Sample questions
Cisco CyberOps Associate 200-201 practice questions
A security analyst observes repeated failed login attempts to an internal web server from multiple external IP addresses. The analyst creates a correlation rule that triggers an alert if more than 10 failed logins occur from a single source IP within 5 minutes. After deploying the rule, the analyst finds that the rule generates false positives from legitimate users who mistype passwords. Which action should the analyst take to reduce false positives while maintaining detection effectiveness?
- A. Whitelist all external IP addresses that belong to business partners.
  Why wrong: Whitelisting external IPs could exclude malicious IPs and reduce visibility.
- B. Reduce the time window to 2 minutes to catch attacks faster.
  Why wrong: Reducing the window would increase false positives, as legitimate mistypes might occur within 2 minutes.
- C. Change the rule to block the source IP after 5 failed attempts.
  Why wrong: Blocking after 5 failures would still trigger on legitimate mistypes and may block users.
- D. Increase the threshold to 15 failed logins within a 10-minute window.
  Correct: A higher threshold and a longer window reduce false positives from occasional mistypes while still detecting sustained attacks.
A security analyst is investigating a host that is suspected of being used as a pivot point in a network intrusion. The analyst needs to identify which process initiated an outbound connection to a known malicious IP address. Which host-based analysis approach should the analyst use to correlate the network connection to the specific process?
- A. Run 'netstat -b' on the Windows host to display active connections with the associated process executable.
  Correct: The -b flag shows the binary involved in creating each connection, directly correlating the connection to the process.
- B. Examine the Windows Firewall log to see the source and destination IP addresses and ports for outbound traffic.
  Why wrong: Firewall logs show network traffic but do not identify the process that initiated it.
- C. Review the Windows Security Event Log for Event ID 4688 (Process Creation) for the timeline of process starts.
  Why wrong: Event ID 4688 shows process creation events but does not directly link them to network connections.
- D. Use the PowerShell cmdlet 'Get-NetTCPConnection' to list current TCP connections and their states.
  Why wrong: Get-NetTCPConnection provides connection details but lacks the owning process information without additional options.
Which TWO of the following are common indicators of a denial-of-service (DoS) attack?
- A. A low level of network utilization on the target server
  Why wrong: DoS attacks increase utilization, not decrease it.
- B. A gradual increase in traffic from multiple geographic locations
  Why wrong: This may be normal traffic growth or a marketing campaign.
- C. A high number of DNS queries from diverse source IPs
  Why wrong: This could be a DDoS, but the question asks for DoS (single source).
- D. A sudden increase in traffic from a single source IP address
  Correct: This indicates a potential DoS attack from that IP.
- E. A large number of incomplete TCP connections (SYN packets without ACK)
  Correct: This is characteristic of a SYN flood DoS attack.
An analyst reviews the ACL applied to the outside interface of a router. The analyst notices that traffic from 192.168.1.0/24 to 10.10.10.10 on port 443 is permitted, but all other traffic is denied and logged. Which of the following is a potential security issue with this ACL?
Exhibit
Refer to the exhibit.
```
! Output from show access-list 101
Extended IP access list 101
    10 permit tcp 192.168.1.0 0.0.0.255 host 10.10.10.10 eq 443
    20 deny ip any any log
```
- A. The deny statement with logging may generate excessive logs, potentially masking attacks.
  Correct: Excessive logging can bury important alerts in noise.
- B. The ACL is applied inbound on the outside interface, which could allow external traffic.
  Why wrong: The exhibit does not indicate the direction; it only shows the ACL content.
- C. The permit statement does not have logging enabled, so traffic is not monitored.
  Why wrong: Logging on permit is optional; the issue is the deny log.
- D. The ACL allows all traffic from 192.168.1.0/24 to 10.10.10.10 on any port.
  Why wrong: It only permits port 443, not all ports.
Which TWO of the following are indicators of a network intrusion? (Choose two.)
- A. High bandwidth usage during business hours
  Why wrong: High bandwidth can be legitimate, e.g., video streaming or backups.
- B. A single failed login attempt from an internal user
  Why wrong: One failed login is normal; it does not indicate an intrusion.
- C. Regular ICMP echo requests to external hosts
  Why wrong: ICMP echo requests are common for network troubleshooting.
- D. A sudden increase in DNS queries to unknown domains from a single host
  Correct: This could indicate malware beaconing or DNS tunneling.
- E. Multiple outbound connections from a server to an external IP on port 445
  Correct: Port 445 is SMB; outbound SMB from a server may indicate data exfiltration.
Refer to the exhibit. A network analyst sees repeated denied attempts from host 10.0.0.2 to 10.0.0.1 on port 23. Based on the log, what type of activity is most likely occurring?
Exhibit
Refer to the exhibit.
```
Mar 1 10:15:22 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.2(49152) -> 10.0.0.1(23), 1 packet
Mar 1 10:15:23 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.2(49153) -> 10.0.0.1(23), 1 packet
Mar 1 10:15:24 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.2(49154) -> 10.0.0.1(23), 1 packet
```
- A. DNS amplification attack
  Why wrong: DNS amplification uses UDP port 53, not TCP port 23.
- B. ARP spoofing
  Why wrong: ARP spoofing involves ARP packets, not TCP log entries.
- C. Brute force attempt on Telnet service
  Correct: Multiple connection attempts to port 23 (Telnet) from the same source indicate brute-force or scanning activity.
- D. ICMP flood attack
  Why wrong: An ICMP flood would generate ICMP packets, not TCP connections to port 23.
Drag and drop the steps for the TCP three-way handshake into the correct order.
Drag and drop the steps to configure a VLAN on a Cisco switch into the correct order.
Drag and drop the steps for initial configuration of a Cisco IOS device after booting into the correct order.
Drag and drop the steps to implement a disaster recovery plan for a critical server into the correct order.
Drag and drop the steps for the DHCP DORA process (dynamic host configuration) into the correct order.
Drag and drop the steps to perform a password recovery on a Cisco IOS router into the correct order.
Drag and drop the steps to analyze a packet capture for suspicious activity into the correct order.
A company's security policy includes a clause that all software installed on company devices must be approved by the IT department. An employee installs an unapproved application that later causes a malware infection. Which policy was violated?
- A. Incident Response Policy
  Why wrong: An incident response policy outlines steps to take after an incident.
- B. Acceptable Use Policy
  Correct: Software installation rules are part of acceptable use.
- C. Data Retention Policy
  Why wrong: A data retention policy deals with log storage.
- D. Remote Access Policy
  Why wrong: A remote access policy governs external connections.
Refer to the exhibit. An analyst configures an ACL to block traffic to a malicious host on port 443. After applying it inbound on the external interface, the analyst sees the ACL counters. What does the output indicate?
Exhibit
Refer to the exhibit.
```
Router# show ip access-lists
Extended IP access list BLOCK_MALICIOUS
10 deny tcp any host 203.0.113.5 eq 443
20 permit ip any any (2623 matches)
```
- A. The ACL is working correctly; traffic to the malicious host is blocked.
  Why wrong: The deny line has no matches, so no traffic is being denied.
- B. The ACL is not blocking traffic because the deny line has 0 matches.
  Correct: This indicates the rule is not being hit; the ACL may be applied in the wrong direction.
- C. The ACL needs to be applied outbound to work.
  Why wrong: Could be, but the exhibit does not specify direction.
- D. The ACL is blocking all traffic because the permit line is never used.
  Why wrong: The permit line has matches; traffic is passing.
An analyst is reviewing a suspicious email reported by a user. The email contains an attachment 'invoice.pdf' and urges the user to open it. Which indicator is most likely to confirm it is a phishing attempt?
- A. The email has a company logo.
  Why wrong: A logo can be easily spoofed.
- B. The email was sent from a domain that looks like 'arnazon.com'.
  Correct: A typo-squatting domain indicates phishing.
- C. The attachment is a PDF file.
  Why wrong: PDFs are commonly used but not inherently malicious.
- D. The email was sent during business hours.
  Why wrong: Normal timing; not suspicious.
Refer to the exhibit. An EDR alert shows this JSON event. What is the most significant indicator of a potential malware infection?
Exhibit
Refer to the exhibit.
```
{
"event": "Process Creation",
"timestamp": "2024-08-01T10:00:00Z",
"hostname": "DESKTOP-ABC123",
"user": "jsmith",
"process": "C:\\Users\\jsmith\\Downloads\\invoice.exe",
"parent_process": "C:\\Windows\\explorer.exe"
}
```
- A. The user is 'jsmith'.
  Why wrong: A username alone is not suspicious.
- B. The parent process is explorer.exe.
  Why wrong: This is normal for user-launched processes.
- C. The process path is in the Downloads folder.
  Correct: The Downloads folder is a common location for malware delivered via email or web.
- D. The event type is 'Process Creation'.
  Why wrong: This is a normal event type.
Which TWO are best practices for managing SIEM alerts to reduce false positives? (Choose two.)
- A. Disable all alerts that generate more than 100 events per day.
  Why wrong: This may miss true positives.
- B. Use a separate SIEM for each department.
  Why wrong: This splits visibility and does not reduce false positives.
- C. Regularly tune correlation rules based on feedback.
  Correct: Tuning adapts the rules to the environment.
- D. Increase the number of log sources.
  Why wrong: This may increase noise.
- E. Maintain a whitelist of known benign activity.
  Correct: A whitelist filters out known good activity.
Which TWO types of network traffic should be analyzed to detect a data exfiltration attempt via HTTP? (Choose two.)
- A. ICMP echo requests
  Why wrong: ICMP is not HTTP.
- B. HTTP request headers
  Correct: Headers may reveal suspicious patterns such as custom user-agents.
- C. HTTP request body
  Correct: The body may contain the data being exfiltrated.
- D. DNS query responses
  Why wrong: DNS is a separate protocol.
- E. TCP three-way handshake
  Why wrong: The handshake is normal for any TCP connection.
Refer to the exhibit. The analyst sees two IDS alerts from the same source. What should the analyst conclude?
Exhibit
Refer to the exhibit.
```
Event: 1, Signature: GPL TROJAN Zeus Variant Outbound Connection
Timestamp: 2023-09-15 14:23:45
Src IP: 10.0.0.25:49152 -> Dst IP: 198.51.100.10:80
Protocol: TCP
Packet: GET /gate.php HTTP/1.1
Host: malware.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0)

Event: 2, Signature: ET POLICY Outgoing HTTP Request with Suspicious User-Agent
Timestamp: 2023-09-15 14:23:46
Src IP: 10.0.0.25:49153 -> Dst IP: 198.51.100.10:80
Protocol: TCP
Packet: GET /images/logo.png HTTP/1.1
Host: malware.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0)
```
- A. The alerts are false positives because the user-agent is common
  Why wrong: The user-agent is outdated and suspicious.
- B. The host is being scanned
  Why wrong: Scanning would involve multiple ports or IPs.
- C. The host is likely infected with malware
  Correct: Multiple alerts to a known malicious domain suggest infection.
- D. The host is downloading a large file
  Why wrong: The GET requests are small, not large files.
An analyst observes that an internal host is sending ICMP echo requests with payloads containing random data to an external IP. The payload size is larger than typical. What is the most likely technique?
- A. Ping of death
  Why wrong: Ping of death involves malformed packets, not consistent tunneling.
- B. Traceroute
  Why wrong: Traceroute uses ICMP with varying TTL, not random payloads.
- C. Smurf attack
  Why wrong: A Smurf attack uses ICMP echo requests to broadcast addresses.
- D. ICMP tunneling
  Correct: ICMP tunneling uses the payload of ICMP packets for covert communication.
You are a security analyst for a financial institution. Over the past hour, the intrusion detection system has generated multiple alerts for outbound traffic from a single internal host (10.0.0.50) to various external IP addresses on port 443. The alerts indicate that the host is making HTTPS connections to IPs that are associated with known command and control servers. Additionally, the host has been observed making DNS queries for domains that are algorithmically generated (e.g., rgj3k2.example.com, fh7d8s.example.net). The host is a Windows 10 workstation used by an employee in the accounting department. The employee reports that they have not noticed any unusual behavior, but they did click on a link in a phishing email yesterday. The network administrator confirms that the host's firewall rules allow outbound HTTPS traffic. You have access to endpoint logs, network flow data, and packet captures. Which course of action should you take FIRST?
- A. Isolate the host from the network to prevent further C2 communication
  Correct: Isolation stops active communication and allows for forensic analysis.
- B. Analyze packet captures to determine the full extent of the compromise
  Why wrong: Analysis is important but should not delay containment.
- C. Block all outbound HTTPS traffic from the network
  Why wrong: This would disrupt business operations and may not be necessary.
- D. Reimage the host immediately to remove the malware
  Why wrong: Reimaging destroys forensic evidence; analysis should precede reimaging.
Which TWO of the following are valid reasons to create an exception to a security policy? (Choose two.)
- A. The employee finds the policy inconvenient.
  Why wrong: Inconvenience is not a valid business reason.
- B. The policy is too new and employees are not yet trained.
  Why wrong: Lack of training is not a valid exception; the policy should be followed after training.
- C. The employee is a senior executive.
  Why wrong: Seniority does not justify bypassing security controls.
- D. A business-critical application cannot function with the policy control.
  Correct: If the control breaks a critical app, a temporary exception with compensating controls may be needed.
- E. Temporary exception to avoid disrupting operations during a migration.
  Correct: Short-term exceptions with risk acceptance can be allowed during transitions.
Which TWO of the following are typically included in a security policy's scope statement?
- A. Threat intelligence sources to be used
  Why wrong: Threat intelligence is separate from policy scope.
- B. Encryption algorithms to be used
  Why wrong: Encryption algorithms are technical standards, not scope.
- C. List of systems and networks covered
  Correct: Scope identifies which assets are covered.
- D. User roles and responsibilities affected
  Correct: Scope defines which users are subject to the policy.
- E. Minimum password length requirements
  Why wrong: Password length is a specific control, not scope.