What does an attacker use to determine which network ports are listening on a potential target device?
How does agentless monitoring differ from agent-based monitoring?
A cyberattacker notices a security flaw in a software that a company is using They decide to tailor a specific worm to exploit this flaw and extract saved passwords from the software To which category of the Cyber Kill Cham model does this event belong?
What is obtained using NetFlow?
Which technology should be used to implement a solution that makes routing decisions based on HTTP header, uniform resource identifier, and SSL session ID attributes?
What describes a buffer overflow attack?
STION NO: 102
Refer to the exhibit.
What is the potential threat identified in this Stealthwatch dashboard?
An engineer discovered a breach, identified the threat’s entry point, and removed access. The engineer was able to identify the host, the IP address of the threat actor, and the application the threat actor targeted. What is the next step the engineer should take according to the NIST SP 800-61 Incident handling guide?
An engineer needs to configure network systems to detect command and control communications by decrypting ingress and egress perimeter traffic and allowing network security devices to detect malicious outbound communications. Which technology should be used to accomplish the task?
Which security monitoring data type requires the largest storage space?
What is vulnerability management?
A user received a malicious attachment but did not run it. Which category classifies the intrusion?
Refer to the exhibit.
Which kind of attack method is depicted in this string?
What is an example of social engineering attacks?
During which phase of the forensic process are tools and techniques used to extract information from the collected data?
What is a difference between signature-based and behavior-based detection?
Which evasion method involves performing actions slower than normal to prevent detection?
Which statement describes patch management?
What is a difference between SIEM and SOAR?
How does a certificate authority impact security?
Drag and drop the technology on the left onto the data type the technology provides on the right.
While viewing packet capture data, an analyst sees that one IP is sending and receiving traffic for multiple devices by modifying the IP header.
Which technology makes this behavior possible?
Refer to the exhibit.
Which field contains DNS header information if the payload is a query or a response?
Which HTTP header field is used in forensics to identify the type of browser used?
An analyst is investigating an incident in a SOC environment. Which method is used to identify a session from a group of logs?
How does an attack surface differ from an attack vector?
Refer to the exhibit.
A security analyst is investigating unusual activity from an unknown IP address Which type of evidence is this file1?
How does statistical detection differ from rule-based detection?
Refer to the exhibit.
What is the potential threat identified in this Stealthwatch dashboard?
An engineer is investigating a case of the unauthorized usage of the “Tcpdump” tool. The analysis revealed that a malicious insider attempted to sniff traffic on a specific interface. What type of information did the malicious insider attempt to obtain?
Refer to the exhibit.
Which technology generates this log?
How can TOR impact data visibility inside an organization?
Which incidence response step includes identifying all hosts affected by an attack?
What is the difference between a threat and an exploit?
What is the impact of encryption?
An engineer is working on a ticket for an incident from the incident management team A week ago. an external web application was targeted by a DDoS attack Server resources were exhausted and after two hours it crashed. An engineer was able to identify the attacker and technique used Three hours after the attack, the server was restored and the engineer recommended implementing mitigation by Blackhole filtering and transferred the incident ticket back to the IR team According to NIST SP800-61, at which phase of the incident response did the engineer finish work?
What is threat hunting?
Which metric is used to capture the level of access needed to launch a successful attack?
Which vulnerability type is used to read, write, or erase information from a database?
Refer to the exhibit Drag and drop the element names from the left onto the corresponding pieces of the PCAP file on the right.
Which two elements of the incident response process are stated in NIST Special Publication 800-61 r2? (Choose two.)
Which security technology allows only a set of pre-approved applications to run on a system?
Which type of evidence supports a theory or an assumption that results from initial evidence?
What is a difference between an inline and a tap mode traffic monitoring?
Which attack method is being used when an attacker tries to compromise a network with an authentication system that uses only 4-digit numeric passwords and no username?
Which regular expression matches "color" and "colour"?
What is the difference between indicator of attack (loA) and indicators of compromise (loC)?
Refer to the exhibit.
What does this output indicate?
What is the function of a command and control server?
Which event artifact is used to identify HTTP GET requests for a specific file?
A SOC analyst detected connections to known C&C and port scanning activity to main HR database servers from one of the HR endpoints via Cisco StealthWatch. What are the two next steps of the SOC team according to the NISTSP800-61 incident handling process? (Choose two)
An offline audit log contains the source IP address of a session suspected to have exploited a vulnerability resulting in system compromise.
Which kind of evidence is this IP address?
An organization that develops high-end technology is going through an internal audit The organization uses two databases The main database stores patent information and a secondary database stores employee names and contact information A compliance team is asked to analyze the infrastructure and identify protected data Which two types of protected data should be identified? (Choose two)
What is an attack surface as compared to a vulnerability?
According to the September 2020 threat intelligence feeds a new malware called Egregor was introduced and used in many attacks. Distnbution of Egregor is pnmanly through a Cobalt Strike that has been installed on victim's workstations using RDP exploits Malware exfiltrates the victim's data to a command and control server. The data is used to force victims pay or lose it by publicly releasing it. Which type of attack is described?
Which element is included in an incident response plan as stated m NIST SP800-617
Refer to the exhibit.
Which type of log is displayed?
A security engineer has a video of a suspect entering a data center that was captured on the same day that files in the same data center were transferred to a competitor.
Which type of evidence is this?
Refer to the exhibit.
What is occurring?
Which two elements are used for profiling a network? (Choose two.)
An engineer received a flood of phishing emails from HR with the source address HRjacobm@companycom. What is the threat actor in this scenario?
A system administrator is ensuring that specific registry information is accurate.
Which type of configuration information does the HKEY_LOCAL_MACHINE hive contain?
What is a difference between tampered and untampered disk images?
Refer to the exhibit.
What is occurring in this network?
Refer to the exhibit.
An analyst received this alert from the Cisco ASA device, and numerous activity logs were produced. How should this type of evidence be categorized?
Refer to the exhibit.
What does the message indicate?
Drag and drop the access control models from the left onto the correct descriptions on the right.
Which regex matches only on all lowercase letters?
Refer to the exhibit.
Drag and drop the element name from the left onto the correct piece of the PCAP file on the right.
What is the relationship between a vulnerability and a threat?
What is the difference between an attack vector and attack surface?
Refer to the exhibit.
This request was sent to a web application server driven by a database. Which type of web server attack is represented?
What is a benefit of agent-based protection when compared to agentless protection?
Refer to the exhibit.
An engineer received a ticket about a slowed-down web application. The engineer runs the #netstat -an command. How must the engineer interpret the results?
Which data format is the most efficient to build a baseline of traffic seen over an extended period of time?
Drag and drop the event term from the left onto the description on the right.
When an event is investigated, which type of data provides the investigate capability to determine if data exfiltration has occurred?
Which security model assumes an attacker within and outside of the network and enforces strict verification before connecting to any system or resource within the organization?
Which piece of information is needed for attribution in an investigation?
Which technique is a low-bandwidth attack?
Which system monitors local system operation and local network access for violations of a security policy?
An engineer must compare NIST vs ISO frameworks The engineer deeded to compare as readable documentation and also to watch a comparison video review. Using Windows 10 OS. the engineer started a browser and searched for a NIST document and then opened a new tab in the same browser and searched for an ISO document for comparison
The engineer tried to watch the video, but there 'was an audio problem with OS so the engineer had to troubleshoot it At first the engineer started CMD and looked fee a driver path then locked for a corresponding registry in the registry editor The engineer enabled "Audiosrv" in task manager and put it on auto start and the problem was solved Which two components of the OS did the engineer touch? (Choose two)
Refer to the exhibit.
A network administrator is investigating suspicious network activity by analyzing captured traffic. An engineer notices abnormal behavior and discovers that the default user agent is present in the headers of requests and data being transmitted What is occurring?
What is an advantage of symmetric over asymmetric encryption?
Refer to the exhibit.
An attacker scanned the server using Nmap.
What did the attacker obtain from this scan?
Refer to the exhibit.
In which Linux log file is this output found?
What do host-based firewalls protect workstations from?
Which security principle is violated by running all processes as root or administrator?
Which principle is being followed when an analyst gathers information relevant to a security incident to determine the appropriate course of action?
Refer to the exhibit.
Which two elements in the table are parts of the 5-tuple? (Choose two.)
Which event is a vishing attack?
A network engineer noticed in the NetFlow report that internal hosts are sending many DNS requests to external DNS servers A SOC analyst checked the endpoints and discovered that they are infected and became part of the botnet Endpoints are sending multiple DNS requests but with spoofed IP addresses of valid external sources What kind of attack are infected endpoints involved in1?
Which filter allows an engineer to filter traffic in Wireshark to further analyze the PCAP file by only showing the traffic for LAN 10.11.x.x, between workstations and servers without the Internet?