Referring to the play that is shown here, which three statements are correct? (Choose three.) This play is a high-fidelity report/event. The data source is from the IDS. The data…
What is the main function of the playbook management system? tracks the attacks progress tracks the play progress and life cycle provides a centralized logging facility to run queries against…
Regarding the plays in a playbook, match the description to the section of a play. action ==> documents the actions to take during the incident response phase reference ==> provides the bulk…
What is the typical next step after the analyst runs the plays in the playbook? collection and analysis information sharing detection mitigation and remediation Explanation & Hint: The typical next…
Which section of the play is intended to provide background information and a good reason why the play exists? report identification working action analysis reference objective Explanation & Hint: The…
Which two statements about a playbook are correct? (Choose two.) A playbook is a prescriptive collection of repeatable plays (reports and methods) to detect and respond to security incidents. A…
Which tool is used to block suspicious DNS queries by domain names rather than by IP addresses? DNS sinkhole BGP black hole firewall IPS Explanation & Hint: The tool used…
Which section of the play references the data query to be run against SIEM? report identification working action analysis reference objective Explanation & Hint: In the context of conducting a…
When conducting a security incident investigation, which statement is true? The Tier 1 SOC analyst should perform an in-depth malware file analysis, using tools such as VirusTotal and Malwr.com. Slowly…
With the China Chopper RAT, which protocol should the analyst monitor closely to detect the caidao.exe client communications with the compromised web server? SMTP HTTP or HTTPS FTP DNS SSH…
While investigating a security event, the Tier 1 SOC analyst will have a set of objectives or questions they should answer. Match each objective to its description. defines the threat…
What are the two components of the China Chopper RAT? (Choose two.) RAT malware that is placed on the compromised host that is always written in Perl web shell file…
What makes China Chopper "stealthy" as a Remote Access Tool (RAT) kit? The traffic between the web shell and the client is sent over an encrypted SSH connection. the small…
What are two important reasons why the SOC analysts should not quickly formulate a conclusion that identifies the threat actor of the attack, based on a single IDS alert? (Choose…
Which four of the following are attack capabilities that are available with the China Chopper RAT Trojan? (Choose four.) brute force password file management SSL/TLS session decode virtual terminal (command…
Which two of the following are best practices to help reduce the possibility of malware arriving on the target systems? (Choose two.) When developing software, implement secure coding practices, which…
Session data provides the IP 5-tuple that is associated with an HTTP connection, along with byte counts, packet counts, and a time stamp. What three additional transaction data types can…
Match the data event to its best description. can include the 5-tuple information, which is the source and destination IP addresses, source and destination ports, protocols involved with the IP…
Logs from a DHCP server can be leveraged to accomplish which of the following? attributing a unique username to an IP address mapping an IP address to a hostname identifying…
Considering the following IPS alert, which of the following HTTP transaction records provides the most relevant correlation with the alert? Count:7 Event#7.2 2017-01-03 21:31:44 FILE-FLASH Adobe Flash Player integer underflow…