1. Which statement describes an operational characteristic of NetFlow?
NetFlow collects metadata about the packet flow, not the flow data itself.
2. What is the purpose of Tor?
to allow users to browse the Internet anonymously
3. Threat actors may attack the infrastructure in order to corrupt network log timestamps and disguise any traces that they have left behind.
4. Which type of server daemon accepts messages sent by network devices to create a collection of log entries?
5. A NIDS/NIPS has identified a threat. Which type of security data will be generated and sent to a logging device?
6. Which statement describes the tcpdump tool?
It is a command-line packet analyzer.
7. What type of server can threat actors use DNS to communicate with?
8. A security analyst reviews network logs. The data shows user network activities such as user name, IP addresses, web pages accessed, and timestamp. Which type of data is the analyst reviewing?
9. Which Windows host log event type describes the successful operation of an application, driver, or service?
10. Which two protocols may devices use in the application process that sends email? (Choose two.)
11. In a Cisco AVC system, in which module is NBAR2 deployed?
12. True or False?
ICMP can be used inside the corporation to pose a threat.
13. Which Windows tool can be used to review host logs?
14. Which type of security data can be used to describe or predict network behavior?
15. Refer to the exhibit. A network administrator is reviewing an Apache access log message. What does the hyphen symbol (-) before "jsmith" indicate?
The client information is unavailable or unreliable.
16. True or False?
Sguil is optimized to provide cyberoperations workflow management to large operations with many employees.
17. What is the host-based intrusion detection tool that is integrated into Security Onion?
18. Which alert classification indicates that exploits are not being detected by installed security systems?
19. Which two technologies are used in the Enterprise Log Search and Archive (ELSA) tool? (Choose two.)
20. Fill in the blank.
Cisco provides an interactive dashboard that allows investigation of the threat landscape.
21. True or False?
Modern cybersecurity tools are sophisticated enough to detect and prevent all exploits.
22. Fill in the blank.
The act of determining the individual, organization, or nation responsible for a successful intrusion or attack incident is known as threat ?
23. What is the purpose for data normalization?
to simplify searching for correlated events
24. Which two strings will be matched by the regular expression? (Choose two.)
25. Which term describes evidence that is in its original state?
26. Fill in the blank.
A positive alert classification wastes the time of cybersecurity analysts who end up investigating events that turn out not to pose a threat.
27. True or False?
Source and destination MAC addresses are part of the five-tuple used to track the conversation between a source and destination application.
28. A cybersecurity analyst is going to verify security alerts using the Security Onion. Which tool should the analyst visit first?
29. Fill in the blank.
Decision makers can use deterministic analysis to evaluate risk based on what is known about a vulnerability.
30. According to NIST, which step in the digital forensics process involves drawing conclusions from data?
31. Which field in the Sguil application window indicates the priority of an event or set of correlated events?
32. Which top-level element of the VERIS schema would allow a company to document the incident timeline?
33. What is a chain of custody?
the documentation surrounding the preservation of evidence related to an incident
34. When dealing with a security threat and using the Cyber Kill Chain model, which two approaches can an organization use to help block potential exploitations on a system? (Choose two.)
Train web developers for securing code.
Perform regular vulnerability scanning and penetration testing.
35. VERIS … is a set of metrics designed to create a way to describe security incidents in a structured and repeatable way.
36. Which meta-feature element in the Diamond Model describes tools and information (such as software, black hat knowledge base, username and password) that the adversary uses for the intrusion event?
37. Which NIST incident response life cycle phase includes continuous monitoring by the CSIRT to quickly identify and validate an incident?
detection and analysis
38. What type of CSIRT organization is responsible for determining trends to help predict and provide warning of future security incidents?
39. Which NIST incident response life cycle phase includes training for the computer security incident response team on how to respond to an incident?
40. After a threat actor completes a port scan of the public web server of an organization and identifies a potential vulnerability, what is the next phase for the threat actor in order to prepare and launch an attack as defined in the Cyber Kill Chain?
41. Match the intrusion event defined in the Diamond Model of intrusion to the description.
42. In the NIST incident response process life cycle, which type of attack vector involves the use of brute force against devices, networks, or services?
43. According to NIST standards, which incident response stakeholder is responsible for coordinating an incident response with other stakeholders to minimize the damage of an incident?
44. Which three aspects of a target system are most likely to be exploited after a weapon is delivered? (Choose three.)
45. Which approach can help block potential malware delivery methods, as described in the Cyber Kill Chain model, on an Internet-facing web server?
Analyze the infrastructure storage path used for files.
46. Which activity is typically performed by a threat actor in the installation phase of the Cyber Kill Chain?
Install a web shell on the target web server for persistent access.