIPS configuration to identify the exploited vulnerabilities and apply recommended mitigation.
D. Review the mail server and proxy logs to identify the impact of a potential breach.
E. Check the email header to identify the sender and analyze the link in an isolated environment.
E. Check the email header to identify the sender and analyze the link in an isolated environment.
B. Communicate with employees to determine who opened the link and isolate the affected assets.
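Checking the header to identify the sender, as an added example (not from the page or the exam): the message below is constructed, the organisation domain is assumed, and the links are only extracted, never opened.

```python
"""Triage the headers and links of a reported phishing email.

Added example (not from the original page): parses a constructed message,
compares the visible sender with the envelope sender and Reply-To, and
extracts links for analysis in an isolated environment. Nothing is fetched.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample: the display name claims an internal executive, but the
# envelope sender, Reply-To and the link all point elsewhere.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (203.0.113.7) by mx.corp.example; Mon, 6 Mar 2023 08:01:02 +0000
From: "CEO Office" <ceo@corp.example>
Reply-To: verify@corp-example-login.net
To: staff@corp.example
Subject: Security breach - verify your credentials
Content-Type: text/html; charset=utf-8

<html><body><p>Please verify your account:
<a href="https://corp-example-login.net/verify?u=staff">Verify now</a></p></body></html>
"""

INTERNAL_DOMAINS = {"corp.example"}  # assumed organisation domains


def domain_of(address):
    """Return the lower-cased domain part of an address header value, or ''."""
    _, addr = parseaddr(str(address or ""))
    return addr.rpartition("@")[2].lower()


def triage_email(raw):
    """Return a dict of findings for a raw RFC 5322 message given as a string."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of(msg["From"])
    envelope_domain = domain_of(msg["Return-Path"])
    reply_domain = domain_of(msg["Reply-To"])
    # Links are extracted for sandboxed analysis only; they are never opened here.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    links = re.findall(r'href="([^"]+)"', text, flags=re.IGNORECASE)
    link_hosts = {urlsplit(u).hostname for u in links if urlsplit(u).hostname}
    findings = {
        "from": str(msg["From"]),
        "return_path": str(msg["Return-Path"]),
        "links": links,
        "envelope_mismatch": bool(envelope_domain) and envelope_domain != from_domain,
        "reply_to_external": bool(reply_domain) and reply_domain not in INTERNAL_DOMAINS,
        "links_external": any(h not in INTERNAL_DOMAINS for h in link_hosts),
    }
    findings["suspicious"] = any(
        findings[k] for k in ("envelope_mismatch", "reply_to_external", "links_external")
    )
    return findings
```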
A SOC team is investigating a recent, targeted social engineering attack on multiple employees. Cross-correlated log analysis revealed that two hours before the attack, multiple assets received requests on TCP port 79. Which action should be taken by the SOC team to mitigate this attack?
A. Disable BIND forwarding from the DNS server to avoid reconnaissance.
B. Disable affected assets and isolate them for further investigation.
C. Configure affected devices to disable NETRJS protocol.
D. Configure affected devices to disable the Finger service.
The correct answer is D. Configure affected devices to disable the Finger service.

TCP port 79 is associated with the Finger protocol, which is a service that is commonly used by attackers to gather information about users and assets. The best way to mitigate this attack is to disable the Finger service on affected devices to prevent further reconnaissance by attackers. It is also recommended to investigate the source of the requests on TCP port 79 to identify any potential indicators of compromise and further harden the organization’s security posture.
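The cross-correlation the question describes, as an added example (not from the page or the exam): the connection-log format and the incident time are constructed, and the output lists which assets answered Finger requests in the hours before the attack.

```python
"""Cross-correlate TCP/79 (Finger) requests with a later attack.

Added example (not from the original page): scans constructed
connection-log lines for Finger requests in the hours before a reported
incident and lists the probing sources and the assets they touched.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed connection log (UTC timestamps). The field layout is assumed.
LOG_LINES = """\
2023-03-05T21:55:10Z src=198.51.100.23 dst=10.0.1.15 proto=tcp dport=79 action=allow
2023-03-05T21:55:12Z src=198.51.100.23 dst=10.0.1.16 proto=tcp dport=79 action=allow
2023-03-05T21:56:40Z src=198.51.100.23 dst=10.0.1.17 proto=tcp dport=22 action=deny
2023-03-05T21:57:01Z src=10.0.1.50 dst=10.0.1.16 proto=tcp dport=79 action=allow
2023-03-05T10:00:00Z src=198.51.100.23 dst=10.0.1.15 proto=tcp dport=79 action=allow
2023-03-05T23:59:30Z src=203.0.113.9 dst=10.0.1.15 proto=tcp dport=443 action=allow
""".splitlines()

# Constructed: when the social engineering attack was first observed.
INCIDENT_TIME = datetime(2023, 3, 6, 0, 0, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)
FINGER_PORT = 79


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["dport"] = int(rec["dport"])
    return rec


def finger_recon_before(lines, incident_time, lookback=timedelta(hours=3)):
    """Return {source: sorted assets probed on TCP/79} within `lookback` of the incident."""
    window_start = incident_time - lookback
    hits = {}
    for rec in filter(None, map(parse_line, lines)):
        if rec["proto"] != "tcp" or rec["dport"] != FINGER_PORT:
            continue
        if not (window_start <= rec["ts"] <= incident_time):
            continue
        hits.setdefault(rec["src"], set()).add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}


def assets_to_review(hits):
    """Assets that received Finger requests: candidates for disabling the service."""
    return sorted({asset for dsts in hits.values() for asset in dsts})
```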

What is idempotence?
A. the assurance of system uniformity throughout the whole delivery process (Dictionary Definition)
B. the ability to recover from failures while keeping critical services running
C. the necessity of setting maintenance of individual deployment environments
D. the ability to set the target environment configuration regardless of the starting state (Cisco Answer)
D. the ability to set the target environment configuration regardless of the starting state is idempotence. In other words, performing the same operation multiple times should have the same effect as performing it only once. This is a key property of automation and infrastructure-as-code systems, where the desired state of a system is defined and then automatically applied to ensure that it is always in the correct state, regardless of its current state.
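The "same effect whether run once or many times" property, as an added example (not from the page): a firewall rule list is the target state, and the two apply functions differ only in whether repeated runs change the result.

```python
"""Idempotent vs non-idempotent configuration changes.

Added example (not from the original page): two ways of adding a rule to
a device's rule list. Only the idempotent version reaches the same target
state no matter how often it runs or what state it starts from.
"""
import copy

# Desired state: this rule must exist exactly once (constructed sample).
TARGET_RULE = {"action": "deny", "proto": "tcp", "dport": 79, "comment": "finger disabled"}


def apply_non_idempotent(rules, rule=TARGET_RULE):
    """Appends the rule on every run: the result depends on how many times it ran."""
    rules = copy.deepcopy(rules)
    rules.append(dict(rule))
    return rules


def apply_idempotent(rules, rule=TARGET_RULE):
    """Ensures exactly one copy of the rule exists: a second run changes nothing."""
    rules = [r for r in copy.deepcopy(rules) if r != rule]
    rules.append(dict(rule))
    return rules


def converges(apply, start_state, runs=3):
    """True if applying `runs` times yields the same state as applying once."""
    once = apply(copy.deepcopy(start_state))
    state = copy.deepcopy(start_state)
    for _ in range(runs):
        state = apply(state)
    return state == once
```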
An organization suffered a security breach in which the attacker exploited a Netlogon Remote Protocol vulnerability for further privilege escalation. Which two actions should the incident response team take to prevent this type of attack from reoccurring? (Choose two.)
A. Implement a patch management process.
B. Scan the company server files for known viruses.
C. Apply existing patches to the company servers.
D. Automate antivirus scans of the company servers.
E. Define roles and responsibilities in the incident response playbook.

A. Implement a patch management process. C. Apply existing patches to the company servers.

Two types of clients are accessing the front ends and the core database that manages transactions, access control, and atomicity. What is the threat model for the SQL database?
A. An attacker can initiate a DoS attack.
B. An attacker can read or change data.
C. An attacker can transfer data to an external server.
D. An attacker can modify the access logs.

The threat model for the SQL database in this scenario is that an attacker can read or change data, as both types of clients are accessing the core database that manages transactions and access control. This means that an attacker who gains access to the SQL database could potentially view or modify sensitive data, such as user account information or transaction details. Therefore, protecting against unauthorized access to the database and implementing appropriate access controls are critical to mitigating this threat.

A SOC team receives multiple alerts by a rule that detects requests to malicious URLs and informs the incident response team to block the malicious URLs requested on the firewall. Which action will improve the effectiveness of the process?
A. Block local to remote HTTP/HTTPS requests on the firewall for users who triggered the rule.
B. Inform the user by enabling an automated email response when the rule is triggered.
C. Inform the incident response team by enabling an automated email response when the rule is triggered.
D. Create an automation script for blocking URLs on the firewall when the rule is triggered.

D. Create an automation script for blocking URLs on the firewall when the rule is triggered.

Creating an automation script that blocks malicious URLs on the firewall immediately when the rule is triggered can improve the effectiveness of the process by reducing the response time and minimizing the potential damage of a malicious request. This would eliminate the need for manual intervention and ensure that the malicious request is stopped in a timely and efficient manner.

A cloud engineer needs a solution to deploy applications on a cloud without being able to manage and control the server OS. Which type of cloud environment should be used?
A. IaaS
B. PaaS
C. DaaS
D. SaaS

The cloud environment that the cloud engineer should use to deploy applications on a cloud without being able to manage and control the server OS is PaaS (Platform as a Service). In a PaaS environment, the cloud provider offers a platform for developing, testing, and deploying applications. The provider manages the underlying infrastructure, operating system, and middleware, and the user only needs to focus on the application.

Engineers are working to document, list, and discover all used applications within an organization. During the regular assessment of applications from the HR backup server, an engineer discovered an unknown application. The analysis showed that the application is communicating with external addresses on a non- secure, unencrypted channel. Information gathering revealed that the unknown application does not have an owner and is not being used by a business unit. What are the next two steps the engineers should take in this investigation? (Choose two.)
A. Determine the type of data stored on the affected asset, document the access logs, and engage the incident response team.
B. Identify who installed the application by reviewing the logs and gather a user access log from the HR department.
C. Verify user credentials on the affected asset, modify passwords, and confirm available patches and updates are installed.
D. Initiate a triage meeting with department leads to determine if the application is owned internally or used by any business unit and document the asset owner.

B. Identify who installed the application by reviewing the logs and gather a user access log from the HR department.

D. Initiate a triage meeting with department leads to determine if the application is owned internally or used by any business unit and document the asset owner.

A security incident affected an organization’s critical business services, and the customer-side web API became unresponsive and crashed. An investigation revealed a spike of API call requests and a high number of inactive sessions during the incident. Which two recommendations should the engineers make to prevent similar incidents in the future? (Choose two.)
A. Configure shorter timeout periods.
B. Determine API rate-limiting requirements.
C. Implement API key maintenance.
D. Automate server-side error reporting for customers.
E. Decrease simultaneous API responses.

A. Configure shorter timeout periods.

B. Determine API rate-limiting requirements.
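Both recommendations in one place, as an added example (not from the page or the exam): a token-bucket rate limiter in front of the API and a session table with a short idle timeout, driven by a constructed burst from a single client.

```python
"""Per-client API rate limiting with a short idle-session timeout.

Added example (not from the original page): a token-bucket limiter in
front of the web API plus a session table that drops inactive sessions,
driven by a constructed burst of calls from one client. Times are integer
milliseconds so the arithmetic stays exact.
"""


class TokenBucket:
    """Allows `rate` requests per second on average, with bursts up to `capacity`."""

    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.tokens = float(capacity)
        self.last_ms = 0

    def allow(self, now_ms):
        # Refill in proportion to the time elapsed since the last call, then spend one token.
        self.tokens = min(self.capacity, self.tokens + (now_ms - self.last_ms) * self.rate / 1000)
        self.last_ms = now_ms
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class ApiGateway:
    """Front end for the customer API: rate-limits per client and expires idle sessions."""

    def __init__(self, rate=5, burst=10, idle_timeout_ms=30_000):
        self.rate, self.burst, self.idle_timeout_ms = rate, burst, idle_timeout_ms
        self.buckets = {}    # client id -> TokenBucket
        self.sessions = {}   # session id -> last activity (ms)

    def _expire_idle(self, now_ms):
        stale = [s for s, t in self.sessions.items() if now_ms - t > self.idle_timeout_ms]
        for s in stale:
            del self.sessions[s]
        return len(stale)

    def handle(self, client, session_id, now_ms):
        """Return 'ok' or '429' (too many requests) for one API call."""
        self._expire_idle(now_ms)
        bucket = self.buckets.setdefault(client, TokenBucket(self.rate, self.burst))
        if not bucket.allow(now_ms):
            return "429"           # rejected before it can consume server resources
        self.sessions[session_id] = now_ms
        return "ok"

    def active_sessions(self, now_ms):
        self._expire_idle(now_ms)
        return len(self.sessions)


def simulate_spike(gateway, client="10.0.0.7", calls=50, interval_ms=100, start_ms=0):
    """Fire `calls` requests from one client, each with a fresh session id; return status counts."""
    counts = {"ok": 0, "429": 0}
    for i in range(calls):
        counts[gateway.handle(client, f"s{i}", start_ms + i * interval_ms)] += 1
    return counts
```

With the defaults (5 requests/s, burst of 10) a client sending 10 requests/s gets its burst, then roughly every second call rejected, and the sessions it opened disappear 30 seconds after their last activity.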

What is the impact of hardening machine images for deployment?
A. reduces the attack surface
B. increases the speed of patch deployment
C. reduces the steps needed to mitigate threats
D. increases the availability of threat alerts

A. reduces the attack surface

What is the difference between process orchestration and automation?
A. Orchestration combines a set of automated tools, while automation is focused on the tools to automate process flows.
B. Orchestration arranges the tasks, while automation arranges processes.
C. Orchestration minimizes redundancies, while automation decreases the time to recover from redundancies.
D. Automation optimizes the individual tasks to execute the process, while orchestration optimizes frequent and repeatable processes.
Process orchestration refers to the coordination and management of multiple automated tasks, often involving multiple systems, to achieve a specific goal or outcome. Automation, on the other hand, refers to the use of technology to execute tasks or processes without human intervention. While both process orchestration and automation involve the use of automation tools and technologies, process orchestration is more focused on the arrangement and coordination of automated tasks, while automation is focused on the execution of individual tasks or processes.
The best answer is D. Automation optimizes the individual tasks to execute the process, while orchestration optimizes frequent and repeatable processes.
An analyst received multiple alerts on the SIEM console of users that are navigating to malicious URLs. The analyst needs to automate the task of receiving alerts and processing the data for further investigations. Three variables are available from the SIEM console to include in an automation script: console_ip, api_token, reference_set_name.
What must be added to this script to receive a successful HTTP response?
A. {1}, {2}
B. {1}, {3}
C. console_ip, api_token
D. console_ip, reference_set_name

Option B. {1}, {3} – The console_ip is needed to send a request to the SIEM console, and reference_set_name is needed to create the reference set to store the malicious URLs. The api_token is not needed to receive a successful HTTP response, but it may be used to authenticate the request. Therefore, the correct option is B. {1}, {3}.
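How the three variables are actually used, and what the automated URL-blocking script from the earlier question looks like, as one added example (not from the page or the exam). The alert payload is constructed, the SIEM call follows a QRadar-style reference-data endpoint (assumed; adapt it to your SIEM), and the firewall endpoint is hypothetical. It is a dry run: the requests are built but not sent.

```python
"""Process SIEM malicious-URL alerts and prepare the blocking actions.

Added example (not from the original page): reads a constructed alert
payload, normalises the URLs, and builds the HTTP requests that record
them in a SIEM reference set and push them to the firewall block list.
The SIEM endpoint follows a QRadar-style reference-data API (assumed;
adapt to your SIEM); the firewall endpoint is hypothetical. Nothing is sent.
"""
import json
import urllib.request
from urllib.parse import quote, urlsplit

console_ip = "192.0.2.10"               # SIEM console (constructed)
api_token = "REPLACE-WITH-API-TOKEN"    # placeholder; never hard-code a real token
reference_set_name = "Malicious_URLs"   # reference set receiving the indicators
FIREWALL_BLOCK_ENDPOINT = "https://fw.example.internal/api/v1/url-blocklist"  # hypothetical

# Constructed SIEM alert, as the "request to malicious URL" rule might emit it.
SAMPLE_ALERT = json.dumps({
    "rule": "Request to malicious URL",
    "events": [
        {"user": "jdoe", "url": "http://Bad.Example.net/login.php?x=1"},
        {"user": "asmith", "url": "http://bad.example.net/login.php?x=2"},
        {"user": "jdoe", "url": "https://cdn.evil.example/payload.bin"},
    ],
})


def normalize_url(url):
    """Lower-case the host and drop the query so one entry covers all variants."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"rejecting non-web URL: {url!r}")
    return f"{parts.scheme}://{parts.hostname.lower()}{parts.path or '/'}"


def extract_urls(alert_json):
    """Return the unique normalised URLs from an alert payload, in first-seen order."""
    alert = json.loads(alert_json)
    seen = []
    for ev in alert.get("events", []):
        u = normalize_url(ev["url"])
        if u not in seen:
            seen.append(u)
    return seen


def reference_set_request(url):
    """POST the URL into the SIEM reference set (QRadar-style API, assumed)."""
    endpoint = (f"https://{console_ip}/api/reference_data/sets/"
                f"{quote(reference_set_name)}?value={quote(url, safe='')}")
    # The token authenticates the call; the console address and set name form the URL.
    return urllib.request.Request(endpoint, method="POST",
                                  headers={"SEC": api_token, "Accept": "application/json"})


def firewall_block_request(urls):
    """Send the whole block list to the firewall in one call (hypothetical endpoint)."""
    body = json.dumps({"action": "block", "urls": urls}).encode()
    return urllib.request.Request(FIREWALL_BLOCK_ENDPOINT, data=body, method="POST",
                                  headers={"Content-Type": "application/json"})


def decode_body(request):
    """Helper for inspection: the JSON body of a prepared request."""
    return json.loads(request.data)


def plan_actions(alert_json):
    """Dry run: build every request the automation would issue, without sending."""
    urls = extract_urls(alert_json)
    return [reference_set_request(u) for u in urls] + [firewall_block_request(urls)]
```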

After a recent malware incident, the forensic investigator is gathering details to identify the breach and causes. The investigator has isolated the affected workstation. What is the next step that should be taken in this investigation?
A. Analyze the applications and services running on the affected workstation.
B. Compare workstation configuration and asset configuration policy to identify gaps.
C. Inspect registry entries for recently executed files.
D. Review audit logs for privilege escalation events.
The next step that should be taken in the investigation is to collect and preserve evidence from the affected workstation, such as memory, disk images, network traffic, and other artifacts, in a forensically sound manner. This will enable the investigator to conduct a thorough analysis to identify the root cause of the breach and any other related information. The other steps listed may be part of the investigation but collecting and preserving evidence should be the initial step.

All of the options could be valid next steps depending on the specific details of the incident and the investigator’s strategy. However, in general, one common next step after isolating the affected workstation would be to analyze the applications and services running on it to identify any suspicious or unauthorized activity.

Where are the browser page rendering permissions displayed?
A. X-Frame-Options
B. X-XSS-Protection
C. Content-Type
D. Cache-Control

Browser page rendering permissions are displayed in the X-Frame-Options header.

Refer to the exhibit. Rapid Threat Containment using Cisco Secure Network Analytics (Stealthwatch) and ISE detects the threat of malware-infected 802.1x authenticated endpoints and places that endpoint into a quarantine VLAN using Adaptive Network Control policy. Which method was used to signal ISE to quarantine the endpoints?
A. SNMP
B. syslog
C. REST API
D. pxGrid

Based on the information given, the method used to signal ISE to quarantine the endpoints is likely pxGrid.

After a cyber attack, an engineer is analyzing an alert that was missed on the intrusion detection system. The attack exploited a vulnerability in a business critical, web-based application and violated its availability. Which two migration techniques should the engineer recommend? (Choose two.)
Choose:
NOP sled technique
encapsulation
heap-based security
address space randomization
data execution prevention

Based on the scenario you provided, it seems that the question is asking for two migration techniques that the engineer should recommend in order to prevent similar attacks from happening in the future. Out of the options provided, the two techniques that are most relevant to this goal are:

  1. Encapsulation: This technique involves encapsulating or wrapping critical parts of the application to limit the exposure of vulnerabilities to attackers. By isolating vulnerable code and protecting it with access controls, the impact of an attack can be minimized. This can help prevent attackers from exploiting vulnerabilities in the web-based application, as they will not have access to critical components of the application.
  2. Address space randomization: This technique involves randomizing the memory addresses used by the application, making it more difficult for attackers to predict or manipulate the memory layout of the application. By using address space randomization, the effectiveness of certain types of attacks, such as buffer overflow attacks, can be reduced. This can help prevent attackers from exploiting vulnerabilities in the web-based application, as they will not be able to reliably target specific areas of memory.

Therefore, the two migration techniques that the engineer should recommend are encapsulation and address space randomization. The other options mentioned (NOP sled technique, heap-based security, and data execution prevention) are not directly related to migration techniques for preventing similar attacks.

An “unknown error code” is appearing on an ESXi host during authentication. An engineer checks the authentication logs but is unable to identify the issue. Analysis of the vCenter agent logs shows no connectivity errors. What is the next log file the engineer should check to continue troubleshooting this error?
Choose one:
/var/log/shell.log
/var/log/syslog.log
/var/log/vmksummary.log
/var/log/general.log
Based on the scenario you provided, the next log file the engineer should check to continue troubleshooting the “unknown error code” appearing on an ESXi host during authentication is likely:

/var/log/syslog.log

The syslog.log file is a general system log file that records a wide variety of system events, including authentication-related events. It can provide more detailed information about the error code and help the engineer identify the issue.

The other log files mentioned (shell.log, vmksummary.log, and general.log) may provide some useful information, but they are less likely to be directly related to the authentication issue.

Which tool is used for reverse engineering malware?
Choose one:
Wireshark
Ghidra
SNORT
NMAP

The tool that is commonly used for reverse engineering malware is:

Ghidra

Ghidra is a software reverse engineering tool that is used to analyze and understand software, including malware. It allows security researchers to decompile, disassemble, and debug software to understand its behavior and identify any malicious components. It was developed by the National Security Agency (NSA) and is now available as an open-source tool.

The other tools mentioned (Wireshark, SNORT, and NMAP) are network analysis tools and are not typically used for reverse engineering malware.

An attacker embedded a macro within a word processing file opened by a user in an organization’s legal department. The attacker used this technique to gain access to confidential financial data. Which two recommendations should a security expert make to mitigate this type of attack? (Choose two.)
Choose:
firewall rules creation
signed macro requirements
controlled folder access
network access control
removable device restrictions
Based on the scenario you provided, the two recommendations a security expert should make to mitigate this type of attack are:
  1. Signed macro requirements: This recommendation involves requiring digital signatures for macros that are allowed to run in the organization’s word processing application. By verifying the digital signature of a macro, the organization can ensure that the macro is legitimate and has not been tampered with. This can help prevent attackers from using malicious macros to gain access to confidential data.
  2. Removable device restrictions: This recommendation involves implementing controls to restrict the use of removable devices within the organization. This can help prevent attackers from using USB drives or other removable media to introduce malware into the organization’s network or steal sensitive data. By limiting the ability to use removable devices, the organization can reduce the attack surface and make it more difficult for attackers to carry out their objectives.

The other options mentioned (firewall rules creation, controlled folder access, and network access control) may be useful for other security purposes, but they are less directly related to mitigating the type of attack described in the scenario.

An engineer received a report of a suspicious email from an employee. The employee had already opened the attachment, which was an empty Word document. The engineer cannot identify any clear signs of compromise but, while reviewing running processes, observes that PowerShell.exe was spawned by cmd.exe with a grandparent winword.exe process. What is the recommended action the engineer should take?
Choose one:
Monitor processes as this is a standard behavior of Word macro embedded documents.
Investigate the sender of the email and communicate with the employee to determine the motives.
Upload the file signature to threat intelligence tools to determine if the file is malicious.
Contain the threat for further analysis as this is an indication of suspicious activity.
Based on the scenario you provided, the recommended action that the engineer should take is:

Contain the threat for further analysis as this is an indication of suspicious activity.

The fact that PowerShell.exe was spawned by cmd.exe with a grandparent winword.exe process is a sign of suspicious activity. This behavior is commonly used by attackers to execute malicious code, including malware or scripts that can potentially lead to a compromise. Therefore, the best course of action is to contain the threat by disconnecting the affected system from the network and limiting user access to it, while conducting further analysis to determine the nature and extent of the compromise.

While investigating the sender of the email and communicating with the employee may be useful in understanding the context of the incident, it is not sufficient to address the immediate security concern. Similarly, uploading the file signature to threat intelligence tools may be useful in identifying known threats, but it may not provide sufficient information to fully address the issue. Therefore, containing the threat is the most appropriate action in this scenario.

Is this an example of “living off the land”?
Yes, the scenario described in the previous question is an example of “living off the land.”

“Living off the land” refers to a technique used by attackers to carry out their malicious activities using legitimate tools and techniques that are commonly found on the target system, rather than relying on custom or specialized malware. In the scenario you provided, the attacker is using PowerShell.exe, which is a legitimate tool found on most Windows systems, to execute malicious code. By doing so, the attacker can avoid detection by traditional security tools that are focused on identifying known malware signatures.

The fact that the attacker is using a legitimate tool to carry out malicious activities makes it more difficult to detect and prevent the attack. As a result, “living off the land” attacks have become increasingly popular among attackers in recent years.
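The winword.exe -> cmd.exe -> PowerShell.exe chain is exactly what a detection rule on process-creation telemetry should catch. The example below is added here (not from the page or the exam): the events are constructed, Sysmon-style fields are assumed, and the rule generalises past the grandparent case to any Office ancestor in the chain.

```python
"""Detect PowerShell or cmd launched beneath an Office application.

Added example (not from the original page): builds a process tree from
constructed process-creation events and flags any shell whose ancestry
includes a document-handling application. This covers the
winword.exe -> cmd.exe -> PowerShell.exe chain from the scenario.
"""

# Constructed process-creation events (Sysmon-style fields, simplified).
EVENTS = [
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 1200, "ppid": 400, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 1330, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 1345, "ppid": 1330, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 2000, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 2010, "ppid": 2000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def basename(image):
    """File name of an image path, lower-cased for comparison."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """Map pid -> (ppid, image basename)."""
    return {e["pid"]: (e["ppid"], basename(e["image"])) for e in events}


def ancestry(tree, pid, max_depth=8):
    """Image basenames from the process up to the root (bounded against loops)."""
    chain, seen = [], set()
    while pid in tree and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        ppid, image = tree[pid]
        chain.append(image)
        pid = ppid
    return chain


def detect_office_spawned_shell(events):
    """Return [(pid, chain)] for shells that have an Office application as an ancestor."""
    tree = build_tree(events)
    findings = []
    for pid, (_, image) in tree.items():
        if image not in SHELLS:
            continue
        chain = ancestry(tree, pid)
        if any(a in OFFICE_APPS for a in chain[1:]):
            findings.append((pid, " <- ".join(chain)))
    return findings
```

The cmd.exe and powershell.exe under explorer.exe are not flagged: the rule keys on the Office ancestor, not on the shell itself, which is what separates normal administration from the living-off-the-land pattern described above.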

A security team is discussing lessons learned and suggesting process changes after a security breach incident. During the incident, members of the security team failed to report the abnormal system activity due to a high project workload. Additionally, when the incident was identified, the response took six hours due to management being unavailable to provide the approvals needed. Which two steps will prevent these issues from occurring in the future? (Choose two.)
Choose:
Conduct a risk audit of the incident response workflow.
Provide phishing awareness training for the full security team.
Introduce a priority rating for incident response workloads.
Create an executive team delegation plan.
Automate security alert timeframes with escalation triggers.
Based on the scenario you provided, the two steps that can help prevent similar issues from occurring in the future are:
  1. Introduce a priority rating for incident response workloads: This step involves establishing a process for prioritizing incident response activities based on the severity of the incident and the potential impact to the organization. By implementing a priority rating system, the security team can ensure that critical incidents receive prompt attention, even during periods of high workload. This can help prevent incidents from going unnoticed and ensure that the response is timely and effective.
  2. Create an executive team delegation plan: This step involves establishing a plan for delegating decision-making authority to trusted individuals in the event that key members of management are unavailable during an incident. By having a delegation plan in place, the security team can ensure that approvals and decisions can be made in a timely manner, even if key individuals are not available. This can help prevent delays in incident response and ensure that the response is effective.

The other options mentioned (conduct a risk audit of the incident response workflow, provide phishing awareness training for the full security team, and automate security alert timeframes with escalation triggers) may also be useful in improving incident response processes, but they are less directly related to the specific issues identified in the scenario.

What is the goal of an incident response plan?
Choose one:
to contain an attack and prevent it from spreading
to identify critical systems and resources in an organization
to ensure systems are in place to prevent an attack
to determine security weaknesses and recommend solutions
The goal of an incident response plan (IRP) is:

to contain an attack and prevent it from spreading

An incident response plan is a documented, organized approach for responding to and managing security incidents or cyber-attacks. The primary objective of an IRP is to contain the attack and minimize the impact on the organization by identifying, containing, eradicating, and recovering from the incident.

The IRP typically includes procedures for detecting, assessing, and containing the incident; identifying and notifying stakeholders; preserving and analyzing evidence; and recovering from the incident. The overall goal of the IRP is to enable the organization to quickly and effectively respond to an incident, minimize the damage, and return to normal operations as soon as possible.

indicator: Observable id="example:Observable-Pattern-5f1dedd3-ece3-4007-94cd-7d52784c1474"> @state.gov pdf 87022 MD5 cf2b3ad32a8a4cfb05e9dfc45875bd70 Contains
Which two actions should be taken as a result of this information? (Choose two.)
Choose:
Block emails sent from Admin@state.net with an attached pdf file with md5 hash “cf2b3ad32a8a4cfb05e9dfc45875bd70”.
Block all emails sent from an @state.gov address.
Block all emails with subject containing “cf2b3ad32a8a4cfb05e9dfc45875bd70”.
Update the AV to block any file with hash “cf2b3ad32a8a4cfb05e9dfc45875bd70”.
Block all emails with pdf attachments.
Based on the information provided, the two actions that should be taken as a result of this information are:
  1. Block emails sent from Admin@state.net with an attached pdf file with md5 hash “cf2b3ad32a8a4cfb05e9dfc45875bd70”: This action involves blocking any emails sent from the specified email address with an attached pdf file that matches the given md5 hash. By blocking these emails, the organization can prevent potential attacks that may be associated with the identified observable.
  2. Update the AV to block any file with hash “cf2b3ad32a8a4cfb05e9dfc45875bd70”: This action involves updating the organization’s antivirus (AV) software to block any file with the specified md5 hash. By doing so, the organization can prevent any malicious files associated with the identified observable from being executed on any system in the network.

The other options mentioned (block all emails sent from an @state.gov address, block all emails with subject containing "cf2b3ad32a8a4cfb05e9dfc45875bd70", and block all emails with pdf attachments) may be overly broad and can potentially block legitimate traffic, and are not directly related to the observable and its associated potential threat.

why block emails from Admin@state.net?
Blocking emails from Admin@state.net with an attached pdf file with md5 hash “cf2b3ad32a8a4cfb05e9dfc45875bd70” is recommended in response to the identified observable and its associated potential threat.

The observable contains information about an email message with an attached PDF file that has a specific md5 hash. The file may contain malware, and the email was sent from Admin@state.net. Therefore, blocking emails from that email address can help prevent potential attacks that may be associated with the identified observable.

It is important to note that this action is specific to the observable in question and should not be applied universally to all emails from that domain or sender. It is always important to carefully evaluate the context and evidence before taking any action to prevent unintended consequences.
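The precision argument above can be checked mechanically. The following is an added example, not part of the original page or of any Cisco material: it runs each of the five answer options as a rule over a small constructed mailbox and counts how many malicious and how many legitimate messages each rule would block. The malicious PDF is a constructed byte string whose MD5 stands in for the indicator hash, the sender is the Admin@state.net address taken from the option text, and every mailbox entry is invented.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for the malicious PDF; its MD5 plays the role of the
# indicator hash from the question (no real sample is available here).
MALICIOUS_PDF = b"%PDF-1.4 constructed malicious sample"
IOC_MD5 = hashlib.md5(MALICIOUS_PDF).hexdigest()
IOC_SENDER = "admin@state.net"   # sender named in the answer option


@dataclass
class Email:
    sender: str
    subject: str
    attachments: list   # list of (filename, raw bytes)
    malicious: bool     # ground truth, known only because this set is constructed


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def has_pdf_with_hash(mail: Email, digest: str) -> bool:
    return any(name.lower().endswith(".pdf") and md5_hex(data) == digest
               for name, data in mail.attachments)


# One candidate rule per answer option in the question.
RULES = {
    "sender+pdf+hash": lambda m: m.sender.lower() == IOC_SENDER and has_pdf_with_hash(m, IOC_MD5),
    "av: any file with hash": lambda m: any(md5_hex(d) == IOC_MD5 for _, d in m.attachments),
    "block @state.gov": lambda m: m.sender.lower().endswith("@state.gov"),
    "subject contains hash": lambda m: IOC_MD5 in m.subject,
    "block all pdf": lambda m: any(n.lower().endswith(".pdf") for n, _ in m.attachments),
}

# Constructed mailbox: the malicious file as originally sent, the same file
# forwarded by a third party, and ordinary legitimate traffic.
SAMPLE_MAIL = [
    Email("Admin@state.net", "Invoice attached", [("invoice.pdf", MALICIOUS_PDF)], True),
    Email("colleague@partner.example", "FW: Invoice attached", [("invoice.pdf", MALICIOUS_PDF)], True),
    Email("press@state.gov", "Weekly briefing", [("briefing.pdf", b"%PDF-1.4 constructed briefing")], False),
    Email("hr@corp.example", "Updated policy", [("policy.pdf", b"%PDF-1.4 constructed policy")], False),
    Email("soc@corp.example", f"Indicator {IOC_MD5} observed", [], False),
]


def evaluate(rules=RULES, mails=SAMPLE_MAIL):
    """Return {rule: (malicious blocked, legitimate blocked)} for the sample set."""
    results = {}
    for name, rule in rules.items():
        tp = sum(1 for m in mails if m.malicious and rule(m))
        fp = sum(1 for m in mails if not m.malicious and rule(m))
        results[name] = (tp, fp)
    return results


if __name__ == "__main__":
    for name, (tp, fp) in evaluate().items():
        print(f"{name:24s} blocked malicious={tp} blocked legitimate={fp}")
```

The sender-plus-hash rule catches only the copy sent by the named sender, while the AV hash rule also catches the forwarded copy, which is why the two chosen options complement each other. The broad rules block legitimate mail, including an analyst's own message that quotes the indicator hash in its subject line.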

An organization recovered from a recent ransomware outbreak that resulted in significant business damage. Leadership requested a report that identifies the problems that triggered the incident and the security team’s approach to address these problems to prevent a reoccurrence. Which components of the incident should an engineer analyze first for this report?
Choose one:
risk and RPN
cause and effect
impact and flow
motive and factors
Based on the scenario you provided, the components of the incident that an engineer should analyze first for this report are:

cause and effect

Analyzing the cause and effect of the ransomware outbreak is critical in determining what went wrong and how it happened. By identifying the root cause of the incident and understanding how the attack was carried out, the organization can develop an effective strategy to prevent similar attacks from happening in the future. This analysis should focus on the specific vulnerabilities or weaknesses that were exploited, the attack vector that was used, and the steps that were taken by the attacker to gain access to the network and deploy the ransomware.

Once the cause and effect have been identified, the engineer can proceed to identify the appropriate remediation steps to prevent a reoccurrence. This may include patching vulnerabilities, improving access controls, implementing network segmentation, and developing incident response plans.

While analyzing risk and RPN, impact and flow, and motive and factors may also provide valuable information for the report, they are less directly related to identifying the problems that triggered the incident and the security team’s approach to address these problems.

[Exhibit: Wireshark packet list for one TCP stream between two 192.x hosts on microsoft-ds; the column layout did not survive extraction. Recoverable Info entries, in order: Negotiate Protocol Response; Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED; Session Setup AndX Response, Error: STATUS_LOGON_FAILURE; [ACK] and [RST, ACK] on the first connection; a new [SYN, ACK] handshake; Negotiate Protocol Response; Session Setup AndX Response; Tree Connect AndX Response; NT Create AndX Response, FID: 0x4000; Write AndX Response, FID: 0x4000, 72 bytes; NT Create AndX Response, FID: 0x4001; Write AndX Response, FID: 0x4001, 72 bytes; Close Response, FID: 0x4001.]
An engineer is analyzing a TCP stream in Wireshark after a suspicious email with a URL. What should be determined about the SMB traffic from this stream?
Choose one:
It is exploiting a redirect vulnerability.
It is redirecting to a malicious phishing website.
It is sharing access to files and printers.
It is requesting authentication on the user site.
Based on the information provided, it is not clear whether the SMB traffic in the Wireshark stream is related to the suspicious email with a URL. The given information only shows that an engineer is analyzing a TCP stream in Wireshark after receiving a suspicious email with a URL. The specific details of the SMB traffic in the stream are not provided in the question.

Therefore, without additional information about the specific contents and characteristics of the SMB traffic in the stream, it is not possible to determine what it is doing or whether it is related to any type of vulnerability, phishing, file sharing, or authentication requests.
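An analyst reading this exhibit would reconstruct the SMB1 command sequence from the Info column. The script below is an added example, not from the page or from Wireshark, that does this over constructed Info lines modeled on the exhibit: it counts logon failures, notes whether a Session Setup eventually succeeds, and tracks which file IDs are created, written and closed. The line formats follow Wireshark's SMB dissector summaries as they appear in the exhibit; the client's request lines and any share or file names are not in the exhibit and are omitted.

```python
import re
from collections import defaultdict

# Constructed Info-column lines modeled on the SMB exhibit above: one TCP stream,
# server responses only (a real capture interleaves the client's requests).
STREAM_INFO = [
    "Negotiate Protocol Response",
    "Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED",
    "Session Setup AndX Response, Error: STATUS_LOGON_FAILURE",
    "Negotiate Protocol Response",
    "Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED",
    "Session Setup AndX Response",
    "Tree Connect AndX Response",
    "NT Create AndX Response, FID: 0x4000",
    "Write AndX Response, FID: 0x4000, 72 bytes",
    "NT Create AndX Response, FID: 0x4001",
    "Write AndX Response, FID: 0x4001, 72 bytes",
    "Close Response, FID: 0x4001",
]

FID_RE = re.compile(r"FID: (0x[0-9a-fA-F]+)")
BYTES_RE = re.compile(r"(\d+) bytes")


def summarize_smb_stream(lines):
    """Walk the SMB1 response sequence and record what the session achieved."""
    s = {"logon_failures": 0, "authenticated": False, "tree_connected": False,
         "files_opened": [], "bytes_written": defaultdict(int), "files_closed": []}
    for line in lines:
        failed = "Error:" in line   # Wireshark appends "Error: STATUS_..." to failed responses
        if line.startswith("Session Setup AndX Response"):
            if "STATUS_LOGON_FAILURE" in line:
                s["logon_failures"] += 1
            elif not failed:
                # STATUS_MORE_PROCESSING_REQUIRED on the challenge leg is a normal
                # NTLM handshake step, not a completed logon; only a clean response counts.
                s["authenticated"] = True
        elif failed:
            continue
        elif line.startswith("Tree Connect AndX Response"):
            s["tree_connected"] = True
        elif line.startswith("NT Create AndX Response"):
            s["files_opened"].append(FID_RE.search(line).group(1))
        elif line.startswith("Write AndX Response"):
            fid = FID_RE.search(line).group(1)
            s["bytes_written"][fid] += int(BYTES_RE.search(line).group(1))
        elif line.startswith("Close Response"):
            s["files_closed"].append(FID_RE.search(line).group(1))
    s["bytes_written"] = dict(s["bytes_written"])
    return s


def classify(summary):
    """One-line verdict an analyst could put in a ticket."""
    if not summary["authenticated"]:
        return "authentication attempts only"
    if summary["bytes_written"]:
        return "authenticated file-share session with data written to files"
    if summary["tree_connected"]:
        return "authenticated share access without file writes"
    return "authenticated session, no share accessed"


if __name__ == "__main__":
    summary = summarize_smb_stream(STREAM_INFO)
    print(summary)
    print(classify(summary))
```

On the constructed stream the first logon fails, the second succeeds, a tree is connected and two files (FIDs 0x4000 and 0x4001) each receive a 72-byte write, with only the second closed before the capture ends; truncating the input after the logon failure yields the "authentication attempts only" verdict.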

[Exhibit: Wireshark packet list dated 2019-12-04, times truncated to the minute; the column layout did not survive extraction. Recoverable entries: 18:44, HTTP GET to 185.188.182.76 port 80, host ghinatronx.com, /ledgron/siloft.php?l=yourght6.cab; 18:46, several HTTP GETs to 45.143.93.81 port 80, host bjanicki.com, for /images/... paths and /favicon.ico; then TLS Client Hello to 194.61.1.178 port 443 (host rendered variously as prodrigo29bk20.com, prodrigo29bk120.com and prodrigo29bkf20.com) at 18:47, 18:48, 18:52, 18:57, 19:02, 19:07, 19:08, 19:13, 19:18 and 19:19. Frame 6 detail: 386 bytes on wire; Ethernet II Src HewlettP_1c:47:ae (00:08:02:1c:47:ae), Dst Netgear_b6:93:f1 (20:e5:2a:b6:93:f1); IPv4 Src 160.192.4.101, Dst 185.188.182.76.]
The given information appears to be a Wireshark capture of network traffic. The specific type and purpose of the traffic is not provided in the question, and the formatting of the information is difficult to interpret.

Without additional context or information, it is not possible to determine what should be determined about the network traffic from this stream. To analyze network traffic, a security analyst would typically need more information about the type of network traffic being observed, the source and destination of the traffic, and the content and behavior of the traffic.

Therefore, more information is needed to provide a meaningful answer to this question.
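One thing that can be read from the capture without further context is the cadence of the TLS Client Hellos to 194.61.1.178:443, which recur at roughly five-minute intervals. The following added example, not part of the original page, implements that observation as detection logic: it groups connections by destination, buckets the inter-arrival gaps and flags destinations whose gaps cluster on a single interval. The connection list is constructed from the exhibit at minute resolution (the exhibit truncates seconds), grouping is by IP and port because the server name is rendered inconsistently in the exhibit, and the thresholds are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed connection log modeled on the capture exhibit above:
# (HH:MM, destination IP, destination port, host name, summary).
CONNECTIONS = [
    ("18:44", "185.188.182.76", 80, "ghinatronx.com", "GET"),
    ("18:46", "45.143.93.81", 80, "bjanicki.com", "GET"),
    ("18:46", "45.143.93.81", 80, "bjanicki.com", "GET"),
    ("18:46", "45.143.93.81", 80, "bjanicki.com", "GET"),
    ("18:46", "45.143.93.81", 80, "bjanicki.com", "GET"),
    ("18:47", "194.61.1.178", 443, "prodrigo29bk20.com", "Client Hello"),
    ("18:48", "194.61.1.178", 443, "prodrigo29bk120.com", "Client Hello"),
    ("18:52", "194.61.1.178", 443, "prodrigo29bk120.com", "Client Hello"),
    ("18:57", "194.61.1.178", 443, "prodrigo29bk120.com", "Client Hello"),
    ("19:02", "194.61.1.178", 443, "prodrigo29bk120.com", "Client Hello"),
    ("19:07", "194.61.1.178", 443, "prodrigo29bkf20.com", "Client Hello"),
    ("19:08", "194.61.1.178", 443, "prodrigo29bk20.com", "Client Hello"),
    ("19:13", "194.61.1.178", 443, "prodrigo29bkf20.com", "Client Hello"),
    ("19:18", "194.61.1.178", 443, "prodrigo29bk120.com", "Client Hello"),
    ("19:19", "194.61.1.178", 443, "prodrigo29bkf20.com", "Client Hello"),
]


def parse_time(hhmm, day="2019-12-04"):
    return datetime.strptime(f"{day} {hhmm}", "%Y-%m-%d %H:%M")


def beacon_candidates(connections, min_count=4, min_interval=60, min_share=0.5):
    """Group by (ip, port), bucket inter-arrival gaps in seconds, and flag a
    destination as beacon-like when enough connections share one dominant gap.
    Thresholds are illustrative assumptions: at least min_count connections, a
    dominant gap of at least min_interval seconds (sub-minute bursts look like
    ordinary page loads) covering at least min_share of all gaps."""
    by_dst = defaultdict(list)
    for t, ip, port, _host, _info in connections:
        by_dst[(ip, port)].append(parse_time(t))
    report = {}
    for dst, times in by_dst.items():
        times.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        if not gaps:
            report[dst] = {"count": len(times), "dominant_interval": None,
                           "share": 0.0, "beacon_like": False}
            continue
        interval, hits = Counter(gaps).most_common(1)[0]
        share = hits / len(gaps)
        report[dst] = {
            "count": len(times),
            "dominant_interval": interval,
            "share": round(share, 2),
            "beacon_like": (len(times) >= min_count and interval >= min_interval
                            and share >= min_share),
        }
    return report


if __name__ == "__main__":
    for dst, r in beacon_candidates(CONNECTIONS).items():
        print(dst, r)
```

On this data the 443 destination is flagged with a dominant 300-second gap covering just over half of its inter-arrival gaps; the burst of GETs to 45.143.93.81 is not flagged because its gaps are zero at minute resolution, and the single request to 185.188.182.76 has no gaps to measure. Exact-gap bucketing is deliberately simple; with second-resolution timestamps a practitioner would bucket by tolerance (for example within 10% of the median) rather than by equality.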

A network engineer is analyzing a Wireshark file to determine the HTTP request that caused the initial Ursnif banking Trojan binary to download. Which filter did the engineer apply to sort the Wireshark traffic logs?
Choose one:
tls.handshake.type ==1
tcp.window_size ==0
tcp.port eq 25
http.request.uri matches
To determine the HTTP request that caused the initial Ursnif banking Trojan binary to download, the network engineer would typically apply a filter to sort the Wireshark traffic logs based on HTTP traffic.

The most likely filter for this purpose would be “http.request.method == GET” or “http.request.method == POST”, which would show only the HTTP requests that use the GET or POST method. The engineer could then review the traffic logs to find the specific HTTP request that initiated the download of the Ursnif banking Trojan binary.

Therefore, the correct answer is: http.request.method == GET or http.request.method == POST.
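To see concretely what each of the four display filters above selects, here is an added example that is not from the page, from Cisco or from Wireshark: a toy evaluator for a small subset of Wireshark display-filter syntax (==, eq, !=, ne, matches, contains, joined with && or and) applied to constructed request records modeled on the capture exhibit earlier in this section. The field names are real Wireshark field names; the records themselves and the convention of storing `tcp.port` as the server port only are assumptions.

```python
import re

# Constructed packet records modeled on the capture exhibit: three HTTP requests,
# one TLS Client Hello and one SMTP command. Keys are Wireshark field names.
PACKETS = [
    {"tcp.port": 80, "http.request.method": "GET", "http.host": "ghinatronx.com",
     "http.request.uri": "/ledgron/siloft.php?l=yourght6.cab"},
    {"tcp.port": 80, "http.request.method": "GET", "http.host": "bjanicki.com",
     "http.request.uri": "/images/8hvXKM"},
    {"tcp.port": 80, "http.request.method": "GET", "http.host": "bjanicki.com",
     "http.request.uri": "/favicon.ico"},
    {"tcp.port": 443, "tls.handshake.type": 1,
     "tls.handshake.extensions_server_name": "prodrigo29bk20.com"},
    {"tcp.port": 25, "smtp.req.command": "EHLO"},
]

# field  operator  literal   (literal either "quoted" or a bare token)
TERM_RE = re.compile(r'^\s*([\w.]+)\s+(==|eq|!=|ne|matches|contains)\s+("[^"]*"|\S+)\s*$')


def _literal(text):
    """Quoted text is a string; a bare token is an int if it parses, else a string."""
    if text.startswith('"') and text.endswith('"'):
        return text[1:-1]
    try:
        return int(text)
    except ValueError:
        return text


def eval_term(term, pkt):
    m = TERM_RE.match(term)
    if not m:
        raise ValueError(f"unsupported term: {term!r}")
    field, op, raw = m.groups()
    if field not in pkt:            # field absent from the packet: term is false
        return False
    value, lit = pkt[field], _literal(raw)
    if op in ("==", "eq"):
        return value == lit
    if op in ("!=", "ne"):
        return value != lit
    if op == "matches":             # Wireshark's matches is case-insensitive by default
        return re.search(str(lit), str(value), re.IGNORECASE) is not None
    return str(lit) in str(value)   # contains


def apply_filter(expr, packets=PACKETS):
    """Return the packets for which every &&/and-joined term is true.
    Subset only: no parentheses, no ||, and 'and' must not appear inside a literal."""
    terms = re.split(r'\s*(?:&&|\band\b)\s*', expr)
    return [p for p in packets if all(eval_term(t, p) for t in terms)]


if __name__ == "__main__":
    for expr in ('tls.handshake.type == 1', 'tcp.window_size == 0', 'tcp.port eq 25',
                 'http.request.uri matches "[.]cab$"', 'http.request.method == GET'):
        print(f"{expr:40s} -> {len(apply_filter(expr))} packet(s)")
```

Running the four options shows what each isolates: `tls.handshake.type == 1` selects Client Hellos, `tcp.port eq 25` selects SMTP, `tcp.window_size == 0` selects nothing in these records, and only a `http.request.uri matches` expression narrows the HTTP requests down by the requested path, which is what locating a specific download requires.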