1. Which statement describes an operational characteristic of NetFlow?
NetFlow collects metadata about the packet flow, not the flow data itself.
2. What is the purpose of Tor?
to allow users to browse the Internet anonymously
3. Threat actors may attack the …… infrastructure in order to corrupt network log timestamps and disguise any traces that they have left behind.
4. Which type of server daemon accepts messages sent by network devices to create a collection of log entries?
syslog
5. A NIDS/NIPS has identified a threat. Which type of security data will be generated and sent to a logging device?
alert
6. Which statement describes the tcpdump tool?
It is a command-line packet analyzer.
7. What type of server can threat actors use DNS to communicate with?
CnC
8. A security analyst reviews network logs. The data shows user network activities such as user name, IP addresses, web pages accessed, and timestamp. Which type of data is the analyst reviewing?
transaction
9. Which Windows host log event type describes the successful operation of an application, driver, or service?
information
10. Which two protocols may devices use in the application process that sends email? (Choose two.)
SMTP
DNS
11. In a Cisco AVC system, in which module is NBAR2 deployed?
Application Recognition
12. True or False?
ICMP can be used inside the corporation to pose a threat.
true
13. Which Windows tool can be used to review host logs?
Event Viewer
14. Which type of security data can be used to describe or predict network behavior?
statistical
15. Refer to the exhibit. A network administrator is reviewing an Apache access log message. What does the hyphen symbol (-) before “jsmith” indicate?
The client information is unavailable or unreliable.
16. True or False?
Sguil is optimized to provide cyberoperations workflow management to large operations with many employees.
false
17. What is the host-based intrusion detection tool that is integrated into Security Onion?
OSSEC
18. Which alert classification indicates that exploits are not being detected by installed security systems?
false negative
19. Which two technologies are used in the Enterprise Log Search and Archive (ELSA) tool? (Choose two.)
MySQL
Sphinx Search
20. Fill in the blank.
Cisco …… provides an interactive dashboard that allows investigation of the threat landscape.
21. True or False?
Modern cybersecurity tools are sophisticated enough to detect and prevent all exploits.
false
22. Fill in the blank.
The act of determining the individual, organization, or nation responsible for a successful intrusion or attack incident is known as threat …… ?
23. What is the purpose for data normalization?
to simplify searching for correlated events
24. Which two strings will be matched by the regular expression? (Choose two.)
Level2
Level4
25. Which term describes evidence that is in its original state?
best evidence
26. Fill in the blank.
A …… positive alert classification wastes the time of cybersecurity analysts who end up investigating events that turn out not to pose a threat.
27. True or False?
Source and destination MAC addresses are part of the five-tuple used to track the conversation between a source and destination application.
false
28. A cybersecurity analyst is going to verify security alerts using the Security Onion. Which tool should the analyst visit first?
Sguil
29. Fill in the blank.
Decision makers can use deterministic analysis to evaluate risk based on what is known about a vulnerability.
30. According to NIST, which step in the digital forensics process involves drawing conclusions from data?
analysis
31. Which field in the Sguil application window indicates the priority of an event or set of correlated events?
ST
32. Which top-level element of the VERIS schema would allow a company to document the incident timeline?
incident tracking
33. What is a chain of custody?
the documentation surrounding the preservation of evidence related to an incident
34. When dealing with a security threat and using the Cyber Kill Chain model, which two approaches can an organization use to help block potential exploitations on a system? (Choose two.)
Train web developers for securing code.
Perform regular vulnerability scanning and penetration testing.
35. Fill in the blank.
VERIS …… is a set of metrics designed to create a way to describe security incidents in a structured and repeatable way.
36. Which meta-feature element in the Diamond Model describes tools and information (such as software, black hat knowledge base, username and password) that the adversary uses for the intrusion event?
Resources
37. Which NIST incident response life cycle phase includes continuous monitoring by the CSIRT to quickly identify and validate an incident?
detection and analysis
38. What type of CSIRT organization is responsible for determining trends to help predict and provide warning of future security incidents?
analysis center
39. Which NIST incident response life cycle phase includes training for the computer security incident response team on how to respond to an incident?
preparation
40. After a threat actor completes a port scan of the public web server of an organization and identifies a potential vulnerability, what is the next phase for the threat actor in order to prepare and launch an attack as defined in the Cyber Kill Chain?
Weaponization
41. Match the intrusion event defined in the Diamond Model of intrusion to the description.
42. In the NIST incident response process life cycle, which type of attack vector involves the use of brute force against devices, networks, or services?
attrition
43. According to NIST standards, which incident response stakeholder is responsible for coordinating an incident response with other stakeholders to minimize the damage of an incident?
management
44. Which three aspects of a target system are most likely to be exploited after a weapon is delivered? (Choose three.)
applications
user accounts
OS vulnerabilities
45. Which approach can help block potential malware delivery methods, as described in the Cyber Kill Chain model, on an Internet-facing web server?
Analyze the infrastructure storage path used for files.
46. Which activity is typically performed by a threat actor in the installation phase of the Cyber Kill Chain?
Install a web shell on the target web server for persistent access.
For no. 32:
Which top-level element of the VERIS schema would allow a company to document the incident timeline?
Answer = discovery and response
Refer to curriculum topic: 13.1.3
The discovery and response element is used to record the timeline of events, the method of incident discovery, and what the response was to the incident. Incident tracking is for recording general information about the incident.
A ….. positive alert classification wastes the time of cybersecurity analysts who end up investigating events that turn out not to pose a threat.
Answer = false
Refer to curriculum topic: 12.1.2
False positive alerts are not desirable. They waste the time of cybersecurity analysts because the analysts end up investigating events that turn out not to be a threat.
The act of determining the individual, organization, or nation responsible for a successful intrusion or attack incident is known as threat …… ?
Answer = attribute
Refer to curriculum topic: 12.3.1
Threat attribution refers to the act of determining the individual, organization, or nation responsible for a successful intrusion or attack incident. Identifying responsible threat actors should occur through the principled and systematic investigation of the evidence.
Cisco ….. provides an interactive dashboard that allows investigation of the threat landscape.
Answer = Talos
Refer to curriculum topic: 12.2.3
Cisco Talos provides an interactive dashboard that allows investigation of the threat landscape.
Threat actors may attack the ……. infrastructure in order to corrupt network log timestamps and disguise any traces that they have left behind.
Answer = NTP
Refer to curriculum topic: 11.1.1
Correctly timestamped network logs are essential to the cybersecurity analyst. The NTP protocol is used to provide consistent time on network messages and logged events.