350-201 Mock Test Free – 50 Realistic Questions to Prepare with Confidence.
Getting ready for your 350-201 certification exam? Start your preparation the smart way with our 350-201 Mock Test Free – a carefully crafted set of 50 realistic, exam-style questions to help you practice effectively and boost your confidence.
Using a free mock test for the 350-201 exam is one of the best ways to:
- Familiarize yourself with the actual exam format and question style
- Identify areas where you need more review
- Strengthen your time management and test-taking strategy
Below, you will find 50 free questions from our 350-201 Mock Test Free resource. These questions are structured to reflect the real exam’s difficulty and content areas, helping you assess your readiness accurately.
An engineer wants to review the packet overviews of SNORT alerts. When printing the SNORT alerts, all the packet headers are included, and the file is too large to utilize. Which action is needed to correct this problem?
A. Modify the alert rule to "output alert_syslog: output log"
B. Modify the output module rule to "output alert_quick: output filename"
C. Modify the alert rule to "output alert_syslog: output header"
D. Modify the output module rule to "output alert_fast: output filename"
Refer to the exhibit. A security analyst needs to investigate a security incident involving several suspicious connections with a possible attacker. Which tool should the analyst use to identify the source IP of the offender?
A. packet sniffer
B. malware analysis
C. SIEM
D. firewall manager
Refer to the exhibit. An engineer must tune the Cisco IOS device to mitigate an attack that is broadcasting a large number of ICMP packets. The attack is sending the victim's spoofed source IP to a network using an IP broadcast address that causes devices in the network to respond back to the source IP address. Which action does the engineer recommend?
A. Use command ip verify reverse-path interface
B. Use global configuration command service tcp-keepalives-out
C. Use subinterface command no ip directed-broadcast
D. Use logging trap 6
DRAG DROP - An engineer notices that unauthorized software was installed on the network and discovers that it was installed by a dormant user account. The engineer suspects an escalation of privilege attack and responds to the incident. Drag and drop the activities from the left into the order for the response on the right. Select and Place:
A threat actor used a phishing email to deliver a file with an embedded macro. The file was opened, and a remote code execution attack occurred in a company's infrastructure. Which steps should an engineer take at the recovery stage?
A. Determine the systems involved and deploy available patches
B. Analyze event logs and restrict network access
C. Review access lists and require users to increase password complexity
D. Identify the attack vector and update the IDS signature list
What is a benefit of key risk indicators?
A. clear perspective into the risk position of an organization
B. improved visibility on quantifiable information
C. improved mitigation techniques for unknown threats
D. clear procedures and processes for organizational risk
DRAG DROP - Drag and drop the function on the left onto the mechanism on the right. Select and Place:
What is a principle of Infrastructure as Code?
A. System maintenance is delegated to software systems
B. Comprehensive initial designs support robust systems
C. Scripts and manual configurations work together to ensure repeatable routines
D. System downtime is grouped and scheduled across the infrastructure
A security incident affected an organization's critical business services, and the customer-side web API became unresponsive and crashed. An investigation revealed a spike of API call requests and a high number of inactive sessions during the incident. Which two recommendations should the engineers make to prevent similar incidents in the future? (Choose two.)
A. Configure shorter timeout periods.
B. Determine API rate-limiting requirements.
C. Implement API key maintenance.
D. Automate server-side error reporting for customers.
E. Decrease simultaneous API responses.
A cloud engineer needs a solution to deploy applications on a cloud without being able to manage and control the server OS. Which type of cloud environment should be used?
A. IaaS
B. PaaS
C. DaaS
D. SaaS
A threat actor has crafted and sent a spear-phishing email with what appears to be a trustworthy link to the site of a conference that an employee recently attended. The employee clicked the link and was redirected to a malicious site through which the employee downloaded a PDF attachment infected with ransomware. The employee opened the attachment, which exploited vulnerabilities on the desktop. The ransomware is now installed and is calling back to its command and control server. Which security solution is needed at this stage to mitigate the attack?
A. web security solution
B. email security solution
C. endpoint security solution
D. network security solution
A SOC team receives multiple alerts from a rule that detects requests to malicious URLs and informs the incident response team to block the malicious URLs requested on the firewall. Which action will improve the effectiveness of the process?
A. Block local to remote HTTP/HTTPS requests on the firewall for users who triggered the rule.
B. Inform the user by enabling an automated email response when the rule is triggered.
C. Inform the incident response team by enabling an automated email response when the rule is triggered.
D. Create an automation script for blocking URLs on the firewall when the rule is triggered.
Refer to the exhibit. Which command was executed in PowerShell to generate this log?
A. Get-EventLog -LogName*
B. Get-EventLog -List
C. Get-WinEvent -ListLog* -ComputerName localhost
D. Get-WinEvent -ListLog*
A logistics company must use an outdated application located in a private VLAN during the migration to new technologies. The IPS blocked and reported an unencrypted communication. Which tuning option should be applied to the IPS?
A. Allow list only authorized hosts to contact the application’s IP at a specific port.
B. Allow list HTTP traffic through the corporate VLANS.
C. Allow list traffic to application’s IP from the internal network at a specific port.
D. Allow list only authorized hosts to contact the application’s VLAN.
Refer to the exhibit. How are tokens authenticated when the REST API on a device is accessed from a REST API client?
A. The token is obtained by providing a password. The REST client requests access to a resource using the access token. The REST API validates the access token and gives access to the resource.
B. The token is obtained by providing a password. The REST API requests access to a resource using the access token, validates the access token, and gives access to the resource.
C. The token is obtained before providing a password. The REST API provides resource access, refreshes tokens, and returns them to the REST client. The REST client requests access to a resource using the access token.
D. The token is obtained before providing a password. The REST client provides access to a resource using the access token. The REST API encrypts the access token and gives access to the resource.
What is idempotence?
A. the assurance of system uniformity throughout the whole delivery process
B. the ability to recover from failures while keeping critical services running
C. the necessity of setting maintenance of individual deployment environments
D. the ability to set the target environment configuration regardless of the starting state
An engineer is developing an application that requires frequent updates to close feedback loops and enable teams to quickly apply patches. The team wants their code updates to get to market as often as possible. Which software development approach should be used to accomplish these goals?
A. continuous delivery
B. continuous integration
C. continuous deployment
D. continuous monitoring
Refer to the exhibit. Where is the MIME type that should be followed indicated?
A. x-test-debug
B. strict-transport-security
C. x-xss-protection
D. x-content-type-options
The network operations center has identified malware, created a ticket within their ticketing system, and assigned the case to the SOC with high-level information. A SOC analyst was able to stop the malware from spreading and identified the attacking host. What is the next step in the incident response workflow?
A. eradication and recovery
B. post-incident activity
C. containment
D. detection and analysis
A company's web server availability was breached by a DDoS attack and was offline for 3 hours because it was not deemed a critical asset in the incident response playbook. Leadership has requested a risk assessment of the asset. An analyst conducted the risk assessment using the threat sources, events, and vulnerabilities. Which additional element is needed to calculate the risk?
A. assessment scope
B. event severity and likelihood
C. incident response playbook
D. risk model framework
Employees report computer system crashes within the same week. An analyst is investigating one of the computers that crashed and discovers multiple shortcuts in the system's startup folder. It appears that the shortcuts redirect users to malicious URLs. What is the next step the engineer should take to investigate this case?
A. Remove the shortcut files
B. Check the audit logs
C. Identify affected systems
D. Investigate the malicious URLs
DRAG DROP - Drag and drop the phases to evaluate the security posture of an asset from the left onto the activity that happens during the phases on the right. Select and Place:
Refer to the exhibit. An engineer is investigating a case with suspicious usernames within the active directory. After the engineer investigates and cross-correlates events from other sources, it appears that the 2 users are privileged, and their creation date matches suspicious network traffic that was initiated from the internal network 2 days prior. Which type of compromise is occurring?
A. compromised insider
B. compromised root access
C. compromised database tables
D. compromised network
A SOC team is investigating a recent, targeted social engineering attack on multiple employees. Cross-correlated log analysis revealed that two hours before the attack, multiple assets received requests on TCP port 79. Which action should be taken by the SOC team to mitigate this attack?
A. Disable BIND forwarding from the DNS server to avoid reconnaissance.
B. Disable affected assets and isolate them for further investigation.
C. Configure affected devices to disable NETRJS protocol.
D. Configure affected devices to disable the Finger service.
What is a limitation of cyber security risk insurance?
A. It does not cover the costs to restore stolen identities as a result of a cyber attack
B. It does not cover the costs to hire forensics experts to analyze the cyber attack
C. It does not cover the costs of damage done by third parties as a result of a cyber attack
D. It does not cover the costs to hire a public relations company to help deal with a cyber attack
A company recently started accepting credit card payments in their local warehouses and is undergoing a PCI audit. Based on business requirements, the company needs to store sensitive authentication data for 45 days. How must data be stored for compliance?
A. post-authorization by non-issuing entities if there is a documented business justification
B. by entities that issue the payment cards or that perform support issuing services
C. post-authorization by non-issuing entities if the data is encrypted and securely stored
D. by issuers and issuer processors if there is a legitimate reason
What do 2xx HTTP response codes indicate for REST APIs?
A. additional action must be taken by the client to complete the request
B. the server takes responsibility for error status codes
C. communication of transfer protocol-level information
D. successful acceptance of the client’s request
Refer to the exhibit. Cisco Advanced Malware Protection installed on an end-user desktop automatically submitted a low prevalence file to the Threat Grid analysis engine. What should be concluded from this report?
A. Threat scores are high, malicious ransomware has been detected, and files have been modified
B. Threat scores are low, malicious ransomware has been detected, and files have been modified
C. Threat scores are high, malicious activity is detected, but files have not been modified
D. Threat scores are low and no malicious file activity is detected
Refer to the exhibit. Where are the browser page rendering permissions displayed?
A. x-frame-options
B. x-xss-protection
C. x-content-type-options
D. x-test-debug
How is a SIEM tool used?
A. To collect security data from authentication failures and cyber attacks and forward it for analysis
B. To search and compare security data against acceptance standards and generate reports for analysis
C. To compare security alerts against configured scenarios and trigger system responses
D. To collect and analyze security data from network devices and servers and produce alerts
A security engineer discovers that a spreadsheet containing confidential information for nine of their employees was fraudulently posted on a competitor's website. The spreadsheet contains names, salaries, and social security numbers. What is the next step the engineer should take in this investigation?
A. Determine if there is internal knowledge of this incident.
B. Check incoming and outgoing communications to identify spoofed emails.
C. Disconnect the network from Internet access to stop the phishing threats and regain control.
D. Engage the legal department to explore action against the competitor that posted the spreadsheet.
A security expert is investigating a breach that resulted in a $32 million loss from customer accounts. Hackers were able to steal API keys and two-factor codes due to a vulnerability that was introduced in new code a few weeks before the attack. Which step was missed that would have prevented this breach?
A. use of the Nmap tool to identify the vulnerability when the new code was deployed
B. implementation of a firewall and intrusion detection system
C. implementation of an endpoint protection system
D. use of SecDevOps to detect the vulnerability during development
Refer to the exhibit. Cisco Advanced Malware Protection installed on an end-user desktop has automatically submitted a low prevalence file to the Threat Grid analysis engine for further analysis. What should be concluded from this report?
A. The prioritized behavioral indicators of compromise do not justify the execution of the "ransomware" because the scores do not indicate the likelihood of malicious ransomware.
B. The prioritized behavioral indicators of compromise do not justify the execution of the "ransomware" because the scores are high and do not indicate the likelihood of malicious ransomware.
C. The prioritized behavioral indicators of compromise justify the execution of the "ransomware" because the scores are high and indicate the likelihood that malicious ransomware has been detected.
D. The prioritized behavioral indicators of compromise justify the execution of the "ransomware" because the scores are low and indicate the likelihood that malicious ransomware has been detected.
Refer to the exhibit. An engineer is performing a static analysis on malware and knows that it is capturing keys and webcam events on a company server. What is the indicator of compromise?
A. The malware is performing comprehensive fingerprinting of the host, including a processor, motherboard manufacturer, and connected removable storage.
B. The malware is a ransomware querying for installed anti-virus products and operating systems to encrypt and render unreadable until payment is made for file decryption.
C. The malware has moved to harvesting cookies and stored account information from major browsers and configuring a reverse proxy for intercepting network activity.
D. The malware contains an encryption and decryption routine to hide URLs/IP addresses and is storing the output of loggers and webcam captures in locally encrypted files for retrieval.
Employees receive an email from an executive within the organization that summarizes a recent security breach and requests that employees verify their credentials through a provided link. Several employees report the email as suspicious, and a security analyst is investigating the reports. Which two steps should the analyst take to begin this investigation? (Choose two.)
A. Evaluate the intrusion detection system alerts to determine the threat source and attack surface.
B. Communicate with employees to determine who opened the link and isolate the affected assets.
C. Examine the firewall and HIPS configuration to identify the exploited vulnerabilities and apply recommended mitigation.
D. Review the mail server and proxy logs to identify the impact of a potential breach.
E. Check the email header to identify the sender and analyze the link in an isolated environment.
A malware outbreak is detected by the SIEM and is confirmed as a true positive. The incident response team follows the playbook to mitigate the threat. What is the first action for the incident response team?
A. Assess the network for unexpected behavior
B. Isolate critical hosts from the network
C. Patch detected vulnerabilities from critical hosts
D. Perform analysis based on the established risk factors
Refer to the exhibit. What results from this script?
A. Seeds for existing domains are checked
B. A search is conducted for additional seeds
C. Domains are compared to seed rules
D. A list of domains as seeds is blocked
DRAG DROP - Drag and drop the threat from the left onto the scenario that introduces the threat on the right. Not all options are used. Select and Place:
Refer to the exhibit. Which indicator of compromise is represented by this STIX?
A. website redirecting traffic to ransomware server
B. website hosting malware to download files
C. web server vulnerability exploited by malware
D. cross-site scripting vulnerability to backdoor server
A SOC engineer discovers that the organization had three DDoS attacks overnight. Four servers are reported offline, even though the hardware seems to be working as expected. One of the offline servers is affecting the pay system reporting times. Three employees, including executive management, have reported ransomware on their laptops. Which steps help the engineer gain a comprehensive overview of the incident?
A. Run and evaluate a full packet capture on the workloads, review SIEM logs, and define a root cause.
B. Run and evaluate a full packet capture on the workloads, review SIEM logs, and plan mitigation steps.
C. Check SOAR to learn what the security systems are reporting about the overnight events, research the attacks, and plan mitigation steps.
D. Check SOAR to know what the security systems are reporting about the overnight events, review the threat vectors, and define a root cause.
DRAG DROP - Drag and drop the actions below the image onto the boxes in the image for the actions that should be taken during this playbook step. Not all options are used. Select and Place:
What is needed to assess risk mitigation effectiveness in an organization?
A. analysis of key performance indicators
B. compliance with security standards
C. cost-effectiveness of control measures
D. updated list of vulnerable systems
An organization had an incident with network availability during which devices unexpectedly malfunctioned. An engineer investigating the incident found that the memory pool buffer usage reached a peak before the malfunction. Which action should the engineer take to prevent this issue from reoccurring?
A. Disable memory limit.
B. Disable CPU threshold trap toward the SNMP server.
C. Enable memory tracing notifications.
D. Enable memory threshold notifications.
DRAG DROP - Drag and drop the telemetry-related considerations from the left onto their cloud service models on the right. Select and Place:
DRAG DROP - Drag and drop the type of attacks from the left onto the cyber kill chain stages at which the attacks are seen on the right. Select and Place:
Refer to the exhibit. How must these advisories be prioritized for handling?
A. The highest priority for handling depends on the type of institution deploying the devices
B. Vulnerability #2 is the highest priority for every type of institution
C. Vulnerability #1 and vulnerability #2 have the same priority
D. Vulnerability #1 is the highest priority for every type of institution
Refer to the exhibit. An engineer received multiple reports from employees unable to log into systems with the error: "The Group Policy Client service failed to logon. Access is denied." Through further analysis, the engineer discovered several unexpected modifications to system settings. Which type of breach is occurring?
A. malware break
B. data theft
C. elevation of privileges
D. denial-of-service
Refer to the exhibit. An engineer is analyzing this Vlan0392-int12-239.pcap file in Wireshark after detecting suspicious network activity. The origin header for the direct IP connections in the packets was initiated by a Google Chrome extension over the WebSocket protocol. The engineer checked the message payloads to determine what information was being sent off-site, but the payloads are obfuscated and unreadable. What does this STIX indicate?
A. The extension is not performing as intended because of restrictions, since ports 80 and 443 should be accessible
B. The traffic is legitimate, as the Google Chrome extension is reaching out to check for updates and fetches this information
C. There is a possible data leak because payloads should be encoded as UTF-8 text
D. There is a malware that is communicating via encrypted channels to the command and control server
An engineer detects an intrusion event inside an organization's network and becomes aware that files that contain personal data have been accessed. Which action must be taken to contain this attack?
A. Disconnect the affected server from the network.
B. Analyze the source.
C. Access the affected server to confirm compromised files are encrypted.
D. Determine the attack surface.
Which action should be taken when the HTTP response code 301 is received from a web application?
A. Update the cached header metadata.
B. Confirm the resource’s location.
C. Increase the allowed user limit.
D. Modify the session timeout setting.