CNL_CH_13

95問 • 2年前

問題一覧

The Chief Information Security Officer (CISO) requested a report on potential areas of improvement following a security incident. Which of the following incident response processes is the CISO requesting?

Lessons learned

A security incident has been resolved. Which of the following BEST describes the importance of the final phase of the incident response plan?

It examines and documents how well the team responded discovers what caused the incident, and determines how the incident can be avoided in the future

Which of the following actions would be recommended to improve an incident response process?

Train the team to identify the difference between events and incidents

During a trial, a judge determined evidence gathered from a hard drive was not admissible. Which of the following BEST explains this reasoning?

The forensic investigator forgot to run a checksum on the disk image after creation

A security analyst is working on a project to implement a solution that monitors network communications and provides alerts when abnormal behavior is detected. Which of the following is the security analyst MOST likely implementing?

User Behavior Analysis

Which of the following would be the BEST way to analyze diskless malware that has infected a VDI?

Take a memory snapshot of the running system.

During an incident response, an analyst applied rules to all inbound traffic on the border firewall and implemented ACLs on each critical server. Following an investigation, the company realizes it is still vulnerable because outbound traffic is not restricted and the adversary is able to maintain a presence in the network. In which of the following stages of the Cyber Kill Chain is the adversary currently operating?

Command and control

Which of the following is the MOST effective way to detect security flaws present on third-party libraries embedded on software before it is released into production?

Implement a vulnerability scan to assess dependencies earlier on SDLC.

A small business just recovered from a ransomware attack against its file servers by purchasing the decryption keys from the attackers. The issue was triggered by a phishing email and the IT administrator wants to ensure it does not happen again. Which of the following should the IT administrator do FIRST after recovery?

Scan the NAS for residual or dormant malware and take new daily backups that are tested on a frequent basis.

A systems analyst is responsible for generating a new digital forensics chain-of-custody form. Which of the following should the analyst include in this documentation? (Select TWO).

The provenance of the artifacts, The date time

In the middle of a cybersecurity, a security engineer removes the infected devices from the network and lock down all compromised accounts. In which of the following incident response phases is the security engineer currently operating?

Containment

A company recently moved sensitive videos between on-premises. Company-owned websites. The company then learned the videos had been uploaded and shared to the internet. Which of the following would MOST likely allow the company to find the cause?

A log analysis

Joe, a user at a company, clicked an email link led to a website that infected his workstation. Joe, was connected to the network, and the virus spread to the network shares. The protective measures failed to stop this virus, and It has continues to evade detection. Which of the following should administrator implement to protect the environment from this malware?

Implement a heuristic behavior-detection solution.

An organization is planning to open other data centers to sustain operations in the event of a natural disaster. Which of the following considerations would BEST support the organization's resiliency?

Geographic dispersal ***

During an incident response process involving a laptop, a host was identified as the entry point for malware. The management team would like to have the laptop restored and given back to the user. The cybersecurity analyst would like to continue investigating the intrusion on the host. Which of the following would allow the analyst to continue the investigation and also return the laptop to the user as soon as possible?

A security analyst is preparing a threat for an upcoming internal penetration test. The analyst needs to identify a method for determining the tactics, techniques, and procedures of a threat against the organization’s network. Which of the following will the analyst MOST likely use to accomplish the objective?

MITREATT&CK

A host was infected with malware. During the incident response, Joe, a user, reported that he did not receive any emails with links, but he had been browsing the Internet all day. Which of the following would MOST likely show where the malware originated?

The DNS logs

An incident, which is affecting dozens of systems, involves malware that reaches out to an Internet service for rules and updates. The IP addresses for the Internet host appear to be different in each case. The organization would like to determine a common IoC to support response and recovery actions. Which of the following sources of information would BEST support this solution?

DNS query logs

A security researcher is tracking an adversary by noting its attack and techniques based on its capabilities, infrastructure, and victims. Which of the following is the researcher MOST likely using?

The Diamond Model of intrusion Analysis

An enterprise has hired an outside security firm to facilitate penetration testing on its network and applications. The firm has agreed to pay for each vulnerability that is discovered. Which of the following BEST represents the type of testing that is being used?

Bug bounty

An organization's Chief Security Officer (CSO) wants to validate the business's involvement in the incident response plan to ensure its validity and thoroughness. Which of the following will the CSO MOST likely use?

A tabletop exercise

A cybersecurity manager has scheduled biannual meetings with the IT team and department leaders to discuss how they would respond to hypothetical cyberattacks. During these meetings, the manager presents a scenario and injects additional information throughout the session to replicate what might occur in a dynamic cybersecurity event involving the company, its facilities, its data, and its staff. Which of the following describes what the manager is doing?

Conducting a tabletop exercise

A security operations analyst is using the company's SIEM solution to correlate alerts. Which of the following stages of the incident response process is this an example of?

Identification

A security analyst is running a vulnerability scan to check for missing patches during a suspected security incident. Which of the following phases of the response process is this activity MOST likely occurring?

Identification

A financial analyst has been accused of violating the company’s AUP and there is forensic evidence to substantiate the allegation. Which of the following would dispute the analyst’s claim of innocence?

Non-repudiation

A security analyst needs to produce a document that details how a security incident occurred, the steps that were taken for recovery, and how future incidents can be avoided. During which of the following stages of the response process will this activity take place?

Lessons learned

Moving laterally within a network once an initial exploit is used to gain persistent access, for the purpose of establishing further control of a system is known as:

Pivoting

A commercial cyber-threat intelligence organization observes IoCs across a variety of unrelated customers. Prior to releasing specific threat intelligence to other paid subscribers, the organization is MOST likely obligated by contracts to:

Anonymize any PII that is observed within the IoC data.

An organization is concerned about video emissions from users’ desktops. Which of the following is the BEST solution to implement?

Screen filters

A forensics examiner is attempting to dump password cached in the physical memory of a live system but keeps receiving an error message. Which of the following BEST describes the cause of the error?

The examiner does not have administrative privileges to the system

A security researcher has alerted an organization that its sensitive user data was found for sale on a website. Which of the following should the organization use to inform the affected parties?

A communications plan

Which of the following terms should be included in a contract to help a company monitor the ongoing security maturity of a new vendor?

A right-to-audit clause allowing for annual security audits

A security administrator currently spends a large amount of time on common security tasks, such a report generation, phishing investigations, and user provisioning and deprovisioning. This prevents the administrator from spending time on other security projects. The business does not have the budget to add more staff members. Which of the following should the administrator implement?

SOAR

Question #34: Which of the following is the correct order of volatility from MOST to LEAST volatile?

Cache, memory, temporary filesystems, disk, archival media

A security administrator suspects an employee has been emailing proprietary information to a competitor. Company policy requires the administrator to capture an exact copy of the employee’s hard disk. Which of the following should the administrator use?

dd (disk duplication)

On which of the following is the live acquisition of data for forensic analysis MOST dependent? (Choose two)

Data accessibility, Value and volatility of data

An employee has been charged with fraud and is suspected of using corporate assets. As authorities collect evidence, and to preserve the admissibility of the evidence, which of the following forensic techniques should be used?

Chain of custody

The SOC is reviewing processes and procedures after a recent incident. The review indicates it took more than 30 minutes to determine that quarantining an infected host was the best course of action. This allowed the malware to spread to additional hosts before it was contained. Which of the following would be BEST to improve the incident response process?

Updating the playbooks with better decision points

An analyst needs to identify the applications a user was running and the files that were open before the user’s computer was shut off by holding down the power button. Which of the following would MOST likely contain that information?

Pagefile

An organization hired a consultant to assist with an active attack, and the consultant was able to identify the compromised accounts and computers. Which of the following is the consultant MOST likely to recommend to prepare for eradication?

Isolating the compromised accounts and computers, cutting off all network and internet access.

An incident response technician collected a mobile device during an investigation. Which of the following should the technician do to maintain the chain of custody?

Document the collection and require a sign-off when possession changes.

Which of the following incident response steps involves actions to protect critical systems while maintaining business operations?

Containment

Which of the following in a forensic investigation should be priorities based on the order of volatility? (Select TWO).

RAM, Cache

As part of the lessons-learned phase, the SOC is tasked with building methods to detect if a previous incident is happening again. Which of the following would allow the security analyst to alert the SOC if an event is reoccurring?

Creating a playbook within the SOAR

A malicious actor recently penetrated a company’s network and moved laterally to the datacenter. Upon investigation, a forensics firm wants to know what was in the memory on the compromised server. Which of the following files should be given to the forensics firm?

Dump

Which of the following BEST helps to demonstrate integrity during a forensic investigation?

Hashing

A security manager needs to assess the security posture of one of the organization's vendors. The contract with the vendor does not allow for auditing of the vendor's security controls. Which of the following should the manager request to complete the assessment?

A SOC 2 Type 2 report

Law enforcement officials sent a company a notification that states electronically stored information and paper documents cannot be destroyed. Which of the following explains this process?

Legal hold

An organization wants to integrate its incident response processes into a workflow with automated decision points and actions based on predefined playbooks. Which of the following should the organization implement?

SOAR

Lessons learned

An analyst just discovered an ongoing attack on a host that is on the network. The analyst observes the below taking place: • The computer performance is slow • Ads are appearing from various pop-up windows • Operating system files are modified • The computer is receiving AV alerts for execution of malicious processes Which of the following steps should the analyst consider FIRST?

Put the machine in containment

A help desk technician receives an email from the Chief Information Officer (CIO) asking for documents. The technician knows the CIO is on vacation for a few weeks. Which of the following should the technician do to validate the authenticity of the email?

Check the metadata in the email header of the received path in reverse order to follow the email's path.

Which of the following incident response steps occurs before containment?

Identification

Which of the following is the BEST action to foster a consistent and auditable incident response process?

Publish the document in a central repository that is easily accessible to the organization.

Stakeholders at an organization must be kept aware of any incidents and receive updates on status changes as they occur. Which of the following plans would fulfill this requirement?

Communication plan

Which of the following should an organization consider implementing In the event executives need to speak to the media after a publicized data breach?

Communication plan

Security analysts have noticed the network becomes flooded with malicious packets at specific times of the day. Which of the following should the analysts use to investigate this issue?

Bandwidth monitors

Which of the following is the correct order of evidence from most to least volatile in forensic analysis?

CPU cache, memory, temporary filesystems, disk

A security analyst is currently addressing an active cyber incident. The analyst has been able to identify affected devices that are running a malicious application with a unique hash. Which of the following is the next step according to the incident response process?

Containment

The help desk has received calls from users in multiple locations who are unable to access core network services The network team has identified and turned off the network switches using remote commands. Which of the following actions should the network team take NEXT?

Initiate the organization's incident response plan

A company uses specially configured workstations for any work that requires administrator privileges to its Tier 0 and Tier 1 systems. The company follows a strict process to harden systems immediately upon delivery. Even with these strict security measures in place, an incident occurred from one of the workstations. The root cause appears to be that the SoC (system on chip) was tampered with or replaced. Which of the following MOST likely occurred?

A supply-chain attack

A company is under investigation for possible fraud. As part of the investigation. The authorities need to review all emails and ensure data is not deleted. Which of the following should the company implement to assist in the investigation?

Legal hold

Which of the following describes software on network hardware that needs to be updated on a routine basis to help address possible vulnerabilities?

Firmware

A security administrator is using UDP port 514 to send a syslog through an unsecure network to the SIEM server. Which of the following is the best way for the administrator to improve the process?

Add SSL/TLS encryption and use a TCP 6514 port to send logs.

An analyst is working on an investigation with multiple alerts for multiple hosts. The hosts are showing signs of being compromised by a fast-spreading worm. Which of the following should be the next step in order to stop the spread?

Place all known-infected hosts on an isolated network

An email security vendor recently added a retroactive alert after discovering a phishing email had already been delivered to an inbox. Which of the following would be the best way for the security administrator to address this type of alert in the future?

Utilize a SOAR playbook to remove the phishing message.

A security engineer learns that a non-critical application was compromised. The most recent version of the application includes a malicious reverse proxy while the application is running. Which of the following should the engineer be to quickly contain the incident with the least amount of impact?

Manually uninstall the update that contains the backdoor.

An organization recently released a zero-trust policy that will enforce who is able to remotely access certain data. Authenticated users who access the data must have a need to know, depending on their level of permissions. Which of the following is the first step the organization should take when implementing the policy?

Classify all data on the file servers.

Which of the following incident response phases should the proper collection of the detected IoCs and establishment of a chain of custody be performed before?

Containment

A company is launching a website in a different country in order to capture user information that a marketing business can use. The company itself will not be using the information. Which of the following roles is the company assuming?

Data collector

A small, local company experienced a ransomware attack. The company has one web-facing server and a few workstations. Everything is behind an ISP firewall. A single web-facing server is set up on the router to forward all ports so that the server is viewable from the internet. The company uses an older version of third-party software to manage the website. The assets were never patched. Which of the following should be done to prevent an attack like this from happening again? (Select three).

Use the latest version of software., Implement a screened subnet for the web server., Install an endpoint security solution.

Which of the following processes would most likely help an organization that has conducted an incident response exercise to improve performance and identify challenges?

Lessons learned

A security analyst receives an alert that indicates a user's device is displaying anomalous behavior. The analyst suspects the device might be compromised. Which of the following should the analyst do first?

Isolate the device

A systems engineer thinks a business system has been compromised and is being used to exfiltrated data to a competitor. The engineer contacts the CSIRT The CSIRT tells the engineer to immediately disconnect the network cable and to not do anything else. Which of the following is the most likely reason for this request?

Memory contents including fileless malware are lost when the power is turned off

An employee's laptop was stolen last month. This morning, the laptop was returned. A cybersecurity analyst retrieved laptop and has since executed a cybersecurity incident checklist. Four incident handlers are responsible for executing the checklist. Which of the following best describes the process for evidence collection assurance?

Chain of custody

A security researcher is using an adversary's infrastructure and TTPs and creating a named group to track those targeted. Which of the following is the researcher MOST likely using?

MITREATT&CK

A security analyst has identified malware spreading through the corporate network and has activated the CSIRT. Which of the following should the analyst do NEXT?

Attempt to quarantine all infected hosts to limit further spread.

A security analyst has been reading about a newly discovered cyber attack from a known threat actor. Which of the following would BEST support the analyst's review of the tactics, techniques, and protocols the threat actor was observed using in previous campaigns?

The MITRE ATT&CK framework

A security analyst is taking part in an evaluation process that analyzes and categorizes threat actors of real-world events in order to improve the incident response team's process. Which of the following is the analyst MOST likely participating in?

MITRE ATT&CK

An analyst is working on an email incident in which the target opened an attachment containing a worm. The analyst wants to implement mitigation techniques to prevent further spread. Which of the following is the BEST course of action for the analyst to take?

Isolate the infected attachment

A recent phishing campaign resulted in several compromised user accounts. The security incident response team has been tasked with reducing the manual labor of filtering through all the phishing emails as they arrive and blocking the sender's email address, along with other time-consuming mitigation actions. Which of the following can be configured to streamline those tasks?

SOAR playbook

A help desk technician receives a phone call from someone claiming to be a part of the organization's cybersecurity incident response team. The caller asks the technician to verify the network's internal firewall IP address. Which of the following is the technician's BEST course of action?

Write down the phone number of the caller, if possible, the name of the person requesting the information, hang up and notify the organization's cybersecurity officer.

An organization is tuning SIEM rules based off of threat intelligence reports. Which of the following phases of the incident response process does this scenario represent?

Preparation

A client sent several inquiries to a project manager about the delinquent delivery status of some critical reports. The project manager claimed the reports were previously sent via email but then quickly generated and backdated the reports before submitting them via a new email message. Which of the following actions MOST likely supports an investigation for fraudulent submission?

Inspect the file metadata

A digital forensics team at a large company is investigating a case in which malicious code was downloaded over an HTTPS connection and was running in memory, but was never committed to disk. Which of the following techniques should the team use to obtain a sample of the malware binary?

Image volatile memory

A security analyst is responding to an alert from the SIEM. The alert states that malware was discovered on a host and was not automatically deleted. Which of the following would be BEST for the analyst to perform?

.Quarantine the host from other parts of the network

Which of the following is used to ensure that evidence is admissible in legal proceedings when it is collected and provided to the authorities?

Chain of custody

Which of the following procedures would be performed after the root cause of a security incident has been identified to help avoid future incidents from occurring? A. Walk-throughs

Lessons learned

Which of the following is a security best practice that ensures the integrity of aggregated log files within a SIEM?

Set up hashing on the source log file servers that complies with local regulatory requirements.

A security administrator needs to block a TCP connection using the corporate firewall, Because this connection is potentially a threat. the administrator does not want to send back an RST Which of the following actions in rule would work best?

Drop

A security incident may have occurred on the desktop PC of an organization's Chief Executive Officer (CEO) A duplicate copy of the CEO's hard drive must be stored securely to ensure appropriate forensic processes and the chain of custody are followed. Which of the following should be performed to accomplish this task?

Connect a write blocker to the hard drive Then leveraging a forensic workstation, utilize the dd command on a live Linux environment to create a duplicate copy

A security analyst has identified malware spreading through the corporate network and has activated the CSIRT Which of the following should the analyst do NEXT?

Attempt to quarantine all infected hosts to limit further spread

Which of the following in the incident response process is the BEST approach to improve the speed of the identification phase?

Tune monitoring in order to reduce false positive rates.

A new vulnerability enables a type of malware that allows the unauthorized movement of data from a system. Which of the following would detect this behavior?

Monitoring outbound traffic

Which of the following is a reason why a forensic specialist would create a plan to preserve data after an incident and prioritize the sequence for performing forensic analysis?

Order of volatility

CNL_CH_1

Son Cagrı · 3回閲覧 · 185問 · 2年前

CNL_CH_1