Cisco CyberOps Associate 200-201 (200-201) — Questions 601-675

985 questions total · 14 pages · All types, answers revealed

Page 9 of 14
601
MCQeasy

During a host-based analysis of a Windows system, an analyst finds a suspicious executable that runs every time the system boots. Which registry key is most commonly used for this type of persistence?

A.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\AppInit_DLLs
B.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
C.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Image File Execution Options
D.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
AnswerD

This is the standard Run key for system-wide startup programs.

Why this answer

The Run keys under HKLM and HKCU (HKLM\Software\Microsoft\Windows\CurrentVersion\Run and its HKCU counterpart) launch every listed program at each boot or logon, which is why malware so often writes an entry there for persistence. RunOnce (option B) deletes its entries after a single execution, so it does not fit "every time the system boots"; AppInit_DLLs and Image File Execution Options are real persistence and hijack locations, but neither is the standard startup key the question asks for.

602
MCQhard

In a PCAP, an analyst sees an interactive shell session over TCP with irregular command prompts and responses. Which tool was likely used to generate this traffic?

A.File transfer tool
B.Port scanner
C.Reverse shell payload
D.SQL injection tool
AnswerC

Interactive shell over TCP is characteristic of a reverse shell.

Why this answer

Reverse shells create interactive shell sessions over a TCP connection, often used by attackers to control compromised hosts.

603
Multi-Selecthard

Which TWO of the following are best practices when configuring a SIEM correlation rule to detect lateral movement?

Select 2 answers
A.Include a time window to limit the correlation to a few minutes between events.
B.Exclude the source IP address from the correlation to focus on user identity.
C.Use only a single log source, such as domain controller logs, to simplify the rule.
D.Set the rule to trigger on any Event ID 4624 (successful logon) regardless of type.
E.Correlate successful logons across different systems from the same user within a short time window.
AnswersA, E

Reduces false positives from normal activity.

Why this answer

Option A is correct because a short time window (for example, 5 minutes) restricts the correlation to events that occur close together. Lateral movement shows up as a burst of logons as the attacker pivots from one host to the next, often with tools such as PsExec, WMI or RDP; without a window the rule would pair logons that are hours apart and fire constantly on ordinary administration. Option E is correct because the actual lateral-movement signal is the same account authenticating to several different systems within that window, so the rule needs host, user and timestamp from the logon events rather than any one field alone. Filtering 4624 to the remote logon types (3, network; 10, RemoteInteractive) and baselining accounts that legitimately fan out, such as backup or monitoring service accounts, cuts false positives further.

Exam trap

Cisco often tests the misconception that any successful logon (Event ID 4624) is suspicious, when in fact only specific logon types and patterns (e.g., multiple logons from the same user across different systems in a short time) indicate lateral movement.

604
MCQmedium

A network administrator is implementing a new security policy that requires all employees to use multi-factor authentication (MFA) when accessing email from external networks. However, several employees report that they cannot receive SMS codes while traveling internationally. Which design change best balances security and usability?

A.Allow the use of authenticator apps that generate time-based one-time passwords (TOTP).
B.Allow email access without MFA from trusted countries.
C.Provide hardware tokens to all traveling employees.
D.Disable MFA for users who travel frequently.
AnswerA

TOTP apps work offline and are a common alternative to SMS.

Why this answer

Option A is correct because TOTP authenticator apps (e.g., Google Authenticator, Microsoft Authenticator) generate one-time passwords locally on the user's device without requiring cellular network connectivity. This solves the international SMS delivery problem while maintaining strong MFA security, as the TOTP algorithm (RFC 6238) uses a shared secret and the current time to produce codes that are valid for a short window (typically 30 seconds).

Exam trap

Cisco often tests the difference between an SMS code, which is a possession factor that depends on carrier delivery to reach the user, and a TOTP app, which is a possession factor that computes the code on the device itself. Candidates who treat SMS as the only phone-based 'something you have' miss that TOTP supplies the same factor with no network dependency, and that SMS is also the weaker choice because of SIM-swap and interception risks (NIST SP 800-63B classes SMS and other PSTN out-of-band authenticators as 'restricted').

How to eliminate wrong answers

Option B is wrong because allowing email access without MFA from 'trusted countries' violates the core policy of requiring MFA for all external access and offers no protection against accounts being abused from within those regions (or through a VPN exit located there). Option C is wrong in the context of the question: hardware tokens are a strong factor, but issuing, managing and replacing them for every traveller is heavy logistics compared with an app, and FIDO or smart-card style tokens also depend on USB or NFC support on whatever device the traveller happens to use. Option D is wrong because disabling MFA for frequent travellers removes the second factor entirely from exactly the accounts that authenticate from the widest range of untrusted networks, exposing them to credential theft.

605
MCQhard

A mid-sized financial firm has a segmented network with a DMZ hosting a web server, an internal network with a database server, and an employee LAN. The security infrastructure includes a next-generation firewall (NGFW) with IPS, an endpoint detection and response (EDR) solution, and a SIEM. Over the past week, the SIEM has generated alerts for unusual outbound connections from the database server to an external IP address 198.51.100.33 on TCP port 443 during non-business hours. The EDR shows no malware on the database server, but a process named 'sqlsrv.exe' (the legitimate SQL Server process) is making these connections. The server's file integrity monitoring indicates that the sqlsrv.exe file has not been modified, but a memory dump reveals injected code that appears to be a reverse shell. The firewall logs show that the outbound connections are allowed because they match an existing rule permitting the database server to reach external update servers. The IP 198.51.100.33 is not on any threat intelligence feed as malicious, but it is geolocated to a country with known cybercrime activity. Which action should the security analyst take FIRST?

A.Isolate the database server from the network immediately to prevent data exfiltration.
B.Contact the software vendor to verify the digital signature of sqlsrv.exe.
C.Add a firewall rule to block outbound connections to 198.51.100.33.
D.Run a full antivirus scan on the database server using an updated signature database.
AnswerA

Containment is the first step in incident response to stop the attack.

Why this answer

The presence of injected reverse shell code in the memory of the legitimate sqlsrv.exe process indicates that the database server is actively compromised, regardless of the file integrity or EDR results. The immediate priority is to contain the threat by isolating the server from the network to prevent data exfiltration or lateral movement, as per incident response best practices (NIST SP 800-61).

Exam trap

The trap here is that candidates focus on the unchanged file hash or lack of malware alerts and choose a slower investigative step (like scanning or vendor contact), instead of recognizing that memory-resident code injection is an active compromise requiring immediate isolation.

How to eliminate wrong answers

Option B is wrong because verifying the digital signature of sqlsrv.exe is irrelevant; the file itself is unmodified, but the attack is via code injection into the running process, not file tampering. Option C is wrong because adding a firewall rule to block only the specific IP 198.51.100.33 is insufficient; the attacker could easily switch to a different C2 IP, and the immediate containment action should be network isolation. Option D is wrong because running a full antivirus scan is a secondary step; the EDR already shows no malware, and the attack is memory-resident (injected code), which may evade signature-based scans, so isolation must come first.

606
MCQmedium

A Windows system's security log shows Event ID 4720 followed by 4726 for the same username within minutes. What does this sequence indicate?

A.A user changed their password.
B.The account was successfully logged on.
C.A group membership was changed.
D.An account was created and then deleted, possibly for short-term unauthorized access.
AnswerD

Account creation then deletion is suspicious and indicative of a throwaway account.

Why this answer

Event ID 4720 ('A user account was created') followed within minutes by 4726 ('A user account was deleted') for the same account is the signature of a throwaway account: created to perform a task and removed to shrink the audit trail. The events in between for that account (4732 or 4728 group additions, 4624 logons, 4672 special privileges assigned) show what it was used for and should be pulled into the investigation.
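To make both rules concrete, here is an added Python example (not from the original page) that runs the lateral-movement correlation from question 603 and the create-then-delete sequence from question 606 over a constructed list of normalised Windows Security events. The field names (time, id, user, host, logon_type), the thresholds and the sample records are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the shape a SIEM normalises Windows Security
# events into (not real logs). Times are UTC.
EVENTS = [
    {"time": "2024-03-04T02:10:05", "id": 4624, "user": "svc_backup", "host": "FS01", "logon_type": 3},
    {"time": "2024-03-04T02:10:41", "id": 4624, "user": "svc_backup", "host": "DB02", "logon_type": 3},
    {"time": "2024-03-04T02:11:20", "id": 4624, "user": "svc_backup", "host": "WEB03", "logon_type": 10},
    {"time": "2024-03-04T02:12:02", "id": 4624, "user": "svc_backup", "host": "DC01", "logon_type": 3},
    {"time": "2024-03-04T09:00:00", "id": 4624, "user": "alice", "host": "WS17", "logon_type": 2},
    {"time": "2024-03-04T09:00:30", "id": 4624, "user": "alice", "host": "WS17", "logon_type": 7},
    {"time": "2024-03-04T13:00:00", "id": 4624, "user": "bob", "host": "WS22", "logon_type": 3},
    {"time": "2024-03-04T17:30:00", "id": 4624, "user": "bob", "host": "FS01", "logon_type": 3},
    {"time": "2024-03-04T03:05:00", "id": 4720, "user": "tmpadm", "host": "DC01", "logon_type": None},
    {"time": "2024-03-04T03:09:30", "id": 4726, "user": "tmpadm", "host": "DC01", "logon_type": None},
    {"time": "2024-03-04T11:00:00", "id": 4720, "user": "newhire", "host": "DC01", "logon_type": None},
]

LATERAL_LOGON_TYPES = {3, 10}  # network and RemoteInteractive (RDP) logons


def _ts(event):
    return datetime.fromisoformat(event["time"])


def lateral_movement(events, window=timedelta(minutes=5), min_hosts=3):
    """Rule for Q603: one account logging on to >= min_hosts distinct systems
    within `window`, counting only remote logon types. Returns (user, hosts)."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] in LATERAL_LOGON_TYPES:
            by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=_ts)
        for i, start in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if _ts(x) - _ts(start) <= window}
            if len(hosts) >= min_hosts:
                hits.append((user, tuple(sorted(hosts))))
                break  # one alert per user
    return hits


def create_then_delete(events, window=timedelta(minutes=10)):
    """Rule for Q606: 4720 (account created) followed by 4726 (account deleted)
    for the same account within `window`. Returns (user, seconds_alive)."""
    created = {}
    hits = []
    for e in sorted(events, key=_ts):
        if e["id"] == 4720:
            created[e["user"]] = _ts(e)
        elif e["id"] == 4726 and e["user"] in created:
            age = _ts(e) - created.pop(e["user"])
            if age <= window:
                hits.append((e["user"], int(age.total_seconds())))
    return hits


if __name__ == "__main__":
    print(lateral_movement(EVENTS))    # svc_backup across DB02, DC01, FS01, WEB03
    print(create_then_delete(EVENTS))  # tmpadm created and deleted 270 s apart
```

Note what does not fire: alice's interactive and unlock logons (types 2 and 7) on one workstation, and bob's two network logons hours apart, are both ordinary activity that a rule without the logon-type filter and the time window would have alerted on.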

607
MCQhard

During a PCAP analysis, a security analyst notices an HTTP request with the URI parameter 'id=1 UNION SELECT username,password FROM users--'. What is the most likely attack being attempted?

A.Command injection
B.Cross-site scripting (XSS)
C.Directory traversal
D.SQL injection
AnswerD

UNION SELECT is a classic SQL injection technique to combine query results.

Why this answer

The presence of UNION and SELECT keywords in a URL parameter indicates a SQL injection attempt, where the attacker tries to extract data from a database.
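As an added example, not part of the original page, the following Python does what the analyst does by eye: it URL-decodes each query parameter in a request line and tests the normalised value against a few SQL injection patterns, including the UNION SELECT and comment terminator from the question, so that encoded or comment-obfuscated variants are caught too. The request lines are constructed, and the pattern set is illustrative, not a complete WAF rule base.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed HTTP request lines as they might appear in a reassembled HTTP
# stream from a PCAP (not real traffic). The last one hides the payload
# behind inline comments and URL encoding.
REQUESTS = [
    "GET /item.php?id=1%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1",
    "GET /item.php?id=42 HTTP/1.1",
    "GET /search?q=shoes&page=2 HTTP/1.1",
    "GET /item.php?id=1'%20OR%20'1'%3D'1 HTTP/1.1",
    "GET /item.php?id=1/**/UNION/**/SELECT/**/1,2,3%23 HTTP/1.1",
]

# Patterns are applied to a normalised value: decoded, comments stripped,
# whitespace collapsed, lower-cased.
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\b(\s+all)?\s+select\b"),
    "comment_terminator": re.compile(r"(--|#|/\*)\s*$"),
    "tautology": re.compile(r"'\s*or\s*'[^']*'\s*=\s*'"),
    "stacked_query": re.compile(r";\s*(drop|insert|update|delete|exec)\b"),
}


def normalise(value: str) -> str:
    """Decode twice (catches double encoding), replace inline comments with
    spaces so /**/ cannot split keywords, collapse whitespace, lower-case."""
    v = unquote(unquote(value))
    v = re.sub(r"/\*.*?\*/", " ", v)
    v = re.sub(r"\s+", " ", v).strip()
    return v.lower()


def inspect_request(line: str):
    """Return (parameter, rule) findings for one HTTP request line."""
    _method, target, _version = line.split(" ", 2)
    findings = []
    # parse_qsl already performs one round of percent-decoding and '+' handling
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        norm = normalise(raw)
        for rule, pattern in SQLI_PATTERNS.items():
            if pattern.search(norm):
                findings.append((name, rule))
    return findings


def triage(lines):
    """Map each suspicious request line to its findings; clean lines are omitted."""
    results = {}
    for line in lines:
        findings = inspect_request(line)
        if findings:
            results[line] = findings
    return results


if __name__ == "__main__":
    for line, findings in triage(REQUESTS).items():
        print(findings, line)
```

The normalisation step is the part worth copying: a signature that looks for the literal string "UNION SELECT" in the raw URI misses `%20`, `+`, `/**/` and double-encoded variants, all of which decode to the same query.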

608
MCQmedium

During alert triage, an analyst determines that an alert was triggered by legitimate administrative activity. How should this alert be classified?

A.True negative
B.False negative
C.True positive
D.False positive
AnswerD

Correct. Legitimate activity causing an alert is a false positive.

Why this answer

A false positive is when an alert is triggered but no actual attack occurred.

609
MCQeasy

In the MITRE ATT&CK framework, TTPs are mapped to:

A.Vulnerability databases
B.Compliance standards
C.Network protocols
D.Real-world threat groups
AnswerD

Correct. TTPs are associated with specific groups.

Why this answer

MITRE ATT&CK maps adversary tactics, techniques, and procedures to real-world threat groups.

610
Multi-Selectmedium

Which TWO of the following are best practices for configuring syslog to ensure reliable security event logging?

Select 2 answers
A.Use UDP for faster transmission and lower overhead.
B.Enable debug-level logging for all devices to capture maximum detail.
C.Disable log filtering to ensure all messages are sent.
D.Use TCP (port 514) instead of UDP for log transmission.
E.Configure syslog to send logs to at least two different servers.
AnswersD, E

TCP provides acknowledgment and retransmission, ensuring delivery.

Why this answer

Option D is correct because syslog over TCP is connection-oriented: the sender learns whether the collector accepted the data and retransmits lost segments, whereas UDP syslog (RFC 5426, port 514) silently drops messages under congestion or when the collector is down. TCP syslog conventionally uses port 514 as well (RFC 6587 documents the practice, although IANA's TCP/514 assignment is the old rsh service), and syslog over TLS (RFC 5425) uses port 6514 and adds confidentiality and server authentication. Option E is correct because a single collector is a single point of failure; forwarding to at least two servers (or to a local relay with a disk-assisted queue) preserves evidence if one collector is unreachable or is tampered with by an attacker trying to erase their tracks.

Exam trap

Cisco often tests the misconception that UDP is always preferred for syslog because of its lower overhead; for security event logging the exam favors reliability (TCP) over speed. The other trap is debug-level logging: it is a troubleshooting setting, not a monitoring baseline, and enabling it everywhere can saturate device CPU and console output, flood the collector and bury the security-relevant messages in noise.

611
MCQeasy

A company's data classification policy defines "Confidential" data. Which of the following is an example of Confidential data?

A.Public marketing brochures
B.Customer payment card information
C.Company cafeteria menu
D.Employee phone numbers
AnswerB

Such data is sensitive and protected by regulations, thus Confidential.

Why this answer

Customer payment card information (cardholder data such as the PAN) is classified as Confidential because it is subject to regulatory compliance (PCI DSS) and its unauthorized disclosure could cause significant financial or reputational harm. Confidential data typically includes personally identifiable information (PII), financial records, and trade secrets that require strict access controls and encryption at rest and in transit.

Exam trap

Cisco often tests the distinction between 'Confidential' and 'Internal' data, where candidates mistakenly classify any non-public information (like employee phone numbers) as Confidential, ignoring the higher sensitivity and regulatory impact required for Confidential classification.

How to eliminate wrong answers

Option A is wrong because public marketing brochures are intended for unrestricted distribution and contain no sensitive information, so they fall under Public or Unclassified data. Option C is wrong because a company cafeteria menu is operational, non-sensitive information that poses no risk if disclosed, typically classified as Internal or Public. Option D is wrong because employee phone numbers, while possibly considered internal, are often classified as Internal or Private but not Confidential unless combined with other sensitive data; they lack the regulatory or financial impact that defines Confidential data.

612
Multi-Selectmedium

Which TWO security concepts are fundamental to the principle of least privilege? (Choose two.)

Select 2 answers
A.Role-based access control (RBAC)
B.Mandatory access control (MAC)
C.Need-to-know
D.Separation of duties
E.Defense in depth
AnswersA, C

RBAC implements least privilege by assigning permissions to roles.

Why this answer

Role-based access control (RBAC) is fundamental to the principle of least privilege because it assigns permissions based on job functions rather than individual users, ensuring users receive only the access necessary for their roles. The 'need-to-know' concept restricts access to information strictly required for a user's tasks, directly enforcing least privilege by limiting data exposure. Together, RBAC provides a scalable framework for access management, while need-to-know ensures granular data-level control.

Exam trap

Cisco often tests the distinction between 'need-to-know' (a least privilege concept) and 'separation of duties' (a fraud-prevention concept), causing candidates to mistakenly select separation of duties because both involve limiting access, but only need-to-know directly enforces least privilege.

613
MCQmedium

A security engineer reviews syslog data and sees multiple authentication failures from a single source IP to different SSH servers. The source IP is internal. What does this indicate?

A.Brute-force attack
B.User error
C.Misconfigured client
D.Network scan
AnswerA

Repeated failed attempts from one source to multiple targets is a classic brute-force pattern.

Why this answer

Multiple authentication failures from a single internal source IP to different SSH servers is a classic indicator of a brute-force attack. The attacker is systematically attempting to guess credentials across multiple targets, which is distinct from a single misconfiguration or user error. This pattern is commonly seen in post-compromise lateral movement or initial foothold attempts within the network.

Exam trap

Cisco often tests the distinction between a network scan (which only checks for open ports) and an actual authentication attack (which generates syslog auth failures), causing candidates to confuse the two.

How to eliminate wrong answers

Option B is wrong because user error typically results in repeated failures to a single server (e.g., mistyped password), not to multiple different SSH servers from the same IP. Option C is wrong because a misconfigured client would likely fail authentication to a specific server due to key mismatch or protocol version, not generate failures across multiple distinct servers. Option D is wrong because a network scan (e.g., using Nmap) would probe for open ports (TCP 22) without attempting SSH authentication, so it would not produce authentication failure logs.

614
Multi-Selecthard

An analyst is investigating a security incident where an attacker gained access to a server by exploiting a known vulnerability. The attacker then moved laterally and exfiltrated data. Which THREE phases of the Cyber Kill Chain are evident in this scenario? (Choose three.)

Select 3 answers
A.Reconnaissance
B.Exploitation
C.Weaponization
D.Installation
E.Actions on Objectives
AnswersB, D, E

Exploiting a known vulnerability to gain access.

Why this answer

Exploiting the known vulnerability to gain access is the Exploitation phase. The attacker's continued presence on the server, the foothold from which they moved laterally, corresponds to Installation, and lateral movement together with data exfiltration belongs to Actions on Objectives. Reconnaissance and Weaponization precede the intrusion and are not described in the scenario.

615
MCQeasy

An analyst notices a series of SYN packets sent to a host at increasing speed, with no SYN-ACK replies. What kind of attack is this?

A.SYN flood
B.SSL stripping
C.ARP spoofing
D.Smurf attack
AnswerA

SYN flood exploits the TCP handshake by sending many SYN packets.

Why this answer

A SYN flood exploits the TCP three-way handshake by sending a rapid stream of SYN segments, usually from spoofed source addresses, and never completing the handshake. The target allocates a half-open connection entry for every SYN and sends a SYN-ACK to the claimed source; the final ACK never arrives, so the backlog fills and legitimate clients are refused. Note that SYN-ACKs come from the target, not the attacker: a capture showing no SYN-ACKs at all usually means the target's backlog is already exhausted, or that the replies are going to spoofed addresses the capture point does not see. Either way, a high-rate stream of SYNs with no completed handshakes is the hallmark of this state-exhaustion denial-of-service technique.

Exam trap

Cisco often tests the distinction between a SYN flood (TCP handshake exhaustion) and a Smurf attack (ICMP broadcast amplification), so candidates mistakenly associate any flood of packets with ICMP-based attacks rather than recognizing the specific TCP SYN behavior described.

How to eliminate wrong answers

Option B is wrong because SSL stripping is a man-in-the-middle attack that downgrades HTTPS connections to HTTP, not a network-layer flood using SYN packets. Option C is wrong because ARP spoofing involves sending forged ARP replies to associate the attacker's MAC address with a legitimate IP, enabling traffic interception, not a flood of TCP SYN segments. Option D is wrong because a Smurf attack uses ICMP echo requests sent to a broadcast address with a spoofed source IP, causing all hosts on the network to reply to the victim, which is an ICMP-based amplification attack, not a TCP SYN-based flood.

616
MCQeasy

During which phase of the NIST SP 800-61 Rev 2 incident response process should an organization develop and exercise the incident response plan?

A.Preparation
B.Post-Incident Activity
C.Detection and Analysis
D.Containment, Eradication, and Recovery
AnswerA

Preparation is the first phase where the IR plan, team, and tools are established and exercised.

Why this answer

Preparation includes creating the IR plan, team, tools, and conducting exercises. The other phases occur after an incident is detected.

617
MCQeasy

Which protocol and port combination is used by SNMP for receiving traps?

A.TCP 161
B.UDP 161
C.UDP 162
D.TCP 162
AnswerC

UDP 162 is the standard SNMP trap port.

Why this answer

SNMP traps are unsolicited notifications sent from an SNMP agent to the network management system (NMS) to report significant events. The agent sends them to UDP port 162 on the NMS, as set out in RFC 1157 for SNMPv1 and kept by later versions. UDP is used because traps are small, one-way messages; SNMPv1 traps are unacknowledged, while SNMPv2c and SNMPv3 add the INFORM message, which the NMS acknowledges, for cases where delivery confirmation matters.

Exam trap

Cisco often tests the distinction between UDP port 161 (for SNMP queries) and UDP port 162 (for SNMP traps), and the trap here is that candidates confuse the port numbers or incorrectly assume SNMP uses TCP for traps due to familiarity with TCP-based protocols like HTTP or SSH.

How to eliminate wrong answers

Option A is wrong because manager-to-agent requests (GET, GETNEXT, SET) use UDP port 161, not TCP; an SNMP-over-TCP mapping exists (RFC 3430) but is rarely deployed and has nothing to do with the trap port. Option B is wrong because UDP port 161 is the agent's request/response port, not the port on which the NMS receives traps. Option D is wrong because traps are sent to UDP port 162 by default; TCP's connection setup is unnecessary overhead for one-way notifications.

618
MCQhard

An organization is implementing monitoring for encrypted traffic without decrypting it. Which approach would be most effective for detecting malicious activity?

A.Deploy SSL/TLS inspection to decrypt traffic
B.Use NetFlow analysis to identify unusual connection patterns
C.Monitor SNMP traffic from endpoints
D.Block all encrypted traffic except from known good sources
AnswerB

NetFlow metadata can indicate malicious behavior even in encrypted traffic.

Why this answer

NetFlow analysis examines metadata (source/destination IPs, ports, protocols, byte counts) without decrypting the payload. Unusual patterns like beaconing to a known C2 server, data exfiltration via non-standard ports, or unexpected volumetric flows can indicate malicious activity even when the traffic is encrypted. This approach preserves privacy and compliance while still enabling threat detection through behavioral anomalies.

Exam trap

Cisco often tests the distinction between 'monitoring without decryption' and 'decryption-based inspection'—the trap is that candidates assume encrypted traffic is invisible to security tools, but metadata analysis (NetFlow) can reveal malicious patterns without ever seeing the plaintext.

How to eliminate wrong answers

Option A is wrong because SSL/TLS inspection decrypts the traffic, which violates the requirement to monitor without decrypting and introduces privacy, compliance, and performance overhead. Option C is wrong because SNMP traffic is used for network device management (e.g., polling OIDs for interface stats, CPU load) and does not provide visibility into encrypted session metadata or connection patterns between endpoints. Option D is wrong because blocking all encrypted traffic except from known good sources is overly restrictive, breaks legitimate encrypted services (e.g., HTTPS, VPNs), and is not a monitoring approach—it is an access control policy that fails to detect malicious activity within allowed encrypted flows.

619
MCQeasy

Which Windows Event ID is recorded when a user account is created, indicating potential unauthorized account creation?

A.4726
B.4648
C.4624
D.4720
AnswerD

4720 indicates account creation.

Why this answer

Event ID 4720 is logged when a user account is created in Active Directory or local SAM.

620
MCQmedium

An analyst observes repeated TCP SYN packets to various ports on a target IP with no SYN-ACK responses. What type of scan is most likely being performed?

A.UDP scan
B.Ping sweep
C.SYN scan
D.TCP connect scan
AnswerC

Correct. SYN scan sends SYN packets and does not complete the handshake.

Why this answer

A SYN scan (Nmap's default -sS) sends a SYN to each target port and classifies the port from the reply: SYN-ACK means open (the scanner answers with RST rather than finishing the handshake), RST means closed, no reply means filtered. Many SYNs from one source to many ports on one host, with few or no SYN-ACKs, fits a scan of mostly closed or filtered ports; the handshake is never completed, which is what distinguishes it from a TCP connect scan.

621
Multi-Selectmedium

Which THREE of the following are best practices for creating and maintaining security policies? (Choose three.)

Select 3 answers
A.Develop policies in isolation by the security team.
B.Obtain approval from senior management.
C.Provide training on policies to all employees.
D.Review and update policies annually.
E.Store policies in a secure location accessible only to security staff.
AnswersB, C, D

Management support is critical for enforcement.

Why this answer

Option B is correct because security policies require executive endorsement to ensure organization-wide compliance and resource allocation. Senior management approval establishes authority and accountability, making the policy enforceable across all departments, not just IT; without this buy-in, policies lack the organizational weight needed for disciplinary action or budget justification. Option C is correct because a policy nobody has read is unenforceable: awareness training turns the document into behavior and makes sanctions defensible. Option D is correct because threats, technology and regulations change; a fixed review cycle (annual at minimum, plus after major incidents or architecture changes) keeps the policy accurate and demonstrably maintained for auditors.

Exam trap

Cisco often tests the misconception that security policies should be restricted to security staff only, but the correct approach is that policies must be accessible to all employees to ensure awareness and compliance.

622
MCQeasy

An organization's security policy specifies that all configuration changes must be approved through a change management process. An analyst discovers that a firewall rule was added without approval. What is the appropriate action?

A.Remove the rule immediately.
B.Change the policy to allow emergency changes without approval.
C.Report the unauthorized change to management.
D.Document the change and ignore it.
E.Analyze the rule to see if it's needed, then either approve or remove.
AnswerC

Policy requires reporting violations.

Why this answer

Option C is correct because the policy defines how changes must be made, and a change that bypassed that process is a policy violation management must know about; reporting also starts the investigation into who added the rule and why, since an unapproved firewall rule is a common trace of either an insider shortcut or an attacker opening a path. Option A is premature: removing the rule without impact analysis could break a production service or destroy evidence, and the analyst does not own that decision. Option B changes the policy to fit the violation instead of addressing it. Option D conceals a policy breach. Option E has the analyst approve or remove the rule on their own authority, which is exactly the unilateral change the process exists to prevent; that assessment belongs to the change process after the report is made.

623
Multi-Selectmedium

A SOC analyst is investigating a potential data exfiltration incident. Which TWO indicators from NetFlow/IPFIX analysis would most strongly suggest data exfiltration?

Select 2 answers
A.Consistent traffic at regular intervals to an external IP
B.Connection to an IP address flagged as malicious in threat intelligence
C.Multiple connection attempts to various ports on the same external IP
D.High volume of data transferred to a single external IP address
E.Low volume of traffic to multiple external IPs
AnswersB, D

Communicating with a known malicious IP suggests data being sent to an attacker-controlled server.

Why this answer

Unusually high traffic volume to a single external destination (option D, a large transfer) and communication with an IP that threat intelligence flags as malicious (option B, a likely C2 or drop server) are the strongest indicators. Option A (small flows at regular intervals) is characteristic of beaconing, which shows command-and-control but not necessarily data leaving the network. Option C (many ports on the same external IP) is port-scan behavior, outbound reconnaissance rather than exfiltration. Option E (low volume to many external IPs) is what ordinary web browsing looks like.

624
Multi-Selectmedium

Which TWO of the following are typically included in a security policy's scope statement?

Select 2 answers
A.Threat intelligence sources to be used
B.Encryption algorithms to be used
C.List of systems and networks covered
D.User roles and responsibilities affected
E.Minimum password length requirements
AnswersC, D

Scope identifies which assets are covered.

Why this answer

The scope statement of a security policy defines the boundaries of the policy's applicability. Option C is correct because explicitly listing the systems and networks covered ensures that all stakeholders understand which assets fall under the policy's requirements, preventing gaps or overlaps in security controls. Option D is correct because the scope also states who the policy binds: which user roles, departments, contractors or third parties must comply, so that responsibilities are assigned and no population can claim the policy does not apply to them.

Exam trap

Cisco often tests the distinction between a policy's scope (what it covers) and the specific technical controls or standards that implement the policy, so candidates mistakenly select granular technical details like encryption algorithms or password lengths as part of the scope statement.

625
MCQmedium

A security analyst is using NetFlow data to investigate a potential data exfiltration incident. Which NetFlow metric is most useful for identifying large volumes of data being transferred to an external IP address?

A.Source port
B.Destination IP
C.Bytes transferred
D.Packet count
AnswerC

High byte counts to an external IP may indicate exfiltration.

Why this answer

Option C is correct because the 'Bytes transferred' metric in NetFlow directly quantifies the volume of data sent to a specific destination IP. In a data exfiltration scenario, an unusually high byte count to an external IP is a strong indicator of large-scale data transfer, whereas other metrics like source port or packet count do not directly measure data volume.
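The following Python is an added example (not from the original page) covering questions 618, 623 and 625: it aggregates constructed NetFlow-style records by internal source and external destination, flags high byte totals, and separately flags regular low-volume intervals so that beaconing is not mistaken for exfiltration. It also shows the packet-count trap in numbers: the DNS pair has more packets than the browsing pair but fewer bytes. The internal address ranges, thresholds and records are assumptions.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed NetFlow v5-style records (not real data):
# (flow start, src, dst, dst port, bytes, packets)
FLOWS = [
    # bulk transfer from the DB server to one external host overnight
    ("2024-03-04T02:00:00", "10.1.20.5", "203.0.113.10", 443, 650_000_000, 480_000),
    ("2024-03-04T02:20:00", "10.1.20.5", "203.0.113.10", 443, 720_000_000, 530_000),
    ("2024-03-04T02:40:00", "10.1.20.5", "203.0.113.10", 443, 610_000_000, 450_000),
    # beacon: tiny flows to one host every 300 s
    ("2024-03-04T09:00:00", "10.1.30.7", "198.51.100.7", 443, 1_200, 12),
    ("2024-03-04T09:05:00", "10.1.30.7", "198.51.100.7", 443, 1_180, 12),
    ("2024-03-04T09:10:00", "10.1.30.7", "198.51.100.7", 443, 1_210, 12),
    ("2024-03-04T09:15:00", "10.1.30.7", "198.51.100.7", 443, 1_190, 12),
    # many small DNS packets: high packet count but low bytes
    ("2024-03-04T10:00:00", "10.1.30.7", "192.0.2.53", 53, 900_000, 9_000),
    ("2024-03-04T10:30:00", "10.1.30.7", "192.0.2.53", 53, 850_000, 8_500),
    # ordinary browsing
    ("2024-03-04T11:00:00", "10.1.30.9", "203.0.113.80", 443, 2_500_000, 2_100),
    # internal-to-internal, must not count as exfiltration
    ("2024-03-04T11:05:00", "10.1.30.9", "10.1.20.5", 1433, 900_000_000, 700_000),
]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def bytes_by_external_dst(flows):
    """Aggregate the metric Q625 points at: bytes (not packets) per external
    destination, keyed by (internal source, external destination)."""
    totals = defaultdict(lambda: {"bytes": 0, "packets": 0, "flows": 0})
    for _, src, dst, _, nbytes, npackets in flows:
        if is_external(dst):
            t = totals[(src, dst)]
            t["bytes"] += nbytes
            t["packets"] += npackets
            t["flows"] += 1
    return dict(totals)


def exfil_candidates(flows, min_bytes=1_000_000_000):
    """High-volume pairs: total bytes to a single external host above threshold."""
    return sorted(pair for pair, t in bytes_by_external_dst(flows).items()
                  if t["bytes"] >= min_bytes)


def beacon_candidates(flows, min_flows=4, max_cv=0.2):
    """Regular-interval traffic, the pattern Q623 separates from exfiltration:
    flags pairs whose inter-flow gaps have a coefficient of variation
    (stdev / mean) at or below max_cv."""
    starts = defaultdict(list)
    for ts, src, dst, _, _, _ in flows:
        if is_external(dst):
            starts[(src, dst)].append(datetime.fromisoformat(ts))
    hits = []
    for pair, times in starts.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits.append(pair)
    return sorted(hits)


if __name__ == "__main__":
    print(exfil_candidates(FLOWS))   # the DB server to 203.0.113.10
    print(beacon_candidates(FLOWS))  # 10.1.30.7 to 198.51.100.7 every 300 s
```

Beaconing and bulk exfiltration need different thresholds and usually different responses, which is why the two checks are separate functions rather than one score.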

Exam trap

Cisco often tests the misconception that packet count is equivalent to data volume, but the trap here is that packet count ignores packet size, making bytes transferred the definitive metric for data volume in exfiltration analysis.

How to eliminate wrong answers

Option A is wrong because the source port is typically a random ephemeral port (e.g., 49152-65535) used for the session and does not indicate data volume or exfiltration intent. Option B is wrong because while the destination IP identifies where data is sent, it alone does not measure the amount of data transferred; a single IP could receive both normal and exfiltration traffic. Option D is wrong because packet count does not account for packet size; a high packet count with small packets (e.g., DNS queries) could be benign, whereas a low packet count with large packets (e.g., 1500-byte MTU) could indicate exfiltration.

626
MCQeasy

An analyst notices that a host is sending large amounts of data to an external IP address on TCP port 22 during non-business hours. What is the most likely activity?

A.Remote administration
B.DNS query
C.FTP file transfer
D.Data exfiltration via SSH
AnswerD

SSH on port 22 can be used to tunnel data out.

Why this answer

SSH (TCP port 22) is commonly used for secure remote administration, but the scenario describes large data transfers to an external IP during non-business hours, which is a classic indicator of data exfiltration. Attackers often use SSH tunneling to bypass security controls and exfiltrate data because SSH encrypts the traffic, making it difficult for network monitoring tools to inspect the payload. The combination of high volume, external destination, and off-hours activity strongly suggests malicious data theft rather than legitimate administrative tasks.

Exam trap

Cisco often tests the misconception that SSH is only used for remote administration, causing candidates to overlook the data exfiltration angle when large data transfers occur on port 22 during suspicious hours.

How to eliminate wrong answers

Option A is wrong because remote administration via SSH typically involves interactive sessions or small control commands, not large data transfers; legitimate admins would also likely operate during business hours. Option B is wrong because DNS queries use UDP/TCP port 53, not port 22, and are small packets for name resolution, not bulk data transfer. Option C is wrong because FTP file transfer uses TCP ports 20 and 21, not port 22; while SFTP (SSH File Transfer Protocol) runs over SSH, the question specifies 'FTP file transfer' which refers to the standard FTP protocol.

627
MCQhard

In a risk management process, after identifying risks, the next step is to determine the potential impact and likelihood. This is known as:

A.Risk acceptance
B.Risk mitigation
C.Risk assessment
D.Risk transfer
AnswerC

Risk assessment quantifies impact and likelihood to prioritize risks.

Why this answer

After risks have been identified, the next step in the risk management process is to evaluate their potential impact and likelihood. This evaluation is formally known as risk assessment (or risk analysis), which quantifies or qualifies the risk level so that treatment decisions can be prioritized. In the context of the 200-201 exam, risk assessment is the subject of NIST SP 800-30 (Guide for Conducting Risk Assessments), which feeds the Risk Management Framework described in NIST SP 800-37.

Exam trap

Cisco often tests the order of the risk management process steps, and the trap here is confusing risk assessment (the evaluation step) with risk mitigation (the treatment step), leading candidates to select 'Risk mitigation' because they think of 'doing something about the risk' immediately after identification.

How to eliminate wrong answers

Option A is wrong because risk acceptance is a risk treatment strategy where an organization acknowledges the risk and chooses to tolerate it without active mitigation, not the step of determining impact and likelihood. Option B is wrong because risk mitigation involves implementing controls to reduce the risk level (e.g., deploying a firewall or patching a vulnerability), which occurs after the risk assessment has been completed. Option D is wrong because risk transfer shifts the financial burden of a risk to a third party (e.g., purchasing cyber insurance), which is also a post-assessment treatment decision, not the evaluation of impact and likelihood.

628
Multi-Selecthard

Which THREE actions are mandatory in the evidence handling process according to standard forensic procedures?

Select 3 answers
A.Document the chain of custody
B.Delete any malware found immediately
C.Use a write blocker when imaging
D.Create a forensic image of the device
E.Reboot the device to clear temporary files
AnswersA, C, D

Required to maintain integrity and admissibility.

Why this answer

Options A, C, and D are mandatory: documenting the chain of custody, using a write blocker when imaging, and creating a forensic image. Option E (rebooting) is avoided to preserve evidence. Option B (deleting malware) destroys evidence.

629
MCQmedium

During an intrusion analysis, an analyst identifies that an attacker used a domain generation algorithm (DGA) to resolve C2 domains. Which of the following traffic patterns is most consistent with DGA?

A.Multiple DNS queries to algorithmically generated domains that result in NXDOMAIN responses
B.Large DNS responses indicating amplification
C.DNS queries to a single domain with high frequency
D.DNS queries with long TTL values
AnswerA

DGA generates many domains, most of which don't exist, causing NXDOMAIN.

Why this answer

DGA generates many random-looking domains, many of which will be non-existent (NXDOMAIN) as the attacker cycles through them.

630
MCQeasy

A security analyst reviews an alert from the IPS that shows a spike in TCP SYN packets from an external IP to multiple internal hosts on port 443. What is the most likely attack type?

A.SYN flood
B.Port scanning
C.Man-in-the-middle
D.DNS amplification
AnswerA

A SYN flood sends many TCP SYN packets to exhaust resources.

Why this answer

A SYN flood attack exploits the TCP three-way handshake by sending a high volume of SYN packets to multiple hosts without completing the handshake, exhausting server resources. The alert describes a spike in TCP SYN packets from an external IP to multiple internal hosts on port 443, which matches the behavior of a distributed SYN flood targeting HTTPS services. This is the most likely attack because the IPS is detecting the initial connection attempts characteristic of a SYN flood.

Exam trap

Cisco often tests the distinction between a SYN flood and port scanning by emphasizing that a SYN flood targets multiple hosts on the same port, while port scanning targets multiple ports on a single host.

How to eliminate wrong answers

Option B is wrong because port scanning typically involves a single source sending SYN packets to multiple ports on a single host to discover open services, not to multiple hosts on the same port. Option C is wrong because a man-in-the-middle attack requires intercepting and potentially modifying traffic between two parties, which does not align with a spike in unsolicited SYN packets. Option D is wrong because DNS amplification attacks use spoofed source IPs to send small queries to open DNS resolvers, which then send large responses to the victim, and they rely on UDP, not TCP SYN packets.

631
MCQhard

A security analyst is reviewing a series of failed login attempts on a critical server. The logs show that the source IP addresses are from multiple geographic regions and the usernames tried are all valid employees. The attempts occur every 5 minutes for the past hour. According to the company's security policy, which type of attack is most likely occurring, and what is the best immediate response?

A.Password spraying; enforce multi-factor authentication immediately.
B.Credential stuffing; implement rate limiting.
C.Brute-force attack; add the IPs to a blocklist.
D.Dictionary attack; reset all employee passwords.
AnswerA

Password spraying uses a few passwords against many users; MFA mitigates this effectively.

Why this answer

The attack pattern—valid usernames with low-frequency attempts from diverse IPs—is characteristic of password spraying, where an attacker tries a single common password against many accounts to avoid lockout thresholds. The best immediate response is to enforce multi-factor authentication (MFA), which renders the stolen or guessed password insufficient for access, mitigating the attack without relying on IP-based blocking that is ineffective against distributed sources.

Exam trap

Cisco often tests the distinction between password spraying and credential stuffing by focusing on the source of credentials—password spraying uses guessed common passwords, while credential stuffing uses stolen credential pairs from data breaches.

How to eliminate wrong answers

Option B is wrong because credential stuffing uses previously leaked username/password pairs from other breaches, not a single password tried across many valid usernames; rate limiting would help but is not the best immediate response as MFA directly neutralizes the credential misuse. Option C is wrong because a brute-force attack targets a single account with many password attempts, not multiple valid usernames from diverse IPs every 5 minutes; adding IPs to a blocklist is ineffective when the source IPs are numerous and geographically distributed. Option D is wrong because a dictionary attack tries many common passwords against a single account, not a single password across many accounts; resetting all employee passwords is disruptive and unnecessary when MFA can stop the attack immediately.

632
MCQeasy

A security administrator needs to ensure that data transmitted between a web browser and a web server is encrypted. Which technology should be implemented?

A.HTTPS
B.TLS
C.SSH
D.IPsec
AnswerB

TLS is the standard protocol for encrypting web traffic, used by HTTPS.

Why this answer

TLS (Transport Layer Security) is the correct technology because it operates at the transport layer and provides encryption for data in transit between a web browser and a web server. HTTPS is not a separate encryption protocol but rather HTTP over TLS, meaning TLS is the underlying technology that actually performs the encryption. Therefore, the question asks for the technology to implement, and TLS is the direct answer.

Exam trap

The trap here is that candidates see 'HTTPS' and assume it is the encryption technology itself, but Cisco tests the understanding that HTTPS is merely HTTP over TLS, and the actual encryption mechanism is TLS.

How to eliminate wrong answers

Option A (HTTPS) is wrong because HTTPS is not a standalone encryption technology; it is HTTP running on top of TLS (or SSL), so the actual encryption is provided by TLS, not HTTPS itself. Option C (SSH) is wrong because SSH is used for secure remote administration and file transfers (e.g., SFTP, SCP), not for encrypting standard web browser-to-web server HTTP traffic. Option D (IPsec) is wrong because IPsec operates at the network layer and is typically used for securing VPN tunnels between networks or hosts, not for encrypting individual web sessions between a browser and a server.

633
MCQhard

A host inside the network has a connection to a known malicious IP with TCP state TIME_WAIT. What is the most likely interpretation?

A.The host has finished its communication
B.The connection was terminated by the remote host
C.The host is being scanned
D.The host is actively infected and communicating
AnswerA

Correct. TIME_WAIT means the local side has sent FIN and received ACK, waiting for potential retransmission.

Why this answer

The TIME_WAIT TCP state indicates that the local host has initiated the closure of the connection and is waiting for any delayed packets to arrive before fully releasing the socket. This state is entered after the local host sends the final ACK in the four-way handshake, meaning the host has completed its communication with the remote IP. Therefore, the connection is finished, not ongoing.

Exam trap

Cisco often tests the misconception that TIME_WAIT implies ongoing activity or remote termination, when in fact it specifically indicates the local host has completed the connection closure.

How to eliminate wrong answers

Option B is wrong because TIME_WAIT is entered by the host that initiates the active close, not by the remote host; if the remote host terminated the connection, the local host would see CLOSE_WAIT or LAST_ACK states. Option C is wrong because a scanning tool typically uses SYN, SYN-ACK, or RST packets to probe ports, and TIME_WAIT is a normal termination state that does not indicate scanning activity. Option D is wrong because an active infection with ongoing communication would show ESTABLISHED state, not TIME_WAIT, which signifies that the TCP session has already been closed.

634
Multi-Selectmedium

During memory analysis using Volatility, an analyst suspects code injection. Which THREE commands would be most useful to identify injected code? (Select THREE)

Select 3 answers
A.malfind
B.pslist or pstree
C.netscan
D.dlllist or ldrmodules
E.hashdump
AnswersA, B, D

malfind scans for injected code or hidden memory regions.

Why this answer

malfind detects injected code, dlllist/ldrmodules show loaded modules anomalies, and pslist/pstree identify suspicious processes.

635
MCQhard

An analyst observes a large outbound FTP transfer to an external IP address from a server that normally does not generate such traffic. This is most likely an indicator of:

A.Persistence
B.Lateral movement
C.C2 communication
D.Exfiltration
AnswerD

Correct. Large outbound transfers are a key exfiltration indicator.

Why this answer

Data exfiltration often involves large transfers to external destinations not typical for the host.

636
MCQmedium

Refer to the exhibit. A network analyst sees repeated denied attempts from host 10.0.0.2 to 10.0.0.1 on port 23. Based on the log, what type of activity is most likely occurring?

A.DNS amplification attack
B.ARP spoofing
C.Brute force attempt on Telnet service
D.ICMP flood attack
AnswerC

Multiple connection attempts to port 23 (Telnet) from the same source indicate a brute force or scanning activity.

Why this answer

The log shows repeated denied attempts from host 10.0.0.2 to 10.0.0.1 on port 23, which is the default port for Telnet. Multiple failed connection attempts to a Telnet service indicate a brute force attack, where an attacker tries to guess credentials by repeatedly attempting to log in.

Exam trap

Cisco often tests the association of default port numbers with services (port 23 = Telnet) and expects candidates to recognize that repeated connection attempts to a login service indicate a brute force attack, not a flood or spoofing attack.

How to eliminate wrong answers

Option A is wrong because a DNS amplification attack uses spoofed source IPs to send small queries to open DNS resolvers, causing large responses to flood a victim; it does not involve repeated direct connections to port 23. Option B is wrong because ARP spoofing involves sending forged ARP replies to associate the attacker's MAC address with a legitimate IP, enabling man-in-the-middle attacks, not repeated Telnet login attempts. Option D is wrong because an ICMP flood attack overwhelms a target with ICMP echo request packets (ping floods), not with TCP connection attempts to port 23.

637
Multi-Selecteasy

An analyst is investigating a Linux system for persistence mechanisms. Which TWO of the following are common locations for cron-based persistence? (Select TWO)

Select 2 answers
A./var/spool/cron/crontabs/
B./etc/init.d/
C./etc/crontab
D./var/log/cron
E./etc/systemd/system/
AnswersA, C

User crontabs are stored here.

Why this answer

Crontabs for users are stored in /var/spool/cron/crontabs/ and system-wide cron jobs are in /etc/crontab.

638
Multi-Selecthard

An analyst is investigating a Windows system using prefetch files. The analyst notices a prefetch file for a tool called 'procdump.exe' with a run count of 1 and the last run time corresponding to the time of the incident. Which THREE conclusions can be drawn?

Select 3 answers
A.The parent process that launched the tool is identified
B.The tool was executed from a specific file path
C.The tool was executed at least once
D.The tool was executed with specific command-line arguments
E.The tool was executed only once (run count = 1)
AnswersB, C, E

Correct. Prefetch files contain the full path of the executable.

Why this answer

Prefetch shows evidence of execution, run count indicates how many times, and the path reveals the location. However, prefetch does not show the parent process or command-line arguments.

639
MCQhard

A security analyst is investigating an incident where an attacker successfully altered DNS records to redirect users to a fake website. Which attack occurred?

A.ARP spoofing
B.DNS poisoning
C.Man-in-the-Middle
D.Pharming
AnswerB

DNS poisoning alters DNS records to redirect traffic.

Why this answer

DNS poisoning corrupts DNS resolver caches to redirect traffic to malicious sites.

640
MCQhard

An organization needs to ensure that a document has not been altered and to verify the sender's identity. Which combination of cryptographic techniques should be used?

A.Digital signature and hashing
B.Digital signature and symmetric encryption
C.Symmetric encryption and hashing
D.Asymmetric encryption and hashing
AnswerA

Hashing verifies integrity; the digital signature authenticates the sender.

Why this answer

Hashing ensures integrity (detects changes), and digital signatures (asymmetric) provide authentication and non-repudiation.

641
MCQmedium

An analyst needs to configure syslog to forward logs from multiple network devices to a central SIEM. Which syslog severity level should be used to ensure security-relevant events are sent while minimizing bandwidth usage?

A.Level 0 (Emergency)
B.Level 7 (Debug)
C.Level 6 (Informational)
D.Level 4 (Warning)
AnswerD

Warning and above includes most security events while filtering noise.

Why this answer

Option D (Level 4, Warning) is correct because it captures security-relevant events such as authentication failures, configuration changes, and interface errors while filtering out lower-severity informational and debug messages. This balances visibility of potential threats with minimal bandwidth consumption, as Warning-level logs are typically concise and less frequent than lower severity levels.

Exam trap

Cisco often tests the misconception that higher severity (lower number) is always better for security, leading candidates to choose Emergency (Level 0) or Alert (Level 1), but the question explicitly asks to minimize bandwidth while ensuring security events are sent, so Warning (Level 4) is the optimal balance.

How to eliminate wrong answers

Option A is wrong because Level 0 (Emergency) is reserved for system-wide catastrophic failures (e.g., kernel panic) and is too rare to provide adequate security monitoring; relying on it would miss most security events. Option B is wrong because Level 7 (Debug) generates verbose, high-volume logs intended for troubleshooting, which would overwhelm bandwidth and storage, and is not suitable for production security forwarding. Option C is wrong because Level 6 (Informational) includes routine operational messages (e.g., interface up/down, normal user logins) that are not inherently security-relevant, leading to unnecessary bandwidth usage without focusing on actual threats.

642
MCQmedium

A company has implemented a role-based access control (RBAC) policy for its network devices. A network engineer needs temporary access to configure a router in a different region. According to the RBAC policy, what is the appropriate procedure?

A.Have the root password shared via encrypted email to the engineer
B.Use the shared admin account for the duration of the task
C.Ask another engineer with access to perform the configuration changes
D.Submit a request to the security team for temporary role elevation with a specified time limit
AnswerD

This follows the principle of least privilege with an approval workflow.

Why this answer

Option D is correct because RBAC policies require that any deviation from assigned roles, such as temporary access to a router in a different region, must be handled through a formal privilege elevation process. This typically involves submitting a request to the security team, who can grant temporary role elevation with a specified time limit, ensuring that access is auditable, time-bound, and revoked automatically. This aligns with the principle of least privilege and maintains the integrity of the RBAC model by avoiding permanent or shared credentials.

Exam trap

Cisco often tests the misconception that sharing credentials or using a shared admin account is acceptable for temporary access, when in reality RBAC mandates formal, auditable, and time-limited role elevation to maintain security and accountability.

How to eliminate wrong answers

Option A is wrong because sharing the root password, even via encrypted email, violates RBAC principles by granting permanent, unmonitored superuser access that bypasses role-based controls and audit trails. Option B is wrong because using a shared admin account undermines RBAC by making actions non-attributable (a non-repudiation problem) and lacks the time-bound, role-specific elevation required for temporary tasks. Option C is wrong because asking another engineer to perform the changes does not resolve the need for the requesting engineer to have direct access; it also introduces potential miscommunication and still requires the other engineer to have appropriate role elevation if they lack the required permissions.

643
MCQmedium

An analyst discovers an unknown process on a Windows host that has no parent process (PPID 0). What does this likely indicate?

A.The process is a child of the System Idle Process.
B.The process is likely hidden or injected by malware.
C.The process is a user-initiated task running normally.
D.The process is a legitimate system process started at boot.
AnswerB

PPID 0 is suspicious and may indicate the process was created by a kernel-mode component or rootkit.

Why this answer

A process with PPID 0 is unusual and may indicate a rootkit or direct kernel manipulation. Normal processes have a parent, except for the System Idle Process (PID 0).

644
Multi-Selecteasy

Which TWO types of data are commonly used for network forensics? (Choose two.)

Select 1 answer
A.Application code
B.Hard drive images
C.NetFlow records
D.Full packet captures
E.Network logs
AnswersE

Network logs capture events and are key for forensic analysis.

Why this answer

Network logs (E) are a primary source of evidence in network forensics because they record events such as authentication attempts, firewall actions, and system access. These logs provide a chronological trail of activity that can be correlated with other data to reconstruct an incident. They are commonly used due to their availability and the critical context they offer for identifying malicious behavior.

Exam trap

Cisco often tests the distinction between metadata-only sources (like NetFlow) and full-content sources (like packet captures and logs), leading candidates to incorrectly select NetFlow as a primary forensic data type when the question requires evidence with payload or detailed event context.

645
Multi-Selectmedium

Which three data sources are commonly used in a SIEM for threat hunting? (Choose three.)

Select 3 answers
A.Firewall logs.
B.Social media feeds.
C.Physical access logs.
D.NetFlow records.
E.DNS query logs.
AnswersA, D, E

Firewall logs show permitted and denied connections.

Why this answer

Firewall logs are a primary data source in SIEM for threat hunting because they record all allowed and denied traffic flows, including source/destination IPs, ports, and protocols. Analyzing these logs helps identify unauthorized access attempts, policy violations, and patterns indicative of lateral movement or data exfiltration.

Exam trap

Cisco often tests the distinction between direct log sources (firewall, NetFlow, DNS) and external threat intelligence or physical security logs, so candidates mistakenly include social media feeds or physical access logs as SIEM data sources.

646
MCQhard

Refer to the exhibit. An analyst configures an ACL to block traffic to a malicious host on port 443. After applying it inbound on the external interface, the analyst sees the ACL counters. What does the output indicate?

A.The ACL is working correctly; traffic to the malicious host is blocked.
B.The ACL is not blocking traffic because the deny line has 0 matches.
C.The ACL needs to be applied outbound to work.
D.The ACL is blocking all traffic because the permit line is never used.
AnswerB

Indicates the rule is not being hit; possible wrong direction.

Why this answer

Option B is correct because the ACL counters show 0 matches for the deny line that is intended to block traffic to the malicious host on port 443. This indicates that no traffic matching the deny condition has been processed by the ACL, meaning the rule is not being triggered. Since the ACL is applied inbound on the external interface, traffic from the external network destined for the malicious host should match the deny line if it is correctly configured; the 0 matches suggest the ACL is not blocking the intended traffic.

Exam trap

Cisco often tests the misconception that an ACL with 0 matches on a deny line is still blocking traffic, when in fact the counters prove the rule is not being hit, so the traffic is passing through unblocked.

How to eliminate wrong answers

Option A is wrong because the ACL counters show 0 matches on the deny line, which means traffic to the malicious host is not being blocked; the ACL is not working correctly. Option C is wrong because applying the ACL outbound would not change the fact that the deny line has 0 matches; the issue is with the ACL rule itself or the traffic not matching, not the direction. Option D is wrong because the permit line being unused does not indicate that all traffic is blocked; the ACL only blocks traffic matching the deny rule, and the permit line is a default implicit permit at the end of the ACL, not a configured line that would be counted.

647
MCQmedium

Refer to the exhibit. An analyst observes that the router's ACL is allowing all traffic to the web server at 192.168.1.100 on ports 80 and 443, but blocking all other TCP ports below 1024. However, the web server is also running an SSH service on port 22. What will happen to SSH traffic from the outside?

A.SSH will be permitted because of the last line 'permit ip any any'.
B.SSH will be denied because the ACL does not have an explicit permit for SSH.
C.SSH will be permitted because it is not blocked by any rule.
D.SSH will be denied because of the deny line range.
AnswerD

The deny line covers port 22, so SSH traffic is denied.

Why this answer

The ACL denies all TCP ports below 1024 except ports 80 and 443, which are explicitly permitted. Since SSH uses TCP port 22, which falls within the denied range (below 1024) and is not explicitly permitted, it is blocked by the deny line. The last line 'permit ip any any' only applies to traffic not already denied, but SSH traffic is already denied by the earlier rule, so it never reaches that permit statement.

Exam trap

Cisco often tests the misconception that a final 'permit ip any any' overrides earlier deny statements, when in fact ACLs stop processing after the first match, so traffic denied earlier never reaches the final permit.

How to eliminate wrong answers

Option A is wrong because the 'permit ip any any' line is processed only after the deny rules; since SSH traffic on port 22 is already denied by the explicit deny range, it never reaches the final permit. Option B is wrong because the ACL does not need an explicit deny for SSH; the deny line covering ports below 1024 implicitly blocks SSH port 22. Option C is wrong because SSH is blocked by the deny rule that covers all TCP ports below 1024 except those explicitly permitted (80 and 443).

648
MCQeasy

A security analyst is monitoring network traffic and notices a sudden increase in outbound connections from a single workstation to multiple IP addresses on port 443 at regular intervals. The workstation is used for standard office applications. Which action should the analyst take first?

A.Correlate the connections with firewall logs and endpoint telemetry
B.Immediately block all outbound traffic from the workstation
C.Escalate to the incident response team immediately
D.Isolate the workstation from the network
AnswerA

Correlation helps identify if the traffic is malicious or caused by legitimate software like updates or VoIP.

Why this answer

Option A is correct because the sudden increase in outbound connections to multiple IPs on port 443 (HTTPS) from a single workstation could indicate command-and-control (C2) traffic, data exfiltration, or a compromised system. The first step should be to correlate these connections with firewall logs and endpoint telemetry to gather contextual evidence—such as process names, parent processes, and connection durations—before taking any disruptive action. This aligns with the NIST incident response process (Preparation, Detection & Analysis, Containment, Eradication, Recovery) where analysis precedes containment.

Exam trap

Cisco often tests the candidate's understanding of the incident response process by presenting a plausible but premature containment action (like isolation or blocking) as a distractor, when the correct first step is always to gather and correlate evidence to confirm the threat.

How to eliminate wrong answers

Option B is wrong because immediately blocking all outbound traffic from the workstation is overly aggressive and could disrupt legitimate business operations, such as software updates or cloud application access, without confirming malicious intent. Option C is wrong because escalation to the incident response team should occur after initial analysis and triage, not as the first action; the analyst must first verify the anomaly to avoid false alarms. Option D is wrong because isolating the workstation from the network is a containment step that should be taken only after confirming malicious activity through correlation with logs and telemetry, as premature isolation can hinder forensic data collection and impact productivity.

649
MCQeasy

A security analyst analyzes an IDS alert that triggered on the string '/etc/passwd'. What type of signature is this?

A.Stateful signature
B.Composite signature
C.Atomic signature
D.Anomaly signature
AnswerC

Correct. An atomic signature triggers on a single packet or string pattern.

Why this answer

The string '/etc/passwd' is a single, fixed pattern that the IDS matches against a single packet payload. This is the definition of an atomic signature: it looks for a specific content string without requiring any state or context from previous packets. Option C is correct because the alert is triggered solely by the presence of that literal string in a packet, not by any sequence of events or statistical deviation.

Exam trap

Cisco often tests the distinction between atomic and stateful signatures by presenting a single-packet pattern and expecting candidates to recognize that no session tracking is involved, leading some to mistakenly choose 'stateful' because they associate '/etc/passwd' with a multi-step exploit.

How to eliminate wrong answers

Option A is wrong because a stateful signature tracks connection state (e.g., TCP handshake or session flags) and matches patterns across multiple packets, not a single static string. Option B is wrong because a composite signature combines multiple atomic or stateful conditions (e.g., pattern A AND pattern B) to trigger an alert, whereas this is a single condition. Option D is wrong because an anomaly signature uses baseline statistical models (e.g., traffic volume or protocol deviations) to detect outliers, not a fixed literal string like '/etc/passwd'.

650
Multi-Selectmedium

Which TWO are components of the NIST SP 800-61 Rev 2 Preparation phase? (Select two.)

Select 2 answers
A.Conducting lessons learned
B.Developing an incident response plan
C.Containing the incident
D.Creating an incident response team
E.Identifying indicators of compromise
AnswersB, D

The IR plan is a key output of Preparation.

Why this answer

Preparation includes developing the IR plan and creating the IR team.

651
MCQmedium

An analyst reviews the ACL applied to the outside interface of a router. The analyst notices that traffic from 192.168.1.0/24 to 10.10.10.10 on port 443 is permitted, but all other traffic is denied and logged. Which of the following is a potential security issue with this ACL?

A.The deny statement with logging may generate excessive logs, potentially masking attacks.
B.The ACL is applied inbound on the outside interface, which could allow external traffic.
C.The permit statement does not have logging enabled, so traffic is not monitored.
D.The ACL allows all traffic from 192.168.1.0/24 to 10.10.10.10 on any port.
AnswerA

Excessive logging can bury important alerts in noise.

Why this answer

The ACL has a single permit statement for traffic from 192.168.1.0/24 to 10.10.10.10 on port 443, followed by an implicit deny all that is logged. This means every packet that does not match the permit rule generates a log entry. In a production environment, even normal background noise (e.g., scans, broadcast traffic) can produce thousands of log messages per second, overwhelming syslog storage and masking malicious activity.

The core issue is that logging on the deny-all can cause log flooding, not that the permit lacks logging.

Exam trap

Cisco often tests the misconception that logging on a permit statement is necessary for monitoring, when in fact the critical security issue is that logging on a deny-all can cause log flooding that masks real attacks.

How to eliminate wrong answers

Option B is wrong because the ACL is applied to the outside interface, but the question does not specify inbound or outbound direction; even if inbound, the permit statement only allows traffic from a private RFC 1918 source (192.168.1.0/24), which should never originate from the outside, so the real issue is the logging volume, not the direction. Option C is wrong because logging on the permit statement is not required for security monitoring; the deny-all with logging already captures denied traffic, and enabling logging on the permit would add unnecessary overhead without addressing the log-flooding risk. Option D is wrong because the ACL explicitly restricts traffic to destination 10.10.10.10 on port 443 only, not any port; the statement 'permit tcp 192.168.1.0 0.0.0.255 host 10.10.10.10 eq 443' limits both destination IP and port.

652
MCQeasy

Refer to the exhibit. A network administrator is configuring TACACS+ on a switch. Based on the configuration snippet, what is the expected behavior if the TACACS+ server becomes unreachable?

A.Users cannot log in because TACACS+ is required.
B.Users can still log in using local credentials.
C.Users can log in but accounting logs are not generated.
D.The switch falls back to no authentication.
AnswerB

The command 'aaa authentication login default local' specifies that local authentication is used by default.

Why this answer

The configuration snippet shows the 'tacacs-server host' command together with an authentication method list that names 'local' after 'group tacacs+' ('aaa authentication login default group tacacs+ local'). With this method list, the switch tries the TACACS+ server first and moves to the next method, local authentication, only when the server does not respond. Option B is correct because the presence of 'local' in the authentication list means users can still log in with local credentials when the TACACS+ server becomes unreachable.

Exam trap

Cisco often tests the distinction between 'authentication failure' (server reachable but rejects credentials) and 'server unreachable' (no response), where fallback to local only occurs in the latter case when 'local' is explicitly configured as a secondary method.

How to eliminate wrong answers

Option A is wrong because the configuration includes 'local' as a fallback method, so TACACS+ is not required; if the server is unreachable, local authentication is used. Option C is wrong because accounting logs are generated by the 'aaa accounting' command, which is independent of authentication fallback; the question focuses on authentication behavior, not accounting. Option D is wrong because the switch does not fall back to no authentication; it explicitly falls back to local authentication as configured in the 'aaa authentication login default group tacacs+ local' command.

653
Multi-Selectmedium

A Windows Event Log analysis reveals Event ID 4720 and 4726 occurrences for the same account within a short time. Which TWO actions were performed? (Select 2)

Select 2 answers
A.User account was locked
B.User account was deleted
C.Group policy was updated
D.User logged on successfully
E.User account was created
AnswersB, E

4720 is account creation; 4726 is account deletion.

Why this answer

Event ID 4720 is 'A user account was created' and 4726 is 'A user account was deleted'. Rapid creation and deletion of the same account is a common way to use a throwaway account and remove the trace. Check the SubjectUserName on both events (who performed the action), pull any events on that account in between (for example 4732, a member added to a security-enabled local group, or 4624 logons), and compare the timing with the organisation's normal provisioning process.
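The correlation described above, written out as an added example (not code from the page or from any Cisco product). The event records are constructed, and the tuple layout of time, EventID, TargetUserName and SubjectUserName is an assumption standing in for fields parsed out of the Security log's EventData:

```python
"""Correlate Windows Security events 4720 (account created) and 4726 (account
deleted) for the same target account within a short window. Added example:
the records are constructed, and the tuple layout (time, EventID,
TargetUserName, SubjectUserName) stands in for fields parsed from EventData."""
from datetime import datetime

# Constructed sample events: (time, EventID, TargetUserName, SubjectUserName)
SAMPLE_EVENTS = [
    ("2024-05-01T02:14:03", 4624, "jsmith", "-"),            # logon, unrelated
    ("2024-05-01T02:15:10", 4720, "svc_backup2", "jsmith"),  # account created
    ("2024-05-01T02:15:12", 4732, "svc_backup2", "jsmith"),  # added to a local group
    ("2024-05-01T02:31:45", 4726, "svc_backup2", "jsmith"),  # account deleted
    ("2024-05-01T09:00:00", 4720, "newhire", "hr_admin"),    # normal provisioning
    ("2024-05-03T09:00:00", 4726, "newhire", "hr_admin"),    # deleted two days later
]


def find_ephemeral_accounts(events, window_seconds=3600):
    """Return one finding per account created and then deleted within the
    window. Events are processed in time order, and every event that touched
    the account in between is kept so the analyst sees what it was used for."""
    pending = {}   # TargetUserName -> (created_at, creator, [EventIDs seen since])
    findings = []
    for ts, event_id, target, subject in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if event_id == 4720:
            pending[target] = (when, subject, [])
        elif event_id == 4726 and target in pending:
            created_at, creator, between = pending.pop(target)
            lifetime = int((when - created_at).total_seconds())
            if lifetime <= window_seconds:
                findings.append({
                    "account": target,
                    "created_by": creator,
                    "deleted_by": subject,
                    "lifetime_seconds": lifetime,
                    "events_between": between,
                })
        elif target in pending:
            pending[target][2].append(event_id)
    return findings


if __name__ == "__main__":
    for finding in find_ephemeral_accounts(SAMPLE_EVENTS):
        print(finding)
```

With the default one-hour window only svc_backup2 is reported (created and deleted 995 seconds apart, with a group-membership change in between); the two-day HR account only appears if the window is widened, which is the knob a SOC tunes against its own provisioning norms.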

654
MCQhard

During an incident response, an analyst extracts a file from network traffic using Zeek's file analysis feature. The file has a SHA-256 hash that matches a known malware indicator. Which type of IoC is this?

A.Behavioral IoC
B.Network-based IoC
C.Host-based IoC
D.File-based IoC
AnswerD

File hashes are file-based indicators.

Why this answer

A file hash is a file-based (atomic) IoC: it identifies one exact file, which makes it cheap to check but brittle, since a single changed byte produces a different hash. Zeek's file analysis framework records hashes in files.log alongside the connection uid that carried the file, and can write the extracted bytes to disk, so the analyst can recompute the hash and pivot from the file to the connection and the hosts involved.

655
MCQhard

During a security incident, a SOC analyst reviews NetFlow records and notices a single internal host communicating with a remote server on TCP port 443, sending 50 MB of data in 5 minutes, while the usual baseline for that host is 1 MB per hour. Which type of activity is most likely indicated?

A.Denial of service attack
B.Port scan activity
C.Data exfiltration
D.Normal web browsing traffic
AnswerC

Unusually high outbound data volume, especially to a single external IP, is a strong indicator of data theft.

Why this answer

The sudden spike in outbound data volume from a single internal host to a remote server over TCP port 443 (HTTPS) far exceeds the established baseline of 1 MB per hour, reaching 50 MB in just 5 minutes. This anomalous behavior is a classic indicator of data exfiltration, where an attacker is using encrypted HTTPS traffic to stealthily transfer stolen data out of the network without triggering typical signature-based alerts.

Exam trap

Cisco often tests the distinction between volumetric anomalies (like data exfiltration) and behavioral anomalies (like scans or DoS); the trap is confusing high outbound volume with a DoS attack. A host flooding a target would show many small packets or connection attempts toward the victim, not a sustained, long-lived 50 MB transfer to one server, and the defender's usual vantage point for DoS is inbound traffic to the victim.

How to eliminate wrong answers

Option A is wrong because a denial of service (DoS) attack would typically involve flooding a target with traffic to overwhelm it, not a single host sending a large volume of data to a remote server; the traffic direction (outbound) and the lack of a flood pattern rule out DoS. Option B is wrong because port scan activity involves probing multiple ports on a target to discover open services, not sustained data transfer over a single port (443) from one host to one server. Option D is wrong because normal web browsing traffic would not exceed the baseline by a factor of 600x (50 MB in 5 minutes vs. 1 MB per hour) and would show a more balanced, interactive pattern rather than a one-way bulk upload.

656
MCQmedium

A network intrusion detection system (NIDS) generates an alert for a known exploit against a web server. The analyst verifies that the server is patched. What is the next best step?

A.Reconfigure the NIDS to block the traffic
B.Tune the signature to ignore the server
C.Dismiss the alert as a false positive
D.Investigate if the exploit was actually attempted
AnswerD

Correct. Investigating the attempt can reveal attacker behavior and prevent future incidents.

Why this answer

Even if the server is patched, the exploit attempt may indicate a broader attack or reconnaissance. Investigating the attempt helps determine intent and identify other compromised systems.

657
Multi-Selecteasy

A security policy requires multifactor authentication for all administrative access. Which TWO of the following are examples of factors used in MFA? (Choose two.)

Select 2 answers
A.MAC address
B.Password
C.Fingerprint
D.Smart card
E.Username
AnswersC, D

A fingerprint is an inherence (biometric) factor.

Why this answer

Fingerprint (option C) is an inherence factor ('something you are'), and a smart card (option D) is a possession factor ('something you have'); MFA requires at least two different categories (knowledge, possession, inherence). Note that a password (option B) is also a genuine factor, the knowledge category ('something you know'); the key pairs the two non-password factors, but any two of B, C and D are examples of MFA factors, so the options that must be eliminated are A and E.

Exam trap

Cisco often tests the distinction between an authentication factor and an identifier; the trap here is selecting username (option E), which is a claim of identity rather than proof of it, or MAC address (option A), which identifies a device and is trivially spoofed.

658
MCQmedium

An analyst is reviewing Snort alerts and notices repeated 'ET SCAN Potential SSH Scan' alerts from the same source IP. Which action should the analyst take next?

A.Correlate with authentication logs to confirm unsuccessful attempts.
B.Run a vulnerability scan on the destination.
C.Ignore because it is a false positive.
D.Immediately block the IP on the firewall.
AnswerA

This provides evidence of actual brute force attempts, enabling informed decision-making.

Why this answer

Option A is correct because Snort alerts for 'ET SCAN Potential SSH Scan' indicate a pattern of connection attempts to the SSH port (TCP/22), but the alert alone does not confirm whether the attempts were successful or malicious. Correlating with authentication logs (e.g., /var/log/auth.log or Windows Event ID 4625) allows the analyst to verify failed login attempts, which is the definitive evidence of an actual SSH brute-force attack. This step aligns with the network intrusion analysis methodology of validating alerts before taking action.

Exam trap

Cisco often tests the principle that alerts must be validated with additional data sources (like logs) before taking action, trapping candidates who jump to blocking or ignoring based on the alert alone.

How to eliminate wrong answers

Option B is wrong because running a vulnerability scan on the destination does not help confirm or deny the SSH scan activity; it assesses system weaknesses, not the legitimacy of the incoming connection attempts. Option C is wrong because dismissing the alert as a false positive without investigation is premature; repeated SSH scan alerts from the same source IP often indicate a real reconnaissance or brute-force attempt, and ignoring them could lead to a security breach. Option D is wrong because immediately blocking the IP on the firewall is an overly aggressive response without first verifying that the activity is malicious; the source IP could be a legitimate scanner or a misconfigured monitoring tool, and blocking it prematurely could disrupt operations or hide the true nature of the traffic.
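The correlation step in option A, as an added example (not from the page): it joins Snort fast-format alerts with sshd lines from /var/log/auth.log by source IP and classifies each alerting source. Both logs are constructed; the SID in the alert lines is illustrative, and the verdict strings are this example's own labels.

```python
"""Correlate Snort 'ET SCAN Potential SSH Scan' alerts with sshd
authentication results so an analyst can tell a scan that never logged in
from a brute-force attempt. Added example; both logs are constructed and the
SID shown in the alert lines is illustrative."""
import re
from collections import defaultdict

# Constructed Snort "fast" alert lines
SNORT_ALERTS = """\
05/01-02:14:03.118231  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:51234 -> 10.0.0.5:22
05/01-02:14:09.220457  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:51238 -> 10.0.0.5:22
05/01-03:40:51.004112  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.44:60001 -> 10.0.0.5:22
"""

# Constructed /var/log/auth.log lines from the targeted host
AUTH_LOG = """\
May  1 02:14:05 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51240 ssh2
May  1 02:14:06 bastion sshd[2233]: Failed password for invalid user oracle from 203.0.113.9 port 51241 ssh2
May  1 02:14:08 bastion sshd[2235]: Failed password for root from 203.0.113.9 port 51243 ssh2
May  1 02:20:17 bastion sshd[2301]: Accepted publickey for ops from 198.51.100.7 port 40001 ssh2: RSA SHA256:abc
May  1 03:41:00 bastion sshd[2410]: Connection closed by 192.0.2.44 port 60001 [preauth]
"""

ALERT_RE = re.compile(r"\{TCP\} (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)")
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")


def alert_sources(snort_text):
    """Source IPs that triggered an SSH scan alert, with the destination ports hit."""
    sources = defaultdict(set)
    for line in snort_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            sources[m.group(1)].add(int(m.group(3)))
    return sources


def auth_outcomes(auth_text):
    """Per source IP: failed and accepted sshd logins and the usernames tried."""
    outcomes = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set()})
    for line in auth_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            result, user, ip = m.groups()
            outcomes[ip]["failed" if result == "Failed" else "accepted"] += 1
            outcomes[ip]["users"].add(user)
    return outcomes


def triage(snort_text, auth_text):
    """Join the two sources. An alerting IP with failed logins is an active
    brute-force; one with an accepted login is a probable compromise; one with
    nothing in auth.log only scanned (or never completed the handshake)."""
    verdicts = {}
    outcomes = auth_outcomes(auth_text)
    for ip in alert_sources(snort_text):
        o = outcomes.get(ip, {"failed": 0, "accepted": 0, "users": set()})
        if o["accepted"]:
            verdict = "successful login after scan: escalate"
        elif o["failed"]:
            verdict = "brute-force in progress: block and review"
        else:
            verdict = "scan only, no authentication attempts: monitor"
        verdicts[ip] = {**o, "users": sorted(o["users"]), "verdict": verdict}
    return verdicts
```

The join is what turns the alert into a decision: 203.0.113.9 tried three usernames and failed, so blocking is now justified by evidence, while 192.0.2.44 closed the connection before authenticating and only earns a watch entry.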

659
MCQmedium

A company uses Cisco Firepower NGFW with intrusion prevention. The security team notices that some legitimate traffic is being blocked by the IPS, causing application outages. The analyst reviews the IPS signature events and finds false positives. What is the best approach to handle this without reducing security posture?

A.Lower the severity of the signature to informational.
B.Disable the IPS signature that is causing the false positives.
C.Create a custom rule to exclude the affected traffic based on source/destination, while monitoring the signature for true positives.
D.Update the IPS signature database to the latest version.
AnswerC

Exempts only the affected flows while the signature keeps firing for everything else.

Why this answer

Option C is correct because it allows the security team to selectively exclude only the specific legitimate traffic causing false positives, using source/destination criteria in a custom rule, while keeping the IPS signature active for all other traffic. This approach maintains the overall security posture by still detecting true positives from the same signature against other traffic flows. Disabling or lowering the signature's severity would globally reduce detection capability, and updating the database may not address a signature that is inherently too broad for the environment.

Exam trap

Cisco often tests the misconception that disabling or lowering the severity of a false-positive signature is an acceptable quick fix, but the correct approach is to use custom rule exclusions to preserve detection for true positives.

How to eliminate wrong answers

Option A is wrong because severity only changes how the event is prioritised, not what the rule does: if the rule action is still drop, the legitimate traffic stays blocked, and if analysts stop reviewing informational events, true positives for the same signature go unnoticed. Option B is wrong because disabling the IPS signature entirely removes its protection for all traffic, including potential true positives, which directly reduces security posture and is an overly aggressive response to false positives. Option D is wrong because updating the IPS signature database to the latest version does not resolve false positives caused by a signature that is too broadly matching legitimate traffic; the signature's behavior is defined by its rule logic, not by the database version, and updates typically add or modify signatures for new threats, not tune existing ones for false positives.

660
MCQmedium

An analyst suspects data exfiltration via DNS. Which log type would provide the most relevant information to confirm this?

A.Web server logs
B.Firewall logs
C.DNS logs
D.IDS/IPS alerts
AnswerC

DNS logs show query types, domains, and responses, ideal for detecting exfiltration.

Why this answer

DNS logs capture all DNS queries and responses, including the domain names being resolved. Data exfiltration via DNS typically encodes stolen data into the subdomain labels of queries for a domain the attacker controls, often as TXT or NULL queries so the server can answer with data too. By examining DNS logs for unusual query patterns, high query volumes from one client, or long, random-looking subdomains, an analyst can directly confirm exfiltration activity. This depends on query logging being enabled on the internal resolvers, or on a passive DNS sensor such as Zeek's dns.log, because the firewall only sees the resolver's own outbound port 53 traffic.

Exam trap

Cisco often tests the distinction between logs that record metadata (firewall logs) versus logs that record application-layer payloads (DNS logs), leading candidates to mistakenly choose firewall logs because they think 'all traffic passes through the firewall'.

How to eliminate wrong answers

Option A is wrong because web server logs record HTTP/HTTPS requests and responses, not DNS queries; they would miss exfiltration that uses DNS tunneling. Option B is wrong because firewall logs track allowed or denied network connections based on IP addresses and ports, but they do not log the content of DNS queries (the domain names themselves), making them insufficient for detecting DNS-based data exfiltration. Option D is wrong because IDS/IPS alerts are generated based on signatures or anomalies, but they may not capture the raw DNS query data needed to confirm exfiltration; they can raise alerts but do not provide the detailed query logs required for definitive analysis.
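An added example (not from the page) of the DNS-log review described above: it profiles each registered domain by unique subdomains, label length, label entropy and TXT/NULL share, and flags the ones that look like a tunnel. The log lines are constructed in a simplified "timestamp client qname qtype" layout rather than any product's native format, and the base-domain split (last two labels) is a deliberate simplification that a production job would replace with a public-suffix lookup.

```python
"""Score DNS query logs for tunnelling/exfiltration: many unique, long,
high-entropy subdomains under one registered domain, often TXT or NULL
queries. Added example; the log lines are constructed and the base-domain
split is a simplification (last two labels, no public-suffix list)."""
import math
from collections import defaultdict

# Constructed query log: timestamp, client, query name, query type
DNS_LOG = """\
2024-05-01T02:10:01 10.0.0.5 www.corp.example A
2024-05-01T02:10:04 10.0.0.5 mail.corp.example A
2024-05-01T02:10:09 10.0.0.7 intranet.corp.example A
2024-05-01T02:10:15 10.0.0.5 vpn.corp.example A
2024-05-01T02:11:00 10.0.0.9 4a7f0e9c2b1d8e3f6a5c9b0d7e2f1a3c.exfil.example TXT
2024-05-01T02:11:01 10.0.0.9 9c1e3b5d7f2a4c6e8b0d1f3a5c7e9b2d.exfil.example TXT
2024-05-01T02:11:02 10.0.0.9 0f3e5d7c9b1a2e4f6d8c0b2a4e6f8d1c.exfil.example TXT
2024-05-01T02:11:03 10.0.0.9 6b8d0f2a4c6e8b0d2f4a6c8e0b2d4f6a.exfil.example TXT
"""


def shannon_entropy(s):
    """Bits per character; random-looking (encoded) labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, base_domain); base domain = last two labels."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def profile_domains(log_text):
    """Per base domain: query count, unique subdomains, mean subdomain length
    and entropy, share of TXT/NULL queries, and the clients asking."""
    acc = defaultdict(lambda: {"queries": 0, "subs": set(), "txt_like": 0, "clients": set()})
    for line in log_text.splitlines():
        _, client, qname, qtype = line.split()
        sub, base = split_name(qname)
        d = acc[base]
        d["queries"] += 1
        d["subs"].add(sub)
        d["clients"].add(client)
        if qtype in ("TXT", "NULL"):
            d["txt_like"] += 1
    profiles = {}
    for base, d in acc.items():
        subs = list(d["subs"])
        profiles[base] = {
            "queries": d["queries"],
            "unique_subdomains": len(subs),
            "mean_label_length": sum(len(s) for s in subs) / len(subs),
            "mean_entropy": sum(shannon_entropy(s) for s in subs) / len(subs),
            "txt_ratio": d["txt_like"] / d["queries"],
            "clients": sorted(d["clients"]),
        }
    return profiles


def flag_exfil(profiles, min_unique=3, entropy_threshold=3.0, length_threshold=24):
    """Flag domains with many distinct subdomains that look random or overlong."""
    return sorted(
        base for base, p in profiles.items()
        if p["unique_subdomains"] >= min_unique
        and (p["mean_entropy"] > entropy_threshold or p["mean_label_length"] > length_threshold)
    )
```

The thresholds are starting points: CDN and anti-spam lookups also produce long hashed labels, so a real deployment adds an allow list of known high-entropy domains and weights the TXT/NULL ratio and per-client query rate rather than entropy alone.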

661
MCQeasy

A security analyst is reviewing the incident response plan for a small business. The plan states that after an incident is contained, the next step is to preserve evidence. The CISO wants to ensure that the plan follows NIST guidelines. Which step should be added between containment and evidence preservation according to NIST?

A.Lessons learned
B.Recovery
C.Evidence collection and analysis
D.Eradication
AnswerD

NIST places eradication after containment.

Why this answer

NIST SP 800-61 Rev. 2 describes the lifecycle as Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. Within the third phase, eradication (removing malware, closing backdoors, disabling compromised accounts) follows containment, which makes option D the expected answer. One caveat for the real plan: NIST places evidence gathering and handling inside the containment step precisely because eradication destroys evidence, so forensic images and hashes of affected systems should be taken before anything is wiped. The exam item's 'contain, eradicate, then preserve' order is about phase names, not a recommendation to eradicate first.

Exam trap

Cisco often tests the NIST phase order, and the trap here is assuming that recovery immediately follows containment, when eradication is the intermediate step.

How to eliminate wrong answers

Option A (Lessons learned) is wrong because it belongs to Post-Incident Activity, after recovery. Option B (Recovery) is wrong because restoring systems to normal operation comes after eradication; restoring before preserving evidence would also overwrite forensic data. Option C (Evidence collection and analysis) is wrong because it is not a lifecycle phase of its own; collection and analysis presuppose that evidence has already been preserved.

662
MCQeasy

A company uses Cisco Stealthwatch to monitor network traffic. Which type of data does Stealthwatch primarily rely on for visibility?

A.SNMP traps
B.Full packet captures
C.Syslog messages
D.NetFlow data
AnswerD

Stealthwatch collects and analyzes NetFlow to detect anomalies.

Why this answer

Cisco Stealthwatch (now sold as Cisco Secure Network Analytics) is designed for network traffic analysis and relies on NetFlow data (including IPFIX and other flow protocols) to provide visibility into network behavior, traffic patterns, and anomalies. Unlike full packet captures, flow metadata (source/destination IP, ports, protocol, byte and packet counts, timing) is lightweight and scalable for monitoring large networks, making it the primary data source for Stealthwatch's behavioral analytics and threat detection; flow exporters on routers, switches and firewalls, or a dedicated Flow Sensor, feed the Flow Collector.

Exam trap

Cisco often tests the distinction between flow-based monitoring (NetFlow) and packet-based monitoring (full packet capture), and the trap here is that candidates mistakenly think full packet captures are required for security monitoring, overlooking that Stealthwatch's efficiency and scalability come from using metadata-rich flow data instead.

How to eliminate wrong answers

Option A is wrong because SNMP traps are used for device status and fault management (e.g., interface up/down, CPU spikes), not for detailed traffic flow analysis that Stealthwatch requires. Option B is wrong because full packet captures provide deep packet inspection but are resource-intensive and not scalable for continuous monitoring across large networks; Stealthwatch uses flow data for efficiency. Option C is wrong because syslog messages are event logs from devices (e.g., authentication failures, configuration changes) and do not contain the traffic metadata (flows) needed for Stealthwatch's network visibility and anomaly detection.

663
MCQhard

An analyst is reviewing Sysmon logs from a compromised host. They see Event ID 1 (Process creation) for cmd.exe with parent process winword.exe. What does this indicate?

A.The Windows Update service initiated cmd from Word
B.The user launched cmd.exe manually from within Word using a shortcut
C.Word crashed and created a dump file using cmd
D.A macro in a Word document executed cmd.exe as part of the attack
AnswerD

Common technique: macro calls cmd to download or execute payload.

Why this answer

Event ID 1 (Process creation) with parent process winword.exe spawning cmd.exe is a classic indicator of a macro-based attack. Microsoft Word is not designed to launch command-line interpreters under normal operation; when cmd.exe appears as a child of winword.exe, it strongly suggests that a malicious macro within the document executed a shell command, often to download payloads, escalate privileges, or perform reconnaissance. This aligns with common phishing and malware delivery techniques where attackers embed VBA macros to execute system commands.

Exam trap

Cisco often tests the distinction between normal application behavior and process injection or parent-child anomalies; the trap here is assuming that any cmd.exe launch is benign or user-initiated, when the parent process (winword.exe) is the key indicator of macro-based compromise.

How to eliminate wrong answers

Option A is wrong because Windows Update runs as a system service (svchost.exe or trustedinstaller.exe), not as a child of winword.exe; there is no mechanism for Windows Update to initiate cmd.exe from Word. Option B is wrong because manually launching cmd.exe from within Word via a shortcut would still show the parent process as explorer.exe or the user's shell, not winword.exe; Word does not become the parent process for user-initiated commands outside its own UI. Option C is wrong because Word crash dumps are typically created by Windows Error Reporting (WerFault.exe) or the process itself, not by spawning cmd.exe; a crash dump does not involve launching a command shell.
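The parent-child check from the explanation above, as an added example (not from the page): it parses Sysmon Event ID 1 records in their exported XML form and flags Office applications spawning shells or script hosts. The XML records are constructed to follow the Sysmon event schema, and the parent and child lists are a starting point for a detection, not a complete ruleset.

```python
"""Flag Sysmon Event ID 1 (process creation) records in which an Office
application spawns a shell or script host. Added example: the XML records
are constructed to follow the Sysmon event schema, and the parent/child
lists are a starting point, not a complete ruleset."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


def sysmon_record(image, parent, command_line, user="CORP\\jsmith"):
    """Constructed Sysmon Event ID 1 in exported-XML form (subset of fields)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>'
        "<Computer>WS-0142.corp.example</Computer></System><EventData>"
        '<Data Name="UtcTime">2024-05-01 02:14:03.117</Data>'
        f'<Data Name="Image">{escape(image)}</Data>'
        f'<Data Name="CommandLine">{escape(command_line)}</Data>'
        f'<Data Name="User">{escape(user)}</Data>'
        f'<Data Name="ParentImage">{escape(parent)}</Data>'
        "</EventData></Event>"
    )


OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SYS32 = r"C:\Windows\System32"
# Constructed records: two macro-style spawns, one user-launched cmd, one benign print helper
SAMPLE_RECORDS = [
    sysmon_record(SYS32 + r"\cmd.exe", OFFICE + r"\WINWORD.EXE",
                  "cmd.exe /c powershell -w hidden -enc JABhAD0AMQA="),
    sysmon_record(SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe", OFFICE + r"\EXCEL.EXE",
                  "powershell.exe -nop -w hidden -EncodedCommand JABhAD0AMQA="),
    sysmon_record(SYS32 + r"\cmd.exe", r"C:\Windows\explorer.exe", '"C:\\Windows\\System32\\cmd.exe"'),
    sysmon_record(r"C:\Windows\splwow64.exe", OFFICE + r"\WINWORD.EXE", "C:\\Windows\\splwow64.exe 12288"),
]


def parse_event(xml_text):
    """Return EventID, Computer and every EventData field keyed by its Name."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.find("e:System/e:EventID", NS).text)
    fields["Computer"] = root.find("e:System/e:Computer", NS).text
    return fields


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def office_spawned_shells(records):
    """Alerts for Office parent -> shell/script child, with command-line hints."""
    alerts = []
    for xml_text in records:
        ev = parse_event(xml_text)
        if ev["EventID"] != 1:
            continue
        parent, child = image_name(ev["ParentImage"]), image_name(ev["Image"])
        if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
            cl = ev["CommandLine"].lower()
            reasons = [f"{parent} spawned {child}"]
            if " -enc" in cl or "-encodedcommand" in cl:
                reasons.append("encoded PowerShell command line")
            if " -w hidden" in cl or "-windowstyle hidden" in cl:
                reasons.append("hidden window requested")
            alerts.append({"host": ev["Computer"], "user": ev["User"], "time": ev["UtcTime"],
                           "parent": parent, "child": child, "reasons": reasons,
                           "command_line": ev["CommandLine"]})
    return alerts
```

The two benign records show why the parent matters: cmd.exe under explorer.exe is a user opening a prompt, and splwow64.exe under WINWORD.EXE is the 64-bit print spooler helper Word legitimately starts, so neither should page anyone.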

664
MCQhard

An analyst sees an alert for 'SQL injection' but the target is an internal application that only accepts POST requests with JSON data. The alert was triggered by a parameter in the URL. What is the most likely issue?

A.Application vulnerability
B.False positive due to mismatch
C.True positive SQL injection
D.Signature misconfiguration
AnswerB

The signature triggered on a non-relevant parameter.

Why this answer

The alert was triggered by a parameter in the URL, but the target application only accepts POST requests with JSON data. If the application never reads the query string, the injected SQL never reaches a query, and the alert is a false positive caused by a mismatch between the signature's expected attack vector and the application's actual input handling. Confirm the mismatch rather than assume it: the web server's own log should show the request rejected (for example a 400, 404 or 405) and the application should demonstrably ignore URL parameters, because many frameworks merge query-string parameters into the same request object as the body.

Exam trap

Cisco often tests the concept that a signature alert is not automatically a true positive—candidates must correlate the alert's trigger (e.g., URL parameter) with the application's actual input processing (e.g., only accepting JSON POST data) to identify a false positive due to vector mismatch.

How to eliminate wrong answers

Option A is wrong because the application only accepts POST requests with JSON data, so a URL parameter cannot be processed as an SQL injection vector; this indicates no actual vulnerability exists in that context. Option C is wrong because a true positive SQL injection would require the application to interpret the injected SQL in a query, but here the injection vector (URL parameter) is not used by the application, making exploitation impossible. Option D is wrong because signature misconfiguration would imply the signature is incorrectly tuned or enabled, but the issue is that the signature correctly detects a pattern in the URL parameter while the application ignores that parameter, so the signature is functioning as designed—the mismatch is between the alert and the application's behavior, not a signature configuration error.

665
MCQhard

Based on the exhibit, what is the most likely type of attack being observed?

A.ARP spoofing
B.DNS amplification attack
C.Port scan
D.SYN flood
AnswerD

Rapid SYN packets without completing handshake indicates SYN flood.

Why this answer

A SYN flood attack exploits the TCP three-way handshake by sending a high volume of SYN packets with spoofed source IP addresses, causing the target to allocate resources for half-open connections until it exhausts its backlog queue and denies legitimate traffic. The exhibit likely shows a massive spike in SYN packets without corresponding SYN-ACK or ACK completions, which is the hallmark of this attack.

Exam trap

Cisco often tests the distinction between a SYN flood (which targets the TCP handshake state table) and a port scan (which probes for open ports), so the trap here is that candidates see many SYN packets and assume it's a port scan rather than recognizing the volumetric nature of the attack.

How to eliminate wrong answers

Option A is wrong because ARP spoofing involves sending forged ARP replies to associate the attacker's MAC address with the IP address of a legitimate host, which would not produce a flood of TCP SYN packets but rather ARP traffic. Option B is wrong because a DNS amplification attack uses small DNS queries with spoofed source IPs to generate large responses from open resolvers, resulting in high UDP traffic on port 53, not TCP SYN floods. Option C is wrong because a port scan typically sends a small number of packets (e.g., SYN, FIN, or NULL) to multiple ports to discover open services, not a massive volume of SYN packets to a single port that overwhelms the connection queue.

666
MCQeasy

An analyst wants to determine if a specific executable has been run on a Windows system. Which artifact provides evidence of prior execution?

A.Registry Run keys
B.Task Scheduler logs
C.Prefetch files
D.Windows Event Logs
AnswerC

Prefetch files are located in C:\Windows\Prefetch and track execution.

Why this answer

Prefetch files (.pf) are created by Windows when an executable runs and store the executable's name and a path hash, a run count, the last run time (up to eight run times on Windows 8 and later), and the files and directories loaded during the first seconds of execution. They allow an analyst to determine whether a specific executable has been executed, even if the executable itself has since been deleted, which makes Prefetch the most direct artifact for evidence of prior execution.

Exam trap

Cisco often tests the misconception that Windows Event Logs (specifically Security Event ID 4688) are always enabled and capture all process executions, when in reality they require explicit audit policy configuration and are often not logging by default, making Prefetch a more reliable artifact for execution evidence. Two caveats for practice: Prefetch is enabled by default only on client editions (Windows Server ships with it off, controlled by the EnablePrefetcher registry value), and the folder holds a limited number of .pf files (128 on Windows 7, 1024 on Windows 8 and later), so older entries roll off.

How to eliminate wrong answers

Option A is wrong because Registry Run keys (e.g., HKLM\Software\Microsoft\Windows\CurrentVersion\Run) only indicate programs configured to start automatically at boot or user logon, not whether an arbitrary executable has been run. Option B is wrong because Task Scheduler logs record scheduled tasks and their execution history, but they do not capture execution of executables that were not scheduled. Option D is wrong because Windows Event Logs (e.g., Security log with Event ID 4688) can log process creation if auditing is enabled, but by default many systems do not log all process executions, making them unreliable for this specific forensic question.

667
MCQmedium

A company's security policy requires that all data classified as 'Confidential' must be encrypted at rest and in transit. This requirement is part of which policy?

A.Remote Access Policy
B.Password Policy
C.Data Classification Policy
D.Acceptable Use Policy
AnswerC

This policy defines classification levels and associated controls like encryption.

Why this answer

The requirement to encrypt 'Confidential' data is a direct outcome of a data classification policy, which defines categories (e.g., Public, Internal, Confidential, Restricted) and mandates specific security controls for each category. Encryption at rest and in transit is a typical control for the 'Confidential' tier, ensuring data is protected using mechanisms like AES-256 for storage and TLS 1.2+ for transmission.

Exam trap

Cisco often tests the distinction between a policy that defines data sensitivity levels (data classification) and a policy that implements access controls (remote access), leading candidates to confuse the encryption requirement with the method of access.

How to eliminate wrong answers

Option A is wrong because a remote access policy governs how users connect from external networks (e.g., VPN protocols, multi-factor authentication), not the classification-based encryption requirements for data. Option B is wrong because a password policy defines rules for password creation, complexity, and expiration (e.g., minimum length, special characters), not encryption of data based on sensitivity. Option D is wrong because an acceptable use policy outlines permitted and prohibited behaviors for company resources (e.g., browsing restrictions, software installation), not data encryption mandates tied to classification labels.

668
MCQhard

During a security assessment, an analyst uses the Shodan search engine to find exposed industrial control systems. Which phase of the attack lifecycle does this activity represent?

A.Command and control
B.Reconnaissance
C.Delivery
D.Exploitation
AnswerB

Shodan is used for passive reconnaissance to identify targets.

Why this answer

Reconnaissance is the phase of gathering information about targets. Shodan is passive from the analyst's point of view: Shodan's own scanners already collected the service banners, so the analyst finds exposed devices without sending a single packet to them.

669
MCQmedium

A SOC analyst is investigating a suspected data exfiltration. The analyst needs to preserve evidence from a compromised workstation. Which of the following is the CORRECT procedure to ensure evidence integrity?

A.Use a write-blocker, compute hash of original disk, create image, compute hash of image, and compare hashes.
B.Create a forensic image without write-blocking, then hash the image.
C.Copy all files to an external drive without hashing.
D.Disconnect the hard drive and boot from a live CD to collect data.
AnswerA

Matching hashes prove the image is a bit-for-bit copy and that the original was not altered during acquisition.

Why this answer

Proper evidence preservation: attach the drive through a hardware write-blocker (so no acquisition step can change it), hash the original, create the image, hash the image, and record both matching hashes on the chain-of-custody form. Option D loses volatile data and still lacks hash verification; options B and C give the defence an easy argument that the evidence was altered after collection.
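The hash, image, hash, compare sequence as an added example (not from the page). It uses a small temporary file as a stand-in for a disk device, so the write-blocker is represented by opening the source read-only rather than by hardware; the final step deliberately modifies the source after acquisition to show what an unprotected original costs.

```python
"""Acquire-and-verify: hash the source, image it through a read-only handle,
hash the image, compare. Added example; a temporary file stands in for the
disk device and the 'write-blocker' is the read-only open."""
import hashlib
import os
import shutil
import tempfile

CHUNK = 1024 * 1024  # hash and copy in 1 MiB chunks so whole disks fit in memory


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:                      # read-only: never write to evidence
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source, image_path):
    """Image source to image_path and return a verification record.
    Order matters: hash the original first, then image, then hash the image."""
    original = sha256_of(source)
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    image = sha256_of(image_path)
    return {"source_sha256": original, "image_sha256": image,
            "verified": original == image, "bytes": os.path.getsize(image_path)}


def run_demo():
    """Constructed stand-in for a drive: 3 MiB of patterned data. Returns the
    acquisition record and the source hash after a one-byte post-acquisition change."""
    with tempfile.TemporaryDirectory() as tmp:
        disk = os.path.join(tmp, "sdb")
        with open(disk, "wb") as f:
            for i in range(3):
                f.write(bytes([i]) * CHUNK)
        record = acquire(disk, os.path.join(tmp, "evidence.dd"))
        # What a missing write-blocker costs: one byte changes on the source
        # after acquisition and the recorded hash no longer matches the drive.
        with open(disk, "r+b") as f:
            f.seek(0)
            f.write(b"X")
        tampered_source_hash = sha256_of(disk)
        return record, tampered_source_hash


if __name__ == "__main__":
    record, tampered = run_demo()
    print(record)
    print("source still matches recorded hash:", tampered == record["source_sha256"])
```

On a real case the same steps are sha256sum over the block device before imaging and over the image file afterwards, with both values written into the chain-of-custody record; the image is then worked on from a copy so the verified image itself is never opened for writing.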

670
Multi-Selectmedium

An incident response plan includes steps to contain a ransomware outbreak. Which TWO actions are typically performed during the containment phase? (Select two.)

Select 2 answers
A.Notify law enforcement
B.Identify the initial infection vector
C.Restore data from backups
D.Disconnect infected systems from the network
E.Quarantine the malware samples
AnswersD, E

Isolation prevents further spread of ransomware.

Why this answer

Options D and E are containment actions: disconnecting infected hosts from the network stops the ransomware spreading to shares and other systems, and quarantining the malware samples (isolating them where they cannot execute, for later analysis) keeps them available without risk. Option B (identifying the initial infection vector) belongs to detection and analysis, option C (restoring data from backups) is recovery, and option A (notifying law enforcement) is a communication step that runs alongside the response rather than a containment control.

671
MCQmedium

During a SYN scan, an attacker sends a SYN packet to a closed port on a target. What response does the target typically send back?

A.ICMP Port Unreachable
B.RST
C.ACK
D.SYN-ACK
AnswerB

Closed TCP ports answer a SYN with RST (RST/ACK).

Why this answer

In a SYN (half-open) scan, a closed TCP port answers the SYN with a RST (normally RST/ACK), an open port answers with SYN/ACK, and no answer or an ICMP unreachable from a filtering device is reported as filtered. ICMP Port Unreachable (option A) is how a closed UDP port behaves, which is the usual trap.
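An added example (not from the page) that serves both this question and the SYN-flood exhibit in question 665: it decodes the TCP header of a segment, interprets a reply the way a SYN scanner does, and separates a port scan from a SYN flood by how the SYN-only traffic spreads over sources and ports. The segments are built with struct rather than captured, and the scan/flood thresholds are illustrative.

```python
"""Parse TCP headers to read the flags, interpret a scanner's view of each
reply (SYN/ACK open, RST closed, silence filtered), and separate a port scan
from a SYN flood by the spread of SYN-only traffic. Added example; segments
are constructed with struct and the thresholds are illustrative."""
import struct
from collections import Counter

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP_FMT = "!HHIIBBHHH"  # sport, dport, seq, ack, offset/reserved, flags, window, checksum, urgent


def build_tcp(sport, dport, flags, seq=0, ack=0):
    """Minimal 20-byte TCP header with no options (checksum left zero)."""
    return struct.pack(TCP_FMT, sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def parse_tcp(segment):
    sport, dport, seq, ack, offset, flags, *_ = struct.unpack(TCP_FMT, segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def scan_verdict(reply):
    """What a SYN scanner concludes from the reply to its SYN (None = no reply)."""
    if reply is None:
        return "filtered"
    flags = parse_tcp(reply)["flags"]
    if flags & RST:
        return "closed"
    if flags & SYN and flags & ACK:
        return "open"
    return "unexpected"


def classify_syn_traffic(packets, target, syn_threshold=200):
    """packets: (src_ip, dst_ip, tcp_bytes). Considers only bare SYNs to target.
    Few sources sweeping many ports is a scan; many sources hammering one port
    with no handshake completion is a flood."""
    syns = [(src, parse_tcp(seg)["dport"]) for src, dst, seg in packets
            if dst == target and parse_tcp(seg)["flags"] == SYN]
    if not syns:
        return "no SYN traffic"
    sources = Counter(src for src, _ in syns)
    ports = Counter(port for _, port in syns)
    if len(ports) >= 10 and len(sources) <= 3:
        return "port scan"
    if len(syns) >= syn_threshold and len(ports) <= 3 and len(sources) >= 50:
        return "syn flood"
    return "inconclusive"


# Constructed traffic: one host sweeping ports, then 500 spoofed hosts hitting port 80
SCAN = [("203.0.113.9", "10.0.0.5", build_tcp(51000 + p, p, SYN))
        for p in (21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 3389)]
FLOOD_SOURCES = [f"198.51.100.{i + 1}" for i in range(250)] + [f"192.0.2.{i + 1}" for i in range(250)]
FLOOD = [(src, "10.0.0.5", build_tcp(1024 + i, 80, SYN, seq=i))
         for i, src in enumerate(FLOOD_SOURCES)]
```

Reading the flags byte is the whole trick in both questions: a scanner's reply table is built from RST versus SYN/ACK, and the flood is recognised by SYNs that never progress to ACK, which the classifier approximates by counting only segments whose flags equal SYN exactly.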

672
Multi-Selecteasy

Which TWO of the following are examples of Indicators of Compromise (IoCs) used in network security monitoring? (Choose two.)

Select 2 answers
A.MD5 hash of a malicious executable
B.IP addresses of known command and control servers
C.The current time of day
D.The company's stock price
E.The number of employees in the company
AnswersA, B

File hashes are used to identify known malware samples.

Why this answer

An Indicator of Compromise (IoC) is a piece of forensic data that identifies potentially malicious activity on a network or system. The MD5 hash of a malicious executable (option A) is a file-based IoC that lets monitoring tools detect known malware by comparing file hashes against threat intelligence feeds; MD5 is still common in feeds, but collisions are practical, so prefer SHA-256 when both are available. Known command-and-control IP addresses (option B) are network-based IoCs matched against firewall, proxy and flow logs. Both are the kind of atomic indicator that signature-based tools such as Snort rules or YARA signatures consume directly.

Exam trap

Cisco often tests the distinction between IoCs (specific, actionable artifacts of compromise) and unrelated contextual data (like time, stock price, or employee count) to see if candidates understand that IoCs must directly indicate malicious activity, not just general system or business information.
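Both IoC types in use, as an added example (not from the page) that also serves the Zeek file-extraction question (654): carved files are hashed and checked against a hash feed, and connection records are checked against a C2 address list. The feed, C2 list, file contents and connection records are constructed; the one real value is the EICAR antivirus test string, which stands in for a malicious sample without being one, and the connection records only borrow Zeek conn.log column names rather than being parsed from a real log.

```python
"""Check carved files against hash IoCs and connection records against known
C2 addresses. Added example; feed, C2 list, files and connection records are
constructed, with the EICAR test string as the harmless 'known-bad' sample."""
import hashlib

# EICAR antivirus test string: detected everywhere, harmful nowhere
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed feed: MD5 and SHA-256 of the EICAR string (lower-case hex)
IOC_HASHES = {
    "44d88612fea8a8f36de82e1278abb02f",
    "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
}
C2_ADDRESSES = {"198.51.100.23", "203.0.113.77"}   # constructed network IoCs

# Files as Zeek's file extraction would write them: fuid -> bytes (constructed)
EXTRACTED_FILES = {
    "FaBc12xyz.exe": EICAR,
    "Fq9Lm3abc.pdf": b"%PDF-1.7\n% harmless placeholder document\n",
}

# Connection records named after Zeek conn.log columns (constructed)
CONN_LOG = [
    {"ts": "2024-05-01T02:14:03", "id.orig_h": "10.0.0.5", "id.resp_h": "198.51.100.23",
     "id.resp_p": 443, "proto": "tcp", "orig_bytes": 1832, "resp_bytes": 98211},
    {"ts": "2024-05-01T02:15:10", "id.orig_h": "10.0.0.7", "id.resp_h": "192.0.2.10",
     "id.resp_p": 443, "proto": "tcp", "orig_bytes": 4210, "resp_bytes": 156000},
]


def digests(data):
    """Both hashes at once; feeds still mix MD5 and SHA-256 entries."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def match_file_iocs(files, hash_feed):
    """One hit per file whose MD5 or SHA-256 is in the feed. Hash IoCs are
    exact-match, so a single changed byte in the sample defeats them."""
    feed = {h.lower() for h in hash_feed}
    hits = []
    for fuid, data in files.items():
        d = digests(data)
        matched_on = [alg for alg, h in d.items() if h in feed]
        if matched_on:
            hits.append({"file": fuid, "matched_on": matched_on, **d})
    return hits


def match_network_iocs(conns, c2_addresses):
    """Connections whose responder (or originator) is a listed C2 address."""
    return [c for c in conns
            if c["id.resp_h"] in c2_addresses or c["id.orig_h"] in c2_addresses]
```

The appended-newline check in the test is the brittleness point from the explanation: the same EICAR content with one extra byte no longer matches either hash, which is why hash IoCs are paired with network and behavioral indicators rather than relied on alone.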

673
Multi-Selecthard

Which two actions should an analyst take when a security monitoring tool generates a high number of false positives for a specific signature? (Choose two.)

Select 2 answers
A.Create a whitelist for known benign traffic.
B.Tune the signature parameters (e.g., threshold).
C.Increase the sensitivity of the signature.
D.Escalate to management without analysis.
E.Immediately disable the signature.
AnswersA, B

Whitelisting exempts known good traffic from triggering the signature.

Why this answer

Option A is correct because a pass list (suppression) for known benign traffic stops confirmed-safe sources, such as an authorised vulnerability scanner, from triggering the signature without touching detection for everyone else. Option B is correct because tuning the signature's parameters, such as limiting it to one alert per source per minute or narrowing the content match, reduces noise while the rule stays active. Both preserve detection for true positives; record the ticket that justified each exception and review the pass list periodically so it does not quietly become a blind spot.

Exam trap

Cisco often tests the misconception that disabling a signature or increasing sensitivity is a valid first step for handling false positives, but the correct response is always to tune or whitelist to preserve detection capability.
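The two tuning actions modelled as code, as an added example (not from the page): a pass list that exempts confirmed-benign sources from one signature, and a per-source limit that collapses a burst of identical alerts into one record that keeps a repeat count. The alert tuples, the pass-list entry and the local rule SID 1000001 are constructed.

```python
"""Model the two tuning actions: a pass list scoped to one signature, and a
per-source rate limit that folds a burst into one alert with a repeat count.
Added example; the alert tuples, pass-list entry and local SID are constructed."""
from datetime import datetime

MSG = "ET SCAN Potential SSH Scan"
RAW_ALERTS = [  # (time, sid, src, dst, message), constructed
    ("2024-05-01T08:00:00", 2001219, "10.0.0.50", "10.0.0.5", MSG),   # authorised vulnerability scanner
    ("2024-05-01T08:00:05", 2001219, "10.0.0.50", "10.0.0.6", MSG),
    ("2024-05-01T08:00:10", 2001219, "10.0.0.50", "10.0.0.7", MSG),
    ("2024-05-01T08:00:20", 1000001, "10.0.0.50", "10.0.0.5", "LOCAL admin share access"),  # other sid
    ("2024-05-01T08:01:00", 2001219, "203.0.113.9", "10.0.0.5", MSG),  # external, five hits in 24 s
    ("2024-05-01T08:01:06", 2001219, "203.0.113.9", "10.0.0.5", MSG),
    ("2024-05-01T08:01:12", 2001219, "203.0.113.9", "10.0.0.5", MSG),
    ("2024-05-01T08:01:18", 2001219, "203.0.113.9", "10.0.0.5", MSG),
    ("2024-05-01T08:01:24", 2001219, "203.0.113.9", "10.0.0.5", MSG),
    ("2024-05-01T09:30:00", 2001219, "203.0.113.9", "10.0.0.5", MSG),  # new window, alert again
]
PASS_LIST = {2001219: {"10.0.0.50"}}  # sid -> sources exempt from that sid only


def tune_alerts(alerts, pass_list, limit=1, window_seconds=60):
    """Return (emitted, suppressed_count). Pass-listed (sid, src) pairs are
    dropped; the rest are limited to `limit` per window per (sid, src), with
    further hits folded into the emitted record's 'repeats' so nothing is lost."""
    emitted, suppressed = [], 0
    state = {}  # (sid, src) -> {"start": datetime, "count": int, "idx": index into emitted}
    for ts, sid, src, dst, msg in sorted(alerts, key=lambda a: a[0]):
        if src in pass_list.get(sid, set()):
            suppressed += 1
            continue
        t = datetime.fromisoformat(ts)
        st = state.get((sid, src))
        if st is None or (t - st["start"]).total_seconds() >= window_seconds:
            st = {"start": t, "count": 0, "idx": None}
            state[(sid, src)] = st
        st["count"] += 1
        if st["count"] <= limit:
            emitted.append({"time": ts, "sid": sid, "src": src, "dst": dst, "msg": msg, "repeats": 0})
            st["idx"] = len(emitted) - 1
        else:
            suppressed += 1
            emitted[st["idx"]]["repeats"] += 1
    return emitted, suppressed
```

The pass list is keyed by SID on purpose: the scanner's SSH-scan alerts disappear, but its admin-share alert under a different rule still fires. In Snort 2 the same two effects come from the configuration directives `suppress gen_id 1, sig_id 2001219, track by_src, ip 10.0.0.50` and `event_filter gen_id 1, sig_id 2001219, type limit, track by_src, count 1, seconds 60`, both of which leave the rule itself enabled.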

674
Multi-Selectmedium

Which TWO actions are appropriate when analyzing network traffic to identify a potential data exfiltration attempt?

Select 2 answers
A.Look for connections to known malicious IP addresses or domains.
B.Clear the network logs to ensure accurate analysis.
C.Focus exclusively on inbound traffic from external sources.
D.Immediately block all outbound traffic from the suspect host.
E.Identify unusually large outbound data transfers to external hosts.
AnswersA, E

Connections to malicious destinations are suspicious.

Why this answer

Connections to known malicious IP addresses or domains (option A) are a strong indicator of data exfiltration, as attackers often stage stolen data through command-and-control (C2) infrastructure. This is threat-intelligence-based detection, where feeds (e.g., Cisco Talos, AlienVault OTX) supply reputation for external hosts, and an outbound connection to a listed destination confirms that data may be going to an adversary-controlled host. Identifying unusually large outbound transfers to external hosts (option E) is the volumetric complement: compare each internal host's outbound bytes with its own baseline, because exfiltration to a destination with no reputation yet shows up only as volume.

Exam trap

Cisco often tests the distinction between inbound and outbound traffic analysis, trapping candidates who forget that data exfiltration is an outbound activity, not an inbound one.
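Both checks over flow records, as an added example (not from the page) that covers this question and the NetFlow scenario in question 655 (50 MB in five minutes against a 1 MB/hour baseline): outbound volume per internal host against its baseline, and destinations on a threat-intelligence list. The flow tuples, baselines and bad-destination list are constructed, and the tuple layout is an assumption standing in for exported NetFlow/IPFIX fields.

```python
"""Two exfiltration checks over flow records: outbound volume per internal
host against its hourly baseline, scaled to a short window, and destinations
on a threat-intelligence list. Added example; flows, baselines and the TI
list are constructed."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
BAD_DESTINATIONS = {"198.51.100.23"}   # constructed threat-intel entry
BASELINE_BYTES_PER_HOUR = {"10.0.0.5": 1_000_000, "10.0.0.7": 5_000_000, "10.0.0.9": 2_000_000}

# Constructed flows: (start, src, dst, dst_port, bytes_from_src)
FLOWS = [
    ("2024-05-01T02:10:12", "10.0.0.5", "203.0.113.77", 443, 10_000_000),
    ("2024-05-01T02:11:02", "10.0.0.5", "203.0.113.77", 443, 10_000_000),
    ("2024-05-01T02:12:08", "10.0.0.5", "203.0.113.77", 443, 10_000_000),
    ("2024-05-01T02:13:15", "10.0.0.5", "203.0.113.77", 443, 10_000_000),
    ("2024-05-01T02:14:40", "10.0.0.5", "203.0.113.77", 443, 10_000_000),
    ("2024-05-01T02:12:00", "10.0.0.5", "10.0.0.2", 445, 400_000_000),   # internal backup, ignored
    ("2024-05-01T02:13:00", "10.0.0.7", "192.0.2.10", 443, 40_000),       # ordinary browsing
    ("2024-05-01T02:14:00", "10.0.0.9", "198.51.100.23", 443, 2_000),     # tiny, but known C2
]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def bucket_start(ts, window_minutes):
    t = datetime.fromisoformat(ts)
    return t.replace(minute=t.minute - t.minute % window_minutes, second=0, microsecond=0)


def volume_anomalies(flows, baselines, window_minutes=5, ratio_threshold=10):
    """Sum outbound bytes per (host, window) for internal->external flows and
    compare with the host's hourly baseline scaled to the window length."""
    totals = defaultdict(lambda: {"bytes": 0, "dests": set()})
    for ts, src, dst, port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            key = (src, bucket_start(ts, window_minutes))
            totals[key]["bytes"] += nbytes
            totals[key]["dests"].add(f"{dst}:{port}")
    findings = []
    for (host, start), agg in sorted(totals.items()):
        baseline = baselines.get(host)
        if baseline is None:
            continue   # no baseline yet: a real pipeline reports these separately
        ratio = agg["bytes"] * 60 / (baseline * window_minutes)
        if ratio >= ratio_threshold:
            findings.append({"host": host, "window_start": start.isoformat(),
                             "bytes_out": agg["bytes"], "ratio_to_baseline": ratio,
                             "destinations": sorted(agg["dests"])})
    return findings


def threat_intel_hits(flows, bad_destinations):
    """Flows whose external peer is on the list, regardless of size."""
    return [f for f in flows if f[2] in bad_destinations]
```

The two checks catch different things: 10.0.0.5 is flagged purely on volume (600 times its baseline, matching the 50 MB against 1 MB/hour case), while 10.0.0.9 moved only 2 KB and is caught only because the destination is on the list. Internal-to-internal transfers are excluded on purpose; a 400 MB backup to a file server is not exfiltration and would otherwise dominate the ranking.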

675
MCQeasy

An analyst needs to check for services that were set to start automatically on a Windows host. Which command-line utility can be used to query the state and start type of all services?

A.sc query
B.tasklist
C.schtasks
D.netstat
AnswerA

Correct. sc query lists service status; sc qc shows a service's start type.

Why this answer

'sc query' enumerates services with their current state ('sc query state= all' includes stopped ones), and 'sc qc <service>' returns one service's configuration, including START_TYPE (AUTO_START, DEMAND_START, DISABLED) and the binary path, so the two together answer the question; in PowerShell, Get-Service and Get-CimInstance Win32_Service expose the same information. During host-based analysis, look for AUTO_START services whose binary path points outside Program Files or System32, or whose display name imitates a legitimate Windows service.
