Cisco CyberOps Associate 200-201 (200-201) — Questions 676-750

985 questions total · 14 pages · All types, answers revealed

Page 10 of 14

676
Multi-Select · medium

Which THREE of the following are common security controls used to defend against ransomware?

Select 3 answers
A. Implementing application whitelisting
B. Allowing macros in office documents
C. Disabling user accounts after 3 failed attempts
D. Regular offline backups
E. Network segmentation to limit lateral movement
Answers: A, D, E

Whitelisting prevents unauthorized executables, including ransomware, from running.

Why this answer

Application whitelisting is a security control that prevents unauthorized executables, scripts, and macros from running. By allowing only approved software to run by default, it blocks ransomware payloads that arrive as unknown or untrusted files, even if a user inadvertently executes them.

Exam trap

Cisco often tests the distinction between preventive controls (like whitelisting) and reactive controls (like account lockout), and the trap here is confusing a brute-force mitigation with a ransomware defense, or assuming that enabling macros is a safe practice.

677
MCQ · hard

An analyst examining a Linux server notices an unusual cron job in /etc/crontab that runs a script every 5 minutes. Which of the following describes the best approach to determine if this cron job is malicious?

A. Ignore it because cron jobs are always legitimate.
B. Delete the cron job immediately to stop potential malicious activity.
C. Check the script's content, owner, and compare its hash with known threats.
D. Run the script in a sandbox to see what it does.
Answer: C

Analyzing the script and its origin is crucial for making this determination.

Why this answer

Inspecting the script content and correlating with known persistence techniques helps assess maliciousness.

678
MCQ · easy

A company's security policy requires that all employees change their passwords every 90 days. Which type of security control does this policy enforce?

A. Compensating
B. Detective
C. Corrective
D. Preventive
Answer: D

Password aging reduces the chance of using stolen credentials long-term.

Why this answer

Password expiration policies enforce a preventive control by requiring users to change passwords at regular intervals, which reduces the risk of unauthorized access from compromised credentials. This control acts before a security incident occurs by limiting the window of opportunity for an attacker to use a stolen password. It is a proactive measure, not a reactive one, aligning with the definition of preventive controls in the NIST SP 800-53 framework.

Exam trap

Cisco often tests the distinction between preventive and detective controls by presenting a policy that seems to 'detect' non-compliance (e.g., auditing password changes), but the core function of the policy itself is to prevent unauthorized access, not to detect it.

How to eliminate wrong answers

Option A is wrong because compensating controls are alternative measures that provide equivalent protection when a primary control cannot be implemented (e.g., using multi-factor authentication when smart cards are not feasible), not a scheduled password change. Option B is wrong because detective controls identify and log security events after they occur (e.g., audit logs, IDS alerts), whereas password expiration proactively prevents credential misuse. Option C is wrong because corrective controls remediate damage after an incident (e.g., restoring from backup, patching a vulnerability), not a policy that prevents credential theft in the first place.

679
Multi-Select · easy

A network analyst is creating a baseline for normal network traffic. Which TWO metrics should be included to establish a baseline?

Select 2 answers
A. Average bandwidth usage over time
B. Excessive connection attempts from a single IP
C. Peak traffic times
D. Typical protocol distribution (e.g., HTTP vs DNS)
E. Unusual payload sizes
Answers: A, D

Average bandwidth is a key baseline metric.

Why this answer

Baselines include average bandwidth usage and typical protocol distribution. Peak traffic times and unusual payload sizes are anomalies, not baseline metrics.

680
MCQ · medium

An analyst is performing memory forensics on a Windows machine using Volatility. Which command would be most useful to identify hidden or injected code within a process?

A. dlllist
B. netscan
C. pslist
D. malfind
Answer: D

malfind scans for suspicious memory patterns indicative of code injection.

Why this answer

malfind identifies suspicious memory regions, such as injected code. pslist lists processes, netscan shows network connections, and dlllist lists loaded DLLs.

681
MCQ · medium

An incident handler collects a hard drive from a compromised server. To maintain chain of custody, which information must be documented?

A. The date, time, and signature of each person who handled the evidence
B. The IP address of the server
C. The name of the antivirus software installed
D. The operating system version
Answer: A

This ensures evidence integrity and admissibility.

Why this answer

Chain of custody requires detailed documentation of who handled evidence and when.

682
MCQ · easy

In the Cyber Kill Chain model, which phase involves delivering the exploit to the target, such as via email attachment or malicious link?

A. Installation
B. Exploitation
C. Weaponization
D. Delivery
Answer: D

Correct. Delivery is the transmission of the weaponized payload.

Why this answer

The delivery phase is where the weaponized payload is transmitted to the victim, e.g., via phishing email or drive-by download.

683
MCQ · medium

An analyst filters PCAP with 'tcp.stream eq 0' and sees an interactive shell session with commands like 'whoami', 'ls -la', 'cd /etc'. The session originated from an HTTP POST to a web shell. Which type of attack is this?

A. Reverse shell
B. DNS tunnelling
C. SQL injection
D. Cross-site scripting
Answer: A

Interactive shell over TCP is a reverse shell.

Why this answer

A web shell allows remote command execution over HTTP, essentially a reverse shell.

684
MCQ · easy

A security analyst receives an alert that an employee's workstation is generating outbound traffic to a known malware command-and-control IP address at 3:00 AM. According to the company's incident response policy, what is the FIRST action the analyst should take?

A. Isolate the workstation from the network by disabling the switch port.
B. Reimage the workstation immediately to remove the malware.
C. Apply the latest security patches to the workstation.
D. Call the employee to ask if they are working late.
Answer: A

Containment stops the malicious traffic and prevents lateral spread.

Why this answer

The first action is to isolate the workstation from the network by disabling the switch port. This immediately stops the outbound command-and-control (C2) traffic, preventing data exfiltration and further compromise, while preserving the system state for forensic analysis. According to the incident response policy, containment takes precedence over eradication or recovery to limit damage.

Exam trap

Cisco often tests the containment-first principle in incident response, and the trap here is that candidates rush to eradicate the malware (reimage) or fix the vulnerability (patch) instead of stopping the active threat by isolating the host.

How to eliminate wrong answers

Option B is wrong because reimaging destroys volatile evidence (e.g., memory, logs, malware artifacts) needed for root-cause analysis and violates the containment-first principle. Option C is wrong because applying patches does not stop active C2 communication and assumes the vulnerability is known, which may not be the case; containment must occur first. Option D is wrong because calling the employee at 3:00 AM wastes critical time, may alert the attacker if the user is compromised, and does not address the active threat.

685
MCQ · medium

During a security audit, it is discovered that several users have passwords set to never expire. According to the security policy, passwords must be changed every 90 days. What is the best course of action?

A. Disable accounts that violate the policy
B. Notify users to change their passwords voluntarily
C. Immediately reset all user passwords
D. Update the password policy in Active Directory to enforce 90-day expiration
Answer: D

A Group Policy change enforces compliance automatically.

Why this answer

Option D is correct because the most efficient and enforceable way to ensure all users comply with the 90-day password expiration policy is to configure a Group Policy Object (GPO) in Active Directory that sets the 'Maximum password age' to 90 days. This automatically forces password changes at login after the expiration period, ensuring uniform enforcement without manual intervention or disruption.

Exam trap

Cisco often tests the distinction between reactive manual fixes (like resetting all passwords) and proactive policy-based enforcement, where candidates mistakenly choose a disruptive action instead of the scalable, automated solution that aligns with security policy management.

How to eliminate wrong answers

Option A is wrong because disabling accounts that violate the policy would cause unnecessary downtime and administrative overhead, and it does not address the root cause—the lack of enforced expiration—while potentially locking out legitimate users. Option B is wrong because relying on voluntary compliance is ineffective in a security audit context; users may ignore notifications, leaving the organization non-compliant and vulnerable. Option C is wrong because immediately resetting all user passwords is disruptive, does not prevent users from setting the same password again (unless complexity/history policies are enforced), and fails to implement a sustainable, automated enforcement mechanism.

686
MCQ · hard

During a merger, two companies have different security policies. Company A uses a discretionary access control (DAC) model, while Company B uses a mandatory access control (MAC) model. The merged entity must adopt a single policy. Which approach is most likely to be adopted and why?

A. DAC because it is more flexible
B. Both can coexist
C. MAC because it is more secure
D. A new hybrid model combining both
Answer: C

MAC offers stronger security enforcement, suitable for merged policies.

Why this answer

MAC provides stricter, system-enforced controls based on classification, which is often adopted in higher-security environments. DAC relies on user discretion and is less secure.

687
MCQ · hard

An analyst receives a YARA rule that includes the string 'MZ' at the beginning of a file. What does this indicator typically help identify?

A. Windows executable files
B. PDF files with embedded JavaScript
C. Linux ELF binaries
D. Malicious documents containing macros
Answer: A

'MZ' identifies PE executables.

Why this answer

The string 'MZ' (0x4D 0x5A) is the magic number for the MS-DOS header, which is present at the very beginning of all Windows Portable Executable (PE) files, including .exe, .dll, and .sys files. A YARA rule that checks for 'MZ' at offset 0 is specifically targeting the PE file format, which is the standard executable format for Windows. This indicator helps an analyst quickly identify that a file is likely a Windows executable, regardless of its extension.

Exam trap

Cisco often tests the concept of file magic numbers to see if candidates confuse the 'MZ' signature of Windows executables with other common file headers, such as '%PDF' for PDFs or 'PK' for ZIP archives, leading them to select a plausible but incorrect option like malicious documents or PDFs.

How to eliminate wrong answers

Option B is wrong because PDF files with embedded JavaScript are identified by the '%PDF' magic number (0x25 0x50 0x44 0x46) at offset 0, not 'MZ'. Option C is wrong because Linux ELF binaries start with the ELF magic number (0x7F 0x45 0x4C 0x46), not 'MZ'. Option D is wrong because malicious documents containing macros (e.g., Office documents) typically start with the OLE2 Compound Document magic number (0xD0 0xCF 0x11 0xE0 0xA1 0xB1 0x1A 0xE1) or the ZIP-based Office Open XML signature ('PK'), not 'MZ'.

688
MCQ · medium

An attacker sends an email that appears to come from the company's IT department, asking the recipient to click a link and reset their password due to a security breach. Which type of social engineering is this?

A. Vishing
B. Phishing
C. Pretexting
D. Spear phishing
Answer: B

A mass email asking for credentials is classic phishing.

Why this answer

B is correct because the attack uses email as the delivery vector to trick the recipient into clicking a malicious link and divulging credentials. This matches the definition of phishing, which is a broad social engineering technique that employs deceptive electronic communications (typically email) to steal sensitive information. The email impersonates the IT department to create a false sense of urgency, a hallmark of phishing campaigns.

Exam trap

The trap here is that candidates often confuse 'phishing' with 'spear phishing' because both involve email, but the key differentiator is that spear phishing is targeted and personalized, while the question describes a generic, untargeted email sent to a broad audience.

How to eliminate wrong answers

Option A is wrong because vishing (voice phishing) uses telephone calls or voice messages, not email, to deceive victims. Option C is wrong because pretexting involves fabricating a scenario or identity to gain trust and extract information, but it does not necessarily rely on a specific communication channel like email; the question explicitly describes an email-based attack, which is phishing. Option D is wrong because spear phishing is a targeted form of phishing aimed at a specific individual or organization, often using personalized details, whereas the scenario describes a generic email sent to a recipient without any indication of customization or prior reconnaissance.

689
MCQ · easy

An analyst is monitoring network traffic and sees a sudden spike in outbound data transfer from an internal server to an external IP that is known to be malicious. What is the most likely scenario?

A. Software update.
B. Data exfiltration.
C. User downloading a large file.
D. Normal backup operation.
Answer: B

Data exfiltration involves sending sensitive data to an attacker-controlled IP.

Why this answer

A sudden spike in outbound data transfer from an internal server to a known malicious external IP is a classic indicator of data exfiltration. Attackers often use compromised servers to siphon sensitive data (e.g., credentials, databases) to a command-and-control (C2) server. This behavior aligns with the post-compromise phase of an attack, where the goal is to extract data without triggering immediate alarms.

Exam trap

Cisco often tests the distinction between outbound and inbound traffic direction; candidates may confuse a user downloading a file (inbound) with a server sending data out (outbound), leading them to incorrectly choose option C.

How to eliminate wrong answers

Option A is wrong because software updates typically originate from the internal server to trusted, legitimate update servers (e.g., Microsoft, Red Hat), not to a known malicious IP; the traffic pattern would be periodic and signed, not a sudden spike to an untrusted destination. Option C is wrong because a user downloading a large file would show inbound traffic from the external IP to the user's workstation, not outbound traffic from an internal server to a malicious IP. Option D is wrong because normal backup operations usually target internal backup servers or trusted cloud storage providers (e.g., AWS S3, Azure Blob) over encrypted channels like SMB or HTTPS, not a known malicious external IP.

690
MCQ · easy

A Cisco ASA firewall is configured to send syslog messages to a SIEM. Which logging level includes 'informational' messages?

A. Level 5
B. Level 3
C. Level 6
D. Level 0
Answer: C

Level 6 is informational.

Why this answer

C is correct because Cisco ASA syslog messages use the standard syslog severity levels defined in RFC 5424. 'Informational' messages correspond to severity Level 6, which provides normal operational information such as connection teardowns or configuration changes. This level is commonly used for monitoring without overwhelming the SIEM with debug-level data.

Exam trap

Cisco often tests the specific mapping of syslog severity names to numeric levels, and the trap here is confusing 'Informational' (Level 6) with 'Notice' (Level 5) or 'Debugging' (Level 7), as candidates may misremember the order or assume 'Informational' is a lower number.

How to eliminate wrong answers

Option A is wrong because Level 5 is 'Notice', not 'Informational'; Notice messages indicate normal but significant events (e.g., interface up/down). Option B is wrong because Level 3 is 'Error', which indicates error conditions that require attention. Option D is wrong because Level 0 is 'Emergency', the highest severity, indicating that the system is unusable.

Only Level 6 matches 'Informational'.

691
MCQ · medium

An analyst analyzing a PCAP sees a series of TCP connections where the client sends data with interactive patterns and receives commands. This is most likely indicative of:

A. Reverse shell
B. Web browsing
C. File transfer
D. DNS query
Answer: A

Correct. Interactive shell sessions over TCP indicate a reverse shell.

Why this answer

A reverse shell provides an interactive command-line session from the victim to the attacker.

692
MCQ · easy

A user reports that they cannot access a file server. The security policy requires that all access be logged and monitored. What is the most likely reason for the access failure?

A. The user's account is locked
B. The file server is down
C. The user's IP address is not in the allowed list
D. The user's password has expired
Answer: C

Policy might restrict access based on IP, causing failure and triggering logs.

Why this answer

The security policy requiring all access to be logged and monitored strongly implies that access controls are enforced at the network level, such as through an IP-based allow list (e.g., a firewall ACL or host-based security group). If the user's IP address is not in the allowed list, the connection will be dropped or rejected before any authentication or file-sharing protocol (like SMB or NFS) can proceed, resulting in an access failure. This is the most likely cause because it directly aligns with the policy's enforcement mechanism, whereas account lockouts or password expiry would still generate authentication attempts that could be logged.

Exam trap

Cisco often tests the distinction between network-layer access controls (IP allow lists) and application-layer authentication failures, leading candidates to mistakenly choose account lockout or password expiry because they focus on user credentials rather than the policy's logging requirement.

How to eliminate wrong answers

Option A is wrong because a locked account would typically generate a specific authentication failure event (e.g., 'account locked' in Windows Security Log or /var/log/secure), which would still be logged and monitored, but the question emphasizes that access is being blocked before any authentication occurs. Option B is wrong because if the file server were down, the user would likely receive a 'server not found' or 'connection refused' error, and the security policy's logging requirement would be irrelevant to the cause of failure. Option D is wrong because an expired password would still allow the user to attempt authentication and receive a password-change prompt, which would generate log entries; the policy's focus on logging and monitoring does not directly prevent access based on password expiry.

693
MCQ · easy

An analyst is investigating a Windows host suspected of malware persistence. Which registry key is commonly used by malware to run a program every time a user logs in, located under both HKLM and HKCU?

A. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
B. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
C. HKLM\SYSTEM\CurrentControlSet\Services
D. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Answer: B

This is a correct Run key for the current user.

Why this answer

The Run and RunOnce keys under HKLM and HKCU are common persistence mechanisms. Malware often adds entries here to execute automatically at user logon.

694
MCQ · medium

A company is deploying a new web application and wants to ensure it is secure against common web attacks. Which of the following is the most effective approach to validate the security of the application before going live?

A. Conduct a penetration test by an external firm
B. Run a vulnerability scanner against the application
C. Implement a web application firewall (WAF)
D. Perform a code review with static analysis tools
Answer: A

Penetration testing simulates real attacks and uncovers vulnerabilities that automated tools might miss.

Why this answer

A penetration test by an external firm is the most effective approach because it simulates a real-world attack, combining automated tools and manual exploitation techniques to identify vulnerabilities that automated scanners or static analysis might miss. Unlike a vulnerability scanner, a penetration test actively attempts to bypass security controls, test business logic flaws, and chain multiple low-risk issues into a critical exploit, providing a holistic validation of the application's security posture before going live.

Exam trap

Cisco often tests the distinction between validation (penetration test) and mitigation (WAF), trapping candidates who think a WAF or vulnerability scanner alone can fully validate application security before deployment.

How to eliminate wrong answers

Option B is wrong because a vulnerability scanner only identifies known vulnerabilities based on signatures and does not test for logic flaws, authentication bypasses, or chained exploits; it produces a high rate of false positives and misses context-specific weaknesses. Option C is wrong because implementing a WAF is a security control that mitigates attacks in production, not a validation method; it does not assess the application's inherent security and can be bypassed if the underlying code is flawed. Option D is wrong because a code review with static analysis tools only examines source code for coding errors and known patterns, but it cannot detect runtime vulnerabilities, configuration issues, or business logic flaws that only manifest during dynamic execution.

695
MCQ · hard

A forensic analyst is examining a suspicious file. The file has a high entropy score (close to 8.0) and the PE section names are obfuscated. Which tool or technique would best help determine if the file is packed?

A. Use the 'strings' command to extract readable strings
B. Check the file's digital signature
C. Run the 'file' command in Linux
D. Analyze the PE sections and calculate entropy to detect packing
Answer: D

Correct. High entropy and unusual section names are indicators of packing.

Why this answer

High entropy suggests compressed or encrypted data, common in packed executables. Tools like PEiD or manual analysis using 'strings' and entropy calculation can confirm packing. Hash comparison with VirusTotal can also help.

696
MCQ · medium

An organization is conducting a risk assessment and assigns a monetary value to potential losses. Which risk assessment method is being used?

A. Risk treatment
B. Qualitative risk assessment
C. Risk identification
D. Quantitative risk assessment
Answer: D

Quantitative uses numerical monetary values.

Why this answer

Assigning a monetary value to potential losses is a hallmark of quantitative risk assessment. This method uses numerical data (e.g., dollar amounts, percentages) to calculate metrics such as Single Loss Expectancy (SLE) and Annualized Loss Expectancy (ALE), enabling objective comparison of risks. In contrast, qualitative methods rely on subjective ratings like high/medium/low.

Exam trap

Cisco often tests the distinction between quantitative and qualitative risk assessment by describing a scenario with monetary values (quantitative) versus subjective ratings (qualitative), leading candidates to confuse risk treatment or identification with the assessment method itself.

How to eliminate wrong answers

Option A is wrong because risk treatment is the process of selecting and implementing controls to mitigate risk, not a method for assigning monetary values to losses. Option B is wrong because qualitative risk assessment uses descriptive scales (e.g., high, medium, low) rather than monetary values to evaluate risk. Option C is wrong because risk identification is the step of recognizing potential threats and vulnerabilities, not the phase where monetary values are assigned.

697
MCQ · easy

An intrusion detection system alerts on traffic that appears to be a command and control (C2) beacon. Which of the following characteristics is most typical of beaconing traffic?

A. Large data transfers to a known cloud provider
B. ICMP echo requests to multiple hosts
C. Random intervals with varying packet sizes
D. Periodic connections at regular intervals to an external IP
Answer: D

Regular intervals are a hallmark of beaconing for C2.

Why this answer

Beaconing is characterized by regular, periodic connections to a C2 server at consistent intervals.

698
MCQ · medium

An IDS detected the following signature match: "ET TROJAN Zeus variant outbound connection to C2 server". The destination IP is flagged as a known malicious host. What should the analyst do FIRST?

A. Block the destination IP at the firewall
B. Open the packet capture associated with the alert
C. Ignore the alert because signatures can produce false positives
D. Isolate the source host from the network immediately
Answer: B

Packet analysis confirms the threat and identifies the affected host.

Why this answer

Option B is correct because the first step in incident response after an IDS alert is to validate the alert by examining the associated packet capture (PCAP). This allows the analyst to confirm whether the traffic truly matches the Zeus C2 signature, check for false positives, and gather contextual details such as payload content, timing, and protocol behavior. Without this validation, any subsequent action (blocking, isolating) could be premature or based on incomplete information.

Exam trap

Cisco often tests the principle that validation via packet capture must precede any containment or blocking action, trapping candidates who jump to immediate remediation without confirming the alert's accuracy.

How to eliminate wrong answers

Option A is wrong because blocking the destination IP at the firewall without first verifying the alert could disrupt legitimate traffic if the IP is shared or if the alert is a false positive; it also bypasses the need to confirm the threat. Option C is wrong because ignoring the alert outright dismisses a potential high-severity threat without investigation; while false positives are possible, the correct response is to validate, not ignore. Option D is wrong because isolating the source host immediately may be too aggressive before confirming the alert is valid; isolation can cause unnecessary operational impact and should be based on confirmed evidence from the PCAP analysis.

699
MCQ · hard

You are a cybersecurity analyst at a large enterprise. The NOC team reports that users are experiencing intermittent connectivity to the company's internal web application hosted on 192.168.1.100:443. You review the IPS logs and see repeated alerts for signature 'ET WEB_SERVER Possible HTTP Response Splitting' triggered by traffic from the web server to internal clients. The signature fires on responses containing CRLF sequences. You examine a packet capture and observe that the web server sends HTTP responses with legitimate headers but occasionally includes extra CRLF sequences in the body. The application developers confirm that the web application is custom and uses unfiltered user input in HTTP headers. The security policy requires that all internal traffic be inspected and blocked by the IPS. What is the best course of action?

A. Increase the threshold for the signature to require multiple occurrences before alerting, but keep blocking enabled.
B. Disable the HTTP Response Splitting signature entirely to restore connectivity, as the issue is a false positive.
C. Whitelist the web server IP address in the IPS policy so that traffic from that server is not inspected.
D. Request that the development team sanitize user input in HTTP headers to prevent CRLF injection, and in the meantime, create a custom signature that ignores CRLF sequences in the response body but alerts on header injection.
Answer: D

This fixes the vulnerability and reduces false positives temporarily.

Why this answer

Option D is correct because the root cause is a vulnerability in the custom web application that allows CRLF injection into HTTP headers, which the IPS correctly detects as a potential HTTP Response Splitting attack. Simply disabling or bypassing the signature (options A, B, C) would leave the network exposed to a real security risk. The best course is to fix the application code to sanitize user input, and in the interim, create a custom IPS signature that differentiates between benign CRLF sequences in the response body (which are not exploitable) and malicious CRLF sequences in headers, thus maintaining security while reducing false positives.

Exam trap

Cisco often tests the concept that false positives should be addressed by tuning the signature or fixing the underlying application, not by disabling or bypassing security controls, and candidates may mistakenly choose to disable the signature or whitelist the server thinking it is a simple false positive.

How to eliminate wrong answers

Option A is wrong because increasing the threshold would still allow the IPS to block legitimate traffic when the signature fires multiple times, and it does not address the underlying vulnerability or the false positive caused by CRLF sequences in the response body. Option B is wrong because disabling the signature entirely removes protection against a real HTTP Response Splitting vulnerability, violating the security policy that requires all internal traffic to be inspected and blocked by the IPS. Option C is wrong because whitelisting the web server IP address would bypass all IPS inspection for that server, which contradicts the security policy and would allow any malicious traffic from that server to go undetected, including potential exploitation of the CRLF injection flaw.

700
MCQ · hard

Given the syslog message, which additional data would best confirm the event as a true positive?

A. VPN logs for user authentication
B. URL filtering logs for traffic to 203.0.113.10
C. Antivirus logs on 10.0.0.5
D. NetFlow data showing other connections from 10.0.0.5
Answer: B

URL filtering can reveal if the destination is a known malicious site.

Why this answer

The syslog message likely indicates a security event such as a connection to a known malicious IP (203.0.113.10). URL filtering logs provide the specific HTTP/HTTPS request details (e.g., URI, user agent, category) that can confirm whether the traffic was intentional and malicious, rather than a false positive from a benign service or misconfiguration.

Exam trap

Cisco often tests the difference between network-layer metadata (NetFlow) and application-layer logs (URL filtering), trapping candidates who think flow data alone can confirm a malicious event.

How to eliminate wrong answers

Option A is wrong because VPN logs for user authentication only show who logged in and from where, not the actual traffic to the suspicious IP, so they cannot confirm the event as a true positive. Option C is wrong because antivirus logs on 10.0.0.5 would only show local file-based threats, not network connections to 203.0.113.10, and the event is network-based. Option D is wrong because NetFlow data showing other connections from 10.0.0.5 provides metadata about flows but lacks the application-layer detail (e.g., full URL, HTTP method) needed to confirm the specific malicious request.

701
Multi-Selecteasy

Which TWO host-based analysis techniques are most effective for detecting fileless malware?

Select 2 answers
A.Process memory analysis to detect injected code
B.Network traffic analysis
C.Signature-based file scanning
D.Registry analysis for persistence
E.PowerShell script block logging
AnswersA, E

Fileless malware often injects code into memory.

Why this answer

Process memory analysis (A) is effective because fileless malware resides in memory without writing to disk, so examining running processes for injected code, suspicious memory regions, or anomalous API calls can directly detect the malicious payload. PowerShell script block logging (E) captures the full text of PowerShell commands executed, including obfuscated or encoded scripts that fileless malware often uses to load payloads directly into memory, making it a powerful host-based detection technique.

Exam trap

Cisco often tests the distinction between host-based and network-based analysis techniques, and the trap here is that candidates may select network traffic analysis (B) because it can detect fileless malware's network activity, but the question specifically asks for host-based techniques, making B incorrect.

702
MCQhard

During a security incident, the incident response team isolates a compromised workstation from the network. The security policy requires that all actions taken during the incident be documented and approved. However, the team lead isolates the workstation without waiting for formal approval. Which principle of incident response is being prioritized?

A.Rapid containment
B.Chain of custody
C.Speed of containment
D.Preservation of evidence
AnswerC

Immediate containment limits damage and is often prioritized over formal approval in policies.

Why this answer

The team lead prioritized isolating the workstation to prevent the threat from spreading laterally, which aligns with the principle of rapid containment. While formal approval is required by policy, in an active incident the immediate need to stop the attack often overrides administrative steps. The speed of containment is critical because delaying isolation could allow malware or an attacker to pivot to other systems, increasing the scope of the breach.

Exam trap

Cisco often tests the distinction between 'Rapid containment' and 'Speed of containment' to see if candidates know that the official NIST SP 800-61 term is 'Speed of containment,' not 'Rapid containment,' which is a common distractor.

How to eliminate wrong answers

Option A is wrong because 'Rapid containment' is not a distinct principle in the NIST or SANS incident response framework; the correct term is 'Speed of containment,' which emphasizes the urgency of stopping the threat. Option B is wrong because chain of custody refers to the documentation and preservation of evidence from the moment it is collected, not to the decision-making process for containment actions. Option D is wrong because preservation of evidence focuses on maintaining the integrity of forensic data, but isolating the workstation without approval does not inherently violate evidence preservation; the priority here is stopping the attack, not evidence handling.

703
MCQhard

Refer to the exhibit. What does this log entry indicate?

A.A denied TCP packet
B.A permitted UDP packet
C.A permitted ICMP packet
D.A denied ICMP packet
AnswerC

The log explicitly states 'permitted icmp'.

Why this answer

The log entry shows an ICMP packet with a permit action, as indicated by the 'permit' keyword and the protocol number 1 (ICMP). The source and destination IP addresses, along with the ICMP type and code, confirm it is an ICMP echo request (type 8, code 0). Therefore, this is a permitted ICMP packet.

Exam trap

Cisco often tests the ability to distinguish between protocol numbers (TCP=6, UDP=17, ICMP=1) and to correctly interpret the 'permit' or 'deny' action in log entries, leading candidates to confuse the protocol or the action.

How to eliminate wrong answers

Option A is wrong because the log entry shows protocol 1 (ICMP), not TCP (protocol 6), and the action is 'permit', not 'deny'. Option B is wrong because the log entry shows protocol 1 (ICMP), not UDP (protocol 17), and the action is 'permit', not 'deny'. Option D is wrong because the log entry shows the action as 'permit', not 'deny', and the protocol is ICMP, so it is a permitted ICMP packet.

704
MCQmedium

A SOC analyst is reviewing firewall logs and sees repeated entries: 'Deny TCP 10.0.0.5:49152 -> 203.0.113.1:22' and 'Deny TCP 10.0.0.5:49153 -> 203.0.113.1:22'. What does this pattern suggest?

A.An SSH brute-force attack from the internal host
B.DNS tunneling
C.A legitimate SSH session
D.A port scan from the external host
AnswerA

The repeated connection attempts to port 22 with varying source ports are characteristic of a brute-force attempt.

Why this answer

Multiple denied connection attempts from the same internal IP to the same external IP on port 22 (SSH) with different source ports indicate a brute-force SSH attack. The firewall is denying the connections, but the pattern is indicative of an attack.

705
MCQhard

An organization uses a SIEM that ingests logs from multiple sources. The analysts are overwhelmed with alerts, many of which are false positives. Which strategy best reduces alert fatigue without increasing risk?

A.Implement a ticketing system for alerts.
B.Disable all correlation rules except critical ones.
C.Increase the number of analysts on shift.
D.Fine-tune correlation rules and thresholds based on historical data.
AnswerD

Reduces false positives while retaining detection.

Why this answer

Fine-tuning correlation rules and thresholds (option D) reduces false positives by aligning detection logic with the organization's normal baseline, derived from historical data. This directly addresses alert fatigue without disabling security coverage, as it retains the SIEM's ability to detect genuine threats while filtering out noise. In contrast, simply disabling rules or adding staff fails to address the root cause of poor alert quality.

Exam trap

Cisco often tests the misconception that reducing alerts means disabling rules or adding more staff, when the correct approach is to refine detection logic through tuning and baselining to maintain security coverage while minimizing noise.

How to eliminate wrong answers

Option A is wrong because implementing a ticketing system for alerts does not reduce the volume of false positives; it only manages the workflow, potentially increasing analyst burden by creating tickets for every alert. Option B is wrong because disabling all correlation rules except critical ones removes detection for many legitimate threats, increasing risk by creating blind spots in the security monitoring posture. Option C is wrong because increasing the number of analysts on shift does not solve the underlying problem of excessive false positives; it merely distributes the workload, leading to burnout and potential missed true positives due to alert fatigue.

706
MCQeasy

Which element of the CIA triad is primarily concerned with preventing unauthorized access to data?

A.Non-repudiation
B.Integrity
C.Confidentiality
D.Availability
AnswerC

Confidentiality prevents unauthorized disclosure of information.

Why this answer

Confidentiality is the CIA triad element that ensures data is accessible only to authorized users. It is primarily enforced through encryption (e.g., AES-256 for data at rest, TLS 1.3 for data in transit) and access control mechanisms (e.g., RBAC, ACLs). Preventing unauthorized access directly aligns with confidentiality's goal of protecting data from disclosure.

Exam trap

Cisco often tests the distinction between confidentiality and integrity, where candidates mistakenly choose integrity because they conflate 'preventing changes' with 'preventing access'.

How to eliminate wrong answers

Option A is wrong because non-repudiation ensures that a party cannot deny an action (e.g., using digital signatures with PKI), not that data is protected from unauthorized access. Option B is wrong because integrity ensures data has not been altered (e.g., via hashing with SHA-256 or checksums), not that it is hidden from unauthorized viewers. Option D is wrong because availability ensures systems and data are accessible when needed (e.g., via redundancy, failover), not that access is restricted.

707
Multi-Selecthard

Which THREE of the following are common elements of an incident response policy?

Select 3 answers
A.Data classification levels
B.Procedures for containment and eradication
C.Roles and responsibilities of the incident response team
D.Acceptable use of company resources
E.Definition of what constitutes a security incident
AnswersB, C, E

Core steps in incident response.

Why this answer

Option B is correct because containment and eradication are core phases of the NIST SP 800-61 incident response lifecycle. Containment limits the scope of the incident (e.g., isolating a compromised host via VLAN access control lists), while eradication removes the root cause (e.g., deleting malware, patching vulnerabilities). These procedures are explicitly documented in an incident response policy to ensure consistent, repeatable actions during a security event.

Exam trap

Cisco often tests the distinction between an incident response policy (which includes definitions, roles, and procedures) and other security policies like data classification or acceptable use, leading candidates to mistakenly include elements from adjacent policies.

708
Multi-Selectmedium

A security analyst is investigating a Windows workstation that experienced a series of failed logon attempts followed by a successful logon. Which TWO Windows Event IDs should the analyst examine to understand this activity?

Select 2 answers
A.4624 - An account was successfully logged on
B.4720 - A user account was created
C.4648 - A logon was attempted using explicit credentials
D.4776 - The domain controller attempted to validate the credentials for an account
E.4625 - An account failed to log on
AnswersA, E

Correct. This event indicates a successful logon.

Why this answer

Event ID 4625 records a failed logon and Event ID 4624 a successful logon. These are the standard events for logon success and failure.

709
MCQmedium

An analyst is monitoring network traffic and observes a host making outbound HTTPS connections to a domain that appears to be generated by a Domain Generation Algorithm (DGA). Which phase of the Cyber Kill Chain best describes this activity?

A.Installation
B.Command and Control (C2)
C.Actions on Objectives
D.Exploitation
AnswerB

Correct. DGA domains are used to locate C2 servers.

Why this answer

After installation, the malware contacts C2 servers to receive commands. DGA domains are used for C2 communication.

710
Multi-Selecthard

During a Linux forensic investigation, an analyst finds a suspicious process. The analyst wants to check for persistence mechanisms. Which THREE Linux artifacts should be examined?

Select 3 answers
A./var/log/auth.log
B./proc/net/tcp
C./etc/crontab and /var/spool/cron/
D./etc/systemd/system/ and /lib/systemd/system/
E./home/user/.bash_history
AnswersC, D, E

Correct. These files define cron jobs that can execute at specified times.

Why this answer

Cron jobs, systemd services, and bash history are common artifacts for persistence. Cron and systemd can schedule execution, while bash history may show past commands.

711
Multi-Selectmedium

Which THREE indicators in Windows Event Log are most commonly associated with a successful compromise?

Select 3 answers
A.Event ID 4740: A user account was locked out
B.Event ID 4720: A user account was created
C.Event ID 7045: A service was installed in the system
D.Event ID 4624: An account was successfully logged on
E.Event ID 5156: The Windows Filtering Platform allowed a connection
AnswersB, C, D

Creation of new accounts by attacker for persistence.

Why this answer

Event ID 4720 indicates a new user account was created, which is a common post-compromise action where an attacker establishes persistence by adding a backdoor account. Event ID 7045 logs when a new service is installed, often used by malware or attackers to maintain persistence or execute code with system privileges. Event ID 4624 records successful logon events, which after a compromise may show anomalous logons (e.g., from unexpected IPs, off-hours, or using compromised credentials).

Exam trap

Cisco often tests the distinction between events that indicate a successful compromise (e.g., account creation, service installation, successful logon) versus events that indicate failed attempts or normal operations, leading candidates to mistakenly select lockout or firewall allow events as compromise indicators.

712
MCQmedium

An analyst is analyzing a suspicious executable file. Using the 'file' command, it returns 'data' instead of 'PE32 executable'. What is the most likely reason?

A.The system is missing the file command database.
B.The file is a legitimate PE file with a different extension.
C.The file is actually a script written in Python.
D.The file has been packed or encrypted to hide its true nature.
AnswerD

Packed executables often have altered headers, causing 'file' to fail to recognize them.

Why this answer

The 'data' result indicates the file's magic bytes do not match known executables, suggesting it might be packed or obfuscated.

713
MCQmedium

A SOC analyst receives an alert from the SIEM indicating a high number of failed login attempts on a domain controller from a single IP address over the last 10 minutes. The source IP is a known internal workstation. What should be the analyst's FIRST action?

A.Block the source IP at the firewall
B.Escalate to the incident response team
C.Ignore the alert because it is from an internal IP
D.Contact the user to verify if they are experiencing login issues
AnswerD

Contacting the user helps determine if the activity is intentional or a misconfiguration.

Why this answer

The analyst's first priority is to verify the legitimacy of the failed login attempts before taking any disruptive action. Since the source IP is a known internal workstation, the most likely cause is a user error, such as a forgotten password or a locked account. Contacting the user allows the analyst to quickly confirm whether the activity is benign, avoiding unnecessary escalation or network disruption.

Exam trap

Cisco often tests the candidate's ability to follow the proper incident response triage process, where the trap is to jump to a technical action (like blocking or escalating) before performing the simplest verification step.

How to eliminate wrong answers

Option A is wrong because immediately blocking the source IP at the firewall could disrupt a legitimate user's access and is premature without first verifying the cause of the failed logins. Option B is wrong because escalation to the incident response team is a later step, taken only after initial triage confirms suspicious or malicious activity, not as a first action. Option C is wrong because ignoring the alert based solely on the IP being internal is a dangerous assumption; internal IPs can be compromised or misconfigured, and the alert requires investigation.

714
MCQhard

You are a security analyst at a financial institution. The network consists of three segments: internal corporate network (10.0.0.0/24), DMZ (192.168.1.0/24) hosting a web server and an email server, and a guest wireless network (172.16.0.0/24). The firewall is configured with the following rules: (1) permit inbound HTTP/HTTPS to the web server from any; (2) permit inbound SMTP to the email server from any; (3) deny all other inbound traffic; (4) permit all outbound traffic from internal network; (5) deny all outbound traffic from guest network to internal and DMZ, but permit to internet. Recently, an employee reported that sensitive files on an internal file server (10.0.0.10) were accessed without authorization. Logs show that the access originated from an IP address in the guest network (172.16.0.50) at 3:00 AM. The guest network is open (no authentication required). The internal file server is not directly accessible from the guest network per rule (5). However, the attacker used the web server as a pivot: they compromised the web server via an unpatched vulnerability, then from the web server they connected to the internal file server. Which of the following actions would BEST prevent this type of attack in the future?

A.Implement a firewall rule that denies all traffic from the DMZ to the internal network
B.Move the web server to the internal network and place a reverse proxy in the DMZ
C.Apply a patch to the web server and require authentication on the guest network
D.Add a firewall rule that permits only necessary traffic from the DMZ to specific internal servers, and deny all other DMZ-to-internal traffic
AnswerD

This limits lateral movement: even if the web server is compromised, it can only reach authorized internal systems.

Why this answer

Option D is correct because the attack leveraged the DMZ web server as a pivot to reach the internal file server. By implementing a firewall rule that permits only necessary traffic from the DMZ to specific internal servers (e.g., only allow the web server to communicate with a database server on TCP/3306) and denies all other DMZ-to-internal traffic, you enforce a least-privilege segmentation policy. This would block the web server from initiating arbitrary connections to the internal file server (10.0.0.10), even if the web server is compromised, directly preventing the pivot attack.

Exam trap

Cisco often tests the concept that simply patching a vulnerability or adding authentication does not prevent lateral movement; the trap is that candidates focus on the initial compromise vector (unpatched web server) rather than the missing segmentation rule that allowed the pivot.

How to eliminate wrong answers

Option A is wrong because denying all traffic from the DMZ to the internal network would break legitimate services such as the web server needing to query an internal database or authenticate against an internal directory server (e.g., LDAP), making the DMZ non-functional. Option B is wrong because moving the web server to the internal network and placing a reverse proxy in the DMZ does not prevent the pivot attack; if the reverse proxy is compromised, it could still be used to access the internal network, and the web server inside the internal network would be directly exposed to internal threats. Option C is wrong because while patching the web server and requiring authentication on the guest network are good security practices, they do not address the core issue of lateral movement from the DMZ to the internal network; the attacker could still compromise the web server via a future vulnerability or a different vector and pivot to the internal file server.

715
MCQmedium

Based on the exhibit, which traffic is permitted?

A.All IP traffic from the host 198.51.100.10.
B.Only HTTPS traffic from the host 198.51.100.10.
C.All TCP traffic from any host to any host.
D.All HTTPS traffic to the host 198.51.100.10.
AnswerD

The ACL permits TCP from any source to the host on port 443 (HTTPS).

Why this answer

The exhibit shows an access control list (ACL) entry 'permit tcp any host 198.51.100.10 eq 443'. This permits TCP traffic with a destination port of 443 (HTTPS) to the specific host 198.51.100.10 from any source. Therefore, only HTTPS traffic destined to that host is permitted, making option D correct.

Exam trap

Cisco often tests the directionality of ACL rules, and the trap here is confusing the source and destination fields, leading candidates to mistakenly think the rule permits traffic from the host rather than to the host.

How to eliminate wrong answers

Option A is wrong because the ACL does not permit all IP traffic from the host; it only permits TCP traffic with destination port 443 to the host, not from it. Option B is wrong because the ACL permits HTTPS traffic to the host, not from the host; the source is 'any' and the destination is the specific host, so traffic originating from the host is not matched. Option C is wrong because the ACL is not a blanket permit for all TCP traffic; it is restricted to traffic destined to port 443 on host 198.51.100.10 only.

716
Multi-Selecteasy

Which TWO are goals of a security operations center (SOC)? (Choose two.)

Select 2 answers
A.Continuous monitoring of security events
B.Managing user passwords
C.Developing software applications
D.Performing penetration tests
E.Responding to security incidents
AnswersA, E

SOC monitors events 24/7.

Why this answer

Option A is correct because continuous monitoring of security events is a primary goal of a SOC, ensuring real-time detection of threats through log aggregation and analysis from sources like firewalls, IDS/IPS, and endpoints. This aligns with the SOC's responsibility to maintain situational awareness and identify indicators of compromise (IoCs) as part of the NIST incident response lifecycle.

Exam trap

Cisco often tests the distinction between operational SOC responsibilities (monitoring and response) and other security functions like IAM, development, or proactive testing, so candidates may mistakenly select penetration testing as a SOC goal because it is security-related, but it is not a continuous SOC function.

717
MCQeasy

A company's security policy requires that all system logs be retained for at least one year. A security analyst discovers that log files are being overwritten after 30 days. What is the most likely cause?

A.Logs are being manually deleted by an administrator
B.Malware infection
C.The log rotation policy is set to 30 days
D.Insufficient disk space
AnswerC

Log rotation settings control how logs are overwritten; a 30-day policy directly explains the behavior.

Why this answer

Option C is correct because the log rotation setting is likely set to 30 days, causing overwrites. Option D is wrong because, while insufficient disk space may contribute, the direct cause is the rotation policy. Option B is wrong because malware is less likely. Option A is wrong because an administrator deleting logs would be a deliberate act, not the most likely cause.

718
MCQhard

During incident response, a Linux server is found to have an unknown process listening on a high TCP port. The process is not listed in any systemd unit files. Which command will best help identify the process parent and its command-line arguments?

A.cat /proc/[pid]/cmdline && cat /proc/[pid]/status
B.ps aux | grep [pid]
C.journalctl -u unknown.service
D.ss -tlnp | grep [pid]
AnswerA

This retrieves command line and parent PID from the proc filesystem.

Why this answer

The /proc filesystem contains per-process directories. Checking /proc/[pid]/cmdline and /proc/[pid]/status reveals the command line and parent PID.

719
MCQhard

An organization's security policy requires that all network traffic be inspected by an intrusion prevention system. However, encrypted traffic is bypassing inspection. Which change to the policy would best address this issue?

A.Allow encrypted traffic to bypass the IPS
B.Require all internal traffic to use unencrypted protocols
C.Implement SSL/TLS decryption at the network perimeter
D.Exclude encrypted traffic from the security policy scope
AnswerC

Decryption enables the IPS to inspect encrypted payloads.

Why this answer

Option C is correct because implementing SSL/TLS decryption at the network perimeter allows the IPS to inspect the plaintext content of encrypted traffic. By terminating the encrypted session at a dedicated decryption device (e.g., a next-generation firewall or proxy), the device can re-encrypt the traffic after inspection, ensuring that threats hidden in HTTPS, SMTPS, or other TLS-encrypted flows are detected without violating the policy's requirement that all traffic be inspected.

Exam trap

Cisco often tests the misconception that encrypted traffic is inherently safe or that bypassing inspection is acceptable, when in fact attackers commonly use encryption to hide malware, command-and-control traffic, or data exfiltration, making decryption a necessary security control.

How to eliminate wrong answers

Option A is wrong because allowing encrypted traffic to bypass the IPS directly violates the security policy's requirement that all network traffic be inspected, leaving a blind spot for threats hidden in encrypted tunnels. Option B is wrong because requiring all internal traffic to use unencrypted protocols would severely degrade security by exposing sensitive data to eavesdropping and tampering, contradicting best practices and likely violating compliance standards. Option D is wrong because excluding encrypted traffic from the security policy scope simply ignores the problem, failing to address the inspection gap and leaving the organization vulnerable to attacks that leverage encryption to evade detection.

720
MCQhard

An analyst examines a PCAP and finds a series of UDP packets sent to multiple ports on a target. The target responds with ICMP 'Destination Unreachable (Port Unreachable)' messages for each port. What type of scan is being performed?

A.UDP scan
B.SYN scan
C.Xmas scan
D.FIN scan
AnswerA

A UDP scan uses UDP packets; an ICMP port unreachable reply indicates a closed port.

Why this answer

A UDP scan sends UDP packets to ports. When a port is closed, the target responds with an ICMP port unreachable message. Open or filtered ports may not respond.

721
Multi-Selecteasy

Which TWO of the following are characteristics of an advanced persistent threat (APT)?

Select 2 answers
A.Operates with low and slow tactics to avoid detection
B.Targets specific organizations for espionage or data theft
C.Is typically financially motivated
D.Uses only commodity malware
E.Attacks are short-lived and quickly detected
AnswersA, B

APTs use stealthy methods to maintain long-term access.

Why this answer

An advanced persistent threat (APT) is characterized by its use of low-and-slow tactics to evade detection over long periods. This involves spreading malicious activity across many small, seemingly benign actions to avoid triggering threshold-based alerts in security monitoring systems. APTs are also defined by their targeted nature, focusing on specific organizations for espionage or data theft rather than opportunistic, broad-scale attacks.

Exam trap

Cisco often tests the distinction between financially motivated threats (e.g., ransomware) and APTs, so the trap here is assuming that all persistent threats are driven by money rather than recognizing the espionage and state-sponsored nature of APTs.

722
MCQmedium

Which type of attack is indicated by a series of SMB authentication attempts from one host to multiple other hosts in a short time frame?

A.Lateral movement
B.Port scanning
C.C2 beaconing
D.DNS exfiltration
AnswerA

SMB authentication attempts across many hosts are typical of lateral movement.

Why this answer

Lateral movement often involves propagating across hosts using SMB for remote access and authentication.

723
MCQmedium

A security analyst receives an alert from the SIEM indicating a large number of failed login attempts from an external IP address targeting a user account. According to the incident response process, what should be the analyst's first action?

A.Initiate the legal hold process to preserve evidence
B.Contain the threat by blocking the IP address on the firewall
C.Escalate the alert to Tier 2 for deeper investigation
D.Perform initial triage to determine the severity and validity
AnswerD

Initial triage is the first step in Detection and Analysis to verify the alert and prioritize.

Why this answer

Initial triage is part of Detection and Analysis to determine if the alert is a true positive and assess its priority.

724
MCQeasy

In the NIST SP 800-61 Rev 2 incident response process, which phase involves documenting lessons learned and updating the incident response plan?

A.Containment, Eradication, and Recovery
B.Detection and Analysis
C.Post-Incident Activity
D.Preparation
AnswerC

Lessons learned and plan updates occur in this phase.

Why this answer

Option C is correct because the Post-Incident Activity phase of NIST SP 800-61 Rev 2 is specifically designed for conducting a lessons learned meeting, documenting findings, and updating the incident response plan based on those insights. This phase ensures continuous improvement of the incident response process by capturing what worked, what didn't, and what changes are needed for future incidents.

Exam trap

Cisco often tests the misconception that lessons learned and plan updates occur during the Detection and Analysis phase, because candidates confuse the analysis of the incident itself with the analysis of the incident response process performance.

How to eliminate wrong answers

Option A is wrong because Containment, Eradication, and Recovery focuses on stopping the incident, removing the threat, and restoring normal operations, not on documenting lessons learned or updating the plan. Option B is wrong because Detection and Analysis involves identifying and verifying an incident and assessing its impact, not on post-incident review or plan updates. Option D is wrong because Preparation involves establishing and training the incident response team and acquiring tools before an incident occurs, not on documenting lessons learned after an incident.

725
MCQhard

A SOC Tier 2 analyst receives an escalated alert about a potential command-and-control (C2) communication. The analyst needs to correlate network logs with threat intelligence. Which data format and transport protocol pair is specifically designed for standardized threat intelligence sharing?

A.OpenIOC and MISP
B.STIX and TAXII
C.MISP and STIX
D.TAXII and OpenIOC
AnswerB

STIX provides standardized threat intel formatting, and TAXII enables sharing.

Why this answer

STIX is the data format and TAXII is the transport protocol for sharing threat intelligence.

726
MCQhard

An analyst reviews NetFlow data and sees a single internal IP communicating with many external IPs on port 53, each with small UDP packets. The internal host is not a DNS server. What is the most likely explanation?

A.The host is acting as a DNS server
B.The host is performing recursive DNS lookups
C.The host is the victim of a DNS amplification attack
D.The host is scanning for open DNS resolvers
AnswerC

The host's IP is spoofed as the source of queries to many open resolvers, causing replies to flood the host.

Why this answer

The internal host is not a DNS server, yet it is sending small UDP packets to many external IPs on port 53. This is characteristic of a DNS amplification attack, where the attacker spoofs the victim's IP address and sends small queries to open DNS resolvers, which then send large responses to the victim. The NetFlow data shows the victim receiving the amplified traffic, not initiating it, making C correct.

Exam trap

Cisco often tests the distinction between the victim and the attacker in amplification attacks; the trap here is that candidates see many small UDP packets and assume the host is initiating queries (e.g., scanning or DNS lookups), rather than recognizing that the host is the victim receiving the amplified responses.

How to eliminate wrong answers

Option A is wrong because the host is not a DNS server (explicitly stated), and a DNS server would typically listen on port 53 and respond to queries, not send small UDP packets to many external IPs. Option B is wrong because recursive DNS lookups involve the host sending queries to a single DNS resolver (e.g., 8.8.8.8) and receiving responses, not communicating with many external IPs simultaneously. Option D is wrong because scanning for open DNS resolvers would involve the host sending probes to many IPs and waiting for responses, but the NetFlow data shows the host receiving traffic from many external IPs, not initiating it.

727
MCQeasy

Which phase of the NIST Cybersecurity Framework involves actions to limit the impact of a cybersecurity incident?

A.Respond
B.Protect
C.Identify
D.Detect
AnswerA

Respond includes actions to mitigate the impact of an incident.

Why this answer

The Respond phase includes activities to contain, mitigate, and respond to incidents.

728
Matchingmedium

Match each cybersecurity framework/standard to its focus.


Concepts
Matches

Cybersecurity risk management framework

Information security management system standard

Payment card industry data security standard

Knowledge base of adversary tactics and techniques

Prioritized set of security best practices

Why these pairings

These frameworks guide security posture.

729
Multi-Selecthard

An organization is implementing a security policy to protect sensitive data. Which three are considered compliance frameworks that could guide this effort? (Choose three.)

Select 3 answers
A.NIST Cybersecurity Framework
B.ISO 27001
C.HIPAA
D.PCI DSS
E.GDPR
AnswersC, D, E

HIPAA is the Health Insurance Portability and Accountability Act.

Why this answer

PCI DSS, HIPAA, and GDPR are well-known compliance frameworks. NIST CSF is a framework but not a compliance standard; ISO 27001 is a standard but the question asks for compliance frameworks.

730
Multi-Selecthard

A security analyst is examining a Linux system suspected of compromise. Which THREE artifacts should be reviewed to identify potential persistence mechanisms?

Select 3 answers
A.Authorized SSH keys in ~/.ssh/authorized_keys
B./proc/cpuinfo
C.Cron jobs in /etc/crontab and /var/spool/cron/
D.Bash history in /home/*/.bash_history
E.Systemd services in /etc/systemd/system/
AnswersC, D, E

Cron jobs can be used to execute malicious scripts periodically.

Why this answer

Cron jobs, systemd services, and bash history are key for persistence detection. SSH keys can also be used. /proc/cpuinfo is hardware info, not persistence.

731
MCQeasy

An analyst captures traffic and sees a TCP connection with only a SYN packet and an RST response. No SYN-ACK is observed. Which scan technique is this?

A.TCP SYN scan
B.Ping sweep
C.UDP scan
D.TCP connect scan
AnswerA

SYN scan uses SYN packets, and RST indicates closed port.

Why this answer

A SYN scan sends a SYN and expects a SYN-ACK; if an RST is received, the port is closed. Incomplete handshake without SYN-ACK indicates a half-open scan.

732
MCQeasy

An analyst discovers a suspicious service on a Windows host. Which command can be used to query the status and details of services from the command line?

A.services.msc
B.net start
C.sc query
D.tasklist /svc
AnswerC

sc query displays detailed service information from the command line.

Why this answer

sc query displays service status and configuration. services.msc is GUI-based, tasklist shows processes, and net start lists running services but with less detail.

733
MCQhard

An analyst detects a large outbound FTP transfer from a sensitive server to an external IP address not previously seen. The file being transferred is a compressed archive containing database dumps. Which Cyber Kill Chain phase is most directly indicated?

A.Installation
B.C2
C.Exploitation
D.Actions on Objectives
AnswerD

Exfiltration of data is a key objective in many attacks.

Why this answer

Exfiltration of sensitive data is part of 'Actions on Objectives', where the attacker achieves their goal of stealing data.

734
MCQhard

An analyst is performing host-based analysis on a machine that is part of a botnet. The machine is communicating with a C2 server over HTTPS. Which host-based evidence would be most useful to identify the C2 communication?

A.Packet capture showing the unencrypted payload
B.A memory dump of the process showing encryption keys
C.DNS logs showing queries to the C2 domain
D.Windows Event ID 5157 (Filtering Platform connection) showing the process ID
AnswerC

DNS queries often precede HTTPS connections. The domain may be unique or malicious.

Why this answer

Option C is correct because DNS logs can reveal the domain name used for C2 communication even when the traffic is encrypted over HTTPS. Since the analyst is performing host-based analysis, DNS query logs on the host itself (e.g., from the DNS client service or a local DNS resolver) will show the host attempting to resolve the C2 domain, providing a direct indicator of the C2 server's address without needing to decrypt the HTTPS traffic.

Exam trap

Cisco often tests the misconception that encrypted traffic cannot be analyzed at all, leading candidates to choose options like packet capture or memory dumps, when in fact DNS logs provide a clear, host-based indicator of C2 communication without requiring decryption.

How to eliminate wrong answers

Option A is wrong because HTTPS traffic is encrypted, so a packet capture on the host would not show the unencrypted payload; the analyst would need to decrypt the session, which is not feasible without the private key or a man-in-the-middle proxy. Option B is wrong because while a memory dump might contain encryption keys if the process stores them in plaintext, this is not a reliable or standard method for identifying C2 communication; it requires deep forensic analysis and the keys may not be present or easily extractable. Option D is wrong because Windows Event ID 5157 (Filtering Platform connection) logs the process ID and connection details, but it does not include the domain name or URL; it only shows IP addresses and ports, which may not directly identify the C2 server if it uses dynamic IPs or CDN fronting.

735
MCQmedium

In Wireshark, a security analyst wants to display only packets with source IP 10.0.0.1 and destination port 80. Which display filter should be used?

A.ip.src == 10.0.0.1 and tcp.dstport == 80
B.ip.src eq 10.0.0.1 and tcp.dstport eq 80
C.src 10.0.0.1 and dst port 80
D.host 10.0.0.1 && port 80
AnswerA

This filter correctly specifies the source IP and destination TCP port.

Why this answer

Option A is correct because Wireshark display filters use specific syntax: `ip.src` for source IP and `tcp.dstport` for destination TCP port. The `==` operator is the standard equality operator in Wireshark display filters, and the filter `ip.src == 10.0.0.1 and tcp.dstport == 80` correctly matches packets where the source IP is exactly 10.0.0.1 and the destination TCP port is exactly 80.

Exam trap

Cisco often tests the distinction between capture filter syntax (used with `tcpdump` or Wireshark's capture options) and display filter syntax (used in Wireshark's filter bar), so candidates who confuse `eq` or `host`/`port` keywords with proper display filter fields will select a wrong answer.

How to eliminate wrong answers

Option B is wrong because `eq` is not a valid operator in Wireshark display filters; the correct operators are `==`, `!=`, `>`, `<`, etc., and `eq` is used in capture filters (e.g., `host eq 10.0.0.1`), not display filters. Option C is wrong because `src` and `dst port` are not valid Wireshark display filter field names; the correct fields are `ip.src` and `tcp.dstport`, and the syntax must include the protocol prefix. Option D is wrong because `host` and `port` are capture filter keywords (used with `tcpdump` or Wireshark's capture filter syntax), not display filter fields; display filters require explicit protocol and field names like `ip.addr` and `tcp.port`.

736
MCQeasy

Refer to the exhibit. An ASA security policy is configured as shown. A user from the internet tries to access 192.168.1.5 via HTTP. What will happen?

A.Traffic will be allowed, but logged
B.Traffic will be denied
C.Traffic will be allowed only if it matches the subnet
D.Traffic will be permitted
AnswerB

The access list does not permit traffic to 192.168.1.5.

Why this answer

The ASA security policy shown uses an access control list (ACL) that implicitly denies all traffic unless explicitly permitted. Since the exhibit does not show any ACL entry permitting HTTP traffic from the internet to 192.168.1.5, the traffic is denied by default. The correct answer is B because the ASA's default behavior for inbound traffic on an interface is to deny it unless a matching permit ACE exists.

Exam trap

Cisco often tests the implicit deny principle in ASA ACLs, where candidates mistakenly assume that traffic is allowed by default or that a missing permit statement still allows traffic if it matches a subnet or is logged.

How to eliminate wrong answers

Option A is wrong because traffic is not allowed; the ACL does not contain a permit statement for HTTP from any source to 192.168.1.5, so logging is irrelevant. Option C is wrong because the ACL does not specify a subnet match for HTTP traffic; even if it did, the implicit deny would still apply to non-matching traffic. Option D is wrong because the ASA does not permit traffic by default; it requires an explicit permit rule in the ACL to allow inbound HTTP traffic.

737
Multi-Selecteasy

Which TWO components are essential in a well-written security policy?

Select 2 answers
A.Scope
B.Cost estimates
C.Enforcement
D.Technology stack
E.Vendor names
AnswersA, C

Defines who and what the policy covers.

Why this answer

A security policy must define its scope to specify which systems, users, and data are covered. Without a clear scope, the policy cannot be consistently applied, leading to gaps in enforcement. The scope ensures that all relevant assets are protected and that the policy's boundaries are understood by all stakeholders.

Exam trap

Cisco often tests the distinction between a policy (high-level, principle-based) and a procedure or standard (detailed, implementation-specific), leading candidates to mistakenly include technical details like technology stacks or vendor names as essential policy components.

738
MCQhard

A SOC analyst examines an alert generated by an IDS. The alert indicates a potential SQL injection attempt. However, the analyst finds that the source IP is a known internal web server that performs legitimate database queries. What is the most likely explanation?

A.The web server is compromised
B.The traffic is legitimate but the IDS has a false positive
C.The IDS is misconfigured
D.The analyst should ignore the alert
AnswerB

The IDS likely flagged normal database queries as malicious.

Why this answer

The correct answer is B because the source IP is a known internal web server that performs legitimate database queries. IDS signatures often trigger on SQL-like patterns in traffic, and when the traffic matches the signature but is actually benign (e.g., a web server sending parameterized queries), it constitutes a false positive. The analyst's verification that the source is a trusted internal server performing expected operations confirms the alert is not a true threat.

Exam trap

Cisco often tests the distinction between a false positive (benign traffic flagged as malicious) and a true positive (actual attack), where candidates mistakenly assume any SQL pattern in traffic indicates compromise or misconfiguration rather than recognizing legitimate database queries from a trusted internal server.

How to eliminate wrong answers

Option A is wrong because the source IP is a known internal web server performing legitimate database queries; compromise would typically show anomalous behavior or unexpected outbound connections, not just a SQL pattern match. Option C is wrong because misconfiguration would imply the IDS is not tuned to exclude known good traffic, but the alert itself is a signature match, not a configuration error—false positives are inherent to signature-based detection, not necessarily misconfiguration. Option D is wrong because ignoring alerts violates SOC procedures; the analyst must investigate and document the false positive to refine rules, not dismiss it outright.

739
Multi-Selecthard

A company is implementing threat intelligence sharing. Which THREE standards or platforms are used for this purpose? (Select three.)

Select 3 answers
A.SIEM
B.STIX
C.MISP
D.OpenIOC
E.TAXII
AnswersB, C, E

STIX is the Structured Threat Information Expression.

Why this answer

STIX, TAXII, and MISP are common threat intelligence sharing standards/platforms.

740
MCQmedium

Based on the exhibit, what action should the analyst take to further investigate this alert?

A.Extract the URL from the alert and check the file hash.
B.Search the PCAP for the same signature ID.
C.Perform a DNS lookup on the destination IP.
D.Check the firewall logs for any blocked connections.
AnswerA

The reference URL provides direct access to potential malware.

Why this answer

The analyst should extract the URL from the alert and check the file hash because the alert indicates a potential malware download via HTTP. By retrieving the file referenced in the URL, the analyst can compute its hash (e.g., MD5, SHA256) and compare it against known threat intelligence databases (e.g., VirusTotal) to confirm maliciousness and identify the specific malware family. This directly validates whether the detected event is a true positive and provides actionable indicators for containment.

Exam trap

Cisco often tests the misconception that signature-based alerts are definitive, leading candidates to choose options like searching the PCAP for the same signature ID, when the real next step is to pivot from the alert's metadata (e.g., URL) to retrieve and analyze the actual payload.

How to eliminate wrong answers

Option B is wrong because searching the PCAP for the same signature ID would only find identical alerts, not provide additional context about the file or its behavior; signature IDs are static and do not reveal the payload's hash or content. Option C is wrong because performing a DNS lookup on the destination IP only resolves the domain name, which does not confirm whether the downloaded file is malicious or provide the file hash needed for further analysis. Option D is wrong because checking firewall logs for blocked connections would only show if the traffic was denied, but the alert already indicates the connection was allowed (since it triggered an alert), so firewall logs would not help analyze the file's content or hash.

741
MCQeasy

A security analyst is analyzing a memory dump from a compromised Linux server. Which tool is most appropriate for extracting running processes and network connections from the dump?

A.volatility
B.nmap
C.Wireshark
D.tcpdump
AnswerA

Volatility can analyze memory dumps to extract process and network information.

Why this answer

Volatility is the correct tool because it is a specialized memory forensics framework designed to analyze RAM dumps. It can extract a list of running processes (via the `pslist` or `pstree` plugins) and active network connections (via the `netscan` or `connscan` plugins) directly from the memory image, without relying on the live system's kernel data structures which may be compromised.

Exam trap

Cisco often tests the distinction between live network analysis tools (nmap, Wireshark, tcpdump) and memory forensics tools (Volatility), expecting candidates to recognize that only Volatility can extract process and connection artifacts from a static memory dump.

How to eliminate wrong answers

Option B (nmap) is wrong because it is a network scanning tool used to discover hosts and services on a live network, not for analyzing a static memory dump. Option C (Wireshark) is wrong because it captures and analyzes live network traffic from a network interface, not from a memory dump file. Option D (tcpdump) is wrong because it is a command-line packet analyzer that captures live network packets, and it cannot parse a memory dump to extract processes or connections.

742
Multi-Selectmedium

An organization wants to ensure the integrity of software updates downloaded from its vendor's website. The vendor provides a hash value for each update. Which TWO properties of hashing algorithms make them suitable for integrity verification? (Choose two.)

Select 3 answers
A.The same input always produces the same hash.
B.A small change in input results in a significantly different hash.
C.The hash can be reversed to obtain the original data.
D.The hash output is always the same length for a given algorithm.
E.Hashing requires a secret key to generate the hash.
AnswersA, B, D

Determinism (A) lets the recipient recompute the hash and compare it with the vendor's published value; the avalanche property (B) ensures that any tampering with the update produces a different hash; a fixed-length output for a given algorithm (D) makes that comparison straightforward. A hash cannot be reversed (C), and hashing does not require a secret key (E).

Why this answer

Hashing produces a fixed-size output regardless of input size, and it is a one-way function, meaning the original data cannot be derived from the hash. These properties allow comparison of hashes to detect changes.

743
MCQhard

A business impact analysis (BIA) for a critical enterprise application reveals a maximum tolerable downtime (MTD) of 4 hours and a recovery time objective (RTO) of 2 hours. The current backup solution can restore the application in 3 hours under optimal conditions. Which of the following is the most appropriate action from a policy perspective?

A.Upgrade the backup solution to achieve a restore time of 2 hours or less
B.Accept the current restore time because it is within the MTD of 4 hours
C.Reduce the RTO to 1 hour to make the backup solution acceptable
D.Increase the MTD to 5 hours to match the backup restore time
AnswerA

This aligns the recovery capability with the defined RTO, meeting policy requirements.

Why this answer

The RTO of 2 hours is the target recovery time defined in the business continuity plan, and the current backup solution's 3-hour restore time exceeds this target. Since the MTD of 4 hours is the absolute maximum the business can tolerate, the solution must meet the stricter RTO, not just the MTD. Upgrading the backup solution to achieve a restore time of 2 hours or less aligns the technical capability with the policy requirement.

Exam trap

Cisco often tests the distinction between RTO and MTD, and the trap here is that candidates mistakenly believe meeting the MTD is sufficient, ignoring that the RTO is the binding policy target that must be achieved for critical applications.

How to eliminate wrong answers

Option B is wrong because accepting a restore time of 3 hours violates the RTO of 2 hours, even though it is within the MTD of 4 hours; RTO is a policy target that must be met, not a negotiable upper limit. Option C is wrong because reducing the RTO to 1 hour would make the requirement even more stringent and does not solve the existing gap; it would worsen the compliance issue. Option D is wrong because increasing the MTD to 5 hours arbitrarily extends the maximum tolerable downtime, which is a business-driven constraint that should not be adjusted to match a technical limitation; this undermines the purpose of the BIA.

744
MCQeasy

A security policy requires that all remote access be through a VPN using strong authentication. A user calls the help desk saying they cannot connect to the VPN. The analyst checks and sees that the user's token is not synchronized. What should the analyst do?

A.Disable VPN access for the user.
B.Provide a temporary static password.
C.Reset the user's token and have them re-sync.
D.Escalate to the security team.
E.Have the user connect without a token.
AnswerC

Resolves token sync issue.

Why this answer

Option C is correct because resetting the token and having the user re-sync is the standard procedure for a token synchronization problem. Option A is too severe. Option B compromises strong authentication. Option D is unnecessary for a routine sync issue. Option E violates policy.

745
MCQhard

A company uses Cisco Firepower NGFW with intrusion prevention. An analyst notices that many legitimate HTTPS connections are being blocked by an IPS rule. What is the best approach to reduce false positives?

A.Create a custom rule exception for the specific destination IPs.
B.Increase the severity threshold of the rule.
C.Disable the IPS rule entirely.
D.Change the rule action from 'Drop' to 'Alert'.
AnswerA

Exceptions preserve protection while allowing legitimate traffic.

Why this answer

Creating a custom rule exception for the specific destination IPs is the best approach because it allows the IPS to continue blocking malicious traffic while exempting legitimate HTTPS connections that are incorrectly flagged. This maintains security posture by not weakening the rule globally, and it directly addresses the false positive without affecting detection of other threats.

Exam trap

Cisco often tests the misconception that changing the rule action to 'Alert' is a safe compromise, but this actually disables blocking for all traffic matching the rule, not just the false positives.

How to eliminate wrong answers

Option B is wrong because increasing the severity threshold would cause the rule to only trigger on higher-severity events, potentially missing real threats that match the rule but are not false positives. Option C is wrong because disabling the IPS rule entirely removes protection against the actual threat the rule was designed to detect, leaving the network vulnerable. Option D is wrong because changing the rule action from 'Drop' to 'Alert' would stop blocking the legitimate traffic but would also stop blocking malicious traffic matching the same rule, effectively disabling enforcement and reducing security.

746
MCQhard

An analyst is investigating a host that is making outbound HTTPS connections to multiple random-looking domains, each with a short TTL. The domains are not in any threat intelligence feeds. Which technique is most likely being used?

A.Domain Generation Algorithm (DGA)
B.Beaconing
C.DNS tunneling
D.Fast flux DNS
AnswerA

Correct. DGA generates random domains for C2.

Why this answer

Domain Generation Algorithms (DGAs) generate many random domain names to evade blocklists. Short TTLs allow fast changes.

747
MCQhard

Refer to the exhibit. A security policy requires that network traffic be classified and prioritized to ensure critical applications get bandwidth. A network engineer implements this QoS policy. However, after deployment, a security scanner reports that SSH traffic is starved. Which of the following is the most likely cause?

A.The priority percent for VOIP is too high.
B.The fair-queue algorithm does not work with this policy.
C.The critical data class includes SSH traffic.
D.SSH traffic is not classified and falls into class-default, which may not get enough bandwidth.
AnswerD

Since SSH is not in a priority class, it competes with other default traffic.

Why this answer

Option D is correct because SSH traffic is not explicitly matched by any class map in the policy, so it falls into the class-default. The class-default in this policy uses fair-queue, which does not guarantee a minimum bandwidth; if higher-priority classes (like VOIP and critical data) consume most of the link, class-default can be starved. This results in SSH sessions timing out or experiencing severe packet loss.

Exam trap

Cisco often tests the misconception that traffic not explicitly classified will still get fair treatment, when in reality class-default can be starved if higher-priority classes consume all bandwidth, especially when priority is used without proper policing or shaping.

How to eliminate wrong answers

Option A is wrong because the priority percent for VOIP is set to 30%, which is a reasonable allocation for voice traffic and would not inherently starve SSH unless the link is fully saturated by VOIP alone—but the policy also allocates bandwidth to critical data, so the starvation is more likely due to SSH not being classified. Option B is wrong because the fair-queue algorithm does work with this policy; it is applied to the class-default, which is a standard behavior for class-default when no explicit bandwidth is configured, and it does not prevent other classes from functioning. Option C is wrong because the critical data class is explicitly defined to match traffic with DSCP AF21, which is typically used for mission-critical data, not SSH (which uses TCP port 22 and is not marked with AF21 by default); thus SSH is not included in that class.

748
Multi-Selectmedium

A security analyst is investigating a potential data exfiltration incident. Which TWO of the following network behaviors are indicators of data exfiltration?

Select 2 answers
A.A high number of ICMP echo requests
B.A single host scanning multiple internal IPs
C.Multiple successful login attempts from a single IP
D.Frequent DNS queries to a known malicious domain
E.Unusually large outbound traffic from a single host
AnswersD, E

DNS queries to malicious domains may indicate C2 communication for exfiltration.

Why this answer

Data exfiltration often involves large outbound transfers (volume anomaly) and communication with known malicious IPs. DNS tunneling can also be used, but it's not the only indicator. The two best are unusual large outbound traffic and connections to known malicious IPs.

749
MCQmedium

A security analyst is examining a log file and notices that the hash value of a configuration file does not match the expected value. Which security goal has been violated?

A.Integrity
B.Confidentiality
C.Non-repudiation
D.Availability
AnswerA

Hash verification is used to check integrity.

Why this answer

Integrity ensures that data has not been altered. A mismatched hash indicates the file has been modified.

750
Multi-Selecteasy

Which TWO types of network traffic should be analyzed to detect a data exfiltration attempt via HTTP? (Choose two.)

Select 2 answers
A.ICMP echo requests
B.HTTP request headers
C.HTTP request body
D.DNS query responses
E.TCP three-way handshake
AnswersB, C

Headers may reveal suspicious patterns like custom user-agents.

Why this answer

HTTP request headers contain metadata such as User-Agent, Content-Type, and custom headers that can be manipulated to encode and exfiltrate data. The HTTP request body carries the payload, such as POST data, where stolen information can be embedded in form fields, JSON, or XML. Analyzing both allows detection of anomalous patterns indicative of data exfiltration.

Exam trap

Cisco often tests the distinction between layers of the OSI model, trapping candidates who confuse transport-layer handshakes (TCP) or network-layer diagnostics (ICMP) with application-layer HTTP traffic analysis.
