Which transport layer protocol is the most likely to be used for the destination: 192.168.1.254:snmp?
DNS
TCP
HTTP
UDP
Which of the following will be matched by the regex statement, [PacktPub]{8}?
packtpub
Packt Pub
PACKTPUB
backtack
What element of a network profile describes how much data is successfully transmitted over the network per second?
Total throughput
Session duration
Critical asset utilization
Running tasks
Which of the following is a reason to conduct probabilistic analysis?
Innovative threats
Inconsistent timestamps on logs
Incomplete logs
Integrity concerns on processed logs
How can an operator extract an application that's been downloaded from a website using Wireshark?
File | Export Objects | HTTP....
File | Export Objects | UDP....
File | Export Objects | Application/octet-stream.
Applications can only be downloaded from a TCP stream.
Which of the following is true of trends in the analysis for cybersecurity?
Increasing processing power means analysts are ahead of attackers.
Increased information sharing means deterministic analysis is becoming accessible for smaller companies.
Machine learning techniques are increasingly being used to support probabilistic analysis.
Increasingly sophisticated attacks are pushing deterministic analysis into popularity.
A user in finance follows a link that's sent to them from HACME bank, their company's business banking supplier. The user accessed the website through Mozilla Firefox on Windows 10. Which log is suspicious?
GET HACME.com/login.php HTTP/1.1 in the proxy log
user-agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 in the Proxy Log
GET %D2%A2ACME.com/login.php HTTP/1.1 in the Proxy Log
Records to [hacme.com]:443 in NetFlow, where [hacme.com] is the correct IP address for the bank's web server
Which of the following teams may act as a response team of last resort, leading the response for organizations that may not have their own response team?
Coordination centers
Analysis centers
Managed security service providers
National CSIRT
A signature-based antivirus software is an example of what type of analysis?
Deterministic analysis
Probabilistic analysis
Narrative analysis
Predictive analysis
What is the purpose of ARP?
To map IP addresses to MAC addresses
To map IP addresses to port numbers on a switch
To map sockets to port numbers on a switch
To map sockets to MAC addresses
Which of the following might occur in the reconnaissance phase of the Cyber Kill Chain?
Unsolicited emails are sent, telling users to click a link.
Unsolicited telephone calls are made, telling users to allow a remote desktop connection.
Unsolicited professional social media requests are made, asking for information about an upcoming job opportunity.
Unsolicited merchandise, including USB pen drives.
Which of the following is not a category of a safeguard under HIPAA?
Administrative safeguards
Preemptive safeguards
Technical safeguards
Physical safeguards
Which of the following is a property of the NTFS filesystem?
Maximum file size of 4 GB
Maximum directory depth of 60 levels
Support for encryption
Full journaling (metadata and file data) support
Which of the following is a feature of sandbox detection?
Sandbox detection allows the API calls to be recorded.
Sandbox detection can negate some of the complexities associated with polymorphic malware.
Sandbox detection is faster than signature-based detection.
Sandbox detection uses file features extracted from the file itself to classify unknown files using machine learning.
Which of the following might occur in the exploitation phase of the Cyber Kill Chain?
The attack code is launched.
The attack code is downloaded to an infected host.
The attack code is constructed based on the observed vulnerabilities.
The infected host's beacon back to the command and control server.
Who will coordinate the incident response activity if there is a single, distributed CSIRT in a large organization?
Coordination center
Organizational senior management
IT support
Information assurance
What can an organization use to manually configure alert priorities?
Correlation rules in the Firepower Management Console
Traps for syslog messages
Severity scores in the IDS
Metasploit
Who is ultimately responsible for reviewing and accounting for deficiencies under SOX?
IT service managers
Executive board members
External auditors
Internal verifiers
An email attachment enters the system and is characterized as malware. Which of the following is true?
If the attachment was malicious, this is a true negative.
If the attachment was legitimate, this is a true positive.
If the attachment was legitimate, this is a false positive.
If the attachment was malicious, this is a false negative.
The network's security software went offline two days ago. An investigator suspects that malware has found its way onto a user's computer in this time. Which of the following would be considered corroborative evidence?
Antivirus scan logs that detected no threats
Network data showing a spike in traffic from that computer over the last two days
Activity logs showing that the computer has not been used in a week
Multiple files on the computer being deleted over a number of months
Which of the following is a benefit of removing partial and transitive dependencies during normalization?
Removing anomalies
Reducing duplication
Structuring metadata
Collating information
An IPv6 packet has a length field value of 0. What might this mean?
The packet header has been corrupted.
The packet has no payload.
The packet has a total length greater than 65,535 bytes.
The packet is being used to establish a session.
Which of the following items is sensitive authentication data?
Cardholder name
Service code
Magnetic-strip information
Cardholder address
Which of the following is the highest priority item for collection according to NIST.SP800-86?
Network connections
Running processes
Contents of memory
Open files
Which option allows case sensitivity to be enforced with grep?
-i
-o
grep is case-sensitive by default
-C
Which of the following precautions reduce the threat to data during an investigation? (Select all that apply.)
Antistatic wristbands used during physical handling
Performing analysis on the original drive
Storage in specialist storage facilities
Encrypting the data
Which of the following statements about the following screenshot are true? (Select two.)
Creating a new file creates duplication and, therefore, may create update anomalies.
A new file should be created with the | command.
Creating a new file with the > command maintains the integrity of the original.
A new file should be created with the mv command.
Which of the following HTTP responses might indicate that the web server is currently experiencing a denial of service attack?
HTTP/1.1 408 Gateway Timeout
HTTP/1.1 503 Service Unavailable
HTTP/1.1 301 Moved Permanently
HTTP/1.1 400 Bad Request
A network administrator issues the following command. What are they trying to do?
Shut down this unused port
Prevent an unauthorized host using this unused port
Prevent an unauthorized host from unplugging the legitimate device and using the port in its place
Reset the saved MAC addresses associated with the port
In which phase of the Cyber Kill Chain does lateral movement and privilege escalation occur?
Exploitation
Installation
Command and control
Actions on objectives
How can an investigator collect information about the network connections on a device running Windows?
The CLI command, w
The CLI command, netstat
The CLI command, ifconfig
The CLI command, ipconfig
The following screenshot shows part of a NetFlow output for an organization using PAT. What can be said about the position of the NetFlow collection device relative to the network?
The data is being collected before translation has been applied on the outbound interface and before translation has been applied on the inbound interface.
The data is being collected before translation has been applied on the outbound interface and after translation has been applied on the inbound interface.
The data is being collected after translation has been applied on the outbound interface and before translation has been applied on the inbound interface.
The data is being collected after translation has been applied on the outbound interface and after translation has been applied on the inbound interface.
A system has 10 publicly routable addresses, a publicly accessible web server, and a /8 private (internal) addressing scheme. Which of the following should be considered?
Applying a dynamic NAT to utilize the full publicly routable address pool
Applying a PAT to allow more hosts to connect to the Internet simultaneously
Applying a static NAT from one of the public addresses to the web server, pooling the other addresses for other users
Using a static IP address allocation to apply control over every host's IP address
What would be listed under Actor in a VERIS report concerning a "script kiddie" who found some code on a "dark web" site and was seeing what it would do?
Actor: External: .Motive: Grudge/.Variety: Force Majeure (chance)
Which of the following is a reason to establish asset attribution?
To prove that the item is in its original form
To assert copyrights
To prevent theft
To allow the item to be shared
At what point should the public affairs and media relations team be notified?
As soon as an incident has been verified.
As directed by senior management.
When the incident has been identified.
The Public Affairs and Media Relations team will contact the CSIRT if a comment is required.
In which phase of the Cyber Kill Chain might an attacker exfiltrate data from the system?
Reconnaissance
Actions on Objectives
Exploitation
Delivery
A vulnerability allows a remote attacker to pretend to be an employee and access internal documents. Which metric is likely to be affected the most?
Confidentiality
Privileges Required
Scope
Availability
For which phase of the Cyber Kill Chain is the use of honey pots an effective defensive tool?
Actions on Objectives
Delivery
Command and Control
Exploitation
An incident has arisen after a series of successful phishing emails were sent. Which would be the correct VERIS action?
Social
Misuse
Error
Malware
Which piece of the data is required at a minimum to qualify as CHD under PCI DSS?
CVV2
PAN
Expiry date
PIN
Which command allows the results of one function to be output to a file?
The pipe character (|)
The greater than sign (>)
The caret sign (^)
The ampersand character (&)
Which protocol allows an administrator to determine the IP addresses of routers between two hosts?
ICMP
IPv6
IPv4
TCP
Which of the following lines from Unix permissions indicates that a file can be executed by anyone within the same group as the owner?
0764
-rw-rw-rw-
0710
-rwxrw-r--
Which of the following is not a barrier to retrospective analysis?
Historic log file truncation
Incorrect/inconsistent date stamps
Log file collation and normalization
Rolling log files
Which of the following questions does not relate to the remediation phase in incident handling?
What are the communication timelines for the resumption of services to customers?
What is the effect of reverting to a previously backed up version of the data?
Will compensation be required?
How can customer relations be improved?
An administrator suspects that a vulnerability exists on one of the host computers. It is communicating with the Command and Control host using HTTP messages. The hosts are all running macOS and Safari. Why is the following user-agent string suspicious?
User-agent string: Mozilla/4.0 (compatible; MSIE 5.16; Mac_PowerPC)
The user-agent string is too short.
The user-agent string appears to be Mozilla, which is associated with Firefox.
The user-agent string appears to be running Internet Explorer, which is not installed on the hosts.
The user-agent string appears to support Mozilla/4.0 instead of Mozilla/6.0.
Which of the following entities would not be considered in the identification phase of incident handling under NIST.SP800-61 r2?
Partner organizations
Regulators
Threat actors
Customers
What command can be issued in the Terminal on macOS to display the list of tasks currently running on a device?