Cisco CyberOps Associate 200-201 (200-201) — Questions 151-225

507 questions total · 7 pages · All types, answers revealed

Page 3 of 7
151. MCQ · easy

A company's security policy states that employees must not use corporate laptops for personal web browsing. An employee is found to have streamed video during work hours, consuming significant bandwidth. What is the best course of action?

A. Give a verbal warning and take no further action
B. Update the policy to allow streaming under certain conditions
C. Immediately terminate the employee
D. Report the violation to HR for disciplinary action per the existing policy
Answer: D

Following the established policy ensures consistent enforcement and deterrence.

Why this answer

Option D is correct because the policy is clear, and a violation should be addressed consistently, typically through HR for disciplinary action. Option C is too harsh for a first offense. Option B bypasses policy enforcement. Option A ignores the policy violation entirely.

152. MCQ · hard

During a security incident, a SOC analyst finds that the SIEM is not receiving logs from a critical firewall due to a network issue. The analyst needs to ensure that no alerts are missed during the outage. What should the analyst do?

A. Restart the SIEM collector service.
B. Manually monitor the firewall console.
C. Configure the firewall to queue logs locally and forward when connectivity is restored.
D. Ignore the gap because logs are not critical.
Answer: C

Queuing ensures logs are not lost and can be sent later, preserving visibility.

Why this answer

Option C is correct because configuring the firewall to queue logs locally ensures that log data generated during the network outage is stored in a local buffer (often using syslog buffering or a local log file) and automatically forwarded once connectivity to the SIEM is restored. This prevents any gap in security monitoring and ensures that all alerts are captured for analysis, even during transient network failures.

Exam trap

Cisco often tests the misconception that restarting services or manual monitoring can compensate for a network outage, when the correct approach is to leverage local log queuing or buffering on the source device to prevent data loss.

How to eliminate wrong answers

Option A is wrong because restarting the SIEM collector service does not address the root cause—the network outage preventing log transmission—and would not recover logs that were never sent. Option B is wrong because manually monitoring the firewall console is not scalable, does not provide centralized alerting, and would require constant human attention, which is impractical during an outage and does not guarantee that all alerts are captured. Option D is wrong because ignoring the log gap violates fundamental security monitoring principles; logs from critical firewalls are essential for incident detection, forensics, and compliance, and any gap could allow a security event to go undetected.

153. Multi-Select · medium

Which TWO actions are examples of false positive reduction techniques? (Choose two.)

Select 2 answers
A. Changing signature action from drop to alert
B. Removing the sensor
C. Adding destination IP to whitelist
D. Disabling all signatures
E. Increasing the signature threshold
Answers: C, E

Whitelists prevent alerts for known safe traffic.

Why this answer

Adding a destination IP to a whitelist (option C) reduces false positives by excluding known benign traffic from triggering alerts. Increasing the signature threshold (option E) reduces false positives by requiring a higher number of matches or a larger event count before an alert is generated, filtering out low-level noise.

Exam trap

Cisco often tests the distinction between reducing false positives (by tuning or whitelisting) versus disabling detection entirely, so candidates mistakenly choose options like disabling signatures or removing sensors as valid reduction techniques.

154. MCQ · hard

Refer to the exhibit. A firewall log shows denied TCP traffic from an internal host to an external IP on consecutive ports. What type of activity is indicated?

A. Port scanning
B. Worm propagation
C. Denial of service
D. Data exfiltration
Answer: A

The pattern of denied connections to consecutive ports indicates a scan.

Why this answer

The firewall log shows denied TCP traffic from an internal host to an external IP on consecutive ports. This sequential pattern of connection attempts to multiple ports on the same target is a classic indicator of a port scan, where an attacker probes for open ports to identify potential services to exploit. The firewall's deny action confirms the traffic was blocked, but the behavior itself is characteristic of reconnaissance activity, specifically a TCP connect scan.

Exam trap

Cisco often tests the distinction between reconnaissance (port scanning) and exploitation (worm propagation) by presenting a log of denied traffic to consecutive ports, leading candidates to confuse the scanning phase with the actual attack phase, such as worm propagation or DoS.

How to eliminate wrong answers

Option B (Worm propagation) is wrong because worm propagation typically involves self-replicating code that spreads by exploiting vulnerabilities, often generating traffic to random or specific ports based on the exploit, not a sequential scan of consecutive ports. Option C (Denial of service) is wrong because a DoS attack aims to overwhelm a target with traffic to disrupt service, usually flooding a single port or using high-volume traffic, not probing multiple consecutive ports in a low-and-slow manner. Option D (Data exfiltration) is wrong because data exfiltration involves sending sensitive data out of the network, which would use established connections on a single port (e.g., HTTP/HTTPS, DNS, or FTP), not a series of denied connection attempts to consecutive ports.

155. MCQ · medium

An analyst is investigating a host that is suspected of being compromised. She runs the 'netstat -anb' command and sees an established connection to an unknown IP address on port 4444. The associated process is svchost.exe. Which conclusion is MOST appropriate?

A. The host is definitely compromised because svchost.exe should not make outbound connections.
B. The host may be infected with malware that is injecting code into svchost.exe.
C. The analyst should immediately kill the svchost.exe process.
D. The connection is legitimate because svchost.exe is a critical Windows process.
Answer: B

Malware often injects into svchost.exe to hide its network activity.

Why this answer

Option B is correct because svchost.exe is a legitimate Windows service host process, but it is a common target for malware that uses process injection or DLL sideloading to hide malicious network activity. The established connection to an unknown IP on port 4444 (often associated with Metasploit or backdoor listeners) indicates the process may be hosting injected code, not that svchost.exe itself is inherently malicious. The analyst should investigate further before concluding compromise or taking action.

Exam trap

Cisco often tests the misconception that svchost.exe never makes outbound connections, when in fact many Windows services (e.g., BITS, Windows Update) do; the trap is assuming any outbound connection from a critical process is automatically legitimate or automatically malicious without considering the port and context.

How to eliminate wrong answers

Option A is wrong because svchost.exe can make legitimate outbound connections for Windows services like DNS, DHCP, or Windows Update, so an outbound connection alone does not prove compromise. Option C is wrong because killing svchost.exe could crash critical system services and disrupt the investigation; the analyst should first capture memory and network artifacts to identify the injected code. Option D is wrong because while svchost.exe is a critical Windows process, an established connection to an unknown IP on port 4444 is highly suspicious and should not be dismissed as legitimate without further analysis.

156. MCQ · medium

You are a security administrator for a company with 500 employees. The company uses a SIEM with basic correlation rules. Recently, the HR department reported that several employees received phishing emails with a link to a fake login page. The emails bypassed the spam filter. You want to detect if any employees clicked the link. You have access to web proxy logs, DNS logs, and endpoint antivirus logs. The phishing link is 'http://malicious-login.com/verify'. Which action should you take first to identify affected users?

A. Run a vulnerability scan on all employee workstations.
B. Search DNS logs for queries to 'malicious-login.com'.
C. Search endpoint logs for any malware detections.
D. Query the web proxy logs for HTTP requests containing the URL.
Answer: D

Web proxy logs record full URLs accessed by users.

Why this answer

The web proxy logs record all HTTP requests made by clients, including the full URL path. Querying for 'http://malicious-login.com/verify' directly shows which employees clicked the link, because the proxy captures the exact destination and timestamp of each request. This is the most direct and reliable evidence of user interaction with the phishing link.

Exam trap

Cisco often tests the distinction between DNS resolution and actual HTTP request completion, tricking candidates into thinking DNS logs are sufficient to prove a user clicked a link, when in fact only web proxy logs confirm the full URL was requested.

How to eliminate wrong answers

Option A is wrong because a vulnerability scan identifies system weaknesses, not user actions like clicking a link; it would not reveal whether an employee visited the phishing URL. Option B is wrong because DNS logs only show that a client resolved the domain 'malicious-login.com', not that the user actually made an HTTP request to the specific '/verify' path; a DNS query could occur from background processes or pre-fetching without user interaction. Option C is wrong because endpoint antivirus logs only record malware detections; the phishing page itself is not malware, and no malicious file would be detected unless the user downloaded and executed a payload.

157. Drag & Drop · medium

Drag and drop the steps to investigate a security incident using a SIEM into the correct order.


Why this order

Incident investigation: identify, collect, analyze, contain, document.

158. Multi-Select · medium

Which TWO of the following are indicators of a network scan?

Select 2 answers
A. Single connection to a well-known port
B. ICMP echo requests to multiple hosts
C. DNS queries for many domains
D. Multiple connection attempts from same source to different ports on same destination
E. Large number of SYN packets to a single port from multiple sources
Answers: B, D

A ping sweep across many hosts and connection attempts across many ports on one host are both scanning patterns.

Why this answer

Option B is correct because ICMP echo requests (ping sweeps) sent to multiple hosts are a classic reconnaissance technique used to identify live hosts on a network. This type of scan maps the network topology before launching further attacks, and it is a clear indicator of network scanning activity. Option D is correct because multiple connection attempts from the same source to different ports on one destination is the pattern of a port scan probing for open services.

Exam trap

Cisco often tests the distinction between a network scan (reconnaissance from a single source) and a denial-of-service attack (flood from multiple sources), so candidates may confuse option E (SYN flood) with a scan.

159. MCQ · hard

An organization must retain security logs for at least one year due to regulatory compliance. However, their SIEM storage is limited. Which strategy best balances compliance and storage?

A. Archive logs to compressed files after 30 days and retain for one year.
B. Delete logs after 30 days and rely on local log rotation.
C. Only store alerts and drop raw logs.
D. Increase SIEM storage without archiving.
Answer: A

Archiving preserves logs for compliance while reducing storage consumption.

Why this answer

Option A is correct because archiving logs to compressed files after 30 days preserves data for compliance while saving storage space. Option B deletes logs too early; Option C loses raw data; Option D is expensive.

160. MCQ · medium

In Security Onion, an analyst runs 'squert' and sees a high number of alerts from a single source IP across multiple destination ports. What is the most likely cause?

A. Denial of service
B. SQL injection
C. Port scan
D. Phishing attack
Answer: C

A port scanner probes multiple ports to discover services.

Why this answer

Squert is a web interface for Sguil in Security Onion that visualizes alert data from the intrusion detection system (IDS). A high number of alerts from a single source IP targeting multiple destination ports is a classic signature of a port scan, where the attacker probes a range of ports on one or more targets to discover open services. The IDS triggers multiple alerts because each probe (e.g., SYN packets to different ports) matches a detection rule, such as those for TCP SYN scans.

Exam trap

Cisco often tests the distinction between a port scan and a denial of service attack, where candidates mistakenly associate 'high number of alerts' with DoS, but the key differentiator is the single source IP targeting multiple destination ports versus overwhelming a single service.

How to eliminate wrong answers

Option A is wrong because a denial of service (DoS) attack typically floods a single target with traffic to overwhelm it, resulting in alerts from many source IPs or a high volume to a single port, not a single source IP across multiple destination ports. Option B is wrong because SQL injection attacks target web application parameters (e.g., HTTP GET/POST fields) and would generate alerts related to SQL syntax in payloads, not a pattern of probes across many ports. Option D is wrong because phishing attacks involve social engineering via email or malicious links, which would trigger alerts on email headers or URL patterns, not a single IP scanning multiple ports.

161. MCQ · medium

A security analyst is investigating an alert from a host-based intrusion detection system (HIDS) that detected a file modification in the system32 directory. Which log source should the analyst check first to understand the process that made the change?

A. Firewall logs.
B. Windows Event Logs.
C. NetFlow data.
D. DNS logs.
Answer: B

Windows Event Logs record process creation events that can identify the process modifying files.

Why this answer

Windows Event Logs (specifically Security Event ID 4656 or 4663) record detailed information about file operations, including the process that initiated the modification. Since the HIDS detected a file change in system32, the Event Logs provide the process name, user account, and timestamp needed to trace the source of the modification.

Exam trap

Cisco often tests the distinction between host-based logs (Windows Event Logs) and network-based logs (firewall, NetFlow, DNS), expecting candidates to recognize that only host logs can reveal the process responsible for a local file change.

How to eliminate wrong answers

Option A is wrong because firewall logs track network traffic (source/destination IPs, ports, protocols) and do not record local file system operations on a host. Option C is wrong because NetFlow data captures network flow metadata (IP conversations, byte counts) and has no visibility into local file modifications. Option D is wrong because DNS logs record domain name resolution queries and responses, not process-level file changes on the endpoint.

162. MCQ · medium

A security analyst is reviewing baseline network traffic and notices that the normal HTTP traffic volume has increased by 300% over the past hour. The increase is from a single client IP to a single external web server. What does this indicate?

A. Possible data exfiltration via HTTP
B. A denial-of-service (DoS) attack against the web server
C. A distributed denial-of-service (DDoS) attack from botnets
D. Normal fluctuations during peak hours
Answer: A

Large upload of data to a single external server is suspicious.

Why this answer

A 300% increase in HTTP traffic from a single client IP to a single external web server is anomalous and strongly suggests data exfiltration. Attackers often use HTTP (port 80) to tunnel stolen data out of a network because it is typically allowed through firewalls and proxies without inspection. The fact that the traffic is from one IP to one server indicates a targeted, non-distributed activity, which aligns with exfiltration rather than a volumetric attack.

Exam trap

Cisco often tests the distinction between a single-source anomaly (exfiltration or DoS) and a multi-source anomaly (DDoS), and the trap here is that candidates confuse a traffic volume increase with a DoS attack, ignoring the single-source indicator that points to exfiltration.

How to eliminate wrong answers

Option B is wrong because a denial-of-service (DoS) attack would typically involve a flood of traffic from a single source to overwhelm the server, but the scenario describes a 300% increase in HTTP traffic volume, which is more consistent with sustained data transfer than a flood designed to cause resource exhaustion. Option C is wrong because a distributed denial-of-service (DDoS) attack involves multiple source IPs (botnets) generating traffic, but the question explicitly states the increase is from a single client IP, ruling out a distributed attack. Option D is wrong because a 300% increase from a single IP to a single external server is not normal peak-hour fluctuation; normal traffic patterns show gradual changes across many clients, not a sudden spike from one source.

163. MCQ · hard

To protect sensitive data at rest, a company uses AES-256 encryption. This primarily ensures which security goal?

A. Confidentiality
B. Availability
C. Integrity
D. Non-repudiation
Answer: A

Encryption protects data from unauthorized disclosure.

Why this answer

AES-256 encryption transforms plaintext data into ciphertext using a 256-bit symmetric key, rendering it unreadable without the correct decryption key. This directly ensures confidentiality by preventing unauthorized access to the stored data, even if the storage medium is compromised.

Exam trap

Cisco often tests the distinction between encryption (confidentiality) and hashing (integrity), so the trap here is confusing AES-256's role in protecting data from unauthorized reading with the ability to detect tampering, which would require a separate integrity mechanism.

How to eliminate wrong answers

Option B is wrong because availability refers to ensuring data is accessible when needed, typically addressed by redundancy, backups, and fault tolerance, not encryption. Option C is wrong because integrity ensures data has not been tampered with, usually provided by hashing algorithms (e.g., SHA-256) or HMAC, not encryption alone. Option D is wrong because non-repudiation prevents a party from denying an action, achieved through digital signatures and public key infrastructure (PKI), not symmetric encryption like AES-256.

164. MCQ · hard

A company's security policy requires that all remote access connections be authenticated using a certificate. Which type of control is this?

A. Corrective
B. Preventive
C. Detective
D. Deterrent
Answer: B

Preventive controls block unauthorized access, as does certificate authentication.

Why this answer

Requiring a certificate for remote access authentication enforces a specific identity verification method before granting access. This is a preventive control because it stops unauthorized connections from being established by ensuring only devices with a valid certificate can initiate the session, directly blocking access before any data exchange occurs.

Exam trap

Cisco often tests the distinction between preventive and deterrent controls, where candidates mistakenly choose deterrent because they think a certificate requirement 'discourages' attackers, but the correct classification is preventive because it technically enforces authentication and blocks access without it.

How to eliminate wrong answers

Option A is wrong because corrective controls (e.g., restoring from backup after a breach) are applied after an incident to mitigate damage, not before access is granted. Option C is wrong because detective controls (e.g., logging failed authentication attempts) identify ongoing or past violations but do not block the initial connection. Option D is wrong because deterrent controls (e.g., warning banners) discourage malicious behavior through fear of consequences but do not technically enforce authentication like a certificate requirement does.

165. MCQ · medium

During a security incident, an analyst needs to preserve network evidence for forensic analysis. Which action should be taken first?

A. Isolate the affected systems from the network.
B. Create a forensic image of all hard drives.
C. Shut down the affected systems to prevent further damage.
D. Capture the contents of volatile memory from affected systems.
Answer: D

Volatile data is lost when power is removed, so it must be captured first.

Why this answer

During a security incident, the first priority is to capture volatile memory (RAM) because it contains critical evidence such as running processes, network connections, and encryption keys that will be lost when the system is powered off. Option D is correct because volatile data is ephemeral and must be collected before any action that could alter the system state, such as shutdown or isolation.

Exam trap

Cisco often tests the order of volatility (RFC 3227) and the misconception that isolating or shutting down the system is the safest first step, when in fact it destroys the most volatile evidence.

How to eliminate wrong answers

Option A is wrong because isolating the affected systems from the network may trigger network-level changes (e.g., ARP cache updates, connection teardowns) that alter volatile memory contents, and it does not preserve the current state of memory. Option B is wrong because creating a forensic image of hard drives is a non-volatile data acquisition step that should occur after volatile memory capture, as it does not preserve RAM contents and may be delayed without losing evidence. Option C is wrong because shutting down the system destroys all volatile memory data (e.g., running processes, open network sockets, encryption keys) and may also cause disk writes (e.g., pagefile updates) that overwrite evidence.

166. MCQ · easy

An organization wants to classify data based on its sensitivity and impact if disclosed. Which security principle is being applied?

A. Defense in depth
B. Confidentiality, integrity, and availability (CIA)
C. Least privilege
D. Data loss prevention
Answer: B

Data classification directly supports confidentiality and integrity by applying appropriate controls.

Why this answer

The organization's goal is to classify data based on sensitivity and impact if disclosed, which directly aligns with the confidentiality component of the CIA triad. Confidentiality ensures that sensitive information is accessed only by authorized individuals, and classification is the foundational step to enforce this principle. The CIA triad (Confidentiality, Integrity, Availability) is the core security model that governs how data is protected based on its value and risk.

Exam trap

Cisco often tests the distinction between a security principle (CIA) and a security mechanism (DLP, least privilege, defense in depth), leading candidates to confuse the 'what' (classification) with the 'how' (implementation).

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewalls, IDS, encryption) to protect assets, not a principle for classifying data by sensitivity. Option C is wrong because least privilege is an access control principle that grants only the minimum permissions needed to perform a task, which is applied after data classification, not the classification principle itself. Option D is wrong because data loss prevention (DLP) is a technology solution that monitors and prevents unauthorized data transfers, but it does not define how data should be classified based on sensitivity and impact.

167. Multi-Select · medium

Which TWO of the following are best practices for implementing a security policy?

Select 2 answers
A. Use technical jargon to ensure precision
B. Avoid enforcement to promote user compliance
C. Write the policy once and never change it
D. Review and update the policy annually
E. Obtain management approval and support
Answers: D, E

Periodic review keeps policy current.

Why this answer

Option D is correct because security policies must be living documents that adapt to evolving threats, regulatory changes (e.g., GDPR, PCI DSS), and organizational shifts. Annual reviews ensure the policy remains aligned with current risk posture and compliance requirements, as recommended by frameworks like NIST SP 800-53.

Exam trap

Cisco often tests the misconception that security policies are static, one-time documents, when in fact they require periodic review and management buy-in to remain effective and enforceable.

168. Multi-Select · hard

Which TWO of the following are characteristics of behavioral-based anomaly detection in network monitoring? (Select 2)

Select 2 answers
A. Establishes a baseline of normal traffic
B. Relies on predefined signatures
C. Can inspect encrypted traffic without decryption
D. Uses static rules written by administrators
E. Can detect zero-day attacks
Answers: A, E

Behavioral analysis uses baselines to find deviations.

Why this answer

Correct: A (establishes a baseline of normal traffic) and E (detects unknown, zero-day attacks by flagging deviations from that baseline). B is wrong because signature-based detection is not behavioral. D is wrong because static rules written by administrators are not behavioral. C is wrong because inspecting encrypted payloads requires decryption first; behavioral detection has no special ability to see inside encrypted traffic.

169. MCQ · hard

A SOC team is evaluating a SIEM rule that triggers on 'more than 10 failed login attempts from a single source within 5 minutes.' The rule is generating too many alerts from a legitimate external monitoring service. How should the rule be modified?

A. Increase the threshold to 20 failed attempts.
B. Disable the rule and rely on other detection methods.
C. Add an exception for the source IP of the monitoring service.
D. Extend the time window to 10 minutes.
Answer: C

Exceptions effectively reduce false positives without changing rule logic.

Why this answer

Option C is correct because the rule is generating false positives from a known, legitimate source. Adding an exception for the monitoring service's source IP allows the SIEM to continue detecting actual brute-force attacks while ignoring expected traffic from that specific host. This is a standard whitelisting technique in SIEM rule tuning to reduce noise without compromising security coverage.

Exam trap

Cisco often tests the concept that tuning a SIEM rule should preserve detection capability for actual threats, so candidates mistakenly choose threshold or time-window adjustments (A or D) instead of the more precise fix of adding an exception for the known benign source.

How to eliminate wrong answers

Option A is wrong because increasing the threshold to 20 failed attempts would still generate alerts from the monitoring service if it performs more than 20 attempts in 5 minutes, and it could also delay detection of a real brute-force attack that uses fewer than 20 attempts. Option B is wrong because disabling the rule entirely removes detection of brute-force attacks from all sources, creating a critical security gap that cannot be justified by a single false positive source. Option D is wrong because extending the time window to 10 minutes would still trigger on the monitoring service if it performs more than 10 failed attempts in that longer period, and it would also slow down detection of actual attacks by requiring a longer observation window.

170. MCQ · medium

A SOC analyst is reviewing alerts from a network-based intrusion detection system (NIDS). An alert indicates a potential SQL injection attempt, but the destination server is a web application that accepts SQL queries as part of its normal function. What should the analyst do?

A. Disable the alert to reduce noise.
B. Tune the NIDS signature to ignore that server.
C. Immediately block the source IP.
D. Correlate with web server logs to determine if the request was malicious.
Answer: D

Correlation provides context to differentiate between normal and malicious SQL queries.

Why this answer

Option D is correct because the NIDS alert alone cannot confirm malicious intent when the destination server legitimately accepts SQL queries. Correlating with web server logs allows the analyst to examine the full HTTP request (e.g., parameters, payload, referrer) to distinguish between a benign feature usage and an actual SQL injection attack, such as detecting unexpected SQL keywords or syntax in input fields that should not contain them.

Exam trap

Cisco often tests the misconception that any NIDS alert indicating a known attack pattern must be acted upon immediately with a blocking action, without considering the application's normal behavior or the need for log correlation.

How to eliminate wrong answers

Option A is wrong because disabling the alert removes visibility into a potential threat and violates the principle of maintaining detection coverage; alerts should be tuned or suppressed, not disabled entirely. Option B is wrong because tuning the NIDS signature to ignore that server would create a blind spot for all future SQL-related traffic to that host, including genuine attacks, and does not address the need to investigate the current alert. Option C is wrong because immediately blocking the source IP is an overly aggressive response that could block legitimate users and disrupt business operations; the analyst must first verify malicious intent through log correlation.

171. MCQ · medium

A company uses Snort for intrusion detection. The analyst receives an alert for 'ET POLICY Outgoing DNS Query to Possible Malicious Domain'. The destination IP is 203.0.113.5. The analyst checks the DNS query and finds it is for 'update.software.com', which is a legitimate update server. However, the Snort rule triggered because the domain was recently added to a threat intelligence feed. What is the most likely cause of this false positive?

A. The Snort rule is misconfigured and should be disabled
B. The rule is too broad and matches all DNS queries
C. The Snort signature is too generic and should be tuned
D. The threat intelligence feed contains a false positive for that domain
Answer: D

The domain is legitimate but was erroneously flagged by the threat feed, causing a false positive alert.

Why this answer

The Snort rule triggered because the domain 'update.software.com' was listed in a threat intelligence feed, but the analyst verified it is a legitimate update server. This indicates the threat intelligence feed itself incorrectly flagged the domain as malicious, making it a false positive in the feed. Option D is correct because the root cause is the feed's inaccuracy, not a misconfiguration or overly broad rule.

Exam trap

Cisco often tests the distinction between a false positive caused by a rule or signature issue versus a false positive caused by inaccurate threat intelligence, leading candidates to incorrectly blame the rule configuration or signature specificity.

How to eliminate wrong answers

Option A is wrong because disabling the rule would remove detection for legitimate threats; the rule itself is not misconfigured, as it correctly matches the feed. Option B is wrong because the rule is not too broad—it specifically matches DNS queries to domains in the threat intelligence feed, not all DNS queries. Option C is wrong because the Snort signature is not too generic; it is precisely targeting domains from the feed, and tuning the signature would not fix an incorrect feed entry.

172
Matchingmedium

Match each Windows event log type to its description.

Logs success/failure audit events

Logs operating system events

Logs events from applications

Logs installation events

Logs events forwarded from other computers

Why these pairings

These are standard Windows Event Log categories.

173
MCQeasy

A small retail company has a security policy that requires all point-of-sale (POS) systems to be isolated on a separate network segment with strict firewall rules. During a network audit, you discover that the POS system is connected to the same network as the office workstations, violating policy. The store manager says it was done for convenience because the network cable was too short. What is the best course of action?

A.Accept the risk because it's a small store.
B.Implement a software firewall on the POS system to compensate.
C.Purchase a longer cable and reconnect the POS to the correct segment.
D.Move the POS system to the correct network segment immediately and report the violation.
AnswerD

This restores compliance and ensures proper documentation.

Why this answer

Option D is correct because immediate remediation and reporting are both required. Option C is fine but lacks reporting; Option B is not a substitute for network segmentation; Option A is unacceptable.

174
Multi-Selectmedium

Which THREE of the following are best practices for implementing security logging and monitoring? (Select 3)

Select 3 answers
A.Define alert thresholds based on baselines
B.Synchronize device clocks using NTP
C.Minimize log retention to reduce storage costs
D.Centralize logs to a dedicated log server
E.Log only during incident response to reduce noise
AnswersA, B, D

Baselines reduce false positives.

Why this answer

Defining alert thresholds based on baselines is a best practice because it allows the security monitoring system to distinguish between normal and anomalous behavior. By establishing a baseline of typical network traffic, CPU usage, or login patterns, you can set thresholds that trigger alerts only when deviations occur, reducing false positives and ensuring that genuine security incidents are not missed.

Exam trap

Cisco often tests the misconception that logging should be minimized to reduce noise or storage costs, but the correct approach is to log continuously and use baselines and centralized aggregation to manage volume and relevance.

175
MCQeasy

You are a security analyst at a medium-sized company. A user reports that their workstation is running slowly and the network is sluggish. You check the firewall logs and see a large number of outgoing connections from the user's workstation to an external IP address (198.51.100.23) on port 4444. The connections are short-lived and occur every few seconds. The workstation has standard corporate antivirus installed, which is up-to-date and shows no threats. You have also noticed that the workstation is making DNS queries to an unusual domain (malicious.example.com) that resolves to the same external IP. What is the most appropriate immediate action?

A.Block the external IP address on the firewall and continue monitoring.
B.Isolate the workstation by disconnecting it from the network immediately.
C.Run a full forensic analysis on the workstation without disconnecting it.
D.Update the antivirus signatures and run a full scan on the workstation.
AnswerB

Isolation stops C2 communication and preserves evidence.

Why this answer

The workstation exhibits classic signs of a command-and-control (C2) infection: periodic outbound connections to an external IP on a non-standard port (4444) and DNS queries to a suspicious domain. Isolating the workstation immediately (Option B) is the most appropriate action because it stops the potential data exfiltration and prevents the malware from receiving further commands, containing the threat before any analysis or remediation.

Exam trap

Cisco often tests the principle that containment (isolation) must precede analysis or remediation when active C2 traffic is observed, and the trap here is that candidates may choose to block the IP or run a scan, mistakenly thinking those actions are sufficient to stop the threat without removing the host from the network.

How to eliminate wrong answers

Option A is wrong because simply blocking the external IP on the firewall does not remove the malware from the workstation; the malware could use a different IP or domain to continue its C2 communication, and the infected host remains a risk to the network. Option C is wrong because running a full forensic analysis without disconnecting the workstation allows the malware to continue its malicious activity (e.g., exfiltrating data, spreading laterally) during the analysis, which violates the containment-first principle of incident response. Option D is wrong because the antivirus is already up-to-date and shows no threats, indicating the malware is likely unknown or obfuscated; running another scan with the same signatures will not detect it, and the infection remains active on the network.

176
MCQmedium

During an incident, an analyst captures network traffic. Which field in a TCP header is used to reassemble fragmented packets?

A.Flags
B.Window size
C.Acknowledgment number
D.Sequence number
AnswerD

The sequence number indicates the order of bytes for reassembly.

Why this answer

The Sequence Number field in the TCP header is used to reassemble fragmented packets because it indicates the order of data bytes in the stream. When a TCP segment is fragmented at the IP layer, the sequence number allows the receiver to correctly reorder the fragments based on the original byte stream, ensuring proper reassembly.

Exam trap

Cisco often tests the distinction between IP fragmentation (handled by the Identification field and fragment offset in the IP header) and TCP reassembly (handled by the Sequence Number), causing candidates to confuse the two layers.

How to eliminate wrong answers

Option A is wrong because the Flags field in the TCP header (e.g., SYN, ACK, FIN) controls connection state and segment behavior, not packet reassembly. Option B is wrong because the Window Size field indicates the amount of data the receiver is willing to accept for flow control, not for reassembly ordering. Option C is wrong because the Acknowledgment Number field confirms receipt of data up to a certain sequence number, but it does not provide the ordering information needed to reassemble fragmented packets.

177
MCQhard

During a forensic investigation, an analyst acquires a hard drive image using dd. What must be done to ensure the evidence is admissible in court?

A.Encrypt the image
B.Use a write blocker
C.Compress the image
D.Store the image in a shared folder
AnswerB

Write blockers prevent modification of the original evidence.

Why this answer

Using a write blocker ensures that the hard drive is not modified during acquisition, preserving the original data's integrity. This is critical for maintaining the chain of custody and demonstrating that the evidence has not been tampered with, which is a fundamental requirement for admissibility in court. The dd command itself does not prevent writes; a hardware or software write blocker must be used to guarantee read-only access.

Exam trap

Cisco often tests the distinction between integrity preservation (write blocker) and other security goals like confidentiality (encryption) or storage efficiency (compression), leading candidates to confuse admissibility requirements with general best practices.

How to eliminate wrong answers

Option A is wrong because encrypting the image protects confidentiality but does not preserve integrity or prevent modification during acquisition; it could even complicate verification of the original data. Option C is wrong because compressing the image reduces storage size but does not ensure the evidence was collected without alteration; compression may also introduce potential data integrity issues if not done correctly. Option D is wrong because storing the image in a shared folder increases the risk of unauthorized access or modification, which could break the chain of custody and make the evidence inadmissible.

178
Multi-Selectmedium

A company's security policy mandates data encryption at rest. Which TWO of the following are acceptable methods to meet this requirement? (Choose two.)

Select 2 answers
A.Database encryption
B.Full disk encryption
C.File-level encryption
D.Hashing
E.Encryption of network traffic (TLS)
AnswersA, B

Encrypts data within database files, protecting at rest.

Why this answer

Full disk encryption and file-level encryption both protect data at rest. Database encryption also does, but only two are needed. Encryption of network traffic protects data in transit, not at rest.

179
Multi-Selecteasy

Which TWO of the following are key components of a security policy? (Choose two.)

Select 2 answers
A.Incident response procedures
B.Policy statement
C.Enforcement and compliance guidelines
D.Password complexity requirements
E.Network topology diagrams
AnswersB, C

The policy statement defines the purpose and scope of the policy.

Why this answer

A security policy is a high-level document that defines an organization's overall security posture, objectives, and guiding principles. The policy statement (B) is the core component that articulates management's commitment and the policy's scope, while enforcement and compliance guidelines (C) specify how the policy will be implemented and what consequences exist for violations. These two elements are fundamental to any security policy framework.

Exam trap

Cisco often tests the distinction between a security policy (high-level, principle-based) and operational procedures or technical standards, causing candidates to mistake detailed implementation steps like incident response or password rules as policy components.

180
MCQeasy

An organization's security policy mandates that all external media (USB drives, external hard drives) must be scanned for malware before use. An employee inserts a USB drive to transfer a presentation for a meeting. The employee runs the antivirus scan, but it fails to complete because the USB drive has a hardware write-protect switch. The employee is in a hurry. What should the employee do?

A.Manually check each file for suspicious extensions.
B.Remove the USB drive and use a different approved method of file transfer.
C.Disable write protection and rescan.
D.Proceed with the file transfer since the scan failed due to hardware issue.
AnswerB

This complies with policy by avoiding an unscanned medium.

Why this answer

Option B is correct because if the scan cannot be performed, the USB drive should not be used; using an alternative approved transfer method complies with policy. Option C may still not allow a proper scan; Option D violates policy; Option A is not a substitute for scanning.

181
MCQhard

A company implements a policy where users must authenticate with a password and a one-time code from a token. Which AAA component is strengthened by this policy?

A.Authentication
B.Accounting
C.Auditing
D.Authorization
AnswerA

Multi-factor authentication strengthens the authentication component of AAA.

Why this answer

Authentication is the AAA component that verifies the identity of a user. By requiring both a password (something you know) and a one-time code from a token (something you have), the policy implements multi-factor authentication (MFA), which directly strengthens the authentication process. This ensures that even if a password is compromised, an attacker cannot authenticate without the token.

Exam trap

Cisco often tests the distinction between authentication and authorization, where candidates mistakenly think that adding a token strengthens authorization (access control) rather than the identity verification step.

How to eliminate wrong answers

Option B (Accounting) is wrong because accounting tracks user activities and resource consumption (e.g., login/logout times, data transferred) for auditing or billing, not the verification of identity. Option C (Auditing) is wrong because auditing is a separate process of reviewing logs and records to detect security events or compliance violations, not a core AAA component that handles identity verification. Option D (Authorization) is wrong because authorization determines what resources or actions an authenticated user is permitted to access, not the method of proving identity.

182
MCQhard

You are a security analyst at a multinational corporation. The company has implemented a security policy that requires all employees to use company-issued laptops with full disk encryption. During a routine audit, you discover that a senior executive's laptop is not encrypted. The executive claims that IT support had disabled encryption because the laptop was running slowly. The current policy does not allow exceptions without management approval. The executive's laptop contains sensitive client data. What should you do?

A.Report the violation to the security manager and advise that the laptop remain in use but monitored closely until encryption can be applied during next maintenance window.
B.Accept the executive's explanation and document it as an informal exception.
C.Escalate to the incident response team to treat this as a data breach because data may have been exposed.
D.Immediately re-enable encryption on the laptop and submit an exception request after the fact.
AnswerA

This ensures compliance while minimizing business disruption and follows proper escalation.

Why this answer

Option A is correct because reporting the violation and monitoring the laptop until encryption can be applied is a balanced approach. Option D violates policy by making changes without approval; Option C overreacts without evidence of a breach; Option B ignores policy entirely.

183
MCQhard

A security analyst is reviewing NetFlow records and notices a host sending data to an external IP at regular intervals during non-business hours. Which flow characteristic is most indicative of data exfiltration?

A.Random destination ports.
B.High number of small packets.
C.Low number of bytes per flow.
D.Constant bit rate and consistent packet size.
AnswerD

Data exfiltration tools often send data at a steady rate to avoid suspicion.

Why this answer

Data exfiltration often uses a steady, low-and-slow approach to evade detection. A constant bit rate and consistent packet size indicate a scripted, automated transfer, such as a beacon or a covert channel, which is highly suspicious during non-business hours. This pattern contrasts with legitimate traffic, which typically shows variable packet sizes and bursty behavior.

Exam trap

Cisco often tests the misconception that data exfiltration always involves large volumes of data or many small packets, when in fact the hallmark of stealthy exfiltration is consistency and regularity to blend in with normal traffic patterns.

How to eliminate wrong answers

Option A is wrong because random destination ports are more indicative of port scanning or malware trying to find an open service, not a sustained data transfer. Option B is wrong because a high number of small packets is characteristic of VoIP, DNS queries, or DDoS attacks, not the steady, consistent flow of exfiltrated data. Option C is wrong because a low number of bytes per flow suggests minimal data transfer, which is the opposite of what you would expect from a successful exfiltration of significant data.

184
MCQeasy

A company wants to monitor for unauthorized wireless access points. Which technique should they implement?

A.Enable port security on all switches.
B.Use VLAN segmentation.
C.Deploy a Wireless Intrusion Prevention System (WIPS).
D.Implement 802.1X authentication.
AnswerC

Designed to detect rogue APs and wireless threats.

Why this answer

A Wireless Intrusion Prevention System (WIPS) is specifically designed to detect, classify, and block unauthorized wireless access points (rogue APs) by continuously monitoring the RF spectrum. Unlike wired-only controls, WIPS can identify rogue devices that are not connected to the wired network, making it the correct choice for this requirement.

Exam trap

Cisco often tests the distinction between wired security controls (port security, VLANs, 802.1X) and wireless-specific monitoring (WIPS), trapping candidates who assume that any network security measure can detect unauthorized wireless devices.

How to eliminate wrong answers

Option A is wrong because port security is a wired switch feature that limits the number of MAC addresses per port and does not monitor or detect wireless rogue access points. Option B is wrong because VLAN segmentation logically separates network traffic but provides no mechanism to discover or prevent unauthorized wireless devices from operating. Option D is wrong because 802.1X authentication controls network access for wired and wireless clients via RADIUS, but it does not actively scan for or block rogue access points that are not part of the authentication domain.

185
Multi-Selectmedium

Which TWO are common indicators of a phishing email? (Select two.)

Select 2 answers
A.Urgent call to action
B.Personal salutation
C.Generic greeting
D.Proper spelling and grammar
E.Matching sender domain
AnswersA, C

Phishing creates urgency to trick victims into acting quickly.

Why this answer

Phishing emails often create a false sense of urgency to pressure recipients into acting without verifying the source. An urgent call to action, such as 'Your account will be suspended in 24 hours,' is a classic social engineering tactic that exploits fear or time pressure to bypass rational scrutiny.

Exam trap

Cisco often tests the distinction between generic phishing (mass, untargeted) and spear phishing (targeted, personalized), so candidates mistakenly select 'Personal salutation' as a common indicator when it actually indicates a more advanced attack, not a typical phishing email.

186
MCQmedium

Based on the exhibit, what is the most likely conclusion about the host's security state?

A.The svchost.exe process on UDP port 4444 indicates a Windows service that should be monitored.
B.The established TCP connection to 203.0.113.5 indicates data exfiltration to a known malicious IP.
C.The host is running a legitimate remote administration tool on port 4444.
D.The host has a backdoor listening on UDP port 4444, and the established connection suggests an active command session via cmd.exe.
AnswerD

The combination of UDP listener and cmd.exe connection to external IP is highly suspicious.

Why this answer

The exhibit shows svchost.exe listening on UDP port 4444, which is unusual because svchost.exe typically hosts Windows services over TCP or named pipes, not raw UDP. Additionally, an established TCP connection to 203.0.113.5 with cmd.exe as the associated process indicates an active command shell session, which is a classic sign of a backdoor. The combination of a non-standard UDP listener and an active cmd.exe connection strongly suggests the host is compromised with a backdoor providing remote command execution.

Exam trap

Cisco often tests the misconception that svchost.exe is always legitimate, but the trap here is that a UDP listener on port 4444 combined with an established cmd.exe connection is a definitive indicator of a backdoor, not a normal Windows service or remote admin tool.

How to eliminate wrong answers

Option A is wrong because svchost.exe does not natively listen on UDP port 4444; legitimate Windows services use well-known ports (e.g., 135, 445) over TCP, and a UDP listener on 4444 is anomalous and indicative of malware masquerading as a system process. Option B is wrong because while the TCP connection to 203.0.113.5 is suspicious, the exhibit does not provide evidence that this IP is known malicious or that data exfiltration is occurring; the primary indicator is the cmd.exe process tied to the connection, suggesting an interactive shell rather than bulk data transfer. Option C is wrong because legitimate remote administration tools (e.g., RDP on 3389, SSH on 22) do not use UDP port 4444, and svchost.exe is not a legitimate remote administration binary; the presence of cmd.exe on the established connection confirms an unauthorized command session.

187
Multi-Selecthard

Which THREE factors should be considered when tuning an IPS signature? (Choose three.)

Select 3 answers
A.Time of day
B.Application protocol
C.Source and destination IPs
D.Signature severity
E.Packet length
AnswersB, C, D

Signatures should match the intended protocol to reduce false positives.

Why this answer

Application protocol (B) is critical because IPS signatures are protocol-aware and must match the specific protocol context (e.g., HTTP, SMTP, DNS) to avoid false positives. Tuning based on the protocol ensures the signature only inspects traffic where the vulnerability or exploit is relevant, such as applying a SQL injection signature only to HTTP traffic.

Exam trap

Cisco often tests the misconception that time-based or packet-length parameters are valid tuning options, when in fact IPS tuning focuses on protocol context, IP addresses, and severity to balance detection accuracy and performance.

188
MCQhard

An analyst examines a PCAP file and sees a series of HTTP POST requests to an external server with Base64-encoded payloads in the request body. The payloads decode to small text strings. Which type of data exfiltration technique is being used?

A.Session hijacking
B.DNS exfiltration
C.HTTP data exfiltration
D.HTTP tunneling
AnswerC

Data hidden in HTTP POST requests is a typical exfiltration technique.

Why this answer

The analyst observes HTTP POST requests carrying Base64-encoded payloads in the request body that decode to small text strings. This is a classic indicator of HTTP data exfiltration, where sensitive data is encoded and sent over HTTP to an external server, bypassing security controls by blending with normal web traffic.

Exam trap

Cisco often tests the distinction between HTTP data exfiltration and HTTP tunneling, where the trap is that candidates confuse encapsulating another protocol (tunneling) with simply sending encoded data over HTTP (exfiltration).

How to eliminate wrong answers

Option A is wrong because session hijacking involves stealing a valid session token (e.g., via XSS or packet sniffing) to impersonate a user, not exfiltrating data via HTTP POST bodies. Option B is wrong because DNS exfiltration encodes data in DNS queries (e.g., subdomains or TXT records) and uses UDP port 53, not HTTP POST requests. Option D is wrong because HTTP tunneling encapsulates non-HTTP protocols (e.g., SSH, RDP) inside HTTP to bypass firewalls, whereas here the payloads are directly Base64-encoded text strings in the POST body, not a tunnel for another protocol.

189
MCQeasy

Refer to the exhibit. An EDR alert shows this JSON event. What is the most significant indicator of a potential malware infection?

A.The user is 'jsmith'.
B.The parent process is explorer.exe.
C.The process path is in the Downloads folder.
D.The event type is 'Process Creation'.
AnswerC

Common location for malware delivered via email or web.

Why this answer

The process path in the Downloads folder is the most significant indicator because it suggests the executable was downloaded from the internet, a common vector for malware delivery. Attackers frequently use social engineering to trick users into saving malicious files to the Downloads folder, which then execute and initiate infection chains. In EDR analysis, execution from user-writable directories like Downloads is a high-fidelity alert, as legitimate software is rarely launched from this location.

Exam trap

Cisco often tests the distinction between benign system behavior (like explorer.exe as a parent process) and high-risk execution paths (like the Downloads folder), tricking candidates into focusing on the user or event type rather than the contextual risk of the file's origin.

How to eliminate wrong answers

Option A is wrong because the username 'jsmith' alone is not an indicator of compromise; it only identifies the user context and does not provide evidence of malicious activity. Option B is wrong because explorer.exe is a legitimate Windows shell process that commonly spawns child processes when users interact with the system, so it is not inherently suspicious. Option D is wrong because 'Process Creation' is a standard event type in Windows ETW and Sysmon logs; it is the specific attributes of the process (such as its path) that indicate potential malware, not the event type itself.

190
MCQeasy

Refer to the exhibit. A security policy states that all remote desktop (RDP) and Telnet access from external networks must be blocked. Does the above access-list comply with the policy?

A.Yes, because it denies RDP and Telnet.
B.Yes, because it denies TCP ports 3389 and 23.
C.No, because it permits all other traffic.
D.No, because it should deny HTTP traffic as well.
AnswerA

The ACL denies both services required by policy.

Why this answer

The ACL explicitly denies RDP (port 3389) and Telnet (port 23) and permits all other traffic, which fully meets the policy requirement. The policy does not require blocking other services.

191
Multi-Selecthard

Which THREE of the following are valid techniques to detect a compromised host using network monitoring?

Select 3 answers
A.Identifying periodic outbound connections to an unknown IP at regular intervals (beaconing).
B.Watching for ICMP echo requests from internal hosts to external hosts.
C.Observing DNS queries for domains that are known to be malicious from threat intelligence.
D.Detecting a host that is sending SMTP traffic to a server not authorized as a mail relay.
E.Monitoring for high volumes of HTTP traffic to a known CDN.
AnswersA, C, D

Beaconing is a common C2 technique.

Why this answer

Option A is correct because beaconing is a classic indicator of a compromised host establishing a command-and-control (C2) channel. The host periodically sends outbound connections to an unknown IP at regular intervals, which is a behavior that network monitoring tools can detect as anomalous traffic patterns, often used by malware to maintain persistence and receive instructions.

Exam trap

Cisco often tests the distinction between normal network behavior (like ICMP pings or CDN traffic) and actual malicious indicators, so candidates may mistake common but benign traffic for signs of compromise.

192
MCQmedium

A security analyst discovers that an employee has been sharing login credentials with coworkers. Which policy violation is this?

A.Remote Access Policy violation
B.Incident Response Policy violation
C.Data Classification Policy violation
D.Acceptable Use Policy violation
AnswerD

Sharing credentials is a misuse of company resources, violating the Acceptable Use Policy.

Why this answer

Sharing login credentials violates the Acceptable Use Policy (AUP), which defines how employees may use company systems and data. The AUP typically prohibits password sharing because it undermines non-repudiation and access control, as each user should have unique credentials for accountability. This is a direct breach of acceptable behavior, not a failure of remote access, incident response, or data classification procedures.

Exam trap

Cisco often tests the distinction between policies by making candidates confuse a data classification violation (handling sensitive data incorrectly) with an acceptable use violation (improper use of credentials or systems).

How to eliminate wrong answers

Option A is wrong because a Remote Access Policy governs how external connections (e.g., VPN, RDP) are established and secured, not the internal sharing of credentials among coworkers. Option B is wrong because an Incident Response Policy outlines the steps to detect, contain, and remediate security incidents, not the prohibition of password sharing. Option C is wrong because a Data Classification Policy defines how data is categorized (e.g., public, confidential) and handled based on sensitivity, but does not address user authentication practices like credential sharing.

193
MCQhard

During an incident response, the SOC needs to determine the scope of a compromise by identifying all hosts that communicated with a known malicious IP in the last 30 days. Which data source would best support this analysis?

A.SNMP traps from routers
B.Syslog from the DHCP server
C.Firewall deny logs
D.NetFlow records from the router
AnswerD

NetFlow captures all traffic flows, allowing historical analysis.

Why this answer

NetFlow records capture metadata about all IP traffic flows traversing a router, including source and destination IP addresses, ports, and timestamps. This allows the SOC to query for any host that communicated with the known malicious IP over the past 30 days, providing a complete picture of the compromise's scope. Unlike logs that only record denied traffic or administrative events, NetFlow records all successful communications, making it the ideal data source for this analysis.

Exam trap

Cisco often tests the distinction between logs that record only denied traffic (firewall deny logs) versus logs that record all traffic (NetFlow), leading candidates to mistakenly choose firewall deny logs because they associate firewalls with security monitoring.

How to eliminate wrong answers

Option A is wrong because SNMP traps from routers are used for network device monitoring and fault management (e.g., link up/down, CPU spikes), not for recording per-flow IP communication history with specific destinations. Option B is wrong because syslog from the DHCP server logs IP address lease assignments and client MAC addresses, but does not log the actual network traffic flows or communications between hosts and external IPs. Option C is wrong because firewall deny logs only record traffic that was blocked, not allowed traffic; since the malicious IP was likely contacted successfully, deny logs would miss the very communications needed to identify compromised hosts.

194
MCQhard

Refer to the exhibit. A network administrator applied this ACL inbound on the external interface of a firewall. An attacker sends a TCP SYN packet with source IP 192.0.2.1 to destination 10.1.1.100 port 80. Which statement accurately describes the packet's treatment?

A.The packet is permitted because the ACL only denies non-TCP traffic
B.The packet is denied by the implicit deny at the end
C.The packet is denied because there is no permit for source 192.0.2.1
D.The packet is permitted by the first ACE
AnswerD

The first line matches TCP any to host 10.1.1.100 on port 80.

Why this answer

The ACL permits TCP from any source to 10.1.1.100 on port 80, so the SYN packet matches the first ACE and is permitted. Because the ACL is applied inbound, the firewall may additionally apply stateful inspection to the connection, but the ACL itself allows the packet.

Option D is correct. Option B is incorrect because the packet matches an explicit ACE before the implicit deny at the end is reached. Option C is incorrect because the packet is permitted by the first line, which matches any source. Option A is incorrect because the packet is permitted by an explicit TCP permit entry, not because the ACL only denies non-TCP traffic.

195
MCQmedium

A company's security policy requires that all firewall rule changes be approved through a change management process. An engineer notices an unauthorized rule that allows RDP from any external IP. What is the first step the engineer should take?

A.Wait for approval from the change management board
B.Remove the rule immediately and document the change after
C.Investigate who added the rule
D.Block all RDP access to the network
AnswerB

Emergency removal is appropriate to stop immediate risk, with documentation per policy.

Why this answer

Option B is correct because the rule represents an active threat, so immediate removal is justified as an emergency change, followed by documentation. Option A is wrong because waiting for approval delays protection. Option C is wrong because investigation can follow removal. Option D is wrong because blocking all RDP is too broad.

196
MCQmedium

Refer to the exhibit. This syslog message is generated from a Cisco firewall. According to the security policy, all traffic from the 10.10.10.0/24 network to the internal 192.168.1.0/24 network must be denied except for HTTP traffic from specific IPs. Which of the following should be investigated?

A.The packet was permitted but logged.
B.The packet was denied because it was HTTP traffic from 10.10.10.5.
C.The destination IP 192.168.1.10 is compromised.
D.The source IP 10.10.10.5 should be allowed to pass HTTP traffic.
AnswerD

The permit must be checked against the policy exception: is 10.10.10.5 one of the specific IPs allowed to send HTTP traffic?

Why this answer

The syslog message shows that a packet from 10.10.10.5 to 192.168.1.10 on port 80 (HTTP) was permitted. The policy denies the 10.10.10.0/24 network by default and permits HTTP only from specific IPs, so a permitted HTTP flow from 10.10.10.5 is consistent with the policy only if 10.10.10.5 is one of those approved sources. That is the item to investigate, which is option D: confirm that 10.10.10.5 is on the approved list. If it is, the permit is expected; if it is not, the firewall rule is misconfigured. Nothing in the message itself indicates a compromise.

Exam trap

Cisco often tests the reading of the action field in a syslog message. Candidates see HTTP permitted from a subnet that is denied by default and treat the permit itself as a violation, when the policy exception may allow exactly that source; what needs checking is whether the source is on the approved list, not the fact that the traffic was permitted.

How to eliminate wrong answers

Option A is wrong because a permitted-and-logged packet is not by itself anomalous; logging on a permit is normal, and the question asks what warrants investigation. Option B is wrong because the message shows action 'permit', not 'deny', and HTTP from 10.10.10.5 is the kind of traffic the exception may allow. Option C is wrong because the message provides no indication that 192.168.1.10 is compromised; it is simply the destination of a permitted HTTP request, and compromise would require additional evidence such as abnormal traffic patterns or endpoint alerts.

197
MCQhard

Your organization uses a SIEM solution (Cisco Secure Network Analytics and Cisco Secure Cloud Analytics) for monitoring. You are the lead analyst and receive multiple alerts: (1) A host on the internal network is making thousands of outbound connections to a known malicious IP on port 80 in a short time. (2) At the same time, there is a spike in DNS queries from the same host to a domain that is registered very recently. (3) The firewall logs show that the host is communicating with internal servers on high ports (e.g., 4444, 5555). The host is a Windows 10 workstation used by the finance department. The user reports it has been slow recently. You have access to Cisco AMP for Endpoints, Cisco Firepower NGFW, and Cisco Stealthwatch. The environment has 500 endpoints, and the network uses 802.1X authentication. What should be your first course of action?

A.Check the current baseline for the host to confirm it is anomalous.
B.Block the malicious IP at the firewall and continue monitoring.
C.Update the antivirus signatures on the host and run a full scan.
D.Isolate the host from the network immediately and begin investigation.
AnswerD

Containment is the first priority before analysis.

Why this answer

Option D is correct because the combination of outbound connections to a known malicious IP, DNS queries for a newly registered domain, and internal traffic on high ports (4444, 5555) typical of C2 or lateral-movement tooling indicates a compromise with high confidence. Immediate isolation, for example a quarantine VLAN pushed through 802.1X or a switch ACL, stops lateral movement and data exfiltration while keeping the host powered on, so volatile evidence (memory, connections, processes) is preserved. Cisco AMP for Endpoints can then be used to analyze the host while it is cut off from the rest of the network.

Exam trap

Cisco often tests the principle of 'containment before eradication' — candidates mistakenly choose to block the IP or scan the host, but the correct first step is always to isolate the compromised endpoint to stop the attack from spreading.

How to eliminate wrong answers

Option A is wrong because checking the baseline is a passive analysis step that wastes time during an active, multi-indicator compromise; the alerts already confirm anomalous behavior. Option B is wrong because blocking only the external IP leaves the host still infected and able to communicate internally via high ports (e.g., 4444, 5555), allowing lateral movement and persistence. Option C is wrong because updating antivirus signatures and scanning is a reactive, slow step that may miss advanced malware; the host should be isolated first to prevent damage while a deeper investigation is conducted.

198
MCQeasy

Which type of malware is designed to spread automatically across networks without user interaction?

A.Ransomware
B.Virus
C.Trojan
D.Worm
AnswerD

Worms spread autonomously across networks.

Why this answer

A worm is a standalone malware program that replicates itself to spread to other computers over a network, often exploiting vulnerabilities without any user intervention. Unlike viruses, worms do not require a host file or user action to propagate, making them capable of rapid, automated spread across networks.

Exam trap

Cisco often tests the distinction between a virus and a worm, where the trap is that candidates confuse 'self-replicating' with 'requires a host file,' leading them to incorrectly choose virus instead of worm for autonomous network spread.

How to eliminate wrong answers

Option A is wrong because ransomware typically requires user interaction (e.g., clicking a link or opening an attachment) to execute and encrypt files; it does not self-propagate automatically. Option B is wrong because a virus attaches itself to a legitimate host file or program and relies on user action (e.g., running the infected file) to spread, not autonomous network propagation. Option C is wrong because a Trojan disguises itself as legitimate software to trick users into installing it, and it does not self-replicate or spread automatically across networks.

199
MCQmedium

A company's security policy prohibits the use of shared accounts. However, a legacy application requires a shared administrative account to run. What is the best approach?

A.Use a privileged access management solution to control and monitor the shared account
B.Create a policy exception
C.Disable the application
D.Ignore the policy because it's a legacy system
AnswerA

PAM enforces accountability and auditability, aligning with policy intent.

Why this answer

A privileged access management (PAM) solution can monitor and control the shared account, providing accountability while allowing the legacy application to function.

200
MCQeasy

An organization's security policy requires that all security incidents be reported within one hour of discovery. A junior analyst notices an unauthorized login attempt but is unsure if it qualifies as an incident. What should the analyst do first?

A.Delete the logs to avoid false alarms
B.Wait until the incident is confirmed
C.Investigate on their own without reporting
D.Report the suspicious activity immediately
AnswerD

Proactive reporting ensures policy compliance and allows further investigation.

Why this answer

Reporting suspicious activity immediately aligns with the policy, even if not confirmed. Waiting or deleting logs could violate reporting requirements.

201
MCQeasy

Refer to the exhibit. Which security protocol is being configured?

A.IPsec VPN (IKE phase 1)
B.SSL VPN
C.MACsec
D.SSH
AnswerA

The crypto isakmp policy configures IKE phase 1 for IPsec.

Why this answer

The exhibit shows the configuration of an IPsec VPN IKE phase 1 policy using the `crypto isakmp policy` command. The parameters set—encryption algorithm (e.g., aes), hash algorithm (e.g., sha), Diffie-Hellman group (e.g., 2), and authentication method (e.g., pre-share)—are all specific to IKE phase 1, which establishes a secure authenticated channel for further key exchange. This is not used for SSL VPN, MACsec, or SSH, as those protocols have distinct configuration syntax and purposes.

Exam trap

Cisco often tests the distinction between IKE phase 1 and phase 2 configuration commands, so the trap here is that candidates see 'crypto isakmp' and incorrectly associate it with SSL VPN or SSH because they overlook the specific protocol hierarchy.

How to eliminate wrong answers

Option B is wrong because SSL VPN is configured using `webvpn` or `crypto ssl` commands, not `crypto isakmp policy`. Option C is wrong because MACsec is configured under interface mode with `mka` or `macsec` commands, not with a global ISAKMP policy. Option D is wrong because SSH is configured using `ip ssh` or `crypto key generate rsa` commands, and it does not use IKE phase 1 parameters like Diffie-Hellman groups or encryption algorithms in a policy block.

202
MCQmedium

During an incident, the analyst finds that an attacker modified system files. Which security principle was primarily violated?

A.Confidentiality
B.Availability
C.Integrity
D.Non-repudiation
AnswerC

Integrity ensures data and systems are not tampered with; file modification violates this.

Why this answer

Integrity ensures that data and system files are not altered by unauthorized entities. When an attacker modifies system files, the trustworthiness and accuracy of those files are compromised, directly violating the integrity principle. This is distinct from confidentiality (unauthorized disclosure) or availability (denial of service).

Exam trap

Cisco often tests the distinction between integrity and availability by presenting a scenario where an attacker modifies files (integrity) rather than deleting them or causing a denial of service (availability), leading candidates to mistakenly choose availability.

How to eliminate wrong answers

Option A is wrong because confidentiality concerns unauthorized access to or disclosure of information, not unauthorized modification. Option B is wrong because availability ensures that systems and data are accessible when needed; file modification does not inherently prevent access. Option D is wrong because non-repudiation provides proof of origin or delivery of data (e.g., via digital signatures), not protection against unauthorized changes.

203
MCQhard

A security analyst reviews system logs and notices multiple failed login attempts from a single IP address to different user accounts over a short period. The analyst then sees a successful login for one account. Which type of attack is most likely occurring?

A.Brute force
B.Dictionary attack
C.Credential stuffing
D.Password spraying
AnswerD

Password spraying tries a few passwords across many accounts to avoid lockouts.

Why this answer

Password spraying (D) is the correct answer because the attacker tries a small number of common passwords against many user accounts, keeping each account below its lockout threshold. The pattern of failed logins from a single IP spread across different accounts, followed by a single success, matches this technique rather than targeting one account with many passwords.

Exam trap

Cisco often tests the distinction between password spraying and credential stuffing by emphasizing the use of a single IP and multiple accounts versus reused breach data, leading candidates to confuse credential stuffing (which requires known pairs) with this broader password-guessing method.

How to eliminate wrong answers

Option A (Brute force) is wrong because it typically involves many password attempts against a single account, not multiple accounts from one IP. Option B (Dictionary attack) is wrong because it uses a list of likely passwords against one account, not spreading attempts across accounts. Option C (Credential stuffing) is wrong because it uses previously breached username/password pairs from other services, not a single IP trying common passwords across accounts.

204
MCQhard

GreenTech Inc. is a mid-sized company with 500 employees. The company uses Microsoft Exchange Online for email and has implemented a security policy that requires all employees to report suspicious emails to the security team. The security team uses a phishing simulation tool to train employees. In the past month, several employees have reported receiving emails that appear to be from the CEO requesting urgent wire transfers. The security team has blocked the sender domains and updated the email filters. However, one employee fell for the latest scam and transferred $50,000 to an account before reporting it. The security incident response plan states that any monetary loss must be reported to the board within 24 hours. The security analyst receives the report on Monday morning. What should the analyst do first based on the policy and best practices?

A.Disable email access for all employees to prevent further attacks
B.Launch a full forensic investigation to identify the source
C.Notify the board within the 24-hour window as per policy
D.Immediately contact the bank to attempt to reverse the wire transfer
AnswerD

Swift action can help recover the funds before they are withdrawn.

Why this answer

Option D is correct because time is critical: a wire transfer can sometimes be recalled or frozen if the receiving bank is contacted before the funds are moved on, so that call comes first. Option B is wrong because a full forensic investigation takes longer than the recall window. Option C is wrong because the board notification is due within 24 hours and follows the recall attempt rather than preceding it.

Option A is wrong because disabling email for all employees is overly disruptive and does nothing to recover the funds.

205
MCQhard

During a security incident, a network engineer captures traffic with tcpdump and saves it to a pcap file. The analyst needs to extract all HTTP POST requests containing a specific string in the URI. Which command should be used?

A.tcpdump -r traffic.pcap -X | grep 'string'
B.tcpdump -r traffic.pcap 'tcp port 80' -A | grep 'POST' | grep 'string'
C.ngrep -q -W byline 'POST.*string' port 80
D.tcpdump -r traffic.pcap -nn 'host 10.0.0.1'
AnswerB

Reads pcap, filters HTTP, prints ASCII, then greps for POST and string.

Why this answer

Option B is correct because it uses tcpdump with the `-r` flag to read the pcap file, filters for TCP port 80 (HTTP), uses `-A` to print packet payloads in ASCII, and then pipes the output through two grep commands: first to keep lines containing 'POST' (the request line of an HTTP POST), then to keep those that also contain the specific string, which for a request line means the string is in the URI. Two practical caveats: grep sees every ASCII line tcpdump prints, so the same string in a POST body or header line also matches; and `-A` is placed after the filter expression here, which works on Linux because GNU option parsing reorders arguments, but on BSD-derived systems the options must precede the filter.

Exam trap

Cisco often tests the distinction between reading a pcap file with `-r` versus capturing live traffic, and the trap here is that candidates may forget to include the `-A` flag for ASCII output or the `tcp port 80` filter, leading to incomplete or irrelevant results.

How to eliminate wrong answers

Option A is wrong because `-X` prints hex and ASCII, so the grep for 'string' matches any occurrence in the raw packet data, not specifically within HTTP POST URIs, and the command has no filter for port 80 or the POST method. Option C is wrong because, as written, ngrep reads live traffic from an interface rather than the saved file (reading a capture would need `-I traffic.pcap`), ngrep is not part of the exam's assumed toolset, and the question asks for the tcpdump-based command. Option D is wrong because it filters only for traffic to/from host 10.0.0.1 with `-nn` (no name resolution), but it does not isolate HTTP POST requests or search for a specific string in the URI.

206
MCQhard

An analyst sees these logs. What should be the immediate course of action?

A.Investigate whether these are legitimate SSH attempts from authorized remote administrators.
B.Change the SSH port to a non-standard port.
C.Block all traffic from the 10.0.0.0/24 subnet.
D.Add an ACL permit rule for SSH from these sources.
E.Disable SSH access to the router.
AnswerA

Verify before acting.

Why this answer

Option A is correct because the attempts could be from authorized administrators, so verification comes before any change. Option B is premature and only moves the port. Option C is too aggressive. Option D widens access rather than addressing the question.

Option E is extreme.

207
Multi-Selecteasy

A security analyst is investigating a host that is suspected of being compromised. The analyst runs a series of commands to gather information. Which TWO of the following commands are most useful for collecting volatile data from a live Windows system? (Choose two.)

Select 2 answers
A.netstat -anob
B.tasklist /svc
C.dir /s C:\Windows\System32\config
D.wevtutil qe System /c:10
E.reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AnswersA, B

Shows active network connections with associated process IDs and executables.

Why this answer

The `netstat -anob` command displays active network connections, listening ports, and the associated process IDs (PIDs) along with the executable name. This is critical for identifying unauthorized outbound connections or backdoor listeners that indicate compromise. `tasklist /svc` lists the running processes with their PIDs and the services hosted in each, which is how a rogue service living inside a svchost.exe instance is spotted. Both network state and the process list reside in volatile memory (RAM) and are lost on reboot, making these commands essential for live forensic collection; the other options read persistent disk artifacts (registry hives, event logs, Run keys) that survive a reboot and can be collected later.

Exam trap

Cisco often tests the distinction between volatile (memory-resident) and non-volatile (disk-based) data, and the trap here is that candidates mistakenly treat registry queries or event log exports as volatile because they are commonly used in live response, when in fact they read persistent disk artifacts.

208
MCQhard

An organization has implemented a security information and event management (SIEM) system. The SOC analyst receives an alert indicating a high number of failed login attempts from a single IP address targeting a critical server. The analyst checks the server logs and finds that the server is configured to lock the account after 5 failed attempts. However, the alert shows thousands of attempts. Which of the following explains this discrepancy?

A.The failed attempts are against different usernames, not the same account
B.The attacker is using a brute-force tool that bypasses account lockout
C.The server's logging is not capturing all authentication events
D.The SIEM alert is a false positive due to a misconfiguration
AnswerA

This is a common technique to avoid lockout; each account may have only a few attempts, but total attempts across many accounts are high.

Why this answer

The account lockout policy (5 failed attempts) applies per individual username, not per source IP address. If the attacker is attempting to authenticate with many different usernames from the same IP, each username can fail up to 5 times before being locked, allowing thousands of total failed attempts across different accounts. The SIEM aggregates all failed authentication events from that IP, while the server's lockout mechanism only triggers per user, explaining the discrepancy.

Exam trap

Cisco often tests the distinction between account lockout (per user) and failed login events (per source IP), trapping candidates who assume lockout limits total attempts from an IP rather than per-username attempts.

How to eliminate wrong answers

Option B is wrong because brute-force tools cannot bypass account lockout policies enforced by the authentication system (e.g., Windows Active Directory or Linux PAM); lockout is a server-side mechanism that applies regardless of the tool used. Option C is wrong because if the server were missing log entries, the SIEM would show fewer events than the server, not more; the alert shows thousands of attempts, indicating logging is capturing them. Option D is wrong because the alert is not a false positive—it accurately reflects the high volume of failed attempts from that IP; the misconfiguration would be in the analyst's interpretation, not in the SIEM rule.
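The password-spraying question above and this lockout question describe the same pattern from two angles: one source IP, many usernames, few attempts per username. The following is an added example, not part of the exam page, that classifies that pattern from authentication logs. The log lines are constructed in OpenSSH style for the demonstration, and the parsing regex and the `SPRAY_MIN_ACCOUNTS` cut-off are assumptions; only the per-account lockout threshold of 5 comes from the question.

```python
"""Added example, not from the exam page: distinguish a password spray (many
accounts, each under the lockout threshold) from a brute force (one account over
the threshold) and show why a SIEM counting per source IP sees thousands of
failures while a per-username lockout never fires.

Sample log lines are CONSTRUCTED in OpenSSH sshd style. LINE_RE and
SPRAY_MIN_ACCOUNTS are assumptions for the demo.
"""
import re
from collections import defaultdict

LOCKOUT_THRESHOLD = 5      # per-account failures before lockout (given in the question)
SPRAY_MIN_ACCOUNTS = 10    # ASSUMPTION: distinct accounts from one IP that look like a spray

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def build_sample_log():
    """Constructed sample: a spray (4 passwords across 12 accounts, then one hit)
    and a brute force (one account hammered 40 times from another IP)."""
    lines = []
    spray_ip, bf_ip = "198.51.100.7", "203.0.113.9"
    users = [f"user{i:02d}" for i in range(12)]
    for pw_round in range(4):                      # 4 < LOCKOUT_THRESHOLD, no account locks
        for u in users:
            lines.append(f"sshd[1001]: Failed password for {u} from {spray_ip} port 5{pw_round}000 ssh2")
    lines.append(f"sshd[1001]: Accepted password for user07 from {spray_ip} port 54000 ssh2")
    for i in range(40):
        lines.append(f"sshd[1002]: Failed password for admin from {bf_ip} port 6{i:04d} ssh2")
    return lines


def summarize(lines):
    """Per source IP: failed attempts per username and the accounts that succeeded."""
    per_ip = defaultdict(lambda: {"fail_by_user": defaultdict(int), "success": []})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = per_ip[m["ip"]]
        if m["result"] == "Failed":
            entry["fail_by_user"][m["user"]] += 1
        else:
            entry["success"].append(m["user"])
    return per_ip


def classify(lines):
    """Return {ip: verdict dict}. The SIEM-style number is total_failures (per IP);
    the lockout-style number is max_failures_per_user (per account)."""
    verdicts = {}
    for ip, e in summarize(lines).items():
        fails = e["fail_by_user"]
        distinct = len(fails)
        max_per_user = max(fails.values(), default=0)
        if distinct >= SPRAY_MIN_ACCOUNTS and max_per_user < LOCKOUT_THRESHOLD:
            verdict = "spray"
        elif max_per_user >= LOCKOUT_THRESHOLD:
            verdict = "brute_force"
        else:
            verdict = "normal"
        verdicts[ip] = {
            "verdict": verdict,
            "total_failures": sum(fails.values()),
            "distinct_users": distinct,
            "max_failures_per_user": max_per_user,
            "successes": e["success"],
        }
    return verdicts


if __name__ == "__main__":
    for ip, v in classify(build_sample_log()).items():
        print(ip, v)
```

For the spraying IP the total is 48 failures but no account exceeds 4, so a per-username lockout at 5 never triggers, which is exactly the discrepancy in the question; the one success after the spray is the signal the analyst in the earlier question saw.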

209
MCQmedium

A security administrator is implementing a privileged access management (PAM) solution. Which practice best enforces the principle of least privilege for administrators?

A.Create shared admin accounts for the team
B.Use Just-in-Time administration to grant temporary privileges
C.Grant permanent admin rights to all senior administrators
D.Monitor admin activity without restricting access
AnswerB

JIT grants access only for the duration of a task.

Why this answer

Option B is correct because Just-in-Time administration grants privileges only for the task and the time window that need them, removing standing admin rights. Option A is wrong because shared accounts destroy accountability. Option C is wrong because permanent admin rights are the standing privilege least privilege is meant to eliminate.

Option D is wrong because monitoring without limiting access still allows abuse.

210
Multi-Selectmedium

Which THREE are examples of social engineering attacks? (Select three.)

Select 3 answers
A.Man-in-the-middle
B.Smishing
C.SQL injection
D.Phishing
E.Spear phishing
AnswersB, D, E

Smishing uses SMS messages for deception.

Why this answer

Smishing is a form of social engineering attack that uses SMS (Short Message Service) text messages to trick recipients into revealing sensitive information or clicking malicious links. Unlike technical attacks that exploit system vulnerabilities, smishing relies on psychological manipulation, making it a classic social engineering vector.

Exam trap

Cisco often tests the distinction between technical attacks (like MITM or SQL injection) and social engineering attacks (like smishing, phishing, and spear phishing), where the trap is that candidates confuse a technical attack vector with a human-targeted manipulation technique.

211
MCQmedium

A security analyst at a medium-sized enterprise notices that an employee's workstation has been sending outbound traffic to a known malicious IP address at irregular intervals. The analyst runs a scan and finds no malware signatures. What should the analyst do next?

A.Block the malicious IP at the firewall and continue monitoring.
B.Escalate to the incident response team for further investigation.
C.Review the employee's recent web browsing history and email attachments.
D.Immediately disconnect the workstation from the network and reimage it.
AnswerB

Escalation ensures proper handling of a potential advanced threat that may require specialized skills.

Why this answer

Option B is correct because beaconing to a known malicious IP with no signature hits suggests a threat that evades signature detection and needs the incident response team's skills and tooling. Disconnecting and reimaging (D) destroys evidence before anything is learned. Blocking the IP alone (A) does not address the root cause on the host.

Reviewing browsing history and attachments (C) is part of the investigation, but escalation is the best next step.

212
MCQmedium

An analyst reviews IDS alerts and sees multiple alerts for the same signature from different internal IPs targeting the same external server. One common cause is...

A.A false positive
B.A DDoS attack
C.A worm spreading internally
D.A misconfigured server
AnswerC

Worm infections cause multiple hosts to exhibit similar malicious behavior.

Why this answer

A worm spreading internally (option C) is the most likely cause because worms self-replicate and propagate across a network, generating identical IDS alerts from multiple internal IPs as each infected host attempts to connect to the same external server (e.g., for command-and-control or payload delivery). This pattern—same signature, multiple internal sources, single external target—is a classic indicator of worm activity, where the worm's propagation logic causes each compromised host to initiate similar outbound connections.

Exam trap

Cisco often tests the distinction between a DDoS attack and a worm by focusing on the source distribution—candidates mistakenly choose DDoS because they see multiple sources, but forget that DDoS sources are typically external, not internal, and the signature consistency points to a worm's automated propagation.

How to eliminate wrong answers

Option A is wrong because a false positive would typically produce alerts from a single or few IPs due to benign traffic matching a signature, not a coordinated pattern of multiple distinct internal IPs triggering the same alert. Option B is wrong because a DDoS attack would involve multiple sources targeting a single victim, but the sources are usually external (or a mix), and the alerts would likely show varied signatures or traffic types, not the same signature repeated from internal IPs. Option D is wrong because a misconfigured server would cause alerts from that server's IP only, not from multiple different internal IPs, and the signature would typically reflect the misconfiguration (e.g., protocol violations) rather than a consistent outbound connection pattern.

213
MCQeasy

A company's acceptable use policy (AUP) prohibits personal devices on the corporate network. An employee is found connecting a personal tablet to access internal resources. What should the security team do?

A.Allow the device and update the policy
B.Block the device and investigate
C.Remind the employee of the AUP and request removal
D.Disable the network port
AnswerC

Policy enforcement starts with reminding the user of the existing rules.

Why this answer

Option C is correct because the AUP clearly prohibits personal devices, so the employee should be reminded of the policy and asked to remove the device. Option A is wrong because allowing it without an approved exception violates the policy. Option B is wrong because blocking the device without communication is not in line with user education.

Option D is wrong because disabling the port is excessive without first enforcing the policy with the user.

214
MCQeasy

A security analyst is reviewing a Snort alert that triggered on the signature 'ET TROJAN Win.Trojan.Generic'. What is the most likely reason this alert fired?

A.A system infected with a trojan
B.A legitimate Windows update
C.A misconfigured firewall
D.An attacker attempting to exploit a buffer overflow
AnswerA

The signature specifically detects trojan activity.

Why this answer

The Snort signature 'ET TROJAN Win.Trojan.Generic' is designed to detect network traffic patterns or payloads associated with known Trojan malware. When this alert fires, it indicates that the sensor observed data matching the signature's characteristics, most likely from a system that is infected with a Trojan and is communicating with a command-and-control server or performing malicious activity.

Exam trap

Cisco often tests the distinction between signature categories (e.g., Trojan vs. exploit vs. policy violation) to see if candidates understand that each signature type is tailored to a specific threat behavior, not just any anomaly.

How to eliminate wrong answers

Option B is wrong because a legitimate Windows update uses Microsoft's own signed binaries and update servers, and its traffic does not match the specific patterns of a Trojan signature; Snort would not trigger on benign update traffic unless a false positive occurs due to a poorly tuned signature. Option C is wrong because a misconfigured firewall might cause connectivity issues or block legitimate traffic, but it does not generate Trojan-specific network payloads that would match this signature. Option D is wrong because a buffer overflow exploit typically targets a vulnerability in a service or application and would be detected by a different class of signatures (e.g., 'ET EXPLOIT' or 'SHELLCODE'), not a generic Trojan signature.

215
MCQeasy

A healthcare organization has a security policy that mandates immediate reporting of any potential data breach to the privacy officer. An analyst notices that an employee accidentally emailed a patient list to the wrong recipient. The recipient is known to be a trusted partner, but the email contained PHI. The analyst contacts the recipient who acknowledges receipt and agrees to delete the email. What should the analyst do next?

A.Update the access control list to prevent similar mistakes.
B.Do nothing further since the data was deleted.
C.Send a warning email to the employee without reporting.
D.Report the incident as a data breach to the privacy officer as per policy.
AnswerD

This ensures compliance and proper documentation.

Why this answer

Option D is correct because the policy requires immediate reporting of any potential breach, and PHI sent to the wrong recipient qualifies regardless of the recipient's assurance that it was deleted. Option B ignores the policy; Option C circumvents the reporting requirement; Option A is a useful preventive follow-up but not the immediate required action.

216
Matchingmedium

Match each Cisco CyberOps concept to its description.

Concepts

Security Operations Center

Confidentiality, Integrity, Availability

Indicator of Compromise

Tactics, Techniques, and Procedures

Adversary, Capability, Infrastructure, Victim

Why these pairings

These are fundamental concepts in cybersecurity analysis.

217
MCQhard

During a host-based analysis of a Windows system, an analyst finds that the Windows Event ID 4688 (process creation) logs show a child process spawning from a legitimate application, but the parent process path is empty. What does this likely indicate?

A.The parent process was terminated immediately after spawning
B.The process was spawned via a WMI call without a parent path
C.The event log is corrupted
D.The process is a kernel thread
AnswerB

WMI spawns often result in empty parent path fields.

Why this answer

When a process is spawned via Windows Management Instrumentation (WMI), the parent process path is often empty in Event ID 4688 logs because WMI creates the child process in a way that does not preserve the standard parent-child relationship. This occurs because WMI uses the `Win32_Process.Create` method, which runs under the WMI provider host process (WmiPrvSE.exe) but does not populate the parent process path field in the security log. The empty parent path is a strong indicator of WMI-based process creation, which is commonly used for lateral movement or persistence by attackers.

Exam trap

Cisco often tests the misconception that an empty parent path indicates log corruption or a terminated parent, but the correct interpretation is that WMI-based process creation deliberately omits the parent path in Event ID 4688.

How to eliminate wrong answers

Option A is wrong because if the parent process were terminated immediately after spawning, the parent process ID (PPID) would still be recorded in the event log, and the parent process path would not be empty—it would show the path of the terminated process. Option C is wrong because event log corruption would typically manifest as missing events, garbled data, or error codes, not as a consistently empty parent process path for a specific event type. Option D is wrong because kernel threads are not user-mode processes and do not generate Event ID 4688 logs; they are managed by the kernel and appear in different log sources or not at all.

218
MCQeasy

A SOC analyst is investigating a suspicious file on a Windows host. The file hash matches a known malware variant in a threat intelligence feed. What is the next best step for host-based analysis?

A.Run a full antivirus scan on the host
B.Disable the network adapter to prevent further communication
C.Check for persistence mechanisms such as registry Run keys or scheduled tasks
D.Reboot the host to clear the malware from memory
AnswerC

Malware often adds persistence. Examining startup locations helps determine scope and removal.

Why this answer

Option C is correct because after confirming a file hash matches a known malware variant, the immediate priority for host-based analysis is to determine how the malware maintains persistence on the system. Persistence mechanisms such as Registry Run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) or scheduled tasks (via schtasks.exe) allow malware to survive reboots and re-establish execution. Identifying these artifacts is critical for containment and eradication, as it reveals the malware's foothold and prevents re-infection after removal.

Exam trap

Cisco often tests the distinction between host-based analysis (focusing on local artifacts like persistence, processes, and registry) and network-based containment (like disabling adapters), so candidates mistakenly choose network isolation steps when the question explicitly asks for host-based analysis.

How to eliminate wrong answers

Option A is wrong because running a full antivirus scan is reactive and may not detect the specific malware variant if signatures are outdated or if the malware employs evasion techniques like packing or polymorphism; the hash match already confirms maliciousness, so scanning adds no new forensic value. Option B is wrong because disabling the network adapter is a network-based containment step, not a host-based analysis step; while it may prevent C2 communication, the question specifically asks for the next best step in host-based analysis, which should focus on understanding the malware's local impact and persistence. Option D is wrong because rebooting the host may clear malware from memory (e.g., fileless malware), but it destroys volatile evidence such as running processes, network connections, and memory-resident artifacts, and it does not address persistence mechanisms that would cause the malware to reload on startup.

219
MCQeasy

Which principle ensures that a user cannot deny having performed an action?

A.Authentication
B.Accountability
C.Authorization
D.Non-repudiation
AnswerD

Non-repudiation provides evidence that an action occurred, preventing denial.

Why this answer

Non-repudiation ensures that a user cannot deny having performed an action, typically by using digital signatures or cryptographic mechanisms. In network security, this is often achieved through protocols like HMAC or digital certificates that bind an action to a specific identity, providing irrefutable proof. Without non-repudiation, a user could claim they never sent a message or executed a command, undermining audit trails and legal accountability.

Exam trap

Cisco often tests the distinction between accountability and non-repudiation, where candidates confuse logging/tracking (accountability) with cryptographic proof (non-repudiation), leading them to select 'Accountability' instead of 'Non-repudiation'.

How to eliminate wrong answers

Option A is wrong because authentication verifies the identity of a user or device (e.g., via passwords, certificates, or biometrics) but does not prevent the user from later denying they performed an action. Option B is wrong because accountability refers to the ability to trace actions back to a specific entity through logging and auditing, but it does not inherently provide cryptographic proof to prevent denial. Option C is wrong because authorization controls what resources or actions a user is permitted to access (e.g., via ACLs or RBAC), but it does not address the issue of denying past actions.

220
MCQeasy

Based on the exhibit, which type of traffic is being denied?

A.Traffic permitted by the access group.
B.TCP traffic to a DNS server.
C.UDP traffic from an internal host to an external DNS server.
D.ICMP traffic from an external host.
AnswerC

The log matches UDP from inside to outside port 53.

Why this answer

The exhibit shows an access control list (ACL) entry that denies UDP traffic from any source to any destination with a destination port of 53, which is the standard port for DNS. Since the ACL is applied inbound on an interface facing the internal network, it specifically blocks UDP traffic originating from an internal host destined for an external DNS server. This matches option C exactly.

Exam trap

Cisco often tests the distinction between UDP and TCP for DNS traffic, leading candidates to assume that all DNS traffic uses UDP, when in fact DNS can use TCP for larger responses or zone transfers, and the ACL only blocks UDP.

How to eliminate wrong answers

Option A is wrong because the ACL is explicitly denying traffic, not permitting it; the access group is used to apply the ACL, but the ACL itself contains a deny statement. Option B is wrong because the ACL denies UDP traffic to port 53, but TCP traffic to a DNS server (port 53) is not affected by this rule; the rule only targets UDP. Option D is wrong because the ACL denies UDP traffic from any source, but ICMP is a different IP protocol (protocol number 1) and is not affected by a UDP-specific deny statement.

221
MCQeasy

An analyst needs to review the Windows event logs from a host to determine if a user's account was used to log in at an unusual time. Which log type should the analyst check?

A.Application
B.System
C.Setup
D.Security
AnswerD

Security log records logon/logoff events.

Why this answer

The Security log in Windows Event Viewer records audit events, including successful and failed logon attempts (Event ID 4624 for successful logons). This log type is the correct source for determining if a user's account was used to log in at an unusual time, as it captures the timestamp and details of each authentication event.

Exam trap

Cisco often tests the distinction between the Security log (which records authentication events) and the System log (which records system-level events), leading candidates to mistakenly choose the System log for logon analysis.

How to eliminate wrong answers

Option A is wrong because the Application log records events from applications and programs, not authentication or logon activities. Option B is wrong because the System log records events from Windows system components (e.g., driver failures, service starts), not user logon events. Option C is wrong because the Setup log records events related to Windows installation and updates, not user authentication or logon activity.

222
Multi-Selecthard

A security policy mandates that all network devices must be hardened. Which THREE of the following are common hardening best practices for routers and switches? (Select three.)

Select 3 answers
A.Implement access control lists (ACLs)
B.Disable unused services
C.Enable Telnet for remote management
D.Use default credentials for initial setup
E.Enable SNMPv3 with strong authentication
AnswersA, B, E

ACLs restrict traffic to only necessary communications.

Why this answer

Options A, B, and E are correct hardening practices. Option C is wrong because Telnet is insecure. Option D is wrong because default credentials are weak.

223
MCQhard

A company's security team is investigating an alert from their EDR platform indicating that a workstation in the finance department has been making repeated connections to an external IP address associated with a known command-and-control (C2) server. The analyst has isolated the host from the network and is performing host-based analysis. The host is running Windows 10 with Sysmon deployed and Windows Event Logging enabled. The analyst reviews Sysmon events and finds:

- Event ID 1 (Process Creation): 'powershell.exe -NoP -NonI -W Hidden -Enc JABzAD0ATgBlAHcALQBPAEI ...' (long encoded string)
- Event ID 3 (Network Connect): powershell.exe connecting to the C2 IP on port 443 (HTTPS), and also to an internal IP on port 445 (SMB).
- Event ID 11 (FileCreate): a file created at C:\Users\financeuser\AppData\Roaming\Microsoft\svchost.exe (size 512KB) with no signature.
- Event ID 7 (Image Load): svchost.exe (from AppData) loaded 'crypt32.dll'.
- Event ID 8 (CreateRemoteThread): not observed.

The analyst also checks the Windows Security log and finds Event ID 4624 (Success Logon) for the user 'financeuser' from a remote workstation at 2:00 AM, which is outside normal hours. The workstation is part of the Active Directory domain. The analyst needs to determine the most effective next step to contain the threat and prevent recurrence.

A.Isolate the host further by blocking all inbound and outbound traffic via the host firewall, then perform memory acquisition and deep forensic analysis before remediation.
B.Remove the malicious svchost.exe file and kill the powershell process, then run a full antivirus scan.
C.Power off the workstation and reimage it immediately, then reset the user's password.
D.Change the user's password, revoke all Kerberos tickets, and check for lateral movement using the SMB connection observed.
AnswerD

The SMB connection suggests lateral movement; resetting credentials and revoking tickets prevents further abuse of the account.

Why this answer

Option D is correct because the SMB connection (port 445) to an internal IP strongly indicates lateral movement via techniques like PsExec or scheduled tasks. Changing the user's password and revoking Kerberos tickets (e.g., using `klist -li 0x3e7 purge`) immediately cuts off the attacker's authenticated access, while checking for lateral movement addresses the broader compromise. This aligns with the NIST incident response containment phase, prioritizing credential and token revocation over file deletion or reimaging alone.

Exam trap

Cisco often tests the distinction between host-level containment (e.g., deleting files) and domain-level containment (e.g., credential revocation), where candidates mistakenly choose a simple file removal or reimage without addressing the broader authentication compromise indicated by the SMB connection and off-hours logon.

How to eliminate wrong answers

Option A is wrong because the host is already isolated from the network; further firewall blocking is redundant, and memory acquisition is a forensic step, not containment. Option B is wrong because simply removing the file and killing the process does not address the compromised credentials or potential lateral movement via SMB; the attacker could re-authenticate or have already moved to other hosts. Option C is wrong because powering off and reimaging destroys volatile evidence and does not revoke the attacker's access via Kerberos tickets or changed passwords, allowing them to persist in the domain.
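As an added triage example (not code from the question bank or from Cisco), the following Python scores constructed Sysmon-style and Security-log events against the indicators this question lists: hidden encoded PowerShell, PowerShell reaching an external host and an internal host over SMB, an unsigned binary carrying a system-binary name in a user-writable directory, and an off-hours logon. The event dictionary shapes, the IPs, paths, business hours and the RFC 1918 internal ranges are all assumptions.

```python
import base64, ipaddress, re
from datetime import datetime

SAMPLE_EVENTS = [  # constructed sample modelled on the question's events; no real IoCs
    {"id": 1, "image": "powershell.exe", "cmdline": "powershell.exe -NoP -NonI -W Hidden -Enc "
     + base64.b64encode("Get-Date".encode("utf-16le")).decode("ascii")},
    {"id": 3, "image": "powershell.exe", "dst_ip": "198.51.100.23", "dst_port": 443},
    {"id": 3, "image": "powershell.exe", "dst_ip": "10.20.30.40", "dst_port": 445},
    {"id": 11, "target": r"C:\Users\financeuser\AppData\Roaming\Microsoft\svchost.exe", "signed": False},
    {"id": 4624, "user": "financeuser", "time": "2024-01-15T02:00:00"},
]
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}   # names malware borrows
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")                # not where they belong

def is_internal(ip):
    """True if ip is in the assumed RFC 1918 ranges (is_private would also match doc ranges)."""
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def decode_encoded_command(cmdline):
    """Plaintext of a PowerShell '-Enc <base64>' argument (UTF-16LE), or None."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(events, business_hours=(7, 19)):
    """Return the set of indicator names matched by the events."""
    hits = set()
    for ev in events:
        if ev["id"] == 1:   # Sysmon process creation
            if re.search(r"-w(?:indowstyle)?\s+hidden", ev["cmdline"], re.I) and decode_encoded_command(ev["cmdline"]):
                hits.add("hidden_encoded_powershell")
        elif ev["id"] == 3 and ev["image"].lower().endswith("powershell.exe"):   # Sysmon network connect
            if is_internal(ev["dst_ip"]) and ev["dst_port"] == 445:
                hits.add("powershell_smb_to_internal_host")   # lateral movement sign
            elif not is_internal(ev["dst_ip"]):
                hits.add("powershell_external_connection")    # possible C2 beacon
        elif ev["id"] == 11:   # Sysmon file create
            path = ev["target"].lower()
            if path.rsplit("\\", 1)[-1] in SYSTEM_NAMES and any(d in path for d in USER_WRITABLE) and not ev.get("signed"):
                hits.add("unsigned_system_name_in_user_dir")   # masquerading binary
        elif ev["id"] == 4624:   # Windows Security successful logon
            hour = datetime.fromisoformat(ev["time"]).hour
            if not business_hours[0] <= hour < business_hours[1]:
                hits.add("off_hours_logon")
    return hits
```

Running `triage(SAMPLE_EVENTS)` returns all five indicators; the SMB hit combined with the off-hours logon is what makes credential revocation (option D) the priority rather than file deletion alone.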

224
MCQmedium

A security analyst notices repeated failed login attempts from an external IP. The company has a policy for account lockout after 5 failed attempts. However, the lockout is not triggering. What is the most likely cause?

A.The failed attempts are occurring on a legacy application that does not integrate with Active Directory.
B.The lockout threshold is set to 10 attempts.
C.The lockout policy is applied to user accounts but not to administrative accounts.
D.The intrusion prevention system is blocking the lockout mechanism.
E.The firewall is allowing the traffic but not logging.
AnswerA

Legacy apps often bypass domain policy.

Why this answer

Option A is correct because legacy applications may not integrate with Active Directory domain lockout policies, so failed attempts against them never count toward the domain threshold. Option B is plausible but not specific to the external IP scenario. Option C is unlikely. Option D is possible but not supported by the scenario. Option E is irrelevant.

225
MCQmedium

Refer to the exhibit. An analyst sees these syslog messages from the Cisco ASA. What is the most likely cause?

A.An external host attempting to connect to an internal server.
B.A denial-of-service attack from the external IP.
C.An internal host (10.0.0.10) is attempting to access the Internet on port 80 and is being blocked.
D.An internal host is performing a port scan of the external server.
AnswerC

The deny messages indicate outbound traffic is blocked.

Why this answer

The syslog messages show the Cisco ASA denying traffic from internal IP 10.0.0.10 to external destination 203.0.113.5 on TCP port 80. The ASA's access control list (ACL) is configured to block outbound HTTP traffic from this host, which is the most likely cause of the denial. The messages indicate a standard deny action, not a signature-based attack detection.

Exam trap

Cisco often tests the ability to read syslog message fields (source vs. destination) to determine traffic direction, and the trap here is that candidates may misinterpret the deny as an attack from the external IP (option A) or as a scan (option D) without carefully parsing the source and destination addresses.

How to eliminate wrong answers

Option A is wrong because the syslog shows the source IP is internal (10.0.0.10) and the destination is external (203.0.113.5), meaning the connection attempt originates from inside the network, not from an external host. Option B is wrong because a denial-of-service attack would typically generate multiple rapid connection attempts or specific DoS signatures, not a single deny message per connection; the ASA would also log a different severity or event type for DoS. Option D is wrong because a port scan would involve multiple destination ports or sequential connection attempts, but the log only shows a single denied connection to port 80, not a pattern of scanning behavior.
