Which two statements about a playbook are correct? (Choose two.) A playbook is a prescriptive collection of repeatable plays (reports and methods) to detect and respond to security incidents. A…
Which tool is used to block suspicious DNS queries by domain names rather than by IP addresses? DNS sinkhole BGP black hole firewall IPS Explanation & Hint: The tool used…
Which section of the play references the data query to be run against SIEM? report identification working action analysis reference objective Explanation & Hint: In the context of conducting a…
When conducting a security incident investigation, which statement is true? The Tier 1 SOC analyst should perform an in-depth malware file analysis, using tools such as VirusTotal and Malwr.com. Slowly…
With the China Chopper RAT, which protocol should the analyst monitor closely to detect the caidao.exe client communications with the compromised web server? SMTP HTTP or HTTPS FTP DNS SSH…
While investigating a security event, the Tier 1 SOC analyst will have a set of objectives or questions they should answer. Match each objective to its description. defines the threat…
What are the two components of the China Chopper RAT? (Choose two.) RAT malware that is placed on the compromised host that is always written in Perl web shell file…
What makes China Chopper "stealthy" as a Remote Access Tool (RAT) kit? The traffic between the web shell and the client is sent over an encrypted SSH connection. the small…
What are two important reasons why the SOC analysts should not quickly formulate a conclusion that identifies the threat actor of the attack, based on a single IDS alert? (Choose…
Which four of the following are attack capabilities that are available with the China Chopper RAT Trojan? (Choose four.) brute force password file management SSL/TLS session decode virtual terminal (command…
Which two of the following are best practices to help reduce the possibility of malware arriving on the target systems? (Choose two.) When developing software, implement secure coding practices, which…
Session data provides the IP 5-tuple that is associated with an HTTP connection, along with byte counts, packet counts, and a time stamp. What three additional transaction data types can…
Match the data event to its best description. can include the 5-tuple information, which is the source and destination IP addresses, source and destination ports, protocols involved with the IP…
Logs from a DHCP server can be leveraged to accomplish which of the following? attributing a unique username to an IP address mapping an IP address to a hostname identifying…
Considering the following IPS alert, which of the following HTTP transaction records provides the most relevant correlation with the alert? Count:7 Event#7.2 2017-01-03 21:31:44 FILE-FLASH Adobe Flash Player integer underflow…
Malware often takes the form of binary files. To prove the assertion that a malicious file was downloaded, submitting the output of a sandbox detonation report along with an IPS…
The process of relating multiple security event records to gain more clarity than is available from any security event record in isolation is called what? corroboration correlation aggregation normalization summarization…
Match each color of the TLP to the correct description: Disclosure is not limited ==> white Not for disclosure, which is restricted to participants only ==> green Limited disclosure, which is restricted…
Which organization publishes a report of the top 10 most widely exploited web application vulnerabilities? OWASP Spamhaus Alexa Farsight Explanation & Hint: The organization that publishes a report of the…
Which two statements are true about CVSS? (Choose two.) CVSS is vendor agnostic. CVSS is Cisco proprietary. CVSS is designed to calculate the chances of a network being attacked. CVSS…