QA : CCNA Cyber Ops - SECOPS # 210-255

Which function of the CSIRT incident handling service provides a single point of contact and the focal point for accepting, collecting, sorting, ordering, and passing on incoming information for the service?

Options are :

  • triage function (Correct)
  • handling function
  • feedback function
  • optional announcement function

Answer : triage function

What does the handling function of the CSIRT incident handling service provide?

Options are :

  • a single point of contact and the focal point for accepting, collecting, sorting, ordering, and passing on incoming information for the service
  • support for giving feedback on issues that are not directly related to specific incidents
  • support and guidance that is related to suspected or confirmed computer security incidents, threats, and attacks (Correct)
  • generation of information that is tailored for the constituency in various formats

Answer : support and guidance that is related to suspected or confirmed computer security incidents, threats, and attacks

In the category of social action that is defined by VERIS, which three communication channels can be classified under the vector attribute? (Choose three.)

Options are :

  • email (Correct)
  • IM (Correct)
  • FTP
  • social media (Correct)
  • Telnet
  • VPN
  • command shell
  • remote file Injection

Answer : email, IM, social media

In the categories of threat actions, how is misuse defined by VERIS?

Options are :

  • Misuse is defined as “all attempts to intentionally access or harm information assets without (or exceeding) authorization by circumventing or thwarting logical security mechanisms."
  • Misuse is defined as “use of deception, intimidation, or manipulation to exploit the human element.”
  • Misuse is defined as “any malicious software, script, or code that is run on a device that alters its state or function without the owner’s informed consent.”
  • Misuse is defined as the use of entrusted organizational resources or privileges for any purpose contrary to what was intended. (Correct)

Answer : Misuse is defined as the use of entrusted organizational resources or privileges for any purpose contrary to what was intended.

When performing threat hunting against a DNS server, which traffic toward the affected domain is considered a starting point?

Options are :

  • HTTPS traffic
  • TCP traffic
  • HTTP traffic
  • UDP traffic (Correct)

Answer : UDP traffic

Which type of analysis assigns values to scenarios to see what the outcome might be in each scenario?

Options are :

  • deterministic (Correct)
  • exploratory
  • probabilistic
  • descriptive

Answer : deterministic

Which data element must be protected with regards to PCI?

Options are :

  • past health condition
  • geographic location
  • full name (Correct)
  • recent payment amount

Answer : full name

You receive an alert for malicious code that exploits Internet Explorer and runs arbitrary code on the site visitor machine. The malicious code is on an external site that is being visited by hosts on your network. Which user agent in the HTTP headers in the requests from your internal hosts warrants further investigation?

Options are :

  • Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident 6.0) (Correct)
  • Mozilla/5.0 (X11; Linux i686; rv:1.9.2.20) Gecko/20110805
  • Mozilla/5.0 (Windows NT 6.1; WOW64; rv:400) Gecko/20100101
  • Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16

Answer : Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident 6.0)

You have run a suspicious file in a sandbox analysis tool to see what the file does. The analysis report shows that outbound callouts were made post infection. Which two pieces of information from the analysis report are needed or required to investigate the callouts? (Choose two.)

Options are :

  • file size
  • domain names (Correct)
  • dropped files
  • signatures
  • host IP addresses (Correct)

Answer : domain names, host IP addresses

A CMS plugin creates two files that are accessible from the Internet: myplugin.html and exploitable.php. A newly discovered exploit takes advantage of an injection vulnerability in exploitable.php. To exploit the vulnerability, one must send an HTTP POST with specific variables to exploitable.php. You see traffic to your webserver that consists of only HTTP GET requests to myplugin.html. Which category best describes this activity?

Options are :

  • weaponization
  • exploitation
  • installation
  • reconnaissance (Correct)

Answer : reconnaissance

During which phase of the forensic process are tools and techniques used to extract the relevant information from the collective data?

Options are :

  • examination (Correct)
  • reporting
  • collection
  • investigation

Answer : examination

Which feature is used to find possible vulnerable services running on a server?

Options are :

  • CPU utilization
  • security policy
  • temporary internet files
  • listening ports (Correct)

Answer : listening ports

Which element can be used by a threat actor to discover a possible opening into a target network and can also be used by an analyst to determine the protocol of the malicious traffic?

Options are :

  • TTLs
  • ports (Correct)
  • SMTP replies
  • IP addresses

Answer : ports

Which of the following is not a metadata feature of the Diamond Model?

Options are :

  • Direction
  • Result
  • Devices (Correct)
  • Resources

Answer : Devices

Which of the following has been used to evade IDS and IPS devices?

Options are :

  • SNMP
  • HTTP
  • TNP
  • Fragmentation (Correct)

Answer : Fragmentation

The Computer Security Incident Response Team (CSIRT) within an organization is an example of an incident response team. Which of the following are incident response teams from an external perspective? (Choose three.)

Options are :

  • PSIRT (Correct)
  • CERT (Correct)
  • MSIRT
  • Coordination center (Correct)

Answer : PSIRT, CERT, Coordination center

A common source of finding a non vendor-specified and external vulnerability is CVE. What does CVE stand for?

Options are :

  • Critical Vulnerability and Exposures
  • Critical Vulnerabilities and Exploits
  • Common Vulnerabilities and Exploits
  • Common Vulnerabilities and Exposures (Correct)

Answer : Common Vulnerabilities and Exposures

An organization is going through post-vulnerability-assessment reports. The reports were generated from vulnerability scans run on a heterogeneous environment comprised of different vendor products. To prioritize issues from different sources and address the vulnerabilities in terms of severity, which of the following can the organization leverage?

Options are :

  • CVSS (Correct)
  • CVE
  • CPSS
  • CCDI

Answer : CVSS

A security researcher recently discovered a new security vulnerability. Upon computing its CVSS base score, the score was 3. What risk category would this vulnerability fall into?

Options are :

  • Low (Correct)
  • Medium
  • High
  • Critical

Answer : Low

Protected Health Information (PHI) needs to be protected as mandated by which of the following U.S. laws?

Options are :

  • HIPAA (Correct)
  • HIPPAA
  • PCI DSS
  • FISMA

Answer : HIPAA

An organization performs PCI-DSS vulnerability scans on a contractual basis for a large retail store chain. The organization conducted a vulnerability scan about a week ago. The stores upgraded their Point-of-Sale (PoS) systems because of a critical security update. When should the retail store chain have the vulnerability scans conducted, if at all?

Options are :

  • When the next compliance cycle is due
  • After six months
  • Immediately (Correct)
  • No scans are required as the audit was just conducted.

Answer : Immediately

Which two items affect the success of deploying a SIEM project? (Choose two.)

Options are :

  • form factor of a SIEM appliance
  • SIEM vendor
  • business requirements (Correct)
  • engineering specifications of the SIEM (Correct)

Answer : business requirements, engineering specifications of the SIEM

Which incident response action may occur before and after the containment phase?

Options are :

  • reporting
  • identification
  • preparation
  • analysis (Correct)

Answer : analysis

What does it imply to validate the investigation findings as part of a forensic exercise?

Options are :

  • To repeat the test with a different tool, however, use the same methodology (Correct)
  • To rerun the same tool (used the first time) and compare the result of findings
  • To have the findings peer reviewed and validate them
  • To revisit the investigation notes and ensure that the findings are valid for presentation in court

Answer : To repeat the test with a different tool, however, use the same methodology

Practice : CCNA Cyber Ops - SECFND # 210-250

Which of the following can be identified by correlating DNS intelligence and other security events? (Choose two.)

Options are :

  • Routing problems
  • Configuration issues
  • Malicious domains based on reputation (Correct)
  • Communication to CnC servers (Correct)

Answer : Malicious domains based on reputation, Communication to CnC servers

What is implied by a listening port?

Options are :

  • A listening port does not reply to network and security scans.
  • A listening port is a half-open TCP connection that an application maintains to accept inbound connections.
  • A listening port is used by the applications that need constant outside access for outbound connections.
  • A listening port is held open by an application or process to accept inbound connections. (Correct)

Answer : A listening port is held open by an application or process to accept inbound connections.

Which method can a threat actor use to evade detection and IP blacklisting defensive capabilities?

Options are :

  • fast fluxing (Correct)
  • register the server’s FQDN in another country.
  • deploy a new operating system on their malicious server.
  • data log analysis

Answer : fast fluxing

Certification : CCNA Cyber Ops - SECOPS # 210-255

Which statement is true about NetFlow analyzers?

Options are :

  • NetFlow is a network utilization monitoring tool that is not applicable to use as a network security tool.
  • NetFlow analyzers are an interpretation of a chain of consecutive events that occur during a set period.
  • NetFlow analyzers allow you to pinpoint machines and devices that are hogging bandwidth, to find bottlenecks in your system, and, ultimately, to improve your network’s overall efficiency. (Correct)
  • NetFlow analyzers can be used to reconstruct network traffic or to follow it.

Answer : NetFlow analyzers allow you to pinpoint machines and devices that are hogging bandwidth, to find bottlenecks in your system, and, ultimately, to improve your network’s overall efficiency.

Which of the following is not a step in the Cyber Kill Chain Model?

Options are :

  • Weaponization
  • Back trailing (Correct)
  • Reconnaissance
  • Exploitation

Answer : Back trailing

What security product or solution can help security professionals identify, analyze, and report on threats in real time?

Options are :

  • SIEM (Correct)
  • Cisco ISE
  • IPS
  • VPN

Answer : SIEM

Certification : CCNA Cyber Ops - SECFND # 210-250

When implementing a SIEM solution, why is it important to have a good estimate of the rate of events per second that are coming into the SIEM and the historical events storage requirements?

Options are :

  • determine the form factor of the SIEM
  • estimate the disk size of the back-end events storage (Correct)
  • establish the analyst workflow requirements
  • determine the API requirements between the SIEM and the other security devices that are feeding events into the SIEM

Answer : estimate the disk size of the back-end events storage

Which of the following are core responsibilities of a national CSIRT and CERT?

Options are :

  • Provide vulnerability brokering to vendors within a country
  • Protect their citizens by providing security vulnerability information, security awareness training, best practices, and other information (Correct)
  • Create regulations around cybersecurity within the country
  • Provide solutions for bug bounties

Answer : Protect their citizens by providing security vulnerability information, security awareness training, best practices, and other information

Referring to the URL being accessed that is shown here, which encoding is used to represent the URL in ASCII?

www.xn--gwtq9nb2a.jp

Options are :

  • Unicode
  • EUC
  • UTF-32
  • Punycode (Correct)

Answer : Punycode

QA : CCNA Cyber Ops - SECOPS # 210-255

During incident classification, cross-site scripting attacks can be classified as which type of attack?

Options are :

  • web (Correct)
  • improper usage
  • email
  • attrition

Answer : web

Taking data that is collected and formatted by any of a diverse set of security event sources and putting the data into a common schema is called what?

Options are :

  • aggregation
  • correlation
  • corroboration
  • summarization
  • normalization (Correct)

Answer : normalization

Which of the following is an example of a managed security offering where incident response experts monitor and respond to security alerts in a security operations center (SOC)?

Options are :

  • Cisco's Active Threat Analytics (ATA) (Correct)
  • Cisco CloudLock
  • Cisco Managed Firepower Service
  • Cisco Jasper

Answer : Cisco's Active Threat Analytics (ATA)

What are the two components of the China Chopper RAT? (Choose two.)

Options are :

  • cryptoware that is placed on the compromised server
  • the web shell file placed on the compromised web server (Correct)
  • caidao.exe which is the attacker's client interface (Correct)
  • the RAT malware placed on the compromised host that is always written in Perl

Answer : the web shell file placed on the compromised web server, caidao.exe which is the attacker's client interface

An organization is gearing up on improving its detection and analysis capabilities. The security administrators would like to implement a system that can receive and correlate logs from multiple sources to detect (otherwise incoherent and distributed) potential security incidents. Which of the following will address this requirement?

Options are :

  • Firewall
  • NAC
  • IDS
  • SIEM (Correct)

Answer : SIEM

Which two systems are typically integrated with the SOC WMS in order to improve the efficiency of SOC operations? (Choose two.)

Options are :

  • enterprise resource planning system
  • ticketing system (Correct)
  • SIEM (Correct)
  • password management system

Answer : ticketing system, SIEM

Which of the following is typically a responsibility of a PSIRT?

Options are :

  • Configure the organization's firewall
  • Disclose vulnerabilities in the organization's products and services (Correct)
  • Investigate security incidents in a security operations center (SOC)
  • Monitor security logs

Answer : Disclose vulnerabilities in the organization's products and services

What is the purpose of having a “known-good” profile?

Options are :

  • configure and test NMS tools
  • define set of rules that an IDS and an IPS uses to detect typical intrusive activity
  • audit remote log locations
  • help the security analyst flag anomalies (Correct)

Answer : help the security analyst flag anomalies

Which of the following is one of the main goals of the CSIRT?

Options are :

  • To hire security professionals who will be part of the InfoSec team of the organization.
  • To monitor the organization's IPS devices
  • To configure the organization's firewalls
  • To minimize and control the damage associated with incidents, provide guidance for mitigation, and work to prevent future incidents (Correct)

Answer : To minimize and control the damage associated with incidents, provide guidance for mitigation, and work to prevent future incidents

Which of the following is an example of a coordination center?

Options are :

  • Cisco PSIRT
  • Microsoft MSRC
  • CERT division of the Software Engineering Institute (SEI) (Correct)
  • FIRST

Answer : CERT division of the Software Engineering Institute (SEI)

Which of the following are elements of the 5-tuple rule? (Choose three.)

Options are :

  • Destination IP address (Correct)
  • Protocol (Correct)
  • Source IP address (Correct)
  • Source device ID

Answer : Destination IP address, Protocol, Source IP address

Which of the following is one of the main goals of data normalization?

Options are :

  • To save duplicate logs for redundancy
  • To correlate IPS and IDS logs with DNS
  • To correlate IPS/IDS logs with firewall logs
  • To purge redundant data while maintaining data integrity (Correct)

Answer : To purge redundant data while maintaining data integrity

In the OSI model, which layer is responsible for running the TCP or UDP protocols?

Options are :

  • Session
  • Application
  • Data Link
  • Transport (Correct)

Answer : Transport

Which of the following are not components of the 5-tuple of a flow in NetFlow? (Choose two.)

Options are :

  • Flow record ID (Correct)
  • Source port
  • Gateway (Correct)
  • Destination port
  • Source IP address

Answer : Flow record ID, Gateway

Which function will provide at least a minimum set of support for frequently asked questions and might be seen as an interface for media requests or input to the CSIRT at large?

Options are :

  • optional announcement function
  • triage function
  • handling function
  • feedback function (Correct)

Answer : feedback function

Which three options can be classified as network assets according to VERIS? (Choose three.)

Options are :

  • mail servers
  • end users
  • switch (Correct)
  • VoIP phones
  • laptops
  • router (Correct)
  • firewall (Correct)
  • DHCP servers

Answer : switch, router, firewall

What is the purpose of using REGEX during PCAP analysis?

Options are :

  • define a search pattern (Correct)
  • log event data and establish baseline
  • deliver payloads from PCAP analysis
  • reverse engineer suspicious files

Answer : define a search pattern

What are the two primary methods for security analysis that have been described and implemented in the industry?

Options are :

  • Deterministic and probabilistic (Correct)
  • Intrinsic and extrinsic
  • Fact based and probabilistic
  • None of these is the right answer.

Answer : Deterministic and probabilistic

The discovery and response section focuses on which three options? (Choose three.)

Options are :

  • capturing a qualitative assessment of the overall effect on the organization
  • estimating the magnitude of the losses
  • organization that is affected by the incident
  • timeline of the events (Correct)
  • how the incident was discovered (Correct)
  • general information about the incident
  • categorizing the varieties of losses experienced
  • lessons learned during the response and remediation process (Correct)

Answer : timeline of the events, how the incident was discovered, lessons learned during the response and remediation process

Which section of the play is intended to provide background information and a good reason why the play exists?

Options are :

  • objective (Correct)
  • analysis
  • action
  • working
  • reference
  • report identification

Answer : objective

Which of the following is not an example of weaponization?

Options are :

  • Developing an automated script to inject commands on a USB device
  • Creating a backdoor in an application
  • Connecting to a command and control server (Correct)
  • Wrapping software with a RAT

Answer : Connecting to a command and control server

In Microsoft Windows, as files are deleted, the space they were allocated eventually becomes available for use by other files. This creates alternating used and unused areas of various sizes. What is this called?

Options are :

  • network file storing
  • defragmentation
  • free space fragmentation (Correct)
  • alternate data streaming

Answer : free space fragmentation

Which section of the play references the data query to be run against a SIEM?

Options are :

  • working (Correct)
  • report identification
  • action
  • reference
  • analysis
  • objective

Answer : working

Which of the following are the three metrics, or "scores," of the Common Vulnerability Scoring System (CVSS)? (Choose three.)

Options are :

  • Base score (Correct)
  • Temporal score (Correct)
  • Environmental score (Correct)
  • Baseline score

Answer : Base score, Temporal score, Environmental score

What is a simple and effective way to correlate events?

Options are :

  • different TCP source ports
  • same alert timestamp
  • same IP 5-tuple (Correct)
  • same alert severity level
  • different TCP destination ports

Answer : same IP 5-tuple

Which function of the CSIRT incident handling service generates information that is tailored for the constituency in various formats to disclose details of ongoing threats?

Options are :

  • optional announcement function (Correct)
  • handling function
  • triage function
  • feedback function

Answer : optional announcement function

Which organization can provide information to the security analysts about DNS?

Options are :

  • Farsight (Correct)
  • Spamhaus
  • Alexa
  • OWASP

Answer : Farsight

Intrusion Detection and Prevention (IDP) can be used to detect/prevent malicious traffic entering or leaving a host or network device. Multiple IDPs, both commercial and free, are available. Which of the following is an example of a well-known free and open source IDP?

Options are :

  • Snort (Correct)
  • Firepower
  • Nessus
  • Nmap

Answer : Snort

Why is it important for SOC analysts not to quickly formulate a conclusion that identifies the threat actor of an attack based on a single IDS alert? (Choose two.)

Options are :

  • Because if the threat actor is using a backdoor remote access trojan to access the compromised host, then the resulting alert may contain false source and destination IP address information
  • Because a single alert usually can't provide enough conclusive evidence, and should be correlated with other event data (Correct)
  • Because the alert may be a true positive alert
  • Because the threat actor may be pivoting through another compromised device to obscure their true identity and location (Correct)

Answer : Because a single alert usually can't provide enough conclusive evidence, and should be correlated with other event data; Because the threat actor may be pivoting through another compromised device to obscure their true identity and location

What is a type of web-based attack that uses malicious scripts that are injected into otherwise benign and trusted websites? The malicious scripts are then served to other victims who are visiting the infected websites.

Options are :

  • directory traversal
  • XSS (Correct)
  • web redirection
  • HTTP 302 cushioning

Answer : XSS

Which of the following are examples of some of the responsibilities of a corporate CSIRT and the policies it helps create? (Choose three.)

Options are :

  • Scanning vendor customer network Incident classification and handling
  • Information dissemination (Correct)
  • Record retentions and destruction (Correct)
  • Information classification and protection (Correct)

Answer : Information dissemination, Record retentions and destruction, Information classification and protection

What is typically used by the attackers as a launching platform to deliver the payload to the targeted system?

Options are :

  • day zero malware
  • SQL injections
  • CnC channel
  • exploit kit (Correct)

Answer : exploit kit

Which of the following steps in the kill chain would come before the others?

Options are :

  • Exploitation
  • C2
  • Delivery (Correct)
  • Installation

Answer : Delivery

One of the major goals in security data normalization is to eliminate the risk of evasions and ambiguities. What are the three types of normalization techniques?

Options are :

  • First normal form (1NF), Second normal form (2NF), and Third normal form (3NF) (Correct)
  • Primary normal form (PNF), Secondary normal form (SNF), and Tertiary normal form (TNF)
  • Base normal form (BANF), Advance normal form (ADNF), and Absolute normal form (ABNF)
  • First normalization form (1stNF), Second normalization form (2ndNF), and Third normalization form (3rdNF)

Answer : First normal form (1NF), Second normal form (2NF), and Third normal form (3NF)

Identify two additional defensive measures an analyst should utilize for inspecting DNS traffic. (Choose Two.)

Options are :

  • Utilize Cisco’s FirePower DNS Inspection Policy. (Correct)
  • Block all traffic from hosts originating from whitelisted domains with high reputation scores.
  • Flag DNS packets that contain hostnames of lengths greater than 52 characters and do not match common, dictionary-derived words and phrases. (Correct)
  • Whitelist traffic from sites where the domain registrar has a poor reputation score that is reported by domaintools.com.

Answer : Utilize Cisco’s FirePower DNS Inspection Policy; Flag DNS packets that contain hostnames of lengths greater than 52 characters and do not match common, dictionary-derived words and phrases.
