Question 1
An incident response team receives an alert to start an investigation of an internet outage. The
outage is preventing all users in multiple locations from accessing external SaaS resources. The team
determines the organization was impacted by a DDoS attack. Which of the following logs should the
team review first?
- A. CDN
- B. Vulnerability scanner
- C. DNS
- D. Web server
Answer:
C
Explanation:
A distributed denial-of-service (DDoS) attack is a type of cyberattack that aims to overwhelm a
target’s network or server with a large volume of traffic from multiple sources. A common technique
for launching a DDoS attack is to compromise DNS servers, which are responsible for resolving
domain names into IP addresses. By flooding DNS servers with malicious requests, attackers can
disrupt the normal functioning of the internet and prevent users from accessing external SaaS
resources. Official Reference: https://www.eccouncil.org/cybersecurity-exchange/threat-
intelligence/cyber-kill-chain-seven-steps-cyberattack/
Comments
Question 2
A malicious actor has gained access to an internal network by means of social engineering. The actor
does not want to lose access in order to continue the attack. Which of the following best describes
the current stage of the Cyber Kill Chain that the threat actor is currently operating in?
- A. Weaponization
- B. Reconnaissance
- C. Delivery
- D. Exploitation
Answer:
D
Explanation:
The Cyber Kill Chain is a framework that describes the stages of a cyberattack from reconnaissance to
actions on objectives. The exploitation stage is where attackers take advantage of the vulnerabilities
they have discovered in previous stages to further infiltrate a target’s network and achieve their
objectives. In this case, the malicious actor has gained access to an internal network by means of
social engineering and does not want to lose access in order to continue the attack. This indicates
that the actor is in the exploitation stage of the Cyber Kill Chain. Official Reference:
https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
Comments
Question 3
An analyst finds that an IP address outside of the company network that is being used to run network
and vulnerability scans across external-facing assets. Which of the following steps of an attack
framework is the analyst witnessing?
- A. Exploitation
- B. Reconnaissance
- C. Command and control
- D. Actions on objectives
Answer:
B
Explanation:
Reconnaissance is the first stage in the Cyber Kill Chain and involves researching potential targets
before carrying out any penetration testing. The reconnaissance stage may include identifying
potential targets, finding their vulnerabilities, discovering which third parties are connected to them
(and what data they can access), and exploring existing entry points as well as finding new ones.
Reconnaissance can take place both online and offline. In this case, an analyst finds that an IP
address outside of the company network is being used to run network and vulnerability scans across
external-facing assets. This indicates that the analyst is witnessing reconnaissance activity by an
attacker. Official Reference: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
Comments
Question 4
An incident response analyst notices multiple emails traversing the network that target only the
administrators of the company. The email contains a concealed URL that leads to an unknown
website in another country. Which of the following best describes what is happening? (Choose two.)
- A. Beaconinq
- B. Domain Name System hijacking
- C. Social engineering attack
- D. On-path attack
- E. Obfuscated links
- F. Address Resolution Protocol poisoning
Answer:
C,E
Explanation:
A social engineering attack is a type of cyberattack that relies on manipulating human psychology
rather than exploiting technical vulnerabilities. A social engineering attack may involve deceiving,
persuading, or coercing users into performing actions that benefit the attacker, such as clicking on
malicious links, divulging sensitive information, or granting access to restricted resources. An
obfuscated link is a link that has been disguised or altered to hide its true destination or purpose.
Obfuscated links are often used by attackers to trick users into visiting malicious websites or
downloading malware. In this case, an incident response analyst notices multiple emails traversing
the network that target only the administrators of the company. The email contains a concealed URL
that leads to an unknown website in another country. This indicates that the analyst is witnessing a
social engineering attack using obfuscated links.
Comments
Question 5
During security scanning, a security analyst regularly finds the same vulnerabilities in a critical
application. Which of the following recommendations would best mitigate this problem if applied
along the SDLC phase?
- A. Conduct regular red team exercises over the application in production
- B. Ensure that all implemented coding libraries are regularly checked
- C. Use application security scanning as part of the pipeline for the CI/CDflow
- D. Implement proper input validation for any data entry form
Answer:
C
Explanation:
Application security scanning is a process that involves testing and analyzing applications for security
vulnerabilities, such as injection flaws, broken authentication, cross-site scripting, and insecure
configuration. Application security scanning can help identify and fix security issues before they
become exploitable by attackers. Using application security scanning as part of the pipeline for the
continuous integration/continuous delivery (CI/CD) flow can help mitigate the problem of finding the
same vulnerabilities in a critical application during security scanning. This is because application
security scanning can be integrated into the development lifecycle and performed automatically and
frequently as part of the CI/CD process.
Comments
Question 6
An analyst is reviewing a vulnerability report and must make recommendations to the executive
team. The analyst finds that most systems can be upgraded with a reboot resulting in a single
downtime window. However, two of the critical systems cannot be upgraded due to a vendor
appliance that the company does not have access to. Which of the following inhibitors to
remediation do these systems and associated vulnerabilities best represent?
- A. Proprietary systems
- B. Legacy systems
- C. Unsupported operating systems
- D. Lack of maintenance windows
Answer:
A
Explanation:
Proprietary systems are systems that are owned and controlled by a specific vendor or manufacturer,
and that use proprietary standards or protocols that are not compatible with other systems.
Proprietary systems can pose a challenge for vulnerability management, as they may not allow users
to access or modify their configuration, update their software, or patch their vulnerabilities. In this
case, two of the critical systems cannot be upgraded due to a vendor appliance that the company
does not have access to. This indicates that these systems and associated vulnerabilities are
examples of proprietary systems as inhibitors to remediation
Comments
Question 7
The security team reviews a web server for XSS and runs the following Nmap scan:
Which of the following most accurately describes the result of the scan?
- A. An output of characters > and " as the parameters used m the attempt
- B. The vulnerable parameter ID hccp://l72.31.15.2/1.php?id-2 and unfiltered characters returned
- C. The vulnerable parameter and unfiltered or encoded characters passed > and " as unsafe
- D. The vulnerable parameter and characters > and " with a reflected XSS attempt
Answer:
D
Explanation:
A cross-site scripting (XSS) attack is a type of web application attack that injects malicious code into a
web page that is then executed by the browser of a victim user. A reflected XSS attack is a type of XSS
attack where the malicious code is embedded in a URL or a form parameter that is sent to the web
server and then reflected back to the user’s browser. In this case, the Nmap scan shows that the web
server is vulnerable to a reflected XSS attack, as it returns the characters > and " without any filtering
or encoding. The vulnerable parameter is id in the URL http://172.31.15.2/1.php?id=2.
Comments
Question 8
Which of the following is the best action to take after the conclusion of a security incident to improve
incident response in the future?
- A. Develop a call tree to inform impacted users
- B. Schedule a review with all teams to discuss what occurred
- C. Create an executive summary to update company leadership
- D. Review regulatory compliance with public relations for official notification
Answer:
B
Explanation:
One of the best actions to take after the conclusion of a security incident to improve incident
response in the future is to schedule a review with all teams to discuss what occurred, what went
well, what went wrong, and what can be improved. This review is also known as a lessons learned
session or an after-action report. The purpose of this review is to identify the root causes of the
incident, evaluate the effectiveness of the incident response process, document any gaps or
weaknesses in the security controls, and recommend corrective actions or preventive measures for
future incidents. Official Reference: https://www.eccouncil.org/cybersecurity-exchange/threat-
intelligence/cyber-kill-chain-seven-steps-cyberattack/
Comments
Question 9
A security analyst received a malicious binary file to analyze. Which of the following is the best
technique to perform the analysis?
- A. Code analysis
- B. Static analysis
- C. Reverse engineering
- D. Fuzzing
Answer:
C
Explanation:
Reverse engineering is a technique that involves analyzing a binary file to understand its structure,
functionality, and behavior. Reverse engineering can help security analysts perform malware
analysis, vulnerability research, exploit development, and software debugging. Reverse engineering
can be done using various tools, such as disassemblers, debuggers, decompilers, and hex editors.
Comments
Question 10
An incident response team found IoCs in a critical server. The team needs to isolate and collect
technical evidence for further investigation. Which of the following pieces of data should be
collected first in order to preserve sensitive information before isolating the server?
- A. Hard disk
- B. Primary boot partition
- C. Malicious tiles
- D. Routing table
- E. Static IP address
Answer:
A
Explanation:
The hard disk is the piece of data that should be collected first in order to preserve sensitive
information before isolating the server. The hard disk contains all the files and data stored on the
server, which may include evidence of malicious activity, such as malware installation, data
exfiltration, or configuration changes. The hard disk should be collected using proper forensic
techniques, such as creating an image or a copy of the disk and maintaining its integrity using
hashing algorithms.
Comments
Page 1 out of 42
Viewing questions 1-10 out of 428
page 2