312-39 : Certified SOC Analyst : Part 05

Which of the following attack can be eradicated by disabling of “allow_url_fopen and allow_url_include” in the php.ini file?
- File Injection Attacks
- URL Injection Attacks
- LDAP Injection Attacks
- Command Injection Attacks
Which of the following stage executed after identifying the required event sources?
- Identifying the monitoring Requirements
- Defining Rule for the Use Case
- Implementing and Testing the Use Case
- Validating the event source against monitoring requirement
Which of the following steps of incident handling and response process focus on limiting the scope and extent of an incident?
- Containment
- Data Collection
- Eradication
- Identification
Which of the following data source will a SOC Analyst use to monitor connections to the insecure ports?
- Netstat Data
- DNS Data
- IIS Data
- DHCP Data
Which of the following technique protects from flooding attacks originated from the valid prefixes (IP addresses) so that they can be traced to its true source?
- Rate Limiting
- Egress Filtering
- Ingress Filtering
- Throttling
Which of the following contains the performance measures, and proper project and time management details?
- Incident Response Policy
- Incident Response Tactics
- Incident Response Process
- Incident Response Procedures
John as a SOC analyst is worried about the amount of Tor traffic hitting the network. He wants to prepare a dashboard in the SIEM to get a graph to identify the locations from where the TOR traffic is coming.

Which of the following data source will he use to prepare the dashboard?
- DHCP/Logs capable of maintaining IP addresses or hostnames with IPtoName resolution.
- IIS/Web Server logs with IP addresses and user agent IPtouseragent resolution.
- DNS/ Web Server logs with IP addresses.
- Apache/ Web Server logs with IP addresses and Host Name.
Which of the following process refers to the discarding of the packets at the routing level without informing the source that the data did not reach its intended recipient?
- Load Balancing
- Rate Limiting
- Black Hole Filtering
- Drop Requests
Which of the following tool can be used to filter web requests associated with the SQL Injection attack?
- Nmap
- UrlScan
- ZAP proxy
- Hydra
Charline is working as an L2 SOC Analyst. One day, an L1 SOC Analyst escalated an incident to her for further investigation and confirmation. Charline, after a thorough investigation, confirmed the incident and assigned it with an initial priority.

What would be her next action according to the SOC workflow?
- She should immediately escalate this issue to the management
- She should immediately contact the network administrator to solve the problem
- She should communicate this incident to the media immediately
- She should formally raise a ticket and forward it to the IRT
Which of the following threat intelligence helps cyber security professionals such as security operations managers, network operations center and incident responders to understand how the adversaries are expected to perform the attack on the organization, and the technical capabilities and goals of the attackers along with the attack vectors?
- Analytical Threat Intelligence
- Operational Threat Intelligence
- Strategic Threat Intelligence
- Tactical Threat Intelligence
If the SIEM generates the following four alerts at the same time:

I. Firewall blocking traffic from getting into the network alerts
II. SQL injection attempt alerts
III. Data deletion attempt alerts
IV. Brute-force attempt alerts

Which alert should be given least priority as per effective alert triaging?
- III
- IV
- II
- I
InfoSystem LLC, a US-based company, is establishing an in-house SOC. John has been given the responsibility to finalize strategy, policies, and procedures for the SOC.

Identify the job role of John.
- Security Analyst – L1
- Chief Information Security Officer (CISO)
- Security Engineer
- Security Analyst – L2
Which of the following service provides phishing protection and content filtering to manage the Internet experience on and off your network with the acceptable use or compliance policies?
- Apility.io
- Malstrom
- OpenDNS
- I-Blocklist
David is a SOC analyst in Karen Tech. One day an attack is initiated by the intruders but David was not able to find any suspicious events.

This type of incident is categorized into __________?
- True Positive Incidents
- False positive Incidents
- True Negative Incidents
- False Negative Incidents
Emmanuel is working as a SOC analyst in a company named Tobey Tech. The manager of Tobey Tech recently recruited an Incident Response Team (IRT) for his company. In the process of collaboration with the IRT, Emmanuel just escalated an incident to the IRT.

What is the first step that the IRT will do to the incident escalated by Emmanuel?
- Incident Analysis and Validation
- Incident Recording
- Incident Classification
- Incident Prioritization
Identify the HTTP status codes that represents the server error.
- 2XX
- 4XX
- 1XX
- 5XX
Jony, a security analyst, while monitoring IIS logs, identified events shown in the figure below.

312-39 Part05 Q18 004

What does this event log indicate?
- Parameter Tampering Attack
- XSS Attack
- Directory Traversal Attack
- SQL Injection Attack
Which attack works like a dictionary attack, but adds some numbers and symbols to the words from the dictionary and tries to crack the password?
- Hybrid Attack
- Bruteforce Attack
- Rainbow Table Attack
- Birthday Attack
Which of the following attack can be eradicated by converting all non-alphanumeric characters to HTML character entities before displaying the user input in search engines and forums?
- Broken Access Control Attacks
- Web Services Attacks
- XSS Attacks
- Session Management Attacks

312-39 : Certified SOC Analyst : Part 05

Which of the following attack can be eradicated by disabling of “allow_url_fopen and allow_url_include” in the php.ini file?

Which of the following stage executed after identifying the required event sources?

Which of the following steps of incident handling and response process focus on limiting the scope and extent of an incident?

Which of the following data source will a SOC Analyst use to monitor connections to the insecure ports?

Which of the following technique protects from flooding attacks originated from the valid prefixes (IP addresses) so that they can be traced to its true source?

Which of the following contains the performance measures, and proper project and time management details?

John as a SOC analyst is worried about the amount of Tor traffic hitting the network. He wants to prepare a dashboard in the SIEM to get a graph to identify the locations from where the TOR traffic is coming.

Which of the following data source will he use to prepare the dashboard?

Which of the following process refers to the discarding of the packets at the routing level without informing the source that the data did not reach its intended recipient?

Which of the following tool can be used to filter web requests associated with the SQL Injection attack?

Charline is working as an L2 SOC Analyst. One day, an L1 SOC Analyst escalated an incident to her for further investigation and confirmation. Charline, after a thorough investigation, confirmed the incident and assigned it with an initial priority.

What would be her next action according to the SOC workflow?

If the SIEM generates the following four alerts at the same time:

Which alert should be given least priority as per effective alert triaging?

InfoSystem LLC, a US-based company, is establishing an in-house SOC. John has been given the responsibility to finalize strategy, policies, and procedures for the SOC.

Identify the job role of John.

Which of the following service provides phishing protection and content filtering to manage the Internet experience on and off your network with the acceptable use or compliance policies?

David is a SOC analyst in Karen Tech. One day an attack is initiated by the intruders but David was not able to find any suspicious events.

This type of incident is categorized into __________?

Emmanuel is working as a SOC analyst in a company named Tobey Tech. The manager of Tobey Tech recently recruited an Incident Response Team (IRT) for his company. In the process of collaboration with the IRT, Emmanuel just escalated an incident to the IRT.

What is the first step that the IRT will do to the incident escalated by Emmanuel?

Identify the HTTP status codes that represents the server error.

Jony, a security analyst, while monitoring IIS logs, identified events shown in the figure below.

What does this event log indicate?

Which attack works like a dictionary attack, but adds some numbers and symbols to the words from the dictionary and tries to crack the password?

Which of the following attack can be eradicated by converting all non-alphanumeric characters to HTML character entities before displaying the user input in search engines and forums?