CCNA Network Intrusion Analysis Questions


1
Multi-Select · easy

Which TWO pieces of information are essential for an analyst to correlate when investigating an intrusion alert from a network-based sensor?

Select 2 answers
A. The color of the network cables
B. Source and destination IP addresses
C. The brand of the sensor
D. Timestamp of the alert
E. The name of the security team lead
Answers: B, D

IP addresses identify the communicating hosts; the timestamp lets the alert be lined up with records from other sources.

Why this answer

Source and destination IP addresses are essential because they identify the communicating endpoints involved in the intrusion attempt. By correlating these addresses with other alert data, the analyst can determine the origin of the attack and the targeted asset, which is critical for scoping the incident and initiating containment actions. The timestamp is the other essential field: correlation across the sensor, firewall logs, NetFlow and endpoint telemetry is done by time, so the analyst also needs the sensor's time zone and confidence that its clock is NTP-synchronized; an alert whose time cannot be trusted cannot be matched to the other records.

Exam trap

Cisco often tests the distinction between operational data (IP addresses, timestamps) and irrelevant administrative or physical details, trapping candidates who confuse 'essential for correlation' with 'nice to have' or 'commonly known' information.

2
MCQ · easy

An analyst is examining a syslog message from a Cisco ASA showing: %ASA-4-106023: Deny udp src outside:192.0.2.1/123 dst inside:10.0.0.5/123. Which type of traffic is being denied?

A. HTTP traffic
B. SNMP traffic
C. NTP traffic
D. DNS traffic
Answer: C

NTP uses UDP port 123.

Why this answer

The syslog message %ASA-4-106023 shows a UDP deny from source 192.0.2.1 port 123 to destination 10.0.0.5 port 123. Port 123 is the well-known port for Network Time Protocol (NTP), which is used for clock synchronization. Therefore, the denied traffic is NTP traffic.

Exam trap

The trap here is that candidates may confuse port 123 with other common UDP services like DNS (port 53) or SNMP (ports 161/162), or assume the '123' is a random number rather than a standard port assignment.

How to eliminate wrong answers

Option A is wrong because HTTP uses TCP (port 80, or alternates such as 8080), not UDP port 123. Option B is wrong because SNMP uses UDP ports 161 (queries) and 162 (traps), not port 123. Option D is wrong because DNS uses port 53 (UDP for most queries, TCP for zone transfers and large responses), not port 123.

3
Multi-Select · hard

Which TWO network behaviors suggest an ARP spoofing attack is occurring? (Choose two.)

Select 2 answers
A. A high number of TCP RST packets
B. A single host sending numerous ARP requests
C. Packets originating from a MAC address that does not match the IP's legitimate MAC
D. An increase in broadcast ARP traffic
E. Multiple IP addresses mapping to the same MAC address
Answers: C, E

A changed IP-to-MAC binding (C) and one MAC answering for several IPs (E) are the traces ARP cache poisoning leaves on the wire.

Why this answer

Option C is correct because in an ARP spoofing attack the attacker sends forged (often unsolicited) ARP replies that bind their own MAC address to the IP address of a legitimate host, such as the default gateway. Frames for that IP are then delivered to the attacker's MAC, so the IP-to-MAC binding seen on the wire no longer matches the legitimate one; detecting such mismatches is the primary indicator of ARP cache poisoning. Option E is correct for the same reason seen from the other side: a single attacker MAC that poisons several victims (for example the gateway and one or more hosts, to sit in the middle of both directions) ends up claimed as the MAC for multiple IP addresses. Dynamic ARP Inspection on Cisco switches detects exactly this by validating ARP packets against the DHCP snooping binding table and dropping those that disagree.

Exam trap

Cisco often tests the distinction between normal ARP traffic (e.g., broadcasts for resolution) and malicious ARP behavior (e.g., multiple IPs on one MAC or MAC-IP mismatches), so candidates mistakenly choose high ARP volume or TCP RSTs as spoofing indicators.
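The two indicators from the answer can be checked mechanically from a stream of ARP replies. The monitor below is an added example (not from the page or from any Cisco product): it keeps a table of IP-to-MAC bindings, raises an alert when a binding changes (indicator C, with a trusted static binding for the gateway that a reply is never allowed to overwrite) and another when one MAC has claimed more than one IP (indicator E). The ARP replies and the addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed ARP replies seen on a monitored segment: (time, sender IP, sender MAC).
# Not captured from any real network; the de:ad:be:ef MAC plays the attacker.
ARP_REPLIES = [
    (1.0, "10.0.0.1",  "00:11:22:33:44:01"),   # default gateway, legitimate binding
    (1.1, "10.0.0.20", "00:11:22:33:44:20"),   # workstation, first seen
    (5.0, "10.0.0.1",  "de:ad:be:ef:00:99"),   # gateway IP suddenly claimed by another MAC
    (5.1, "10.0.0.20", "de:ad:be:ef:00:99"),   # the same MAC now also claims the workstation
    (9.0, "10.0.0.30", "00:11:22:33:44:30"),   # unrelated host, normal
]

# Static bindings the analyst trusts (e.g. the gateway, taken from the switch's DHCP-snooping table).
TRUSTED = {"10.0.0.1": "00:11:22:33:44:01"}


class ArpMonitor:
    """Flags the two spoofing indicators from the question:
    (C) an IP whose MAC no longer matches its known binding, and
    (E) one MAC that claims several IP addresses."""

    def __init__(self, trusted=None, max_ips_per_mac=1):
        self.trusted = dict(trusted or {})
        self.table = dict(self.trusted)          # ip -> mac currently believed
        self.ips_by_mac = defaultdict(set)       # mac -> every ip it has ever claimed
        for ip, mac in self.table.items():
            self.ips_by_mac[mac].add(ip)
        self.max_ips_per_mac = max_ips_per_mac
        self.alerts = []

    def observe(self, ts, ip, mac):
        prev = self.table.get(ip)
        if prev is not None and prev != mac:
            kind = "TRUSTED_BINDING_CHANGED" if ip in self.trusted else "BINDING_CHANGED"
            self.alerts.append({"ts": ts, "kind": kind, "ip": ip, "old_mac": prev, "new_mac": mac})
        if ip not in self.trusted:               # a reply never overwrites a trusted binding
            self.table[ip] = mac
        self.ips_by_mac[mac].add(ip)
        # A router doing proxy ARP legitimately answers for many IPs, so in a real
        # deployment raise the threshold or exempt the router MAC.
        if len(self.ips_by_mac[mac]) > self.max_ips_per_mac:
            self.alerts.append({"ts": ts, "kind": "MAC_CLAIMS_MULTIPLE_IPS",
                                "mac": mac, "ips": sorted(self.ips_by_mac[mac])})
        return self.alerts

    def run(self, replies):
        for ts, ip, mac in sorted(replies):
            self.observe(ts, ip, mac)
        return self.alerts


if __name__ == "__main__":
    for alert in ArpMonitor(TRUSTED).run(ARP_REPLIES):
        print(alert)
```

Running it on the constructed replies yields three alerts: the trusted gateway binding changing at t=5.0, the workstation binding changing at t=5.1, and the attacker MAC claiming both IPs. On a real segment, seed the trusted table from the switch's DHCP snooping bindings rather than from the first reply seen.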

4
Drag & Drop · medium

Drag and drop the steps to configure a VLAN on a Cisco switch into the correct order.


Why this order

VLAN creation on IOS follows one order: enter global configuration mode (configure terminal), create the VLAN (vlan <id>), give it a name (name <text>), then move to the access interfaces and assign them (interface ..., switchport mode access, switchport access vlan <id>). The VLAN is defined once in the VLAN database and then referenced from each port, so creation and naming come before port assignment.

5
MCQ · hard

A Cisco Firepower appliance generates an intrusion event with the message 'MALWARE-CNC generic command and control traffic detected'. The analyst needs to determine if the alert is a true positive. Which additional data source would provide the most corroborating evidence?

A. Application control logs
B. URL filtering logs
C. NetFlow records
D. DNS query logs
Answer: D

DNS logs can confirm whether the destination was reached through a known C2 domain.

Why this answer

DNS query logs are the most corroborating evidence because malware command-and-control (C2) traffic often relies on DNS to resolve the IP address of the C2 server. A sudden spike in NXDOMAIN responses, queries to algorithmically generated domains (DGA), or requests to known malicious domains in the DNS logs would directly confirm the C2 activity. This aligns with the 'MALWARE-CNC' signature, which specifically targets C2 communication patterns.

Exam trap

Cisco often tests the misconception that NetFlow or URL filtering logs are sufficient for C2 detection, but the key is that DNS logs reveal the domain resolution step that is almost always part of C2 communication, making them the most direct corroborating source.

How to eliminate wrong answers

Option A is wrong because application control logs identify which applications (e.g., HTTP, FTP) are in use but do not reveal the destination domain or IP of C2 traffic, making them insufficient for corroborating C2-specific alerts. Option B is wrong because URL filtering logs cover web traffic only, and for HTTPS they typically record just the hostname (from the TLS SNI or certificate) rather than the full URL unless decryption is in place; C2 traffic frequently uses other ports or protocols (e.g., DNS tunneling, IRC) that URL filtering never sees. Option C is wrong because NetFlow records provide IP addresses, ports, and byte counts but lack the domain name resolution data needed to confirm C2 domain lookups; they cannot distinguish between a legitimate DNS query and a DGA-based query without additional context.

6
MCQ · easy

A security analyst observes a high volume of ICMP echo replies from multiple internal hosts to a single external IP address. Which type of network activity is most likely indicated?

A. Ping sweep
B. ARP spoofing
C. Port scan
D. Smurf attack
Answer: A

A ping sweep sends ICMP echo requests to many hosts in turn to discover which are live.

Why this answer

A ping sweep uses ICMP echo requests to discover live hosts; the observed high volume of ICMP echo replies from multiple internal hosts to a single external IP indicates that the external IP sent a flood of echo requests, and the internal hosts are responding. This is the classic signature of a ping sweep (or ICMP sweep) where an attacker probes a range of internal addresses to map the network.

Exam trap

Cisco often tests the distinction between a Smurf attack and a ping sweep. The exam's intended reading is that replies flowing back to one external address are the echo of that address probing the internal range one host at a time. In practice the analyst confirms this from the requests, not the replies: a sweep sends unicast echo requests to consecutive host addresses, whereas a Smurf sends echo requests to a broadcast address with a spoofed source, so the replies converge on a victim who never sent anything.

How to eliminate wrong answers

Option B is wrong because ARP spoofing involves sending forged ARP replies to associate the attacker's MAC address with the IP of a legitimate host, which does not generate ICMP echo replies from multiple hosts to a single external IP. Option C is wrong because a port scan uses TCP SYN, UDP, or other transport-layer probes to discover open ports, not ICMP echo requests to many hosts. Option D is wrong for the exam's scenario because a Smurf attack is defined by echo requests sent to a broadcast (or directed-broadcast) address with the victim's spoofed source address; the give-away in a capture is the broadcast destination on the requests, and the victim that receives the amplified replies may sit anywhere, inside or outside the network. Since the question describes hosts being probed individually, the activity is reconnaissance (a sweep) rather than amplification. Cisco routers have dropped directed broadcasts by default (no ip directed-broadcast) since IOS 12.0, which is why classic Smurf amplification through a Cisco edge is rare today.
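The discriminator described above can be applied to a record of ICMP traffic directly. The code below is an added example (not from the page): it first finds the symptom from the question, one address collecting echo replies from many hosts, and then classifies each source of echo requests by looking at where the requests went, unicast to many individual hosts (sweep) or to the subnet broadcast address (Smurf-style amplification). The ICMP records, the monitored network and the two external addresses are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed ICMP records from a border sensor: (time, src, dst, icmp_type); 8 = echo
# request, 0 = echo reply. Not a real capture. 203.0.113.9 probes hosts one by one;
# 198.51.100.7 appears as the source of requests sent to the subnet broadcast address
# (in a Smurf, that source is spoofed and is really the victim).
ICMP = (
    [(10 + i * 0.01, "203.0.113.9", f"10.0.0.{i}", 8) for i in range(1, 9)]
    + [(10.5 + i * 0.01, f"10.0.0.{i}", "203.0.113.9", 0) for i in (1, 2, 3, 5, 7, 8)]
    + [(20.0, "198.51.100.7", "10.0.0.255", 8), (20.1, "198.51.100.7", "10.0.0.255", 8)]
    + [(20.2 + i * 0.01, f"10.0.0.{i}", "198.51.100.7", 0) for i in range(1, 9)]
)

MONITORED_NETS = [ipaddress.ip_network("10.0.0.0/24")]   # assumption: one internal /24


def is_broadcast(dst):
    addr = ipaddress.ip_address(dst)
    return str(addr) == "255.255.255.255" or any(addr == n.broadcast_address for n in MONITORED_NETS)


def reply_sinks(records, min_hosts=5):
    """The symptom from the question: one address receiving echo replies from many hosts."""
    repliers = defaultdict(set)
    for _, src, dst, itype in records:
        if itype == 0:
            repliers[dst].add(src)
    return {dst: len(hosts) for dst, hosts in repliers.items() if len(hosts) >= min_hosts}


def classify_requesters(records, sweep_threshold=5):
    """Decide, per request source, whether the echo requests look like a host sweep
    or like directed-broadcast (Smurf-style) amplification."""
    unicast, broadcast = defaultdict(set), defaultdict(int)
    for _, src, dst, itype in records:
        if itype != 8:
            continue
        if is_broadcast(dst):
            broadcast[src] += 1
        else:
            unicast[src].add(dst)
    verdicts = {}
    for src in set(unicast) | set(broadcast):
        if broadcast[src]:
            # Every host answers to "src"; if that address was spoofed, it is the victim.
            verdicts[src] = "DIRECTED_BROADCAST_AMPLIFICATION"
        elif len(unicast[src]) >= sweep_threshold:
            verdicts[src] = "PING_SWEEP"
        else:
            verdicts[src] = "NORMAL"
    return verdicts


if __name__ == "__main__":
    print("reply sinks:", reply_sinks(ICMP))
    print("requesters:", classify_requesters(ICMP))
```

Both external addresses show up as reply sinks, which is all the question's observation tells you; only the request side separates the sweep from the amplification case.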

7
MCQ · easy

Refer to the exhibit, a syslog message reading '%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.1] [localport: 22]'. What does this syslog message indicate?

A. Failed telnet attempt
B. Denied SSH connection attempt
C. Successful SSH connection
D. Allowed TCP traffic
Answer: B

The login on local port 22 (SSH) failed.

Why this answer

The syslog message '%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.1] [localport: 22]' is generated by the IOS login enhancements feature when authentication fails. 'localport: 22' identifies the service as SSH, so the event is a failed (denied) SSH login attempt, not a successful one and not Telnet (port 23). Note the precise meaning: the TCP connection to port 22 was accepted and the SSH session reached the authentication stage; what was denied is the credential, not the connection.

Exam trap

The trap here is that candidates may confuse the 'Login failed' message with a generic 'denied' message, but Cisco specifically tests the ability to identify the protocol by the port number (22 for SSH vs. 23 for Telnet) in the syslog output.

How to eliminate wrong answers

Option A is wrong because the syslog message shows 'localport: 22', which is the default port for SSH, not Telnet (port 23); a failed Telnet attempt would reference port 23. Option C is wrong because the message explicitly states 'Login failed', indicating the connection was denied, not successful. Option D is wrong because the message indicates a failed login, not allowed TCP traffic; allowed traffic would generate a different syslog message (e.g., 'LOGIN_SUCCESS' or an ACL permit log).
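Questions 2 and 7 both come down to reading a syslog line and mapping a port number to a service. The parser below is an added example (not from the page and not Cisco code): it recognises the two message formats quoted above with regular expressions, maps the port to a service name, produces a one-line reading of each event and tallies events by kind and service so repeated denies or failures stand out. The sample lines are constructed to mirror those formats; the access-group name, the Reason field and the trailing timestamps are assumed, and the port-to-service table is a deliberately small subset.

```python
import re
from collections import Counter

# Constructed sample log lines (not from any real device). The first two mirror the
# message formats quoted in questions 2 and 7; the rest vary the port and outcome.
SAMPLE_LOG = [
    '%ASA-4-106023: Deny udp src outside:192.0.2.1/123 dst inside:10.0.0.5/123 by access-group "outside_in"',
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.1] [localport: 22] "
    "[Reason: Login Authentication Failed] at 10:12:01 UTC Mon Jan 1 2024",
    '%ASA-4-106023: Deny tcp src outside:198.51.100.9/51022 dst dmz:10.0.1.10/22 by access-group "outside_in"',
    "%ASA-4-106023: Deny udp src outside:198.51.100.9/40000 dst inside:10.0.0.53/53",
    "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.1.1.1] [localport: 22] "
    "at 10:12:40 UTC Mon Jan 1 2024",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.1.1.1] [localport: 23] "
    "[Reason: Login Authentication Failed] at 10:13:05 UTC Mon Jan 1 2024",
]

# Well-known ports the parser maps to service names (a subset, for illustration).
SERVICE_BY_PORT = {
    22: "SSH", 23: "Telnet", 53: "DNS", 80: "HTTP", 123: "NTP",
    161: "SNMP", 162: "SNMP-trap", 443: "HTTPS", 445: "SMB", 3306: "MySQL",
}

# %ASA-<sev>-106023: Deny <proto> src <ifc>:<ip>/<port> dst <ifc>:<ip>/<port> [by access-group "<acl>"]
ASA_106023 = re.compile(
    r"%ASA-(?P<sev>\d)-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# %SEC_LOGIN-<sev>-LOGIN_FAILED|LOGIN_SUCCESS: Login <result> [user: x] [Source: ip] [localport: n] ...
SEC_LOGIN = re.compile(
    r"%SEC_LOGIN-(?P<sev>\d)-(?P<mnemonic>LOGIN_FAILED|LOGIN_SUCCESS): Login \w+ "
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[\d.]+)\] \[localport: (?P<lport>\d+)\]"
)


def service_name(port):
    return SERVICE_BY_PORT.get(port, f"port {port}")


def classify(line):
    """Return a normalised event dict, or None for lines this parser does not know."""
    m = ASA_106023.search(line)
    if m:
        dport = int(m.group("dport"))
        return {"kind": "acl_deny", "severity": int(m.group("sev")),
                "proto": m.group("proto").lower(), "src": m.group("src"),
                "dst": m.group("dst"), "dport": dport, "service": service_name(dport)}
    m = SEC_LOGIN.search(line)
    if m:
        lport = int(m.group("lport"))
        failed = m.group("mnemonic") == "LOGIN_FAILED"
        return {"kind": "login_failed" if failed else "login_success",
                "severity": int(m.group("sev")), "user": m.group("user"),
                "src": m.group("src"), "dport": lport, "service": service_name(lport)}
    return None


def summarize(line):
    """One-line analyst reading, e.g. 'Denied udp NTP 192.0.2.1 -> 10.0.0.5:123'."""
    ev = classify(line)
    if ev is None:
        return "unparsed: " + line[:60]
    if ev["kind"] == "acl_deny":
        return f"Denied {ev['proto']} {ev['service']} {ev['src']} -> {ev['dst']}:{ev['dport']}"
    verb = "Failed" if ev["kind"] == "login_failed" else "Successful"
    return f"{verb} {ev['service']} login for '{ev['user']}' from {ev['src']}"


def triage(lines):
    """Count events by (kind, service) so repeated denies or failed logins stand out."""
    return Counter((ev["kind"], ev["service"]) for ev in map(classify, lines) if ev)


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(summarize(entry))
    print(dict(triage(SAMPLE_LOG)))
```

The regexes use search rather than match so the usual syslog prefix (timestamp, hostname, facility) that precedes the %-mnemonic on a real collector does not break parsing.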

8
MCQ · easy

Which command-line tool is used to capture and analyze network packets in real time?

A. Wireshark
B. tcpdump
C. Nmap
D. Nessus
Answer: B

tcpdump is a command-line packet capture utility.

Why this answer

tcpdump is a command-line packet analyzer that captures and displays network packets in real time directly from the terminal. It uses libpcap to intercept raw packets at the network interface, making it ideal for scripting and remote session analysis where a GUI is unavailable.

Exam trap

Cisco often tests the distinction between command-line and GUI tools, trapping candidates who know Wireshark is a packet analyzer but forget the question explicitly asks for a command-line tool.

How to eliminate wrong answers

Option A is wrong because Wireshark is a GUI-based packet analyzer; it shares libpcap with tcpdump and ships a command-line companion, tshark, but Wireshark itself is not the command-line tool the question asks for. Option C is wrong because Nmap is a network discovery and security scanning tool that sends probes to map hosts and services, not a real-time packet capture and analysis tool. Option D is wrong because Nessus is a vulnerability scanner that assesses systems for known weaknesses, not a tool for capturing or analyzing live network packets.

9
MCQ · hard

A security analyst observes a sudden spike in outbound traffic from a critical server to an external IP address on TCP port 443. The server is a web application server that normally only receives inbound connections. Which type of intrusion is most likely occurring?

A. Distributed denial-of-service (DDoS) attack from the server
B. Brute-force attack on the server's SSH service
C. SQL injection attack against the server
D. Command-and-control (C2) communication from malware on the server
Answer: D

Malware often uses HTTPS outbound to establish C2 while evading detection.

Why this answer

A sudden spike in outbound traffic from a server that normally only receives inbound connections is a classic indicator of command-and-control (C2) communication. Malware on the server often establishes outbound HTTPS (TCP 443) connections to a C2 server to exfiltrate data or receive instructions, bypassing firewalls that typically allow outbound web traffic.

Exam trap

Cisco often tests the distinction between inbound attack types (like SQL injection or brute-force) and outbound indicators of compromise (like C2 traffic), leading candidates to confuse the direction of the traffic with the attack vector.

How to eliminate wrong answers

Option A is wrong because a server conscripted into a DDoS would send high volumes of traffic toward many targets or show volumetric patterns, whereas the question describes a sustained exchange with a single external IP. Option B is wrong because a brute-force attack on SSH would target TCP port 22, not 443, and would appear as inbound connection attempts, not an outbound spike. Option C is wrong because SQL injection is an inbound web application attack that manipulates database queries; it does not by itself cause outbound traffic to an external IP on port 443.

10
MCQ · hard

You are a security analyst for a financial institution. Over the past hour, the intrusion detection system has generated multiple alerts for outbound traffic from a single internal host (10.0.0.50) to various external IP addresses on port 443. The alerts indicate that the host is making HTTPS connections to IPs that are associated with known command and control servers. Additionally, the host has been observed making DNS queries for domains that are algorithmically generated (e.g., rgj3k2.example.com, fh7d8s.example.net). The host is a Windows 10 workstation used by an employee in the accounting department. The employee reports that they have not noticed any unusual behavior, but they did click on a link in a phishing email yesterday. The network administrator confirms that the host's firewall rules allow outbound HTTPS traffic. You have access to endpoint logs, network flow data, and packet captures. Which course of action should you take FIRST?

A. Isolate the host from the network to prevent further C2 communication
B. Analyze packet captures to determine the full extent of the compromise
C. Block all outbound HTTPS traffic from the network
D. Reimage the host immediately to remove the malware
Answer: A

Isolation stops active communication and allows for forensic analysis.

Why this answer

Option A is correct because the immediate priority when confirmed C2 communication is detected is to contain the threat by isolating the host from the network. The combination of outbound HTTPS connections to known C2 servers and DNS queries for algorithmically generated (DGA-style) domains strongly indicates an active malware infection. Isolating the host (e.g., via network access control or a switch port shutdown) stops data exfiltration and further command reception, which is the first containment step in incident response, before any deeper analysis or remediation.

Exam trap

Cisco often tests the incident response priority order, and the trap here is that candidates choose analysis (Option B) or remediation (Option D) first, forgetting that containment (Option A) is the immediate required step per NIST SP 800-61 and Cisco's own incident handling framework.

How to eliminate wrong answers

Option B is wrong because analyzing packet captures to determine the full extent of compromise is a secondary step; the first action must be containment to prevent ongoing C2 traffic and lateral movement. Option C is wrong because blocking all outbound HTTPS traffic from the network is an overly broad and disruptive measure that would break legitimate business operations, and it is not a targeted containment action. Option D is wrong because reimaging the host immediately destroys volatile evidence (e.g., memory-resident malware, active network connections) and should only be performed after forensic data collection and containment.

11
MCQ · medium

You are analyzing network traffic from a compromised host. The host is running Windows and is connected to a corporate network. The IDS generated an alert for a known malware signature matching traffic from the host to an external IP on port 443. However, you see that the traffic is encrypted and the destination IP is a cloud storage provider. The host also shows periodic DNS queries to a domain that closely resembles the cloud provider's domain but with a single character difference (typosquatting). The employee on that host reports no unusual activity. Which step should you take first to confirm the compromise?

A. Check DNS logs to see if the typosquatted domain resolved recently and correlate with the encrypted traffic timestamps.
B. Dismiss the alert as a false positive because the user reports no issues.
C. Examine the full packet capture for the encrypted session to see the payload.
D. Enable SSL/TLS decryption on the corporate firewall to inspect the encrypted traffic.
Answer: A

DNS logs can show resolution of suspicious domains, indicating potential C2 communication.

Why this answer

Option A is correct because correlating DNS logs with encrypted traffic timestamps is the fastest, least intrusive way to confirm whether the host actually communicated with the typosquatted domain. If the DNS query for the lookalike domain resolved just before the encrypted session to the external IP, it strongly indicates the malware is using the typosquatted domain for command-and-control (C2) over HTTPS, bypassing simple domain-based blocklists. This step validates the alert without requiring decryption or assuming user reports are reliable.

Exam trap

Cisco often tests the misconception that encrypted traffic cannot be analyzed at all, leading candidates to choose decryption (Option D) as the first step, when in fact DNS log correlation is a non-disruptive, immediate method to confirm the compromise.

How to eliminate wrong answers

Option B is wrong because user reports are unreliable in compromise scenarios—malware often runs silently without user-visible symptoms, and dismissing the alert based on user feedback ignores the IDS signature and DNS evidence. Option C is wrong because the traffic is encrypted (TLS/SSL), so examining the full packet capture will only show encrypted payloads; without the session keys, you cannot see the plaintext content. Option D is wrong because enabling SSL/TLS decryption on the corporate firewall is a major operational change that requires policy approval, certificate deployment, and may break certificate pinning; it is not a first step and could alert the malware if it checks for interception.
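Questions 5, 10 and 11 all rest on the same move: take an encrypted flow (or a sensor alert about it) and find, in the DNS logs of the same client, the lookup that produced the destination address, then judge the domain. The code below is an added example (not from the page and not a Cisco feature): it walks back from a flow to the DNS answers seen from that client inside a time window, flags a registered domain within edit distance 1 of a domain the business actually uses (the typosquat from question 11), and counts NXDOMAIN responses in the window as the DGA indicator from questions 5 and 10. The DNS and flow records, the lookalike domain and the list of legitimate domains are all constructed; the registered-domain extraction assumes two labels, where real code would use the Public Suffix List.

```python
from collections import namedtuple

DnsRec = namedtuple("DnsRec", "ts client qname rcode answers")
Flow = namedtuple("Flow", "ts src dst dport bytes")

# Constructed logs, not from any real environment. 10.0.0.77 plays the suspect host from
# questions 10/11; storage.exanple.com is a one-character lookalike of storage.example.com.
DNS_LOG = [
    DnsRec(90.0,  "10.0.0.78", "storage.example.com", "NOERROR",  ["198.51.100.10"]),
    DnsRec(100.0, "10.0.0.77", "storage.exanple.com", "NOERROR",  ["203.0.113.50"]),
    DnsRec(100.5, "10.0.0.77", "k3j9x2.example.net",  "NXDOMAIN", []),
    DnsRec(101.0, "10.0.0.77", "zz81qp.example.net",  "NXDOMAIN", []),
    DnsRec(102.0, "10.0.0.77", "rgj3k2.example.net",  "NXDOMAIN", []),
]
FLOWS = [
    Flow(95.0,  "10.0.0.78", "198.51.100.10", 443, 2048),    # legitimate cloud storage use
    Flow(103.0, "10.0.0.77", "203.0.113.50",  443, 51200),   # the alerted encrypted session
    Flow(400.0, "10.0.0.79", "192.0.2.200",   443, 900),     # no DNS lookup on record at all
]
LEGIT_DOMAINS = {"example.com"}   # assumption: the domains the business really uses


def registered_domain(qname):
    # Assumption: last two labels. Production code should consult the Public Suffix List.
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(qname, legit=LEGIT_DOMAINS, max_distance=1):
    dom = registered_domain(qname)
    for good in legit:
        if dom != good and edit_distance(dom, good) <= max_distance:
            return good
    return None


def corroborate(flow, dns_log, window=300.0, dga_nx_threshold=3):
    """Tie a flow back to the DNS lookups that produced its destination, then judge:
    a lookalike domain or a burst of NXDOMAINs corroborates the C2 alert."""
    recent = [r for r in dns_log if r.client == flow.src and 0 <= flow.ts - r.ts <= window]
    resolvers = [r.qname for r in recent if flow.dst in r.answers]
    nxdomain = sum(1 for r in recent if r.rcode == "NXDOMAIN")
    lookalikes = [(q, lookalike_of(q)) for q in resolvers if lookalike_of(q)]
    if lookalikes or nxdomain >= dga_nx_threshold:
        verdict = "CORROBORATED"
    elif resolvers:
        verdict = "RESOLVED_VIA_KNOWN_DOMAIN"
    else:
        verdict = "NO_DNS_EVIDENCE"   # hard-coded IP or lookup outside the window: still worth a look
    return {"resolved_via": resolvers, "lookalikes": lookalikes,
            "nxdomain_in_window": nxdomain, "verdict": verdict}


if __name__ == "__main__":
    for f in FLOWS:
        print(f.src, "->", f.dst, corroborate(f, DNS_LOG))
```

The check costs nothing operationally, which is the point of answer A: no decryption, no policy change, just two logs the analyst already has, joined on client address and time.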

12
MCQ · hard

During incident response, a security analyst reviews a PCAP file and sees TCP packets with only the SYN flag set, followed by RST packets upon receiving a SYN-ACK. No connection is established. Which scanning technique is being used?

A. Half-open scan (SYN scan)
B. FIN scan
C. Christmas tree scan
D. Full connect scan
Answer: A

A half-open scan sends a SYN, receives a SYN-ACK, then answers with an RST so no full connection is ever established or logged by the application.

Why this answer

The described behavior, sending a SYN packet, receiving a SYN-ACK, and immediately replying with an RST, is the hallmark of a half-open (SYN) scan. The technique never completes the three-way handshake, so the target application never sees a connection and logs nothing, while the SYN-ACK has already told the scanner the port is open (a closed port answers the SYN with RST-ACK). 'Stealthier' is relative, though: a firewall, NetFlow collector or IDS still records every SYN, and a burst of SYN/SYN-ACK/RST triplets across many ports from one source is itself a reliable scan signature.

Exam trap

Cisco often tests the distinction between a half-open scan and a full connect scan by focusing on whether the three-way handshake is completed; the trap here is that candidates may confuse the RST sent after SYN-ACK as part of a normal connection teardown, rather than recognizing it as the defining characteristic of a SYN scan that never completes the handshake.

How to eliminate wrong answers

Option B (FIN scan) is wrong because a FIN scan sends a packet with only the FIN flag set, expecting an RST from closed ports and no response from open ports; it does not involve SYN or SYN-ACK exchanges. Option C (Christmas tree scan) is wrong because it sends packets with the FIN, URG, and PSH flags set (a 'lit-up' combination), not just the SYN flag, and relies on different responses from open vs. closed ports per RFC 793. Option D (Full connect scan) is wrong because it completes the full three-way handshake (SYN, SYN-ACK, ACK) before sending an RST to close the connection, whereas the scenario shows an RST sent immediately after the SYN-ACK, before the final ACK.
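The four techniques compared above differ only in which flags the probe carries and how the exchange ends, so they can be told apart from a packet list. The code below is an added example (not from the page and not Nmap or Snort code): it groups TCP packets into sessions, identifies the initiator, and classifies each session as a half-open SYN scan, a full connect, a SYN probe to a closed port, a FIN scan or a Christmas tree scan, then counts probes per source. The packets are constructed; flag strings use one letter per flag (S, A, R, F, P, U).

```python
from collections import Counter
from typing import NamedTuple


class Pkt(NamedTuple):
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # e.g. "S", "SA", "A", "R", "RA", "F", "FA", "FPU"


# Constructed packet list (not a real capture). 203.0.113.5 is the scanner; 10.0.0.55 is a
# legitimate client completing a normal handshake.
PACKETS = [
    Pkt(1.00, "203.0.113.5", 40001, "10.0.0.10", 22, "S"),     # half-open probe, port open
    Pkt(1.01, "10.0.0.10", 22, "203.0.113.5", 40001, "SA"),
    Pkt(1.02, "203.0.113.5", 40001, "10.0.0.10", 22, "R"),
    Pkt(1.10, "203.0.113.5", 40002, "10.0.0.10", 80, "S"),     # half-open probe, port open
    Pkt(1.11, "10.0.0.10", 80, "203.0.113.5", 40002, "SA"),
    Pkt(1.12, "203.0.113.5", 40002, "10.0.0.10", 80, "R"),
    Pkt(1.20, "203.0.113.5", 40003, "10.0.0.10", 8080, "S"),   # SYN to a closed port
    Pkt(1.21, "10.0.0.10", 8080, "203.0.113.5", 40003, "RA"),
    Pkt(2.00, "10.0.0.55", 50100, "10.0.0.20", 443, "S"),      # legitimate full connect
    Pkt(2.01, "10.0.0.20", 443, "10.0.0.55", 50100, "SA"),
    Pkt(2.02, "10.0.0.55", 50100, "10.0.0.20", 443, "A"),
    Pkt(2.50, "10.0.0.55", 50100, "10.0.0.20", 443, "FA"),
    Pkt(3.00, "203.0.113.5", 40004, "10.0.0.10", 25, "F"),     # FIN probe, RST back => closed
    Pkt(3.01, "10.0.0.10", 25, "203.0.113.5", 40004, "RA"),
    Pkt(3.10, "203.0.113.5", 40005, "10.0.0.10", 443, "FPU"),  # Xmas probe, no reply
]


def group_sessions(packets):
    """Bucket packets by 4-tuple regardless of direction; the first packet's sender is the initiator."""
    sessions = {}
    for p in sorted(packets, key=lambda p: p.ts):
        key = tuple(sorted(((p.src, p.sport), (p.dst, p.dport))))
        sess = sessions.setdefault(key, {"initiator": (p.src, p.sport), "target": (p.dst, p.dport), "seq": []})
        side = "init" if (p.src, p.sport) == sess["initiator"] else "tgt"
        sess["seq"].append((side, p.flags))
    return sessions


def classify(seq):
    """Map a flag sequence to (technique, inferred port state)."""
    first = seq[0]
    if first == ("init", "FPU"):
        return ("XMAS_SCAN", "open|filtered" if len(seq) == 1 else "closed")
    if first == ("init", "F"):
        return ("FIN_SCAN", "open|filtered" if len(seq) == 1 else "closed")
    if first != ("init", "S"):
        return ("UNKNOWN", "n/a")
    if len(seq) >= 2 and seq[1] == ("tgt", "RA"):
        return ("SYN_PROBE", "closed")              # either scan type; RST-ACK means closed
    if len(seq) >= 3 and seq[1] == ("tgt", "SA"):
        if seq[2] == ("init", "R"):
            return ("HALF_OPEN_SYN_SCAN", "open")   # handshake aborted before the final ACK
        if seq[2] == ("init", "A"):
            return ("FULL_CONNECT", "open")         # handshake completed
    return ("INCOMPLETE", "unknown")


def analyze(packets):
    findings = []
    for sess in group_sessions(packets).values():
        technique, state = classify(sess["seq"])
        findings.append((sess["initiator"][0], sess["target"][0], sess["target"][1], technique, state))
    return findings


def scanners(findings, min_probes=3):
    """Sources with at least min_probes sessions that look like probes rather than connections."""
    counts = Counter(src for src, _, _, tech, _ in findings if tech not in ("FULL_CONNECT", "UNKNOWN"))
    return {src: n for src, n in counts.items() if n >= min_probes}


if __name__ == "__main__":
    results = analyze(PACKETS)
    for row in results:
        print(row)
    print("scanners:", scanners(results))
```

Run over the constructed list, the scanner is credited with five probes (two half-open, one SYN to a closed port, one FIN, one Xmas) while the legitimate client's full connect is excluded.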

13
MCQ · hard

A security team implements an IPS that uses behavioral profiling. Which type of detection method is being used?

A. Heuristic
B. Signature-based
C. Rule-based
D. Anomaly-based
Answer: D

Behavioral profiling defines normal behavior and detects anomalies.

Why this answer

Behavioral profiling establishes a baseline of normal network traffic patterns and then flags deviations from that baseline as potential threats. This is the core mechanism of anomaly-based detection, which identifies malicious activity by comparing observed behavior against a learned model of normal behavior rather than against predefined signatures or rules.

Exam trap

Cisco often tests the distinction between anomaly-based and heuristic detection, where candidates mistakenly choose heuristic because both involve 'behavior' or 'profiling,' but heuristic relies on predefined rules of thumb while anomaly-based relies on a learned baseline of normal behavior.

How to eliminate wrong answers

Option A is wrong because heuristic detection uses algorithms or rules of thumb to identify suspicious behavior based on general characteristics, not by learning and comparing against a baseline of normal behavior. Option B is wrong because signature-based detection relies on predefined patterns (e.g., byte sequences or known exploit payloads) to match known threats, not on behavioral profiling. Option C is wrong because rule-based detection uses static, manually defined rules (e.g., 'if port 445 and SMB traffic, then alert') rather than dynamically learned behavioral baselines.

14
Multi-Select · hard

Which three steps are part of the network intrusion analysis process according to Cisco best practices?

Select 3 answers
A. Collection
B. Detection
C. Prevention
D. Analysis
E. Remediation
Answers: A, B, D

Collecting data from network sources is the first step.

Why this answer

Collection is correct because the network intrusion analysis process begins with gathering raw data from sources such as NetFlow, syslogs, and packet captures (PCAP). This step ensures that all relevant evidence is preserved for subsequent detection and analysis, aligning with Cisco's best practices for incident response.

Exam trap

Cisco often tests the distinction between the analysis process steps and adjacent security functions (prevention, remediation) to see if candidates confuse the reactive analysis workflow with proactive or corrective actions.

15
Multi-Select · medium

Which THREE indicators are commonly found in network traffic that suggest a host is part of a botnet? (Choose three.)

Select 3 answers
A. Connections to known IRC servers on non-standard ports
B. Large file downloads from external servers
C. Periodic connections to IP addresses with poor reputation
D. High volumes of outbound traffic to multiple destinations
E. Frequent DNS queries to legitimate corporate DNS servers
Answers: A, C, D

IRC is a common C2 channel.

Why this answer

Option A is correct because botnets often use IRC (Internet Relay Chat) for command and control (C2) communication. Attackers configure IRC servers on non-standard ports (e.g., TCP 6667–6669 are common, but botnets may use ports like 8080, 8443, or random high ports) to evade detection by security tools that monitor default IRC ports. The presence of persistent IRC connections to unusual ports is a strong indicator of botnet activity.

Exam trap

Cisco often tests the distinction between normal network behavior (like large downloads or frequent DNS queries) and specific botnet indicators (IRC on non-standard ports, connections to low-reputation IPs, and asymmetric outbound traffic patterns), trapping candidates who confuse generic high-bandwidth activity with botnet C2 signatures.

16
MCQ · easy

Based on the exhibit, which host is likely engaged in data exfiltration?

A. 10.0.0.1
B. 10.0.0.3
C. 10.0.0.2
D. None of the above
Answer: A

This host has large volumes of data to external web servers.

Why this answer

Host 10.0.0.1 is likely engaged in data exfiltration because the exhibit shows a large volume of outbound TCP traffic from this IP to an external destination on port 443 (HTTPS), with a significantly higher byte count compared to other hosts. This pattern is consistent with data being encrypted and sent to an external server, a common exfiltration technique to bypass inspection.

Exam trap

Cisco often tests the concept that data exfiltration is indicated by a high volume of outbound traffic to an external destination, especially over encrypted channels, and the trap here is that candidates may overlook the byte count asymmetry and focus only on the destination port or protocol, missing the key behavioral indicator.

How to eliminate wrong answers

Option B (10.0.0.3) is wrong because its traffic pattern shows a balanced exchange of packets with internal hosts, typical of normal internal communication, not exfiltration. Option C (10.0.0.2) is wrong because its outbound traffic volume is low and primarily to internal IPs, indicating routine operations rather than data theft. Option D (None of the above) is wrong because the exhibit clearly identifies 10.0.0.1 as the host with anomalous outbound data volume, making it the correct choice.
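Questions 9, 13, 15 and 16 describe behaviours that are all visible in flow metadata alone: an outbound byte count far above what comes back (exfiltration, question 16), a host whose outbound volume jumps well above its own historical baseline (the anomaly-based view of question 13 applied to the server in question 9), and connections to the same external address at near-constant intervals (the periodic beaconing of question 15). The code below is an added example (not from the page and not a Cisco Stealthwatch/NetFlow feature): it aggregates constructed flow records per internal host and applies the three checks. Flow records, the RFC 1918 ranges used to tell internal from external, the byte thresholds and the five days of per-host history are all assumptions of the example.

```python
import ipaddress
import statistics
from collections import defaultdict

INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


# Constructed flow records (not real NetFlow): (ts, src, dst, dport, bytes_out, bytes_in).
FLOWS = [
    (100.0,  "10.0.0.1", "203.0.113.20", 443, 20_000_000, 50_000),   # four large uploads, little back
    (700.0,  "10.0.0.1", "203.0.113.20", 443, 20_000_000, 50_000),
    (1900.0, "10.0.0.1", "203.0.113.20", 443, 20_000_000, 50_000),
    (3100.0, "10.0.0.1", "203.0.113.20", 443, 20_000_000, 50_000),
    (120.0,  "10.0.0.2", "10.0.0.9",     445, 300_000,    900_000),  # internal file share only
    (130.0,  "10.0.0.3", "203.0.113.77", 443, 20_000,     2_000_000),  # ordinary browsing
    (640.0,  "10.0.0.3", "203.0.113.77", 443, 20_000,     2_000_000),
] + [(t, "10.0.0.50", "198.51.100.9", 443, 600, 400)              # tiny check-ins every ~60 s
     for t in (60.0, 120.5, 180.0, 241.0, 300.0, 360.5)]

# Constructed daily outbound-to-external byte totals for the previous five days.
HISTORY = {
    "10.0.0.1":  [1_900_000, 2_100_000, 2_000_000, 1_800_000, 2_200_000],
    "10.0.0.3":  [40_000, 38_000, 42_000, 41_000, 39_000],
    "10.0.0.50": [2_800, 3_900, 3_200, 3_500, 3_000],
}


def external_volume(flows):
    """Per internal host: [bytes sent to external, bytes received from external]."""
    vol = defaultdict(lambda: [0, 0])
    for _, src, dst, _, out_b, in_b in flows:
        if is_internal(src) and not is_internal(dst):
            vol[src][0] += out_b
            vol[src][1] += in_b
    return vol


def exfil_candidates(flows, min_out=10_000_000, min_ratio=5.0):
    """Question 16: hosts whose outbound volume is large and dwarfs what comes back."""
    hits = {}
    for host, (out_b, in_b) in external_volume(flows).items():
        ratio = out_b / max(in_b, 1)
        if out_b >= min_out and ratio >= min_ratio:
            hits[host] = round(ratio, 1)
    return hits


def baseline_anomalies(flows, history, z_threshold=3.0):
    """Questions 9/13: today's outbound volume scored against the host's own history."""
    anomalies = {}
    for host, (out_b, _) in external_volume(flows).items():
        past = history.get(host)
        if not past or len(past) < 2:
            continue                                   # no baseline yet: cannot score
        mu, sigma = statistics.mean(past), statistics.pstdev(past)
        z = (out_b - mu) / sigma if sigma else (float("inf") if out_b > mu else 0.0)
        if z >= z_threshold:
            anomalies[host] = round(z, 1)
    return anomalies


def beacons(flows, min_count=4, max_cv=0.1):
    """Question 15: (src, dst, port) pairs contacted at near-constant intervals."""
    times = defaultdict(list)
    for ts, src, dst, dport, *_ in flows:
        if is_internal(src) and not is_internal(dst):
            times[(src, dst, dport)].append(ts)
    found = {}
    for key, stamps in times.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mu = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mu if mu else 0.0   # jitter relative to the period
        if cv <= max_cv:
            found[key] = round(mu, 1)
    return found


if __name__ == "__main__":
    print("exfil:", exfil_candidates(FLOWS))
    print("baseline anomalies:", baseline_anomalies(FLOWS, HISTORY))
    print("beacons:", beacons(FLOWS))
```

Note that the large uploader and the beaconing host are caught by different tests: 10.0.0.1 moves a lot of data irregularly, 10.0.0.50 moves almost nothing but does so like clockwork, which is why a byte-volume threshold alone misses C2 check-ins.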

17
MCQ · hard

A Cisco Firepower sensor is generating a high number of false positives from a rule that triggers on large ICMP packets. The analyst suspects the rule threshold is too low. Which tuning action most effectively reduces false positives while maintaining detection of actual attacks?

A. Change the rule action from alert to drop.
B. Disable the rule entirely.
C. Add an exception for trusted source IPs.
D. Increase the packet size threshold.
Answer: D

This directly addresses the cause of false positives without disabling detection.

Why this answer

Increasing the packet size threshold (Option D) directly addresses the root cause of the false positives: the rule is matching legitimate large ICMP packets that fall between the current threshold and the sizes the attacks actually use. Raising the threshold just above the largest legitimate pings observed on the network (a baseline taken from the sensor's own statistics), while keeping it below the oversized payloads the rule exists to catch, reduces noise without disabling or bypassing the rule. Before picking the value, confirm what the sensor measures for the rule: the payload of each packet as it arrives, or the length of a reassembled datagram, since fragmented attacks look very different under the two.

Exam trap

Cisco often tests the misconception that changing the rule action (e.g., to drop) or adding exceptions is the best way to reduce false positives, when in fact the most precise and effective method is to adjust the detection threshold parameter that is causing the false positives.

How to eliminate wrong answers

Option A is wrong because changing the rule action from alert to drop would still generate false positives (the rule would still match and drop legitimate traffic), potentially causing denial of service for valid large ICMP packets, and does not reduce the false positive rate. Option B is wrong because disabling the rule entirely eliminates detection of all oversized ICMP attacks, leaving the network vulnerable to actual threats such as ICMP fragmentation or ping-of-death attacks. Option C is wrong because adding an exception for trusted source IPs only reduces false positives from those specific sources; it does not address the underlying threshold issue and may miss attacks originating from trusted IPs that have been compromised.

18
MCQ · medium

A host is infected with malware that uses DNS tunneling to exfiltrate data. Which type of analysis would best detect this activity?

A. DNS log analysis
B. Windows event log analysis
C. Firewall log analysis
D. NetFlow analysis
Answer: A

DNS logs show query names, sizes, and frequency.

Why this answer

DNS tunneling encodes exfiltrated data in the labels of DNS queries (and commands in the responses), typically using TXT, NULL, CNAME or A records so that the traffic passes through resolvers and firewalls that allow DNS. DNS log analysis is the most direct detection method because it exposes the hallmarks of tunneling: unusually long or high-entropy subdomain labels, a very large number of unique subdomains under one parent domain, a skew toward record types such as TXT, and a high volume of queries from one client to a single domain.

Exam trap

Cisco often tests the misconception that firewall logs or NetFlow are sufficient for detecting application-layer tunneling, when in fact only DNS-specific logs provide the granularity to see the encoded payloads within DNS queries.

How to eliminate wrong answers

Option B is wrong because standard Windows event logs focus on system-level events (process creation, logons) rather than the DNS traffic itself; unless DNS client auditing or Sysmon DNS query events (Event ID 22) have been enabled, they will not show the query names carrying the data. Option C is wrong because firewall logs typically record IP addresses, ports, and protocols but lack the DNS query and response details needed to see the encoded data within DNS messages. Option D is wrong because NetFlow provides metadata (source/destination IP, bytes transferred) but does not inspect the content of DNS packets, so it can at best hint at unusual DNS volume without identifying the tunneling pattern or the data being exfiltrated.
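The hallmarks listed above can be computed per parent domain from a DNS query log. The code below is an added example (not from the page and not a product feature): it profiles each registered domain by query count, ratio of unique subdomains, average subdomain length, average Shannon entropy of the subdomain part and share of TXT queries, then lists the domains that cross all tunneling thresholds. The query log is constructed: workstations repeat a few normal names, while one host sends TXT queries whose leftmost label is a 40-character base32 string standing in for an encoded payload chunk. The thresholds and the two-label registered-domain rule are assumptions.

```python
import base64
import hashlib
import math
from collections import defaultdict


def tunnel_label(i):
    """Deterministic stand-in for an encoded payload chunk (constructed, not real traffic)."""
    digest = hashlib.sha256(str(i).encode()).digest()
    return base64.b32encode(digest).decode().lower().rstrip("=")[:40]


# Constructed query log: (client, qname, qtype). Five workstations resolve three normal names
# over and over; 10.0.0.66 issues 50 TXT queries carrying 40 characters of data each.
QUERIES = (
    [("10.0.0.%d" % (10 + i % 5), name, "A")
     for i in range(60) for name in ("www.example.com", "mail.example.com", "cdn.example.com")]
    + [("10.0.0.66", f"{tunnel_label(i)}.t.example.org", "TXT") for i in range(50)]
)


def registered_domain(qname):
    # Assumption: last two labels. Production code should consult the Public Suffix List.
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def shannon_entropy(s):
    """Bits per character; random-looking labels score high, dictionary words low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def profile_domains(queries):
    """Per registered domain, the statistics that separate tunnels from normal lookups."""
    by_dom = defaultdict(list)
    for _, qname, qtype in queries:
        q = qname.lower().rstrip(".")
        dom = registered_domain(q)
        sub = q[: -(len(dom) + 1)] if q.endswith("." + dom) else ""
        by_dom[dom].append((sub, qtype))
    profile = {}
    for dom, items in by_dom.items():
        subs = [s for s, _ in items]
        n = len(subs)
        profile[dom] = {
            "queries": n,
            "unique_ratio": len(set(subs)) / n,
            "avg_sub_len": sum(map(len, subs)) / n,
            "avg_entropy": sum(map(shannon_entropy, subs)) / n,
            "txt_ratio": sum(1 for _, t in items if t == "TXT") / n,
        }
    return profile


def tunnel_suspects(profile, min_queries=20, min_unique=0.8, min_len=25, min_entropy=3.5):
    """Domains that are queried often, almost never with the same subdomain twice,
    with long and high-entropy labels: the DNS-tunneling shape."""
    return sorted(d for d, p in profile.items()
                  if p["queries"] >= min_queries and p["unique_ratio"] >= min_unique
                  and p["avg_sub_len"] >= min_len and p["avg_entropy"] >= min_entropy)


if __name__ == "__main__":
    prof = profile_domains(QUERIES)
    for dom, stats in prof.items():
        print(dom, {k: round(v, 2) for k, v in stats.items()})
    print("suspects:", tunnel_suspects(prof))
```

CDN and cloud-telemetry domains also produce many unique subdomains, so in production the unique-ratio test is combined with the label-length and entropy tests rather than used alone, which is what tunnel_suspects does.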

19
Multi-Select · hard

An analyst is investigating an alert triggered by a Snort rule that matches traffic on port 445 (SMB). The analyst sees that the signature has a high false positive rate. Which THREE factors should the analyst evaluate to tune the signature for better accuracy? (Choose three.)

Select 3 answers
A. Implementing a behavioral analysis heuristic to detect anomalous SMB activity.
B. Disabling the rule to eliminate false positives.
C. Creating a rule exception for internal subnets that use SMB for file sharing.
D. Adjusting the detection threshold to only alert when a certain number of SMB events occur within a time window.
E. Adding specific destination IP addresses of legitimate SMB servers.
Answers: C, D, E

Exceptions for known benign traffic improve accuracy.

Why this answer

Option C is correct because creating a rule exception for internal subnets that legitimately use SMB for file sharing reduces false positives by excluding known benign traffic. This allows the Snort rule to focus on external or anomalous SMB traffic on port 445, improving detection accuracy without disabling the rule entirely.

Exam trap

Cisco often tests the distinction between tuning an existing signature (e.g., adding exceptions or thresholds) versus implementing entirely new detection methods (e.g., behavioral analysis), which leads candidates to mistakenly select options that propose changing the detection approach rather than refining the rule.
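Questions 17 and 19 are both about tuning an existing rule rather than replacing it: raise the size threshold the rule matches on, suppress known-benign sources, or rate-limit how often a source may fire the rule. The code below is an added example (not from the page and not Snort or Firepower code) that models those three knobs on constructed ICMP traffic. The EventFilter class reproduces the semantics of Snort's event_filter types (limit, threshold, both) tracked by source, and the suppression list plays the role of a suppress entry; the rule text in the comments is Snort 2 syntax with a hypothetical sid. The traffic, the monitoring host and the attacker address are constructed.

```python
import ipaddress
from collections import namedtuple

Pkt = namedtuple("Pkt", "ts src dsize")   # one ICMP echo request; dsize = payload bytes

# Constructed traffic (not a real capture): a monitoring host sends a 1000-byte ping every
# 10 s; 198.51.100.7 sends twenty 1400-byte echo requests within five seconds.
PACKETS = ([Pkt(10.0 * i, "10.0.0.5", 1000) for i in range(6)]
           + [Pkt(100.0 + 0.25 * i, "198.51.100.7", 1400) for i in range(20)])

# The noisy rule and the tuned rule, in Snort 2 syntax (sid 1000001 is hypothetical):
#   alert icmp any any -> $HOME_NET any (msg:"ICMP large echo"; itype:8; dsize:>800;  sid:1000001; rev:1;)
#   alert icmp any any -> $HOME_NET any (msg:"ICMP large echo"; itype:8; dsize:>1200; sid:1000001; rev:2;)
# and the threshold.conf entries the two mechanisms below model:
#   event_filter gen_id 1, sig_id 1000001, type threshold, track by_src, count 5, seconds 60
#   suppress gen_id 1, sig_id 1000001, track by_src, ip 10.0.0.0/24


class EventFilter:
    """Snort event_filter semantics, tracked per source: 'limit' passes the first N events
    in a window, 'threshold' passes every Nth event, 'both' passes once per window after N."""

    def __init__(self, ftype, count, seconds):
        assert ftype in ("limit", "threshold", "both")
        self.ftype, self.count, self.seconds = ftype, count, seconds
        self.state = {}          # src -> (window_start, events_seen_in_window)

    def allow(self, ts, src):
        start, n = self.state.get(src, (ts, 0))
        if ts - start >= self.seconds:   # window expired: start a new one
            start, n = ts, 0
        n += 1
        self.state[src] = (start, n)
        if self.ftype == "limit":
            return n <= self.count
        if self.ftype == "threshold":
            return n % self.count == 0
        return n == self.count


def run_rule(packets, dsize_gt, event_filter=None, suppress_nets=()):
    """Apply the dsize test, then suppression, then the event filter; return emitted alerts."""
    nets = [ipaddress.ip_network(n) for n in suppress_nets]
    alerts = []
    for p in sorted(packets):
        if not p.dsize > dsize_gt:
            continue                                             # rule does not match (question 17, D)
        if any(ipaddress.ip_address(p.src) in n for n in nets):
            continue                                             # suppressed source (question 19, C/E)
        if event_filter is not None and not event_filter.allow(p.ts, p.src):
            continue                                             # rate-limited (question 19, D)
        alerts.append((p.ts, p.src))
    return alerts


if __name__ == "__main__":
    print("dsize:>800            ", len(run_rule(PACKETS, 800)))
    print("dsize:>1200           ", len(run_rule(PACKETS, 1200)))
    print("+ threshold 5/60s     ", len(run_rule(PACKETS, 1200, EventFilter("threshold", 5, 60))))
    print("dsize:>800 + suppress ", len(run_rule(PACKETS, 800, suppress_nets=("10.0.0.0/24",))))
```

With the original threshold the monitoring host's six pings and the attacker's twenty requests all alert; raising dsize removes the six benign alerts without touching the attack, and the event filter then condenses the attacker's twenty into four, one per five hits, which is what an analyst wants on the console.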

20
MCQ · hard

You are a security analyst for a medium-sized enterprise. The network includes a DMZ with a web server (10.0.1.10) and a database server (10.0.2.10) in the internal network. Users access the web server via HTTPS from the internet. The web server queries the database server on TCP 3306. Recently, users reported that the web application sometimes returns database errors. You review firewall logs and see the following: - Allowed inbound HTTPS to 10.0.1.10 from various external IPs. - Denied outbound from 10.0.1.10 to 10.0.2.10 on port 3306. - Allowed outbound from 10.0.1.10 to external IPs on port 443. You also notice that the web server's outbound traffic to the database server is being blocked. The firewall has a default deny rule. Which action should you take to restore normal operation while maintaining security?

A. Create a rule allowing inbound traffic on TCP 3306 to the database server from any source.
B. Move the database server to the DMZ to avoid firewall restrictions.
C. Create a rule allowing all outbound traffic from the DMZ to the internal network.
D. Create a rule allowing outbound traffic from the web server IP (10.0.1.10) to the database server IP (10.0.2.10) on TCP 3306.
Answer: D

This specifically allows the needed traffic while minimizing exposure.

Why this answer

The firewall logs show that outbound traffic from the web server (10.0.1.10) to the database server (10.0.2.10) on TCP 3306 is being denied, which causes the database errors. Since the web server initiates the connection to the database, a rule allowing this specific outbound traffic from the web server to the database server on port 3306 restores functionality while maintaining the default-deny posture. This is the most secure approach because it permits only the necessary traffic between the two specific hosts and port, without opening broader access.

Exam trap

Cisco often tests the misconception that you need an inbound rule for the database server when the traffic is actually initiated from the web server outbound, leading candidates to choose Option A or C.

How to eliminate wrong answers

Option A is wrong because allowing inbound traffic on TCP 3306 to the database server from any source would expose the database directly to the internet, bypassing the web server and creating a severe security risk. Option B is wrong because moving the database server to the DMZ would expose it to the same network segment as the web server and potentially the internet, increasing the attack surface and violating the principle of defense in depth. Option C is wrong because allowing all outbound traffic from the DMZ to the internal network would permit any DMZ host to reach any internal host on any port, which is overly permissive and could enable lateral movement by an attacker who compromises a DMZ device.

21
MCQmedium

An analyst examines a PCAP file and sees multiple packets with the same source IP, destination port 443, and a payload that starts with 'GET /login.php HTTP/1.1'. The packets occur in rapid succession with slight variations in the URL parameter. Which type of attack is most likely occurring?

A.SSL/TLS renegotiation attack
B.HTTP flood DDoS attack
C.DNS amplification
D.ARP poisoning
AnswerB

Rapid HTTP requests with slight variations are characteristic of an HTTP flood.

Why this answer

The attack involves multiple packets with the same source IP, all targeting destination port 443 with HTTP GET requests to '/login.php'. The rapid succession and slight variations in URL parameters indicate an attempt to overwhelm the web server with legitimate-looking HTTP requests, which is characteristic of an HTTP flood DDoS attack. This attack exploits the application layer (Layer 7) by exhausting server resources through repeated HTTP requests, rather than exploiting SSL/TLS or network-layer vulnerabilities.

Exam trap

Cisco often tests the distinction between application-layer DDoS attacks (like HTTP floods) and protocol-specific attacks (like SSL/TLS renegotiation or DNS amplification), where candidates mistakenly associate any attack on port 443 with SSL/TLS issues rather than recognizing the HTTP payload as the key indicator.

How to eliminate wrong answers

Option A is wrong because an SSL/TLS renegotiation attack exploits the TLS renegotiation handshake to inject plaintext into an encrypted session, not by sending multiple HTTP GET requests with varying parameters. Option C is wrong because a DNS amplification attack uses small DNS queries with spoofed source IPs to generate large responses from open resolvers, targeting UDP port 53, not TCP port 443 with HTTP payloads. Option D is wrong because ARP poisoning involves sending forged ARP replies to associate the attacker's MAC address with a legitimate IP address on a local network, disrupting Layer 2 communication, not sending HTTP requests to a remote server.

22
MCQmedium

An analyst sees an alert: 'ET POLICY Outgoing HTTP Request with Suspicious User-Agent (Mozilla/5.0 compatible; MSIE 6.0; Windows NT 5.1)'. The source is an internal host that typically uses Windows 10. What should the analyst suspect?

A.The traffic is from a web proxy
B.The host is running Windows XP
C.The host is running a browser update
D.The traffic is likely generated by malware
AnswerD

Malware often uses old User-Agents to evade detection.

Why this answer

The User-Agent string 'Mozilla/5.0 compatible; MSIE 6.0; Windows NT 5.1' mimics Internet Explorer 6 on Windows XP (NT 5.1). Since the source host normally runs Windows 10, this outdated and mismatched User-Agent is a strong indicator of malware attempting to disguise its traffic as legacy browser activity to evade detection.

Exam trap

Cisco often tests the concept that an anomalous User-Agent string inconsistent with the host's known OS is a red flag for malware, not an indication of the actual OS version.

How to eliminate wrong answers

Option A is wrong because a web proxy typically preserves the original client's User-Agent or adds its own header; it does not fabricate a legacy Windows XP User-Agent. Option B is wrong because the host is known to run Windows 10, not Windows XP; the alert indicates the traffic is spoofing XP, not that the OS is actually XP. Option C is wrong because browser updates do not change the User-Agent to an older, incompatible version like MSIE 6.0 on Windows NT 5.1; updates would use a current User-Agent string.
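The mismatch check this question relies on, as an added example that is not part of the original question bank: it parses constructed proxy log lines, extracts the Windows NT version each User-Agent claims, and compares it with a hypothetical asset inventory so that a Windows 10 host claiming 'Windows NT 5.1' is surfaced for investigation. The log format, IP addresses and inventory are assumptions.

```python
import re

# Constructed asset inventory (hypothetical): source IP -> OS platform recorded by the endpoint agent
ASSET_OS = {
    "10.0.0.25": "Windows NT 10.0",
    "10.0.0.26": "Windows NT 10.0",
    "10.0.0.40": "Windows NT 6.1",
}

# Friendly names for the NT version token that Windows browsers place in the User-Agent
NT_NAMES = {"5.1": "Windows XP", "6.1": "Windows 7", "10.0": "Windows 10/11"}

# Constructed proxy log lines (hypothetical format): <src_ip> <method> <url> "<user-agent>"
PROXY_LOGS = [
    '10.0.0.25 GET http://example.test/update "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    '10.0.0.25 GET http://cdn.example.test/a.gif "Mozilla/5.0 compatible; MSIE 6.0; Windows NT 5.1"',
    '10.0.0.26 GET http://example.test/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"',
    '10.0.0.40 GET http://example.test/ "Mozilla/5.0 (Windows NT 6.1; WOW64) Trident/7.0"',
    '10.0.0.26 POST http://example.test/api "python-requests/2.31"',
]

LOG_RE = re.compile(r'^(?P<src>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')
NT_RE = re.compile(r"Windows NT (\d+\.\d+)")


def claimed_windows_version(user_agent):
    """Return the 'Windows NT x.y' version a User-Agent claims, or None if it claims no Windows version."""
    m = NT_RE.search(user_agent)
    return m.group(1) if m else None


def find_ua_mismatches(log_lines, asset_os):
    """Return (src, claimed_nt, inventory_nt, user_agent) for requests whose claimed Windows version
    differs from the inventory record for that source; hosts not in the inventory are skipped."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, ua = m.group("src"), m.group("ua")
        claimed = claimed_windows_version(ua)
        inventory = asset_os.get(src)
        if claimed is None or inventory is None:
            continue  # non-Windows UA (tooling, Linux) or unknown host: outside this check's scope
        expected = claimed_windows_version(inventory)
        if expected != claimed:
            findings.append((src, claimed, expected, ua))
    return findings


def describe(finding):
    """Human-readable triage line for one mismatch."""
    src, claimed, expected, ua = finding

    def name(version):
        return NT_NAMES.get(version, f"NT {version}")

    return f"{src} claims {name(claimed)} (NT {claimed}) but inventory says {name(expected)} (NT {expected}): {ua}"


if __name__ == "__main__":
    for f in find_ua_mismatches(PROXY_LOGS, ASSET_OS):
        print(describe(f))
```

A mismatch is a lead, not proof: the next step is to tie the request to a process on the host, as the question's explanation expects.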

23
MCQmedium

Refer to the exhibit. A security analyst reviews the ACL configuration applied outbound on the external interface. Which statement is true about traffic from the 192.168.1.0/24 network to the internet?

A.All outbound traffic is denied except HTTP and HTTPS.
B.Only HTTP and HTTPS traffic is allowed.
C.HTTP and HTTPS traffic from the internal network is allowed, but SSH is denied.
D.SSH traffic is only denied if it originates from the 192.168.1.0/24 network.
AnswerC

Lines 10 and 20 permit HTTP/HTTPS; line 30 denies SSH; line 40 permits everything else.

Why this answer

The ACL applied outbound on the external interface permits TCP traffic from the 192.168.1.0/24 network to any destination on ports 80 (HTTP) and 443 (HTTPS), and denies all other traffic, including SSH (port 22). Since the ACL has an implicit deny at the end, only HTTP and HTTPS are allowed; SSH is explicitly denied because it does not match any permit statement. Therefore, HTTP and HTTPS traffic from the internal network is allowed, but SSH is denied.

Exam trap

Cisco often tests the implicit deny any at the end of an ACL, and the trap here is that candidates assume SSH is explicitly denied rather than understanding it is blocked by the implicit deny because it is not permitted.

How to eliminate wrong answers

Option A is wrong because it states 'all outbound traffic is denied except HTTP and HTTPS' — this is too broad; the ACL only applies to traffic from 192.168.1.0/24, not all outbound traffic, and it does not deny all other protocols (e.g., ICMP could be implicitly denied but not explicitly). Option B is wrong because it says 'only HTTP and HTTPS traffic is allowed' — while this is true for the 192.168.1.0/24 network, the statement omits the source network restriction and implies it applies to all traffic, which is inaccurate. Option D is wrong because it claims 'SSH traffic is only denied if it originates from the 192.168.1.0/24 network' — the ACL denies all traffic not matching the permit statements, so SSH from any source (including other internal networks) would be denied by the implicit deny, not just from 192.168.1.0/24.

24
MCQmedium

Refer to the exhibit from a Cisco Firepower event. Which action is most appropriate for the analyst?

A.Escalate to law enforcement
B.Investigate the source host for compromise
C.Block the destination IP
D.Disable the intrusion signature
AnswerB

Correct. The source is internal and the alert indicates suspicious activity, so the host may be compromised.

Why this answer

The exhibit shows a single intrusion event from a specific source IP to a destination IP. The most appropriate first step is to investigate the source host for compromise because the event indicates a potential exploit attempt originating from that host. Without additional context (e.g., multiple events, confirmed data exfiltration), escalating to law enforcement or blocking the IP is premature, and disabling the signature would blind the sensor to future threats.

Exam trap

Cisco often tests the principle of 'investigate before act' — the trap here is that candidates see a security event and immediately choose a reactive action (block, disable, escalate) instead of the proper investigative step.

How to eliminate wrong answers

Option A is wrong because law enforcement escalation is reserved for confirmed, high-severity incidents (e.g., active data breach, child exploitation) with legal authority, not a single unverified intrusion event. Option C is wrong because blocking the destination IP without first verifying the source host's compromise could disrupt legitimate traffic and fails to address the root cause (the potentially compromised source). Option D is wrong because disabling the intrusion signature would prevent detection of that exploit across all hosts, weakening the security posture and violating the principle of maintaining detection coverage.

25
Multi-Selectmedium

Which TWO actions are recommended when tuning IDS signatures to reduce false positives?

Select 2 answers
A.Increase alert severity for all signatures
B.Replace IDS with a next-generation firewall
C.Modify signature thresholds to match typical traffic patterns
D.Disable signatures that generate frequent alerts
E.Whitelist known good behavior
AnswersC, E

Adjusting thresholds reduces false positives.

Why this answer

Options B and C are correct. Modifying thresholds and whitelisting known good behavior are standard tuning practices. Option A is too drastic.

Option D is ineffective. Option E is a different solution.

26
MCQmedium

During a security incident, an analyst captures network traffic and observes multiple connections from an internal host to a remote IP on port 4444, with irregular packet timing and small payloads. Which type of activity is most likely indicated?

A.C2 beaconing
B.DNS tunneling
C.File transfer
D.VoIP communication
AnswerA

Beaconing involves regular small packets to a command-and-control server.

Why this answer

The observed traffic—multiple connections from an internal host to a remote IP on TCP port 4444, with irregular timing and small payloads—is a classic signature of command-and-control (C2) beaconing. Attackers often use non-standard high ports like 4444 to evade detection, and the irregular intervals (jitter) are intentionally introduced to avoid pattern-based anomaly detection, while small payloads minimize data transfer and reduce the chance of triggering network thresholds.

Exam trap

Cisco often tests the distinction between C2 beaconing and DNS tunneling by presenting port 4444 (a common C2 port) and irregular timing, hoping candidates confuse it with DNS tunneling because both can use small payloads, but DNS tunneling specifically leverages DNS protocol fields and port 53, not a direct TCP connection on a high port.

How to eliminate wrong answers

Option B (DNS tunneling) is wrong because DNS tunneling typically uses UDP port 53 and encodes data within DNS queries/responses, not direct TCP connections to port 4444 with small payloads. Option C (File transfer) is wrong because file transfers usually involve larger, consistent payload sizes and predictable timing (e.g., SMB on port 445 or FTP on port 21), not the irregular, small-payload pattern described. Option D (VoIP communication) is wrong because VoIP uses protocols like SIP (UDP 5060) or RTP (dynamic UDP ports) with real-time, steady packet flows, not irregular TCP connections to a single high port like 4444.
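Detection logic for the beaconing pattern in this question (connections to one remote port that recur on a schedule blurred by jitter, with small payloads), added here as an example rather than taken from the page: it groups constructed flow records by source, destination and port, measures the gaps between connections, and flags channels whose gaps stay roughly regular despite jitter while payloads stay small. The flow-record layout, IP addresses and thresholds are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed flow records (hypothetical layout): (epoch_seconds, src_ip, dst_ip, dst_port, bytes_sent)
FLOWS = [
    # 10.0.0.25 -> 198.51.100.7:4444 roughly every 60 s with a few seconds of jitter, tiny payloads
    (1000, "10.0.0.25", "198.51.100.7", 4444, 120),
    (1057, "10.0.0.25", "198.51.100.7", 4444, 96),
    (1121, "10.0.0.25", "198.51.100.7", 4444, 110),
    (1178, "10.0.0.25", "198.51.100.7", 4444, 88),
    (1244, "10.0.0.25", "198.51.100.7", 4444, 132),
    (1299, "10.0.0.25", "198.51.100.7", 4444, 104),
    (1361, "10.0.0.25", "198.51.100.7", 4444, 92),
    # the same host browsing 203.0.113.10:443: bursty, human-driven gaps and far larger transfers
    (1003, "10.0.0.25", "203.0.113.10", 443, 5400),
    (1009, "10.0.0.25", "203.0.113.10", 443, 48000),
    (1190, "10.0.0.25", "203.0.113.10", 443, 2200),
    (1192, "10.0.0.25", "203.0.113.10", 443, 91000),
    (1350, "10.0.0.25", "203.0.113.10", 443, 7600),
    (1352, "10.0.0.25", "203.0.113.10", 443, 310),
    (1353, "10.0.0.25", "203.0.113.10", 443, 15000),
]


def find_beacons(flows, min_flows=5, max_jitter=0.3, max_mean_bytes=512):
    """Flag (src, dst, dport) channels that look like C2 beaconing: enough connections, gaps that stay
    regular despite jitter (coefficient of variation <= max_jitter) and small average payloads."""
    by_channel = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        by_channel[(src, dst, dport)].append((ts, nbytes))
    findings = []
    for channel, records in by_channel.items():
        if len(records) < min_flows:
            continue
        records.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(records, records[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue  # everything in the same second: a burst, not a schedule
        jitter = statistics.pstdev(gaps) / mean_gap
        mean_bytes = statistics.mean(nbytes for _, nbytes in records)
        if jitter <= max_jitter and mean_bytes <= max_mean_bytes:
            findings.append({
                "channel": channel,
                "connections": len(records),
                "mean_gap_s": round(mean_gap, 1),
                "jitter": round(jitter, 3),
                "mean_bytes": round(mean_bytes, 1),
            })
    return findings


if __name__ == "__main__":
    for beacon in find_beacons(FLOWS):
        src, dst, dport = beacon["channel"]
        print(f"possible beacon: {src} -> {dst}:{dport} every ~{beacon['mean_gap_s']} s, "
              f"jitter {beacon['jitter']}, mean {beacon['mean_bytes']} bytes")
```

The browsing channel is rejected on both counts (gap variation above 1.0 and large payloads), while the 4444 channel passes even though no two gaps are equal.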

27
Multi-Selecteasy

Which two are common techniques used in network intrusion analysis? (Choose two.)

Select 2 answers
A.Threat intelligence feeds
B.Sandboxing
C.Signature-based detection
D.Heuristic analysis
E.Anomaly-based detection
AnswersC, E

Signature-based and anomaly-based detection are the core network intrusion detection techniques.

Why this answer

Signature-based detection (C) is a core technique in network intrusion analysis where predefined patterns (signatures) of known attacks—such as specific byte sequences in a packet payload or known malicious IP addresses—are matched against network traffic. This method is highly effective for detecting known threats with low false-positive rates, as it relies on exact pattern matching rather than behavioral baselines.

Exam trap

Cisco often tests the distinction between detection techniques (signature-based and anomaly-based) and supporting tools (threat intelligence feeds, sandboxing) or host-based methods (heuristic analysis), leading candidates to incorrectly select options that are not primary network intrusion analysis techniques.

28
MCQeasy

A junior analyst reports that the network-based intrusion detection system (NIDS) has been generating alerts for a signature that detects a known exploit of a web server. The alert triggers on every connection to the company's internal web server over port 80. The analyst has verified that the web server is fully patched and the traffic is normal HTTP requests. The analyst asks you for advice. What should you recommend as the first step?

A.Verify that the web server is fully patched and configure a patch management system.
B.Reconfigure the web server to use a non-standard port.
C.Run a packet capture to analyze the HTTP requests.
D.Disable the specific signature for the web server's IP address in the IDS.
AnswerD

This reduces false positives while keeping detection for other servers.

Why this answer

Option D is correct because the NIDS is generating false positives: the signature matches normal HTTP traffic to a fully patched web server. Disabling the signature for that specific IP address eliminates the noise without compromising security, as the server is not vulnerable to the exploit. This is a standard tuning action in intrusion detection to reduce alert fatigue while maintaining coverage for other hosts.

Exam trap

Cisco often tests the candidate's ability to distinguish between a true positive and a false positive, and the trap here is that candidates may choose to investigate further (Option C) or apply a security fix (Option A) instead of recognizing that the immediate priority is to tune the IDS to reduce alert noise.

How to eliminate wrong answers

Option A is wrong because the analyst has already verified the web server is fully patched; re-verifying and configuring a patch management system does not address the false positive alerts from the NIDS. Option B is wrong because changing the web server to a non-standard port is an unnecessary workaround that can break client configurations and does not solve the root cause of the signature triggering on legitimate HTTP traffic. Option C is wrong because running a packet capture to analyze HTTP requests is an investigative step that may be useful later, but it is not the first step; the analyst already confirmed the traffic is normal HTTP requests, so capturing packets adds delay without addressing the immediate false positive issue.

29
MCQhard

An analyst observes that an internal host is sending ICMP echo requests with payloads containing random data to an external IP. The payload size is larger than typical. What is the most likely technique?

A.Ping of death
B.Traceroute
C.Smurf attack
D.ICMP tunneling
AnswerD

ICMP tunneling uses the payload of ICMP packets for covert communication.

Why this answer

ICMP tunneling encapsulates non-ICMP data (e.g., command-and-control traffic) within ICMP echo request/reply packets. The random payload data and larger-than-typical payload size are hallmarks of this technique, as the attacker uses the ICMP protocol to bypass firewalls and exfiltrate data or establish covert communication.

Exam trap

Cisco often tests the distinction between attacks that exploit ICMP for denial of service (e.g., ping of death, Smurf) versus those that use ICMP for covert data transfer (ICMP tunneling), so candidates must focus on the presence of random payload data rather than just the protocol or packet size.

How to eliminate wrong answers

Option A is wrong because a ping of death exploits a buffer overflow by sending an oversized ICMP packet (typically >65535 bytes) to crash the target, not by using random data in normal-sized payloads. Option B is wrong because traceroute uses ICMP echo requests with varying TTL values to map network hops, not random payloads or large payload sizes. Option C is wrong because a Smurf attack sends ICMP echo requests to a broadcast address with a spoofed source IP, causing amplification, not random data in the payload.

30
MCQmedium

During a security incident, an analyst uses Wireshark to examine a pcap. The TCP stream shows the string 'GET /malware.exe HTTP/1.1'. Which is the most likely type of attack?

A.Cross-site scripting
B.Trojan download
C.Directory traversal
D.SQL injection
AnswerB

Request to download an executable is typical of malware delivery.

Why this answer

The TCP stream shows an HTTP GET request for a file named 'malware.exe', which indicates the client is downloading an executable from a server. This is characteristic of a Trojan download attack, where a user is tricked into downloading and executing malicious software, often disguised as a legitimate file. The use of Wireshark to capture the HTTP request confirms the network-level activity of a file transfer, aligning with the Trojan's delivery mechanism.

Exam trap

Cisco often tests the distinction between attack types based on the specific HTTP method and payload; the trap here is that candidates may confuse a simple file download with injection-based attacks like XSS or SQLi, overlooking that the GET request for an executable directly indicates a Trojan download rather than an injection vector.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) involves injecting malicious scripts into web pages, typically via parameters in HTTP requests or responses, not a direct GET request for an executable file. Option C is wrong because directory traversal attacks exploit path manipulation (e.g., '../') to access restricted files, not a straightforward download of a named executable. Option D is wrong because SQL injection targets database queries through input fields (e.g., in POST data or URL parameters), not a simple GET request for a static file.

31
Multi-Selecteasy

An analyst is investigating a host that was compromised via a web exploit. The analyst has a pcap file of the network traffic. Which TWO pieces of evidence would indicate that the attacker established a persistent backdoor?

Select 2 answers
A.A single large file upload to a cloud service
B.Regular beaconing to an external IP on a high port
C.A change in the host's registry
D.An SSH connection from an external IP
E.DNS queries with subdomains that encode data
AnswersB, E

Regular beaconing is a hallmark of persistent C2 communication, indicating a backdoor that periodically checks in.

Why this answer

Regular beaconing to an external IP on a high port (Option B) is a classic indicator of a persistent backdoor because the compromised host periodically initiates outbound connections to a command-and-control (C2) server, often using non-standard high ports (e.g., 4444, 8080, or 1337) to evade firewall rules. This behavior maintains a communication channel that allows the attacker to issue commands or exfiltrate data over time, even if the initial exploit vector is patched.

Exam trap

Cisco often tests the distinction between network-based evidence (pcap) and host-based evidence (registry changes), so candidates may incorrectly select Option C because they confuse persistence mechanisms with the type of data available in a packet capture.
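An added example (not from the original page) covering both the ICMP tunneling indicators in question 29 and the data-encoding DNS queries in option E of question 31: it treats "random payload" as incompressible data, so a large ICMP echo payload that zlib cannot shrink is flagged while a large but patterned fill is not, and it applies the same Shannon-entropy helper to long, high-entropy subdomain labels. The payload size limit, thresholds, seeded sample payloads and query names are assumptions.

```python
import math
import random
import zlib
from collections import Counter

# Standard ping payloads are 32 bytes (Windows) or 56 bytes (Linux/macOS); above this is "larger than typical"
TYPICAL_ICMP_PAYLOAD = 64


def shannon_entropy(data):
    """Bits per symbol over the bytes (or characters) of data; 0.0 for empty input, at most 8.0 for bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def compression_ratio(payload):
    """zlib output size divided by input size; close to 1.0 means incompressible (random or encrypted data)."""
    return len(zlib.compress(payload)) / len(payload)


def icmp_payload_suspicious(payload, size_limit=TYPICAL_ICMP_PAYLOAD, min_ratio=0.7):
    """ICMP tunneling indicator: payload larger than a normal ping AND random-looking (incompressible).
    A large payload filled with a repeating pattern compresses well and is not flagged."""
    return len(payload) > size_limit and compression_ratio(payload) >= min_ratio


def dns_query_suspicious(qname, min_len=24, min_entropy=3.0):
    """DNS data-encoding indicator: the labels below the registered domain are long and have high character
    entropy, as with hex/base32 chunks carried in subdomains. Assumes a two-label registered domain."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3:
        return False  # nothing below the registered domain that could carry data
    encoded = "".join(labels[:-2])
    return len(encoded) >= min_len and shannon_entropy(encoded) >= min_entropy


# Constructed samples (seeded so they are reproducible)
_rng = random.Random(7)
LINUX_PING_PAYLOAD = bytes(8) + bytes(range(0x10, 0x40))          # 56 bytes: zeroed timestamp + standard fill pattern
BIG_PATTERN_PAYLOAD = bytes(i & 0xFF for i in range(1400))         # 1400 bytes, but a counting pattern (a large test ping)
TUNNEL_PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(1400))   # 1400 random bytes, as encrypted tunnel data would look
DNS_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "api-gateway.internal.example.com",
    "6a7b3c9d0e1f2a3b4c5d6e7f8091a2b3c4d5e6f7.t.example.net",  # hex chunk carried as a subdomain
]


if __name__ == "__main__":
    for name, payload in [("linux ping", LINUX_PING_PAYLOAD), ("big pattern", BIG_PATTERN_PAYLOAD),
                          ("tunnel", TUNNEL_PAYLOAD)]:
        print(f"{name:12s} size={len(payload):5d} ratio={compression_ratio(payload):.2f} "
              f"entropy={shannon_entropy(payload):.2f} suspicious={icmp_payload_suspicious(payload)}")
    for q in DNS_QUERIES:
        print(f"{q}: suspicious={dns_query_suspicious(q)}")
```

Entropy alone would not separate the two large ICMP payloads (a counting pattern uses every byte value evenly), which is why the ICMP check keys on compressibility and the size gate together.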

32
Multi-Selecteasy

Which two pieces of evidence are strong indicators of compromise (IOC) in network traffic?

Select 2 answers
A.Communication with a known malicious IP address
B.Encrypted traffic using unrecognized SSL certificates
C.Regular DNS queries to corporate DNS servers
D.Normal SMTP traffic to internal mail server
E.Standard HTTP traffic to a known content delivery network
AnswersA, B

Malicious IPs are direct IOCs.

Why this answer

Communication with a known malicious IP address is a strong indicator of compromise because it directly suggests the host is interacting with a command-and-control (C2) server or a malware distribution point. Threat intelligence feeds and blocklists (e.g., AlienVault OTX, MISP) provide curated lists of known malicious IPs; matching traffic to these lists provides high-fidelity evidence of an active compromise.

Exam trap

Cisco often tests the distinction between 'normal' traffic and 'anomalous' traffic, and the trap here is that candidates may mistake encrypted traffic (Option B) as always suspicious, but the question asks for 'strong indicators' — and unrecognized SSL certificates are indeed a strong IOC, while regular DNS, SMTP, and CDN traffic are not.

33
MCQmedium

What does this firewall log entry indicate?

A.Outbound HTTP connection denied
B.Inbound HTTP connection allowed
C.Inbound HTTP connection denied
D.Outbound HTTP connection allowed
AnswerC

Source outside, destination inside port 80, and action is deny.

Why this answer

The firewall log entry shows a packet with source IP 10.0.0.2 (internal) and destination IP 203.0.113.5 (external) on destination port 80 (HTTP). The action is 'DENY' and the direction is 'inbound', meaning the firewall denied an incoming connection attempt from the external host to the internal host. Since the destination port is HTTP, this is an inbound HTTP connection that was denied.

Exam trap

Cisco often tests the distinction between the source/destination IP addresses and the firewall's direction field; candidates mistakenly assume that if the source IP is internal, the traffic must be outbound, but the direction field indicates the flow relative to the firewall's interfaces, not the IP addresses.

How to eliminate wrong answers

Option A is wrong because the log indicates an inbound connection (external to internal), not outbound; the source is internal and destination is external, but the direction field says 'inbound', which refers to the traffic flow relative to the firewall's perspective. Option B is wrong because the action is 'DENY', not 'ALLOW', so the connection was not allowed. Option D is wrong because the connection is inbound, not outbound, and it was denied, not allowed.

34
MCQhard

An analyst uses Wireshark to investigate a suspicious download. The TCP stream shows a GET request for a .exe file from an external IP, followed by a 200 OK response. The response contains the file but the last packet in the stream has a FIN flag set from the server. The client sends an ACK but then immediately sends a RST. What does this behavior suggest?

A.The client application crashed after receiving the file
B.Normal completion of download
C.The server is performing a delayed response
D.The client intentionally terminated the connection to evade detection
AnswerD

RST after receiving data can be used to avoid logging.

Why this answer

The client sending a RST immediately after acknowledging the FIN indicates an abnormal termination. In a normal TCP teardown, the client would send its own FIN to close the connection gracefully. The RST suggests the client application intentionally aborted the connection, which is a common evasion technique to avoid detection by network monitoring tools that may not fully process the RST.

Exam trap

Cisco often tests the difference between a graceful TCP teardown (FIN/ACK exchange) and an abrupt reset (RST), and the trap here is assuming that any ACK followed by a RST indicates a crash or normal behavior, rather than recognizing the RST as an intentional evasion tactic.

How to eliminate wrong answers

Option A is wrong because a crash would likely result in no ACK or a RST without a preceding ACK, but here the client properly ACKs the FIN before sending the RST, indicating intentional action. Option B is wrong because a normal completion involves a graceful four-way handshake (FIN from server, ACK from client, FIN from client, ACK from server), not a RST. Option C is wrong because a delayed response would manifest as a long gap before the server sends data or FIN, not as a client-initiated RST after the transfer completes.

35
MCQeasy

A network engineer sees the following event in the firewall logs: 'STATUS: intrusion prevented, action: drop, signature: "SQL Injection - SELECT"' on traffic from internal IP to a web server. What type of attack was detected?

A.Command injection
B.Buffer overflow
C.Cross-site scripting
D.SQL injection
AnswerD

The signature name directly matches SQL injection attack.

Why this answer

The log entry explicitly states 'SQL Injection - SELECT' as the signature, which directly identifies the attack as SQL injection. The firewall detected a malicious SQL query (e.g., a SELECT statement with crafted input) in the traffic from an internal IP to a web server and dropped it, preventing the attack. SQL injection exploits improper input validation in web applications to manipulate backend databases.

Exam trap

Cisco often tests the ability to distinguish between web application attacks (SQL injection vs. XSS vs. command injection) by focusing on the specific payload or signature keywords in logs, where candidates may confuse 'injection' with command injection or misinterpret the 'SELECT' keyword as a generic query rather than SQL-specific.

How to eliminate wrong answers

Option A is wrong because command injection involves executing arbitrary OS commands on the server (e.g., via shell metacharacters like ';' or '|'), not SQL queries; the signature explicitly mentions 'SQL Injection', not command execution. Option B is wrong because a buffer overflow attack exploits memory corruption by overflowing a buffer (e.g., stack or heap) to execute arbitrary code, which is unrelated to SQL query manipulation. Option C is wrong because cross-site scripting (XSS) injects malicious client-side scripts (e.g., JavaScript) into web pages viewed by other users, not SQL statements targeting the database.

36
MCQhard

Which type of attack does this Snort rule detect?

A.Cross-site scripting
B.Buffer overflow
C.SQL injection
D.Directory traversal
AnswerC

UNION SELECT is a SQL injection technique used to combine query results.

Why this answer

Option C is correct because the Snort rule detects SQL injection by matching the pattern 'union select' in the HTTP request body. SQL injection attacks manipulate database queries by injecting malicious SQL statements, and the rule's content match for 'union select' is a classic indicator of a UNION-based SQL injection attempt.

Exam trap

Cisco often tests the ability to distinguish attack types by their payload signatures, and the trap here is that candidates may confuse SQL injection with cross-site scripting because both involve injecting code into web applications, but the specific payload (SQL keywords vs. HTML/JavaScript) is the key differentiator.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) typically involves injecting JavaScript or HTML tags (e.g., <script>alert('XSS')</script>) into web pages, not SQL keywords like 'union select'. Option B is wrong because buffer overflow attacks exploit memory corruption by sending excessive data to overflow buffers, often using patterns like long strings of 'A's or shellcode, not SQL syntax. Option D is wrong because directory traversal attacks use path manipulation sequences like '../' or '..\' to access restricted files, not SQL commands like 'union select'.

37
MCQeasy

An analyst sees an alert from the IDS: 'ET TROJAN Possible Zeus Variant Outbound Connection'. What action should the analyst take first?

A.Block the IP address on the firewall
B.Ignore the alert as a false positive
C.Investigate the source host for signs of compromise
D.Reimage the host immediately
AnswerC

Investigation confirms if the alert is valid.

Why this answer

Option C is correct because the first priority when an IDS alerts on a possible Zeus variant (a known Trojan) is to investigate the source host to confirm or rule out compromise. Zeus is a credential-stealing Trojan that often establishes outbound C2 (command-and-control) traffic; blindly blocking the IP (A) could disrupt the investigation and may not stop the malware if it uses domain flux or multiple IPs. Reimaging (D) destroys forensic evidence, and ignoring the alert (B) is negligent given the severity of Zeus.

The analyst must perform host-based analysis (e.g., check processes, registry, network connections) to validate the alert before taking containment actions.

Exam trap

Cisco often tests the principle that IDS/IPS alerts require verification before action—candidates mistakenly choose to block or reimage immediately, but the correct first step is always to investigate the affected host to confirm the alert and preserve evidence.

How to eliminate wrong answers

Option A is wrong because blocking the IP address on the firewall may disrupt the C2 channel but does not address the root cause—the host may still be compromised and could use other IPs or domains (e.g., via DGA). Additionally, blocking without investigation could alert the attacker and destroy forensic evidence. Option B is wrong because ignoring the alert as a false positive is premature; Zeus variants are high-severity threats, and IDS alerts should always be triaged—especially when the signature explicitly names a known Trojan family.

Option D is wrong because reimaging the host immediately destroys volatile data (e.g., memory, running processes, network connections) that are critical for understanding the infection vector and scope of compromise, and it may violate incident response procedures.

38
Multi-Selectmedium

Which TWO actions are examples of false positive reduction techniques? (Choose two.)

Select 2 answers
A.Changing signature action from drop to alert
B.Removing the sensor
C.Adding destination IP to whitelist
D.Disabling all signatures
E.Increasing the signature threshold
AnswersC, E

Whitelists prevent alerts for known safe traffic.

Why this answer

Adding a destination IP to a whitelist (option C) reduces false positives by excluding known benign traffic from triggering alerts. Increasing the signature threshold (option E) reduces false positives by requiring a higher number of matches or a larger event count before an alert is generated, filtering out low-level noise.

Exam trap

Cisco often tests the distinction between reducing false positives (by tuning or whitelisting) versus disabling detection entirely, so candidates mistakenly choose options like disabling signatures or removing sensors as valid reduction techniques.

39
MCQhard

Refer to the exhibit. A firewall log shows denied TCP traffic from an internal host to an external IP on consecutive ports. What type of activity is indicated?

A.Port scanning
B.Worm propagation
C.Denial of service
D.Data exfiltration
AnswerA

The pattern of denied connections to consecutive ports indicates a scan.

Why this answer

The firewall log shows denied TCP traffic from an internal host to an external IP on consecutive ports. This sequential pattern of connection attempts to multiple ports on the same target is a classic indicator of a port scan, where an attacker probes for open ports to identify potential services to exploit. The firewall's deny action confirms the traffic was blocked, but the behavior itself is characteristic of reconnaissance activity, specifically a TCP connect scan.

Exam trap

Cisco often tests the distinction between reconnaissance (port scanning) and exploitation (worm propagation) by presenting a log of denied traffic to consecutive ports, leading candidates to confuse the scanning phase with the actual attack phase, such as worm propagation or DoS.

How to eliminate wrong answers

Option B (Worm propagation) is wrong because worm propagation typically involves self-replicating code that spreads by exploiting vulnerabilities, often generating traffic to random or specific ports based on the exploit, not a sequential scan of consecutive ports. Option C (Denial of service) is wrong because a DoS attack aims to overwhelm a target with traffic to disrupt service, usually flooding a single port or using high-volume traffic, not probing multiple consecutive ports in a low-and-slow manner. Option D (Data exfiltration) is wrong because data exfiltration involves sending sensitive data out of the network, which would use established connections on a single port (e.g., HTTP/HTTPS, DNS, or FTP), not a series of denied connection attempts to consecutive ports.

40
Multi-Select · medium

Which TWO of the following are indicators of a network scan?

Select 2 answers
A. Single connection to a well-known port
B. ICMP echo requests to multiple hosts
C. DNS queries for many domains
D. Multiple connection attempts from same source to different ports on same destination
E. Large number of SYN packets to a single port from multiple sources
Answers: B, D

Correct. This is a ping sweep to identify live hosts.

Why this answer

Option B is correct because ICMP echo requests (ping sweeps) sent to multiple hosts are a classic reconnaissance technique used to identify live hosts on a network. This type of scan maps the network topology before launching further attacks, and it is a clear indicator of network scanning activity.

Exam trap

Cisco often tests the distinction between a network scan (reconnaissance from a single source) and a denial-of-service attack (flood from multiple sources), so candidates may confuse option E (SYN flood) with a scan.

41
MCQ · medium

In Security Onion, an analyst runs 'squert' and sees a high number of alerts from a single source IP across multiple destination ports. What is the most likely cause?

A. Denial of service
B. SQL injection
C. Port scan
D. Phishing attack
Answer: C

A port scanner probes multiple ports to discover services.

Why this answer

Squert is a web interface for Sguil in Security Onion that visualizes alert data from the intrusion detection system (IDS). A high number of alerts from a single source IP targeting multiple destination ports is a classic signature of a port scan, where the attacker probes a range of ports on one or more targets to discover open services. The IDS triggers multiple alerts because each probe (e.g., SYN packets to different ports) matches a detection rule, such as those for TCP SYN scans.

Exam trap

Cisco often tests the distinction between a port scan and a denial of service attack, where candidates mistakenly associate 'high number of alerts' with DoS, but the key differentiator is the single source IP targeting multiple destination ports versus overwhelming a single service.

How to eliminate wrong answers

Option A is wrong because a denial of service (DoS) attack typically floods a single target with traffic to overwhelm it, resulting in alerts from many source IPs or a high volume to a single port, not a single source IP across multiple destination ports. Option B is wrong because SQL injection attacks target web application parameters (e.g., HTTP GET/POST fields) and would generate alerts related to SQL syntax in payloads, not a pattern of probes across many ports. Option D is wrong because phishing attacks involve social engineering via email or malicious links, which would trigger alerts on email headers or URL patterns, not a single IP scanning multiple ports.

42
MCQ · easy

You are a security analyst at a medium-sized company. A user reports that their workstation is running slowly and the network is sluggish. You check the firewall logs and see a large number of outgoing connections from the user's workstation to an external IP address (198.51.100.23) on port 4444. The connections are short-lived and occur every few seconds. The workstation has standard corporate antivirus installed, which is up-to-date and shows no threats. You have also noticed that the workstation is making DNS queries to an unusual domain (malicious.example.com) that resolves to the same external IP. What is the most appropriate immediate action?

A. Block the external IP address on the firewall and continue monitoring.
B. Isolate the workstation by disconnecting it from the network immediately.
C. Run a full forensic analysis on the workstation without disconnecting it.
D. Update the antivirus signatures and run a full scan on the workstation.
Answer: B

Isolation stops C2 communication and preserves evidence.

Why this answer

The workstation exhibits classic signs of a command-and-control (C2) infection: periodic outbound connections to an external IP on a non-standard port (4444) and DNS queries to a suspicious domain. Isolating the workstation immediately (Option B) is the most appropriate action because it stops the potential data exfiltration and prevents the malware from receiving further commands, containing the threat before any analysis or remediation.

Exam trap

Cisco often tests the principle that containment (isolation) must precede analysis or remediation when active C2 traffic is observed, and the trap here is that candidates may choose to block the IP or run a scan, mistakenly thinking those actions are sufficient to stop the threat without removing the host from the network.

How to eliminate wrong answers

Option A is wrong because simply blocking the external IP on the firewall does not remove the malware from the workstation; the malware could use a different IP or domain to continue its C2 communication, and the infected host remains a risk to the network. Option C is wrong because running a full forensic analysis without disconnecting the workstation allows the malware to continue its malicious activity (e.g., exfiltrating data, spreading laterally) during the analysis, which violates the containment-first principle of incident response. Option D is wrong because the antivirus is already up-to-date and shows no threats, indicating the malware is likely unknown or obfuscated; running another scan with the same signatures will not detect it, and the infection remains active on the network.

43
MCQ · medium

During an incident, an analyst captures network traffic. Which field in a TCP header is used to reassemble fragmented packets?

A. Flags
B. Window size
C. Acknowledgment number
D. Sequence number
Answer: D

Correct. The sequence number indicates the order of bytes for reassembly.

Why this answer

The Sequence Number field in the TCP header is used to reassemble fragmented packets because it indicates the order of data bytes in the stream. When a TCP segment is fragmented at the IP layer, the sequence number allows the receiver to correctly reorder the fragments based on the original byte stream, ensuring proper reassembly.

Exam trap

Cisco often tests the distinction between IP fragmentation (handled by the Identification field and fragment offset in the IP header) and TCP reassembly (handled by the Sequence Number), causing candidates to confuse the two layers.

How to eliminate wrong answers

Option A is wrong because the Flags field in the TCP header (e.g., SYN, ACK, FIN) controls connection state and segment behavior, not packet reassembly. Option B is wrong because the Window Size field indicates the amount of data the receiver is willing to accept for flow control, not for reassembly ordering. Option C is wrong because the Acknowledgment Number field confirms receipt of data up to a certain sequence number, but it does not provide the ordering information needed to reassemble fragmented packets.

44
Multi-Select · hard

Which THREE factors should be considered when tuning an IPS signature? (Choose three.)

Select 3 answers
A. Time of day
B. Application protocol
C. Source and destination IPs
D. Signature severity
E. Packet length
Answers: B, C, D

Signatures should match the intended protocol to reduce false positives.

Why this answer

Application protocol (B) is critical because IPS signatures are protocol-aware and must match the specific protocol context (e.g., HTTP, SMTP, DNS) to avoid false positives. Tuning based on the protocol ensures the signature only inspects traffic where the vulnerability or exploit is relevant, such as applying a SQL injection signature only to HTTP traffic.

Exam trap

Cisco often tests the misconception that time-based or packet-length parameters are valid tuning options, when in fact IPS tuning focuses on protocol context, IP addresses, and severity to balance detection accuracy and performance.

45
MCQ · hard

An analyst examines a PCAP file and sees a series of HTTP POST requests to an external server with Base64-encoded payloads in the request body. The payloads decode to small text strings. Which type of data exfiltration technique is being used?

A. Session hijacking
B. DNS exfiltration
C. HTTP data exfiltration
D. HTTP tunneling
Answer: C

Data hidden in HTTP POST requests is a typical exfiltration technique.

Why this answer

The analyst observes HTTP POST requests carrying Base64-encoded payloads in the request body that decode to small text strings. This is a classic indicator of HTTP data exfiltration, where sensitive data is encoded and sent over HTTP to an external server, bypassing security controls by blending with normal web traffic.

Exam trap

Cisco often tests the distinction between HTTP data exfiltration and HTTP tunneling, where the trap is that candidates confuse encapsulating another protocol (tunneling) with simply sending encoded data over HTTP (exfiltration).

How to eliminate wrong answers

Option A is wrong because session hijacking involves stealing a valid session token (e.g., via XSS or packet sniffing) to impersonate a user, not exfiltrating data via HTTP POST bodies. Option B is wrong because DNS exfiltration encodes data in DNS queries (e.g., subdomains or TXT records) and uses UDP port 53, not HTTP POST requests. Option D is wrong because HTTP tunneling encapsulates non-HTTP protocols (e.g., SSH, RDP) inside HTTP to bypass firewalls, whereas here the payloads are directly Base64-encoded text strings in the POST body, not a tunnel for another protocol.

46
MCQ · medium

An analyst reviews IDS alerts and sees multiple alerts for the same signature from different internal IPs targeting the same external server. One common cause is...

A. A false positive
B. A DDoS attack
C. A worm spreading internally
D. A misconfigured server
Answer: C

Worm infections cause multiple hosts to exhibit similar malicious behavior.

Why this answer

A worm spreading internally (option C) is the most likely cause because worms self-replicate and propagate across a network, generating identical IDS alerts from multiple internal IPs as each infected host attempts to connect to the same external server (e.g., for command-and-control or payload delivery). This pattern—same signature, multiple internal sources, single external target—is a classic indicator of worm activity, where the worm's propagation logic causes each compromised host to initiate similar outbound connections.

Exam trap

Cisco often tests the distinction between a DDoS attack and a worm by focusing on the source distribution—candidates mistakenly choose DDoS because they see multiple sources, but forget that DDoS sources are typically external, not internal, and the signature consistency points to a worm's automated propagation.

How to eliminate wrong answers

Option A is wrong because a false positive would typically produce alerts from a single or few IPs due to benign traffic matching a signature, not a coordinated pattern of multiple distinct internal IPs triggering the same alert. Option B is wrong because a DDoS attack would involve multiple sources targeting a single victim, but the sources are usually external (or a mix), and the alerts would likely show varied signatures or traffic types, not the same signature repeated from internal IPs. Option D is wrong because a misconfigured server would cause alerts from that server's IP only, not from multiple different internal IPs, and the signature would typically reflect the misconfiguration (e.g., protocol violations) rather than a consistent outbound connection pattern.

47
MCQ · easy

A security analyst is reviewing a Snort alert that triggered on the signature 'ET TROJAN Win.Trojan.Generic'. What is the most likely reason this alert fired?

A. A system infected with a trojan
B. A legitimate Windows update
C. A misconfigured firewall
D. An attacker attempting to exploit a buffer overflow
Answer: A

The signature specifically detects trojan activity.

Why this answer

The Snort signature 'ET TROJAN Win.Trojan.Generic' is designed to detect network traffic patterns or payloads associated with known Trojan malware. When this alert fires, it indicates that the sensor observed data matching the signature's characteristics, most likely from a system that is infected with a Trojan and is communicating with a command-and-control server or performing malicious activity.

Exam trap

Cisco often tests the distinction between signature categories (e.g., Trojan vs. exploit vs. policy violation) to see if candidates understand that each signature type is tailored to a specific threat behavior, not just any anomaly.

How to eliminate wrong answers

Option B is wrong because a legitimate Windows update uses Microsoft's own signed binaries and update servers, and its traffic does not match the specific patterns of a Trojan signature; Snort would not trigger on benign update traffic unless a false positive occurs due to a poorly tuned signature. Option C is wrong because a misconfigured firewall might cause connectivity issues or block legitimate traffic, but it does not generate Trojan-specific network payloads that would match this signature. Option D is wrong because a buffer overflow exploit typically targets a vulnerability in a service or application and would be detected by a different class of signatures (e.g., 'ET EXPLOIT' or 'SHELLCODE'), not a generic Trojan signature.

48
MCQ · hard

You are a security analyst at a financial institution. The network consists of a traditional perimeter firewall, an internal IDS (Snort), and a separate network monitoring tool that captures full packet data. Recently, the bank experienced a breach where an attacker exfiltrated customer data via DNS tunneling. The attack went undetected for weeks. The CISO wants to improve detection of data exfiltration and has tasked you with proposing a new monitoring strategy. The current IDS has signatures for common malware C2 channels but no specific DNS tunneling rules. You have access to the full packet capture archive. Which approach would be most effective in detecting DNS tunneling while minimizing false positives?

A. Write custom Snort rules that monitor DNS query size, frequency, and domain name entropy, and use full packet capture to baseline typical DNS behavior.
B. Block all DNS queries to external domains not on a whitelist, and log all blocked queries for review.
C. Increase the Snort signature sensitivity for all DNS-related alerts to maximum.
D. Deploy NetFlow monitoring on the DNS server and look for traffic volume anomalies.
Answer: A

DNS tunneling exhibits abnormal characteristics that can be detected with tailored rules and baselines.

Why this answer

Option A is correct because DNS tunneling exploits legitimate DNS protocol behavior by encoding data in query payloads, making it invisible to signature-based detection. By writing custom Snort rules that monitor query size (typically > 255 bytes for TXT records), frequency (abnormally high query rates per domain), and domain name entropy (random-looking subdomains), and using full packet capture to baseline normal DNS traffic, you can detect anomalies indicative of tunneling with high precision and low false positives.

Exam trap

Cisco often tests the distinction between detection and prevention—candidates may incorrectly choose a blocking strategy (Option B) or a volume-based approach (Option D) instead of a detection method that leverages packet-level analysis and behavioral baselines.

How to eliminate wrong answers

Option B is wrong because blocking all DNS queries to external domains not on a whitelist is a restrictive, policy-based approach that would break normal internet access for users and services, and it does not detect tunneling—it only prevents it, which is not a monitoring strategy. Option C is wrong because increasing Snort signature sensitivity for all DNS-related alerts to maximum would generate an overwhelming number of false positives from legitimate DNS traffic (e.g., normal lookups, NXDOMAIN responses), rendering the IDS alerts useless for actual threat detection. Option D is wrong because NetFlow monitoring on the DNS server for traffic volume anomalies is too coarse—DNS tunneling often uses low-and-slow data transfer that does not create significant volume spikes, and NetFlow lacks the packet-level detail (e.g., query payload size, entropy) needed to distinguish tunneling from normal DNS traffic.

49
MCQ · medium

During an investigation, an analyst finds that an internal host has been communicating with a known malicious IP on port 445. Which protocol is most likely involved?

A. SSH
B. RDP
C. SMB
D. HTTP
Answer: C

SMB uses port 445.

Why this answer

Port 445 is the default port for Microsoft SMB (Server Message Block) over TCP, used for file sharing, printer sharing, and other network services. Communication with a known malicious IP on this port strongly indicates SMB-based activity, such as exploitation of vulnerabilities like EternalBlue (MS17-010) or unauthorized file access.

Exam trap

Cisco often tests the association of well-known ports with their protocols, and the trap here is that candidates may confuse port 445 with HTTP (80) or RDP (3389) due to common attack narratives, but the specific port 445 uniquely identifies SMB.

How to eliminate wrong answers

Option A is wrong because SSH (Secure Shell) uses port 22, not 445, and is used for secure remote administration, not file sharing. Option B is wrong because RDP (Remote Desktop Protocol) uses port 3389, not 445, and is used for remote graphical desktop access. Option D is wrong because HTTP uses port 80 (or 443 for HTTPS), not 445, and is used for web traffic, not direct file sharing or SMB operations.

50
MCQ · medium

Your organization recently deployed a new web application that uses HTTPS. The security team notices that the IDS is generating a large number of alerts for 'SSL/TLS handshake anomalies' and 'self-signed certificates'. After investigating, you find that many of these alerts are coming from a legitimate internal scanning tool that uses a self-signed certificate. The IDS also reports a high rate of 'TLS renegotiation' attempts from the same source. The CISO wants to reduce false positives while maintaining visibility. The IDS is based on Suricata and uses a default rule set. What is the best course of action?

A. Create a custom Suricata pass rule that excludes traffic from the specific IP address of the scanning tool.
B. Add a whitelist rule that ignores any traffic from any host using self-signed certificates.
C. Disable the Suricata rules that match self-signed certificates and TLS renegotiation.
D. Recommend removing the scanning tool from the network and using a different tool that uses a trusted certificate.
Answer: A

This precisely reduces false positives from a known source while keeping detection for others.

Why this answer

Option A is correct because creating a custom Suricata pass rule for the specific IP address of the legitimate scanning tool will suppress alerts for that known source while maintaining full visibility into all other traffic. This approach reduces false positives without disabling broader security monitoring, as the IDS continues to inspect and alert on SSL/TLS anomalies and self-signed certificates from all other hosts.

Exam trap

Cisco often tests the distinction between a targeted exclusion (like a pass rule for a specific IP) and a broad configuration change (like disabling rules or whitelisting entire categories), where candidates mistakenly choose the latter because they think it is simpler, not realizing it sacrifices security visibility.

How to eliminate wrong answers

Option B is wrong because whitelisting any traffic from hosts using self-signed certificates would broadly disable alerts for all self-signed certificate traffic, including potential malicious activity, thereby creating a significant security blind spot. Option C is wrong because disabling the Suricata rules for self-signed certificates and TLS renegotiation would globally remove detection for these events across all traffic, not just the scanning tool, which undermines the CISO's requirement to maintain visibility. Option D is wrong because removing the scanning tool is an unnecessary operational change; the tool is legitimate and can be safely excluded via a targeted pass rule, preserving both security and functionality.

51
MCQ · hard

An analyst is investigating a potential data exfiltration. The logs show a series of DNS queries with subdomains that appear to be base64-encoded strings. Which technique is likely being used?

A. DNS tunneling
B. DNS amplification
C. Fast flux
D. Domain generation algorithm
Answer: A

DNS tunneling encapsulates data in DNS queries to exfiltrate information.

Why this answer

DNS tunneling encodes data (e.g., exfiltrated files) into subdomains of DNS queries, which are then sent to a malicious authoritative DNS server controlled by the attacker. The base64-encoded subdomains in the logs are a classic indicator of this technique, as the attacker uses the DNS protocol to bypass network security controls and covertly transmit data.

Exam trap

Cisco often tests the distinction between DNS tunneling (data exfiltration via subdomain encoding) and DNS amplification (a volumetric DDoS attack), so candidates must recognize that base64-encoded subdomains point to tunneling, not amplification.

How to eliminate wrong answers

Option B is wrong because DNS amplification is a reflection-based DDoS attack that uses open resolvers to flood a victim with large DNS responses, not a data exfiltration technique. Option C is wrong because fast flux uses rapid changes in DNS A records to hide the IP addresses of malicious servers, not to encode data in subdomains. Option D is wrong because a domain generation algorithm (DGA) is used to periodically generate random domain names for command-and-control communication, not to encode exfiltrated data in subdomain labels.

52
MCQ · medium

A security analyst is reviewing IDS alerts and notices multiple TCP resets sent from an internal host with IP 10.10.10.25 to various external IPs on port 443. The alerts indicate that these resets occur immediately after the corresponding SYN-ACK from the external server, before any data exchange. The analyst suspects a TCP reset attack. Which action is most likely occurring?

A. A firewall is sending RST packets to block outbound traffic.
B. A client is properly closing a session after receiving data.
C. The client is retransmitting lost TCP segments.
D. An attacker is spoofing the client IP to send forged RST packets.
Answer: D

This is a classic TCP reset attack where the attacker spoofs the client's IP to terminate a connection.

Why this answer

The described behavior—TCP RST packets sent immediately after the SYN-ACK, before any data exchange, from an internal host to multiple external IPs on port 443—is characteristic of a TCP reset attack. In this attack, an adversary spoofs the source IP of the legitimate client (10.10.10.25) and sends forged RST segments to the external servers, causing them to abort the TCP handshake prematurely. This prevents the completion of the three-way handshake and disrupts the connection before any application data can be exchanged.

Exam trap

Cisco often tests the distinction between a legitimate RST (sent by a host to abort a connection due to an error or policy) and a spoofed RST (sent by an attacker to disrupt a connection), and the trap here is that candidates may assume the RST is from a firewall or a normal closure without considering the timing and source IP spoofing.

How to eliminate wrong answers

Option A is wrong because a firewall sending RST packets to block outbound traffic would typically do so in response to a policy violation, not immediately after every SYN-ACK from external servers, and the RST would originate from the firewall's IP, not from the internal host's IP. Option B is wrong because a client properly closing a session after receiving data would send a FIN packet, not a RST, and the RSTs here occur before any data exchange, which is not a normal closure. Option C is wrong because retransmitting lost TCP segments involves sending data packets (with sequence numbers), not RST packets; RST is used to abort a connection, not to retransmit data.

53
MCQ · easy

A network administrator wants to detect SQL injection attacks against web servers. Which type of IDS/IPS sensor placement would be most effective?

A. Outside the firewall
B. At the core switch
C. On the internal network
D. Inside the firewall on the DMZ
Answer: D

Monitors traffic to web servers after firewall filtering, reducing noise.

Why this answer

Option D is correct because placing the IDS/IPS inside the firewall on the DMZ allows it to inspect traffic that has already passed the firewall's initial access controls but is still destined for the web servers. SQL injection attacks target application-layer vulnerabilities in web services, and the DMZ is the network segment where these servers reside. This placement ensures the sensor can analyze decrypted HTTP/HTTPS payloads for malicious SQL patterns without being overwhelmed by general internet noise, while the firewall provides a first line of defense against non-web threats.

Exam trap

Cisco often tests the misconception that placing the IDS/IPS outside the firewall provides the best visibility, but the trap is that this ignores the need to filter out irrelevant traffic and focus on the specific segment (DMZ) where the targeted servers and their application-layer vulnerabilities exist.

How to eliminate wrong answers

Option A is wrong because placing the IDS/IPS outside the firewall exposes it to unprocessed internet traffic, including floods, scans, and encrypted noise, which can cause false positives and resource exhaustion before the firewall filters legitimate traffic. Option B is wrong because the core switch handles internal VLAN routing and high-speed backbone traffic; placing a sensor there would miss the specific HTTP/HTTPS traffic to web servers in the DMZ and could introduce latency in critical switching paths. Option C is wrong because the internal network is typically for trusted users and internal resources; SQL injection attacks originate from external or untrusted sources targeting web servers, so a sensor on the internal network would not see the attack traffic unless it has already passed through the DMZ and been redirected, which is inefficient and misses the point of early detection.

54
MCQ · easy

An IDS generates an alert for a signature that matches HTTP traffic containing 'cmd.exe' in the URI. The analyst checks the packet and sees the URI is actually 'cmd.exe?help'. What should the analyst do?

A. Block the source IP
B. Tune the signature to reduce false positives
C. Disable the signature
D. Escalate to incident response
Answer: B

Tuning allows the signature to still detect malicious usage while ignoring benign occurrences.

Why this answer

The IDS signature triggered on the presence of 'cmd.exe' in the URI, but the actual traffic was 'cmd.exe?help', which is a legitimate help request and not an exploitation attempt. Tuning the signature to account for the query string reduces false positives without losing detection capability for actual attacks. This aligns with best practices for IDS management, where signatures are adjusted to match real threat patterns rather than exact strings.

Exam trap

Cisco often tests the distinction between a false positive and a true positive, and the trap here is that candidates may assume any match for 'cmd.exe' is malicious, leading them to choose escalation or blocking instead of recognizing the need for signature tuning.

How to eliminate wrong answers

Option A is wrong because blocking the source IP would be an overreaction to a false positive; the traffic is benign and does not indicate malicious intent. Option C is wrong because disabling the signature entirely would remove detection for actual 'cmd.exe' exploitation attempts, leaving the network vulnerable. Option D is wrong because escalating to incident response is unnecessary for a confirmed false positive; incident response is reserved for verified security incidents, not benign traffic that triggered a signature.

55
Multi-Select · hard

Which THREE types of network traffic anomalies are strong indicators of a data exfiltration attempt?

Select 3 answers
A. TCP connections with unusual port numbers (e.g., using SSH on port 80)
B. DNS queries with long subdomains encoding data
C. Frequent ARP requests from a single host
D. High number of SYN packets without corresponding ACKs
E. Large amounts of outbound traffic to a single destination during non-business hours
Answers: A, B, E

Unusual port usage can indicate covert channels.

Why this answer

Option A is correct because data exfiltration often involves tunneling covert traffic over non-standard ports to bypass firewall rules. For example, using SSH on TCP port 80 (HTTP) allows an attacker to hide command-and-control or file transfer traffic within allowed web traffic, making it difficult for basic port-based ACLs to detect.

Exam trap

Cisco often tests the distinction between network anomalies that indicate data exfiltration versus those that indicate denial-of-service or reconnaissance; the trap here is confusing a SYN flood (Option D) with a covert channel, when exfiltration requires established, often stealthy, outbound connections.

56
MCQ · easy

You are monitoring network traffic and notice a sudden spike in outbound UDP traffic from a single internal host to various external IPs on port 123 (NTP). The traffic pattern shows a high volume of small packets. The host in question is a Linux server that does not run any NTP services. The IDS does not generate any alerts for this traffic. Which type of attack is most likely occurring?

A. The host is participating in an NTP amplification DDoS attack.
B. The host is scanning for open NTP servers.
C. Data exfiltration via NTP tunneling.
D. The host is performing an NTP time synchronization query.
Answer: A

NTP amplification uses small queries to generate large responses; the outbound traffic is the queries.

Why this answer

The sudden spike in outbound UDP traffic from a single internal host to multiple external IPs on port 123 (NTP) with small packets indicates the host is being used as a reflector in an NTP amplification DDoS attack. The attacker spoofs the victim's IP address and sends small queries to open NTP servers, which respond with large replies directed at the victim, but in this scenario the internal host is the one sending the queries (likely due to malware or misconfiguration), making it the amplifier. The lack of IDS alerts suggests the traffic matches normal NTP patterns, but the volume and destination diversity confirm the attack.

Exam trap

Cisco often tests the distinction between being a victim of amplification (receiving large responses) versus being the amplifier (sending queries), and candidates mistakenly assume the host is the victim when the outbound traffic indicates it is the source of the queries.

How to eliminate wrong answers

Option B is wrong because scanning for open NTP servers would involve sending probes to multiple hosts and analyzing responses, not generating a high volume of outbound traffic from a single host to many external IPs; the pattern described is characteristic of an amplification attack, not a scan. Option C is wrong because data exfiltration via NTP tunneling would require encapsulating data in NTP packets, which typically results in irregular packet sizes or timing, not a high volume of small packets to many external IPs; the described pattern lacks the stealth and consistency of tunneling. Option D is wrong because an NTP time synchronization query would involve a small number of packets to a few NTP servers (e.g., pool.ntp.org), not a high volume of small packets to numerous external IPs; the host does not run NTP services, making this behavior anomalous.

57
MCQeasy

Refer to the exhibit. An analyst sees repeated ICMP echo requests from a host to the broadcast address. What is this an example of?

A.Ping sweep
B.Smurf attack
C.ICMP tunneling
D.Denial of service
AnswerB

Smurf attack uses broadcast ICMP to amplify traffic.

Why this answer

A Smurf attack sends ICMP echo requests to a network broadcast address with the source IP spoofed to the victim's address. All hosts on the network reply to the victim, overwhelming it with traffic. This is a classic amplification-based denial-of-service attack.

Exam trap

Cisco often tests the distinction between a generic DoS and a specific named attack (Smurf) to see if candidates recognize the unique broadcast amplification mechanism rather than just the outcome of service disruption.

How to eliminate wrong answers

Option A is wrong because a ping sweep sends ICMP echo requests to multiple individual hosts to map live systems, not to a broadcast address. Option C is wrong because ICMP tunneling encapsulates non-ICMP data (e.g., DNS, HTTP) inside ICMP packets to bypass firewalls, not to flood a victim via broadcast amplification. Option D is wrong because while a Smurf attack results in denial of service, the specific technique described (ICMP echo requests to a broadcast address) is the Smurf attack, not a generic DoS; Cisco expects the precise attack name.

58
Matchingmedium

Match each Linux command to its function.


Concepts
Matches

Search text using patterns

Capture and analyze network packets

Display network connections and statistics

Configure firewall rules

Change file permissions

Why these pairings

These commands are essential for Linux system administration and security analysis.

59
MCQmedium

A network engineer is configuring a Cisco Firepower IPS. To reduce false positives from legitimate updates, which action should be taken?

A.Use a whitelist for the update server
B.Enable adaptive profile
C.Disable the signature
D.Set the signature to generate only alert
AnswerB

Adaptive profiles let the IPS inspect traffic the way the actual target host will process it, which reduces false positives.

Why this answer

Enabling adaptive profiles lets Firepower use the host profiles built by network discovery (operating system, services) to select the matching target-based policies for IP defragmentation and TCP stream reassembly, so traffic is reassembled and inspected the way the destination host will actually interpret it. That removes a large class of false positives caused by inspecting traffic under the wrong reassembly assumptions. Whitelisting the update server (Option A) also works, but only for that one source; adaptive profiles are the mechanism designed to reduce false positives dynamically across all traffic. Disabling the signature (C) or downgrading it to alert-only (D) removes protection rather than tuning it.

60
MCQmedium

A security analyst is reviewing logs from a network-based IPS that detected traffic from an internal host connecting to a known malicious IP address on port 6667. The traffic is encrypted IRC. Which conclusion is most likely?

A.The traffic is a normal application update
B.The host is running a legitimate IRC client
C.The host is compromised and part of a botnet
D.The IPS is generating a false positive
AnswerC

Encrypted IRC to a malicious IP is a strong botnet indicator.

Why this answer

Port 6667 is the default port for IRC (Internet Relay Chat), and encrypted IRC traffic to a known malicious IP strongly indicates command-and-control (C2) communication. Botnets commonly use IRC over TLS/SSL to evade detection and issue commands to compromised hosts. Therefore, the host is most likely compromised and part of a botnet.

Exam trap

Cisco often tests the misconception that encrypted traffic is always benign or that port 6667 is only used for legitimate chat, leading candidates to overlook the known malicious IP indicator.

How to eliminate wrong answers

Option A is wrong because normal application updates typically use HTTP/HTTPS on ports 80/443 or vendor-specific ports, not port 6667 with encrypted IRC. Option B is wrong because a server on a threat-intelligence blocklist is not a legitimate IRC service; a genuine IRC client would be connecting to a known public or corporate IRC network. Option D is wrong because the IPS signature matched encrypted IRC traffic to a known malicious IP, which is a strong indicator of compromise, not a false positive.

61
MCQmedium

An analyst reviews Snort alert logs and sees many alerts for 'SQL Injection Attempt' from a single external IP to a public-facing web server. Which analysis step is most effective?

A.Block the IP at the firewall immediately
B.Check the web server logs for the same IP
C.Run a port scan against the IP
D.Disable the SQL injection signature
AnswerB

Web server logs show the actual HTTP requests and the server's responses, which is what tells you whether the attempts did anything.

Why this answer

Checking the web server logs for the same IP is the most effective step because it lets the analyst correlate the Snort alerts with the actual HTTP requests. The logs supply the specific URI, parameters, response codes and response sizes needed to judge impact: a 500 usually means the injected query broke, and a 200 by itself proves nothing, but a 200 with an unusually large or changed response body, or a run of time-based payloads, is what shows whether the injection went beyond reconnaissance.

Exam trap

The trap here is that candidates often choose to block the IP immediately (Option A) as a 'quick fix' without realizing that incident response requires validation and evidence collection before taking containment actions.

How to eliminate wrong answers

Option A is wrong because immediately blocking the IP at the firewall is a reactive measure that may disrupt legitimate traffic (e.g., shared NAT IPs) and does not provide forensic evidence or confirm the attack's success. Option C is wrong because running a port scan against the IP is an active reconnaissance technique that could be illegal without authorization, and it does not help analyze the existing alerts or validate the SQL injection attempts. Option D is wrong because disabling the SQL injection signature would suppress all future alerts for that attack vector, leaving the web server vulnerable and eliminating visibility into ongoing or future SQL injection attempts.

62
MCQmedium

You are a security analyst for a medium-sized enterprise. You notice that the network monitoring system has flagged an unusual amount of traffic between two internal hosts: 192.168.1.10 (a file server) and 192.168.1.20 (a workstation in the sales department). The traffic is occurring on port 445 (SMB) and is happening outside of normal business hours. The volume of data transferred is significantly higher than typical usage. The file server logs show that the sales workstation has been accessing a large number of files in quick succession. The sales employee reports that they have been working late, but they cannot explain the high volume of file access. You have access to the file server logs, network flow data, and the workstation's event logs. The workstation has antivirus software installed that is up to date. What should you do FIRST?

A.Isolate the workstation from the network immediately
B.Reimage the workstation to ensure it is clean
C.Run a full antivirus scan on the workstation
D.Analyze network flow data to identify the destination of the data
AnswerA

Isolation stops potential ransomware spread or data theft.

Why this answer

Option A is correct because high-volume SMB traffic on port 445 outside business hours, with a large number of files opened in quick succession that the user cannot explain, strongly indicates ransomware staging or data exfiltration in progress. The evidence already in hand is enough to treat this as an incident, so the priority is short-term containment: isolating the workstation (network isolation, not powering it off) stops lateral movement and further encryption or exfiltration while leaving memory and disk intact for forensics. Deeper analysis follows once the damage has been stopped.

Exam trap

Cisco often tests the incident response priority of containment once evidence of active harm exists; the trap is that candidates choose further analysis (Option D) or remediation (Options B and C) first, forgetting that immediate isolation limits further damage while still preserving the evidence needed later.

How to eliminate wrong answers

Option B is wrong because reimaging the workstation destroys forensic evidence (memory artifacts, logs, malware samples) needed for root cause analysis and attribution. Option C is wrong because a full antivirus scan is a secondary step after containment: the antivirus is already up to date and has detected nothing, so fileless or zero-day malware may be present, and running a scan on a live compromised host alters volatile evidence. Option D is wrong because analyzing network flow data to identify the destination of the data is a post-containment analysis step; delaying isolation risks letting the exfiltration or encryption complete.

63
Multi-Selectmedium

Which two characteristics are commonly associated with a distributed denial-of-service (DDoS) attack?

Select 2 answers
A.High volume of traffic from multiple sources
B.Multiple failed login attempts
C.Slow application response time
D.Unusual increase in ICMP echo requests
E.Traffic from a single IP address
AnswersA, D

Multiple sources are a defining feature of DDoS.

Why this answer

A DDoS attack is characterized by a high volume of traffic originating from multiple compromised sources (a botnet) to overwhelm a target. This distributed nature distinguishes it from a DoS attack, which typically uses a single source. The goal is to exhaust the target's bandwidth, processing capacity, or application resources, causing denial of service for legitimate users.

Exam trap

Cisco often tests the distinction between a DoS (single source) and a DDoS (multiple sources), so the trap here is that candidates may incorrectly select 'Traffic from a single IP address' (option E) as a DDoS characteristic, confusing the two attack types.

64
Multi-Selecteasy

Which TWO actions should an analyst take when a critical alert is triggered?

Select 2 answers
A.Delete the alert to reduce noise
B.Verify the alert with other sources
C.Escalate to incident response team
D.Search for similar alerts in the past
E.Immediately power off the affected system
AnswersB, C

Correct. Corroborating the alert with other logs confirms its validity.

Why this answer

Option B is correct because verifying a critical alert with other sources (e.g., correlating with firewall logs, NetFlow data, or EDR telemetry) is a fundamental step to confirm the alert is a true positive and not a false positive. This cross-validation reduces the risk of acting on inaccurate information and ensures that the incident response process is based on reliable evidence. Without verification, an analyst might escalate a non-threatening event, wasting resources and potentially missing a real threat.

Exam trap

Cisco often tests the misconception that immediate containment actions like powering off a system are always the correct first step, when in fact verification and preservation of evidence are prioritized to avoid destroying critical forensic data.

65
MCQhard

During a threat hunt, an analyst discovers sustained outbound traffic from a workstation to multiple IP addresses in different countries on port 443. The traffic patterns show periodic spikes at 5-minute intervals. The workstation is used by a sales representative who frequently accesses cloud CRM. Which additional evidence would most strongly suggest the workstation is compromised?

A.The CRM application uses port 443
B.The sales representative reported slow performance
C.The outbound traffic includes connections to IPs not associated with the CRM
D.The workstation has antivirus installed and up-to-date
AnswerC

Unknown IPs suggest malicious communication.

Why this answer

Option C is correct because outbound traffic to IP addresses not associated with the CRM application indicates the workstation is communicating with unknown or malicious destinations. Since the CRM is accessed via a known domain or IP range, connections to unrelated IPs on port 443 (HTTPS) suggest the workstation may be part of a botnet or exfiltrating data, especially given the periodic spikes at 5-minute intervals, which are characteristic of beaconing behavior used by malware to maintain command-and-control (C2) communications.

Exam trap

Cisco often tests the concept that legitimate application traffic (e.g., CRM on port 443) can be used as a smokescreen, and candidates mistakenly assume that any traffic on a standard port is benign, overlooking the importance of destination IP analysis and traffic patterns like beaconing.

How to eliminate wrong answers

Option A is wrong because the CRM application legitimately uses port 443 for HTTPS traffic, so this alone does not indicate compromise; it is expected behavior. Option B is wrong because slow performance is a subjective symptom that can be caused by many benign factors (e.g., network congestion, resource-heavy applications) and is not a definitive indicator of compromise. Option D is wrong because having antivirus installed and up-to-date does not guarantee the workstation is not compromised; malware can evade detection through techniques like polymorphism or zero-day exploits, and antivirus is not a real-time indicator of current infection status.
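Both pieces of evidence the explanation names, destinations outside the CRM's address space and the five-minute regularity, can be measured from connection timestamps. The following is an added example, not part of the original question set: for each destination the workstation talks to on 443 it checks the address against the CRM vendor's published ranges (an assumed range here) and, for unknown destinations with enough samples, computes the mean gap between connections and its coefficient of variation; human-driven traffic is irregular, while a beacon's gaps cluster tightly around its sleep interval. The timestamps and thresholds are constructed for illustration.

```python
"""Detect C2-style beaconing: regular intervals to destinations outside the
approved application's address space.

Added example with constructed connection timestamps. The CRM address
range and the thresholds are assumptions for illustration.
"""
import ipaddress
import statistics

# Assumed: address ranges the CRM vendor publishes for its service.
CRM_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed connection start times (seconds since start of capture),
# keyed by destination IP, all from the sales workstation on TCP/443.
CONNECTIONS = {
    # CRM: user-driven, irregular timing.
    "203.0.113.5": [0, 37, 41, 190, 230, 610, 640, 700],
    # Unknown host: every ~300 s with a little jitter.
    "198.51.100.77": [0, 302, 599, 903, 1200, 1498, 1801, 2102],
    # Unknown host: too few samples to judge regularity.
    "192.0.2.9": [15, 800, 1700],
}


def is_approved(ip, ranges=CRM_RANGES):
    """True when the destination falls inside an approved application range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def interval_stats(times):
    """Mean and coefficient of variation of the gaps between connections."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return mean, cv


def assess(dst, times, min_samples=6, max_cv=0.15):
    """Label one destination.

    min_samples: connections needed before regularity means anything (assumed)
    max_cv:      spread below which timing is too regular for a human (assumed)
    """
    if is_approved(dst):
        return "approved_destination"
    if len(times) < min_samples:
        return "unknown_destination_insufficient_data"
    mean, cv = interval_stats(sorted(times))
    if cv <= max_cv:
        return f"beacon_suspected_every_{round(mean)}s"
    return "unknown_destination_irregular"


def hunt(connections):
    """Return {destination: verdict} for every destination seen."""
    return {dst: assess(dst, times) for dst, times in connections.items()}


if __name__ == "__main__":
    for dst, verdict in hunt(CONNECTIONS).items():
        print(f"{dst:15} {verdict}")
```

Malware that adds large random jitter to its sleep will push the coefficient of variation above the threshold, so in practice pair this timing check with other beacon traits such as near-constant bytes per session and the same TLS fingerprint on every connection.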

66
Multi-Selecthard

Which THREE of the following are common evasion techniques used by attackers?

Select 3 answers
A.Slow scans
B.Fragmentation
C.Using high ports
D.Patching vulnerabilities
E.Encryption
AnswersA, B, E

Correct. Slow scans avoid triggering threshold-based alerts.

Why this answer

Slow scans are a common evasion technique used by attackers to avoid detection by intrusion detection systems (IDS) and intrusion prevention systems (IPS). By sending packets at a very low rate, often over hours or days, the scan falls below the threshold of time-based detection algorithms that trigger alerts on rapid port sweeps. This technique exploits the fact that many security devices rely on timing heuristics to identify reconnaissance activity.

Exam trap

Cisco often tests the distinction between evasion techniques and general security practices; the trap here is that candidates may mistake 'patching vulnerabilities' as an attacker action, when in reality it is a defender's mitigation strategy, not an evasion method.

67
Matchingmedium

Match each analysis type to its description.


Concepts
Matches

Examining file without executing it

Running file in a sandbox to observe behavior

Matching patterns against known threats

Detecting deviations from baseline behavior

Using rules to detect unknown threats

Why these pairings

These are key analysis methodologies in cybersecurity.

68
MCQmedium

Refer to the exhibit. What does this Snort rule detect?

A.A NetBIOS name service query
B.A vulnerability in Microsoft RPC
C.Normal SMB traffic
D.Exploit code for a buffer overflow
AnswerD

Correct. The null-byte pattern is indicative of a buffer overflow exploit.

Why this answer

The Snort rule detects a buffer overflow attempt by matching a distinctive byte pattern in the payload (here the null-byte sequence, typically alongside filler such as a long run of 'A' characters or a NOP sled ahead of shellcode) rather than anything about the protocol itself. Buffer overflow exploits send oversized or specially structured data to corrupt memory, and Snort rules pin such payloads down by combining content matches with options such as byte_test, isdataat, depth and offset. The rule may well name SMB or RPC as the carrier, but what it fires on is the exploit payload, not the protocol.

Exam trap

Cisco often tests the distinction between protocol-specific signatures (e.g., 'this is SMB traffic') and exploit-specific signatures (e.g., 'this is a buffer overflow payload'), so the trap here is that candidates see 'SMB' in the rule and assume it's normal SMB traffic, missing the exploit pattern in the payload.

How to eliminate wrong answers

Option A is wrong because a NetBIOS name service query uses UDP port 137 and has a specific packet structure (e.g., name query transaction ID), not the payload pattern of a buffer overflow. Option B is wrong because a vulnerability in Microsoft RPC would be detected by a rule matching the RPC interface UUID or opnum, not a generic exploit payload pattern. Option C is wrong because normal SMB traffic follows protocol state machines and does not contain oversized or malformed payloads that trigger buffer overflow signatures.

69
MCQmedium

A network analyst is troubleshooting a false positive alert from an IPS that blocks traffic to a legitimate database server. The alert signature is triggered by the pattern 'OR 1=1'. The analyst determines that the traffic is from a web application that uses dynamic SQL queries. Which action best reduces false positives while maintaining security?

A.Increase the sensitivity of the signature
B.Add the database server IP to an exception list
C.Change the signature to alert-only mode
D.Disable the signature entirely
AnswerB

Whitelisting known good traffic reduces false positives.

Why this answer

Option B is correct because adding the database server IP to an exception list tells the IPS to ignore the 'OR 1=1' pattern only for traffic destined to that legitimate database server, while the signature keeps blocking the same pattern aimed at every other host. That removes the false positive caused by the web application's dynamic SQL without weakening detection elsewhere. In practice the exception should be scoped as tightly as the platform allows, ideally to the web application server as source and the database server as destination, because an exception keyed on the destination alone also hides a real injection sent to that database from any other internal host.

Exam trap

Cisco often tests the difference between reducing false positives and reducing security: candidates pick alert-only mode (option C) because it stops the unwanted blocking, without noticing that it also stops blocking real attacks that match the same pattern, so it does not maintain security.

How to eliminate wrong answers

Option A is wrong because increasing the sensitivity of the signature would make it trigger on even more benign traffic, worsening the false positive problem. Option C is wrong because changing the signature to alert-only mode would stop blocking the false positive but would also prevent the IPS from blocking actual SQL injection attacks using the same pattern, reducing security. Option D is wrong because disabling the signature entirely removes protection against all 'OR 1=1' attacks across the network, which is an overreaction to a single false positive.

70
MCQhard

Refer to the exhibit. What does this packet capture indicate?

A.SYN flood
B.Port scan
C.Session hijack
D.Normal HTTP traffic
AnswerB

The pattern matches a TCP SYN (half-open) scan.

Why this answer

The packet capture shows multiple TCP SYN packets from one source to a single host (10.10.10.10) on different ports (80, 443, 22, 21), with the source never sending the ACK that would complete a handshake. That is the signature of a port scan, specifically a SYN (half-open) scan: open ports answer with SYN-ACK and the scanner tears the attempt down with a RST, closed ports answer with RST, and either way the scanner learns the port state without ever establishing a connection.

Exam trap

Cisco often tests the distinction between a SYN flood (volume-based attack on a single port) and a SYN scan (probing multiple ports), where candidates mistakenly associate any SYN traffic with a flood rather than recognizing the multi-port pattern as reconnaissance.

How to eliminate wrong answers

Option A is wrong because a SYN flood involves sending a high volume of SYN packets to a single port to exhaust server resources, not probing multiple ports. Option C is wrong because session hijacking requires an established TCP session with sequence number prediction, which is absent here. Option D is wrong because normal HTTP traffic would show completed three-way handshakes (SYN, SYN-ACK, ACK) and subsequent data transfer, not isolated SYN packets to multiple ports.

71
MCQhard

Which type of attack does this Snort alert most likely indicate?

A.Buffer overflow
B.SQL injection
C.Directory traversal
D.Cross-site scripting
AnswerC

Unicode bypass of './' and '../' filters is a known directory traversal technique.

Why this answer

The Snort alert signature 'ET WEB_SERVER ATTACKS Directory Traversal Attempt' specifically detects patterns like '../' or encoded variants (e.g., '%2e%2e%2f') in HTTP requests. This indicates an attempt to access files outside the web root directory, which is the hallmark of a directory traversal attack. The alert triggers on the URI path, not on SQL syntax or script injection patterns.

Exam trap

Cisco often tests the ability to distinguish between web application attacks by focusing on the specific payload pattern in the alert signature, where candidates confuse directory traversal with SQL injection or XSS because all three involve HTTP requests.

How to eliminate wrong answers

Option A is wrong because a buffer overflow attack typically triggers alerts based on oversized payloads or specific shellcode patterns (e.g., NOP sleds, long strings in protocol fields), not directory traversal strings. Option B is wrong because SQL injection alerts would match SQL keywords like 'UNION', 'SELECT', or 'OR 1=1' in query parameters, not path traversal sequences. Option D is wrong because cross-site scripting alerts detect script tags (e.g., '<script>', 'onerror=') or encoded JavaScript in user input, not '../' path manipulation.
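The encoded variants the explanation mentions are exactly what a detector has to normalise away before it can see the '../'. The following is an added example, not part of the original question set or of any Snort rule: it percent-decodes a request path repeatedly (so double encoding such as %252e is undone), maps the overlong UTF-8 forms that once slipped past IIS filters back to '/' and '.', folds backslashes to forward slashes, and then walks the path segments to report both whether '..' is present at all and whether the path would climb above the web root. The URIs and the overlong-sequence table are constructed for illustration.

```python
"""Canonicalize a request path and decide whether it is a traversal attempt.

Added example with constructed URIs. It undoes percent-encoding, double
encoding, the overlong UTF-8 '/' and '.' sequences and backslashes before
looking for '..' segments.
"""
import posixpath
from urllib.parse import unquote_to_bytes

# Overlong UTF-8 forms that some decoders accepted as '/', '.' and '\'
# (assumed table for the example; extend as needed).
OVERLONG = {b"\xc0\xaf": b"/", b"\xc0\xae": b".", b"\xc1\x9c": b"\\"}


def canonicalize(path, max_rounds=3):
    """Decode repeatedly until stable so double encoding (%252e) is undone."""
    current = path
    for _ in range(max_rounds):
        raw = unquote_to_bytes(current)
        for overlong, plain in OVERLONG.items():
            raw = raw.replace(overlong, plain)
        decoded = raw.decode("utf-8", errors="replace")
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def analyze(uri):
    """Report whether the path contains '..' and whether it escapes the web root."""
    path = canonicalize(uri.split("?", 1)[0])
    segments = path.split("/")
    depth, escapes = 0, False
    for seg in segments:
        if seg == "..":
            depth -= 1
            escapes = escapes or depth < 0
        elif seg not in ("", "."):
            depth += 1
    return {"attempt": ".." in segments, "escapes_root": escapes,
            "resolved": posixpath.normpath(path)}


SAMPLES = [  # constructed request URIs
    "/images/logo.png",
    "/products?id=1%27%20OR%201%3D1--",
    "/images/../../etc/passwd",
    "/images/%2e%2e%2f%2e%2e%2fetc/passwd",
    "/images/%252e%252e%252fetc/passwd",
    "/images/..%c0%af..%c0%afetc/passwd",
    "/images/..%5c..%5cwindows/win.ini",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = analyze(s)
        tag = "TRAVERSAL" if r["attempt"] else "ok"
        print(f"{tag:9} root_escape={str(r['escapes_root']):5} {s} -> {r['resolved']}")
```

The split between "attempt" and "escapes_root" matters for triage: a single '../' that stays inside the document root is still an attacker probing (and worth the alert), but one that climbs above the root is the request to check the server's response for.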

72
MCQmedium

A security engineer reviews syslog data and sees multiple authentication failures from a single source IP to different SSH servers. The source IP is internal. What does this indicate?

A.Brute-force attack
B.User error
C.Misconfigured client
D.Network scan
AnswerA

Repeated failed attempts from one source to multiple targets is a classic brute-force pattern.

Why this answer

Multiple authentication failures from a single internal source IP to different SSH servers is a classic indicator of a brute-force attack. The attacker is systematically attempting to guess credentials across multiple targets, which is distinct from a single misconfiguration or user error. This pattern is commonly seen in post-compromise lateral movement or initial foothold attempts within the network.

Exam trap

Cisco often tests the distinction between a network scan (which only checks for open ports) and an actual authentication attack (which generates syslog auth failures), causing candidates to confuse the two.

How to eliminate wrong answers

Option B is wrong because user error typically results in repeated failures to a single server (e.g., mistyped password), not to multiple different SSH servers from the same IP. Option C is wrong because a misconfigured client would likely fail authentication to a specific server due to key mismatch or protocol version, not generate failures across multiple distinct servers. Option D is wrong because a network scan (e.g., using Nmap) would probe for open ports (TCP 22) without attempting SSH authentication, so it would not produce authentication failure logs.

73
MCQeasy

An analyst notices a series of SYN packets sent to a host at increasing speed, with no SYN-ACK replies. What kind of attack is this?

A.SYN flood
B.SSL stripping
C.ARP spoofing
D.Smurf attack
AnswerA

SYN flood exploits the TCP handshake by sending many SYN packets.

Why this answer

A SYN flood attack exploits the TCP three-way handshake by sending SYN segments to a target at an ever-increasing rate without ever completing the handshake. The target allocates a half-open connection for each SYN, and once its backlog is exhausted it can no longer accept legitimate connections. The lack of SYN-ACK replies in the capture is consistent with that: the target has stopped answering because its backlog is full, or the SYNs carry spoofed source addresses so any SYN-ACKs go elsewhere. Either way no handshake completes, which is the hallmark of this denial-of-service technique.

Exam trap

Cisco often tests the distinction between a SYN flood (TCP handshake exhaustion) and a Smurf attack (ICMP broadcast amplification), so candidates mistakenly associate any flood of packets with ICMP-based attacks rather than recognizing the specific TCP SYN behavior described.

How to eliminate wrong answers

Option B is wrong because SSL stripping is a man-in-the-middle attack that downgrades HTTPS connections to HTTP, not a network-layer flood using SYN packets. Option C is wrong because ARP spoofing involves sending forged ARP replies to associate the attacker's MAC address with a legitimate IP, enabling traffic interception, not a flood of TCP SYN segments. Option D is wrong because a Smurf attack uses ICMP echo requests sent to a broadcast address with a spoofed source IP, causing all hosts on the network to reply to the victim, which is an ICMP-based amplification attack, not a TCP SYN-based flood.

74
MCQeasy

An analyst notices that a host is sending large amounts of data to an external IP address on TCP port 22 during non-business hours. What is the most likely activity?

A.Remote administration
B.DNS query
C.FTP file transfer
D.Data exfiltration via SSH
AnswerD

SSH on port 22 can be used to tunnel data out.

Why this answer

SSH (TCP port 22) is commonly used for secure remote administration, but the scenario describes large data transfers to an external IP during non-business hours, which is a classic indicator of data exfiltration. Attackers often use SSH tunneling to bypass security controls and exfiltrate data because SSH encrypts the traffic, making it difficult for network monitoring tools to inspect the payload. The combination of high volume, external destination, and off-hours activity strongly suggests malicious data theft rather than legitimate administrative tasks.

Exam trap

Cisco often tests the misconception that SSH is only used for remote administration, causing candidates to overlook the data exfiltration angle when large data transfers occur on port 22 during suspicious hours.

How to eliminate wrong answers

Option A is wrong because remote administration via SSH typically involves interactive sessions or small control commands, not large data transfers; legitimate admins would also likely operate during business hours. Option B is wrong because DNS queries use UDP/TCP port 53, not port 22, and are small packets for name resolution, not bulk data transfer. Option C is wrong because FTP file transfer uses TCP ports 20 and 21, not port 22; while SFTP (SSH File Transfer Protocol) runs over SSH, the question specifies 'FTP file transfer' which refers to the standard FTP protocol.

75
MCQeasy

A security analyst reviews an alert from the IPS that shows a spike in TCP SYN packets from an external IP to multiple internal hosts on port 443. What is the most likely attack type?

A.SYN flood
B.Port scanning
C.Man-in-the-middle
D.DNS amplification
AnswerA

A SYN flood sends many TCP SYN packets to exhaust resources.

Why this answer

A SYN flood attack exploits the TCP three-way handshake by sending a high volume of SYN packets without ever completing the handshake, so the targets fill their half-open connection backlogs and start refusing legitimate connections. The alert describes a spike in TCP SYN packets from one external IP to multiple internal hosts on port 443, which matches a SYN flood against the HTTPS services of several hosts at once (flood sources are often spoofed, so a single visible address does not make it any less of a flood). The word 'spike' is the key: the IPS is seeing far more connection attempts than a scan would ever need to send.

Exam trap

Cisco often tests the distinction between a SYN flood and port scanning by emphasizing that a SYN flood targets multiple hosts on the same port, while port scanning targets multiple ports on a single host.

How to eliminate wrong answers

Option B is wrong because port scanning, in the exam's framing, involves a single source sending SYN packets to multiple ports on a single host to discover open services, not to multiple hosts on the same port. Note that a single source sending one SYN per host to the same port across many hosts is also a scan (a horizontal sweep for hosts listening on 443); what marks this alert as a flood rather than a sweep is the volume. Option C is wrong because a man-in-the-middle attack requires intercepting and potentially modifying traffic between two parties, which does not align with a spike in unsolicited SYN packets. Option D is wrong because DNS amplification attacks use spoofed source IPs to send small queries to open DNS resolvers, which then send large responses to the victim, and they rely on UDP, not TCP SYN packets.
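Questions 70, 73 and 75 all turn on the same three measurements of a source's SYN traffic: how many destination ports it touches, how many destination hosts, and how fast it sends. The following is an added example, not part of the original question set: over constructed TCP events it computes those per source, uses the ratio of ACKs to SYNs to recognise clients that actually complete handshakes, and labels the rest as a vertical port scan (question 70), a SYN flood against one or many hosts (questions 73 and 75) or a slow horizontal sweep, which the flood-vs-scan caveat above describes. The events and all thresholds are assumptions for illustration.

```python
"""Tell a vertical port scan, a horizontal sweep and a SYN flood apart from
the SYN pattern alone.

Added example over constructed TCP events. All thresholds are assumptions.
"""
from collections import defaultdict

# Constructed events: (time_s, src_ip, dst_ip, dst_port, flags)
EVENTS = []
# One source probing several ports on one host, never completing a handshake.
for i, port in enumerate((21, 22, 80, 443, 3389, 8080)):
    EVENTS.append((i * 1.0, "198.51.100.5", "10.10.10.10", port, "S"))
# One source hitting 20 internal hosts on 443 with 2000 SYNs in two seconds.
for n in range(2000):
    EVENTS.append((n * 0.001, "203.0.113.200", f"10.0.0.{1 + n % 20}", 443, "S"))
# One source hammering a single host and port: 3000 SYNs in three seconds.
for n in range(3000):
    EVENTS.append((n * 0.001, "203.0.113.77", "10.0.0.5", 443, "S"))
# A slow sweep of the same port across hosts: reconnaissance, not a flood.
for n in range(20):
    EVENTS.append((n * 2.0, "198.51.100.9", f"10.0.0.{1 + n}", 443, "S"))
# A normal client: each SYN is followed by the ACK that completes the handshake.
for n in range(5):
    EVENTS.append((n * 10.0, "192.0.2.33", "10.0.0.5", 443, "S"))
    EVENTS.append((n * 10.0 + 0.05, "192.0.2.33", "10.0.0.5", 443, "A"))


def per_source(events):
    """Count SYNs and ACKs, distinct targets and ports, and the time span per source."""
    stats = defaultdict(lambda: {"syn": 0, "ack": 0, "dsts": set(), "ports": set(),
                                 "first": None, "last": None})
    for t, src, dst, port, flags in events:
        s = stats[src]
        if flags == "S":
            s["syn"] += 1
            s["dsts"].add(dst)
            s["ports"].add(port)
            s["first"] = t if s["first"] is None else min(s["first"], t)
            s["last"] = t if s["last"] is None else max(s["last"], t)
        elif flags == "A":
            s["ack"] += 1
    return stats


def label(s, scan_ports=5, sweep_hosts=5, flood_rate=100.0, complete_ratio=0.8):
    """Classify one source (every threshold is assumed for the example)."""
    if s["syn"] and s["ack"] / s["syn"] >= complete_ratio:
        return "normal_client"          # handshakes complete: ordinary traffic
    duration = max((s["last"] or 0) - (s["first"] or 0), 1.0)
    rate = s["syn"] / duration          # SYNs per second
    if len(s["ports"]) >= scan_ports and len(s["dsts"]) < len(s["ports"]):
        return "vertical_port_scan"     # many ports, one host
    if len(s["dsts"]) >= sweep_hosts and len(s["ports"]) == 1:
        return "syn_flood" if rate >= flood_rate else "horizontal_sweep"
    return "syn_flood" if rate >= flood_rate else "unclassified"


def classify(events):
    """Return {source_ip: label}."""
    return {src: label(s) for src, s in per_source(events).items()}


if __name__ == "__main__":
    for src, verdict in sorted(classify(EVENTS).items()):
        print(f"{src:15} {verdict}")
```

The rate threshold is the one to tune against the environment: a busy load balancer legitimately opens hundreds of connections per second, but it also completes them, which is why the handshake-completion check runs first.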
