Mock : CCNA Cyber Ops - SECOPS # 210-255

You see confidential data being exfiltrated to an IP address that is attributed to a known Advanced Persistent Threat group. Assume that this is part of a real attack and not a network misconfiguration. Which category does this event fall under as defined in the Classic Kill Chain Model of Intrusion?

Options are :

  • delivery
  • action on objectives (Correct)
  • reconnaissance
  • weaponization

Answer : action on objectives


Which CVSSv3 Attack Vector metric value requires the attacker to physically touch or manipulate the vulnerable component?

Options are :

  • local
  • physical (Correct)
  • network
  • adjacent

Answer : physical

In the categories of threat actions, how is hacking defined by VERIS?

Options are :

  • Hacking is defined as “all attempts to intentionally access or harm information assets without (or exceeding) authorization by circumventing or thwarting logical security mechanisms." (Correct)
  • Hacking is defined as the use of entrusted organizational resources or privileges for any purpose contrary to what was intended.
  • Hacking is defined as “use of deception, intimidation, or manipulation to exploit the human element."
  • Hacking is defined as “any malicious software, script, or code that is run on a device that alters its state or function without the owner’s informed consent."

Answer : Hacking is defined as “all attempts to intentionally access or harm information assets without (or exceeding) authorization by circumventing or thwarting logical security mechanisms."

Which phase of the cyber kill chain model describes actions taken by the threat actor that are objective-dependent?

Options are :

  • CnC
  • actions on objectives (Correct)
  • exploitation
  • installation

Answer : actions on objectives


Session data provides the IP 5-tuple that is associated with an HTTP connection, along with byte counts, packet counts, and a time stamp. What three additional transaction data types can be obtained from a proxy server log? (Choose three.)

Options are :

  • HTTP server response code (Correct)
  • URL requested by the client (Correct)
  • PCAP associated with the session
  • network path that is traversed by the session
  • MAC address of the client
  • client user agent string (Correct)

Answer : HTTP server response code; URL requested by the client; client user agent string

Which of the following is not an IPS evasion technique?

Options are :

  • Address proxying
  • Pattern change
  • Fragmentation
  • Enumeration (Correct)

Answer : Enumeration

What is accomplished in the identification phase of incident handling?

Options are :

  • determining that a security event has occurred (Correct)
  • determining the responsible user
  • defining the limits of your authority related to a security event
  • identifying source and destination IP addresses

Answer : determining that a security event has occurred


Cisco's Lancope StealthWatch solution works based on NetFlow data to identify unusual traffic patterns. Which of the following NetFlow characteristics does Lancope utilize?

Options are :

  • NetFlow helps identify the deviation of flow traffic from normal pattern(s), for example, applications causing network congestion, as well as the diagnosis of slower than expected performance. (Correct)
  • NetFlow works with Cisco products, and Lancope is one of the Cisco products; hence, the integration is very straightforward.
  • The security and network administrators can use the Class of Service (CoS) for applications.
  • NetFlow helps with the billing and accounting of network traffic flows.

Answer : NetFlow helps identify the deviation of flow traffic from normal pattern(s), for example, applications causing network congestion, as well as the diagnosis of slower than expected performance.

Who is responsible for finding the appropriate model to measure and report the effectiveness of the SOC to the organization?

Options are :

  • SOC manager
  • network manager
  • senior analyst
  • Tier 1 analyst
  • CSO (Correct)

Answer : CSO


Which of the following is not a part of a forensic investigation plan?

Options are :

  • How to safeguard the evidence?
  • The methodologies for analyzing the evidence
  • Who to submit the report to? (Correct)
  • How to collect the evidence?

Answer : Who to submit the report to?

Which regulation aims to protect credit card holder account data?

Options are :

  • HIPAA
  • SOX
  • Gramm-Leach-Bliley Act
  • PCI DSS (Correct)

Answer : PCI DSS


Which option filters a LibPCAP capture that used a host as a gateway?

Options are :

  • [tcp|udp] [src|dst] port
  • [src|dst] net [{mask }|{len }]
  • ether [src|dst] host
  • gateway host (Correct)

Answer : gateway host

Which identifies both the source and destination location?

Options are :

  • IP address (Correct)
  • URL
  • Ports
  • MAC address

Answer : IP address

Syslog and packet captures are often used in network forensics. Syslog is a client/server protocol standard for forwarding log messages across an IP network. Syslog uses which protocol to transfer log messages in clear text format?

Options are :

  • FTP
  • TCP
  • SCP
  • UDP (Correct)

Answer : UDP


What do the following logs represent?

Date flow start           Duration Proto  Src IP Addr:Port      Dst IP Addr:Port     Packets  Bytes Flows
2010-09-01 00:00:00.459     0.000 UDP    127.0.0.1:24920    -> 192.168.0.1:22126        1       46     1
2010-09-01 00:00:00.363     0.000 UDP    192.168.0.1:22126  -> 127.0.0.1:24920          1       80     1

Options are :

  • nmap scan logs
  • Metasploit scan logs
  • NetFlow logs (Correct)
  • PCAP logs

Answer : NetFlow logs

DDoS attacks are often used maliciously to consume the resources of your hosts and network that would otherwise be used to serve legitimate users. Which of the following can be used as a tool for detecting traffic anomalies?

Options are :

  • Antivirus software
  • Cisco ASA
  • NetFlow (Correct)
  • Kill Chain

Answer : NetFlow

It is important that information about a cyber crime investigation be?

Options are :

  • Contained and destroyed as soon after trial as possible
  • Kept limited to as few people as possible (Correct)
  • Reviewed by executive management before being released to the public
  • Backed up to a safe system to ensure availability

Answer : Kept limited to as few people as possible


The VERIS schema is divided into five main sections. Which of the following is not one of these sections?

Options are :

  • Incident Tracking
  • Victim Demographics
  • Incident Description
  • Court Procedures (Correct)

Answer : Court Procedures

Which of the following is an example of a computer security incident?

Options are :

  • An employee accessing a secure file
  • An intruder breaking into an office premises
  • An employee knowingly crashing an e-commerce server by buffer overflow (Correct)
  • A security administrator changing permission settings of a directory

Answer : An employee knowingly crashing an e-commerce server by buffer overflow

What does VERIS stand for?

Options are :

  • Vocabulary for Event Recording and Incident Sharing (Correct)
  • Volunteering for Event Rehearsal at Incident Scene
  • Vocabulary for Events and Incident Sharing
  • Vocabulary for Event Recording and Information Sharing

Answer : Vocabulary for Event Recording and Incident Sharing


In which phase of the incident response process should an organization ideally implement appropriate controls to reduce the likelihood of a security incident?

Options are :

  • Preparation phase (Correct)
  • Containment, eradication, and recovery phase
  • Post-incident activity phase
  • Detection and analysis phase

Answer : Preparation phase

Information systems operated by federal government agencies are subject to regulatory compliance with respect to vulnerability assessments. What federal law requires the use of vulnerability scanning pertinent to federal government agencies?

Options are :

  • SOX
  • FIPS
  • GDPR
  • FISMA (Correct)

Answer : FISMA


What does an attacker modify to control process execution or possibly crash the process in the context of a buffer overflow attack?

Options are :

  • The target process's address space (Correct)
  • The target process’s slack space
  • The target process’s memory access mechanism
  • The target process’s DB entries

Answer : The target process's address space

NetFlow is used for which of the following purposes?

Options are :

  • Collecting logs for troubleshooting the network devices
  • To oversee the packet flows on the network
  • To capture information on the types of traffic traversing the network (Correct)
  • To gather inventory, that is, IDs, serial numbers, version details of routers, servers, switches, and so on

Answer : To capture information on the types of traffic traversing the network

Which of the following are the most common tools used for deploying DNS tunneling and can also be used to detect DNS tunneling? (Choose two.)

Options are :

  • DNScat (Correct)
  • DNScapy
  • OpenVAS
  • DNScat2 (Correct)

Answer : DNScat; DNScat2


In today’s world, where information holds more value than anything else, many threat actors are at work to steal intellectual property from organizations and individuals. Which of the following are examples of intellectual property?

Options are :

  • A rare formula invented by a researcher
  • An exclusive digital photograph from an invite only show
  • A blueprint and a video recording of creating a chemical formula
  • All of these answers are correct. (Correct)

Answer : All of these answers are correct.

An organization is investigating an occurrence of a possible breach signified by an IDS system. Pertinent to this specific occasion, which of the following terms best describes the occurrence of a false negative in the context of the IDS system?

Options are :

  • A signature
  • An event (Correct)
  • A variance
  • An incident

Answer : An event

Incident response strategy involves creating risk assessment capabilities within the organization. Which step of the incident response process would encompass the aforementioned activity?

Options are :

  • Preparation phase (Correct)
  • Containment, eradication, and recovery phase
  • Post-incident activity phase
  • Detection and analysis phase

Answer : Preparation phase


Maintaining and using a knowledge base of information and running packet sniffers to collect additional data are part of which incident response phase?

Options are :

  • Preparation phase
  • Detection and analysis phase (Correct)
  • Containment, eradication, and recovery phase
  • Post-incident activity phase

Answer : Detection and analysis phase

An incident response process addresses a number of activities by going through a number of steps. Which of the following is the last step in an incident response process?

Options are :

  • Identification and evaluation
  • Post-incident activity (Correct)
  • Containment and mitigation
  • Recovery and damage control

Answer : Post-incident activity

Which NIST publication addresses the incident response process in line with statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347?

Options are :

  • 800-61 (Correct)
  • 800-43
  • 800-37
  • 800-54

Answer : 800-61

CCNA Cyber Ops - SECFND # 210-250

Predictive analysis can use which four of the following to make predictions about future attacks or events? (Choose four.)

Options are :

  • data mining (Correct)
  • log mining (Correct)
  • IDS signature mining
  • path analysis (Correct)
  • network capacity planning analysis
  • past and current events (Correct)
  • false positive events

Answer : data mining; log mining; path analysis; past and current events

Consider the following event that Bro generated. Which two of the options are true? (Choose two.)

host=127.0.0.1 program=bro_http class=BRO_HTTP srcip=10.10.6.10 srcport=12080 dstip=209.165.200.233 dstport=80 status_code=200 content_length=184401 method=GET site=www.services.public uri=/files/55nn-X_at_a_glance.pdf referer=http://www.services.public/files/index.php user_agent=Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0 mime_type=application/pdf

Options are :

  • This event is an example of session data.
  • This event is an example of transaction data. (Correct)
  • This event is an example of full packet capture.
  • This event documents a client request for a file. (Correct)
  • This event documents the use of a suspicious source port.
  • This event documents redirection from one web server to another web server.

Answer : This event is an example of transaction data. | This event documents a client request for a file.

NetFlow records provide IP flow information which is based on the IP 5-tuple and can be considered which type of NSM data?

Options are :

  • full packet capture
  • transaction
  • alert
  • session (Correct)

Answer : session


Which node is responsible for conducting an intrusion in the diamond model?

Options are :

  • adversary (Correct)
  • capability
  • infrastructure
  • victim
  • attacker
  • vector

Answer : adversary

Regarding the diamond model, which tool or technique might the adversary use in an event?

Options are :

  • infrastructure
  • victim
  • capability (Correct)
  • attacker
  • vector

Answer : capability

Which exploit kit component consists of code that gathers data about a victim’s computer and finds vulnerable applications?

Options are :

  • The exploit kit’s payload delivery page.
  • The exploit kit’s landing page. (Correct)
  • The exploit kit’s file downloader page.
  • The exploit kit’s command-and-control page.

Answer : The exploit kit’s landing page.


Which CVSS 3.0 metrics group contains metrics that enable an analyst to adjust the combined base-temporal score according to modifications that exist within the particular environment?

Options are :

  • temporal
  • environmental (Correct)
  • maturity
  • scope

Answer : environmental

Using environmental metrics, which three security requirement metric values allow the confidentiality score to be customized depending on the criticality of the affected IT asset? (Choose three.)

Options are :

  • none
  • secret
  • top secret
  • low (Correct)
  • medium (Correct)
  • high (Correct)

Answer : low; medium; high

Malware often takes the form of binary files. Submitting the output of a sandbox detonation report as evidence, as opposed to submitting the binary malware file itself, is an example of which concept?

Options are :

  • corroborative evidence
  • best evidence (Correct)
  • direct evidence
  • circumstantial evidence

Answer : best evidence


What are two types of Windows memory-based protection measures that can be deployed to combat the use of shellcode? (Choose two.)

Options are :

  • DEP (Correct)
  • defender
  • ASLR (Correct)
  • PowerShell

Answer : DEP; ASLR

What two components are mandatory to implement using the network as a sensor to detect emerging threats? (Choose two.)

Options are :

  • NetFlow capable network devices that are deployed throughout the enterprise network. (Correct)
  • A NetFlow capable Identity and Address Management solution.
  • NetFlow analytics system (Correct)
  • A SIEM that can export logs data in NetFlow record format.
  • NetFlow enabled Intrusion Prevention Systems to detect abnormal traffic flow.

Answer : NetFlow capable network devices that are deployed throughout the enterprise network. | NetFlow analytics system

What important information does NetFlow provide to the analyst?

Options are :

  • Packet captures to identify malicious packet’s payload.
  • Consolidated event logs from all the different security devices to provide a single-pane of glass for the analysts.
  • Denied IP connection attempts to identify malicious network activities.
  • Visibility into all the IP flows that can help identify anomalous traffic on the network. (Correct)

Answer : Visibility into all the IP flows that can help identify anomalous traffic on the network.


Which two statements are true regarding sandbox? (Choose two.)

Options are :

  • A sandbox allows the file to be executed in a controlled environment. (Correct)
  • A sandbox is always connected or attached to critical systems or operational networks.
  • Analysis on the sandbox is automated and generally has a very quick turnaround time. (Correct)
  • The executable files cannot be monitored, and no signature can be based on the behavior that they exhibit.

Answer : A sandbox allows the file to be executed in a controlled environment. | Analysis on the sandbox is automated and generally has a very quick turnaround time.

With the China Chopper RAT, which protocol should the analyst monitor closely to detect the caidao.exe client communications with the compromised web server?

Options are :

  • SMTP
  • HTTP or HTTPS (Correct)
  • FTP
  • DNS
  • SSH

Answer : HTTP or HTTPS
