Cisco CyberOps Associate 200-201 (200-201) — Questions 526–600

985 questions total · 14 pages · All types, answers revealed

Page 8 of 14
526 · Multi-Select · hard

A security analyst discovers that an attacker exfiltrated data using DNS tunneling. Which TWO controls should be implemented to detect or prevent this? (Select two.)

Select 2 answers
A. Monitor DNS query sizes and frequencies
B. Use a DNS sinkhole
C. Disable recursive DNS on the internal DNS server
D. Implement DNSSEC
E. Block all DNS queries to external servers
Answers: A, B

Unusually large or frequent queries may indicate tunneling.

Why this answer

Option A is correct because DNS tunneling often involves unusually large query sizes (e.g., encoded data in subdomains) and abnormal query frequencies (e.g., thousands of requests per minute). Monitoring these metrics allows analysts to spot deviations from baseline behavior, which is a key detection technique for exfiltration via DNS. Option B is correct because a DNS sinkhole redirects malicious or suspicious DNS queries to a controlled IP address, effectively blocking the resolution of domains used for tunneling and preventing data from reaching the attacker's command-and-control server.

Exam trap

Cisco often tests the misconception that DNSSEC or disabling recursion can stop DNS tunneling, but DNSSEC only signs records and does not inspect payloads, while disabling recursion breaks internal resolution without affecting external tunneling via forwarders.
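As an added example that is not part of the question bank, the following Python script applies the two checks behind option A (query size and query frequency per client) to constructed DNS query log lines. The log format, the client addresses, and the two thresholds are assumptions chosen for the demonstration; a real deployment would derive thresholds from its own baseline.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for this example; tune against your own baseline traffic.
RATE_PER_MIN_THRESHOLD = 20.0    # queries per minute from a single client
SUBDOMAIN_LEN_THRESHOLD = 40     # mean length of the labels left of the registered domain

# Assumed log format: "<ISO timestamp> client=<ip> qname=<name> qtype=<type>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$"
)


def _subdomain_length(qname: str) -> int:
    """Length of everything left of the last two labels; this approximates the
    attacker-controlled part of a name such as <encoded-data>.t.example.net."""
    labels = qname.rstrip(".").split(".")
    return len(".".join(labels[:-2])) if len(labels) > 2 else 0


def build_sample_log() -> list:
    """Constructed DNS query log (not real traffic): one ordinary client and one
    client that sends long hex-encoded labels at a high rate."""
    lines = []
    normal = ["www.example.com", "mail.example.com", "cdn.example.org",
              "api.partner.example", "login.example.com"]
    for i, name in enumerate(normal):               # one query per minute
        lines.append(f"2024-05-01T10:0{i}:00 client=10.0.0.7 qname={name} qtype=A")
    base = datetime(2024, 5, 1, 10, 5, 0)
    for i in range(40):                             # one query every 2 seconds
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:50]
        ts = (base + timedelta(seconds=2 * i)).isoformat(timespec="seconds")
        lines.append(f"{ts} client=10.0.0.42 qname={label}.t.example.net qtype=TXT")
    lines.append("malformed line that the parser must skip")
    return lines


def profile_clients(lines):
    """Per-client query count, query rate per minute and mean subdomain length."""
    per_client = defaultdict(list)                  # client -> [(timestamp, qname)]
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                # skip malformed lines, do not crash
        per_client[m["client"]].append((datetime.fromisoformat(m["ts"]), m["qname"]))
    profiles = {}
    for client, events in per_client.items():
        events.sort()
        count = len(events)
        span_min = (events[-1][0] - events[0][0]).total_seconds() / 60.0
        profiles[client] = {
            "count": count,
            # floor the span at one minute so a single burst is not divided by ~0
            "rate_per_min": count / max(span_min, 1.0),
            "mean_subdomain_len": sum(_subdomain_length(q) for _, q in events) / count,
        }
    return profiles


def flag_tunneling(lines):
    """Return {client: [reasons]} for clients whose query size or rate deviates."""
    flagged = {}
    for client, p in profile_clients(lines).items():
        reasons = []
        if p["rate_per_min"] >= RATE_PER_MIN_THRESHOLD:
            reasons.append(f"high query rate ({p['rate_per_min']:.1f}/min)")
        if p["mean_subdomain_len"] >= SUBDOMAIN_LEN_THRESHOLD:
            reasons.append(f"long subdomains (mean {p['mean_subdomain_len']:.0f} chars)")
        if reasons:
            flagged[client] = reasons
    return flagged


if __name__ == "__main__":
    for client, reasons in flag_tunneling(build_sample_log()).items():
        print(client, "->", "; ".join(reasons))
```

Only the client sending long labels at a high rate is flagged; the ordinary client stays well under both thresholds, which is the baseline-versus-deviation comparison the explanation describes.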

527 · MCQ · hard

During incident response, an analyst extracts files from a PCAP using Wireshark's Export Objects feature. One extracted file is a PDF that triggers an IDS alert for 'Exploit:PDF/HeapSpray'. Which technique does this alert describe?

A. Return-oriented programming (ROP)
B. Shellcode injection
C. Heap spray
D. Stack buffer overflow
Answer: C

Heap spray loads shellcode into heap memory to hijack execution.

Why this answer

Heap spray is a memory corruption technique where an attacker fills heap memory with shellcode to increase the chance of code execution, often used in PDF exploits.

528 · MCQ · medium

A security analyst observes periodic outbound HTTPS connections to an unusual domain that resolves to different IP addresses each time. This behavior is most indicative of:

A. Exfiltration via FTP
B. DNS tunneling
C. Port scanning
D. Beaconing using DGA
Answer: D

Periodic HTTPS connections to DGA domains indicate C2 beaconing.

Why this answer

Domain Generation Algorithms (DGA) are used to generate many domain names to evade blocklists, and C2 servers may use HTTPS with varying IPs.

529 · MCQ · medium

You are the cybersecurity analyst for a small business that has a security policy requiring all network traffic to pass through a proxy server for content filtering. Recently, employees have been complaining that some websites are not loading correctly. You check the proxy logs and see that the proxy is blocking traffic that appears to be from non-standard ports. However, upon investigation, you find that the blocked sites are legitimate business tools that use custom ports. Which action aligns with the security policy?

A. Instruct employees to access the tools via HTTP instead.
B. Configure the proxy to allow all traffic on custom ports for those specific tools.
C. Disable content filtering for the affected employees.
D. Create a security exception based on business need and document it.
Answer: D

This balances security and usability while maintaining audit trail.

Why this answer

Option D is correct because creating a documented exception addresses the legitimate need while maintaining policy control. Option B bypasses policy by allowing all traffic on custom ports; Option C disables content filtering entirely; Option A may not be feasible.

530 · MCQ · easy

During a security investigation, an analyst examines a PCAP file in Wireshark. The analyst wants to see only traffic between two specific IP addresses (192.168.1.10 and 10.0.0.5). Which display filter should be applied?

A. tcp.port==80
B. ip.src==192.168.1.10 and ip.dst==10.0.0.5
C. ip.addr==192.168.1.10 && ip.addr==10.0.0.5
D. ip.addr eq 192.168.1.10 or ip.addr eq 10.0.0.5
Answer: C

This filter includes packets where either IP is source or destination, covering both directions.

Why this answer

The correct display filter uses 'ip.addr' to match either direction. The syntax 'ip.addr==192.168.1.10 && ip.addr==10.0.0.5' shows packets where both addresses appear, which is correct for traffic between them.

531 · MCQ · hard

A company uses a SIEM that collects logs from firewalls, servers, and endpoints. The SIEM is generating a high volume of low-priority events, causing analysts to miss critical alerts. Which approach would best improve the signal-to-noise ratio?

A. Implement event filtering and correlation rules to reduce false positives.
B. Deploy additional sensors to collect more data.
C. Hire more analysts to review all events.
D. Increase the storage capacity of the SIEM.
Answer: A

Filtering and correlation reduce noise and highlight relevant events.

Why this answer

The SIEM's high volume of low-priority events indicates a poor signal-to-noise ratio, where benign or irrelevant events drown out critical alerts. Implementing event filtering and correlation rules directly reduces false positives by discarding known noise (e.g., repeated benign scans) and grouping related events into meaningful alerts, allowing analysts to focus on genuine threats. This is the standard approach in SIEM tuning to improve detection fidelity without adding resources or data.

Exam trap

Cisco often tests the misconception that 'more data equals better security' (Option B), but the real goal is to reduce noise through intelligent filtering and correlation, not to increase data volume.

How to eliminate wrong answers

Option B is wrong because deploying additional sensors would increase the total volume of events, likely worsening the noise problem rather than improving the signal-to-noise ratio. Option C is wrong because hiring more analysts does not address the root cause of excessive low-priority events; it merely shifts the bottleneck from missing alerts to manual review, which is inefficient and unsustainable. Option D is wrong because increasing storage capacity only allows the SIEM to retain more events, but does nothing to reduce the volume of low-priority alerts or improve alert prioritization.

532 · MCQ · medium

A security analyst is reviewing logs from a network-based IPS that detected traffic from an internal host connecting to a known malicious IP address on port 6667. The traffic is encrypted IRC. Which conclusion is most likely?

A. The traffic is a normal application update
B. The host is running a legitimate IRC client
C. The host is compromised and part of a botnet
D. The IPS is generating a false positive
Answer: C

Encrypted IRC to a malicious IP is a strong botnet indicator.

Why this answer

Port 6667 is the default port for IRC (Internet Relay Chat), and encrypted IRC traffic to a known malicious IP strongly indicates command-and-control (C2) communication. Botnets commonly use IRC over TLS/SSL to evade detection and issue commands to compromised hosts. Therefore, the host is most likely compromised and part of a botnet.

Exam trap

Cisco often tests the misconception that encrypted traffic is always benign or that port 6667 is only used for legitimate chat, leading candidates to overlook the known malicious IP indicator.

How to eliminate wrong answers

Option A is wrong because normal application updates typically use HTTP/HTTPS on ports 80/443 or vendor-specific ports, not port 6667 with encrypted IRC. Option B is wrong because a legitimate IRC client would not connect to a known malicious IP address; legitimate IRC servers are not blacklisted. Option D is wrong because the IPS signature matched encrypted IRC traffic to a known malicious IP, which is a strong indicator of compromise, not a false positive.

533 · MCQ · medium

A Cisco Firepower sensor is generating an alert for a known benign application. The analyst has verified it is a false positive. What is the first step to suppress this alert?

A. Create a network analysis policy exception.
B. Increase the severity threshold.
C. Submit a false positive report to Talos.
D. Disable the intrusion rule globally.
Answer: A

This suppresses the alert for the specific benign traffic without affecting other detections.

Why this answer

A network analysis policy (NAP) exception is the correct first step because it allows you to suppress alerts for specific benign applications without affecting the overall detection posture. In Cisco Firepower, NAP exceptions are applied before intrusion rules are evaluated, so they can filter out known false positives at the preprocessor level, preventing the rule from even triggering. This is more efficient than modifying the intrusion rule itself, as it avoids disabling detection for other traffic.

Exam trap

Cisco often tests the distinction between preprocessor-level suppression (NAP exceptions) and rule-level suppression (disabling rules), where candidates mistakenly choose to disable the rule globally instead of creating a targeted exception.

How to eliminate wrong answers

Option B is wrong because increasing the severity threshold would suppress all alerts below that severity level, not just the specific benign application, potentially missing real threats. Option C is wrong because submitting a false positive report to Talos is a feedback mechanism for improving future rule updates, not an immediate operational step to suppress an alert. Option D is wrong because disabling the intrusion rule globally would stop all alerts from that rule, including for malicious traffic that the rule is designed to detect, which is too broad and risky.

534 · MCQ · medium

An analyst reviews Snort alert logs and sees many alerts for 'SQL Injection Attempt' from a single external IP to a public-facing web server. Which analysis step is most effective?

A. Block the IP at the firewall immediately
B. Check the web server logs for the same IP
C. Run a port scan against the IP
D. Disable the SQL injection signature
Answer: B

Correct. Web server logs show the actual HTTP requests and can confirm if the attacks were attempted.

Why this answer

Checking the web server logs for the same IP is the most effective step because it allows the analyst to correlate the Snort alerts with actual HTTP requests. This confirms whether the SQL injection attempts were successful or merely reconnaissance, and provides context such as the specific URI, parameters, and response codes (e.g., 200 vs 500) needed to assess impact.

Exam trap

The trap here is that candidates often choose to block the IP immediately (Option A) as a 'quick fix' without realizing that incident response requires validation and evidence collection before taking containment actions.

How to eliminate wrong answers

Option A is wrong because immediately blocking the IP at the firewall is a reactive measure that may disrupt legitimate traffic (e.g., shared NAT IPs) and does not provide forensic evidence or confirm the attack's success. Option C is wrong because running a port scan against the IP is an active reconnaissance technique that could be illegal without authorization, and it does not help analyze the existing alerts or validate the SQL injection attempts. Option D is wrong because disabling the SQL injection signature would suppress all future alerts for that attack vector, leaving the web server vulnerable and eliminating visibility into ongoing or future SQL injection attempts.

535 · MCQ · medium

You are a security analyst for a medium-sized enterprise. You notice that the network monitoring system has flagged an unusual amount of traffic between two internal hosts: 192.168.1.10 (a file server) and 192.168.1.20 (a workstation in the sales department). The traffic is occurring on port 445 (SMB) and is happening outside of normal business hours. The volume of data transferred is significantly higher than typical usage. The file server logs show that the sales workstation has been accessing a large number of files in quick succession. The sales employee reports that they have been working late, but they cannot explain the high volume of file access. You have access to the file server logs, network flow data, and the workstation's event logs. The workstation has antivirus software installed that is up to date. What should you do FIRST?

A. Isolate the workstation from the network immediately
B. Reimage the workstation to ensure it is clean
C. Run a full antivirus scan on the workstation
D. Analyze network flow data to identify the destination of the data
Answer: A

Isolation stops potential ransomware spread or data theft.

Why this answer

Option A is correct because the anomalous SMB traffic on port 445, occurring outside business hours with a high volume of file access in quick succession, strongly indicates a ransomware or data exfiltration attack. Isolating the workstation immediately contains the threat, preventing lateral movement and further encryption or exfiltration of sensitive data. This aligns with the first step in incident response: containment before analysis.

Exam trap

Cisco often tests the incident response priority of containment over analysis; the trap here is that candidates choose analysis (Option D) or remediation (Option B/C) first, forgetting that immediate isolation prevents further damage and preserves evidence for later investigation.

How to eliminate wrong answers

Option B is wrong because reimaging the workstation destroys forensic evidence (e.g., memory artifacts, logs, malware samples) needed for root cause analysis and attribution. Option C is wrong because running a full antivirus scan is a secondary step after containment; the antivirus is up to date but may not detect a zero-day or fileless malware, and scanning could trigger further malicious activity. Option D is wrong because analyzing network flow data to identify the destination is a post-containment analysis step; delaying isolation risks data exfiltration or encryption completion.

536 · MCQ · hard

A security analyst is investigating a potential exploit. The PCAP shows an HTTP POST request containing a long string of characters that, when decoded, reveals a series of return-oriented programming (ROP) gadgets. What is the likely purpose of this payload?

A. Lateral movement
B. Privilege escalation
C. Exploitation
D. Persistence
Answer: C

ROP is a code-reuse exploitation technique.

Why this answer

ROP gadgets are used to bypass non-executable memory protections by chaining together small code sequences to execute arbitrary code. This is an exploitation technique.

537 · MCQ · hard

An analyst discovers that a Windows system executes a payload each time a user logs in, even before the desktop appears. Which registry key is most likely used for such persistence, and why would it be harder to detect than typical Run keys?

A. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
B. HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
C. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
D. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Answer: C

AppInit_DLLs loads a DLL into each process using user32.dll, providing stealthy persistence.

Why this answer

AppInit_DLLs loads DLLs into every process that loads user32.dll, making it a stealthy persistence mechanism.

538 · Multi-Select · medium

Which two characteristics are commonly associated with a distributed denial-of-service (DDoS) attack?

Select 2 answers
A. High volume of traffic from multiple sources
B. Multiple failed login attempts
C. Slow application response time
D. Unusual increase in ICMP echo requests
E. Traffic from a single IP address
Answers: A, D

Multiple sources are a defining feature of DDoS.

Why this answer

A DDoS attack is characterized by a high volume of traffic originating from multiple compromised sources (a botnet) to overwhelm a target. This distributed nature distinguishes it from a DoS attack, which typically uses a single source. The goal is to exhaust the target's bandwidth, processing capacity, or application resources, causing denial of service for legitimate users.

Exam trap

Cisco often tests the distinction between a DoS (single source) and a DDoS (multiple sources), so the trap here is that candidates may incorrectly select 'Traffic from a single IP address' (option E) as a DDoS characteristic, confusing the two attack types.

539 · MCQ · medium

Which compliance framework is specifically designed to protect the privacy and security of electronic health information in the United States?

A. GDPR
B. ISO 27001
C. HIPAA
D. PCI DSS
Answer: C

HIPAA covers health information privacy and security.

Why this answer

HIPAA governs protected health information (PHI) in the US.

540 · MCQ · medium

A security analyst is reviewing logs from a web proxy and sees that a user's machine is making frequent connections to a domain that is registered recently and has a low reputation score. What is the best action?

A. Check if the user has a legitimate need to access the domain.
B. Disable the user's network access.
C. Block the domain immediately.
D. Ignore because it might be a false positive.
Answer: A

Investigating the purpose of the connection helps determine if the activity is malicious.

Why this answer

The best action is to check if the user has a legitimate need to access the domain because a recently registered domain with a low reputation score is a strong indicator of potential malicious activity, but it could also be a false positive or a legitimate new service. Security analysts must validate the context through user inquiry or additional log correlation before taking irreversible actions like blocking or disabling access. This aligns with the principle of least disruption and evidence-based decision-making in security monitoring.

Exam trap

Cisco often tests the misconception that a low reputation score alone justifies immediate blocking, but the trap here is that the question requires you to prioritize investigation over reaction, as the best action is to gather context before applying a control.

How to eliminate wrong answers

Option B is wrong because disabling the user's network access is an overly aggressive response that disrupts productivity without confirming malicious intent, and it violates the principle of verifying before acting. Option C is wrong because blocking the domain immediately could break legitimate business operations if the domain is a newly registered but legitimate service, and it bypasses the necessary validation step. Option D is wrong because ignoring the alert dismisses a high-risk indicator (recent registration + low reputation) that commonly correlates with command-and-control (C2) traffic or phishing domains, and false positives should be investigated, not ignored.

541 · Multi-Select · easy

Which TWO actions should an analyst take when a critical alert is triggered?

Select 2 answers
A. Delete the alert to reduce noise
B. Verify the alert with other sources
C. Escalate to incident response team
D. Search for similar alerts in the past
E. Immediately power off the affected system
Answers: B, C

Correct. Corroborating the alert with other logs confirms its validity.

Why this answer

Option B is correct because verifying a critical alert with other sources (e.g., correlating with firewall logs, NetFlow data, or endpoint detection responses) is a fundamental step to confirm the alert is a true positive and not a false positive. This cross-validation reduces the risk of acting on inaccurate information and ensures that the incident response process is based on reliable evidence. Without verification, an analyst might escalate a non-threatening event, wasting resources and potentially missing a real threat.

Exam trap

Cisco often tests the misconception that immediate containment actions like powering off a system are always the correct first step, when in fact verification and preservation of evidence are prioritized to avoid destroying critical forensic data.

542 · MCQ · easy

A security analyst discovers that an attacker has captured network traffic and used it to impersonate a legitimate user in a subsequent session. Which element of the CIA triad is most directly compromised in this scenario?

A. Integrity
B. Non-repudiation
C. Confidentiality
D. Availability
Answer: C

The attacker captured traffic, violating confidentiality.

Why this answer

Confidentiality is compromised when data is accessed by unauthorized parties. The attacker captured traffic (unauthorized access to data), which leads to impersonation, but the core violation here is confidentiality because the data was disclosed.

543 · MCQ · easy

Which of the following is a common indicator of a brute-force attack on an SSH server?

A. A single failed login attempt.
B. Multiple successful logins from the same user.
C. Repeated login attempts with different usernames and passwords in a short period.
D. High CPU usage on the server.
Answer: C

This pattern matches brute-force attacks trying to guess credentials.

Why this answer

A brute-force attack on an SSH server is characterized by a high volume of authentication attempts, typically using different usernames and passwords, in a short time window. This pattern aims to guess valid credentials through repeated trial and error, which is distinct from a single failure or a few successful logins. The rapid, automated nature of the attempts is the key indicator that distinguishes brute-force activity from normal user behavior.

Exam trap

Cisco often tests the distinction between a single failed login (normal) and a pattern of repeated failures (attack), leading candidates to mistakenly choose Option A because they focus on the word 'failed' rather than the volume and pattern of attempts.

How to eliminate wrong answers

Option A is wrong because a single failed login attempt is a normal event that can occur due to a typo or forgotten password, and does not indicate a systematic attack. Option B is wrong because multiple successful logins from the same user could indicate legitimate concurrent sessions or a compromised account, but it is not a direct sign of a brute-force attack, which focuses on failed attempts. Option D is wrong because high CPU usage on the server can have many causes, such as resource-intensive processes or denial-of-service attacks, and is not a specific or reliable indicator of SSH brute-force attempts.

544 · MCQ · easy

A SOC analyst is reviewing a firewall log and sees a large number of outbound connections from an internal server to a known command-and-control (C2) domain. The connections are on port 443, and the packets have irregular timing. What should the analyst do first?

A. Isolate the server from the network and escalate to incident response.
B. Check the server's logs for signs of compromise.
C. Ignore the alert because port 443 is normal traffic.
D. Block the domain at the firewall immediately.
Answer: A

Containment first.

Why this answer

The irregular timing and outbound connections to a known C2 domain on port 443 strongly indicate a compromised host using HTTPS to blend in with normal traffic. Isolating the server first prevents further data exfiltration or lateral movement while preserving forensic evidence, which aligns with the NIST incident response framework. Escalating to incident response ensures proper handling and analysis.

Exam trap

Cisco often tests the principle of containment before investigation, where candidates mistakenly choose to investigate logs first instead of isolating the compromised host to prevent further damage.

How to eliminate wrong answers

Option B is wrong because checking the server's logs before containment risks the attacker destroying evidence or continuing malicious activity; isolation must come first. Option C is wrong because while port 443 is used for legitimate HTTPS, the combination of a known C2 domain and irregular timing is a clear indicator of compromise, not normal traffic. Option D is wrong because blocking the domain at the firewall alone does not stop the compromised server from using other C2 domains or IPs, and it may alert the attacker without containing the host.

545 · MCQ · medium

Which type of malware is characterized by self-replication and spreading to other systems without user interaction, often causing network congestion?

A. Ransomware
B. Trojan
C. Worm
D. Virus
Answer: C

Worms self-replicate and spread over networks without user intervention.

Why this answer

A worm is self-replicating and spreads automatically, unlike a virus which requires a host file.

546 · MCQ · hard

An analyst detects an attack where the attacker uses NTLM authentication with a hashed password instead of the plaintext password. This technique is known as:

A. Password spraying
B. Brute force
C. Kerberos ticket reuse
D. Pass-the-hash
Answer: D

Correct. Pass-the-hash uses the NTLM hash for authentication.

Why this answer

Pass-the-hash allows an attacker to authenticate using the hash of a password without knowing the actual password.

547 · Multi-Select · hard

An analyst is examining a Windows system for evidence of privilege escalation or credential theft. Which THREE Event IDs should the analyst focus on in the Security log? (Select THREE)

Select 3 answers
A. 4648
B. 4776
C. 4720
D. 4625
E. 4624
Answers: A, B, E

Explicit credentials logon, often used with runas for privilege escalation.

Why this answer

Event ID 4648 (A logon was attempted using explicit credentials) is correct because it records when a user explicitly provides credentials to run a program or service, which is a common technique in privilege escalation (e.g., runas) and credential theft (e.g., pass-the-hash). This event captures the target account, source process, and target workstation, making it invaluable for detecting lateral movement or credential misuse.

Exam trap

Cisco often tests the distinction between Event IDs that log authentication attempts (4624, 4625) versus those that log credential usage (4648, 4776), trapping candidates who confuse successful logons (4624) with evidence of credential theft.

548 · Multi-Select · hard

A SOC analyst is analyzing logs from multiple sources. Which THREE log types are most useful for detecting a brute force attack against a web application?

Select 3 answers
A. DNS logs
B. System authentication logs
C. Web server logs
D. IDS/IPS alerts
E. Firewall logs
Answers: B, C, E

System logs record failed/successful logins.

Why this answer

System authentication logs (B) are critical because they record every login attempt, including failed ones, which directly reveals the repeated authentication failures characteristic of a brute force attack. Web server logs (C) capture HTTP request details such as source IP, URI, and response codes (e.g., 401 Unauthorized or 403 Forbidden), allowing an analyst to correlate many failed login requests from a single source. Firewall logs (E) show allowed and denied connections, enabling detection of high volumes of inbound traffic to the web application's port (e.g., TCP 443 or 80) from a specific IP, which is a common brute force pattern.

Exam trap

Cisco often tests the distinction between raw logs (like authentication, web server, and firewall logs) and derived alerts (like IDS/IPS alerts), tricking candidates into selecting IDS/IPS alerts because they seem directly relevant, but the question specifically asks for log types, not alert types.

549 · MCQ · medium

A security analyst at a SOC Tier 1 receives an alert about a potential malware infection on a user's workstation. What is the primary responsibility of the Tier 1 analyst in this scenario?

A. Coordinate with legal counsel for data breach notification
B. Conduct initial triage and basic investigation
C. Develop new detection signatures
D. Perform deep forensic analysis of the malware
Answer: B

Tier 1 handles initial triage and basic investigation.

Why this answer

Tier 1 analysts monitor alerts, perform initial triage, and escalate if needed. They conduct basic investigation.

550 · MCQ · hard

A financial services company has a security policy that all remote access must be through VPN with two-factor authentication. An employee on a business trip uses a hotel Wi-Fi to connect to the corporate network but claims the VPN client was not working, so they used RDP directly over the internet to access their desktop. The employee's manager approved this as a temporary measure. The security team discovers this during a log review. The policy has no provision for temporary exceptions. What should be the security team's first action?

A. Investigate whether any data was compromised during the session.
B. Report the violation to the security officer and recommend disciplinary action.
C. Disable RDP access from the internet for all users immediately.
D. Accept the manager's approval as sufficient authorization.
Answer: A

Understanding the risk helps guide subsequent actions appropriately.

Why this answer

Option A is correct because the first step is to investigate whether any data was compromised during the session. Option B might be too harsh without evidence; Option C is premature; Option D ignores the policy violation.

551 · MCQ · easy

A security analyst is using a SIEM to create a correlation rule that triggers when more than 10 failed logins are detected from the same source IP within 1 minute. This rule is designed to detect which type of attack?

A. Brute-force attack
B. Phishing attack
C. Privilege escalation
D. Man-in-the-middle attack
Answer: A

Repeated failed logins from the same IP indicate password guessing.

Why this answer

The rule detects multiple failed logins in a short time, which is characteristic of a brute-force attack.

552 · MCQ · medium

A security analyst observes repeated failed login attempts to an internal web server from multiple external IP addresses. The analyst creates a correlation rule that triggers an alert if more than 10 failed logins occur from a single source IP within 5 minutes. After deploying the rule, the analyst finds that the rule generates false positives from legitimate users who mistype passwords. Which action should the analyst take to reduce false positives while maintaining detection effectiveness?

A. Whitelist all external IP addresses that belong to business partners.
B. Reduce the time window to 2 minutes to catch attacks faster.
C. Change the rule to block the source IP after 5 failed attempts.
D. Increase the threshold to 15 failed logins within a 10-minute window.
Answer: D

Higher threshold and longer window reduce false positives from occasional mistypes while still detecting sustained attacks.

Why this answer

Option D is correct because increasing the threshold to 15 failed logins within a 10-minute window reduces false positives by allowing more mistyped attempts from legitimate users before triggering an alert, while still detecting brute-force attacks. The longer time window and higher threshold smooth out transient user errors without significantly delaying detection of sustained attack patterns.

Exam trap

Cisco often tests the misconception that reducing the time window or lowering the threshold improves detection, when in fact it increases false positives, and that whitelisting or blocking IPs is a proper tuning action rather than adjusting the rule's parameters.

How to eliminate wrong answers

Option A is wrong because whitelisting external IPs of business partners would bypass security monitoring entirely, allowing those IPs to conduct unlimited failed logins without triggering alerts, which could mask compromised partner accounts. Option B is wrong because reducing the time window to 2 minutes would increase false positives by making the rule more sensitive to brief bursts of legitimate mistypes, and it would not address the root cause of user errors. Option C is wrong because changing the rule to block the source IP after 5 failed attempts would aggressively block legitimate users after a few mistypes, causing denial-of-service for valid users and potentially blocking shared IPs (e.g., NAT) used by multiple people.
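As an added example that is not part of the question bank, the following Python script implements the sliding-window correlation rule from questions 551 and 552 and runs it over a constructed failed-login log with both parameter sets from question 552 (more than 10 failures in 5 minutes, then more than 15 in 10 minutes). The log format, source addresses and usernames are assumptions made for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> auth-fail src=<ip> user=<name>"
LINE_RE = re.compile(r"^(?P<ts>\S+) auth-fail src=(?P<src>\S+) user=(?P<user>\S+)$")


def build_sample_log():
    """Constructed auth-failure log (not real data): a legitimate user who keeps
    mistyping a password, and one source cycling through usernames."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    lines = []
    for i in range(12):      # 12 mistypes 20 s apart, spread over 3 m 40 s
        ts = (base + timedelta(seconds=20 * i)).isoformat(timespec="seconds")
        lines.append(f"{ts} auth-fail src=203.0.113.7 user=jsmith")
    for i in range(60):      # 60 failures 3 s apart: sustained password guessing
        ts = (base + timedelta(minutes=10, seconds=3 * i)).isoformat(timespec="seconds")
        lines.append(f"{ts} auth-fail src=198.51.100.23 user=user{i % 8}")
    lines.append("malformed line that the parser must skip")
    return lines


def parse_events(lines):
    """Parse log lines into (timestamp, src, user) tuples, oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["user"]))
    events.sort()            # the sliding window assumes time order
    return events


def failed_login_alerts(lines, threshold, window_seconds):
    """Correlation rule: alert on a source IP once MORE THAN `threshold`
    failures from it fall inside any span of `window_seconds`.
    Returns {src: timestamp of the failure that triggered the alert}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # src -> timestamps still inside the window
    alerts = {}
    for ts, src, _user in parse_events(lines):
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:    # evict failures that aged out of the window
            q.popleft()
        if len(q) > threshold and src not in alerts:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    log = build_sample_log()
    print("10 in 5 min :", sorted(failed_login_alerts(log, 10, 300)))
    print("15 in 10 min:", sorted(failed_login_alerts(log, 15, 600)))
```

With the original rule the mistyping user trips the alert alongside the guessing source; with the higher threshold and longer window only the sustained guessing source is reported, which is the tuning outcome option D describes.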

553
MCQhard

An organization uses Zeek for network monitoring. An analyst wants to extract files transferred over HTTP from network traffic. Which Zeek script or functionality should they use?

A.Zeek's connection log
B.Zeek's HTTP log
C.Zeek's file extraction script
D.Zeek's DNS log
AnswerC

Zeek provides a script to extract files from HTTP traffic.

Why this answer

Zeek's file analysis framework can extract files carried over protocols such as HTTP. The capability is enabled by loading a file extraction script, commonly named 'file_extraction.zeek' or 'http_file_extraction.zeek', which is what option C, 'Zeek's file extraction script', refers to.

The name 'HTTP::extract_files' is also cited as a Zeek event or script name for this functionality. Either way, the answer is Zeek's file extraction capability built on its file analysis framework; the connection, HTTP and DNS logs in the other options record metadata about traffic rather than writing transferred files to disk.

554
MCQeasy

A security analyst notices that a user's account has been used to access sensitive data outside of normal working hours. Which security concept is being violated?

A.Non-repudiation
B.Confidentiality
C.Availability
D.Integrity
AnswerB

Confidentiality protects data from unauthorized access, which is the issue.

Why this answer

Option B is correct because sensitive data was accessed by an unauthorized party (the account was used outside normal working hours), violating confidentiality. Option C is incorrect because availability refers to uptime, not data protection. Option D is incorrect because integrity ensures data is not altered, not that access is prevented.

Option A is incorrect because non-repudiation deals with proof of action, not access control.

555
MCQeasy

Which of the following is a valid indicator of compromise (IoC)?

A.A file hash (MD5)
B.The company's logo
C.An employee's email address
D.A user's full name
AnswerA

File hashes uniquely identify malicious files.

Why this answer

An IoC is any artifact observed on a network or system that indicates a potential intrusion. File hashes (MD5/SHA-256) are commonly used IoCs.

556
MCQhard

During a threat hunt, an analyst discovers sustained outbound traffic from a workstation to multiple IP addresses in different countries on port 443. The traffic patterns show periodic spikes at 5-minute intervals. The workstation is used by a sales representative who frequently accesses cloud CRM. Which additional evidence would most strongly suggest the workstation is compromised?

A.The CRM application uses port 443
B.The sales representative reported slow performance
C.The outbound traffic includes connections to IPs not associated with the CRM
D.The workstation has antivirus installed and up-to-date
AnswerC

Unknown IPs suggest malicious communication.

Why this answer

Option C is correct because outbound traffic to IP addresses not associated with the CRM application indicates the workstation is communicating with unknown or malicious destinations. Since the CRM is accessed via a known domain or IP range, connections to unrelated IPs on port 443 (HTTPS) suggest the workstation may be part of a botnet or exfiltrating data, especially given the periodic spikes at 5-minute intervals, which are characteristic of beaconing behavior used by malware to maintain command-and-control (C2) communications.

Exam trap

Cisco often tests the concept that legitimate application traffic (e.g., CRM on port 443) can be used as a smokescreen, and candidates mistakenly assume that any traffic on a standard port is benign, overlooking the importance of destination IP analysis and traffic patterns like beaconing.

How to eliminate wrong answers

Option A is wrong because the CRM application legitimately uses port 443 for HTTPS traffic, so this alone does not indicate compromise; it is expected behavior. Option B is wrong because slow performance is a subjective symptom that can be caused by many benign factors (e.g., network congestion, resource-heavy applications) and is not a definitive indicator of compromise. Option D is wrong because having antivirus installed and up-to-date does not guarantee the workstation is not compromised; malware can evade detection through techniques like polymorphism or zero-day exploits, and antivirus is not a real-time indicator of current infection status.

557
Multi-Selectmedium

An analyst identifies an alert for 'ET TROJAN Win32/DarkComet RAT Beacon'. The analyst confirms the host is infected. Which TWO phases of the Cyber Kill Chain have been completed prior to this C2 beacon? (Choose two.)

Select 2 answers
A.Installation
B.Weaponisation
C.Reconnaissance
D.Exploitation
E.Delivery
AnswersD, E

Exploitation allowed the malware to run.

Why this answer

For C2 to occur, the attacker must have delivered the malware and exploited a vulnerability to install it.

558
MCQeasy

What is the purpose of a security baseline?

A.To define the minimum acceptable security posture
B.To respond to security incidents
C.To encrypt sensitive data
D.To detect malware infections
AnswerA

Baselines establish secure configurations.

Why this answer

A security baseline defines the minimum acceptable security posture for systems, networks, and devices. It establishes a standard configuration that must be met to ensure a consistent level of security across the organization, such as requiring specific patch levels, disabling unnecessary services, and enforcing password policies. Without a baseline, there is no reference point to measure compliance or identify deviations that could indicate a security weakness.

Exam trap

Cisco often tests the distinction between a security baseline (a static reference standard) and operational security controls (like incident response or encryption), leading candidates to confuse the baseline with the tools or processes that enforce or detect security issues.

How to eliminate wrong answers

Option B is wrong because responding to security incidents is the purpose of an incident response plan (IRP) and associated procedures, not a security baseline. Option C is wrong because encrypting sensitive data is a specific security control or mechanism, often implemented via protocols like AES or TLS, not the overarching definition of a minimum security posture. Option D is wrong because detecting malware infections is the function of antivirus software, intrusion detection systems (IDS), or endpoint detection and response (EDR) tools, not a security baseline.

559
Multi-Selecthard

Which THREE of the following are common evasion techniques used by attackers?

Select 3 answers
A.Slow scans
B.Fragmentation
C.Using high ports
D.Patching vulnerabilities
E.Encryption
AnswersA, B, E

Correct. Slow scans avoid triggering threshold-based alerts.

Why this answer

Slow scans are a common evasion technique used by attackers to avoid detection by intrusion detection systems (IDS) and intrusion prevention systems (IPS). By sending packets at a very low rate, often over hours or days, the scan falls below the threshold of time-based detection algorithms that trigger alerts on rapid port sweeps. This technique exploits the fact that many security devices rely on timing heuristics to identify reconnaissance activity.

Exam trap

Cisco often tests the distinction between evasion techniques and general security practices; the trap here is that candidates may mistake 'patching vulnerabilities' as an attacker action, when in reality it is a defender's mitigation strategy, not an evasion method.

560
MCQhard

During the containment phase of an incident, the IR team decides to power off a compromised server to prevent further damage. However, they later realize that this action may have destroyed volatile evidence. According to best practices, what should the team have done instead?

A.Disconnect the server from the network but leave it running
B.Perform a live forensic image of the server's memory before powering off
C.Immediately power off the server without any imaging
D.Skip evidence collection and focus solely on containment
AnswerB

Live imaging captures volatile data such as memory and running processes.

Why this answer

Short-term containment should preserve evidence; live imaging captures volatile data before power-off.

561
Multi-Selectmedium

A security analyst is investigating a potential data exfiltration incident. Which TWO of the following are common indicators that data exfiltration may be occurring over DNS? (Choose two.)

Select 2 answers
A.DNS responses with a large number of IP addresses
B.DNS queries for AAAA records (IPv6) from an IPv4-only network
C.High volume of DNS queries to a single domain not normally visited
D.Unusually large DNS TXT record responses
E.DNS query responses with high TTL values
AnswersC, D

A sudden surge of queries to an unknown domain could indicate a DNS tunnel.

Why this answer

Option C is correct because a high volume of DNS queries to a single domain that is not normally visited is a classic indicator of DNS tunneling, where an attacker encodes exfiltrated data into DNS query subdomains. This behavior creates an abnormal query pattern that stands out in baseline traffic analysis.

Exam trap

Cisco often tests the distinction between normal DNS behavior (e.g., CDN responses with many IPs) and anomalous patterns specific to tunneling, so candidates mistakenly pick A or E because they sound 'unusual' without understanding the underlying exfiltration mechanism.
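Both indicators in the answer key can be measured from a resolver log. The following Python is an added example, not part of the question bank: it profiles per-domain query volume, subdomain uniqueness and TXT response size over a constructed DNS log and flags the domain that matches the tunneling pattern while leaving ordinary browsing and a CDN host that answers with many IPs unflagged. The space-separated log format, the client addresses, the domain names and the thresholds are assumptions.

```python
"""Profile DNS query logs for tunneling indicators (added example).

Log lines, client addresses and domain names below are constructed; the
space-separated format is an assumption, not a particular resolver's output.
"""
import re
from collections import defaultdict

# ts client qtype qname rcode response_bytes
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qtype>[A-Z]+) (?P<qname>\S+) (?P<rcode>\S+) (?P<rsize>\d+)$")


def _constructed_dns_log():
    lines = []
    # Ordinary browsing: the same host name looked up again and again, small answers.
    for i in range(30):
        lines.append(f"2024-05-01T09:{i:02d}:00Z 10.1.1.20 A www.example.com NOERROR 80")
    # A CDN name that answers with many A records (large, but not a TXT response).
    for i in range(20):
        lines.append(f"2024-05-01T09:{i:02d}:30Z 10.1.1.20 A cdn.example.org NOERROR 360")
    # Suspect: 120 queries, each to a never-repeated 40-char hex label, with large TXT answers.
    for i in range(120):
        lines.append(f"2024-05-01T10:{i // 60:02d}:{i % 60:02d}Z 10.1.1.50 TXT {i:040x}.exfil-example.net NOERROR 1400")
    return lines


SAMPLE_DNS_LOG = _constructed_dns_log()


def base_domain(qname):
    """Simplification: treat the last two labels as the registered domain."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def profile_domains(lines):
    """Per base domain: query count, distinct query names, largest TXT response."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "max_txt_bytes": 0})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        s = stats[base_domain(m["qname"])]
        s["queries"] += 1
        s["names"].add(m["qname"])
        if m["qtype"] == "TXT":
            s["max_txt_bytes"] = max(s["max_txt_bytes"], int(m["rsize"]))
    return stats


def flag_tunneling(lines, min_queries=50, min_unique_ratio=0.9, max_txt_bytes=512):
    """Return {base_domain: [reasons]} for domains matching tunneling indicators.

    Volume alone is not enough (a popular site is queried often); tunneling also
    shows near-unique subdomains because each query carries a different data chunk.
    """
    flagged = {}
    for domain, s in profile_domains(lines).items():
        reasons = []
        unique_ratio = len(s["names"]) / s["queries"]
        if s["queries"] >= min_queries and unique_ratio >= min_unique_ratio:
            reasons.append("high query volume with unique subdomains")
        if s["max_txt_bytes"] > max_txt_bytes:
            reasons.append("large TXT response")
        if reasons:
            flagged[domain] = reasons
    return flagged


if __name__ == "__main__":
    for domain, reasons in flag_tunneling(SAMPLE_DNS_LOG).items():
        print(domain, "->", "; ".join(reasons))
```

The uniqueness ratio is what separates a tunnel from a busy legitimate domain: the CDN name is large in answer size and queried repeatedly, but it is one name, not a stream of encoded labels.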

562
Multi-Selectmedium

A security analyst is configuring a firewall to block common reconnaissance techniques. Which THREE types of reconnaissance traffic should be blocked to prevent active reconnaissance? (Choose three.)

Select 3 answers
A.Social engineering
B.WHOIS lookups
C.Vulnerability scanning
D.Port scanning
E.Ping sweeps
AnswersC, D, E

Vulnerability scanning actively probes for weaknesses.

Why this answer

Active reconnaissance involves direct interaction with the target. Port scanning, ping sweeps, and vulnerability scanning are active methods. Passive reconnaissance includes social engineering, Google searches, and WHOIS lookups.

563
MCQhard

A security analyst notices that an employee is accessing the corporate network from an unauthorized device. According to the security policy, which action should the analyst take first?

A.Report the employee to human resources for disciplinary action
B.Ignore the incident because it is a minor violation
C.Disable the device's network access immediately
D.Update the security policy to allow personal devices
AnswerC

Immediate containment is a typical first step.

Why this answer

Option C is correct because the immediate priority when an unauthorized device is detected on the corporate network is to contain the threat by disabling network access. This aligns with the principle of least privilege and incident response procedures, where the first step is to stop the unauthorized access to prevent potential data breaches or malware propagation. The security policy typically mandates such immediate action to enforce access control, often implemented via 802.1X or MAC address filtering at the switch or NAC (Network Access Control) level.

Exam trap

Cisco often tests the distinction between immediate containment actions (like disabling network access) versus long-term administrative or policy changes, trapping candidates who confuse incident response phases or prioritize HR reporting over security controls.

How to eliminate wrong answers

Option A is wrong because reporting to HR for disciplinary action is a secondary step that should occur after the immediate security threat is neutralized; it does not address the active unauthorized access. Option B is wrong because ignoring the incident violates the security policy and could lead to a significant security breach, as unauthorized devices may introduce malware or bypass security controls. Option D is wrong because updating the policy to allow personal devices is a strategic decision that requires risk assessment and implementation of proper controls (e.g., MDM, VPN), not an immediate response to a violation.

564
MCQhard

During an incident response, an analyst extracts a suspicious file and computes its MD5 hash: d41d8cd98f00b204e9800998ecf8427e. Upon checking a threat intelligence feed, this hash is known as a malicious indicator. What does this hash represent?

A.A false positive; the hash corresponds to an empty file.
B.An invalid hash; the file may be corrupt.
C.A known malicious executable that should be quarantined.
D.A hash of a benign system file.
AnswerA

The empty file hash is often listed in threat feeds as a mistake; it is a false positive.

Why this answer

The MD5 hash d41d8cd98f00b204e9800998ecf8427e is the well-known hash of an empty file (zero bytes). It is not a valid indicator of a malicious file; the analyst should verify the file's actual content.
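A feed match on a hash should be sanity-checked before it becomes an alert. The following Python is an added example, not from the question bank: it computes the file's digests, compares them with a constructed feed, and reports a zero-length file as a false positive, because the digests of empty input are fixed, well-known values that say nothing about malice. The feed contents and the sample bytes are assumptions.

```python
"""Triage a threat-feed hash match, recognising the empty-file hashes (added example)."""
import hashlib

ALGORITHMS = ("md5", "sha1", "sha256")

# Digests of zero-length input, computed rather than hardcoded.
EMPTY_FILE_HASHES = {alg: hashlib.new(alg, b"").hexdigest() for alg in ALGORITHMS}


def digests(data):
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def triage_hash_match(data, feed):
    """Return a verdict for `data` against `feed` (a set of hex digests).

    Verdicts: 'no_match', 'match', or 'false_positive_empty_file' when the only
    reason the feed matched is that the file is empty."""
    feed = {f.lower() for f in feed}
    d = digests(data)
    hits = {alg: h for alg, h in d.items() if h in feed}
    if not hits:
        verdict = "no_match"
    elif len(data) == 0:
        verdict = "false_positive_empty_file"
    else:
        verdict = "match"
    return {"size": len(data), "digests": d, "feed_hits": hits, "verdict": verdict}


# Constructed feed: contains the empty-file MD5 (a known feed mistake) plus the
# SHA-256 of a constructed sample payload standing in for a real malicious file.
SAMPLE_MALICIOUS_BYTES = b"MZ\x90\x00constructed-sample-not-real-malware"
CONSTRUCTED_FEED = {
    "d41d8cd98f00b204e9800998ecf8427e",
    hashlib.sha256(SAMPLE_MALICIOUS_BYTES).hexdigest(),
}

if __name__ == "__main__":
    for name, data in (("empty", b""), ("sample", SAMPLE_MALICIOUS_BYTES), ("benign", b"hello\n")):
        print(name, triage_hash_match(data, CONSTRUCTED_FEED)["verdict"])
```

Checking the file size alongside the digest is the whole trick: an extracted file that came out empty usually points at a truncated capture or a failed carve, which is a collection problem rather than a detection.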

565
Matchingmedium

Match each analysis type to its description.

Matches

Examining file without executing it

Running file in a sandbox to observe behavior

Matching patterns against known threats

Detecting deviations from baseline behavior

Using rules to detect unknown threats

Why these pairings

These are key analysis methodologies in cybersecurity.

566
MCQhard

Refer to the exhibit. An analyst sees these log messages on a Cisco router. The source IP 10.0.0.2 is an internal server. What is the most likely explanation?

A.An external host is scanning the router.
B.The router is under a brute-force attack on the HTTP server.
C.The internal server is trying to access the router's web interface, which is blocked by an ACL.
D.The router is infected with malware and generating traffic.
AnswerC

The router's own IP is being targeted on HTTP; this is likely management access.

Why this answer

The log messages show repeated TCP connection attempts from internal server 10.0.0.2 to the router's IP on port 443 (HTTPS) and port 80 (HTTP), which are denied by an ACL. Since the source is an internal server and the destination is the router's own IP, this indicates the server is trying to reach the router's web interface, but the ACL is blocking those packets. Option C correctly identifies this scenario.

Exam trap

Cisco often tests the distinction between inbound vs. outbound traffic and internal vs. external sources, so the trap here is assuming any denied traffic to a router must be an external attack, when the source IP clearly shows it is an internal host.

How to eliminate wrong answers

Option A is wrong because the source IP 10.0.0.2 is internal, not external, so this is not an external host scanning the router. Option B is wrong because a brute-force attack on the HTTP server would typically show repeated authentication failures (e.g., HTTP 401 or 403 responses) or many login attempts, not simple TCP connection denials by an ACL. Option D is wrong because malware on the router would generate traffic from the router to other hosts, not inbound connection attempts to the router's own web interface; the logs show inbound packets being denied, not outbound traffic.

567
MCQmedium

An analyst is handling a data breach involving sensitive customer information (PII) stored in a database. According to data classification policy, what is the most critical step to take first?

A.Classify the data as high impact
B.Review the data classification policy
C.Notify affected customers immediately
D.Contain the breach and preserve evidence
AnswerD

Containment and evidence preservation are the first actions in incident response.

Why this answer

Option D is correct because the immediate priority in any data breach incident is to contain the breach to prevent further data loss and to preserve forensic evidence for investigation and potential legal action. According to NIST SP 800-61 and common incident response frameworks, containment and evidence preservation must occur before notification or classification changes to ensure the integrity of the investigation and to limit damage.

Exam trap

Cisco often tests the candidate's understanding of the incident response lifecycle order, specifically that containment and evidence preservation must precede notification or policy review, even though notification seems like the most urgent ethical step.

How to eliminate wrong answers

Option A is wrong because classifying data as 'high impact' is a policy-driven step that should have been done before the breach; changing classification during an incident does not address the immediate threat and can confuse response efforts. Option B is wrong because reviewing the data classification policy during an active breach wastes critical time; the policy should already be known and applied, and the priority is containment, not policy review. Option C is wrong because notifying affected customers prematurely, before containment and evidence preservation, can compromise the investigation, violate legal hold requirements, and potentially cause unnecessary panic; notification typically occurs after the scope is understood and evidence is secured.

568
MCQmedium

Refer to the exhibit. What does this Snort rule detect?

A.A NetBIOS name service query
B.A vulnerability in Microsoft RPC
C.Normal SMB traffic
D.Exploit code for a buffer overflow
AnswerD

Correct. The null-byte pattern is indicative of a buffer overflow exploit.

Why this answer

The Snort rule detects a buffer overflow attempt by matching a specific pattern (e.g., a long string of 'A' characters or a shellcode pattern) in the payload, which is characteristic of exploit code targeting a vulnerable service. Buffer overflow exploits often send oversized data to trigger memory corruption, and Snort rules use content matching and byte_test to identify such anomalies. This rule likely targets a known overflow in a protocol like SMB or RPC, but the signature is specific to the exploit payload, not the protocol itself.

Exam trap

Cisco often tests the distinction between protocol-specific signatures (e.g., 'this is SMB traffic') and exploit-specific signatures (e.g., 'this is a buffer overflow payload'), so the trap here is that candidates see 'SMB' in the rule and assume it's normal SMB traffic, missing the exploit pattern in the payload.

How to eliminate wrong answers

Option A is wrong because a NetBIOS name service query uses UDP port 137 and has a specific packet structure (e.g., name query transaction ID), not the payload pattern of a buffer overflow. Option B is wrong because a vulnerability in Microsoft RPC would be detected by a rule matching the RPC interface UUID or opnum, not a generic exploit payload pattern. Option C is wrong because normal SMB traffic follows protocol state machines and does not contain oversized or malformed payloads that trigger buffer overflow signatures.

569
Multi-Selecthard

Which THREE of the following are indicators that a network may be compromised by a botnet?

Select 3 answers
A.Unusual outbound traffic to known command-and-control servers.
B.Multiple systems communicating with the same external IP at regular intervals.
C.High volume of ICMP echo requests.
D.Endpoint alerts of known malware signatures.
E.Increase in legitimate business traffic.
AnswersA, B, D

C&C communication is a hallmark of botnet activity.

Why this answer

Option A is correct because botnet-infected systems typically communicate with command-and-control (C2) servers to receive instructions or exfiltrate data. Unusual outbound traffic to known C2 IPs or domains is a strong indicator of botnet activity, as legitimate traffic rarely targets these addresses. Security monitoring tools often use threat intelligence feeds to flag such connections.

Exam trap

Cisco often tests the distinction between generic attack symptoms (like high ICMP volume) and specific botnet indicators (like C2 communication and beaconing), so candidates mistakenly select Option C because they associate any unusual traffic with botnets without considering the precise behavioral patterns.
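The beaconing pattern in question 556 (periodic spikes to IPs unrelated to the CRM) and option B here (several hosts calling the same external IP at regular intervals) can be checked with one piece of logic. The following Python is an added example, not from the question bank: it groups constructed connection records by source and destination, measures how regular the gaps between connections are, excludes destinations on a known-application allowlist, and then reports destinations that more than one internal host beacons to. The flow records, addresses and thresholds are assumptions.

```python
"""Detect beaconing and shared C2 destinations in connection records (added example).

All flow records, addresses and thresholds here are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def _constructed_flows():
    """(timestamp, src, dst, dport) tuples for one morning of traffic."""
    base = datetime(2024, 5, 1, 8, 0, 0)
    flows = []
    # Human-driven CRM use by the sales workstation: irregular timing.
    for offset in (0, 95, 140, 600, 640, 1900, 2300, 2310, 3000):
        flows.append((base + timedelta(seconds=offset), "10.1.1.50", "198.51.100.20", 443))
    # Beacon from the same workstation every ~300 s with small jitter.
    jitter = (-3, 2, 0, 4, -1, 3, -2, 1, 0, 2, -4, 1)
    for i, j in enumerate(jitter):
        flows.append((base + timedelta(seconds=300 * i + j), "10.1.1.50", "203.0.113.8", 443))
    # A second internal host beaconing to the same external IP.
    for i in range(12):
        flows.append((base + timedelta(seconds=300 * i + 37), "10.1.1.77", "203.0.113.8", 443))
    return flows


SAMPLE_FLOWS = _constructed_flows()


def find_beacons(flows, allowlist=frozenset(), min_connections=8, max_cv=0.1):
    """Return {(src, dst): stats} for pairs whose connection intervals are regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections; malware beacons cluster near a fixed period.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _dport in flows:
        if dst in allowlist:       # known application endpoints are not candidates
            continue
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period > 0 else float("inf")
        if cv <= max_cv:
            beacons[pair] = {"count": len(times), "period_s": round(period), "cv": round(cv, 3)}
    return beacons


def shared_destinations(beacons):
    """Destinations beaconed to by more than one internal host: a botnet-style indicator."""
    hosts = defaultdict(set)
    for src, dst in beacons:
        hosts[dst].add(src)
    return {dst: srcs for dst, srcs in hosts.items() if len(srcs) > 1}


if __name__ == "__main__":
    found = find_beacons(SAMPLE_FLOWS, allowlist={"198.51.100.20"})
    for pair, stats in found.items():
        print(pair, stats)
    print("shared:", shared_destinations(found))
```

The CRM connections are not flagged even without the allowlist, because their timing is human and irregular; the allowlist only keeps known endpoints out of the candidate set so that a popular SaaS polling at a fixed interval does not need a per-case exception.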

570
MCQmedium

A security analyst is creating a policy for handling sensitive customer data. The policy must ensure data is encrypted at rest and in transit. Which type of policy most directly addresses this requirement?

A.Incident Response Policy
B.Data Protection Policy
C.Access Control Policy
D.Physical Security Policy
AnswerB

Data protection policy mandates encryption at rest and in transit.

Why this answer

A data protection policy specifically covers encryption, storage, and transmission controls, so option B is correct. Option C (access control) is about permissions.

Option A (incident response) is about breaches. Option D (physical security) is about facilities.

571
Multi-Selectmedium

A security analyst is reviewing web server logs and notices a high number of 404 errors for non-existent URLs. Which TWO of the following tools would best help investigate this anomaly?

Select 2 answers
A.Snort for IDS alerts
B.YARA for file scanning
C.Wireshark for packet-level analysis
D.SIEM for correlation and alerting
E.NetFlow for top talkers
AnswersC, D

Wireshark can capture and analyze HTTP requests.

Why this answer

Using SIEM for correlation and Wireshark for packet analysis on the server's traffic can help identify the source and nature of the requests.

572
MCQeasy

An organization's security policy requires that all data at rest on laptops be encrypted. An employee reports that their laptop was stolen. Which control would most likely prevent data exposure?

A.Remote wipe
B.Biometric authentication
C.Full disk encryption
D.Screen lock with password
AnswerC

Full disk encryption encrypts all data on the drive, preventing access even if the drive is removed.

Why this answer

Option C is correct because full disk encryption ensures data cannot be read from the drive. Option A is wrong because remote wipe requires network connectivity. Option D is wrong because a screen lock only protects the session while the laptop is unattended.

Option B is wrong because biometric authentication does not encrypt data.

573
MCQhard

A company is implementing a security policy that requires all employees to use multi-factor authentication (MFA) when accessing corporate resources remotely. However, during a recent security audit, it was found that several employees have been using app passwords for legacy applications that do not support MFA. What is the best practice under this policy?

A.Allow app passwords as they provide a second factor.
B.Implement a VPN requirement for legacy application access.
C.Discontinue use of legacy applications until they support MFA.
D.Create a separate policy for legacy applications with compensating controls.
AnswerD

This balances security and business needs by applying additional controls like network isolation and monitoring.

Why this answer

Option D is correct because when legacy applications cannot support MFA directly, the best practice is to create a separate policy that documents compensating controls—such as network segmentation, IP allowlisting, or strict access logging—to mitigate the risk of using app passwords. App passwords bypass the second factor and are essentially static credentials, so they must be governed by additional security measures rather than being treated as equivalent to MFA.

Exam trap

Cisco often tests the misconception that app passwords are a valid second factor, when in reality they are a static bypass that undermines the MFA policy—candidates must recognize that compensating controls are the correct administrative response for unsupported applications.

How to eliminate wrong answers

Option A is wrong because app passwords are not a true second factor; they are static passwords generated once and bypass the MFA challenge, effectively reducing security to single-factor authentication. Option B is wrong because requiring a VPN does not enforce MFA for the legacy application itself; it only secures the transport layer, leaving the application vulnerable to credential theft or replay attacks. Option C is wrong because discontinuing legacy applications outright is often impractical and not a security policy best practice—compensating controls allow continued operation while managing risk.

574
MCQmedium

A SOC analyst is monitoring network traffic using Cisco Stealthwatch. An alert is generated indicating a large volume of data being transferred from a critical server to an external IP address during off-hours. The analyst observes that the data transfer is using encrypted HTTPS traffic to a cloud storage provider. The server is known to host sensitive customer data. The analyst reviews the server's outbound firewall rules and finds that HTTPS traffic to any destination is allowed. The analyst checks the server's recent login logs and sees an authentication from a user account that is typically used by a contractor who only works during business hours. The contractor's account has not been disabled after the contract ended last week. What should the analyst do first?

A.Ignore the alert because the traffic is encrypted and cannot be inspected.
B.Immediately block the external IP address at the firewall to stop the data transfer.
C.Investigate the alert further by checking the server for any signs of malware or unauthorized access, and then escalate to the incident response team.
D.Disable the contractor's user account and notify the IT manager.
AnswerC

This is the correct first action. The analyst should collect additional evidence (e.g., process lists, network connections, file system changes) to confirm the incident. Only after validation should escalation and containment occur, following the incident response plan.

Why this answer

The correct first step is to investigate the alert further to confirm whether it is a genuine security incident. Option C is correct because it follows established incident response procedures: gather more evidence (e.g., check for malware, unauthorized access) before taking containment or eradication actions. Prematurely blocking the IP (B) could disrupt legitimate business operations if the transfer is authorized.

Disabling the account (D) is a valid remediation step but should occur after confirming the incident and as part of a coordinated response. Ignoring the alert (A) is dangerous because encryption does not automatically indicate benign activity; exfiltration often uses HTTPS to evade detection.

575
MCQmedium

A network analyst is troubleshooting a false positive alert from an IPS that blocks traffic to a legitimate database server. The alert signature is triggered by the pattern 'OR 1=1'. The analyst determines that the traffic is from a web application that uses dynamic SQL queries. Which action best reduces false positives while maintaining security?

A.Increase the sensitivity of the signature
B.Add the database server IP to an exception list
C.Change the signature to alert-only mode
D.Disable the signature entirely
AnswerB

Whitelisting known good traffic reduces false positives.

Why this answer

Option B is correct because adding the database server IP to an exception list allows the IPS to ignore traffic matching the 'OR 1=1' pattern specifically when it is destined for the legitimate database server. This preserves security by continuing to block the same pattern when it targets other servers, while eliminating the false positive caused by the web application's dynamic SQL queries. Whitelisting by destination IP is a targeted exception that does not weaken overall detection.

Exam trap

Cisco often tests the distinction between 'reducing false positives' and 'reducing security' — candidates mistakenly choose alert-only mode (option C) thinking it stops the blocking, but fail to realize it also stops blocking real attacks, which is not a security-maintaining action.

How to eliminate wrong answers

Option A is wrong because increasing the sensitivity of the signature would make it trigger on even more benign traffic, worsening the false positive problem. Option C is wrong because changing the signature to alert-only mode would stop blocking the false positive but would also prevent the IPS from blocking actual SQL injection attacks using the same pattern, reducing security. Option D is wrong because disabling the signature entirely removes protection against all 'OR 1=1' attacks across the network, which is an overreaction to a single false positive.
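The difference between a destination-scoped exception and alert-only mode can be shown with a minimal signature engine. The following Python is an added example, not the question bank's or any IPS vendor's code: one signature carrying the 'OR 1=1' pattern is evaluated three ways (untuned, with the database server's IP excepted, and in alert-only mode) against constructed requests. The addresses, the signature id and the payloads are assumptions.

```python
"""Minimal IPS signature with a destination-scoped exception (added example).

Packets, addresses and the signature id are constructed for illustration.
"""
import re


class Signature:
    def __init__(self, sid, pattern, action="drop", exempt_dst=()):
        self.sid = sid
        self.pattern = re.compile(pattern, re.IGNORECASE)
        self.action = action                       # "drop" (block) or "alert" (alert-only mode)
        self.exempt_dst = frozenset(exempt_dst)    # destinations excepted for THIS sid only

    def evaluate(self, pkt):
        """Return 'pass', 'alert' or 'drop' for one packet dict with 'dst' and 'payload'."""
        if not self.pattern.search(pkt["payload"]):
            return "pass"
        if pkt["dst"] in self.exempt_dst:
            return "pass"                          # tuned: exempt only the known-good destination
        return self.action


DB_SERVER = "10.20.0.15"   # the legitimate database server from the scenario (constructed IP)
OTHER_HOST = "10.20.0.99"  # another internal host that should keep full protection

# Constructed traffic: the web app's dynamic SQL to the DB (the false positive), an
# injection attempt aimed at another host, and ordinary traffic that matches nothing.
PACKETS = [
    {"dst": DB_SERVER, "payload": "SELECT id FROM users WHERE active=1 OR 1=1 LIMIT 10"},
    {"dst": OTHER_HOST, "payload": "GET /login?user=admin' OR 1=1-- HTTP/1.1"},
    {"dst": OTHER_HOST, "payload": "GET /index.html HTTP/1.1"},
]
SQLI_PATTERN = r"\bOR\s+1\s*=\s*1\b"


def decisions(sig, packets=PACKETS):
    return [sig.evaluate(p) for p in packets]


def compare_tunings():
    """Decisions under the untuned rule, the destination exception, and alert-only mode."""
    return {
        "untuned": decisions(Signature(1000001, SQLI_PATTERN)),
        "exception_for_db": decisions(Signature(1000001, SQLI_PATTERN, exempt_dst={DB_SERVER})),
        "alert_only": decisions(Signature(1000001, SQLI_PATTERN, action="alert")),
    }


if __name__ == "__main__":
    for name, result in compare_tunings().items():
        print(f"{name:17s} {result}")
```

The middle row is the point of option B: the database server's traffic passes, while the same payload aimed at any other host is still dropped. Alert-only mode clears the false positive too, but it also lets the injection attempt through, which is why it does not maintain security.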

576
MCQhard

A company's security policy requires that all network devices be managed using SSHv2. An auditor finds that some older switches are still using Telnet. The network team claims they cannot upgrade due to budget constraints. What is the best immediate action to mitigate risk?

A.Implement an ACL to restrict Telnet access to only the management subnet.
B.Use SSHv1 as a compromise.
C.Create a VLAN for management and enforce Telnet only on that VLAN.
D.Implement port security on the switches.
E.Disable Telnet and rely on console access only.
AnswerA

Compensating control reduces attack surface.

Why this answer

Option A is correct because an ACL restricting Telnet to the management subnet reduces exposure. Option E is impractical for remote management. Option C still uses Telnet.

Option B uses insecure SSHv1. Option D (port security) is unrelated to the management protocol.

577
Multi-Selectmedium

A security analyst is investigating a potential data breach. The analyst identifies that the attacker used a technique to impersonate a legitimate user by spoofing the MAC address and IP address. Which TWO types of network attacks could involve these techniques? (Choose two.)

Select 2 answers
A.ARP spoofing
B.Denial of Service
C.DNS poisoning
D.IP spoofing
E.Phishing
AnswersA, D

ARP spoofing links an attacker's MAC to a legitimate IP.

Why this answer

ARP spoofing is correct because it involves an attacker sending forged ARP messages over a local network to associate their MAC address with the IP address of a legitimate user. This allows the attacker to intercept, modify, or redirect traffic intended for that user, effectively impersonating them at Layer 2.

Exam trap

Cisco often tests the distinction between IP spoofing (Layer 3) and ARP spoofing (Layer 2), and candidates may incorrectly assume that IP spoofing alone is sufficient for impersonation on a local network, forgetting that ARP resolution is required for actual traffic interception.

578
MCQmedium

In a Linux system, an analyst wants to check for unauthorized cron jobs. Which of the following is a common location for user-specific cron jobs?

A./var/log/cron
B./etc/cron.d/
C./etc/crontab
D./var/spool/cron/crontabs/
AnswerD

This directory contains crontab files for individual users.

Why this answer

User-specific cron jobs are stored in /var/spool/cron/crontabs/ (or /var/spool/cron/ on some distributions), named after the user.

579
MCQmedium

An organization uses STIX and TAXII to share threat intelligence with an ISAC. What is the purpose of TAXII in this scenario?

A.It stores threat intelligence locally
B.It is a platform for malware analysis
C.It provides a method to transport threat intelligence
D.It defines the format for threat indicators
AnswerC

TAXII is the transport mechanism.

Why this answer

TAXII is a protocol for exchanging STIX data.

580
MCQhard

A security analyst is evaluating risks and calculates that a threat has a likelihood of 0.5 and an impact of $200,000. What is the risk value?

A.$50,000
B.$100,000
C.$400,000
D.$200,000
AnswerB

Risk = likelihood × impact = 0.5 × $200,000 = $100,000.

Why this answer

The risk value is calculated by multiplying the likelihood (0.5) by the impact ($200,000), resulting in $100,000. This is the standard quantitative risk analysis formula used in security assessments to prioritize threats.

Exam trap

Cisco often tests the basic risk calculation formula (Risk = Likelihood × Impact) and the trap here is that candidates may mistakenly use the impact value alone or apply incorrect arithmetic, such as dividing instead of multiplying.

How to eliminate wrong answers

Option A is wrong because $50,000 would result from multiplying 0.25 by $200,000, not 0.5. Option C is wrong because $400,000 would result from multiplying 2.0 by $200,000, which is not a valid probability. Option D is wrong because $200,000 assumes a likelihood of 1.0, ignoring the 0.5 probability factor.

581
MCQ · medium

An analyst finds an unknown scheduled task on a Windows system that runs a PowerShell script at system startup. Which tool is best for examining the task's trigger and actions?

A. Services.msc
B. Event Viewer
C. Registry Editor
D. Task Scheduler
Answer: D

Task Scheduler allows inspection of all task properties.

Why this answer

Task Scheduler (taskschd.msc) provides a GUI to view all scheduled tasks, their triggers, and actions.

582
MCQ · hard

An analyst uses 'tshark -r capture.pcap -Y "http.request.method == POST"' to display only HTTP POST requests. This is an example of a:

A. Statistical filter
B. Read filter
C. Capture filter
D. Display filter
Answer: D

-Y applies a display filter to packets in the file.

Why this answer

The `-Y` flag in tshark applies a display filter, which operates on packets already read from the capture file. Display filters use a syntax based on protocol fields (e.g., `http.request.method == POST`) to show or hide packets in the output without altering the underlying capture data. This is distinct from capture filters, which discard packets at the kernel level before they are stored.

Exam trap

Cisco often tests the distinction between display filters (`-Y`) and capture filters (`-f`), trapping candidates who confuse the `-Y` flag with a capture filter because both can filter packets, but only capture filters discard data at the point of acquisition.

How to eliminate wrong answers

Option A is wrong because a statistical filter is not a standard tshark filter type; tshark offers capture, read, and display filters, but not a dedicated 'statistical filter' (statistics are generated via separate `-z` options). Option B is wrong because a read filter is applied with the `-R` flag (deprecated) or `-Y` in older contexts, but the official term for `-Y` is a display filter, and read filters are not a separate category in current Wireshark/tshark documentation. Option C is wrong because a capture filter uses the `-f` flag and BPF syntax (e.g., `tcp port 80`) to limit which packets are captured or read from a file; the `-Y` flag does not discard packets from the capture, it only filters the display.

583
MCQ · hard

Refer to the exhibit. What does this packet capture indicate?

A. SYN flood
B. Port scan
C. Session hijack
D. Normal HTTP traffic
Answer: B

The pattern matches a TCP connect scan.

Why this answer

The packet capture shows multiple TCP SYN packets sent to a single host (10.10.10.10) targeting different ports (80, 443, 22, 21) with no subsequent ACK or RST responses. This pattern is characteristic of a port scan, specifically a SYN scan, where the attacker sends SYN packets to probe for open ports without completing the three-way handshake.

Exam trap

Cisco often tests the distinction between a SYN flood (volume-based attack on a single port) and a SYN scan (probing multiple ports), where candidates mistakenly associate any SYN traffic with a flood rather than recognizing the multi-port pattern as reconnaissance.

How to eliminate wrong answers

Option A is wrong because a SYN flood involves sending a high volume of SYN packets to a single port to exhaust server resources, not probing multiple ports. Option C is wrong because session hijacking requires an established TCP session with sequence number prediction, which is absent here. Option D is wrong because normal HTTP traffic would show completed three-way handshakes (SYN, SYN-ACK, ACK) and subsequent data transfer, not isolated SYN packets to multiple ports.

584
MCQ · hard

Refer to the exhibit. A host-based analysis tool outputs a JSON report. Which persistence mechanism is being used?

A. Windows Service
B. Startup Folder
C. Registry Run Key
D. Scheduled Task
Answer: C

The HKLM...Run key is a common startup persistence location.

Why this answer

The JSON report shows a registry key modification under `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`, which is a standard Registry Run Key. This key automatically launches the specified executable (`C:\Users\malware\app.exe`) at user logon, making it a persistence mechanism. The `"Value":"C:\\Users\\malware\\app.exe"` confirms the payload path, and the key name `"MaliciousService"` is irrelevant to the actual mechanism.

Exam trap

Cisco often tests the distinction between registry-based persistence (Run keys) and service-based persistence, where candidates mistakenly associate the word 'Service' in a key name with a Windows Service, but the actual mechanism is determined by the registry path, not the value name.

How to eliminate wrong answers

Option A is wrong because a Windows Service requires installation via `sc create` or the Service Control Manager, and the JSON shows no `ImagePath` under `SYSTEM\CurrentControlSet\Services` or `Start` type values; a Run key is not a service. Option B is wrong because the Startup Folder uses a shortcut file in `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`, not a registry key; the JSON explicitly references a registry path. Option D is wrong because a Scheduled Task is defined in `\Windows\System32\Tasks` or via `schtasks.exe` with XML triggers, not a simple registry value under `Run`; the JSON lacks task-specific fields like `Triggers` or `Actions`.

585
MCQ · medium

In a PCAP, an analyst sees a large outbound data transfer over FTP to an external IP address during non-business hours. The source host is a database server. Which phase of the Cyber Kill Chain does this represent?

A. Installation
B. Actions on Objectives
C. Weaponization
D. Exploitation
Answer: B

Exfiltration is an action on objectives.

Why this answer

The Cyber Kill Chain's 'Actions on Objectives' phase is where the attacker achieves their ultimate goal, such as exfiltrating data. In this scenario, a large outbound FTP transfer from a database server to an external IP during non-business hours directly indicates data theft, which is the final objective of the intrusion. FTP (port 21/20) is used here as the exfiltration protocol, moving sensitive data out of the network.

Exam trap

Cisco often tests the distinction between 'Actions on Objectives' and 'Exploitation' by presenting a post-compromise activity (like data exfiltration) and expecting candidates to recognize it as the final phase, not the initial breach.

How to eliminate wrong answers

Option A is wrong because 'Installation' refers to deploying malware or a backdoor on the target system, not to the actual data exfiltration seen here. Option C is wrong because 'Weaponization' is the phase where the attacker creates a deliverable payload (e.g., coupling an exploit with a dropper), which occurs before delivery and exploitation. Option D is wrong because 'Exploitation' is the phase where a vulnerability is triggered to gain initial access, not the post-compromise data theft activity.

586
Multi-Select · easy

In the Cyber Kill Chain, which TWO phases occur after the attacker establishes command and control (C2)?

Select 2 answers
A. Exploitation
B. Lateral movement
C. Weaponisation
D. Installation
E. Actions on objectives
Answers: B, E

Lateral movement can occur after C2 to reach more systems.

Why this answer

After establishing command and control (C2), the attacker typically performs lateral movement to pivot within the network and then executes actions on objectives, such as data exfiltration or system disruption. In the Cyber Kill Chain, the phases following C2 are lateral movement and actions on objectives, as the attacker uses the C2 channel to explore the environment and achieve their end goal.

Exam trap

Cisco often tests the order of the Cyber Kill Chain phases, and the trap here is confusing 'installation' (which occurs before C2) with 'lateral movement' (which occurs after C2), leading candidates to incorrectly select installation as a post-C2 phase.

587
Multi-Select · medium

Which TWO of the following are essential components of an effective security policy framework according to Cisco best practices?

Select 2 answers
A. A high-level security policy that defines management's intent.
B. A network diagram showing all security devices.
C. Standards that define mandatory rules for technology use.
D. A password policy that specifies minimum length and complexity.
E. A log analysis procedure for detecting anomalies.
Answers: A, C

This is the top-level document that sets direction.

Why this answer

A high-level security policy is essential because it defines management's intent, establishes the organization's security philosophy, and provides the authoritative foundation for all subordinate policies, standards, and procedures. According to Cisco best practices, this top-tier document must be approved by senior leadership and sets the strategic direction for the entire security program, ensuring alignment with business objectives and regulatory requirements.

Exam trap

Cisco often tests the distinction between policy framework components (high-level intent and mandatory standards) versus operational or procedural documents, leading candidates to mistakenly select specific technical controls (like password policies or log procedures) as essential framework elements.

588
MCQ · hard

A network analyst finds a PCAP with a series of DNS queries for subdomains like "data12345.example.com" and "data67890.example.com" where the subdomain names appear to contain encoded base64 data. This pattern suggests:

A. Port scan via DNS
B. Normal DNS resolution
C. DGA-based C2
D. DNS tunnelling for exfiltration
Answer: D

Encoding data in subdomains for exfiltration is DNS tunnelling.

Why this answer

DNS exfiltration encodes data in subdomain names to bypass security controls, as DNS is often allowed through firewalls.

589
MCQ · easy

An analyst receives an alert for 'ET WEB_SERVER Possible SQL Injection Attempt' triggered by a URL parameter containing ' OR 1=1--'. After investigating, the analyst confirms that the web application is not vulnerable to SQL injection and the request was a benign test. How should this alert be classified?

A. False positive
B. True negative
C. False negative
D. True positive
Answer: A

The alert triggered but no attack occurred, so false positive.

Why this answer

The alert triggered but there was no actual attack, so it is a false positive.

590
MCQ · easy

Which security concept describes the potential for a threat to exploit a vulnerability, and is often expressed as a combination of likelihood and impact?

A. Risk
B. Exploit
C. Threat
D. Vulnerability
Answer: A

Risk = likelihood × impact.

Why this answer

Risk is the probability and potential damage from a threat exploiting a vulnerability.

591
MCQ · medium

During a host-based analysis, an analyst discovers a suspicious service on a Windows machine. Which tool or command can be used to query the service configuration?

A. reg query
B. sc query
C. schtasks
D. tasklist
Answer: B

sc query displays service status and configuration.

Why this answer

The 'sc' command-line tool (Service Control) can query and modify services. 'sc query' shows the status, and 'sc qc' shows the configuration.

592
MCQ · easy

Which OSI layer is targeted by a TCP SYN flood attack?

A. Layer 7 - Application
B. Layer 4 - Transport
C. Layer 3 - Network
D. Layer 2 - Data Link
Answer: B

TCP is at the Transport layer, so a SYN flood targets Layer 4.

Why this answer

A TCP SYN flood attack targets the Transport layer (Layer 4) because it exploits the TCP three-way handshake mechanism. The attacker sends a high volume of SYN packets with spoofed source IP addresses, causing the server to allocate resources for half-open connections that never complete, exhausting its connection queue.

Exam trap

Cisco often tests the distinction between the layer where the vulnerability exists (Layer 4, TCP) versus the layer where the packet is encapsulated (Layer 3, IP), leading candidates to mistakenly choose Layer 3 because the attack uses IP packets.

How to eliminate wrong answers

Option A is wrong because Layer 7 (Application) deals with application protocols like HTTP, FTP, and DNS; a SYN flood does not involve application-layer payloads or logic. Option C is wrong because Layer 3 (Network) handles IP routing and addressing; while the attack uses IP packets, the vulnerability lies in the TCP handshake at Layer 4. Option D is wrong because Layer 2 (Data Link) manages MAC addresses and frame delivery on a local network segment; a SYN flood operates above this layer, targeting TCP state management.

593
MCQ · medium

A security analyst is investigating a potential data breach. They need to preserve evidence for legal proceedings. Which action should the analyst take to ensure the integrity of the data?

A. Run antivirus scans on the affected system
B. Use a write blocker when creating a forensic image
C. Delete suspicious files to contain the threat
D. Copy files to a network share without write protection
Answer: B

Write blockers prevent any writes to the source drive.

Why this answer

Write-blocking ensures original data is not altered during forensic acquisition.

594
Multi-Select · medium

A security analyst is reviewing logs to identify a potential brute force attack. Which TWO log entries would be most suspicious? (Choose TWO.)

Select 2 answers
A. Successful login from IP 10.0.0.9 after 50 failed attempts.
B. A single successful login from a known IP during business hours.
C. A failed login attempt from an external IP at 3:00 AM.
D. 50 failed login attempts from IP 10.0.0.9 within 2 minutes.
E. A user changing their password after a successful login.
Answers: A, D

Success after many failures strongly indicates a successful brute force.

Why this answer

Option A is correct because a successful login immediately following 50 failed attempts from the same IP is a classic indicator of a brute force attack that eventually succeeded. This pattern shows an attacker systematically trying credentials until one works, which is a high-severity security event requiring immediate investigation.

Exam trap

Cisco often tests the distinction between a single failed login and a pattern of repeated failures, tricking candidates into thinking any failed login is suspicious, when in fact only a high volume of failures from the same source indicates a brute force attempt.

595
MCQ · medium

A security analyst is investigating a potential data exfiltration incident. The analyst notices that a large amount of data has been sent to an external IP address over port 443 during non-business hours. The company uses a proxy server that logs all outbound connections. Which action should the analyst take first to validate the suspicion?

A. Immediately block the external IP address at the firewall.
B. Run a packet capture on the internal server to analyze the payload.
C. Check the proxy logs to see the destination IP and user agent string.
D. Notify the security team lead and wait for further instructions.
Answer: C

Proxy logs provide details about the connection and can help identify if the traffic is suspicious.

Why this answer

Option C is correct because proxy logs contain the destination IP and user agent string, which are critical for validating whether the external IP is legitimate or malicious. By checking these logs first, the analyst can correlate the outbound connection with known threat intelligence or anomalous user agents without disrupting operations or consuming resources on unnecessary packet captures.

Exam trap

Cisco often tests the candidate's ability to prioritize log analysis over reactive actions, and the trap here is that candidates may jump to blocking the IP (Option A) or escalating (Option D) without first using available logs to validate the suspicion.

How to eliminate wrong answers

Option A is wrong because immediately blocking the external IP at the firewall could disrupt legitimate business traffic if the IP is later found to be benign, and it bypasses the validation step needed to confirm exfiltration. Option B is wrong because running a packet capture on the internal server is resource-intensive and may not be feasible if the server is remote or the traffic is already encrypted over TLS (port 443), making payload analysis ineffective without decryption keys. Option D is wrong because notifying the security team lead and waiting for further instructions delays the investigation and violates the principle of first validating the suspicion with available logs before escalating.

596
MCQ · medium

An analyst is investigating a PCAP file and wants to reconstruct a conversation between two hosts. Which Wireshark filter would be most appropriate to follow the entire TCP stream?

A. tcp.stream eq 0
B. dns.qry.name
C. ip.addr == 10.0.0.1
D. http.request
Answer: A

tcp.stream reconstructs the TCP stream.

Why this answer

The 'tcp.stream' filter allows the analyst to follow and reconstruct the full TCP conversation.

597
MCQ · easy

Refer to the exhibit. An analyst runs tasklist /SVC on a suspected host. Which process is most suspicious?

A. svchost.exe with PID 1500
B. svchost.exe with PID 1240
C. notmalware.exe with PID 2300
D. svchost.exe with PID 1780
Answer: C

Unusual name and no services; likely malware disguised.

Why this answer

Option C is correct because 'notmalware.exe' is a deliberately suspicious process name that does not correspond to any legitimate Windows system binary. The tasklist /SVC command displays processes and their associated services; a process named 'notmalware.exe' is a clear indicator of potential malware attempting to disguise itself with an ironic name, whereas svchost.exe is a legitimate Windows host process for services.

Exam trap

Cisco often tests the misconception that multiple svchost.exe processes are inherently suspicious, when in fact Windows normally runs many svchost instances, and the real red flag is a process with a clearly fabricated name like 'notmalware.exe'.

How to eliminate wrong answers

Option A is wrong because svchost.exe with PID 1500 is a legitimate Windows system process that hosts multiple services; its presence alone is not suspicious without additional indicators like unusual parent process or high resource usage. Option B is wrong because svchost.exe with PID 1240 is also a normal svchost instance; multiple svchost.exe processes are expected in Windows as each hosts one or more services. Option D is wrong because svchost.exe with PID 1780 is another legitimate svchost instance; the tasklist /SVC output shows these are associated with standard services, making them not inherently suspicious.

598
MCQ · hard

An analyst captures traffic and sees a high number of DNS queries for random subdomains under a single domain, all returning NXDOMAIN. This pattern is typical of which malicious activity?

A. DNS cache poisoning
B. DNS amplification attack
C. DNS tunneling
D. Domain generation algorithm (DGA) activity
Answer: D

DGA malware generates many random subdomains to bypass domain blacklists.

Why this answer

Option D is correct because a high volume of DNS queries for random subdomains under a single domain, all returning NXDOMAIN, is a classic indicator of Domain Generation Algorithm (DGA) activity. Malware uses DGA to generate thousands of pseudo-random domain names to contact a command-and-control (C2) server; the NXDOMAIN responses indicate that the generated domains are not yet registered or have been sinkholed.

Exam trap

Cisco often tests the distinction between DGA activity and DNS tunneling by emphasizing that DGA generates random, unresolvable subdomains (NXDOMAIN), while tunneling uses structured subdomains that typically receive valid responses (e.g., TXT records) to exfiltrate data.

How to eliminate wrong answers

Option A is wrong because DNS cache poisoning (e.g., a Kaminsky attack) injects forged DNS records into a resolver's cache to redirect traffic, not generate random subdomain queries that all return NXDOMAIN. Option B is wrong because a DNS amplification attack uses open resolvers to send large responses to a victim's spoofed IP, characterized by high traffic volume and large response sizes, not by random subdomain queries with NXDOMAIN replies. Option C is wrong because DNS tunneling encodes data (e.g., exfiltrated files) within DNS queries and responses, typically using structured subdomains and receiving non-NXDOMAIN replies (e.g., TXT records), not random subdomains that all fail resolution.

599
MCQ · hard

Which type of attack does this Snort alert most likely indicate?

A. Buffer overflow
B. SQL injection
C. Directory traversal
D. Cross-site scripting
Answer: C

Unicode bypass of './' and '../' filters is a known directory traversal technique.

Why this answer

The Snort alert signature 'ET WEB_SERVER ATTACKS Directory Traversal Attempt' specifically detects patterns like '../' or encoded variants (e.g., '%2e%2e%2f') in HTTP requests. This indicates an attempt to access files outside the web root directory, which is the hallmark of a directory traversal attack. The alert triggers on the URI path, not on SQL syntax or script injection patterns.

Exam trap

Cisco often tests the ability to distinguish between web application attacks by focusing on the specific payload pattern in the alert signature, where candidates confuse directory traversal with SQL injection or XSS because all three involve HTTP requests.

How to eliminate wrong answers

Option A is wrong because a buffer overflow attack typically triggers alerts based on oversized payloads or specific shellcode patterns (e.g., NOP sleds, long strings in protocol fields), not directory traversal strings. Option B is wrong because SQL injection alerts would match SQL keywords like 'UNION', 'SELECT', or 'OR 1=1' in query parameters, not path traversal sequences. Option D is wrong because cross-site scripting alerts detect script tags (e.g., '<script>', 'onerror=') or encoded JavaScript in user input, not '../' path manipulation.

600
MCQ · hard

An organization uses Cisco Stealthwatch for network traffic analysis. The analyst observes a sudden increase in traffic from a workstation to multiple external IPs on port 443. The traffic pattern shows consistent packet sizes of 1500 bytes, and the destination IPs are spread across different geographic regions. Which type of activity is most likely indicated?

A. VoIP call initiation.
B. Normal web browsing activity.
C. A DDoS attack originating from the workstation.
D. Data exfiltration via HTTPS.
Answer: D

Consistent large packets and many destinations suggest exfiltration.

Why this answer

The consistent 1500-byte packet size indicates maximum-sized TCP segments, which is atypical for interactive web browsing but common when data is being padded to fill MTU for efficient exfiltration. Cisco Stealthwatch detects this anomalous volumetric pattern to external IPs on HTTPS (port 443) as a sign of data exfiltration, where an internal host sends large, uniform chunks of data to multiple external destinations to evade detection.

Exam trap

Cisco often tests the misconception that any traffic to multiple external IPs on port 443 is normal web browsing, but the trap here is the consistent 1500-byte packet size, which is a key indicator of data exfiltration rather than typical HTTPS activity.

How to eliminate wrong answers

Option A is wrong because VoIP call initiation uses protocols like SIP (port 5060/5061) or RTP (dynamic ports), not HTTPS on port 443, and VoIP traffic typically shows variable packet sizes with small, frequent packets for voice codecs. Option B is wrong because normal web browsing generates a mix of packet sizes (e.g., small ACKs, variable HTTP responses) and does not produce a sustained stream of maximum-sized 1500-byte packets to numerous geographically diverse IPs. Option C is wrong because a DDoS attack originating from the workstation would target a single or few destinations with high-volume traffic, not multiple external IPs, and the workstation would be the attacker, not the victim; Stealthwatch would flag this as a compromised host generating outbound attack traffic, but the pattern of uniform packet sizes to many IPs is more characteristic of data exfiltration.
