Summer Sale - Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70dumps

CS0-003 Questions and Answers

Question # 6

A security analyst has just received an incident ticket regarding a ransomware attack. Which of the following would most likely help an analyst properly triage the ticket?

A.

Incident response plan

B.

Lessons learned

C.

Playbook

D.

Tabletop exercise

Full Access
Question # 7

Which of the following phases of the Cyber Kill Chain involves the adversary attempting to establish communication with a successfully exploited target?

A.

Command and control

B.

Actions on objectives

C.

Exploitation

D.

Delivery

Full Access
Question # 8

A cybersecurity analyst notices unusual network scanning activity coming from a country that the company does not do business with. Which of the following is the best mitigation technique?

A.

Geoblock the offending source country

B.

Block the IP range of the scans at the network firewall.

C.

Perform a historical trend analysis and look for similar scanning activity.

D.

Block the specific IP address of the scans at the network firewall

Full Access
Question # 9

An analyst receives threat intelligence regarding potential attacks from an actor with seemingly unlimited time and resources. Which of the following best describes the threat actor attributed to the malicious activity?

A.

Insider threat

B.

Ransomware group

C.

Nation-state

D.

Organized crime

Full Access
Question # 10

Which of the following best describes the reporting metric that should be utilized when measuring the degree to which a system, application, or user base is affected by an uptime availability outage?

A.

Timeline

B.

Evidence

C.

Impact

D.

Scope

Full Access
Question # 11

An organization enabled a SIEM rule to send an alert to a security analyst distribution list when ten failed logins occur within one minute. However, the control was unable to detect an attack with nine failed logins. Which of the following best represents what occurred?

A.

False positive

B.

True negative

C.

False negative

D.

True positive

Full Access
Question # 12

A company was able to reduce triage time by focusing on historical trend analysis. The business partnered with the security team to achieve a 50% reduction in phishing attempts year over year. Which of the following action plans led to this reduced triage time?

A.

Patching

B.

Configuration management

C.

Awareness, education, and training

D.

Threat modeling

Full Access
Question # 13

A user downloads software that contains malware onto a computer that eventually infects numerous other systems. Which of the following has the user become?

A.

Hacklivist

B.

Advanced persistent threat

C.

Insider threat

D.

Script kiddie

Full Access
Question # 14

In the last hour, a high volume of failed RDP authentication attempts has been logged on a critical server. All of the authentication attempts originated from the same remote IP address and made use of a single valid domain user account. Which of the following mitigating controls would be most effective to reduce the rate of success of this brute-force attack? (Select two).

A.

Increase the granularity of log-on event auditing on all devices.

B.

Enable host firewall rules to block all outbound traffic to TCP port 3389.

C.

Configure user account lockout after a limited number of failed attempts.

D.

Implement a firewall block for the IP address of the remote system.

E.

Install a third-party remote access tool and disable RDP on all devices.

F.

Block inbound to TCP port 3389 from untrusted remote IP addresses at the perimeter firewall.

Full Access
Question # 15

Which of the following statements best describes the MITRE ATT & CK framework?

A.

It provides a comprehensive method to test the security of applications.

B.

It provides threat intelligence sharing and development of action and mitigation strategies.

C.

It helps identify and stop enemy activity by highlighting the areas where an attacker functions.

D.

It tracks and understands threats and is an open-source project that evolves.

E.

It breaks down intrusions into a clearly defined sequence of phases.

Full Access
Question # 16

A software developer has been deploying web applications with common security risks to include insufficient logging capabilities. Which of the following actions would be most effective to

reduce risks associated with the application development?

A.

Perform static analyses using an integrated development environment.

B.

Deploy compensating controls into the environment.

C.

Implement server-side logging and automatic updates.

D.

Conduct regular code reviews using OWASP best practices.

Full Access
Question # 17

Which of the following would help an analyst to quickly find out whether the IP address in a SIEM alert is a known-malicious IP address?

A.

Join an information sharing and analysis center specific to the company ' s industry.

B.

Upload threat intelligence to the IPS in STIX/TAXII format.

C.

Add data enrichment for IPS in the ingestion pipleline.

D.

Review threat feeds after viewing the SIEM alert.

Full Access
Question # 18

A recent vulnerability scan resulted in an abnormally large number of critical and high findings that require patching. The SLA requires that the findings be remediated within a specific amount of time. Which of the following is the best approach to ensure all vulnerabilities are patched in accordance with the SLA?

A.

Integrate an IT service delivery ticketing system to track remediation and closure.

B.

Create a compensating control item until the system can be fully patched.

C.

Accept the risk and decommission current assets as end of life.

D.

Request an exception and manually patch each system.

Full Access
Question # 19

An analyst is examining events in multiple systems but is having difficulty correlating data points. Which of the following is most likely the issue with the system?

A.

Access rights

B.

Network segmentation

C.

Time synchronization

D.

Invalid playbook

Full Access
Question # 20

Which of the following is the best framework for assessing how attackers use techniques over an infrastructure to exploit a target’s information assets?

A.

Structured Threat Information Expression

B.

OWASP Testing Guide

C.

Open Source Security Testing Methodology Manual

D.

Diamond Model of Intrusion Analysis

Full Access
Question # 21

During an incident, some loCs of possible ransomware contamination were found in a group of servers in a segment of the network. Which of the following steps should be taken next?

A.

Isolation

B.

Remediation

C.

Reimaging

D.

Preservation

Full Access
Question # 22

A security analyst has identified outgoing network traffic leaving the enterprise at odd times. The traffic appears to pivot across network segments and target domain servers. The traffic is then routed to a geographic location to which the company has no association. Which of the following best describes this type of threat?

A.

Hacktivist

B.

Zombie

C.

Insider threat

D.

Nation-state actor

Full Access
Question # 23

A security analyst needs to identify the devices in a critical infrastructure network that handles an oil and gas pipeline. The network has devices connected over IPv4 using either HTTP or Modbus protocols running on the standard ports. Which of the following approaches should the analyst use to achieve the objective?

A.

Employ the IT vulnerability scanner to target ports 80 and 502.

B.

Use banner grabbing with Netcat on TCP ports 80 and 502.

C.

Perform an Nmap -sS -A -p 80,502 scan.

D.

Scan the ICS network using Masscan --open-only -p80,502.

Full Access
Question # 24

After a risk assessment, a server was found hosting a vulnerable legacy system that has the following characteristics:

• There is no patch or official fix available from the vendor.

• There is no official support provided by the vendor.

• Customers consider the system mission critical.

Which of the following actions will best decrease the risk posed by the legacy system?

A.

Decommission the server immediately and find a new solution to replace the legacy system.

B.

Implement firewall rules to block inbound connections and allow outbound traffic.

C.

Install and configure a web application firewall tailored to the legacy server.

D.

Apply compensating controls, including isolation, restricted access, and continuous monitoring.

Full Access
Question # 25

A company is launching a new application in its internal network, where internal customers can communicate with the service desk. The security team needs to ensure the application will be able to handle unexpected strings with anomalous formats without crashing. Which of the following processes is the most applicable for testing the application to find how it would behave in such a situation?

A.

Fuzzing

B.

Coding review

C.

Debugging

D.

Static analysis

Full Access
Question # 26

A company patches its servers using automation software. Remote SSH or RDP connections are allowed to the servers only from the service account used by the automation software. All servers are in an internal subnet without direct access to or from the internet. An analyst reviews the following vulnerability summary:

Question # 26

Which of the following vulnerability IDs should the analyst address first?

A.

1

B.

2

C.

3

D.

4

Full Access
Question # 27

A cloud team received an alert that unauthorized resources were being auto-provisioned. After investigating, the team suspects that crypto mining is occurring. Which of the following indicators would

most likely lead the team to this conclusion?

.

A.

High GPU utilization

B.

Bandwidth consumption

C.

Unauthorized changes

D.

Unusual traffic spikes

Full Access
Question # 28

During a security test, a security analyst found a critical application with a buffer overflow vulnerability. Which of the following would be best to mitigate the vulnerability at the application level?

A.

Perform OS hardening.

B.

Implement input validation.

C.

Update third-party dependencies.

D.

Configure address space layout randomization.

Full Access
Question # 29

While reviewing the web server logs a security analyst notices the following snippet

..\../..\../boot.ini

Which of the following is being attempted?

A.

Directory traversal

B.

Remote file inclusion

C.

Cross-site scripting

D.

Remote code execution

E.

Enumeration of/etc/pasawd

Full Access
Question # 30

An organization wants to establish a disaster recovery plan for critical applications that are hosted on premises. Which of the following is the first step to prepare for supporting this new requirement?

A.

Choose a vendor to utilize for the disaster recovery location.

B.

Establish prioritization of continuity from data and business owners.

C.

Negotiate vendor agreements to support disaster recovery capabilities.

D.

Advise the leadership team that a geographical area for recovery must be defined.

Full Access
Question # 31

Which of the following documents sets requirements and metrics for a third-party response during an event?

A.

BIA

B.

DRP

C.

SLA

D.

MOU

Full Access
Question # 32

An organization ' s website was maliciously altered.

INSTRUCTIONS

Review information in each tab to select the source IP the analyst should be concerned

about, the indicator of compromise, and the two appropriate corrective actions.

Question # 32

Question # 32

Question # 32

Question # 32

Full Access
Question # 33

The Chief Information Security Officer wants to eliminate and reduce shadow IT in the enterprise. Several high-risk cloud applications are used that increase the risk to the organization. Which of the following solutions will assist in reducing the risk?

A.

Deploy a CASB and enable policy enforcement

B.

Configure MFA with strict access

C.

Deploy an API gateway

D.

Enable SSO to the cloud applications

Full Access
Question # 34

An email hosting provider added a new data center with new public IP addresses. Which of the following most likely needs to be updated to ensure emails from the new data center do not get blocked by spam filters?

A.

DKIM

B.

SPF

C.

SMTP

D.

DMARC

Full Access
Question # 35

Which of the following best describes the key goal of the containment stage of an incident response process?

A.

To limit further damage from occurring

B.

To get services back up and running

C.

To communicate goals and objectives of theincidentresponse plan

D.

To prevent data follow-on actions by adversary exfiltration

Full Access
Question # 36

A security analyst has received an incident case regarding malware spreading out of control on a customer ' s network. The analyst is unsure how to respond. The configured EDR has automatically obtained a sample of the malware and its signature. Which of the following should the analyst perform next to determine the type of malware, based on its telemetry?

A.

Cross-reference the signature with open-source threat intelligence.

B.

Configure the EDR to perform a full scan.

C.

Transfer the malware to a sandbox environment.

D.

Log in to the affected systems and run necstat.

Full Access
Question # 37

A SOC analyst is analyzing traffic on a network and notices an unauthorized scan. Which of the following types of activities is being observed?

A.

Potential precursor to an attack

B.

Unauthorized peer-to-peer communication

C.

Rogue device on the network

D.

System updates

Full Access
Question # 38

A payroll department employee was the target of a phishing attack in which an attacker impersonated a department director and requested that direct deposit information be updated to a new account. Afterward, a deposit was made into the unauthorized account. Which of the following is one of the first actions the incident response team should take when they receive notification of the attack?

A.

Scan the employee ' s computer with virus and malware tools.

B.

Review the actions taken by the employee and the email related to the event

C.

Contact human resources and recommend the termination of the employee.

D.

Assign security awareness training to the employee involved in the incident.

Full Access
Question # 39

A vulnerability manager analyzes suspicious data after scanning a database. Which of the following should the manager do to prioritize the remediation tasks?

A.

Conduct further analysis and send the findings report to the incident response team.

B.

Perform an assessment in the command line and determine if there are true or false positives.

C.

Identify the impact level and create a ticket that includes the time frame for fixing the issue.

D.

Apply compensating controls and advise an analyst to document the problem in a risk register.

Full Access
Question # 40

A cybersecurity team lead is developing metrics to present in the weekly executive briefs. Executives are interested in knowing how long it takes to stop the spread of malware that enters the network.

Which of the following metrics should the team lead include in the briefs?

A.

Mean time between failures

B.

Mean time to detect

C.

Mean time to remediate

D.

Mean time to contain

Full Access
Question # 41

A company recently removed administrator rights from all of its end user workstations. An analyst uses CVSSv3.1 exploitability metrics to prioritize the vulnerabilities for the workstations and produces the following information:

Question # 41

Which of the following vulnerabilities should be prioritized for remediation?

A.

nessie.explosion

B.

vote.4p

C.

sweet.bike

D.

great.skills

Full Access
Question # 42

A security operations center receives the following alerts related to an organization ' s cloud tenant:

Question # 42

Which of the following should an analyst do first to identify the initial compromise?

A.

Search audit logs for all activity under project staging-01 and correlate any actions against VM edoif j34.

B.

Search audit logs for userjdoe12@myorg.com and correlate the successful API requests on project staging-oi.

C.

Review audit logs for any successful compute instance actions targeting project staging-oi during the time of the alerts.

D.

Review logs for any audit action targeting compute instance APIs during the time of the alerts on VM fd03lf .

Full Access
Question # 43

When investigating a potentially compromised host, an analyst observes that the process BGInfo.exe (PID 1024), a Sysinternals tool used to create desktop backgrounds containing host details, has bee running for over two days. Which of the following activities will provide the best insight into this potentially malicious process, based on the anomalous behavior?

A.

Changes to system environment variables

B.

SMB network traffic related to the system process

C.

Recent browser history of the primary user

D.

Activities taken by PID 1024

Full Access
Question # 44

An incident response team found indicators of compromise on a critical server. The team needs to isolate the server and collect technical evidence for further investigation. Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?

A.

Hard disk

B.

Primary boot partition

C.

Malicious files

D.

Routing table

E.

Static IP address

Full Access
Question # 45

Which of the following is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system?

A.

Mean time to detect

B.

Number of exploits by tactic

C.

Alert volume

D.

Quantity of intrusion attempts

Full Access
Question # 46

A security analyst is reviewing the logs of a web server and notices that an attacker has attempted to exploit a SQL injection vulnerability. Which of the following tools can the analyst use to analyze the attack and prevent future attacks?

A.

A web application firewall

B.

A network intrusion detection system

C.

A vulnerability scanner

D.

A web proxy

Full Access
Question # 47

A security analyst is writing a shell script to identify IP addresses from the same country. Which of the following functions would help the analyst achieve the objective?

A.

function w() { info=$(ping -c 1 $1 | awk -F “/” ‘END{print $1}’) & & echo “$1 | $info” }

B.

function x() { info=$(geoiplookup $1) & & echo “$1 | $info” }

C.

function y() { info=$(dig -x $1 | grep PTR | tail -n 1 ) & & echo “$1 | $info” }

D.

function z() { info=$(traceroute -m 40 $1 | awk ‘END{print $1}’) & & echo “$1 | $info” }

Full Access
Question # 48

AXSS vulnerability was reported on one of the non-sensitive/non-mission-critical public websites of a company. The security department confirmed the finding and needs to provide a recommendation to the application owner. Which of the following recommendations will best prevent this vulnerability from being exploited? (Select two).

A.

Implement an IPS in front of the web server.

B.

Enable MFA on the website.

C.

Take the website offline until it is patched.

D.

Implement a compensating control in the source code.

E.

Configure TLS v1.3 on the website.

F.

Fix the vulnerability using a virtual patch at the WAF.

Full Access
Question # 49

Which of the following best describes the goal of a tabletop exercise?

A.

To test possible incident scenarios and how to react properly

B.

To perform attack exercises to check response effectiveness

C.

To understand existing threat actors and how to replicate their techniques

D.

To check the effectiveness of the business continuity plan

Full Access
Question # 50

During a routine review of DNS logs, a security analyst observes that Host X has been making frequent DNS requests to domains with random alphanumeric strings, such as ajd8ekthj.xyz. IPS anomaly rules are blocking these domains. This behavior started shortly after a new software installation on the host. Which of the following should the analyst do first to determine whether Host X has been compromised?

A.

Allow the domains because the DNS requests are part of a misconfigured software update.

B.

Check the software installation logs for errors and reinstall the software.

C.

Block all outbound connections from the host to prevent further DNS queries.

D.

Use threat intelligence to check if the queried domains are associated with legitimate sites.

Full Access
Question # 51

During a tabletop exercise, engineers discovered that an ICS could not be updated due to hardware versioning incompatibility. Which of the following is the most likely cause of this issue?

A.

Legacy system

B.

Business process interruption

C.

Degrading functionality

D.

Configuration management

Full Access
Question # 52

An analyst receives alerts that state the following traffic was identified on the perimeter network firewall:

Question # 52

Which of the following best describes the indicator of compromise that triggered the alerts?

A.

Anomalous activity

B.

Bandwidth saturation

C.

Cryptomining

D.

Denial of service

Full Access
Question # 53

Which of the following most accurately describes the Cyber Kill Chain methodology?

A.

It is used to correlate events to ascertain the TTPs of an attacker.

B.

It is used to ascertain lateral movements of an attacker, enabling the process to be stopped.

C.

It provides a clear model of how an attacker generally operates during an intrusion and the actions to take at each stage

D.

It outlines a clear path for determining the relationships between the attacker, the technology used, and the target

Full Access
Question # 54

The most recent vulnerability scan results show the following

Question # 54

The vulnerability team learned the following from the asset owners:

• Server hqfinoi is a financial transaction database server used in the company ' s largest business unit.

• Server hqadmin02 is utilized by an end user with administrator privileges to several critical applications.

• No compensating controls exist for either issue.

Which of the following would the vulnerability team most likely do to determine remediation prioritization?

A.

Review the BCP and prioritize the remediation of the asset that would take more time to bring online for operational use.

B.

Contact the network and desktop engineering teams to discuss prioritizing the asset that Is faster to remediate.

C.

Reference the BIA to determine the value designation and prioritize vulnerability remediation of the more critical asset.

D.

Identify the network placement and configuration of each asset, then prioritize the asset with the least recent backups.

Full Access
Question # 55

A security analyst is conducting a vulnerability assessment of a company ' s online store. The analyst discovers a critical vulnerability in the payment processing system that could be exploited, allowing attackers to steal customer payment information. Which of the following should the analyst do next?

A.

Leave the vulnerability unpatched until the next scheduled maintenance window to avoid potential disruption to business.

B.

Perform a risk assessment to evaluate the potential impact of the vulnerability and determine whether additional security measures are needed.

C.

Ignore the vulnerability since the company recently passed a payment system compliance audit.

D.

Isolate the payment processing system from production and schedule for reimaging.

Full Access
Question # 56

A corporation wants to implement an agent-based endpoint solution to help:

    Flag various threats

    Review vulnerability feeds

    Aggregate data

    Provide real-time metrics by using scripting languages

Which of the following tools should the corporation implement to reach this goal?

A.

DLP

B.

Heuristics

C.

SOAR

D.

NAC

Full Access
Question # 57

After identifying a threat, a company has decided to implement a patch management program to remediate vulnerabilities. Which of the following risk management principles is the company exercising?

A.

Transfer

B.

Accept

C.

Mitigate

D.

Avoid

Full Access
Question # 58

A security analyst reviews a packet capture and identifies the following output as anomalous:

13:49:57.553161 TP10.203.10.17.45701 > 10.203.10.22.12930:Flags[FPU],seq108331482,win1024,urg0,length0

13:49:57.553162 IP10.203.10.17.45701 > 10.203.10.22.48968:Flags[FPU],seq108331482,win1024,urg0,length0

...

Which of the following activities explains the output?

A.

Nmap Xmas scan

B.

Nikto ' s web scan

C.

Socat ' s proxying traffic using the urgent flag

D.

Angry IP Scanner output

Full Access
Question # 59

The Chief Information Security Officer is directing a new program to reduce attack surface risks and threats as part of a zero trust approach. The IT security team is required to come up with priorities for the program. Which of the following is the best priority based on common attack frameworks?

A.

Reduce the administrator and privileged access accounts

B.

Employ a network-based IDS

C.

Conduct thorough incident response

D.

Enable SSO to enterprise applications

Full Access
Question # 60

A security analyst is trying to identify anomalies on the network routing. Which of the following functions can the analyst use on a shell script to achieve the objective most accurately?

A.

function x() { info=$(geoiplookup $1) & & echo " $1 | $info " }

B.

function x() { info=$(ping -c 1 $1 | awk -F " / " ’END{print $5}’) & & echo " $1 | $info " }

C.

function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F " .in-addr " ’{print $1} ' ).origin.asn.cymru.com TXT +short) & & echo " $1 | $info " }

D.

function x() { info=$(traceroute -m 40 $1 | awk ‘END{print $1}’) & & echo " $1 | $info " }

Full Access
Question # 61

During an internal code review, software called " ACE " was discovered to have a vulnerability that allows the execution of arbitrary code. The vulnerability is in a legacy, third-party vendor resource that is used by the ACE software. ACE is used worldwide and is essential for many businesses in this industry. Developers informed the Chief Information Security Officer that removal of the vulnerability will take time. Which of the following is the first action to take?

A.

Look for potential loCs in the company.

B.

Inform customers of the vulnerability.

C.

Remove the affected vendor resource from the ACE software.

D.

Develop a compensating control until the issue can be fixed permanently.

Full Access
Question # 62

An analyst has discovered the following suspicious command:

Question # 62

Which of the following would best describe the outcome of the command?

A.

Cross-site scripting

B.

Reverse shell

C.

Backdoor attempt

D.

Logic bomb

Full Access
Question # 63

An analyst discovers unusual outbound connections to an IP that was previously blocked at the web proxy and firewall. Upon further investigation, it appears that the proxy and firewall rules that were in place were removed by a service account that is not recognized. Which of the following parts of the Cyber Kill Chain does this describe?

A.

Delivery

B.

Command and control

C.

Reconnaissance

D.

Weaporization

Full Access
Question # 64

A security analyst performs forensic analysis of a user’s computer. The analyst immediately orders the user to leave the computer powered on and not interact with it until further notice. Which of the following best describes the reason for the analyst’s orders?

A.

To prevent loss of sensitive data due to misuse

B.

To preserve artifacts related to the incident

C.

To validate that the security tools are installed and up to date

D.

To ensure there is a legal hold on the computer

Full Access
Question # 65

When undertaking a cloud migration of multiple SaaS applications, an organization’s systems administrators struggled with the complexity of extending identity and access management to cloud-based assets. Which of the following service models would have reduced the complexity of this project?

A.

RADIUS

B.

SDN

C.

ZTNA

D.

SWG

Full Access
Question # 66

Which of the following is the best action to take after the conclusion of a security incident to improve incident response in the future?

A.

Develop a call tree to inform impacted users

B.

Schedule a review with all teams to discuss what occurred

C.

Create an executive summary to update company leadership

D.

Review regulatory compliance with public relations for official notification

Full Access
Question # 67

A security analyst recently joined the team and is trying to determine which scripting language is being used in a production script to determine if it is malicious. Given the following script:

Question # 67

Which of the following scripting languages was used in the script?

A.

PowerShel

B.

Ruby

C.

Python

D.

Shell script

Full Access
Question # 68

A security analyst performs various types of vulnerability scans. Review the vulnerability scan results to determine the type of scan that was executed and if a false positive occurred for each device.

Instructions:

Select the Results Generated drop-down option to determine if the results were generated from a credentialed scan, non-credentialed scan, or a compliance scan.

For ONLY the credentialed and non-credentialed scans, evaluate the results for false positives and check the findings that display false positives. NOTE: If you would like to uncheck an option that is currently selected, click on the option a second time.

Lastly, based on the vulnerability scan results, identify the type of Server by dragging the Server to the results.

The Linux Web Server, File-Print Server and Directory Server are draggable.

If at any time you would like to bring back the initial state of the simulation, please select the Reset All button. When you have completed the simulation, please select the Done button to submit. Once the simulation is submitted, please select the Next button to continue.

Question # 68

Question # 68

Full Access
Question # 69

During an extended holiday break, a company suffered a security incident. This information was properly relayed to appropriate personnel in a timely manner and the server was up to date and configured with appropriate auditing and logging. The Chief Information Security Officer wants to find out precisely what happened. Which of the following actions should the analyst take first?

A.

Clone the virtual server for forensic analysis

B.

Log in to the affected server and begin analysis of the logs

C.

Restore from the last known-good backup to confirm there was no loss of connectivity

D.

Shut down the affected server immediately

Full Access
Question # 70

An analyst reviews a recent government alert on new zero-day threats and finds the following CVE metrics for the most critical of the vulnerabilities:

CVSS: 3.1/AV:N/AC: L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:W/RC:R

Which of the following represents the exploit code maturity of this critical vulnerability?

A.

E:U

B.

S:C

C.

RC:R

D.

AV:N

E.

AC:L

Full Access
Question # 71

An analyst is conducting monitoring against an authorized team that win perform adversarial techniques. The analyst interacts with the team twice per day to set the stage for the techniques to be used. Which of the following teams is the analyst a member of?

A.

Orange team

B.

Blue team

C.

Red team

D.

Purple team

Full Access
Question # 72

A security analyst is identifying vulnerabilities in laptops. Users often take their laptops out of the office while traveling, and the vulnerability scan metrics are inaccurate. Which of the following changes should the analyst propose to reduce the MTTD to fewer than four days?

A.

Deploy agents to all endpoints to scan daily for vulnerabilities.

B.

Configure the network vulnerability scan job to use credentials.

C.

Change the vulnerability scanner configuration to perform network scans more than once per day.

D.

Increase the scan maximum running time to four days to wait for missing endpoints.

Full Access
Question # 73

A security analyst received a malicious binary file to analyze. Which of the following is the best technique to perform the analysis?

A.

Code analysis

B.

Static analysis

C.

Reverse engineering

D.

Fuzzing

Full Access
Question # 74

A sales application was remediated to address a critical vulnerability. The process took five business hours and was ultimately successful. However, the change advisory board informed the company’s leadership team that the process resulted in a considerable financial loss. Which of the following best explains the reason for the financial loss?

A.

The loss is a normal cost of operations that relies on IT.

B.

The Chief Information Officer did not notify the board members.

C.

The IT team should have hired a penetration test assessment before patching.

D.

The maintenance window was not properly communicated or scheduled.

Full Access
Question # 75

A security analyst is working on a server patch management policy that will allow the infrastructure team to be informed more quickly about new patches. Which of the following would most likely be required by the infrastructure team so that vulnerabilities can be remediated quickly? (Select two).

A.

Hostname

B.

Missing KPI

C.

CVE details

D.

POC availability

E.

loCs

F.

npm identifier

Full Access
Question # 76

An XSS vulnerability was reported on one of the public websites of a company. The security department confirmed the finding and needs to provide a recommendation to the application owner. Which of the following recommendations will best prevent this vulnerability from being exploited? (Select two).

A.

Implement an IPS in front of the web server.

B.

Enable MFA on the website.

C.

Take the website offline until it is patched.

D.

Implement a compensating control in the source code.

E.

Configure TLS v1.3 on the website.

F.

Fix the vulnerability using a virtual patch at the WAF.

Full Access
Question # 77

Based on an internal assessment, a vulnerability management team wants to proactively identify risks to the infrastructure prior to production deployments. Which of the following best supports this approach?

A.

Threat modeling

B.

Penetration testing

C.

Bug bounty

D.

SDLC training

Full Access
Question # 78

While configuring a SIEM for an organization, a security analyst is having difficulty correlating incidents across different systems. Which of the following should be checked first?

A.

If appropriate logging levels are set

B.

NTP configuration on each system

C.

Behavioral correlation settings

D.

Data normalization rules

Full Access
Question # 79

A vulnerability management team found four major vulnerabilities during an assessment and needs to provide a report for the proper prioritization for further mitigation. Which of the following vulnerabilities should have the highest priority for the mitigation process?

A.

A vulnerability that has related threats and loCs, targeting a different industry

B.

A vulnerability that is related to a specific adversary campaign, with loCs found in the SIEM

C.

A vulnerability that has no adversaries using it or associated loCs

D.

A vulnerability that is related to an isolated system, with no loCs

Full Access
Question # 80

A SOC manager is establishing a reporting process to manage vulnerabilities. Which of the following would be the best solution to identify potential loss incurred by an issue?

A.

Trends

B.

Risk score

C.

Mitigation

D.

Prioritization

Full Access
Question # 81

A Chief Information Security Officer (CISO) wants to disable a functionality on a business-critical web application that is vulnerable to RCE in order to maintain the minimum risk level with minimal increased cost.

Which of the following risk treatments best describes what the CISO is looking for?

A.

Transfer

B.

Mitigate

C.

Accept

D.

Avoid

Full Access
Question # 82

A security team needs to demonstrate how prepared the team is in the event of a cyberattack. Which of the following would best demonstrate a real-world incident without impacting operations?

A.

Review lessons-learned documentation and create a playbook.

B.

Gather all internal incident response party members and perform a simulation.

C.

Deploy known malware and document the remediation process.

D.

Schedule a system recovery to the DR site for a few applications.

Full Access
Question # 83

An employee is no longer able to log in to an account after updating a browser. The employee usually has several tabs open in the browser. Which of

the following attacks was most likely performed?

A.

RFI

B.

LFI

C.

CSRF

D.

XSS

Full Access
Question # 84

Which of following would best mitigate the effects of a new ransomware attack that was not properly stopped by the company antivirus?

A.

Install a firewall.

B.

Implement vulnerability management.

C.

Deploy sandboxing.

D.

Update the application blocklist.

Full Access
Question # 85

A regulated organization experienced a security breach that exposed a list of customer names with corresponding PH data. Which of the following is the best reason for developing the organization ' s communication plans?

A.

For the organization ' s public relations department to have a standard notification

B.

To ensure incidents are immediately reported to a regulatory agency

C.

To automate the notification to customers who were impacted by the breach

D.

To have approval from executive leadership on when communication should occur

Full Access
Question # 86

Which of the following stakeholders are most likely to receive a vulnerability scan report? (Select two).

A.

Executive management

B.

Law enforcement

C.

Marketing

D.

Legal

E.

Product owner

F.

Systems admininstration

Full Access
Question # 87

A security analyst discovers an ongoing ransomware attack while investigating a phishing email. The analyst downloads a copy of the file from the email and isolates the affected workstation from the network. Which of the following activities should the analyst perform next?

A.

Wipe the computer and reinstall software

B.

Shut down the email server and quarantine it from the network.

C.

Acquire a bit-level image of the affected workstation.

D.

Search for other mail users who have received the same file.

Full Access
Question # 88

A cybersecurity analyst is recommending a solution to ensure emails that contain links or attachments are tested before they reach a mail server. Which of the following will the analyst most likely recommend?

A.

Sandboxing

B.

MFA

C.

DKIM

D.

Vulnerability scan

Full Access
Question # 89

Which of the following techniques can help a SOC team to reduce the number of alerts related to the internal security activities that the analysts have to triage?

A.

Enrich the SIEM-ingested data to include all data required for triage.

B.

Schedule a task to disable alerting when vulnerability scans are executing.

C.

Filter all alarms in the SIEM with low severity.

D.

Add a SOAR rule to drop irrelevant and duplicated notifications.

Full Access
Question # 90

A security analyst performs a vulnerability scan on the corporate assets and finds the following vulnerabilities:

System | Vulnerability | CVSS Severity Score

System A | Buffer overflow | 9.5

System B | Remote code execution | 9.8

System C | DDoS | 8.2

System D | XSS | 8.6

The vulnerability manager reviews the analyst’s recommendations and asks the analyst to add more information in order to confirm prioritization. Which of the following best explains the reason the manager requests more information?

A.

Host criticality is unknown.

B.

SLA information is missing.

C.

Existing KPIs were not measured.

D.

Zero-day vulnerabilities were excluded.

Full Access
Question # 91

A vulnerability scan shows the following issues:

Asset Type

CVSS Score

Exploit Vector

Workstations

6.5

RDP vulnerability

Storage Server

9.0

Unauthorized access due to server application vulnerability

Firewall

8.9

Default password vulnerability

Web Server

10.0

Zero-day vulnerability (vendor working on patch)

Which of the following actions should the security analyst take first?

A.

Contact the web systems administrator and request that they shut down the asset.

B.

Monitor the patch releases for all items and escalate patching to the appropriate team.

C.

Run the vulnerability scan again to verify the presence of the critical finding.

D.

Forward the advisory to the web security team and initiate the prioritization strategy for the other vulnerabilities.

Full Access
Question # 92

A company receives a penetration test report summary from a third party. The report summary indicates a proxy has some patches that need to be applied. The proxy is sitting in a rack and is not being

used, as the company has replaced it with a new one. The CVE score of the vulnerability on the proxy is a 9.8. Which of the following best practices should the company follow with this proxy?

A.

Leave the proxy as is.

B.

Decomission the proxy.

C.

Migrate the proxy to the cloud.

D.

Patch the proxy

Full Access
Question # 93

A security analyst needs to develop a solution to protect a high-value asset from an exploit like a recent zero-day attack. Which of the following best describes this risk management strategy?

A.

Avoid

B.

Transfer

C.

Accept

D.

Mitigate

Full Access
Question # 94

Two employees in the finance department installed a freeware application that contained embedded malware. The network is robustly segmented based on areas of responsibility. These computers had critical sensitive information stored locally that needs to be recovered. The department manager advised all department employees to turn off their computers until the security team could be contacted about the issue. Which of the following is the first step the incident response staff members should take when they arrive?

A.

Turn on all systems, scan for infection, and back up data to a USB storage device.

B.

Identify and remove the software installed on the impacted systems in the department.

C.

Explain that malware cannot truly be removed and then reimage the devices.

D.

Log on to the impacted systems with an administrator account that has privileges to perform backups.

E.

Segment the entire department from the network and review each computer offline.

Full Access
Question # 95

A security analyst needs to mitigate a known, exploited vulnerability related not

tack vector that embeds software through the USB interface. Which of the following should the analyst do first?

A.

Conduct security awareness training on the risks of using unknown and unencrypted USBs.

B.

Write a removable media policy that explains that USBs cannot be connected to a company asset.

C.

Check configurations to determine whether USB ports are enabled on company assets.

D.

Review logs to see whether this exploitable vulnerability has already impacted the company.

Full Access
Question # 96

A SOC team lead occasionally collects some DNS information for investigations. The team lead assigns this task to a new junior analyst. Which of the following is the best way to relay the process information to the junior analyst?

A.

Ask another team member to demonstrate their process.

B.

Email a link to a website that shows someone demonstrating a similar process.

C.

Let the junior analyst research and develop a process.

D.

Write a step-by-step document on the team wiki outlining the process.

Full Access
Question # 97

A SIEM alert is triggered based on execution of a suspicious one-liner on two workstations in the organization ' s environment. An analyst views the details of these events below:

Question # 97

Which of the following statements best describes the intent of the attacker, based on this one-liner?

A.

Attacker is escalating privileges via JavaScript.

B.

Attacker is utilizing custom malware to download an additional script.

C.

Attacker is executing PowerShell script " AccessToken.psr.

D.

Attacker is attempting to install persistence mechanisms on the target machine.

Full Access
Question # 98

A company ' s security team is updating a section of the reporting policy that pertains to inappropriate use of resources (e.g., an employee who installs cryptominers on workstations in the office). Besides the security team, which

of the following groups should the issue be escalated to first in order to comply with industry best practices?

A.

Help desk

B.

Law enforcement

C.

Legal department

D.

Board member

Full Access
Question # 99

A company has decided to expose several systems to the internet, The systems are currently available internally only. A security analyst is using a subset of CVSS3.1 exploitability metrics to prioritize the vulnerabilities that would be the most exploitable when the systems are exposed to the internet. The systems and the vulnerabilities are shown below:

Which of the following systems should be prioritized for patching?

A.

brown

B.

grey

C.

blane

D.

sullivan

Full Access
Question # 100

A security analyst needs to secure digital evidence related to an incident. The security analyst must ensure that the accuracy of the data cannot be repudiated. Which of the following should be implemented?

A.

Offline storage

B.

Evidence collection

C.

Integrity validation

D.

Legal hold

Full Access
Question # 101

A security analyst has prepared a vulnerability scan that contains all of the company ' s functional subnets. During the initial scan, users reported that network printers began to print pages that contained unreadable text and icons.

Which of the following should the analyst do to ensure this behavior does not oocur during subsequent vulnerability scans?

A.

Perform non-credentialed scans.

B.

Ignore embedded web server ports.

C.

Create a tailored scan for the printer subnet.

D.

Increase the threshold length of the scan timeout.

Full Access
Question # 102

An analyst is becoming overwhelmed with the number of events that need to be investigated for a timeline. Which of the following should the analyst focus on in order to move the incident forward?

A.

Impact

B.

Vulnerability score

C.

Mean time to detect

D.

Isolation

Full Access
Question # 103

An MSSP received several alerts from customer 1, which caused a missed incident response deadline for customer 2. Which of the following best describes the document that was violated?

A.

KPI

B.

SLO

C.

SLA

D.

MOU

Full Access
Question # 104

Which of the following would help to minimize human engagement and aid in process improvement in security operations?

A.

OSSTMM

B.

SIEM

C.

SOAR

D.

QVVASP

Full Access
Question # 105

During security scanning, a security analyst regularly finds the same vulnerabilities in a critical application. Which of the following recommendations would best mitigate this problem if applied along the SDLC phase?

A.

Conduct regular red team exercises over the application in production

B.

Ensure that all implemented coding libraries are regularly checked

C.

Use application security scanning as part of the pipeline for the CI/CDflow

D.

Implement proper input validation for any data entry form

Full Access
Question # 106

A cybersecurity analyst is participating with the DLP project team to classify the organization ' s data. Which of the following is the primary purpose for classifying data?

A.

To identify regulatory compliance requirements

B.

To facilitate the creation of DLP rules

C.

To prioritize IT expenses

D.

To establish the value of data to the organization

Full Access
Question # 107

Which of the following describes how a CSIRT lead determines who should be communicated with and when during a security incident?

A.

The lead should review what is documented in the incident response policy or plan

B.

Management level members of the CSIRT should make that decision

C.

The lead has the authority to decide who to communicate with at any time

D.

Subject matter experts on the team should communicate with others within the specified area of expertise

Full Access
Question # 108

Which of the following is a nation-state actor least likely to be concerned with?

A.

Detection by MITRE ATT & CK framework.

B.

Detection or prevention of reconnaissance activities.

C.

Examination of its actions and objectives.

D.

Forensic analysis for legal action of the actions taken

Full Access
Question # 109

Which of the following is the best way to provide realistic training for SOC analysts?

A.

Phishing assessments

B.

OpenVAS

C.

Attack simulation

D.

SOAR

E.

Honeypot

Full Access
Question # 110

An analyst is reviewing system logs while threat hunting:

Question # 110

Which of the following hosts should be investigated first?

A.

PC1

B.

PC2

C.

PC3

D.

PC4

E.

PC5

Full Access
Question # 111

A security analyst is reviewing a recent vulnerability scan report for a new server infrastructure. The analyst would like to make the best use of time by resolving the most critical vulnerability first. The following information is provided:

Question # 111

Which of the following should the analyst concentrate remediation efforts on first?

A.

SVR01

B.

SVR02

C.

SVR03

D.

SVR04

Full Access
Question # 112

An analyst is designing a message system for a bank. The analyst wants to include a feature that allows the recipient of a message to prove to a third party that the message came from the sender Which of the following information security goals is the analyst most likely trying to achieve?

A.

Non-repudiation

B.

Authentication

C.

Authorization

D.

Integrity

Full Access
Question # 113

Which of the following best describes the process of requiring remediation of a known threat within a given time frame?

A.

SLA

B.

MOU

C.

Best-effort patching

D.

Organizational governance

Full Access
Question # 114

Which of the following should be updated after a lessons-learned review?

A.

Disaster recovery plan

B.

Business continuity plan

C.

Tabletop exercise

D.

Incident response plan

Full Access
Question # 115

A healthcare organization must develop an action plan based on the findings from a risk assessment. The action plan must consist of risk categorization and prioritization.

INSTRUCTIONS

-

Click on the audit report and risk matrix to review their contents.

Assign a categorization to each risk and determine the order in which the findings must be prioritized for remediation according to the risk rating score.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Question # 115

Question # 115

Question # 115

Full Access
Question # 116

A SOC analyst observes reconnaissance activity from an IP address. The activity follows a pattern of short bursts toward a low number of targets. An open-source review shows that the IP has a bad reputation. The perimeter firewall logs indicate the inbound traffic was allowed. The destination hosts are high-value assets with EDR agents installed. Which of the following is the best action for the SOC to take to protect against any further activity from the source IP?

A.

Add the IP address to the EDR deny list.

B.

Create a SIEM signature to trigger on any activity from the source IP subnet detected by the web proxy or firewalls for immediate notification.

C.

Implement a prevention policy for the IP on the WAF

D.

Activate the scan signatures for the IP on the NGFWs.

Full Access
Question # 117

A security analyst receives an alert for suspicious activity on a company laptop An excerpt of the log is shown below:

Question # 117

Which of the following has most likely occurred?

A.

An Office document with a malicious macro was opened.

B.

A credential-stealing website was visited.

C.

A phishing link in an email was clicked

D.

A web browser vulnerability was exploited.

Full Access
Question # 118

An auditor is reviewing an evidence log associated with a cybercrime. The auditor notices that a gap exists between individuals who were responsible for holding onto and transferring the evidence between individuals responsible for the investigation. Which of the following best describes the evidence handling process that was not properly followed?

A.

Validating data integrity

B.

Preservation

C.

Legal hold

D.

Chain of custody

Full Access
Question # 119

After an incident, a security analyst needs to perform a forensic analysis to report complete information to a company stakeholder. Which of the following is most likely the goal of the forensic analysis in this case?

A.

Provide a full picture of the existing risks.

B.

Notify law enforcement of the incident.

C.

Further contain the incident.

D.

Determine root cause information.

Full Access
Question # 120

A security team conducts a lessons-learned meeting after struggling to determine who should conduct the next steps following a security event. Which of the following should the team create to address this issue?

A.

Service-level agreement

B.

Change management plan

C.

Incident response plan

D.

Memorandum of understanding

Full Access
Question # 121

You are a cybersecurity analyst tasked with interpreting scan data from Company As servers You must verify the requirements are being met for all of the servers and recommend changes if you find they are not

The company ' s hardening guidelines indicate the following

• TLS 1 2 is the only version of TLS

running.

• Apache 2.4.18 or greater should be used.

• Only default ports should be used.

INSTRUCTIONS

using the supplied data. record the status of compliance With the company’s guidelines for each server.

The question contains two parts: make sure you complete Part 1 and Part 2. Make recommendations for Issues based ONLY on the hardening guidelines provided.

Part 1:

AppServ1:

Question # 121

AppServ2:

Question # 121

AppServ3:

Question # 121

AppServ4:

Question # 121

Question # 121

Part 2:

Question # 121

Question # 121

Full Access
Question # 122

An analyst is reviewing a vulnerability report and must make recommendations to the executive team. The analyst finds that most systems can be upgraded with a reboot resulting in a single downtime window. However, two of the critical systems cannot be upgraded due to a vendor appliance that the company does not have access to. Which of the following inhibitors to remediation do these systems and associated vulnerabilities best represent?

A.

Proprietary systems

B.

Legacy systems

C.

Unsupported operating systems

D.

Lack of maintenance windows

Full Access
Question # 123

A security analyst reviews the following Arachni scan results for a web application that stores PII data:

Question # 123

Which of the following should be remediated first?

A.

SQL injection

B.

RFI

C.

XSS

D.

Code injection

Full Access
Question # 124

A security analyst receives the below information about the company ' s systems. They need to prioritize which systems should be given the resources to improve security.

Host

OS

Key Software

AV

Server 1

Windows Server 2008 R2

Microsoft IIS

Kaspersky

Server 2

Ubuntu Server 22.04 LTS

Apache 2.4.29

None

Computer 1

Windows 11 Professional

N/A

Windows Defender

Computer 2

Windows 10 Professional

N/A

Windows Defender

Which of the following systems should the analyst remediate first?

A.

Computer 1

B.

Server 1

C.

Computer 2

D.

Server 2

Full Access
Question # 125

An analyst is imaging a hard drive that was obtained from the system of an employee who is suspected of going rogue. The analyst notes that the initial hash of the evidence drive does not match the resultant hash of the imaged copy. Which of the following best describes the reason for the conflicting investigative findings?

A.

Chain of custody was not maintained for the evidence drive.

B.

Legal authorization was not obtained prior to seizing the evidence drive.

C.

Data integrity of the imaged drive could not be verified.

D.

Evidence drive imaging was performed without a write blocker.

Full Access
Question # 126

A vulnerability scan shows the following vulnerabilities in the environment:

Question # 126

At the same time, the following security advisory was released:

" A zero-day vulnerability with a CVSS score of 10 may be affecting your web server. The vendor is working on a patch or workaround. "

Which of the following actions should the security analyst take first?

A.

Contact the web systems administrator and request that they shut down the asset.

B.

Monitor the patch releases for all items and escalate patching to the appropriate team.

C.

Run the vulnerability scan again to verify the presence of the critical finding and the zero-day vulnerability in the environment.

D.

Forward the advisory to the web security team and initiate the prioritization strategy for the other vulnerabilities.

Full Access
Question # 127

An analyst is evaluating a vulnerability management dashboard. The analyst sees that a previously remediated vulnerability has reappeared on a database server. Which of the following is the most likely cause?

A.

The finding is a false positive and should be ignored.

B.

A rollback had been executed on the instance.

C.

The vulnerability scanner was configured without credentials.

D.

The vulnerability management software needs to be updated.

Full Access
Question # 128

Which of the following best describes root cause analysis?

A.

It describes the tactics, techniques, and procedures used in an incident.

B.

It provides a detailed path outlining the origin of an issue and how to eliminate it permanently.

C.

It outlines the who-what-when-where-why, which is often used in conjunction with legal proceedings.

D.

It generates a report of ongoing activities, including what was done, what is being done, and what will be done next.

Full Access
Question # 129

An analyst has been asked to validate the potential risk of a new ransomware campaign that the Chief Financial Officer read about in the newspaper. The company is a manufacturer of a very small spring used in the newest fighter jet and is a critical piece of the supply chain for this aircraft. Which of the following would be the best threat intelligence source to learn about this new campaign?

A.

Information sharing organization

B.

Blogs/forums

C.

Cybersecuritv incident response team

D.

Deep/dark web

Full Access
Question # 130

Which of the following concepts is using an API to insert bulk access requests from a file into an identity management system an example of?

A.

Command and control

B.

Data enrichment

C.

Automation

D.

Single sign-on

Full Access
Question # 131

A company recently experienced a security incident. The security team has determined

a user clicked on a link embedded in a phishing email that was sent to the entire company. The link resulted in a malware download, which was subsequently installed and run.

INSTRUCTIONS

Part 1

Review the artifacts associated with the security incident. Identify the name of the malware, the malicious IP address, and the date and time when the malware executable entered the organization.

Part 2

Review the kill chain items and select an appropriate control for each that would improve the security posture of the organization and would have helped to prevent this incident from occurring. Each

control may only be used once, and not all controls will be used.

Question # 131

Firewall log:

Question # 131

Question # 131

File integrity Monitoring Report:

Question # 131

Question # 131

Malware domain list:

Question # 131

Vulnerability Scan Report:

Question # 131

Question # 131

Phishing Email:

Question # 131

Question # 131

Full Access
Question # 132

The Chief Information Security Officer wants the same level of security to be present whether a remote worker logs in at home or at a coffee shop. Which of the following should be recommended as a starting point?

A.

Non-persistent virtual desktop infrastructures

B.

Passwordless authentication

C.

Standard-issue laptops

D.

Serverless workloads

Full Access
Question # 133

Which of the following responsibilities does the legal team have during an incident management event? (Select two).

A.

Coordinate additional or temporary staffing for recovery efforts.

B.

Review and approve new contracts acquired as a result of an event.

C.

Advise the Incident response team on matters related to regulatory reporting.

D.

Ensure all system security devices and procedures are in place.

E.

Conduct computer and network damage assessments for insurance.

F.

Verify that all security personnel have the appropriate clearances.

Full Access
Question # 134

A security operations center analyst is reviewing a scan report and must prioritize items for remediation based on severity:

Question # 134

The Chief Information Security Officer requires the following:

• Encryption in transit

• Encryption at rest

• Encryption of customer data

Which of the following databases should the analyst remediate first?

A.

Databaset

B.

Database2

C.

Database3

D.

Database4

Full Access
Question # 135

Which of the following would a security analyst most likely use to compare TTPs between different known adversaries of an organization?

A.

MITRE ATTACK

B.

Cyber Kill Cham

C.

OWASP

D.

STIXTAXII

Full Access
Question # 136

There are several reports of sensitive information being disclosed via file sharing services. The company would like to improve its security posture against this threat. Which of the following security controls would best support the company in this scenario?

A.

Implement step-up authentication for administrators

B.

Improve employee training and awareness

C.

Increase password complexity standards

D.

Deploy mobile device management

Full Access
Question # 137

An analyst wants to ensure that users only leverage web-based software that has been pre-approved by the organization. Which of the following should be deployed?

A.

Blocklisting

B.

Allowlisting

C.

Graylisting

D.

Webhooks

Full Access
Question # 138

A company is concerned with finding sensitive file storage locations that are open to the public. The current internal cloud network is flat. Which of the following is the best solution to secure the network?

A.

Implement segmentation with ACLs.

B.

Configure logging and monitoring to the SIEM.

C.

Deploy MFA to cloud storage locations.

D.

Roll out an IDS.

Full Access
Question # 139

An incident response team is working with law enforcement to investigate an active web server compromise. The decision has been made to keep the server running and to implement compensating controls for a period of time. The web service must be accessible from the internet via the reverse proxy and must connect to a database server. Which of the following compensating controls will help contain the adversary while meeting the other requirements? (Select two).

A.

Drop the tables on the database server to prevent data exfiltration.

B.

Deploy EDR on the web server and the database server to reduce the adversaries capabilities.

C.

Stop the httpd service on the web server so that the adversary can not use web exploits

D.

use micro segmentation to restrict connectivity to/from the web and database servers.

E.

Comment out the HTTP account in the / etc/passwd file of the web server

F.

Move the database from the database server to the web server.

Full Access
Question # 140

A security analyst needs to ensure that systems across the organization are protected based on the sensitivity of the content each system hosts. The analyst is working with the respective system

owners to help determine the best methodology that seeks to promote confidentiality, availability, and integrity of the data being hosted. Which of the following should the security analyst perform first to

categorize and prioritize the respective systems?

A.

Interview the users who access these systems,

B.

Scan the systems to see which vulnerabilities currently exist.

C.

Configure alerts for vendor-specific zero-day exploits.

D.

Determine the asset value of each system.

Full Access
Question # 141

A list of loCs released by a government security organization contains the SHA-256 hash for a Microsoft-signed legitimate binary, svchost. exe. Which of the following best describes the result if security teams add this indicator to their detection signatures?

A.

This indicator would fire on the majority of Windows devices.

B.

Malicious files with a matching hash would be detected.

C.

Security teams would detect rogue svchost. exe processesintheirenvironment.

D.

Security teams would detect event entries detailing executionofknown-malicioussvchost. exe processes.

Full Access
Question # 142

A security analyst is responding to an indent that involves a malicious attack on a network. Data closet. Which of the following best explains how are analyst should properly document the incident?

A.

Back up the configuration file for alt network devices

B.

Record and validate each connection

C.

Create a full diagram of the network infrastructure

D.

Take photos of the impacted items

Full Access
Question # 143

The developers recently deployed new code to three web servers. A daffy automated external device scan report shows server vulnerabilities that are failure items according to PCI DSS.

If the venerability is not valid, the analyst must take the proper steps to get the scan clean.

If the venerability is valid, the analyst must remediate the finding.

After reviewing the information provided in the network diagram, select the STEP 2 tab to complete the simulation by selecting the correct Validation Result and Remediation Action for each server listed using the drop-down options.

INTRUCTIONS:

The simulation includes 2 steps.

Step1:Review the information provided in the network diagram and then move to the STEP 2 tab.

Question # 143

Question # 143

STEP 2: Given the Scenario, determine which remediation action is required to address the vulnerability.

Question # 143

Full Access
Question # 144

An incident response analyst is investigating the root cause of a recent malware outbreak. Initial binary analysis indicates that this malware disables host security services and performs cleanup routines on it infected hosts, including deletion of initial dropper and removal of event log entries and prefetch files from the host. Which of the following data sources would most likely reveal evidence of the root cause?

(Select two).

A.

Creation time of dropper

B.

Registry artifacts

C.

EDR data

D.

Prefetch files

E.

File system metadata

F.

Sysmon event log

Full Access
Question # 145

A DevOps analyst implements a webhook to trigger code vulnerability scanning for submissions to the repository. Which of the following is the primary benefit of this enhancement?

A.

To increase coverage by making the process occur automatically with uploads

B.

To create a single pane of glass dashboard for the vulnerability management process

C.

To include a threat feed component into the software development life cycle

D.

To employ data enrichment for new code commits to enhance project documentation

Full Access
Question # 146

A security analyst must preserve a system hard drive that was involved in a litigation request Which of the following is the best method to ensure the data on the device is not modified?

A.

Generate a hash value and make a backup image.

B.

Encrypt the device to ensure confidentiality of the data.

C.

Protect the device with a complex password.

D.

Perform a memory scan dump to collect residual data.

Full Access