A security incident occurred with the potential of impacting business services. Who performs the attack?
Which are two denial-of-service attacks? (Choose two.)
An offline audit log contains the source IP address of a session suspected to have exploited a vulnerability resulting in system compromise.
Which kind of evidence is this IP address?
What is a difference between tampered and untampered disk images?
What is the practice of giving an employee access to only the resources needed to accomplish their job?
Refer to the exhibit.
What is the expected result when the "Allow subdissector to reassemble TCP streams" feature is enabled?
An engineer receives a security alert that traffic with a known TOR exit node has occurred on the network. What is the impact of this traffic?
Refer to the exhibit.
Which technology produced the log?
According to CVSS, what is a description of the attack vector score?
An engineer must compare NIST vs ISO frameworks The engineer deeded to compare as readable documentation and also to watch a comparison video review. Using Windows 10 OS. the engineer started a browser and searched for a NIST document and then opened a new tab in the same browser and searched for an ISO document for comparison
The engineer tried to watch the video, but there 'was an audio problem with OS so the engineer had to troubleshoot it At first the engineer started CMD and looked fee a driver path then locked for a corresponding registry in the registry editor The engineer enabled "Audiosrv" in task manager and put it on auto start and the problem was solved Which two components of the OS did the engineer touch? (Choose two)
While viewing packet capture data, an analyst sees that one IP is sending and receiving traffic for multiple devices by modifying the IP header.
Which technology makes this behavior possible?
What is a difference between SI EM and SOAR security systems?
What is a difference between inline traffic interrogation and traffic mirroring?
Refer to the exhibit.
Which type of attack is being executed?
How does TOR alter data content during transit?
An analyst is exploring the functionality of different operating systems.
What is a feature of Windows Management Instrumentation that must be considered when deciding on an operating system?
Endpoint logs indicate that a machine has obtained an unusual gateway address and unusual DNS servers via DHCP Which type of attack is occurring?
Drag and drop the definition from the left onto the phase on the right to classify intrusion events according to the Cyber Kill Chain model.
A user received an email attachment named "Hr405-report2609-empl094.exe" but did not run it. Which category of the cyber kill chain should be assigned to this type of event?
How does statistical detection differ from rule-based detection?
Which type of evidence supports a theory or an assumption that results from initial evidence?
What does cyber attribution identify in an investigation?
Refer to the exhibit.
Which technology generates this log?
Which filter allows an engineer to filter traffic in Wireshark to further analyze the PCAP file by only showing the traffic for LAN 10.11.x.x, between workstations and servers without the Internet?
Refer to the exhibit.
Which frame numbers contain a file that is extractable via TCP stream within Wireshark?
An engineer needs to configure network systems to detect command and control communications by decrypting ingress and egress perimeter traffic and allowing network security devices to detect malicious outbound communications. Which technology should be used to accomplish the task?
What are two differences between tampered disk images and untampered disk images'? (Choose two.)
During which phase of the forensic process are tools and techniques used to extract information from the collected data?
What is the difference between vulnerability and risk?
What is the dataflow set in the NetFlow flow-record format?
What is a difference between data obtained from Tap and SPAN ports?
Which piece of information is needed for attribution in an investigation?
Which technology prevents end-device to end-device IP traceability?
What describes the impact of false-positive alerts compared to false-negative alerts?
An analyst discovers that a legitimate security alert has been dismissed. Which signature caused this impact on network traffic?
Which action should be taken if the system is overwhelmed with alerts when false positives and false negatives are compared?
An engineer is addressing a connectivity issue between two servers where the remote server is unable to establish a successful session. Initial checks show that the remote server is not receiving an SYN-ACK while establishing a session by sending the first SYN. What is causing this issue?
What should an engineer use to aid the trusted exchange of public keys between user tom0411976943 and dan1968754032?
What is a difference between tampered and untampered disk images?
Refer to the exhibit.
What does the message indicate?
Which technique is a low-bandwidth attack?
Which regular expression matches "color" and "colour"?
Refer to the exhibit.
A security analyst is investigating unusual activity from an unknown IP address Which type of evidence is this file1?
What is threat hunting?
What is the difference between the ACK flag and the RST flag in the NetFlow log session?
Drag and drop the access control models from the left onto the correct descriptions on the right.
Which signature impacts network traffic by causing legitimate traffic to be blocked?
Which two elements are assets in the role of attribution in an investigation? (Choose two.)
Refer to the exhibit.
What does this output indicate?
A SOC analyst detected connections to known C&C and port scanning activity to main HR database servers from one of the HR endpoints via Cisco StealthWatch. What are the two next steps of the SOC team according to the NISTSP800-61 incident handling process? (Choose two)
Refer to the exhibit.
Which application-level protocol is being targeted?
Which regular expression is needed to capture the IP address 192.168.20.232?
When an event is investigated, which type of data provides the investigate capability to determine if data exfiltration has occurred?
An engineer must configure network systems to detect command-and-control communications by decrypting ingress and egress perimeter traffic and allowing network security devices to detect malicious outbound communications. Which technology must be used to accomplish this task?
The security team has detected an ongoing spam campaign targeting the organization. The team's approach is to push back the cyber kill chain and mitigate ongoing incidents. At which phase of the cyber kill chain should the security team mitigate this type of attack?
Drag and drop the security concept on the left onto the example of that concept on the right.
When communicating via TLS, the client initiates the handshake to the server and the server responds back with its certificate for identification.
Which information is available on the server certificate?
Which principle is being followed when an analyst gathers information relevant to a security incident to determine the appropriate course of action?
According to the September 2020 threat intelligence feeds a new malware called Egregor was introduced and used in many attacks. Distnbution of Egregor is pnmanly through a Cobalt Strike that has been installed on victim's workstations using RDP exploits Malware exfiltrates the victim's data to a command and control server. The data is used to force victims pay or lose it by publicly releasing it. Which type of attack is described?
Refer to the exhibit.
What is occurring in this network?
A security engineer notices confidential data being exfiltrated to a domain "Ranso4134-mware31-895" address that is attributed to a known advanced persistent threat group The engineer discovers that the activity is part of a real attack and not a network misconfiguration. Which category does this event fall under as defined in the Cyber Kill Chain?
Refer to the exhibit.
What should be interpreted from this packet capture?
An engineer is investigating a case of the unauthorized usage of the “Tcpdump” tool. The analysis revealed that a malicious insider attempted to sniff traffic on a specific interface. What type of information did the malicious insider attempt to obtain?
What is a difference between an inline and a tap mode traffic monitoring?
Which metric in CVSS indicates an attack that takes a destination bank account number and replaces it with a different bank account number?
What is the difference between indicator of attack (loA) and indicators of compromise (loC)?
Which type of attack is a blank email with the subject "price deduction" that contains a malicious attachment?
The SOC team has confirmed a potential indicator of compromise on an endpoint. The team has narrowed the executable file's type to a new trojan family. According to the NIST Computer Security Incident Handling Guide, what is the next step in handling this event?
Which action prevents buffer overflow attacks?
An analyst is investigating an incident in a SOC environment. Which method is used to identify a session from a group of logs?
What is the difference between the rule-based detection when compared to behavioral detection?
Refer to the exhibit.
Which field contains DNS header information if the payload is a query or a response?
What describes the defense-m-depth principle?
What is the communication channel established from a compromised machine back to the attacker?
A company encountered a breach on its web servers using IIS 7 5 Dunng the investigation, an engineer discovered that an attacker read and altered the data on a secure communication using TLS 1 2 and intercepted sensitive information by downgrading a connection to export-grade cryptography. The engineer must mitigate similar incidents in the future and ensure that clients and servers always negotiate with the most secure protocol versions and cryptographic parameters. Which action does the engineer recommend?
A user received a malicious attachment but did not run it. Which category classifies the intrusion?
Refer to the exhibit.
During the analysis of a suspicious scanning activity incident, an analyst discovered multiple local TCP connection events Which technology provided these logs?
Which NIST IR category stakeholder is responsible for coordinating incident response among various business units, minimizing damage, and reporting to regulatory agencies?
What is rule-based detection when compared to statistical detection?
Refer to the exhibit.
Which component is identifiable in this exhibit?
What does an attacker use to determine which network ports are listening on a potential target device?
What is a scareware attack?
Refer to the exhibit.
Which event is occurring?
Which data type is necessary to get information about source/destination ports?
What should a security analyst consider when comparing inline traffic interrogation with traffic tapping to determine which approach to use in the network?
Which action matches the weaponization step of the Cyber Kill Chain model?
Which tool gives the ability to see session data in real time?
An analyst is investigating a host in the network that appears to be communicating to a command and control server on the Internet. After collecting this packet capture, the analyst cannot determine the technique and payload used for the communication.
Which obfuscation technique is the attacker using?
A company receptionist received a threatening call referencing stealing assets and did not take any action assuming it was a social engineering attempt. Within 48 hours, multiple assets were breached, affecting the confidentiality of sensitive information. What is the threat actor in this incident?
Which metric is used to capture the level of access needed to launch a successful attack?
What is the difference between deep packet inspection and stateful inspection?
An engineer received an alert affecting the degraded performance of a critical server. Analysis showed a heavy CPU and memory load. What is the next step the engineer should take to investigate this resource usage?
Refer to the exhibit.
A company employee is connecting to mail google.com from an endpoint device. The website is loaded but with an error. What is occurring?