CCNA Security Questions

12 of 162 questions · Page 3/3 · Security topic · Answers revealed

151
MCQ · hard

A cloud tenant shows an unusual spike in IAM policy changes, access key creation, and failed console logons from a new country. Which telemetry set gives the strongest evidence for control-plane compromise? In the containment trade-off phase, which response balances containment with evidence preservation?

A. Web server access logs from the public website
B. Packet captures from user laptops only
C. Endpoint antivirus quarantine reports only
D. Cloud audit logs for identity, policy, and key-management API calls
Answer: D

Control-plane attacks are best investigated through authoritative audit events that record who changed identity and access configuration.

Why this answer

Option D is correct because cloud audit logs (e.g., AWS CloudTrail, Azure Monitor, GCP Cloud Audit Logs) capture control-plane API calls such as IAM policy changes, access key creation, and authentication events. These logs provide the strongest evidence of identity and access management (IAM) compromise at the control plane, as they directly record who made what change, from which source IP, and with what outcome. In the containment trade-off phase, preserving these logs while disabling compromised keys or applying a deny-all policy balances stopping the attacker with retaining forensic evidence.

Exam trap

CompTIA often tests the distinction between control-plane and data-plane telemetry, and the trap here is that candidates confuse web server logs or endpoint logs with cloud audit logs, failing to recognize that only cloud audit logs capture identity and policy API calls at the control plane.

How to eliminate wrong answers

Option A is wrong because web server access logs from a public website only record HTTP requests to the application layer (e.g., GET/POST to web pages), not IAM policy changes, access key creation, or failed console logons—these are control-plane operations, not data-plane web traffic. Option B is wrong because packet captures from user laptops only show network-layer traffic (e.g., TCP/UDP flows) and cannot capture cloud API calls made to the cloud provider's control plane endpoints (e.g., `iam.amazonaws.com`), which are encrypted over TLS and not visible at the laptop's network interface. Option C is wrong because endpoint antivirus quarantine reports only log malware detections on local endpoints (e.g., file hashes, process names), not cloud-side identity or policy changes; they provide no visibility into cloud control-plane API calls.
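To make the control-plane argument concrete, here is an added example (not part of the question bank) that triages constructed events laid out in CloudTrail's record shape: it separates failed console logons and IAM-changing API calls per source IP, flags a source outside the tenant's usual countries that failed to log on and then changed IAM state, and builds a containment plan that records the audit trail before revoking anything. The `GEO` table, the `BASELINE_COUNTRIES` set, the user ARNs and the access key id are all constructed placeholders.

```python
# Control-plane IAM API calls that change identity or access configuration.
IAM_CHANGE_EVENTS = {
    "CreateAccessKey", "CreateUser", "CreateLoginProfile", "AttachUserPolicy",
    "PutUserPolicy", "AttachRolePolicy", "PutRolePolicy",
    "UpdateAssumeRolePolicy", "DeactivateMFADevice",
}

# Constructed IP-to-country table standing in for a GeoIP lookup (assumption).
GEO = {"203.0.113.9": "XX", "198.51.100.7": "US", "192.0.2.44": "US"}
# Countries the tenant's administrators normally work from (assumption).
BASELINE_COUNTRIES = {"US"}

ALICE = "arn:aws:iam::111122223333:user/alice"   # constructed principal
BOB = "arn:aws:iam::111122223333:user/bob"       # constructed principal


def _ev(time, source, name, actor, ip, **extra):
    """Build one constructed record using CloudTrail's field names."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"arn": actor}, "sourceIPAddress": ip}
    rec.update(extra)
    return rec


# Constructed sample events (not real telemetry): three failed console logons
# from an unfamiliar country, then a success, a new access key and a policy change.
SAMPLE_EVENTS = [
    _ev("2024-05-01T02:10:00Z", "signin.amazonaws.com", "ConsoleLogin", ALICE, "203.0.113.9",
        responseElements={"ConsoleLogin": "Failure"}),
    _ev("2024-05-01T02:10:20Z", "signin.amazonaws.com", "ConsoleLogin", ALICE, "203.0.113.9",
        responseElements={"ConsoleLogin": "Failure"}),
    _ev("2024-05-01T02:10:41Z", "signin.amazonaws.com", "ConsoleLogin", ALICE, "203.0.113.9",
        responseElements={"ConsoleLogin": "Failure"}),
    _ev("2024-05-01T02:11:05Z", "signin.amazonaws.com", "ConsoleLogin", ALICE, "203.0.113.9",
        responseElements={"ConsoleLogin": "Success"}),
    _ev("2024-05-01T02:12:30Z", "iam.amazonaws.com", "CreateAccessKey", ALICE, "203.0.113.9",
        responseElements={"accessKey": {"accessKeyId": "AKIAEXAMPLECONSTRUCT"}}),
    _ev("2024-05-01T02:13:02Z", "iam.amazonaws.com", "AttachUserPolicy", ALICE, "203.0.113.9",
        requestParameters={"policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _ev("2024-05-01T09:00:00Z", "signin.amazonaws.com", "ConsoleLogin", BOB, "198.51.100.7",
        responseElements={"ConsoleLogin": "Success"}),
    _ev("2024-05-01T09:05:00Z", "iam.amazonaws.com", "ListUsers", BOB, "192.0.2.44"),
]


def is_iam_change(event):
    return event["eventSource"] == "iam.amazonaws.com" and event["eventName"] in IAM_CHANGE_EVENTS


def is_failed_console_login(event):
    return (event["eventSource"] == "signin.amazonaws.com"
            and event["eventName"] == "ConsoleLogin"
            and event.get("responseElements", {}).get("ConsoleLogin") == "Failure")


def triage(events, geo=GEO):
    """Summarise control-plane activity per source IP: who, from where, what changed."""
    out = {}
    for e in events:
        ip = e["sourceIPAddress"]
        f = out.setdefault(ip, {"country": geo.get(ip, "unknown"), "failed_logins": 0,
                                "iam_changes": [], "actors": set(), "new_keys": []})
        f["actors"].add(e["userIdentity"]["arn"])
        if is_failed_console_login(e):
            f["failed_logins"] += 1
        if is_iam_change(e):
            f["iam_changes"].append(e["eventName"])
            if e["eventName"] == "CreateAccessKey":
                f["new_keys"].append(e["responseElements"]["accessKey"]["accessKeyId"])
    return out


def suspicious_sources(findings, baseline=BASELINE_COUNTRIES):
    """IPs outside the baseline that failed to log on and then changed IAM state."""
    return sorted(ip for ip, f in findings.items()
                  if f["country"] not in baseline and f["failed_logins"] and f["iam_changes"])


def containment_plan(findings, baseline=BASELINE_COUNTRIES):
    """Ordered actions: lock the audit trail first, then revoke what the intruder created."""
    plan = [("preserve_logs", "snapshot and lock the audit-log trail before any change")]
    for ip in suspicious_sources(findings, baseline):
        for key_id in findings[ip]["new_keys"]:
            plan.append(("deactivate_access_key", key_id))
        for actor in sorted(findings[ip]["actors"]):
            plan.append(("attach_deny_all_policy", actor))
    return plan


if __name__ == "__main__":
    for step in containment_plan(triage(SAMPLE_EVENTS)):
        print(step)
```

The ordering in `containment_plan` is the point of the trade-off: the first step exists only so that the `CreateAccessKey` and `AttachUserPolicy` records survive whatever the responder does next.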

152
Multi-Select · hard

A SOC wants to measure whether alert enrichment is improving operations. Which metrics are useful? (Choose two.)

Select 2 answers
A. Reduction in analyst triage time for enriched alerts
B. Percentage of enriched alerts with asset owner and criticality populated
C. Amount of storage used by desktop screenshots
D. Number of unused browser bookmarks
Answers: A, B

Faster triage indicates operational value.

Why this answer

Option A is correct because a primary goal of alert enrichment is to reduce the time analysts spend investigating alerts. By automatically populating context such as asset owner, criticality, and vulnerability data, enrichment eliminates manual lookup steps, directly lowering mean time to triage (MTTT). This metric quantifies operational efficiency gains from enrichment.

Exam trap

Cisco often tests the distinction between metrics that measure operational improvement (e.g., triage time reduction) versus metrics that measure data completeness (e.g., enrichment field population), and candidates may mistakenly choose a storage-related metric that seems tangentially related to operations but is irrelevant to enrichment effectiveness.

153
MCQ · medium

During incident reconstruction, firewall events appear five minutes earlier than endpoint events for the same connection. What should the analyst check first? In the evidence source phase, which evidence source best supports or refutes the detection?

A. Time synchronization and timezone normalization across log sources
B. Delete one source from the timeline
C. Prioritize only the source with the highest EPS
D. Assume the firewall logs are falsified
Answer: A

Clock drift and timezone parsing commonly distort event order in SIEM timelines.

Why this answer

A five-minute discrepancy between firewall and endpoint logs for the same connection strongly indicates a time synchronization issue. The analyst should first verify NTP configuration and timezone normalization across all log sources to ensure a consistent timeline. Without synchronized clocks, event ordering and correlation are unreliable, which can lead to incorrect conclusions during incident reconstruction.

Exam trap

Cisco often tests the misconception that log volume or event priority should dictate which logs to trust, when in fact time synchronization is the foundational prerequisite for any timeline-based analysis.

How to eliminate wrong answers

Option B is wrong because deleting one source from the timeline discards potentially critical evidence and does not resolve the root cause of the time offset; it merely hides the discrepancy. Option C is wrong because prioritizing the source with the highest events per second (EPS) does not address the time offset; EPS is a measure of logging throughput, not clock accuracy, and this approach would ignore the synchronization issue entirely.
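The normalization step the explanation describes, as an added example (not from the question bank): three constructed records for one connection, each stamped the way a different device stamps time, are parsed with a per-source profile, converted to UTC, and then corrected by the clock skew the analyst measured against the NTP reference. The `RAW_EVENTS` lines and the `SOURCE_PROFILES` table (time format, assumed zone, measured skew) are constructed assumptions; the firewall here logs in UTC with a clock five minutes slow, which is the "five minutes earlier" symptom in the question.

```python
from datetime import datetime, timedelta, timezone

# Constructed records for one connection as seen by three sources (not real logs).
RAW_EVENTS = [
    ("fw1",    "2024-05-01 14:02:10 allow src=10.1.1.5 dst=198.51.100.7 dport=443"),
    ("proxy1", "01/May/2024:10:07:11 -0400 CONNECT 198.51.100.7:443 user=jdoe"),
    ("host7",  "2024-05-01T14:07:12Z connect 198.51.100.7:443 pid=4211"),
]

# What the analyst records after checking each device: how many leading tokens
# make up its timestamp, the strptime format, the zone to assume when the stamp
# carries no offset, and the measured skew (device clock minus NTP reference).
SOURCE_PROFILES = {
    "fw1":    {"ts_tokens": 2, "fmt": "%Y-%m-%d %H:%M:%S", "assume_tz": timezone.utc,
               "skew": timedelta(minutes=-5)},          # constructed: clock 5 min slow
    "proxy1": {"ts_tokens": 2, "fmt": "%d/%b/%Y:%H:%M:%S %z", "assume_tz": None,
               "skew": timedelta(0)},                   # logs local time with offset
    "host7":  {"ts_tokens": 1, "fmt": "%Y-%m-%dT%H:%M:%S%z", "assume_tz": None,
               "skew": timedelta(0)},                   # logs UTC, in sync
}


def parse_event(source, line, profiles=SOURCE_PROFILES):
    """Split the timestamp from the message and express it as an aware UTC datetime."""
    p = profiles[source]
    tokens = line.split(" ", p["ts_tokens"])
    stamp, msg = " ".join(tokens[:p["ts_tokens"]]), tokens[p["ts_tokens"]]
    ts = datetime.strptime(stamp, p["fmt"])
    if ts.tzinfo is None:                 # no offset in the stamp: apply the device's zone
        ts = ts.replace(tzinfo=p["assume_tz"])
    return {"source": source, "raw_time": ts.astimezone(timezone.utc), "msg": msg}


def normalize(event, profiles=SOURCE_PROFILES):
    """Subtract the measured clock skew so the event sits on the reference clock."""
    corrected = dict(event)
    corrected["time"] = event["raw_time"] - profiles[event["source"]]["skew"]
    return corrected


def build_timeline(raw_events, profiles=SOURCE_PROFILES):
    """Parse, normalize and order every record by its corrected UTC time."""
    events = [normalize(parse_event(s, line, profiles), profiles) for s, line in raw_events]
    return sorted(events, key=lambda e: e["time"])


def spread_seconds(events, key):
    """Seconds between the earliest and latest event under the given time key."""
    times = [e[key] for e in events]
    return (max(times) - min(times)).total_seconds()


if __name__ == "__main__":
    timeline = build_timeline(RAW_EVENTS)
    print("spread before skew correction:", spread_seconds(timeline, "raw_time"), "s")
    print("spread after skew correction: ", spread_seconds(timeline, "time"), "s")
    for e in timeline:
        print(e["time"].isoformat(), e["source"], e["msg"])
```

Keeping both `raw_time` and `time` on each event is deliberate: the corrected value drives correlation, while the original stamp stays available so the correction itself is auditable in the case record.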

154
Multi-Select · medium

A security analyst is reviewing a suspicious email attachment. Which three of the following are safe analysis techniques? (Choose three.)

Select 3 answers
A. Open the attachment on a production machine
B. Submit the file to a public online scanner
C. Extract and examine the source code of the attachment
D. Use an automated malware analysis tool
E. Open the attachment in a sandbox environment
Answers: B, D, E

Online scanners like VirusTotal allow safe analysis without exposing your environment.

Why this answer

Option B is correct because submitting a suspicious file to a public online scanner (e.g., VirusTotal) allows the analyst to check the file against multiple antivirus engines and threat intelligence feeds without executing it on a live system. This technique is safe as it avoids direct exposure of the production environment to potential malware while leveraging community-sourced detection data.

Exam trap

Cisco often tests the distinction between 'safe' and 'unsafe' analysis techniques, where candidates mistakenly think examining source code (Option C) is always safe, but it can still trigger execution if the file is opened in an unsecured environment (e.g., enabling macros in Office documents).

155
MCQ · medium

A host alert shows certutil.exe downloading a file from an external URL, followed by execution from a user-writable directory. What should the analyst focus on? In the evidence source phase, which evidence source best supports or refutes the detection?

A. Only check whether antivirus signatures are current
B. Reinstall the browser used by the user
C. Ignore it because certutil is signed by Microsoft
D. Living-off-the-land binary misuse and the downloaded file's hash, origin, and child process
Answer: D

Certutil can be abused to download payloads; file and process context establishes whether execution is malicious.

Why this answer

Option D is correct because certutil.exe is a known living-off-the-land binary (LOLBin) that attackers abuse to download payloads, bypassing application whitelisting. The analyst must focus on the downloaded file's hash (to check reputation), origin URL (to assess maliciousness), and child process (to trace execution), as these provide direct evidence of malicious intent or compromise.

Exam trap

Cisco often tests the misconception that a signed Microsoft binary is inherently safe, but the trap here is that attackers leverage trusted tools (LOLBins) to evade detection, so the focus must be on the binary's misuse and the artifacts it produces, not its signature status.

How to eliminate wrong answers

Option A is wrong because antivirus signatures being current does not address the abuse of a trusted Microsoft binary; attackers use LOLBins specifically to evade signature-based detection. Option B is wrong because reinstalling the browser does not remediate the underlying compromise; the execution from a user-writable directory indicates a potential backdoor or persistence mechanism unrelated to browser integrity. Option C is wrong because certutil being signed by Microsoft is exactly why it is dangerous; attackers exploit its trust to bypass security controls, so ignoring it would miss the attack entirely.

156
MCQ · hard

A SOC wants a SOAR playbook for suspected phishing that reduces analyst workload but avoids destructive action before confirmation. Which actions are appropriate for the first automated phase? In the evidence source phase, which evidence source best supports or refutes the detection?

A. Close all similar alerts as duplicates
B. Disable the reporting user's account immediately
C. Automatically delete all messages from the sender across all mailboxes
D. Enrich URLs, detonate attachments in a sandbox, and collect mailbox search counts
Answer: D

Early automation should gather context and evidence while keeping analysts in control of disruptive actions.

Why this answer

Option D is correct because it aligns with the SOAR playbook's goal of reducing analyst workload through automated enrichment and triage without taking destructive action. Enriching URLs and detonating attachments in a sandbox provides threat intelligence, while collecting mailbox search counts helps quantify the incident's scope. This non-destructive evidence gathering allows analysts to make informed decisions before any containment or remediation steps.

Exam trap

Cisco often tests the distinction between 'investigative' and 'remediative' actions in SOAR playbooks, trapping candidates who confuse automated triage with automated containment or cleanup.

How to eliminate wrong answers

Option A is wrong because closing all similar alerts as duplicates prematurely assumes the detection is a false positive or already handled, which can suppress legitimate threats and bypass proper investigation. Option B is wrong because disabling the reporting user's account immediately is a destructive containment action that should only occur after confirmation of compromise, not in the first automated phase. Option C is wrong because automatically deleting all messages from the sender across all mailboxes is a destructive remediation action that could remove critical forensic evidence and impact legitimate communications if the detection is incorrect.

157
MCQ · medium

A SOC analyst is reviewing logs from a web server and sees the following request: `GET /../../etc/passwd HTTP/1.1`. Which type of web attack is this?

A. SQL injection
B. Cross-site request forgery (CSRF)
C. Directory traversal
D. Cross-site scripting (XSS)
Answer: C

The `../` sequence is used to navigate directories.

Why this answer

The request `GET /../../etc/passwd HTTP/1.1` uses `../` sequences to traverse directories outside the web root, attempting to read the `/etc/passwd` file. This is the classic signature of a directory traversal (path traversal) attack, which exploits insufficient input validation to access unauthorized files on the server.

Exam trap

CompTIA often tests the distinction between directory traversal and file inclusion; the trap here is confusing the '../' path manipulation with SQL injection or XSS because the request looks like a simple GET, but the attack vector is purely about file system access, not database or script injection.

How to eliminate wrong answers

Option A is wrong because SQL injection involves injecting SQL commands into input fields to manipulate a database, not path manipulation in HTTP requests. Option B is wrong because CSRF tricks a user's browser into executing unwanted actions on a trusted site, not directly requesting files via path traversal. Option D is wrong because XSS injects client-side scripts into web pages viewed by others, not server-side file access via directory traversal.
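A detection for this pattern, as an added example (not from the question bank), run over constructed access-log lines: each request target is URL-decoded until it stops changing (so a percent-encoded `../` is seen for what it is), the path and any query-parameter values are walked segment by segment to decide whether they climb above the web root, and hits are reported with the response status so the analyst can tell an attempt that was refused from one the server actually served. The log lines, the `SENSITIVE_FILES` list and the decoding limit are constructed assumptions; a `../` that stays inside the root (for example `/static/../index.html`) is deliberately not flagged.

```python
import re
from urllib.parse import unquote

# Common-log-format fields: client, ident, user, time, request line, status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+)')

# Constructed access-log lines (not real traffic). Percent-encoded and
# double-encoded variants are included so the check is not a literal "../" match.
SAMPLE_LOG = """\
203.0.113.5 - - [01/May/2024:14:02:10 +0000] "GET /../../etc/passwd HTTP/1.1" 404 162
198.51.100.7 - - [01/May/2024:14:02:11 +0000] "GET /images/logo.png HTTP/1.1" 200 8812
203.0.113.5 - - [01/May/2024:14:02:12 +0000] "GET /static/..%2f..%2f..%2fetc%2fshadow HTTP/1.1" 403 0
203.0.113.5 - - [01/May/2024:14:02:13 +0000] "GET /download?file=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1024
192.0.2.44 - - [01/May/2024:14:02:14 +0000] "POST /api/items HTTP/1.1" 201 34
"""

# Files whose appearance in a decoded request target is worth calling out (assumption).
SENSITIVE_FILES = ("etc/passwd", "etc/shadow", "windows/win.ini")


def fully_decode(s, max_rounds=3):
    """URL-decode until the string stops changing, bounded to avoid endless loops."""
    for _ in range(max_rounds):
        d = unquote(s)
        if d == s:
            return s
        s = d
    return s


def escapes_root(path):
    """True if walking the segments ever climbs above the starting directory."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def analyze_request(target):
    """Classify one request target; 'traversal' is set only when the root is escaped."""
    reasons = []
    once = unquote(target)
    decoded = fully_decode(target)
    if decoded != once:
        reasons.append("multi-level URL encoding")
    path, _, query = decoded.partition("?")
    # The path itself plus every query value (a file-name parameter is a common carrier).
    values = [path] + [kv.partition("=")[2] for kv in query.split("&") if kv]
    for v in values:
        if escapes_root(v):
            reasons.append(f"escapes web root: {v}")
    for name in SENSITIVE_FILES:
        if name in decoded.lower():
            reasons.append(f"targets {name}")
    return {"traversal": any(r.startswith("escapes") for r in reasons), "reasons": reasons}


def scan_log(text):
    """Return one hit per traversal request, with status so served vs. refused is visible."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, proto, status, size = m.groups()
        result = analyze_request(target)
        if result["traversal"]:
            hits.append({"ip": ip, "time": ts, "target": target, "status": int(status),
                         "served": int(status) < 400, "reasons": result["reasons"]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["status"], "served" if hit["served"] else "refused", hit["target"], hit["reasons"])
```

The `served` flag is what should drive priority: three hits from the same client is reconnaissance worth noting, but the one that returned 200 is the one that needs the file system checked.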

158
MCQ · medium

A vendor shares indicators marked TLP:AMBER+STRICT. How should the SOC handle them? In the alert triage phase, which action gives the analyst the clearest next triage step?

A. Ignore the indicators because TLP markings are optional
B. Publish the indicators on a public GitHub repository
C. Send the indicators to all customers
D. Use them internally with only people who need to know and avoid wider redistribution
Answer: D

TLP:AMBER+STRICT restricts sharing to the recipient organisation on a need-to-know basis.

Why this answer

Option D is correct because TLP:AMBER+STRICT restricts sharing to individuals within the organization who have a specific need to know, and prohibits any wider redistribution. In the alert triage phase, using the indicators internally ensures the SOC can investigate and respond without violating the information-sharing constraints set by the vendor, which is a mandatory security practice, not optional.

Exam trap

CompTIA often tests the misconception that TLP markings are merely advisory or optional, leading candidates to choose 'ignore' or 'publish' options, when in fact TLP is a mandatory handling framework with strict enforcement requirements.

How to eliminate wrong answers

Option A is wrong because TLP markings are mandatory for handling sensitive threat intelligence; ignoring them would violate security policies and potentially expose the organization to legal or operational risks. Option B is wrong because publishing TLP:AMBER+STRICT indicators on a public GitHub repository directly violates the strict no-redistribution rule and could compromise ongoing investigations or expose the vendor's sources. Option C is wrong because sending the indicators to all customers, even if they are internal, violates the 'need to know' restriction of TLP:AMBER+STRICT, which limits sharing to only those individuals directly involved in the response.

159
MCQ · medium

An analyst wants to capture all traffic to and from a specific IP address for analysis. Which command-line tool is most appropriate?

A. `nmap -sS 10.0.0.1`
B. `netstat -ant | grep 10.0.0.1`
C. `iptables -L -v`
D. `tcpdump host 10.0.0.1`
Answer: D

Captures all packets to/from that host.

Why this answer

Option D is correct because `tcpdump host 10.0.0.1` captures all packets where the source or destination IP address matches 10.0.0.1, making it the ideal tool for capturing all traffic to and from a specific IP for analysis. It operates at the packet level, using libpcap to intercept raw network frames, and the `host` filter instructs it to match both directions of traffic without additional parsing or state tracking.

Exam trap

The trap here is that candidates confuse tools that probe or display state (nmap, netstat, iptables) with tools that capture raw traffic (tcpdump), leading them to select a tool that does not actually capture packets for analysis.

How to eliminate wrong answers

Option A is wrong because `nmap -sS 10.0.0.1` performs a SYN stealth scan against the target IP, which sends crafted packets to probe open ports, not capture existing traffic. Option B is wrong because `netstat -ant | grep 10.0.0.1` displays current network connections and listening ports from the system's socket table, but it does not capture live packets or traffic content; it only shows connection state at a single point in time. Option C is wrong because `iptables -L -v` lists the current firewall rules and their packet/byte counters, but it does not capture or log individual packets for analysis; it only shows aggregate statistics for rules.

160
Multi-Select · medium

An incident response team is analyzing a suspected malware outbreak on a corporate network. Which three of the following actions should be performed as part of the containment phase? (Choose three.)

Select 3 answers
Isolating affected systems from the network by disabling their network interfaces.
Creating a forensic image of the infected systems for later analysis.
Blocking outbound communication from infected hosts at the firewall.
Identifying and patching the vulnerability exploited by the malware.
Implementing network segmentation to prevent lateral movement.
Notifying law enforcement agencies about the incident.

Why this answer

Isolating affected systems from the network by disabling their network interfaces is a core containment action because it immediately stops the malware from communicating with command-and-control (C2) servers or spreading to other hosts. Blocking outbound communication from infected hosts at the firewall prevents data exfiltration and further C2 activity without requiring physical access to each machine. Implementing network segmentation (e.g., VLANs or ACLs) restricts lateral movement by limiting the infected system's ability to reach other subnets, which is critical in containing a worm or ransomware outbreak.

Exam trap

CompTIA often tests the distinction between containment actions (immediate isolation) and eradication actions (patching, imaging), so candidates mistakenly select 'creating a forensic image' or 'patching the vulnerability' as containment steps when they actually belong to later phases of the incident response process.

161
MCQ · medium

A user receives repeated MFA prompts and eventually approves one they did not initiate. Which behaviour should the analyst classify this as? In the root-cause analysis phase, which finding would most directly explain the activity?

A. Password spraying only
B. DNS tunnelling
C. MFA fatigue or push-bombing attack
D. SSL certificate expiry
Answer: C

Repeated unsolicited prompts that lead to approval are characteristic of MFA fatigue attacks.

Why this answer

Option C is correct because the scenario describes MFA fatigue (also called push-bombing), where an attacker repeatedly sends MFA push notifications to a user until the user, annoyed or confused, approves one. This exploits human behavior rather than a technical vulnerability, and is a common initial access vector in credential-stuffing or password-spraying campaigns. The root-cause analysis would directly identify the repeated unsolicited MFA prompts as the mechanism that led to unauthorized approval.

Exam trap

Cisco often tests the distinction between a technical attack (like password spraying) and a social-engineering variant (MFA fatigue), trapping candidates who focus only on the credential aspect and ignore the repeated-prompt behavior described in the question.

How to eliminate wrong answers

Option A is wrong because password spraying only involves trying a few common passwords against many accounts; it does not explain the repeated MFA prompts or the user's eventual approval. Option B is wrong because DNS tunnelling is a data exfiltration or command-and-control technique that encodes data in DNS queries, unrelated to MFA prompt bombardment or user approval behavior.
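The repeated-prompt behaviour the explanation keys on is easy to turn into a detection; the following is an added example (not from the question bank) over constructed identity-provider push events. It keeps a sliding window of push prompts per user, and when an approval arrives after at least `THRESHOLD` prompts inside `WINDOW` it emits a finding with the count of unsolicited (denied or timed-out) prompts and whether the approved request came from a source the user has not authenticated from before. The event list, the `KNOWN_SOURCES` table, the window and the threshold are all constructed assumptions to be tuned against real volumes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumption: how long a burst of prompts is considered one episode
THRESHOLD = 5                    # assumption: prompts in the window before an approval is suspect

# Source IPs each user has previously completed MFA from (constructed baseline).
KNOWN_SOURCES = {"jdoe": {"198.51.100.7"}, "asmith": {"192.0.2.44"}}

# Constructed push-notification events: (user, UTC time, outcome, requesting IP).
# jdoe receives six prompts they did not initiate and then approves the seventh;
# asmith shows ordinary single prompts, including one honest denial.
SAMPLE_PUSH_EVENTS = [
    ("jdoe",   "2024-05-01T22:14:05Z", "denied",   "203.0.113.9"),
    ("jdoe",   "2024-05-01T22:14:40Z", "timeout",  "203.0.113.9"),
    ("jdoe",   "2024-05-01T22:15:20Z", "denied",   "203.0.113.9"),
    ("jdoe",   "2024-05-01T22:16:02Z", "timeout",  "203.0.113.9"),
    ("jdoe",   "2024-05-01T22:16:55Z", "denied",   "203.0.113.9"),
    ("jdoe",   "2024-05-01T22:18:10Z", "timeout",  "203.0.113.9"),
    ("jdoe",   "2024-05-01T22:19:10Z", "approved", "203.0.113.9"),
    ("asmith", "2024-05-01T09:00:00Z", "approved", "192.0.2.44"),
    ("asmith", "2024-05-01T13:30:00Z", "denied",   "192.0.2.44"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S%z")


def detect_push_bombing(events, window=WINDOW, threshold=THRESHOLD, known=KNOWN_SOURCES):
    """Flag approvals that follow a burst of push prompts within the window."""
    recent = defaultdict(deque)          # per-user prompts still inside the window
    findings = []
    for user, ts, outcome, ip in sorted(events, key=lambda e: parse_ts(e[1])):
        t = parse_ts(ts)
        q = recent[user]
        q.append((t, outcome, ip))
        while q and t - q[0][0] > window:  # drop prompts older than the window
            q.popleft()
        if outcome == "approved" and len(q) >= threshold:
            unsolicited = sum(1 for _, o, _ in q if o != "approved")
            findings.append({
                "user": user,
                "prompts_in_window": len(q),
                "unsolicited": unsolicited,
                "approved_from": ip,
                "new_source": ip not in known.get(user, set()),
                "window_start": q[0][0].isoformat(),
                "approved_at": t.isoformat(),
            })
    return findings


if __name__ == "__main__":
    for f in detect_push_bombing(SAMPLE_PUSH_EVENTS):
        print(f)
```

The `unsolicited` count is what separates this from a user fumbling their own login: a legitimate user generates one prompt per attempt, whereas a burst of denials and timeouts followed by an approval from a source the user has never used is the root-cause finding the question asks for.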

162
MCQ · medium

A vendor shares indicators marked TLP:AMBER+STRICT. How should the SOC handle them? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

A. Use them internally with only people who need to know and avoid wider redistribution
B. Send the indicators to all customers
C. Publish the indicators on a public GitHub repository
D. Ignore the indicators because TLP markings are optional
Answer: A

TLP:AMBER+STRICT restricts sharing to the recipient organisation on a need-to-know basis.

Why this answer

Option A is correct because TLP:AMBER+STRICT restricts sharing to individuals within the organization who have a specific need to know, and explicitly prohibits redistribution beyond that group. In detection engineering, using these indicators to create tuned detection rules (e.g., SIEM correlation logic) reduces false positives by focusing on verified threat data while preserving the signal by not over-broadening the rule scope.

Exam trap

The trap here is that candidates may think TLP:AMBER+STRICT allows sharing with all internal staff or partners, but the '+STRICT' modifier explicitly restricts distribution to only those with a direct need to know within the same organization.

How to eliminate wrong answers

Option B is wrong because TLP:AMBER+STRICT forbids sharing with all customers; it is limited to internal personnel with a need to know. Option C is wrong because publishing on a public GitHub repository violates the TLP:AMBER+STRICT restriction and could expose sensitive threat intelligence to adversaries. Option D is wrong because TLP markings are mandatory for handling classified threat intelligence; ignoring them would breach trust and potentially violate data-sharing agreements.
