Which type of attack is a blank email with the subject "price deduction" that contains a malicious attachment?
Which incidence response step includes identifying all hosts affected by an attack?
Which signature impacts network traffic by causing legitimate traffic to be blocked?
Which HTTP header field is used in forensics to identify the type of browser used?
Which step in the incident response process researches an attacking host through logs in a SIEM?
A network engineer noticed in the NetFlow report that internal hosts are sending many DNS requests to external DNS servers A SOC analyst checked the endpoints and discovered that they are infected and became part of the botnet Endpoints are sending multiple DNS requests but with spoofed IP addresses of valid external sources What kind of attack are infected endpoints involved in1?
What are two differences in how tampered and untampered disk images affect a security incident? (Choose two.)
What is the difference between deep packet inspection and stateful inspection?
What is the difference between inline traffic interrogation and traffic mirroring?
What is the difference between deep packet inspection and stateful inspection?
What describes the impact of false-positive alerts compared to false-negative alerts?
Refer to the exhibit.
Which stakeholders must be involved when a company workstation is compromised?
Drag and drop the definition from the left onto the phase on the right to classify intrusion events according to the Cyber Kill Chain model.
An engineer is investigating a case of the unauthorized usage of the “Tcpdump†tool. The analysis revealed that a malicious insider attempted to sniff traffic on a specific interface. What type of information did the malicious insider attempt to obtain?
An engineer needs to configure network systems to detect command and control communications by decrypting ingress and egress perimeter traffic and allowing network security devices to detect malicious outbound communications. Which technology should be used to accomplish the task?
Refer to the exhibit.
Drag and drop the element name from the left onto the correct piece of the PCAP file on the right.
A user received an email attachment named "Hr405-report2609-empl094.exe" but did not run it. Which category of the cyber kill chain should be assigned to this type of event?
Which evasion method involves performing actions slower than normal to prevent detection?
Refer to the exhibit.
What is the potential threat identified in this Stealthwatch dashboard?
An analyst is investigating an incident in a SOC environment. Which method is used to identify a session from a group of logs?
Which open-sourced packet capture tool uses Linux and Mac OS X operating systems?
An engineer needs to have visibility on TCP bandwidth usage, response time, and latency, combined with deep packet inspection to identify unknown software by its network traffic flow. Which two features of Cisco Application Visibility and Control should the engineer use to accomplish this goal? (Choose two.)
What is the difference between statistical detection and rule-based detection models?
A system administrator is ensuring that specific registry information is accurate.
Which type of configuration information does the HKEY_LOCAL_MACHINE hive contain?
Refer to the exhibit.
A company employee is connecting to mail google.com from an endpoint device. The website is loaded but with an error. What is occurring?
Syslog collecting software is installed on the server For the log containment, a disk with FAT type partition is used An engineer determined that log files are being corrupted when the 4 GB tile size is exceeded. Which action resolves the issue?
Which data format is the most efficient to build a baseline of traffic seen over an extended period of time?
Which information must an organization use to understand the threats currently targeting the organization?
Which evasion technique is indicated when an intrusion detection system begins receiving an abnormally high volume of scanning from numerous sources?
What is the difference between discretionary access control (DAC) and role-based access control (RBAC)?
What is the difference between inline traffic interrogation (TAPS) and traffic mirroring (SPAN)?
A security expert is working on a copy of the evidence, an ISO file that is saved in CDFS format. Which type of evidence is this file?
What is the difference between the ACK flag and the RST flag in the NetFlow log session?
Which principle is being followed when an analyst gathers information relevant to a security incident to determine the appropriate course of action?
Drag and drop the security concept on the left onto the example of that concept on the right.
When trying to evade IDS/IPS devices, which mechanism allows the user to make the data incomprehensible without a specific key, certificate, or password?
Refer to the exhibit.
An engineer is analyzing this Cuckoo Sandbox report for a PDF file that has been downloaded from an email. What is the state of this file?
Refer to the exhibit.
What is the potential threat identified in this Stealthwatch dashboard?
Which NIST IR category stakeholder is responsible for coordinating incident response among various business units, minimizing damage, and reporting to regulatory agencies?
Refer to the exhibit.
A company's user HTTP connection to a malicious site was blocked according to configured policy What is the source technology used for this measure'?
An analyst is investigating a host in the network that appears to be communicating to a command and control server on the Internet. After collecting this packet capture, the analyst cannot determine the technique and payload used for the communication.
Which obfuscation technique is the attacker using?
An engineer is addressing a connectivity issue between two servers where the remote server is unable to establish a successful session. Initial checks show that the remote server is not receiving an SYN-ACK while establishing a session by sending the first SYN. What is causing this issue?
What is the practice of giving an employee access to only the resources needed to accomplish their job?
Which element is included in an incident response plan as stated m NIST SP800-617
A network engineer discovers that a foreign government hacked one of the defense contractors in their home country and stole intellectual property. What is the threat agent in this situation?
An investigator is examining a copy of an ISO file that is stored in CDFS format. What type of evidence is this file?
An analyst received a ticket regarding a degraded processing capability for one of the HR department's servers. On the same day, an engineer noticed a disabled antivirus software and was not able to determine when or why it occurred. According to the NIST Incident Handling Guide, what is the next phase of this investigation?
According to the NIST SP 800-86. which two types of data are considered volatile? (Choose two.)
Refer to the exhibit. An attacker scanned the server using Nmap. What did the attacker obtain from this scan?
What is a difference between inline traffic interrogation and traffic mirroring?
An employee received an email from a colleague’s address asking for the password for the domain controller. The employee noticed a missing letter within the sender’s address. What does this incident describe?
An engineer is analyzing a recent breach where confidential documents were altered and stolen by the receptionist. Further analysis shows that the threat actor connected an externa USB device to bypass security restrictions and steal data. The engineer could not find an external USB device Which piece of information must an engineer use for attribution in an investigation?
What is the difference between deep packet inspection and stateful inspection?
An analyst is using the SIEM platform and must extract a custom property from a Cisco device and capture the phrase, "File: Clean." Which regex must the analyst import?
Which two elements are assets in the role of attribution in an investigation? (Choose two.)
Refer to the exhibit.
An engineer is reviewing a Cuckoo report of a file. What must the engineer interpret from the report?
Drag and drop the data source from the left onto the data type on the right.
Drag and drop the event term from the left onto the description on the right.
Which data type is necessary to get information about source/destination ports?
Which two elements of the incident response process are stated in NIST SP 800-61 r2? (Choose two.)
Refer to the exhibit.
A network administrator is investigating suspicious network activity by analyzing captured traffic. An engineer notices abnormal behavior and discovers that the default user agent is present in the headers of requests and data being transmitted What is occurring?