
CS0-002 Mock Test Free

CS0-002 Mock Test Free – 50 Realistic Questions to Prepare with Confidence.

Getting ready for your CS0-002 certification exam? Start your preparation the smart way with our CS0-002 Mock Test Free – a carefully crafted set of 50 realistic, exam-style questions to help you practice effectively and boost your confidence.

Using a mock test free for CS0-002 exam is one of the best ways to:

  • Familiarize yourself with the actual exam format and question style
  • Identify areas where you need more review
  • Strengthen your time management and test-taking strategy

Below, you will find 50 free questions from our CS0-002 Mock Test Free resource. These questions are structured to reflect the real exam’s difficulty and content areas, helping you assess your readiness accurately.

Question 1

A cybersecurity analyst is establishing a threat-hunting and intelligence group at a growing organization. Which of the following is a collaborative resource that would MOST likely be used for this purpose?

A. IoC feeds

B. CVSS scores

C. Scrum

D. ISAC

Suggested Answer: A

Community Answer: D

Question 2

A security team identified some specific known tactics and techniques to help mitigate repeated credential access threats, such as account manipulation and brute forcing. Which of the following frameworks or models did the security team MOST likely use to identify the tactics and techniques?

A. MITRE ATT&CK

B. ITIL

C. Kill chain

D. Diamond Model of Intrusion Analysis

Suggested Answer: A

Community Answer: A

Question 3

An analyst received an alert regarding an application spawning a suspicious command shell process. Upon further investigation, the analyst observes the following registry change occurring immediately after the suspicious event:
[Image not included]
Which of the following was the suspicious event able to accomplish?

A. Impair defenses.

B. Establish persistence.

C. Bypass file access controls.

D. Implement beaconing.

Suggested Answer: A

Community Answer: A

Question 4

A security analyst is deploying a new application in the environment. The application needs to be integrated with several existing applications that contain SPI. Prior to the deployment, the analyst should conduct:

A. a tabletop exercise.

B. a business impact analysis.

C. a PCI assessment.

D. an application stress test.

Suggested Answer: C

Community Answer: B

Question 5

A security analyst notices the following entry while reviewing the server logs:
OR 1=1' ADD USER attacker' PW 1337password' --
Which of the following events occurred?

A. CSRF

B. XSS

C. SQLi

D. RCE

Suggested Answer: C

Community Answer: C

Question 6

A security analyst is handling an incident in which ransomware has encrypted the disks of several company workstations. Which of the following would work BEST to prevent this type of incident in the future?

A. Implement a UTM instead of a stateful firewall and enable gateway antivirus.

B. Back up the workstations to facilitate recovery and create a gold image.

C. Establish a ransomware awareness program and implement secure and verifiable backups.

D. Virtualize all the endpoints with daily snapshots of the virtual machines.

Suggested Answer: C

Community Answer: C

Question 7

Which of the following describes the main difference between supervised and unsupervised machine-learning algorithms that are used in cybersecurity applications?

A. Supervised algorithms can be used to block attacks, while unsupervised algorithms cannot.

B. Supervised algorithms require security analyst feedback, while unsupervised algorithms do not.

C. Unsupervised algorithms are not suitable for IDS systems, while supervised algorithms are.

D. Unsupervised algorithms produce more false positives than supervised algorithms.

Suggested Answer: D

Community Answer: B

Question 8

A security analyst discovers the following firewall log entries during an incident:
[Image not included]
Which of the following is MOST likely occurring?

A. Banner grabbing

B. Port scanning

C. Beaconing

D. Data exfiltration

Suggested Answer: C

Community Answer: B

Question 9

A cybersecurity analyst is working with a SIEM tool and reviewing the following table:
[Image not included]
When creating a rule in the company's SIEM, which of the following would be the BEST approach for the analyst to use to assess the risk level of each vulnerability that is discovered by the vulnerability assessment tool?

A. Create a trend with the table and join the trend with the desired rule to be able to extract the risk level of each vulnerability

B. Use Boolean filters in the SIEM rule to take advantage of real-time processing and RAM to store the table dynamically, generate the results faster, and be able to display the table in a dashboard or export it as a report

C. Use a static table stored on the disk of the SIEM system to correlate its data with the data ingested by the vulnerability scanner data collector

D. Use the table as a new index or database for the SIEM to be able to use multisearch and then summarize the results as output

Suggested Answer: D

Community Answer: B

Question 10

An organization has a policy that requires servers to be dedicated to one function and unneeded services to be disabled. Given the following output from an Nmap scan of a web server:
[Image not included]
Which of the following ports should be closed?

A. 22

B. 80

C. 443

D. 1433

Suggested Answer: A

Community Answer: D

Question 11

A company’s change management team has asked a security analyst to review a potential change to the email server before it is released into production. The analyst reviews the following change request:
Change request date: 2020-01-30
Change requester: Cindy Richardson
Change asset: WIN2K-EMAILOOI
Change requested: Modify the following SPF record to change +all to –all
Which of the following is the MOST likely reason for the change?

A. To reject email from servers that are not listed in the SPF record

B. To reject email from email addresses that are not digitally signed

C. To accept email to the company’s domain

D. To reject email from users who are not authenticated to the network

Suggested Answer: A

Community Answer: A

Question 12

Which of the following data security controls would work BEST to prevent real PII from being used in an organization's test cloud environment?

A. Encryption

B. Data loss prevention

C. Data masking

D. Digital rights management

E. Access control

Suggested Answer: B

Community Answer: C

Question 13

A security engineer must deploy X.509 certificates to two web servers behind a load balancer. Each web server is configured identically. Which of the following should be done to ensure certificate name mismatch errors do not occur?

A. Create two certificates, each with the same fully qualified domain name, and associate each with the web servers’ real IP addresses on the load balancer.

B. Create one certificate on the load balancer and associate the site with the web servers’ real IP addresses.

C. Create two certificates, each with the same fully qualified domain name, and associate each with a corresponding web server behind the load balancer.

D. Create one certificate and export it to each web server behind the load balancer.

Suggested Answer: C

Community Answer: C

Question 14

A routine vulnerability scan detected a known vulnerability in a critical enterprise web application. Which of the following would be the BEST next step?

A. Submit a change request to have the system patched.

B. Evaluate the risk and criticality to determine if further action is necessary.

C. Notify a manager of the breach and initiate emergency procedures.

D. Remove the application from production and inform the users.

Suggested Answer: A

Community Answer: B

Question 15

Which of the following organizational initiatives would be MOST impacted by data sovereignty issues?

A. Moving to a cloud-based environment

B. Migrating to locally hosted virtual servers

C. Implementing non-repudiation controls

D. Encrypting local database queries

Suggested Answer: A

Community Answer: A

Question 16

Which of the following is an advantage of SOAR over SIEM?

A. SOAR is much less expensive.

B. SOAR reduces the amount of human intervention required.

C. SOAR can aggregate data from many sources.

D. SOAR uses more robust encryption protocols.

Suggested Answer: B

Community Answer: B

Question 17

A company wants to ensure confidential data from its storage media files is sanitized so the drives cannot be reused. Which of the following is the BEST approach?

A. Degaussing

B. Shredding

C. Formatting

D. Encrypting

Suggested Answer: B

Community Answer: B

Question 18

An executive assistant wants to onboard a new cloud-based product to help with business analytics and dashboarding. Which of the following would be the BEST integration option for this service?

A. Manually log in to the service and upload data files on a regular basis.

B. Have the internal development team script connectivity and file transfers to the new service.

C. Create a dedicated SFTP site and schedule transfers to ensure file transport security.

D. Utilize the cloud product’s API for supported and ongoing integrations.

Suggested Answer: D

Community Answer: D

Question 19

A manager asks a security analyst to provide the web-browsing history of an employee. Which of the following should the analyst do first?

A. Obtain permission to perform the search.

B. Obtain the web-browsing history from the proxy.

C. Obtain the employee’s network ID to form the query.

D. Download the browsing history, encrypt it, and hash it.

Suggested Answer: A

Community Answer: B

Question 20

An employee was found to have performed fraudulent activities. The employee was dismissed, and the employee's laptop was sent to the IT service desk to undergo a data sanitization procedure. However, the security analyst responsible for the investigation wants to avoid data sanitization. Which of the following can the security analyst use to justify the request?

A. GDPR

B. Data correlation procedure

C. Evidence retention

D. Data retention

Suggested Answer: C

Community Answer: C

Question 21

A security operations manager wants some recommendations for improving security monitoring. The security team currently uses past events to create an IoC list for monitoring. Which of the following is the best suggestion for improving monitoring capabilities?

A. Update the IPS and IDS with the latest rule sets from the provider.

B. Create an automated script to update the IPS and IDS rule sets.

C. Use an automated subscription to select threat feeds for IDS.

D. Implement an automated malware solution on the IPS.

Suggested Answer: C

Community Answer: C

Question 22

A security analyst is evaluating the following support ticket:
Issue: Marketing campaigns are being filtered by the customer’s email servers.
Description: Our marketing partner cannot send emails using our email address. The following log messages were collected from multiple customers:
  • The SPF result is PermError.
  • The SPF result is SoftFail or Fail.
  • The 550 SPF check failed.
Which of the following should the analyst do next?

A. Ask the marketing partner’s ISP to disable the DKIM setting.

B. Request approval to disable DMARC on the company’s ISP.

C. Ask the customers to disable SPF validation.

D. Request a configuration change on the company’s public DNS.

Suggested Answer: D

Community Answer: D

Question 23

Which of the following weaknesses associated with common SCADA systems are the MOST critical for organizations to address architecturally within their networks? (Choose two.)

A. Boot processes that are neither measured nor attested

B. Legacy and unpatchable systems software

C. Unnecessary open ports and protocols

D. No OS kernel mandatory access controls

E. Unauthenticated commands

F. Insecure filesystem permissions

Suggested Answer: BD

Community Answer: BC

Question 24

Portions of a legacy application are being refactored to discontinue the use of dynamic SQL. Which of the following would be BEST to implement in the legacy application?

A. Input validation

B. SQL injection

C. Parameterized queries

D. Web-application firewall

E. Multifactor authentication

Suggested Answer: B

Community Answer: C

Question 25

An analyst needs to provide recommendations based on a recent vulnerability scan:
[Image not included]
Which of the following should the analyst recommend addressing to ensure potential vulnerabilities are identified?

A. SMB use domain SID to enumerate users

B. SYN scanner

C. SSL certificate cannot be trusted

D. Scan not performed with admin privileges

Suggested Answer: D

Community Answer: D

Question 26

An analyst is participating in the solution analysis process for a cloud-hosted SIEM platform to centralize log monitoring and alerting capabilities in the SOC. Which of the following is the BEST approach for supply chain assessment when selecting a vendor?

A. Gather information from providers, including data center specifications and copies of audit reports

B. Identify SLA requirements for monitoring and logging

C. Consult with the senior management team for recommendations

D. Perform a proof of concept to identify possible solutions

Suggested Answer: A

Community Answer: A

Question 27

Which of the following is the best method to ensure secure boot UEFI features are enabled to prevent boot malware?

A. Enable secure boot in the hardware and reload the operating system.

B. Reconfigure the system’s MBR and enable NTFS.

C. Set UEFI to legacy mode and enable security features.

D. Convert the legacy partition table to UEFI and repair the operating system.

Suggested Answer: A

Community Answer: A

Question 28

A network attack that is exploiting a vulnerability in the SNMP is detected. Which of the following should the cybersecurity analyst do FIRST?

A. Apply the required patches to remediate the vulnerability

B. Escalate the incident to the senior management team for guidance

C. Disable all privileged user accounts on the network

D. Temporarily block the attacking IP address

Suggested Answer: D

Community Answer: D

Question 29

A security analyst notices the following proxy log entries:
[Image not included]
Which of the following is the user attempting to do based on the log entries?

A. Use a DoS attack on external hosts.

B. Exfiltrate data.

C. Scan the network.

D. Relay email.

Suggested Answer: D

Community Answer: D

Question 30

During an investigation, an analyst discovers the following rule in an executive’s email client:
[Image not included]
The executive is not aware of this rule. Which of the following should the analyst do first to evaluate the potential impact of this security incident?

A. Check the server logs to evaluate which emails were sent to .

B. Use the SIEM to correlate logging events from the email server and the domain server.

C. Remove the rule from the email client and change the password.

D. Recommend that the management team implement SPF and DKIM.

Suggested Answer: A

Community Answer: A

Question 31

As a proactive threat-hunting technique, hunters must develop situational cases based on likely attack scenarios derived from the available threat intelligence information. After forming the basis of the scenario, which of the following may the threat hunter construct to establish a framework for threat assessment?

A. Critical asset list

B. Threat vector

C. Attack profile

D. Hypothesis

Suggested Answer: D

Community Answer: D

Question 32

A consumer credit card database was compromised, and multiple representatives are unable to review the appropriate customer information. Which of the following should the cybersecurity analyst do first?

A. Start the containment effort.

B. Confirm the incident.

C. Notify local law enforcement officials.

D. Inform the senior management team.

Suggested Answer: B

Community Answer: D

Question 33

While reviewing incident reports from the previous night, a security analyst notices the corporate websites were defaced with political propaganda. Which of the following BEST describes this type of actor?

A. Hacktivist

B. Nation-state

C. Insider threat

D. Organized crime

Suggested Answer: A

Community Answer: A

Question 34

An analyst is reviewing the following output:
[Image not included]
Vulnerability found: Improper neutralization of script-related HTML tag.
Which of the following was MOST likely used to discover this?

A. Reverse engineering using a debugger

B. A static analysis vulnerability scan

C. A passive vulnerability scan

D. A web application vulnerability scan

Suggested Answer: D

Community Answer: B

Question 35

A security analyst is investigating a compromised Linux server. The analyst issues the ps command and receives the following output:
[Image not included]
Which of the following commands should the administrator run NEXT to further analyze the compromised system?

A. strace /proc/1301

B. rpm -V openssh-server

C. /bin/ls -1 /proc/1301/exe

D. kill -9 1301

Suggested Answer: A

Community Answer: C

Question 36

Which of the following is MOST closely related to the concept of privacy?

A. The implementation of confidentiality, integrity, and availability

B. A system’s ability to protect the confidentiality of sensitive information

C. An individual’s control over personal information

D. A policy implementing strong identity management processes

Suggested Answer: C

Community Answer: C

Question 37

After a series of Group Policy Object updates, multiple services stopped functioning. The systems administrator believes the issue resulted from a Group Policy Object update but cannot validate which update caused the issue. Which of the following security solutions would resolve this issue?

A. Privilege management

B. Group Policy Object management

C. Change management

D. Asset management

Suggested Answer: B

Community Answer: C

Question 38

A security analyst is reviewing a vulnerability scan report and notes the following finding:
[Image not included]
As part of the detection and analysis procedures, which of the following should the analyst do NEXT?

A. Patch or reimage the device to complete the recovery.

B. Restart the antivirus's running processes.

C. Isolate the host from the network to prevent exposure.

D. Confirm the workstation’s signatures against the most current signatures.

Suggested Answer: C

Community Answer: D

Question 39

A digital forensics investigator works from duplicate images to preserve the integrity of the original evidence. Which of the following types of media are MOST volatile and should be preserved? (Choose two.)

A. Memory cache

B. Registry file

C. SSD storage

D. Temporary filesystems

E. Packet decoding

F. Swap volume

Suggested Answer: AD

Community Answer: AF

Question 40

A security analyst who works in the SOC receives a new requirement to monitor for indicators of compromise. Which of the following is the first action the analyst should take in this situation?

A. Develop a dashboard to track the indicators of compromise.

B. Develop a query to search for the indicators of compromise.

C. Develop a new signature to alert on the indicators of compromise.

D. Develop a new signature to block the indicators of compromise.

Suggested Answer: B

Community Answer: B

Question 41

A security analyst reviews the following aggregated output from an Nmap scan and the border firewall ACL:
[Image not included]
Which of the following should the analyst reconfigure to BEST reduce organizational risk while maintaining current functionality?

A. PC1

B. PC2

C. Server1

D. Server2

E. Firewall

Suggested Answer: B

Community Answer: E

Question 42

The threat intelligence department recently learned of an advanced persistent threat that is leveraging a new strain of malware, exploiting a system router. The company currently uses the same device mentioned in the threat report. Which of the following configuration changes would BEST improve the organization's security posture?

A. Implement an IPS rule that contains content for the malware variant and patch the routers to protect against the vulnerability.

B. Implement an IDS rule that contains the IP addresses from the advanced persistent threat and patch the routers to protect against the vulnerability.

C. Implement an IPS rule that contains the IP addresses from the advanced persistent threat and patch the routers to protect against the vulnerability.

D. Implement an IDS rule that contains content for the malware variant and patch the routers to protect against the vulnerability.

Suggested Answer: A

Community Answer: A

Question 43

A security analyst is investigating an incident related to an alert from the threat detection platform on a host (10.0.1.25) in a staging environment that could be running a cryptomining tool because it is sending traffic to an IP address that is related to Bitcoin. The network rules for the instance are the following:
[Image not included]
Which of the following is the BEST way to isolate and triage the host?

A. Remove rules 1, 2, and 3.

B. Remove rules 1, 2, 4, and 5.

C. Remove rules 1, 2, 3, 4, and 5.

D. Remove rules 1, 2, and 5.

E. Remove rules 1, 4, and 5.

F. Remove rules 4 and 5.

Suggested Answer: E

Community Answer: D

Question 44

A security analyst is reviewing WAF alerts and sees the following request:
Request="GET /public/report.html?iewt=9064 AND 1=1 UNION ALL SELECT 1,NULL,table_name FROM information_schema.tables WHERE 2>1--/**/; HTTP/1.1 Host=mysite.com
Which of the following BEST describes the attack?

A. SQL injection

B. LDAP injection

C. Command injection

D. Denial of service

Suggested Answer: C

Community Answer: A

Question 45

A small business does not have enough staff in the accounting department to segregate duties. The comptroller writes the checks for the business and reconciles them against the ledger. To ensure there is no fraud occurring, the business conducts quarterly reviews in which a different officer in the business compares all the cleared checks against the ledger. Which of the following BEST describes this type of control?

A. Deterrent

B. Preventive

C. Compensating

D. Detective

Suggested Answer: C

Community Answer: D

Question 46

While planning segmentation for an ICS environment, a security engineer determines IT resources will need access to devices within the ICS environment without compromising security. To provide the MOST secure access model in this scenario, the jumpbox should be:

A. placed in an isolated network segment, authenticated on the IT side, and forwarded into the ICS network.

B. placed on the ICS network with a static firewall rule that allows IT network resources to authenticate.

C. bridged between the IT and operational technology networks to allow authenticated access.

D. placed on the IT side of the network, authenticated, and tunneled into the ICS environment.

Suggested Answer: C

Community Answer: A

Question 47

A security analyst is reviewing the following Internet usage trend report:
[Image not included]
Which of the following usernames should the security analyst investigate further?

A. User 1

B. User 2

C. User 3

D. User 4

Suggested Answer: B

Community Answer: B

Question 48

A security analyst needs to determine the best method for securing access to a top-secret datacenter. Along with an access card and PIN code, which of the following additional authentication methods would be BEST to enhance the datacenter’s security?

A. Physical key

B. Retinal scan

C. Passphrase

D. Fingerprint

Suggested Answer: B

Community Answer: B

Question 49

An analyst is responding to an incident within a cloud infrastructure. Based on the logs and traffic analysis, the analyst thinks a container has been compromised. Which of the following should the analyst do FIRST?

A. Perform threat hunting in other areas of the cloud infrastructure.

B. Contact law enforcement to report the incident.

C. Perform a root cause analysis on the container and the service logs.

D. Isolate the container from production using a predefined policy template.

Suggested Answer: D

Community Answer: D

Question 50

A company stores all of its data in the cloud. All company-owned laptops are currently unmanaged, and all users have administrative rights. The security team is having difficulty identifying a way to secure the environment. Which of the following would be the BEST method to protect the company's data?

A. Implement UEM on all systems and deploy security software.

B. Implement DLP on all workstations and block company data from being sent outside the company.

C. Implement a CASB and prevent certain types of data from being downloaded to a workstation.

D. Implement centralized monitoring and logging for all company systems.

Suggested Answer: B

Community Answer: C

Access Full CS0-002 Mock Test Free

Want a full-length mock test experience? Click here to unlock the complete CS0-002 Mock Test Free set and get access to hundreds of additional practice questions covering all key topics.

We regularly update our question sets to stay aligned with the latest exam objectives—so check back often for fresh content!

Start practicing with our CS0-002 mock test free today—and take a major step toward exam success!
