
Understanding Cisco Cybersecurity Operations Fundamentals (200-201 CBROPS) Question and Answers

Understanding Cisco Cybersecurity Operations Fundamentals (200-201 CBROPS)

Last Update Mar 29, 2024
Total Questions : 311

We are offering FREE 200-201 Cisco exam questions. All you need to do is sign up, provide your details, and practice with the free 200-201 exam questions; then move on to the complete pool of Understanding Cisco Cybersecurity Operations Fundamentals (200-201 CBROPS) test questions, which will help you further.

Question 1

Why is encryption challenging to security monitoring?

Options:

A. Encryption analysis is used by attackers to monitor VPN tunnels.
B. Encryption is used by threat actors as a method of evasion and obfuscation.
C. Encryption introduces additional processing requirements by the CPU.
D. Encryption introduces larger packet sizes to analyze and store.

Question 2

An analyst discovers that a legitimate security alert has been dismissed. Which signature caused this impact on network traffic?

Options:

A. true negative
B. false negative
C. false positive
D. true positive

Question 3

Refer to the exhibit.

Which event is occurring?

Options:

A. A binary named "submit" is running on VM cuckoo1.
B. A binary is being submitted to run on VM cuckoo1.
C. A binary on VM cuckoo1 is being submitted for evaluation.
D. A URL is being evaluated to see if it has a malicious binary.

Question 4

Which process represents the application-level allow list?

Options:

A. allowing everything and denying specific application protocols
B. allowing everything and denying specific executable files
C. allowing specific file formats and denying executable files
D. allowing specific files and denying everything else

Question 5

A security expert is working on a copy of the evidence, an ISO file that is saved in CDFS format. Which type of evidence is this file?

Options:

A. CD data copy prepared in Windows
B. CD data copy prepared in Mac-based system
C. CD data copy prepared in Linux system
D. CD data copy prepared in Android-based system

Question 6

Refer to the exhibit.

An engineer is reviewing a Cuckoo report of a file. What must the engineer interpret from the report?

Options:

A. The file will appear legitimate by evading signature-based detection.
B. The file will not execute its behavior in a sandbox environment to avoid detection.
C. The file will insert itself into an application and execute when the application is run.
D. The file will monitor user activity and send the information to an outside source.

Question 7

What matches the regular expression c(rgr)+e?

Options:

A. crgrrgre
B. np+e
C. c(rgr)e
D. ce

Question 8

A system administrator is ensuring that specific registry information is accurate. Which type of configuration information does the HKEY_LOCAL_MACHINE hive contain?

Options:

A. file extension associations
B. hardware, software, and security settings for the system
C. currently logged in users, including folders and control panel settings
D. all users on the system, including visual settings

Question 9

How does an attack surface differ from an attack vector?

Options:

A. An attack vector recognizes the potential outcomes of an attack, and the attack surface is choosing a method of an attack.
B. An attack surface identifies vulnerable parts for an attack, and an attack vector specifies which attacks are feasible to those parts.
C. An attack surface mitigates external vulnerabilities, and an attack vector identifies mitigation techniques and possible workarounds.
D. An attack vector matches components that can be exploited, and an attack surface classifies the potential path for exploitation.

Question 10

What is a scareware attack?

Options:

A. using spoofed email addresses to trick people into providing login credentials
B. overwhelming a targeted website with fake traffic
C. gaining access to your computer and encrypting data stored on it
D. inserting malicious code that causes popup windows with flashing colors

Question 11

Refer to the exhibit.

An engineer is analyzing this Cuckoo Sandbox report for a PDF file that has been downloaded from an email. What is the state of this file?

Options:

A. The file has an embedded executable and was matched by PEiD threat signatures for further analysis.
B. The file has an embedded non-Windows executable but no suspicious features are identified.
C. The file has an embedded Windows 32 executable and the Yara field lists suspicious features for further analysis.
D. The file was matched by PEiD threat signatures but no suspicious features are identified since the signature list is up to date.

Question 12

Refer to the exhibit.

An engineer received an event log file to review. Which technology generated the log?

Options:

A. NetFlow
B. proxy
C. firewall
D. IDS/IPS

Question 13

A security engineer has a video of a suspect entering a data center that was captured on the same day that files in the same data center were transferred to a competitor. Which type of evidence is this?

Options:

A. best evidence
B. prima facie evidence
C. indirect evidence
D. physical evidence

Question 14

Which type of attack occurs when an attacker is successful in eavesdropping on a conversation between two IP phones?

Options:

A. known-plaintext
B. replay
C. dictionary
D. man-in-the-middle

Question 15

Which evasion method involves performing actions slower than normal to prevent detection?

Options:

A. timing attack
B. traffic fragmentation
C. resource exhaustion
D. tunneling

Question 16

Refer to the exhibit.

What is occurring in this network?

Options:

A. ARP cache poisoning
B. DNS cache poisoning
C. MAC address table overflow
D. MAC flooding attack

Question 17

Which technique is a low-bandwidth attack?

Options:

A. social engineering
B. session hijacking
C. evasion
D. phishing

Question 18

How is NetFlow different from traffic mirroring?

Options:

A. NetFlow collects metadata and traffic mirroring clones data.
B. Traffic mirroring impacts switch performance and NetFlow does not.
C. Traffic mirroring costs less to operate than NetFlow.
D. NetFlow generates more data than traffic mirroring.

Question 19

Refer to the exhibit.

This request was sent to a web application server driven by a database. Which type of web server attack is represented?

Options:

A. parameter manipulation
B. heap memory corruption
C. command injection
D. blind SQL injection

Question 20

An automotive company provides new types of engines and special brakes for rally sports cars. The company has a database of inventions and patents for their engines and technical information. Customers can access the database through the company's website after they register and identify themselves. Which type of protected data is accessed by customers?

Options:

A. IP data
B. PII data
C. PSI data
D. PHI data

Question 21

A security engineer deploys an enterprise-wide host/endpoint technology for all of the company's corporate PCs. Management requests the engineer to block a selected set of applications on all PCs. Which technology should be used to accomplish this task?

Options:

A. application whitelisting/blacklisting
B. network NGFW
C. host-based IDS
D. antivirus/antispyware software

Question 22

Which metric should be used when evaluating the effectiveness and scope of a Security Operations Center?

Options:

A. The average time the SOC takes to register and assign the incident.
B. The total incident escalations per week.
C. The average time the SOC takes to detect and resolve the incident.
D. The total incident escalations per month.

Question 23

Refer to the exhibit.

A security analyst is investigating unusual activity from an unknown IP address. Which type of evidence is this file?

Options:

A. indirect evidence
B. best evidence
C. corroborative evidence
D. direct evidence

Question 24

Which metric is used to capture the level of access needed to launch a successful attack?

Options:

A. privileges required
B. user interaction
C. attack complexity
D. attack vector

Question 25

What is a difference between tampered and untampered disk images?

Options:

A. Tampered images have the same stored and computed hash.
B. Tampered images are used as evidence.
C. Untampered images are used for forensic investigations.
D. Untampered images are deliberately altered to preserve as evidence.

Question 26

What is the function of a command and control server?

Options:

A. It enumerates open ports on a network device.
B. It drops secondary payload into malware.
C. It is used to regain control of the network after a compromise.
D. It sends instruction to a compromised system.

Question 27

Syslog collecting software is installed on the server. For log containment, a disk with a FAT-type partition is used. An engineer determined that log files are being corrupted when the 4 GB file size is exceeded. Which action resolves the issue?

Options:

A. Add space to the existing partition and lower the retention period.
B. Use FAT32 to exceed the limit of 4 GB.
C. Use the Ext4 partition because it can hold files up to 16 TB.
D. Use NTFS partition for log file containment.

Question 28

Refer to the exhibit.

What is the potential threat identified in this Stealthwatch dashboard?

Options:

A. A policy violation is active for host 10.10.101.24.
B. A host on the network is sending a DDoS attack to another inside host.
C. There are two active data exfiltration alerts.
D. A policy violation is active for host 10.201.3.149.

Question 29

An engineer received an alert affecting the degraded performance of a critical server. Analysis showed a heavy CPU and memory load. What is the next step the engineer should take to investigate this resource usage?

Options:

A. Run "ps -d" to decrease the priority state of high load processes to avoid resource exhaustion.
B. Run "ps -u" to find out who executed additional processes that caused a high load on a server.
C. Run "ps -ef" to understand which processes are taking a high amount of resources.
D. Run "ps -m" to capture the existing state of daemons and map required processes to find the gap.

Question 30

What is the difference between vulnerability and risk?

Options:

A. A vulnerability is a sum of possible malicious entry points, and a risk represents the possibility of the unauthorized entry itself.
B. A risk is a potential threat that an exploit applies to, and a vulnerability represents the threat itself.
C. A vulnerability represents a flaw in security that can be exploited, and the risk is the potential damage it might cause.
D. A risk is a potential threat that adversaries use to infiltrate the network, and a vulnerability is an exploit.

Question 31

During which phase of the forensic process is data that is related to a specific event labeled and recorded to preserve its integrity?

Options:

A. examination
B. investigation
C. collection
D. reporting

Question 32

At which layer is deep packet inspection investigated on a firewall?

Options:

A. internet
B. transport
C. application
D. data link

Question 33

A security incident occurred with the potential of impacting business services. Who performs the attack?

Options:

A. malware author
B. threat actor
C. bug bounty hunter
D. direct competitor

Question 34

What is indicated by an increase in IPv4 traffic carrying protocol 41?

Options:

A. additional PPTP traffic due to Windows clients
B. unauthorized peer-to-peer traffic
C. deployment of a GRE network on top of an existing Layer 3 network
D. attempts to tunnel IPv6 traffic through an IPv4 network

Question 35

How can TOR impact data visibility inside an organization?

Options:

A. increases data integrity
B. increases security
C. decreases visibility
D. no impact

Question 36

An engineer must compare NIST vs ISO frameworks. The engineer needed to compare them as readable documentation and also to watch a comparison video review. Using Windows 10 OS, the engineer started a browser and searched for a NIST document, then opened a new tab in the same browser and searched for an ISO document for comparison.

The engineer tried to watch the video, but there was an audio problem with the OS, so the engineer had to troubleshoot it. At first the engineer started CMD and looked for a driver path, then looked for a corresponding registry key in the registry editor. The engineer enabled "Audiosrv" in Task Manager and set it to auto start, and the problem was solved. Which two components of the OS did the engineer touch? (Choose two.)

Options:

A. permissions
B. PowerShell logs
C. service
D. MBR
E. process and thread

Question 37

At a company party a guest asks questions about the company's user account format and password complexity. How is this type of conversation classified?

Options:

A. Phishing attack
B. Password Revelation Strategy
C. Piggybacking
D. Social Engineering

Question 38

Which statement describes patch management?

Options:

A. scanning servers and workstations for missing patches and vulnerabilities
B. managing and keeping previous patches lists documented for audit purposes
C. process of appropriate distribution of system or software updates
D. workflow of distributing mitigations of newly found vulnerabilities

Question 39

Refer to the exhibit.

Which type of log is displayed?

Options:

A. IDS
B. proxy
C. NetFlow
D. sys

Question 40

What is a difference between SIEM and SOAR security systems?

Options:

A. SOAR ingests numerous types of logs and event data from infrastructure components, and SIEM can fetch data from endpoint security software and external threat intelligence feeds.
B. SOAR collects and stores security data at a central point and then converts it into actionable intelligence, and SIEM enables SOC teams to automate and orchestrate manual tasks.
C. SIEM raises alerts in the event of detecting any suspicious activity, and SOAR automates investigation path workflows and reduces time spent on alerts.
D. SIEM combines data collecting, standardization, case management, and analytics for a defense-in-depth concept, and SOAR collects security data: antivirus logs, firewall logs, and hashes of downloaded files.

Question 41

A security engineer notices confidential data being exfiltrated to a domain "Ranso4134-mware31-895" address that is attributed to a known advanced persistent threat group. The engineer discovers that the activity is part of a real attack and not a network misconfiguration. Which category does this event fall under as defined in the Cyber Kill Chain?

Options:

A. reconnaissance
B. delivery
C. action on objectives
D. weaponization

Question 42

What is sliding window anomaly detection?

Options:

A. Detect changes in operations and management processes.
B. Identify uncommon patterns that do not fit usual behavior.
C. Define response times for requests for owned applications.
D. Apply lowest privilege/permission level to software.

Question 43

What is the purpose of command and control for network-aware malware?

Options:

A. It contacts a remote server for commands and updates.
B. It takes over the user account for analysis.
C. It controls and shuts down services on the infected host.
D. It helps the malware to profile the host.

Question 44

What is the difference between an attack vector and attack surface?

Options:

A. An attack surface identifies vulnerabilities that require user input or validation, and an attack vector identifies vulnerabilities that are independent of user actions.
B. An attack vector identifies components that can be exploited, and an attack surface identifies the potential path an attack can take to penetrate the network.
C. An attack surface recognizes which network parts are vulnerable to an attack, and an attack vector identifies which attacks are possible with these vulnerabilities.
D. An attack vector identifies the potential outcomes of an attack, and an attack surface launches an attack using several methods against the identified vulnerabilities.

Question 45

Which are two denial-of-service attacks? (Choose two.)

Options:

A. TCP connections
B. ping of death
C. man-in-the-middle
D. code-red
E. UDP flooding

Question 46

A network engineer discovers that a foreign government hacked one of the defense contractors in their home country and stole intellectual property. What is the threat agent in this situation?

Options:

A. the intellectual property that was stolen
B. the defense contractor who stored the intellectual property
C. the method used to conduct the attack
D. the foreign government that conducted the attack

Question 47

Which data format is the most efficient to build a baseline of traffic seen over an extended period of time?

Options:

A. syslog messages
B. full packet capture
C. NetFlow
D. firewall event logs

Question 48

Which event is user interaction?

Options:

A. gaining root access
B. executing remote code
C. reading and writing file permission
D. opening a malicious file

Question 49

What is an attack surface as compared to a vulnerability?

Options:

A. any potential danger to an asset
B. the sum of all paths for data into and out of the environment
C. an exploitable weakness in a system or its design
D. the individuals who perform an attack

Question 50

A company receptionist received a threatening call referencing stealing assets and did not take any action, assuming it was a social engineering attempt. Within 48 hours, multiple assets were breached, affecting the confidentiality of sensitive information. What is the threat actor in this incident?

Options:

A. company assets that are threatened
B. customer assets that are threatened
C. perpetrators of the attack
D. victims of the attack

Question 51

Refer to the exhibit.

An engineer received a ticket about a slowed-down web application. The engineer runs the #netstat -an command. How must the engineer interpret the results?

Options:

A. The web application is receiving common, legitimate traffic.
B. The engineer must gather more data.
C. The web application server is under a denial-of-service attack.
D. The server is under a man-in-the-middle attack between the web application and its database.

Question 52

An engineer discovered a breach, identified the threat's entry point, and removed access. The engineer was able to identify the host, the IP address of the threat actor, and the application the threat actor targeted. What is the next step the engineer should take according to the NIST SP 800-61 Incident Handling Guide?

Options:

A. Recover from the threat.
B. Analyze the threat.
C. Identify lessons learned from the threat.
D. Reduce the probability of similar threats.

Question 53

The security team has detected an ongoing spam campaign targeting the organization. The team's approach is to push back the cyber kill chain and mitigate ongoing incidents. At which phase of the cyber kill chain should the security team mitigate this type of attack?

Options:

A. actions
B. delivery
C. reconnaissance
D. installation

Question 54

A developer is working on a project using a Linux tool that enables writing processes to obtain these required results:

  • If the process is unsuccessful, a negative value is returned.
  • If the process is successful, a 0 value is returned to the child process, and the process ID is sent to the parent process.

Which component results from this operation?

Options:

A. parent directory name of a file pathname
B. process spawn scheduled
C. macros for managing CPU sets
D. new process created by parent process

Question 55

An engineer is working on a ticket for an incident from the incident management team. A week ago, an external web application was targeted by a DDoS attack. Server resources were exhausted, and after two hours it crashed. An engineer was able to identify the attacker and the technique used. Three hours after the attack, the server was restored, and the engineer recommended implementing mitigation by blackhole filtering and transferred the incident ticket back to the IR team. According to NIST SP 800-61, at which phase of the incident response did the engineer finish work?

Options:

A. preparation
B. post-incident activity
C. containment, eradication, and recovery
D. detection and analysis

Question 56

What are two denial of service attacks? (Choose two.)

Options:

A. MITM
B. TCP connections
C. ping of death
D. UDP flooding
E. code red

Question 57

Which open-sourced packet capture tool uses Linux and Mac OS X operating systems?

Options:

A. NetScout
B. tcpdump
C. SolarWinds
D. netsh

Question 58

Refer to the exhibit.

What is shown in this PCAP file?

Options:

A. Timestamps are indicated with error.
B. The protocol is TCP.
C. The User-Agent is Mozilla/5.0.
D. The HTTP GET is encoded.

Question 59

What is personally identifiable information that must be safeguarded from unauthorized access?

Options:

A. date of birth
B. driver's license number
C. gender
D. zip code

Question 60

Which data type is necessary to get information about source/destination ports?

Options:

A. statistical data
B. session data
C. connectivity data
D. alert data

Question 61

What is the difference between inline traffic interrogation and traffic mirroring?

Options:

A. Inline interrogation is less complex as traffic mirroring applies additional tags to data.
B. Traffic mirroring copies the traffic rather than forwarding it directly to the analysis tools.
C. Inline replicates the traffic to preserve integrity rather than modifying packets before sending them to other analysis tools.
D. Traffic mirroring results in faster traffic analysis and inline is considerably slower due to latency.

Question 62

What are two denial-of-service (DoS) attacks? (Choose two.)

Options:

A. port scan
B. SYN flood
C. man-in-the-middle
D. phishing
E. teardrop

Question 63

Drag and drop the event term from the left onto the description on the right.

Question 64

What should a security analyst consider when comparing inline traffic interrogation with traffic tapping to determine which approach to use in the network?

Options:

A. Tapping interrogation replicates signals to a separate port for analyzing traffic.
B. Tapping interrogations detect and block malicious traffic.
C. Inline interrogation enables viewing a copy of traffic to ensure traffic is in compliance with security policies.
D. Inline interrogation detects malicious traffic but does not block the traffic.

Question 65

Refer to the exhibit.

What does the output indicate about the server with the IP address 172.18.104.139?

Options:

A. open ports of a web server
B. open port of an FTP server
C. open ports of an email server
D. running processes of the server

Question 66

Refer to the exhibit.

Which type of attack is being executed?

Options:

A. SQL injection
B. cross-site scripting
C. cross-site request forgery
D. command injection

Question 67

Drag and drop the uses on the left onto the type of security system on the right.

Question 68

Drag and drop the data source from the left onto the data type on the right.

Question 69

What is the impact of false positive alerts on business compared to true positive?

Options:

A. True positives affect security as no alarm is raised when an attack has taken place, while false positives are alerts raised appropriately to detect and further mitigate them.
B. True-positive alerts are blocked by mistake as potential attacks, while false positives are actual attacks identified as harmless.
C. False-positive alerts are detected by confusion as potential attacks, while true positives are attack attempts identified appropriately.
D. False-positive alerts are manually ignored signatures to avoid warnings that are already acknowledged, while true positives are warnings that are not yet acknowledged.

Question 70

Which event is a vishing attack?

Options:

A. obtaining disposed documents from an organization
B. using a vulnerability scanner on a corporate network
C. setting up a rogue access point near a public hotspot
D. impersonating a tech support agent during a phone call

Question 71

Which step in the incident response process researches an attacking host through logs in a SIEM?

Options:

A. detection and analysis
B. preparation
C. eradication
D. containment

Question 72

Refer to the exhibit.

Drag and drop the element name from the left onto the correct piece of the PCAP file on the right.

Question 73

An engineer is investigating a case of the unauthorized usage of the "Tcpdump" tool. The analysis revealed that a malicious insider attempted to sniff traffic on a specific interface. What type of information did the malicious insider attempt to obtain?

Options:

A. tagged protocols being used on the network
B. all firewall alerts and resulting mitigations
C. tagged ports being used on the network
D. all information and data within the datagram

Question 74

Which evasion technique is a function of ransomware?

Options:

A. extended sleep calls
B. encryption
C. resource exhaustion
D. encoding

Question 75

Refer to the exhibit.

What is the potential threat identified in this Stealthwatch dashboard?

Options:

A. A policy violation is active for host 10.10.101.24.
B. A host on the network is sending a DDoS attack to another inside host.
C. There are three active data exfiltration alerts.
D. A policy violation is active for host 10.201.3.149.

Question 76

What is a collection of compromised machines that attackers use to carry out a DDoS attack?

Options:

A. subnet
B. botnet
C. VLAN
D. command and control

Question 77

An engineer must configure network systems to detect command-and-control communications by decrypting ingress and egress perimeter traffic and allowing network security devices to detect malicious outbound communications. Which technology must be used to accomplish this task?

Options:

A. static IP addresses
B. signatures
C. digital certificates
D. cipher suite

Question 78

Refer to the exhibit.

Which packet contains a file that is extractable within Wireshark?

Options:

A. 2317
B. 1986
C. 2318
D. 2542

Question 79

Which list identifies the information that the client sends to the server in the negotiation phase of the TLS handshake?

Options:

A. ClientStart, ClientKeyExchange, cipher-suites it supports, and suggested compression methods
B. ClientStart, TLS versions it supports, cipher-suites it supports, and suggested compression methods
C. ClientHello, TLS versions it supports, cipher-suites it supports, and suggested compression methods
D. ClientHello, ClientKeyExchange, cipher-suites it supports, and suggested compression methods

Question 80

Refer to the exhibit.

An engineer received a ticket about a slowdown of a web application. During analysis of traffic, the engineer suspects a possible attack on a web server. How should the engineer interpret the Wireshark traffic capture?

Options:

A. 10.0.0.2 sends GET / HTTP/1.1 and POST requests, and the target responds with HTTP/1.1 200 OK and HTTP/1.1 403 accordingly. This is an HTTP flood attempt.
B. 10.0.0.2 sends HTTP FORBIDDEN /1.1 and POST requests, while the target responds with HTTP/1.1 200 Get and HTTP/1.1 403. This is an HTTP GET flood attack.
C. 10.128.0.2 sends POST/1.1 and POST requests, and the target responds with HTTP/1.1 200 OK and HTTP/1.1 403 accordingly. This is an HTTP Reserve Bandwidth flood.
D. 10.128.0.2 sends HTTP/FORBIDDEN/1.1 and GET requests, and the target responds with HTTP/1.1 200 OK and HTTP/1.1 403. This is an HTTP cache bypass attack.

Question 81

What does the Zero Trust security model signify?

Options:

A. Zero Trust security means that no one is trusted by default from inside or outside the network.
B. Zero Trust states that no users should be given enough privileges to misuse the system on their own.
C. Zero Trust addresses access control and states that an individual should have only the minimum access privileges necessary to perform specific tasks.
D. Zero Trust states that unless a subject is given explicit access to an object, it should be denied access to that object.

Question 82

While viewing packet capture data, an analyst sees that one IP is sending and receiving traffic for multiple devices by modifying the IP header. Which technology makes this behavior possible?

Options:

A. encapsulation
B. TOR
C. tunneling
D. NAT

Question 83

Refer to the exhibit.

Which component is identifiable in this exhibit?

Options:

A. Trusted Root Certificate store on the local machine
B. Windows PowerShell verb
C. Windows Registry hive
D. local service in the Windows Services Manager

Question 84

An analyst is using the SIEM platform and must extract a custom property from a Cisco device and capture the phrase, "File: Clean." Which regex must the analyst import?

Options:

A. File: Clean
B. ^Parent File Clean$
C. File: Clean (.*)
D. ^File: Clean$

Question 85

What are two categories of DDoS attacks? (Choose two.)

Options:

A. split brain
B. scanning
C. phishing
D. reflected
E. direct

Question 86

Which regular expression is needed to capture the IP address 192.168.20.232?

Options:

A. ^(?:[0-9]{1,3}\.){3}[0-9]{1,3}
B. ^(?:[0-9]{1,3}\.){1,4}
C. ^(?:[0-9]{1,3}\.)'
D. ^([0-9]-{3})

Question 87

An engineer receives a security alert that traffic with a known TOR exit node has occurred on the network. What is the impact of this traffic?

Options:

A. ransomware communicating after infection
B. users downloading copyrighted content
C. data exfiltration
D. user circumvention of the firewall

Question 88

A cyberattacker notices a security flaw in software that a company is using. They decide to tailor a specific worm to exploit this flaw and extract saved passwords from the software. To which category of the Cyber Kill Chain model does this event belong?

Options:

A. reconnaissance
B. delivery
C. weaponization
D. exploitation

Question 89

Which classification of cross-site scripting attack executes the payload without storing it for repeated use?

Options:

A. stored
B. reflective
C. DOM
D. CSRF

Question 90

A malicious file has been identified in a sandbox analysis tool. Which piece of information is needed to search for additional downloads of this file by other hosts?

Options:

A. file header type
B. file size
C. file name
D. file hash value

Question 91

Refer to the exhibit.

What is occurring?

Options:

A. Cross-Site Scripting attack
B. XML External Entities attack
C. Insecure Deserialization
D. Regular GET requests

Question 92

Refer to the exhibit.

Which frame numbers contain a file that is extractable via TCP stream within Wireshark?

Options:

A. 7, 14, and 21
B. 7 and 21
C. 14, 16, 18, and 19
D. 7 to 21

Question 93

Refer to the exhibit.

An engineer is analyzing a PCAP file after a recent breach. The engineer identified that the attacker used an aggressive ARP scan to scan the hosts and found web and SSH servers. Further analysis showed several SSH Server Banner and Key Exchange Initiations. The engineer cannot see the exact data being transmitted over an encrypted channel and cannot identify how the attacker gained access. How did the attacker gain access?

Options:

A. by using the buffer overflow in the URL catcher feature for SSH
B. by using an SSH Tectia Server vulnerability to enable host-based authentication
C. by using an SSH vulnerability to silently redirect connections to the local host
D. by using brute force on the SSH service to gain access
