Test : CCNA Cyber Ops - SECOPS # 210-255

What is the first phase in the incident response life cycle?

Options are :

  • identification
  • containment
  • preparation (Correct)
  • reporting

Answer : preparation

Which CSIRT category provides incident handling services to a country?

Options are :

  • internal CSIRT
  • national CSIRT (Correct)
  • coordination centers
  • analysis centers
  • vendor teams
  • incident response providers

Answer : national CSIRT

Which CSIRT category coordinates and facilitates the handling of incidents across various CSIRTs?

Options are :

  • internal CSIRT
  • national CSIRT
  • coordination centers (Correct)
  • analysis centers
  • vendor teams
  • incident response providers

Answer : coordination centers

What does the CSIRT incident analysis center usually do?

Options are :

  • provide incident handling services to their parent organization
  • provide incident handling services to a country
  • coordinate and facilitate the handling of incidents across various CSIRTs
  • focus on synthesizing data from various sources to determine trends and patterns in incident activity (Correct)
  • handle reports of vulnerabilities in their software or hardware products
  • offer incident handling services as a for-fee service to other organizations

Answer : focus on synthesizing data from various sources to determine trends and patterns in incident activity

Which four VERIS components are used to describe an incident? (Choose four.)

Options are :

  • authorization
  • actions (Correct)
  • authentication
  • attributes (Correct)
  • assets (Correct)
  • accounting
  • access control list
  • actors (Correct)
  • alarm
  • adjacency

Answer : actions attributes assets actors

Which two statements are true regarding the delivery phase in the cyber kill chain model? (Choose two.)

Options are :

  • Delivery is the transmission of the payload to the target via a communication vector. (Correct)
  • Obfuscating the payload’s code is not a valid technique for minimizing the chance of detection during the delivery process.
  • Methods for accomplishing delivery can include email attachments, phishing emails, directing individuals to websites, and USB devices. (Correct)
  • Transmission cannot take multiple forms, and most delivery techniques cannot be uniquely tailored to the targeted individual or system.

Answer : Delivery is the transmission of the payload to the target via a communication vector. Methods for accomplishing delivery can include email attachments, phishing emails, directing individuals to websites, and USB devices.

Which element is included in an incident response plan?

Options are :

  • junior analyst approval
  • day-to-day firefighting
  • organization mission (Correct)
  • siloed approach to communications

Answer : organization mission

Which Security Operations Center’s goal is to provide incident handling to a country?

Options are :

  • Internal CSIRT
  • Analysis Center
  • Coordination Center
  • National CSIRT (Correct)

Answer : National CSIRT

Which source provides reports of vulnerabilities in software and hardware to a Security Operations Center?

Options are :

  • National CSIRT
  • Analysis Center
  • Physical Security
  • Internal CSIRT (Correct)

Answer : Internal CSIRT

Evidence is vital in resolving cyber crimes. It is a must to find, preserve, protect, and present evidence until either the case is resolved or the perpetrator of the cyber crime is prosecuted in court. Which of the following terms best describes the course that evidence takes from the time it’s found until the case is closed or goes to court for prosecution?

Options are :

  • Chain of custody (Correct)
  • Path of justice
  • Chain of evidence
  • Law of probability

Answer : Chain of custody

Which two HTTP header fields relate to intrusion analysis? (Choose two.)

Options are :

  • user-agent (Correct)
  • host (Correct)
  • connection
  • handshake type
  • language

Answer : user-agent host

In NSM data types, which two statements are true regarding alert data and metadata? (Choose two.)

Options are :

  • Metadata can be used to augment the NSM data that is directly collected in the SOC. (Correct)
  • Alert data can be used to augment the NSM data that is directly collected in the SOC.
  • Metadata is typically produced by IPS systems.
  • Alert data is typically produced by IPS systems. (Correct)

Answer : Metadata can be used to augment the NSM data that is directly collected in the SOC. Alert data is typically produced by IPS systems.

What information from HTTP logs can be used to find a threat actor?

Options are :

  • URL
  • IP address (Correct)
  • user-agent
  • referer

Answer : IP address

How many clusters can a FAT32 file system manage?

Options are :

  • 268,435,456 (Correct)
  • 65,536
  • 4,096
  • 4,294,967,296

Answer : 268,435,456

Which type of analysis allows you to see how likely an exploit could affect your network?

Options are :

  • inferential
  • causal
  • descriptive
  • probabilistic (Correct)

Answer : probabilistic

Which two of the following are best practices to help reduce the possibility of malware arriving on the target systems? (Choose two.)

Options are :

  • When developing software, implement secure coding practices, which may help reduce Remote Code Execution (RCE) exploits. (Correct)
  • Provide each workstation the ability to perform full-packet capture, providing the users the ability to perform "self-inspection" on local network events.
  • Allow users to configure their web browser’s security profiles so they can browse the Internet with fewer warning messages.
  • Provide the SOC analysts with tools such as ELSA to provide the ability to search and correlate security events. (Correct)
  • With client-side attacks being a very common attack vector, disable the safe browsing feature on the browser.

Answer : When developing software, implement secure coding practices, which may help reduce Remote Code Execution (RCE) exploits. Provide the SOC analysts with tools such as ELSA to provide the ability to search and correlate security events.

Which of the following statements are true regarding the NTFS file system? (Choose three.)

Options are :

  • NTFS has a file called $MFT where there is an entry for each file in the partition. (Correct)
  • Data for very small files can be stored in the MFT itself. This is referred to as resident data. (Correct)
  • The cluster allocation is tracked in the FAT table.
  • NTFS supports time-stamping for files (MACE). (Correct)

Answer : NTFS has a file called $MFT where there is an entry for each file in the partition. Data for very small files can be stored in the MFT itself. This is referred to as resident data. NTFS supports time-stamping for files (MACE).

Which of the following is not an environmental threat to the digital evidence?

Options are :

  • High decibel noise (Correct)
  • Fire or extreme heat
  • Water logging or flooding
  • Presence of extreme electromagnetic fields or Electromagnetic Interference (EMI)

Answer : High decibel noise

Which element is part of an incident response plan?

Options are :

  • backups
  • disaster recovery
  • organizational approach to security
  • organizational approach to incident response (Correct)

Answer : organizational approach to incident response

Security Onion is composed of which two components? (Choose two.)

Options are :

  • Metasploit
  • ELSA (Correct)
  • Snort (Correct)
  • Nessus
  • Netwitness

Answer : ELSA Snort

During the cyber threat hunting cycle, what is the next step after the analyst created a hypothesis?

Options are :

  • investigate the specific IOCs to determine what activities support them
  • based on the hypothesis, discover a pattern or the attacker’s tactics, techniques, and procedures
  • document the hypothesis
  • perform an investigation to validate the hypothesis (Correct)

Answer : perform an investigation to validate the hypothesis

Which of the following statements describe a partition table? (Choose two.)

Options are :

  • It is only available in FAT32 not in NTFS.
  • It is available on solid state disks only.
  • It is located in the master boot record (MBR). (Correct)
  • It keeps track of the various partitions on a hard drive. (Correct)

Answer : It is located in the master boot record (MBR). It keeps track of the various partitions on a hard drive.

Which stakeholder group is responsible for containment, eradication, and recovery in incident handling?

Options are :

  • practitioners
  • facilitators
  • decision makers
  • leaders and managers (Correct)

Answer : leaders and managers

Which option is a misuse variety per VERIS enumerations?

Options are :

  • hacking
  • snooping
  • theft
  • assault
  • Knowledge abuse (Correct)

Answer : Knowledge abuse

What is the most important step when identifying the company’s assets?

Options are :

  • identify all the users of the asset
  • group the assets by their age
  • determine the asset hardware monetary value
  • categorize the asset criticality (Correct)

Answer : categorize the asset criticality

What are the three broad categories of cyber security investigations?

Options are :

  • Direct investigation, indirect investigation, and open investigation
  • Best evidence, corroborating evidence, and indirect or circumstantial evidence
  • Open-ended questioning investigation, closed-ended questioning investigation, and court questioning investigation
  • Public investigations, private investigations, and individual investigations (Correct)

Answer : Public investigations, private investigations, and individual investigations

What does the CSIRT incident response provider usually do?

Options are :

  • provide incident handling services to their parent organization
  • provide incident handling services to a country
  • handle reports of vulnerabilities in their software or hardware products
  • coordinate and facilitate the handling of incidents across various CSIRTs
  • offer incident handling services as a for-fee service to other organizations (Correct)
  • focus on synthesizing data from various sources to determine trends and patterns in incident activity

Answer : offer incident handling services as a for-fee service to other organizations

Evidence tendered in legal cases, such as criminal trials, is classified as witness testimony or direct evidence, or as indirect evidence in the form of an object, such as a physical document, the property owned by a person, and so forth. What type of evidence will be considered most dependable in a court of law?

Options are :

  • Indirect
  • Direct (Correct)
  • Best
  • Circumstantial

Answer : Direct

What mechanism does the Linux operating system provide to control access to files?

Options are :

  • file permissions (Correct)
  • access complexity
  • user interaction
  • privileges required

Answer : file permissions

Which CSIRT category handles reports of vulnerabilities in their software or hardware products?

Options are :

  • coordination centers
  • analysis centers
  • vendor teams (Correct)
  • national CSIRT
  • internal CSIRT
  • incident response providers

Answer : vendor teams

A court would only accept digital evidence based on its originality, and the ruling will be based on the same. Which of the following evidence collection methods is most likely to be acceptable in a court case?

Options are :

  • Provide a mirror image of the hard drive related to the incident. (Correct)
  • Provide a disk image that contains bits and fragments specific to the incident.
  • Provide a list of all applications and files accessed at the time of the incident.
  • Provide a full system backup and network inventory at time of incident.

Answer : Provide a mirror image of the hard drive related to the incident.

What type of logs could possibly offer evidence that an attacker compromised the SQL database?

Options are :

  • MSSQL logs
  • DBA logs
  • Event logs (Correct)
  • System logs

Answer : Event logs

What is a free and open transport mechanism that standardizes the automated exchange of cyber threat information?

Options are :

  • RESTful
  • NetFlow
  • TAXII (Correct)
  • VERIS
  • TLP

Answer : TAXII

Which two statements are true regarding the exploitation phase in the cyber kill chain model? (Choose two.)

Options are :

  • The exploitation phase describes what occurs once the malicious code is executed before the weapon delivery.
  • When the exploit is conducted, the attacker “breaks” the vulnerability to gain control of the machine. (Correct)
  • Selection of the exploit is not important in the exploitation phase.
  • Threat actors commonly exploit or target one of three critical weaknesses in the defensive posture: an application, an operating system vulnerability, or the users. (Correct)

Answer : When the exploit is conducted, the attacker “breaks” the vulnerability to gain control of the machine. Threat actors commonly exploit or target one of three critical weaknesses in the defensive posture: an application, an operating system vulnerability, or the users.

During the seizure of digital evidence such as a PC or a router, which of the following statements holds true?

Options are :

  • The suspect cannot be allowed to access the digital evidence under any circumstances. (Correct)
  • The suspect cannot be allowed to access the digital evidence unless under supervision by security personnel.
  • The suspect can be allowed to access the digital evidence with no precursors.
  • The suspect can be allowed to access the digital evidence with some mandatory precursors in place, as defined by law.

Answer : The suspect cannot be allowed to access the digital evidence under any circumstances.

Which type of workflow is flow-based, progresses from one stage to the next, and does not step backward?

Options are :

  • state machine
  • sequential (Correct)
  • rules-driven
  • object-based
  • process-based

Answer : sequential

Which statement about the dwell time is correct?

Options are :

  • It is the same as the time to triage.
  • It is the same as the time to detection. (Correct)
  • It is the same as the time to containment.
  • It is the same as the time to mitigation.

Answer : It is the same as the time to detection.

In NSM data types, which two statements describe full packet capture and extracted content? (Choose two.)

Options are :

  • Extracted content records all the network traffic at some particular locations in the network.
  • Most often, full packet capture takes the form of files such as images retrieved by a web browser or attachments to email messages.
  • Most often, extracted content takes the form of files such as images retrieved by a web browser or attachments to email messages. (Correct)
  • Full packet capture records all the network traffic at some particular locations in the network. (Correct)
  • A SOC analyst examining extracted content is analogous to a detective reviewing a wiretap.

Answer : Most often, extracted content takes the form of files such as images retrieved by a web browser or attachments to email messages. Full packet capture records all the network traffic at some particular locations in the network.

Which three perspectives does the impact assessment section leverage in order to provide an understanding and measure of consequence that is associated with the incident? (Choose three.)

Options are :

  • estimates the magnitude of the varieties of losses (Correct)
  • translates the details of the incident into a form that is more suitable for trending and analysis
  • stores the general information about the incident to analyze later
  • captures the timeline of the events and how the incident was discovered
  • captures a qualitative assessment of the overall effect on the organization (Correct)
  • captures the details of the organization that is affected by the incident
  • categorizes the varieties of losses experienced (Correct)

Answer : estimates the magnitude of the varieties of losses captures a qualitative assessment of the overall effect on the organization categorizes the varieties of losses experienced

Which of the following statements best describes file carving?

Options are :

  • Removing infected files
  • Using a different OS to analyze files
  • Breaking a file into smaller pieces for analysis
  • Finding the header and footer of a file and carving out what is in between (Correct)

Answer : Finding the header and footer of a file and carving out what is in between

Which option allows a file to be extracted from a TCP stream within Wireshark?

Options are :

  • View > Extract
  • Tools > Export > TCP
  • File > Export Objects (Correct)
  • Analyze > Extract

Answer : File > Export Objects

What is the main purpose of write-protecting a drive?

Options are :

  • All of these answers are correct.
  • To ensure evidence is not accidentally contaminated by the addition or amending of critical data. (Correct)
  • To ensure that the drive is still usable once retrieved from crime scene.
  • This is the Standard Operating Procedure as outlined by NIST.

Answer : To ensure evidence is not accidentally contaminated by the addition or amending of critical data.

Which is not a primary element of an incident response policy?

Options are :

  • penetration testing requirements (Correct)
  • how the incident response team will communicate with the other teams
  • getting buy-in from senior management
  • the missions, strategies, and goals of the organization

Answer : penetration testing requirements

What is the typical next step after the analyst runs the plays in the playbook?

Options are :

  • mitigation and remediation (Correct)
  • collect and analyze
  • information sharing
  • detection

Answer : mitigation and remediation

What are the three types of evidence?

Options are :

  • Best evidence, corroborating evidence, and indirect or circumstantial evidence (Correct)
  • Broad evidence, supportive evidence, and circumstantial evidence
  • Best evidence, corroborating evidence, and internal investigation lead evidence
  • Broad evidence, corroborating evidence, and investigative evidence

Answer : Best evidence, corroborating evidence, and indirect or circumstantial evidence

During forensic analysis of a PC, it is highly desirable to analyze the information in a particular order. The objects to be analyzed are hard drive, RAM, DVD, and swap file. Which of the following illustrates the best way to conduct the analysis?

Options are :

  • Hard drive, DVD, swap file, RAM
  • Hard drive, RAM, DVD, swap file
  • RAM, hard drive, swap file, DVD
  • RAM, swap file, hard drive, DVD (Correct)

Answer : RAM, swap file, hard drive, DVD

Before powering off a computer system that is possible evidence of a cyber crime, the investigator should note the contents of the display screen and do what else?

Options are :

  • Back up the hard drive
  • Don’t switch off the system; put it into sleep or hibernation mode
  • Save the contents of applications to a disk
  • Dump the memory contents to a disk (Correct)

Answer : Dump the memory contents to a disk

Which data type is protected under the PCI compliance framework?

Options are :

  • health conditions
  • credit card type
  • primary account number (Correct)
  • provision of individual care

Answer : primary account number

Which component of the NIST SP800-61 r2 incident handling strategy reviews data?

Options are :

  • post-incident analysis (Correct)
  • containment, eradication, and recovery
  • detection and analysis
  • preparation

Answer : post-incident analysis
