What is rule-based detection when compared to statistical detection?
- A . proof of a user's identity
- B . proof of a user's action
- C . likelihood of user's action
- D . falsification of a user's identity
What is the difference between deep packet inspection and stateful inspection?
- A . Deep packet inspection is more secure than stateful inspection on Layer 4
- B . Stateful inspection verifies contents at Layer 4 and deep packet inspection verifies connection at Layer 7
- C . Stateful inspection is more secure than deep packet inspection on Layer 7
- D . Deep packet inspection allows visibility on Layer 7 and stateful inspection allows visibility on Layer 4
Refer to the exhibit.
An engineer received an event log file to review.
Which technology generated the log?
- A . NetFlow
- B . proxy
- C . firewall
- D . IDS/IPS
What is a difference between an inline and a tap mode traffic monitoring?
- A . Inline monitors traffic without examining other devices, while a tap mode tags traffic and examines the data from monitoring devices.
- B . Tap mode monitors traffic direction, while inline mode keeps packet data as it passes through the monitoring devices.
- C . Tap mode monitors packets and their content with the highest speed, while the inline mode draws a packet path for analysis.
- D . Inline mode monitors traffic path, examining any traffic at a wire speed, while a tap mode monitors traffic as it crosses the network.
Explanation:
Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/inline_sets_and_passive_interfaces_for_firepower_threat_defense.html
Which two elements are assets in the role of attribution in an investigation? (Choose two.)
- A . context
- B . session
- C . laptop
- D . firewall logs
- E . threat actor
Explanation:
The following are some factors that are used during attribution in an investigation: assets, threat actor, Indicators of Compromise (IoCs), Indicators of Attack (IoAs), and chain of custody.
Asset: This factor identifies which assets were compromised by a threat actor or hacker. An example of an asset can be an organization's domain controller (DC) that runs Active Directory Domain Services (AD DS). AD is a service that allows an administrator to manage user accounts, user groups, and policies across a Microsoft Windows environment. Keep in mind that an asset is anything that has value to an organization; it can be something physical, digital, or even people.
Source: Cisco Certified CyberOps Associate 200-201 Certification Guide
Which incident response step includes identifying all hosts affected by an attack?
- A . detection and analysis
- B . post-incident activity
- C . preparation
- D . containment, eradication, and recovery
What is vulnerability management?
- A . A security practice focused on clarifying and narrowing intrusion points.
- B . A security practice of performing actions rather than acknowledging the threats.
- C . A process to identify and remediate existing weaknesses.
- D . A process to recover from service interruptions and restore business-critical applications
Explanation:
Reference: https://www.brinqa.com/vulnerability-management-primer-part-2-challenges/
Vulnerability management is the "cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating" software vulnerabilities.[1] Vulnerability management is integral to computer security and network security, and must not be confused with vulnerability assessment.
Source: https://en.wikipedia.org/wiki/Vulnerability_management
When trying to evade IDS/IPS devices, which mechanism allows the user to make the data incomprehensible without a specific key, certificate, or password?
- A . fragmentation
- B . pivoting
- C . encryption
- D . steganography
Explanation:
Reference: https://techdifferences.com/difference-between-steganography-and-cryptography.html#:~:text=The%20steganography%20and%20cryptography%20are,the%20structure%20of%20the%20message.
Which metric in CVSS indicates an attack that takes a destination bank account number and replaces it with a different bank account number?
- A . integrity
- B . confidentiality
- C . availability
- D . scope
What is an incident response plan?
- A . an organizational approach to events that could lead to asset loss or disruption of operations
- B . an organizational approach to security management to ensure a service lifecycle and continuous improvements
- C . an organizational approach to disaster recovery and timely restoration of operational services
- D . an organizational approach to system backup and data archiving aligned to regulations
A security expert is working on a copy of the evidence, an ISO file that is saved in CDFS format.
Which type of evidence is this file?
- A . CD data copy prepared in Windows
- B . CD data copy prepared in Mac-based system
- C . CD data copy prepared in Linux system
- D . CD data copy prepared in Android-based system
Refer to the exhibit.
What does the message indicate?
- A . an access attempt was made from the Mosaic web browser
- B . a successful access attempt was made to retrieve the password file
- C . a successful access attempt was made to retrieve the root of the website
- D . a denied access attempt was made to retrieve the password file
An employee reports that someone has logged into their system and made unapproved changes, files are out of order, and several documents have been placed in the recycle bin. The security specialist reviewed the system logs, found nothing suspicious, and was not able to determine what occurred. The software is up to date; there are no alerts from antivirus and no failed login attempts.
What is causing the lack of data visibility needed to detect the attack?
- A . The threat actor used a dictionary-based password attack to obtain credentials.
- B . The threat actor gained access to the system by known credentials.
- C . The threat actor used the teardrop technique to confuse and crash login services.
- D . The threat actor used an unknown vulnerability of the operating system that went undetected.
Which attack method intercepts traffic on a switched network?
- A . denial of service
- B . ARP cache poisoning
- C . DHCP snooping
- D . command and control
Explanation:
An ARP-based MITM attack is achieved when an attacker poisons the ARP cache of two devices with the MAC address of the attacker's network interface card (NIC). Once the ARP caches have been successfully poisoned, each victim device sends all its packets to the attacker when communicating with the other device, which puts the attacker in the middle of the communications path between the two victim devices. This allows the attacker to easily monitor all communication between the victim devices. The intent is to intercept and view the information being passed between the two victim devices and potentially to inject sessions and traffic between them.
Refer to the exhibit.
What is the potential threat identified in this Stealthwatch dashboard?
- A . A policy violation is active for host 10.10.101.24.
- B . A host on the network is sending a DDoS attack to another inside host.
- C . There are three active data exfiltration alerts.
- D . A policy violation is active for host 10.201.3.149.
Explanation:
"EX" = exfiltration, and there are three such alerts in the dashboard.
Also, the "suspect long flow" and "suspect data heading" alarms suggest, for example, DNS exfiltration.
Reference: https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/management_console/smc_users_guide/SW_6_9_0_SMC_Users_Guide_DV_1_2.pdf, page 177.