An attacker exploits the logic validation mechanisms of an e-commerce website. He successfully purchases a product worth $100 for $10 by modifying the URL exchanged between the client and the server.
Original URL: http://www.buyonline.com/product.aspx?profile=12&debit=100
Modified URL: http://www.buyonline.com/product.aspx?profile=12&debit=10
Identify the attack depicted in the above scenario.

A. Denial-of-Service Attack

B. SQL Injection Attack

C. Parameter Tampering Attack

D. Session Fixation Attack

Identify the type of attack, an attacker is attempting on www.example.com website.
 

A. Cross-site Scripting Attack

B. Session Attack

C. Denial-of-Service Attack

D. SQL Injection Attack

Shawn is a security manager working at Lee Inc Solution. His organization wants to develop threat intelligent strategy plan. As a part of threat intelligent strategy plan, he suggested various components, such as threat intelligence requirement analysis, intelligence and collection planning, asset identification, threat reports, and intelligence buy-in.
Which one of the following components he should include in the above threat intelligent strategy plan to make it effective?

A. Threat pivoting

B. Threat trending

C. Threat buy-in

D. Threat boosting

Which of the log storage method arranges event logs in the form of a circular buffer?

A. FIFO

B. LIFO

C. non-wrapping

D. wrapping

What does the HTTP status codes 1XX represents?

A. Informational message

B. Client error

C. Success

D. Redirection

In which of the following incident handling and response stages, the root cause of the incident must be found from the forensic results?

A. Evidence Gathering

B. Evidence Handling

C. Eradication

D. Systems Recovery

What does [-n] in the following checkpoint firewall log syntax represents? fw log [-f [-t]] [-n] [-l] [-o] [-c action] [-h host] [-s starttime] [-e endtime] [-b starttime endtime] [-u unification_scheme_file] [-m unification_mode(initial|semi|raw)] [-a] [-k (alert name|all)] [-g] [logfile]

A. Speed up the process by not performing IP addresses DNS resolution in the Log files

B. Display both the date and the time for each log record

C. Display account log records only

D. Display detailed log chains (all the log segments a log record consists of)

John as a SOC analyst is worried about the amount of Tor traffic hitting the network. He wants to prepare a dashboard in the SIEM to get a graph to identify the locations from where the TOR traffic is coming.
Which of the following data source will he use to prepare the dashboard?

A. DHCP/Logs capable of maintaining IP addresses or hostnames with IPtoName resolution.

B. IIS/Web Server logs with IP addresses and user agent IPtouseragent resolution.

C. DNS/ Web Server logs with IP addresses.

D. Apache/ Web Server logs with IP addresses and Host Name.

Which of the following fields in Windows logs defines the type of event occurred, such as Correlation Hint, Response Time, SQM, WDI Context, and so on?

A. Keywords

B. Task Category

C. Level

D. Source

Which of the following command is used to view iptables logs on Ubuntu and Debian distributions?

A. $ tailf /var/log/sys/kern.log

B. $ tailf /var/log/kern.log

C. # tailf /var/log/messages

D. # tailf /var/log/sys/messages

Identify the attack when an attacker by several trial and error can read the contents of a password file present in the restricted etc folder just by manipulating the URL in the browser as shown: http://www.terabytes.com/process.php./../../../../etc/passwd

A. Directory Traversal Attack

B. SQL Injection Attack

C. Denial-of-Service Attack

D. Form Tampering Attack

Robin, a SOC engineer in a multinational company, is planning to implement a SIEM. He realized that his organization is capable of performing only Correlation, Analytics, Reporting, Retention, Alerting, and Visualization required for the SIEM implementation and has to take collection and aggregation services from a Managed Security Services Provider (MSSP).
What kind of SIEM is Robin planning to implement?

A. Self-hosted, Self-Managed

B. Self-hosted, MSSP Managed

C. Hybrid Model, Jointly Managed

D. Cloud, Self-Managed

Which of the following command is used to enable logging in iptables?

A. $ iptables -B INPUT -j LOG

B. $ iptables -A OUTPUT -j LOG

C. $ iptables -A INPUT -j LOG

D. $ iptables -B OUTPUT -j LOG

Which encoding replaces unusual ASCII characters with "%" followed by the character’s two-digit ASCII code expressed in hexadecimal?

A. Unicode Encoding

B. UTF Encoding

C. Base64 Encoding

D. URL Encoding

What does Windows event ID 4740 indicate?

A. A user account was locked out.

B. A user account was disabled.

C. A user account was enabled.

D. A user account was created.

Which of the following framework describes the essential characteristics of an organization's security engineering process that must exist to ensure good security engineering?

A. COBIT

B. ITIL

C. SSE-CMM

D. SOC-CMM

Which of the following event detection techniques uses User and Entity Behavior Analytics (UEBA)?

A. Rule-based detection

B. Heuristic-based detection

C. Anomaly-based detection

D. Signature-based detection

Sam, a security analyst with INFOSOL INC., while monitoring and analyzing IIS logs, detected an event matching regex /w*((%27)|(’))((%6F)|o|(%4F))((%72)|r|(%52))/ix.
What does this event log indicate?

A. SQL Injection Attack

B. Parameter Tampering Attack

C. XSS Attack

D. Directory Traversal Attack

Jony, a security analyst, while monitoring IIS logs, identified events shown in the figure below.
 
What does this event log indicate?

A. Parameter Tampering Attack

B. XSS Attack

C. Directory Traversal Attack

D. SQL Injection Attack

Wesley is an incident handler in a company named Maddison Tech. One day, he was learning techniques for eradicating the insecure deserialization attacks.
What among the following should Wesley avoid from considering?

A. Deserialization of trusted data must cross a trust boundary

B. Understand the security permissions given to serialization and deserialization

C. Allow serialization for security-sensitive classes

D. Validate untrusted input, which is to be serialized to ensure that serialized data contain only trusted classes

Which one of the following is the correct flow for Setting Up a Computer Forensics Lab?

A. Planning and budgeting –> Physical location and structural design considerations –> Work area considerations –> Human resource considerations –> Physical security recommendations –> Forensics lab licensing

B. Planning and budgeting –> Physical location and structural design considerations–> Forensics lab licensing –> Human resource considerations –> Work area considerations –> Physical security recommendations

C. Planning and budgeting –> Forensics lab licensing –> Physical location and structural design considerations –> Work area considerations –> Physical security recommendations –> Human resource considerations

D. Planning and budgeting –> Physical location and structural design considerations –> Forensics lab licensing –>Work area considerations –> Human resource considerations –> Physical security recommendations

Which of the following Windows features is used to enable Security Auditing in Windows?

A. Bitlocker

B. Windows Firewall

C. Local Group Policy Editor

D. Windows Defender

According to the forensics investigation process, what is the next step carried out right after collecting the evidence?

A. Create a Chain of Custody Document

B. Send it to the nearby police station

C. Set a Forensic lab

D. Call Organizational Disciplinary Team

Which of the following can help you eliminate the burden of investigating false positives?

A. Keeping default rules

B. Not trusting the security devices

C. Treating every alert as high level

D. Ingesting the context data

John, a SOC analyst, while monitoring and analyzing Apache web server logs, identified an event log matching Regex /(.|(%|%25)2E)(.|(%|%25)2E)(/|(%|%25)2F||(%|%25)5C)/i.
What does this event log indicate?

A. XSS Attack

B. SQL injection Attack

C. Directory Traversal Attack

D. Parameter Tampering Attack

What does the Security Log Event ID 4624 of Windows 10 indicate?

A. Service added to the endpoint

B. A share was assessed

C. An account was successfully logged on

D. New process executed

Mike is an incident handler for PNP Infosystems Inc. One day, there was a ticket raised regarding a critical incident and Mike was assigned to handle the incident. During the process of incident handling, at one stage, he has performed incident analysis and validation to check whether the incident is a true incident or a false positive.
Identify the stage in which he is currently in.

A. Post-Incident Activities

B. Incident Recording and Assignment

C. Incident Triage

D. Incident Disclosure

In which phase of Lockheed Martin's – Cyber Kill Chain Methodology, adversary creates a deliverable malicious payload using an exploit and a backdoor?

A. Reconnaissance

B. Delivery

C. Weaponization

D. Exploitation

Banter is a threat analyst in Christine Group of Industries. As a part of the job, he is currently formatting and structuring the raw data.
He is at which stage of the threat intelligence life cycle?

A. Dissemination and Integration

B. Processing and Exploitation

C. Collection

D. Analysis and Production

Which of the following attack can be eradicated by using a safe API to avoid the use of the interpreter entirely?

A. Command Injection Attacks

B. SQL Injection Attacks

C. File Injection Attacks

D. LDAP Injection Attacks

Which of the following attack can be eradicated by disabling of "allow_url_fopen and allow_url_include" in the php.ini file?

A. File Injection Attacks

B. URL Injection Attacks

C. LDAP Injection Attacks

D. Command Injection Attacks

What type of event is recorded when an application driver loads successfully in Windows?

A. Error

B. Success Audit

C. Warning

D. Information

Ray is a SOC analyst in a company named Queens Tech. One Day, Queens Tech is affected by a DoS/DDoS attack. For the containment of this incident, Ray and his team are trying to provide additional bandwidth to the network devices and increasing the capacity of the servers.
What is Ray and his team doing?

A. Blocking the Attacks

B. Diverting the Traffic

C. Degrading the services

D. Absorbing the Attack

Which of the following contains the performance measures, and proper project and time management details?

A. Incident Response Policy

B. Incident Response Tactics

C. Incident Response Process

D. Incident Response Procedures

Which of the following are the responsibilities of SIEM Agents?
1. Collecting data received from various devices sending data to SIEM before forwarding it to the central engine.
2. Normalizing data received from various devices sending data to SIEM before forwarding it to the central engine.
3. Co-relating data received from various devices sending data to SIEM before forwarding it to the central engine.
4. Visualizing data received from various devices sending data to SIEM before forwarding it to the central engine.

A. 1 and 2

B. 2 and 3

C. 1 and 4

D. 3 and 1

Identify the password cracking attempt involving a precomputed dictionary of plaintext passwords and their corresponding hash values to crack the password.

A. Dictionary Attack

B. Rainbow Table Attack

C. Bruteforce Attack

D. Syllable Attack

Juliea a SOC analyst, while monitoring logs, noticed large TXT, NULL payloads.
What does this indicate?

A. Concurrent VPN Connections Attempt

B. DNS Exfiltration Attempt

C. Covering Tracks Attempt

D. DHCP Starvation Attempt

Which of the following is a Threat Intelligence Platform?

A. SolarWinds MS

B. TC Complete

C. Keepnote

D. Apility.io

Which of the following tool is used to recover from web application incident?

A. CrowdStrike FalconTM Orchestrator

B. Symantec Secure Web Gateway

C. Smoothwall SWG

D. Proxy Workbench

What does HTTPS Status code 403 represents?

A. Unauthorized Error

B. Not Found Error

C. Internal Server Error

D. Forbidden Error

A type of threat intelligent that find out the information about the attacker by misleading them is known as __________.

A. Threat trending Intelligence

B. Detection Threat Intelligence

C. Operational Intelligence

D. Counter Intelligence

Which of the following formula represents the risk levels?

A. Level of risk = Consequence × Severity

B. Level of risk = Consequence × Impact

C. Level of risk = Consequence × Likelihood

D. Level of risk = Consequence × Asset Value

Identify the event severity level in Windows logs for the events that are not necessarily significant, but may indicate a possible future problem.

A. Failure Audit

B. Warning

C. Error

D. Information

Which of the following formula represents the risk?

A. Risk = Likelihood × Severity × Asset Value

B. Risk = Likelihood × Consequence × Severity

C. Risk = Likelihood × Impact × Severity

D. Risk = Likelihood × Impact × Asset Value

An attacker, in an attempt to exploit the vulnerability in the dynamically generated welcome page, inserted code at the end of the company’s URL as follows: http://technosoft.com.com/alert("WARNING: The application has encountered an error");.
Identify the attack demonstrated in the above scenario.

A. Cross-site Scripting Attack

B. SQL Injection Attack

C. Denial-of-Service Attack

D. Session Attack

Which of the following technique involves scanning the headers of IP packets leaving a network to make sure that the unauthorized or malicious traffic never leaves the internal network?

A. Egress Filtering

B. Throttling

C. Rate Limiting

D. Ingress Filtering

Which attack works like a dictionary attack, but adds some numbers and symbols to the words from the dictionary and tries to crack the password?

A. Hybrid Attack

B. Bruteforce Attack

C. Rainbow Table Attack

D. Birthday Attack

Identify the HTTP status codes that represents the server error.

A. 2XX

B. 4XX

C. 1XX

D. 5XX

What is the process of monitoring and capturing all data packets passing through a given network using different tools?

A. Network Scanning

B. DNS Footprinting

C. Network Sniffing

D. Port Scanning

David is a SOC analyst in Karen Tech. One day an attack is initiated by the intruders but David was not able to find any suspicious events.
This type of incident is categorized into __________?

A. True Positive Incidents

B. False positive Incidents

C. True Negative Incidents

D. False Negative Incidents