Title of test:
Cysa+ Sybex 0-200

Description:
Sybex Cap 3

Author:
Adrian B

Creation Date:
17/05/2023

Category:
Computers

Number of questions: 57
Content:
The automated malware analysis tool that Jose is using uses a disassembler and performs binary diffing across multiple malware binaries. What information is the tool looking for? A. Calculating minimum viable signature length B. Binary fingerprinting to identify the malware author C. Building a similarity graph of similar functions across binaries D. Heuristic code analysis of development techniques.
How is integrated intelligence most commonly used in a firewall system? A. The firewall searches for new IPs to block and creates a STIX feed entry. B. The intelligence feed provides firewall rules that are implemented on the firewall in real time. C. Threat intelligence is used to provide IP information for rules. D. Named threat actors are blocked based on their threat level and resource model.
What does execution of wmic.exe, powershell.exe, or winrm.vbs most likely indicate if you discover one or more was run on a typical end user’s workstation? A. A scripted application installation B. Remote execution of code C. A scripted application uninstallation D. A zero-day attack.
Lucy is an SOC operator for her organization and is responsible for monitoring her organization’s SIEM and other security devices. Her organization has both domestic and international sites, and many of their employees travel frequently. While Lucy is monitoring the SIEM, she notices that all of the log sources from her organization’s New York branch have stopped reporting for the past 24 hours. What type of detection rules or alerts should she configure to make sure she is aware of this sooner next time? A. Heuristic B. Behavior C. Availability D. Anomaly.
When Pete connects to his organization’s network, his PC runs the NAC software his systems administrator installed. The software communicates to the edge switch he is plugged into, which validates his login and system security state. What type of NAC solution is Pete using? A. Agent-based, in-band B. Agentless, in-band C. Agent-based, out-of-band D. Agentless, out-of-band.
Brian writes a Snort rule that reads:
Alert tcp any -> 10.10.11.0/24 3306
What type of traffic will he detect? A. MySQL traffic B. RDP traffic C. LDAP traffic D. BGP traffic.
While reviewing Windows event logs for a Windows 10 system with reported odd behavior, Kai discovers that the system she is reviewing shows Event ID 1005 MALWAREPROTECTION_SCAN_FAILED every day at the same time. What is the most likely cause of this issue? A. The system was shut down. B. Another antivirus program has interfered with the scan. C. The user disabled the scan. D. The scan found a file it was unable to scan.
Rule 4 is designed to allow SSH access from external networks to the server located at 10.15.1.3. Users are reporting that they cannot access the server. What is wrong? A. The protocol is incorrect. B. The rules are misordered. C. The destination port is incorrect. D. There is no error in the rule, and Chris should check for other issues.
Alex needs to deploy a solution that will limit access to his network to only authorized individuals while also ensuring that the systems that connect to the network meet his organization’s patching, antivirus, and configuration requirements. Which of the following technologies will best meet these requirements? A. Whitelisting B. Port Security C. NAC D. EAP.
During a log review, Mei sees repeated firewall entries as shown here:
Sep 16 2019 23:01:37: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Sep 16 2019 23:01:38: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Sep 16 2019 23:01:39: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Sep 16 2019 23:01:40: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0]
What service is the remote system most likely attempting to access? A. H.323 B. SNMP C. MS-SQL D. Oracle.
A system that Carlos is responsible for has been experiencing consistent denial of service attacks using a version of the Low Orbit Ion Cannon (LOIC), which leverages personal computers in a concerted attack by sending large amounts of traffic from each system to flood a server, thus making it unable to respond to legitimate requests. What type of firewall rule should Carlos use to limit the impact of a tool like this if bandwidth consumption from the attack itself is not the root problem? A. IP-based blacklisting B. Dropping all SYN packets C. Using a connection rate or volume-limiting filter per IP D. Using a route-blocking filter that analyzes common LOIC routes.
Eleanor is using the US-CERT NCISS observed activity levels to assess threat actor activity. If she has systems with active ransomware infections that have encrypted data on the systems but the systems have available and secure backups, at what level should she rate the observed activity? A. Prepare B. Engage C. Presence D. Effect.
Cormac needs to lock down a Windows workstation that has recently been scanned using nmap on a Kali Linux–based system, with the results shown here. He knows that the workstation needs to access websites and that the system is part of a Windows domain. What ports should he allow through the system’s firewall for externally initiated connections? A. 80, 135, 139, and 445 B. 80, 445, and 3389 C. 135, 139, and 445 D. No ports should be open.
During Cormac’s configuration of his organization’s network access control policies, he sets up client OS rules that include the following statements:
ALLOW Windows 7 version *, Windows 10 version *
ALLOW OSX version *
ALLOW iOS 8.1, iOS 9 version *
ALLOW Android 7.*
After deploying this rule, he discovers that many devices on his network cannot connect. What issue is most likely occurring? A. Insecure clients B. Incorrect NAC client versions C. OS version mismatch D. Patch level mismatch.
Maria is an Active Directory domain administrator for her company, and she knows that a quickly spreading botnet relies on a series of domain names for command and control, and that preventing access to those domain names will cause the malware infection that connects to the botnet to fail to take further action. Which of the following actions is her best option if she wants to prevent off-site Windows users from connecting to botnet command and control systems? A. Force a BGP update B. Set up a DNS sinkhole C. Modify the hosts file D. Install an antimalware application.
While analyzing a malware package, Ryan finds a list of hostnames shown here:
earnestnessrealsitetest.com
rvcxestnessrealsitetest.com
hjbtestnessrealsitetest.com
agekestnessrealsitetest.com
sgjxestnessrealsitetest.com
igjyestnessrealsitetest.com
zxahestnessrealsitetest.com
zfrpestnessrealsitetest.com
hdquestnessrealsitetest.com
umcuestnessrealsitetest.com
hrbyestnessrealsitetest.com
ysrtestnessrealsitetest.com
kgteestnessrealsitetest.com
hfsnestnessrealsitetest.com
njxfestnessrealsitetest.com
What has he likely found in the malware package? A. A RPG B. A DGA C. A SPT D. A FIN.
Mark writes a script to pull data from his security data repository. The script includes the following query:
select source.name, data.process.cmd, count(*) AS hostcount from windows-events where type = 'sysmon' AND data.process.action = 'launch' AND data.process.image.file = 'reg.exe' AND data.process.parentImage.file = 'cmd.exe'
He then queries the returned data using the following script:
select source.name, data.process.cmd, count(*) AS hostcount from network-events where type = 'sysmon' AND data.process.action = 'launch' AND data.process.image.file = 'cmd.exe' AND data.process.parentImage.file = 'explorer.exe'
What events will Mark see? A. Uses of explorer.exe where it is launched by cmd.exe B. Registry edits launched via the command line from Explorer C. Registry edits launched via explorer.exe that modify cmd.exe D. Uses of cmd.exe where it is launched by reg.exe.
Pranab is implementing cryptographic controls to protect his organization and would like to use defense-in-depth controls to protect sensitive information stored and transmitted by a web server. Which one of the following controls would be least suitable to directly provide this protection? A. TLS B. VPN C. DLP D. FDE.
Tracy is validating the web application security controls used by her organization. She wants to ensure that the organization is prepared to conduct forensic investigations of future security incidents. Which one of the following OWASP control categories is most likely to contribute to this effort? A. Implement logging B. Validate all inputs C. Parameterize queries D. Error and exception handling.
Kaitlyn’s organization recently set a new password policy that requires that all passwords have a minimum length of 10 characters and meet certain complexity requirements. She would like to enforce this requirement for the Windows systems in her domain. What type of control would most easily allow this? A. Group Policy Object B. Organizational unit C. Active Directory forest D. Domain controller.
Angela wants to block traffic sent to a suspected malicious host. What iptables rule entry can she use to block traffic to a host with IP address 10.24.31.11? A. iptables -A OUTPUT -d 10.24.31.11 -j DROP B. iptables -A INPUT -d 10.24.31.11 -j ADD C. iptables -block -host 10.24.31.11 -j DROP D. iptables -block -ip 10.24.31.11 -j ADD.
What issue should Amanda report to the system administrator? A. High network utilization B. High memory utilization C. Insufficient swap space D. High CPU utilization.
What type of attack does a network administrator need to be aware of when deploying port security? A. MAC address spoofing B. IP address spoofing C. Denial-of-service attacks D. ARP spoofing.
While reviewing output from the netstat command, John sees the following output. What should his next action be?
[minesweeper.exe] TCP 127.0.0.1:62522 dynamo:0 LISTENING
[minesweeper.exe] TCP 192.168.1.100 151.101.2.69:https ESTABLISHED
A. Capture traffic to 151.101.2.69 using Wireshark B. Initiate the organization’s incident response plan C. Check to see if 151.101.2.69 is a valid Microsoft address D. Ignore it; this is a false positive.
Charles wants to determine if a message he received was forwarded by analyzing the headers of the message. How can he determine this? A. Reviewing the Message-ID to see if it has been incremented B. Checking for the In-Reply-To field C. Checking for the References field D. You cannot determine if a message was forwarded by analyzing the headers.
Which of the following is not a limitation of a DNS sinkhole? A. They do not work on traffic sent directly to an IP address. B. They do not prevent malware from being executed. C. They can be bypassed using a hard-coded DNS server. D. They cannot block drive-by-download attempts.
While investigating a compromise, Glenn encounters evidence that a user account has been added to the system he is reviewing. He runs a diff of /etc/shadow and /etc/passwd and sees the following output. What has occurred?
root:$6$XHxtN5iB$5WOyg3gGfzr9QHPLo.7z0XIQIzEW6Q3/K7iipxG7ue04CmelkjC51SndpOcQlxTHmW4/AKKsKew4f3cb/.BK8/:16828:0:99999:7:::
> daemon:*:16820:0:99999:7:::
> bin:*:16820:0:99999:7:::
> sys:*:16820:0:99999:7:::
> sync:*:16820:0:99999:7:::
> games:*:16820:0:99999:7:::
> man:*:16820:0:99999:7:::
> lp:*:16820:0:99999:7:::
> mail:*:16820:0:99999:7:::
> news:*:16820:0:99999:7:::
> uucp:*:16820:0:99999:7:::
> proxy:*:16820:0:99999:7:::
> www-data:*:16820:0:99999:7:::
> backup:*:16820:0:99999:7:::
> list:*:16820:0:99999:7:::
> irc:*:16820:0:99999:7:::
A. The root account has been compromised. B. An account named daemon has been added. C. The shadow password file has been modified. D. /etc/shadow and /etc/passwd cannot be diffed to create a useful comparison.
Ric is working on reverse-engineering a malware sample and wants to run the binary but also control the execution as it occurs. What type of tool should he select for this? A. A disassembler B. A decompiler C. A debugger D. An unpacker.
Fred has been tasked with configuring his organization’s NAC rules to ensure that employees only have access that matches their job functions. Which of the following NAC criteria are least suited to filtering based on a user’s job? A. Time-based B. Rule-based C. Role-based D. Location-based.
While reviewing his Apache logs, Oscar discovers the following entry. What has occurred?
10.1.1.1 - - [27/Jun/2019:11:42:22 -0500] "GET /query.php?searchterm=stuff&%20lid=1%20UNION%20SELECT%200, username,user_id,password,name,%20email,%20FROM%20users HTTP/1.1" 200 9918 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
A. A successful database query B. A php overflow attack C. A SQL injection attack D. An unsuccessful database query.
Jason wants to reverse-engineer a malware package. Which of the following tools should he use if he wants to do behavior-based analysis of a worm? A. A disassembler B. A network analyzer C. A PE viewer D. A debugger.
Melissa wants to deploy a tool to coordinate information from a wide range of platforms so that she can see it in a central location and then automate responses as part of security workflows. What type of tool should she deploy? A. UEBA B. SOAR C. SIEM D. MDR.
While attempting to stop a rogue service, Monica issues the following Linux command on an Ubuntu system using upstart:
service rogueservice stop
After a reboot, she discovers the service running again. What happened, and what does she need to do to prevent this? A. The service restarted at reboot, so she needs to include the -p, or permanent, flag. B. The service restarted itself, so she needs to delete the binary associated with the service. C. The service restarted at reboot, so she should add an .override file to stop the service from starting. D. A malicious user restarted the service, so she needs to ensure users cannot restart services.
While reviewing the Wireshark packet capture shown here, Ryan notes an extended session using the ESP protocol. When he clicks on the packets, he is unable to make sense of the content. What should Ryan look for on the workstation with IP address 10.0.0.1 if he investigates it in person? A. An encrypted RAT B. A VPN application C. A secure web browser D. A base64 encoded packet transfer utility.
Bohai uses the following command while investigating a Windows workstation used by his organization’s vice president of Finance, who only works during normal business hours. Bohai believes that the workstation has been used without permission by members of his organization’s cleaning staff after hours. What does he know if the userID shown is the only userID able to log in to the system, and he is investigating on August 12, 2019?
C:\Users\bigfish>wmic netlogin get name,lastlogon,badpasswordcount
BadPasswordCount  LastLogon                  Name
                                             NT AUTHORITY\SYSTEM
0                 20190811203748.000000-240  Finance\bigfish
A. The account has been compromised. B. No logins have occurred. C. The last login was during business hours. D. Bohai cannot make any determinations from this information.
Alaina has configured her SOAR system to detect irregularities in geographical information for logins to her organization’s administrative systems. The system alarms, noting that an administrator has logged in from a location that they do not typically log in from. What other information would be most useful to correlate with this to determine if the login is a threat? A. Anomalies in privileged account usage B. Time-based login information C. A mobile device profile change D. DNS request anomalies.
Megan wants to check memory utilization on a Macintosh system. What Apple tool can she use to do this? A. Activity Monitor B. MemControl C. Run memstat from the command line D. Run memctl from the command line.
Fiona is considering a scenario in which components that her organization uses in their software that come from public GitHub repositories are trojaned. What should she do first to form the basis of her proactive threat hunting effort? A. Search for examples of a similar scenario B. Validate the software currently in use from the repositories C. Form a hypothesis D. Analyze the tools available for this type of attack.
Jason is profiling a threat actor using STIX 2.0 and can choose among the following labels: Individual, Club, Contest, Team, Organization, Government. What is he identifying? A. Affiliation B. Attack resource level C. Certification level D. Threat name.
Micah wants to use the data he has collected to help with his threat hunting practice. What type of approach is best suited to using large volumes of log and analytical data? A. Hypothesis-driven investigation B. Investigation based on indicators of compromise C. Investigation based on indications of attack D. AI/ML-based investigation.
After conducting an nmap scan of his network from outside of his network, James notes that a large number of devices are showing three TCP ports open on public IP addresses: 9100, 515, and 631. What type of devices has he found, and how could he reduce his organization’s attack surface? A. Wireless access points, disable remote administration B. Desktop workstations, enable the host firewall C. Printers, move the printers to an internal only IP range D. Network switches, enable encrypted administration mode.
As part of her threat-hunting activities, Olivia bundles her critical assets into groups. Why would she choose to do this? A. To increase complexity of analysis B. To leverage similarity of threat profiles C. To mix sensitivity levels D. To provide a consistent baseline for threats.
Syslog, APIs, email, STIX/TAXII, and database connections are all examples of what for a SOAR? A. IOCs B. Methods of data ingestion C. SCAP connections D. Attack vectors.
What protocol does the U.S. government use to represent the data stored in the National Vulnerability Database? A. STIX B. CVSS C. SCAP D. CPE.
Mila is categorizing an actor using STIX 2.0 and wants to describe an actor that is responsible for APT-level attacks. What STIX threat actor sophistication level best fits this type of actor? A. Intermediate B. Advanced C. Expert D. Strategic.
Rowan wants to block drive-by-downloads and bot command and control channels while redirecting potentially impacted systems to a warning message. What should she implement to do this? A. A DNS sinkhole B. A WAF C. An IDS D. A UEBA.
What type of malware technique hides its command and control servers within a large number of possible suspects? A. Polymorphic domain malware B. Domain generation algorithms C. Hostname multipliers D. ICA spoofers.
Nina configures her IPS to detect and stop attacks based on signatures. What type of attacks will she block? A. New attacks based on behavior B. Previously documented attacks that match the signatures C. Previously documented attacks and similar attacks based on the signatures D. All of the above.
Nathan’s organization uses a software-as-a-service (SaaS) tool to manage their customer mailing lists, which they use to inform customers of upcoming sales a week in advance. The organization’s primary line of business software continues to function and merchandise can be sold. Due to a service outage, they are unable to add new customers to the list for a full business day. How should Nathan rate this local impact issue during the outage? A. Minimal impact to noncritical services B. Minimal impact to critical services C. Significant impact to noncritical services D. Denial of noncritical services.
Annie is reviewing a packet capture that she believes includes the download of malware. What host should she investigate further as the source of the malware based on the activity shown in the following image from her packet analysis efforts? A. 172.17.8.8 B. 49.51.172.56 C. 172.17.8.172 D. 56.172.51.49.
While reviewing IPS logs, Annie finds the following entry: ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) What should her next action be? A. Run an antimalware scan of the system associated with the detection B. Block inbound traffic from the external system associated with the infection C. Block outbound traffic to the external system associated with the infection D. Nothing, as this is a false positive due to an expired certificate.
Melissa is using the US-CERT’s scale to measure the impact of the location of observed activity by a threat actor. Which of the following should be the highest rated threat activity location? A. Critical system DMZ B. Business network C. Business DMZ D. Safety systems.
What do DLP systems use to classify data and to ensure that it remains protected? A. Data signatures B. Business rules C. Data egress filters D. Data at rest.
Eric wants to analyze a malware binary in the safest way possible. Which of the following methods has the least likelihood of allowing the malware to cause problems? A. Run the malware on an isolated VM B. Perform dynamic analysis of the malware in a sandbox C. Perform static analysis of the malware D. Run the malware in a container service.
A production environment with “blue” and “green” deployments in parallel, with one live and one updated to the newest code, is an example of what type of pipeline? A. Continuous integration B. Waterfall C. Spiral D. Continuous delivery.
Joseph’s antimalware package detects new malware by examining code for suspicious properties. What type of technique is this an example of? A. Fagan code inspection B. Heuristic analysis C. Machine learning D. Artificial intelligence.
Derek’s organization has been working to recover from a recent malware infection that caused outages across the organization during an important part of their business cycle. In order to properly triage, what should Derek pay the most attention to first? A. The immediate impact on operations so that his team can restore functionality B. The total impact of the event so that his team can provide an accurate final report C. The immediate impact on operations so that his team can identify the likely threat actor D. The total impact of the event so that his team can build a new threat model for future use.