An employee receives an email from a "trusted" person containing a malvertising hyperlink. The employee clicks the link and the malware downloads. An information analyst observes an alert at the SIEM and engages the cybersecurity team to conduct an analysis of this incident in accordance with the incident response plan. Which event detail should be included in this root cause analysis?
A. phishing email sent to the victim
B. alarm raised by the SIEM
C. information from the email header
D. alert identified by the cybersecurity team

Refer to the exhibit. Which encoding technique is represented by this HEX string?
A. Unicode
B. Binary
C. Base64
D. Charcode

Refer to the exhibit. Which two determinations should be made about the attack from the Apache access logs? (Choose two.)
A. The attacker used the r57 exploit to elevate their privilege.
B. The attacker uploaded the WordPress File Manager trojan.
C. The attacker performed a brute-force attack against WordPress and used SQL injection against the backend database.
D. The attacker used the WordPress File Manager plugin to upload r57.php.
E. The attacker logged on normally to the WordPress admin page.

An incident response team is recommending changes after analyzing a recent compromise in which:
✑ a large number of events and logs were involved;
✑ team members were not able to identify the anomalous behavior and escalate it in a timely manner;
✑ several network systems were affected as a result of the latency in detection;
✑ security engineers were able to mitigate the threat and bring systems back to a stable state; and
✑ the issue reoccurred shortly after and systems became unstable again because the correct information was not gathered during the initial identification phase.
Which two recommendations should be made for improving the incident response process? (Choose two.)
A. Formalize reporting requirements and responsibilities to update management and internal stakeholders throughout the incident-handling process effectively.
B. Improve the mitigation phase to ensure causes can be quickly identified, and systems returned to a functioning state.
C. Implement an automated operation to pull system events/logs and bring them into an organizational context.
D. Allocate additional resources for the containment phase to stabilize systems in a timely manner and reduce an attack's breadth.
E. Modify the incident handling playbook and checklist to ensure alignment and agreement on roles, responsibilities, and steps before an incident occurs.

Refer to the exhibit. An HR department submitted a ticket to the IT helpdesk indicating slow performance on an internal share server. The helpdesk engineer checked the server with a real-time monitoring tool and did not notice anything suspicious. After checking the event logs, the engineer noticed an event that occurred 48 hours prior. Which two indicators of compromise should be determined from this information? (Choose two.)
A. unauthorized system modification
B. privilege escalation
C. denial of service attack
D. compromised root access
E. malware outbreak

Refer to the exhibit. What is the IOC threat and URL in this STIX JSON snippet?

A security team detected an above-average amount of inbound tcp/135 connection attempts from unidentified senders. The security team is responding based on their incident response playbook. Which two elements are part of the eradication phase for this incident? (Choose two.)
A. anti-malware software
B. data and workload isolation
C. centralized user management
D. intrusion prevention system
E. enterprise block listing solution

Refer to the exhibit. Which two actions should be taken as a result of this information? (Choose two.)
A. Update the AV to block any file with hash "cf2b3ad32a8a4cfb05e9dfc45875bd70".
B. Block all emails sent from an @state.gov address.
C. Block all emails with PDF attachments.
D. Block emails sent from [email protected] with an attached PDF file with MD5 hash "cf2b3ad32a8a4cfb05e9dfc45875bd70".
E. Block all emails with a subject containing "cf2b3ad32a8a4cfb05e9dfc45875bd70".

A security team is discussing lessons learned and suggesting process changes after a security breach incident. During the incident, members of the security team failed to report the abnormal system activity due to a high project workload. Additionally, when the incident was identified, the response took six hours due to management being unavailable to provide the approvals needed. Which two steps will prevent these issues from occurring in the future? (Choose two.)
A. Introduce a priority rating for incident response workloads.
B. Provide phishing awareness training for the full security team.
C. Conduct a risk audit of the incident response workflow.
D. Create an executive team delegation plan.
E. Automate security alert timeframes with escalation triggers.

Refer to the exhibit. What should an engineer determine from this Wireshark capture of suspicious network traffic?
A. There are signs of a SYN flood attack, and the engineer should increase the backlog and recycle the oldest half-open TCP connections.
B. There are signs of a malformed packet attack, and the engineer should limit the packet size and set a threshold of bytes as a countermeasure.
C. There are signs of a DNS attack, and the engineer should hide the BIND version and restrict zone transfers as a countermeasure.
D. There are signs of ARP spoofing, and the engineer should use static ARP entries and IP address-to-MAC address mappings as a countermeasure.

Refer to the exhibit. An engineer is analyzing a .LNK (shortcut) file recently received as an email attachment and blocked by email security as suspicious. What is the next step an engineer should take?
A. Delete the suspicious email with the attachment, as the file is a shortcut extension and does not represent any threat.
B. Upload the file to a virus checking engine to compare with well-known viruses, as the file is a virus disguised as a legitimate extension.
C. Quarantine the file within the endpoint antivirus solution, as the file is ransomware which will encrypt the documents of a victim.
D. Open the file in a sandbox environment for further behavioral analysis, as the file contains a malicious script that runs on execution.

What are YARA rules based upon?
A. binary patterns
B. HTML code
C. network artifacts
D. IP addresses

What is the transmogrify anti-forensics technique?
A. hiding a section of a malicious file in unused areas of a file
B. sending malicious files over a public network by encapsulation
C. concealing malicious files in ordinary or unsuspecting places
D. changing the file header of a malicious file to another file type

A security team receives reports of multiple files causing suspicious activity on users' workstations. The file attempted to access highly confidential information in a centralized file server. Which two actions should be taken by a security analyst to evaluate the file in a sandbox? (Choose two.)
A. Inspect registry entries.
B. Inspect processes.
C. Inspect file hash.
D. Inspect file type.
E. Inspect PE header.

An investigator is analyzing an attack in which malicious files were loaded on the network and were undetected. Several of the images received during the attack include repetitive patterns. Which anti-forensic technique was used?
A. spoofing
B. obfuscation
C. tunneling
D. steganography

Refer to the exhibit. Which type of code is being used?
A. Shell
B. VBScript
C. BASH
D. Python

What is a concern for gathering forensics evidence in public cloud environments?
A. High cost: Cloud service providers typically charge high fees for allowing cloud forensics.
B. Configuration: Implementing security zones and proper network segmentation.
C. Timeliness: Gathering forensics evidence from cloud service providers typically requires substantial time.
D. Multitenancy: Evidence gathering must avoid exposure of data from other tenants.

Refer to the exhibit. A network engineer is analyzing a Wireshark file to determine the HTTP request that caused the initial Ursnif banking Trojan binary to download. Which filter did the engineer apply to sort the Wireshark traffic logs?
A. http.request.uri matches
B. tls.handshake.type == 1
C. tcp.port eq 25
D. tcp.window_size == 0

Which magic byte indicates that an analyzed file is a PDF file?
A. cGRmZmlsZQ
B. 706466666
C. 255044462d
D. 0a0ah4cg

An engineer received a call to assist with an ongoing DDoS attack. The Apache server is being targeted, and availability is compromised. Which step should be taken to identify the origin of the threat?
A. An engineer should check the list of usernames currently logged in by running the command who | cut -d' ' -f1 | sort | uniq
B. An engineer should check the server's processes by running the commands ps -aux and sudo ps -a.
C. An engineer should check the services on the machine by running the command service --status-all.
D. An engineer should check the last hundred entries of the web server log with the command sudo tail -100 /var/log/apache2/access.log.

Refer to the exhibit. A company that uses only the Unix platform implemented an intrusion detection system. After the initial configuration, the number of alerts is overwhelming, and an engineer needs to analyze and classify the alerts. The highest number of alerts were generated from the signature shown in the exhibit.
Which classification should the engineer assign to this event?
A. True Negative alert
B. False Negative alert
C. False Positive alert
D. True Positive alert

Refer to the exhibit. According to the Snort alert, what is the attacker performing?
A. brute-force attack against the web application user accounts
B. XSS attack against the target web server
C. brute-force attack against directories and files on the target web server
D. SQL injection attack against the target web server

An engineer is analyzing a ticket for an unexpected server shutdown and discovers that the web server ran out of usable memory and crashed.
Which data is needed for further investigation?
A. /var/log/access.log
B. /var/log/messages.log
C. /var/log/httpd/messages.log
D. /var/log/httpd/access.log

Refer to the exhibit. What should be determined from this Apache log?
A. A module named mod_ssl is needed to make SSL connections.
B. The private key does not match the SSL certificate.
C. The certificate file has been maliciously modified.