How does an SSL certificate impact security between the client and the server?
A user received a targeted spear-phishing email and identified it as suspicious before opening the content. To which category of the Cyber Kill Chain model does to this type of event belong?
According to the September 2020 threat intelligence feeds a new malware called Egregor was introduced and used in many attacks. Distnbution of Egregor is pnmanly through a Cobalt Strike that has been installed on victim's workstations using RDP exploits Malware exfiltrates the victim's data to a command and control server. The data is used to force victims pay or lose it by publicly releasing it. Which type of attack is described?
What does cyber attribution identify in an investigation?
Refer to the exhibit.
Which type of log is displayed?
Refer to the exhibit.
An engineer is analyzing this Cuckoo Sandbox report for a PDF file that has been downloaded from an email. What is the state of this file?
An investigator is examining a copy of an ISO file that is stored in CDFS format. What type of evidence is this file?
Which two elements of the incident response process are stated in NIST Special Publication 800-61 r2? (Choose two.)
Which two components reduce the attack surface on an endpoint? (Choose two.)
An analyst is using the SIEM platform and must extract a custom property from a Cisco device and capture the phrase, "File: Clean." Which regex must the analyst import?
Which attack is the network vulnerable to when a stream cipher like RC4 is used twice with the same key?
What are two differences in how tampered and untampered disk images affect a security incident? (Choose two.)
A security specialist notices 100 HTTP GET and POST requests for multiple pages on the web servers. The agent in the requests contains PHP code that, if executed, creates and writes to a new PHP file on the webserver. Which event category is described?
An analyst received a ticket regarding a degraded processing capability for one of the HR department's servers. On the same day, an engineer noticed a disabled antivirus software and was not able to determine when or why it occurred. According to the NIST Incident Handling Guide, what is the next phase of this investigation?
What is a description of a social engineering attack?
A malicious file has been identified in a sandbox analysis tool.
Which piece of information is needed to search for additional downloads of this file by other hosts?
The security team has detected an ongoing spam campaign targeting the organization. The team's approach is to push back the cyber kill chain and mitigate ongoing incidents. At which phase of the cyber kill chain should the security team mitigate this type of attack?
Which tool provides a full packet capture from network traffic?
What are two denial of service attacks? (Choose two.)
According to the NIST SP 800-86. which two types of data are considered volatile? (Choose two.)
What is vulnerability management?
During which phase of the forensic process are tools and techniques used to extract information from the collected data?
Refer to the exhibit. An employee received an email from an unknown sender with an attachment and reported it as a phishing attempt. An engineer uploaded the file to Cuckoo for further analysis. What should an engineer interpret from the provided Cuckoo report?
An engineer needs to fetch logs from a proxy server and generate actual events according to the data received. Which technology should the engineer use to accomplish this task?
Which security monitoring data type requires the largest storage space?
An engineer must compare NIST vs ISO frameworks The engineer deeded to compare as readable documentation and also to watch a comparison videoreview. Using Windows 10 OS. the engineer started a browser and searched for a NIST document and then opened a new tab in the same browser and searched for an ISO document for comparison
The engineer tried to watch the video, but there 'was an audio problem with OS so the engineer had to troubleshoot it At first the engineer started CMD and looked fee a driver path then locked for a corresponding registry in the registry editor The engineer enabled "Audiosrv" in task manager and put it on auto start and the problem was solved Which two components of the OS did the engineer touch? (Choose two)
How does a certificate authority impact security?
Which filter allows an engineer to filter traffic in Wireshark to further analyze the PCAP file by only showing the traffic for LAN 10.11.x.x, between workstations and servers without the Internet?
An engineer received a flood of phishing emails from HR with the source address HRjacobm@companycom. What is the threat actor in this scenario?
Which process represents the application-level allow list?
A security incident occurred with the potential of impacting business services. Who performs the attack?
What is an advantage of symmetric over asymmetric encryption?
An engineer needs to discover alive hosts within the 192.168.1.0/24 range without triggering intrusive portscan alerts on the IDS device using Nmap. Which command will accomplish this goal?
Refer to the exhibit.
An attacker gained initial access to the company s network and ran an Nmap scan to advance with the lateral movement technique and to search the sensitive data Which two elements can an attacker identify from the scan? (Choose two.)
What is the communication channel established from a compromised machine back to the attacker?
Drag and drop the event term from the left onto the description on the right.
Which option describes indicators of attack?
Which NIST IR category stakeholder is responsible for coordinating incident response among various business units, minimizing damage, and reporting to regulatory agencies?
How does TOR alter data content during transit?
What is the difference between mandatory access control (MAC) and discretionary access control (DAC)?
What is personally identifiable information that must be safeguarded from unauthorized access?
Refer to the exhibit.
A workstation downloads a malicious docx file from the Internet and a copy is sent to FTDv. The FTDv sends the file hash to FMC and the tile event is recorded What would have occurred with stronger data visibility?
What is a difference between a threat and a risk?
Drag and drop the definition from the left onto the phase on the right to classify intrusion events according to the Cyber Kill Chain model.
Refer to the exhibit.
What does the output indicate about the server with the IP address 172.18.104.139?
Which evasion technique is indicated when an intrusion detection system begins receiving an abnormally high volume of scanning from numerous sources?
An engineer is investigating a case of the unauthorized usage of the “Tcpdump” tool. The analysis revealed that a malicious insider attempted to sniff traffic on a specific interface. What type of information did the malicious insider attempt to obtain?
Refer to the exhibit.
What is occurring?
Refer to the exhibit.
Which field contains DNS header information if the payload is a query or a response?
What is the difference between inline traffic interrogation and traffic mirroring?
A user received a malicious attachment but did not run it. Which category classifies the intrusion?
Refer to the exhibit.
Which alert is identified from this packet capture?
Which regex matches only on all lowercase letters?
What describes a buffer overflow attack?
Refer to the exhibit.
Drag and drop the element name from the left onto the correct piece of the PCAP file on the right.
When communicating via TLS, the client initiates the handshake to the server and the server responds back with its certificate for identification.
Which information is available on the server certificate?
Which two elements are used for profiling a network? (Choose two.)
How is NetFlow different from traffic mirroring?
What is a difference between inline traffic interrogation and traffic mirroring?
What is a difference between signature-based and behavior-based detection?
What are the two characteristics of the full packet captures? (Choose two.)
Refer to the exhibit.
What must be interpreted from this packet capture?
Which signature impacts network traffic by causing legitimate traffic to be blocked?
What is the impact of false positive alerts on business compared to true positive?
Refer to the exhibit.
Which event is occurring?
A cyberattacker notices a security flaw in a software that a company is using They decide to tailor a specific worm to exploit this flaw and extract saved passwords from the software To which category of the Cyber Kill Cham model does this event belong?
Drag and drop the definition from the left onto the phase on the right to classify intrusion events according to the Cyber Kill Chain model.
An analyst is investigating a host in the network that appears to be communicating to a command and control server on the Internet. After collecting this packet capture, the analyst cannot determine the technique and payload used for the communication.
Which obfuscation technique is the attacker using?
While viewing packet capture data, an analyst sees that one IP is sending and receiving traffic for multiple devices by modifying the IP header.
Which technology makes this behavior possible?
What describes the concept of data consistently and readily being accessible for legitimate users?
What is the difference between the ACK flag and the RST flag?
What are two differences between tampered disk images and untampered disk images'? (Choose two.)
An engineer must configure network systems to detect command-and-control communications by decrypting ingress and egress perimeter traffic and allowing network security devices to detect malicious outbound communications. Which technology must be used to accomplish this task?
What is a difference between SI EM and SOAR security systems?
A network engineer discovers that a foreign government hacked one of the defense contractors in their home country and stole intellectual property. What is the threat agent in this situation?
Refer to the exhibit.
What is shown in this PCAP file?
An employee reports that someone has logged into their system and made unapproved changes, files are out of order, and several documents have been placed in the recycle bin.The security specialist reviewed the system logs, found nothing suspicious, and was not able to determine what occurred. The software is up to date; there are no alerts from antivirus and no failed login attempts. What is causing the lack of data visibility needed to detect the attack?
What makes HTTPS traffic difficult to monitor?
Which action matches the weaponization step of the Cyber Kill Chain model?
What is the difference between inline traffic interrogation (TAPS) and traffic mirroring (SPAN)?
Refer to the exhibit.
Which technology produced the log?
Which classification of cross-site scripting attack executes the payload without storing it for repeated use?
What is the difference between discretionary access control (DAC) and role-based access control (RBAC)?
Why is encryption challenging to security monitoring?
Which security principle requires more than one person is required to perform a critical task?
A security engineer has a video of a suspect entering a data center that was captured on the same day that files in the same data center were transferred to a competitor.
Which type of evidence is this?
Syslog collecting software is installed on the server For the log containment, a disk with FAT type partition is used An engineer determined that log files are being corrupted when the 4 GB tile size is exceeded. Which action resolves the issue?
Endpoint logs indicate that a machine has obtained an unusual gateway address and unusual DNS servers via DHCP Which type of attack is occurring?
Which metric in CVSS indicates an attack that takes a destination bank account number and replaces it with a different bank account number?
How does agentless monitoring differ from agent-based monitoring?
Which are two denial-of-service attacks? (Choose two.)
How is attacking a vulnerability categorized?
What is threat hunting?