200-201: Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) Part 2
Question #: 61
Topic #: 1
An engineer receives a security alert that traffic with a known TOR exit node has occurred on the network.
What is the impact of this traffic?
A. ransomware communicating after infection
B. users downloading copyrighted content
C. data exfiltration
D. user circumvention of the firewall
Selected Answer: D
Question #: 62
Topic #: 1
What is an example of social engineering attacks?
A. receiving an unexpected email from an unknown person with an attachment from someone in the same company
B. receiving an email from human resources requesting a visit to their secure website to update contact information
C. sending a verbal request to an administrator who knows how to change an account password
D. receiving an invitation to the department’s weekly WebEx meeting
Selected Answer: B
Question #: 63
Topic #: 1
Refer to the exhibit. What is occurring in this network?
A. ARP cache poisoning
B. DNS cache poisoning
C. MAC address table overflow
D. MAC flooding attack
Selected Answer: A
Question #: 64
Topic #: 1
Which data format is the most efficient to build a baseline of traffic seen over an extended period of time?
A. syslog messages
B. full packet capture
C. NetFlow
D. firewall event logs
Selected Answer: C
Question #: 65
Topic #: 1
Which action prevents buffer overflow attacks?
A. variable randomization
B. using web based applications
C. input validation
D. using a Linux operating system
Selected Answer: C
Question #: 66
Topic #: 1
Which type of attack occurs when an attacker is successful in eavesdropping on a conversation between two IP phones?
A. known-plaintext
B. replay
C. dictionary
D. man-in-the-middle
Selected Answer: A
Question #: 67
Topic #: 1
Refer to the exhibit. What should be interpreted from this packet capture?
A. 81.179.179.69 is sending a packet from port 80 to port 50272 of IP address 192.168.122.100 using UDP protocol.
B. 192.168.122.100 is sending a packet from port 50272 to port 80 of IP address 81.179.179.69 using TCP protocol.
C. 192.168.122.100 is sending a packet from port 80 to port 50272 of IP address 81.179.179.69 using UDP protocol.
D. 81.179.179.69 is sending a packet from port 50272 to port 80 of IP address 192.168.122.100 using TCP protocol.
Selected Answer: B
Question #: 68
Topic #: 1
What are two characteristics of full packet captures? (Choose two.)
A. Identifying network loops and collision domains.
B. Troubleshooting the cause of security and performance issues.
C. Reassembling fragmented traffic from raw data.
D. Detecting common hardware faults and identify faulty assets.
E. Providing a historical record of a network transaction.
Selected Answer: BE
Question #: 69
Topic #: 1
Refer to the exhibit. An engineer is analyzing this Cuckoo Sandbox report for a PDF file that has been downloaded from an email. What is the state of this file?
A. The file has an embedded executable and was matched by PEiD threat signatures for further analysis.
B. The file has an embedded non-Windows executable but no suspicious features are identified.
C. The file has an embedded Windows 32 executable and the Yara field lists suspicious features for further analysis.
D. The file was matched by PEiD threat signatures but no suspicious features are identified since the signature list is up to date.
Selected Answer: C
Question #: 70
Topic #: 1
DRAG DROP –
Drag and drop the technology on the left onto the data type the technology provides on the right.
Select and Place:
Suggestion Answer:
Question #: 71
Topic #: 1
Refer to the exhibit. What is occurring in this network traffic?
A. High rate of SYN packets being sent from multiple source IPs towards a single destination IP.
B. High rate of ACK packets being sent from a single source IP towards multiple destination IPs.
C. Flood of ACK packets coming from a single source IP to multiple destination IPs.
D. Flood of SYN packets coming from a single source IP to a single destination IP.
Selected Answer: D
Question #: 72
Topic #: 1
An engineer needs to have visibility on TCP bandwidth usage, response time, and latency, combined with deep packet inspection to identify unknown software by its network traffic flow. Which two features of Cisco Application Visibility and Control should the engineer use to accomplish this goal? (Choose two.)
A. management and reporting
B. traffic filtering
C. adaptive AVC
D. metrics collection and exporting
E. application recognition
Selected Answer: DE
Question #: 73
Topic #: 1
Which security technology guarantees the integrity and authenticity of all messages transferred to and from a web application?
A. Hypertext Transfer Protocol
B. SSL Certificate
C. Tunneling
D. VPN
Selected Answer: B
Question #: 74
Topic #: 1
An engineer is investigating a case of the unauthorized usage of the `Tcpdump` tool. The analysis revealed that a malicious insider attempted to sniff traffic on a specific interface. What type of information did the malicious insider attempt to obtain?
A. tagged protocols being used on the network
B. all firewall alerts and resulting mitigations
C. tagged ports being used on the network
D. all information and data within the datagram
Selected Answer: D
Question #: 75
Topic #: 1
At a company party a guest asks questions about the company’s user account format and password complexity. How is this type of conversation classified?
A. Phishing attack
B. Password Revelation Strategy
C. Piggybacking
D. Social Engineering
Selected Answer: D
Question #: 76
Topic #: 1
Which security monitoring data type requires the largest storage space?
A. transaction data
B. statistical data
C. session data
D. full packet capture
Selected Answer: D
Question #: 77
Topic #: 1
What are two denial of service attacks? (Choose two.)
A. MITM
B. TCP connections
C. ping of death
D. UDP flooding
E. code red
Selected Answer: CD
Question #: 78
Topic #: 1
An engineer needs to discover alive hosts within the 192.168.1.0/24 range without triggering intrusive portscan alerts on the IDS device using Nmap. Which command will accomplish this goal?
A. nmap --top-ports 192.168.1.0/24
B. nmap -sP 192.168.1.0/24
C. nmap -sL 192.168.1.0/24
D. nmap -sV 192.168.1.0/24
Selected Answer: B
Question #: 79
Topic #: 1
Which open-source packet capture tool is used on Linux and Mac OS X operating systems?
A. NetScout
B. tcpdump
C. SolarWinds
D. netsh
Selected Answer: B
Question #: 80
Topic #: 1
Refer to the exhibit. Which kind of attack method is depicted in this string?
A. cross-site scripting
B. man-in-the-middle
C. SQL injection
D. denial of service
Selected Answer: A
Question #: 81
Topic #: 1
Which two components reduce the attack surface on an endpoint? (Choose two.)
A. secure boot
B. load balancing
C. increased audit log levels
D. restricting USB ports
E. full packet captures at the endpoint
Selected Answer: AD
Question #: 82
Topic #: 1
What is an attack surface as compared to a vulnerability?
A. any potential danger to an asset
B. the sum of all paths for data into and out of the environment
C. an exploitable weakness in a system or its design
D. the individuals who perform an attack
Selected Answer: B
Question #: 83
Topic #: 1
An intruder attempted malicious activity and exchanged emails with a user and received corporate information, including email distribution lists. The intruder asked the user to engage with a link in an email. When the link launched, it infected machines and the intruder was able to access the corporate network.
Which testing method did the intruder use?
A. social engineering
B. eavesdropping
C. piggybacking
D. tailgating
Selected Answer: A
Question #: 84
Topic #: 1
What are two social engineering techniques? (Choose two.)
A. privilege escalation
B. DDoS attack
C. phishing
D. man-in-the-middle
E. pharming
Selected Answer: CE
Question #: 85
Topic #: 1
Refer to the exhibit. What does the output indicate about the server with the IP address 172.18.104.139?
A. open ports of a web server
B. open port of an FTP server
C. open ports of an email server
D. running processes of the server
Selected Answer: A
Question #: 86
Topic #: 1
What does the Zero Trust security model signify?
A. Zero Trust security means that no one is trusted by default from inside or outside the network.
B. Zero Trust addresses access control and states that an individual should have only the minimum access privileges necessary to perform specific tasks.
C. Zero Trust states that no users should be given enough privileges to misuse the system on their own.
D. Zero Trust states that unless a subject is given explicit access to an object, it should be denied access to that object.
Selected Answer: A
Question #: 87
Topic #: 1
An engineer needs to configure network systems to detect command and control communications by decrypting ingress and egress perimeter traffic and allowing network security devices to detect malicious outbound communications. Which technology should be used to accomplish the task?
A. static IP addresses
B. cipher suite
C. digital certificates
D. signatures
Selected Answer: B
Question #: 88
Topic #: 1
What is indicated by an increase in IPv4 traffic carrying protocol 41?
A. deployment of a GRE network on top of an existing Layer 3 network
B. attempts to tunnel IPv6 traffic through an IPv4 network
C. unauthorized peer-to-peer traffic
D. additional PPTP traffic due to Windows clients
Selected Answer: B
Question #: 89
Topic #: 1
When an event is investigated, which type of data provides the investigative capability to determine if data exfiltration has occurred?
A. firewall logs
B. full packet capture
C. session data
D. NetFlow data
Selected Answer: B
Question #: 90
Topic #: 1
Which attack represents the evasion technique of resource exhaustion?
A. SQL injection
B. bluesnarfing
C. denial-of-service
D. man-in-the-middle
Selected Answer: C
Question #: 91
Topic #: 1
Refer to the exhibit. Which event is occurring?
A. A binary named “submit” is running on VM cuckoo1.
B. A binary is being submitted to run on VM cuckoo1
C. A binary on VM cuckoo1 is being submitted for evaluation
D. A URL is being evaluated to see if it has a malicious binary
Selected Answer: B
Question #: 92
Topic #: 1
Refer to the exhibit. In which Linux log file is this output found?
A. /var/log/authorization.log
B. /var/log/dmesg
C. var/log/var.log
D. /var/log/auth.log
Selected Answer: D
Question #: 93
Topic #: 1
An engineer runs a suspicious file in a sandbox analysis tool to see the outcome. The analysis report shows that outbound callouts were made post infection.
Which two pieces of information from the analysis report are needed to investigate the callouts? (Choose two.)
A. signatures
B. host IP addresses
C. file size
D. dropped files
E. domain names
Selected Answer: BE
Question #: 94
Topic #: 1
An analyst is exploring the functionality of different operating systems.
What is a feature of Windows Management Instrumentation that must be considered when deciding on an operating system?
A. queries Linux devices that have Microsoft Services for Linux installed
B. deploys Windows Operating Systems in an automated fashion
C. is an efficient tool for working with Active Directory
D. has a Common Information Model, which describes installed hardware and software
Selected Answer: D
Question #: 95
Topic #: 1
What causes events on a Windows system to show Event Code 4625 in the log messages?
A. The system detected an XSS attack
B. Someone is trying a brute force attack on the network
C. Another device is gaining root access to the system
D. A privileged user successfully logged into the system
Selected Answer: B
Question #: 96
Topic #: 1
Refer to the exhibit. What does the message indicate?
A. an access attempt was made from the Mosaic web browser
B. a successful access attempt was made to retrieve the password file
C. a successful access attempt was made to retrieve the root of the website
D. a denied access attempt was made to retrieve the password file
Selected Answer: C
Question #: 97
Topic #: 1
Refer to the exhibit. This request was sent to a web application server driven by a database.
Which type of web server attack is represented?
A. parameter manipulation
B. heap memory corruption
C. command injection
D. blind SQL injection
Selected Answer: D
Question #: 98
Topic #: 1
A SOC analyst is investigating an incident that involves a Linux system that is identifying specific sessions.
Which identifier tracks an active program?
A. application identification number
B. active process identification number
C. runtime identification number
D. process identification number
Selected Answer: D
Question #: 99
Topic #: 1
An offline audit log contains the source IP address of a session suspected to have exploited a vulnerability resulting in system compromise.
Which kind of evidence is this IP address?
A. best evidence
B. corroborative evidence
C. indirect evidence
D. forensic evidence
Selected Answer: B
Question #: 100
Topic #: 1
Which system monitors local system operation and local network access for violations of a security policy?
A. host-based intrusion detection
B. systems-based sandboxing
C. host-based firewall
D. antivirus
Selected Answer: A
Question #: 101
Topic #: 1
An analyst received an alert on their desktop computer showing that an attack was successful on the host. After investigating, the analyst discovered that no mitigation action occurred during the attack. What is the reason for this discrepancy?
A. The computer has a HIPS installed on it.
B. The computer has a NIPS installed on it.
C. The computer has a HIDS installed on it.
D. The computer has a NIDS installed on it.
Selected Answer: C
Question #: 102
Topic #: 1
Refer to the exhibit. What is the potential threat identified in this Stealthwatch dashboard?
A. A policy violation is active for host 10.10.101.24.
B. A host on the network is sending a DDoS attack to another inside host.
C. There are three active data exfiltration alerts.
D. A policy violation is active for host 10.201.3.149.
Selected Answer: C
Question #: 103
Topic #: 1
What is a difference between tampered and untampered disk images?
A. Tampered images have the same stored and computed hash.
B. Untampered images are deliberately altered to preserve as evidence.
C. Tampered images are used as evidence.
D. Untampered images are used for forensic investigations.
Selected Answer: D
Question #: 104
Topic #: 1
What is a sandbox interprocess communication service?
A. A collection of rules within the sandbox that prevent the communication between sandboxes.
B. A collection of network services that are activated on an interface, allowing for inter-port communication.
C. A collection of interfaces that allow for coordination of activities among processes.
D. A collection of host services that allow for communication between sandboxes.
Selected Answer: C
Question #: 105
Topic #: 1
An analyst is investigating a host in the network that appears to be communicating to a command and control server on the Internet. After collecting this packet capture, the analyst cannot determine the technique and payload used for the communication.
Which obfuscation technique is the attacker using?
A. Base64 encoding
B. transport layer security encryption
C. SHA-256 hashing
D. ROT13 encryption
Selected Answer: B
Question #: 106
Topic #: 1
During which phase of the forensic process is data that is related to a specific event labeled and recorded to preserve its integrity?
A. examination
B. investigation
C. collection
D. reporting
Selected Answer: C
Question #: 107
Topic #: 1
Which step in the incident response process researches an attacking host through logs in a SIEM?
A. detection and analysis
B. preparation
C. eradication
D. containment
Selected Answer: A
Question #: 108
Topic #: 1
A malicious file has been identified in a sandbox analysis tool.
Which piece of information is needed to search for additional downloads of this file by other hosts?
A. file type
B. file size
C. file name
D. file hash value
Selected Answer: D
Question #: 109
Topic #: 1
Refer to the exhibit. What is the potential threat identified in this Stealthwatch dashboard?
A. Host 10.201.3.149 is sending data to 152.46.6.91 using TCP/443.
B. Host 152.46.6.91 is being identified as a watchlist country for data transfer.
C. Traffic to 152.46.6.149 is being denied by an Advanced Network Control policy.
D. Host 10.201.3.149 is receiving almost 19 times more data than is being sent to host 152.46.6.91.
Selected Answer: D
Question #: 110
Topic #: 1
Refer to the exhibit. What is the potential threat identified in this Stealthwatch dashboard?
A. A policy violation is active for host 10.10.101.24.
B. A host on the network is sending a DDoS attack to another inside host.
C. There are two active data exfiltration alerts.
D. A policy violation is active for host 10.201.3.149.
Selected Answer: C
Question #: 111
Topic #: 1
Which security technology allows only a set of pre-approved applications to run on a system?
A. application-level blacklisting
B. host-based IPS
C. application-level whitelisting
D. antivirus
Selected Answer: C
Question #: 112
Topic #: 1
An investigator is examining a copy of an ISO file that is stored in CDFS format.
What type of evidence is this file?
A. data from a CD copied using Mac-based system
B. data from a CD copied using Linux system
C. data from a DVD copied using Windows system
D. data from a CD copied using Windows
Selected Answer: B
Question #: 113
Topic #: 1
Which piece of information is needed for attribution in an investigation?
A. proxy logs showing the source RFC 1918 IP addresses
B. RDP allowed from the Internet
C. known threat actor behavior
D. 802.1x RADIUS authentication pass and fail logs
Selected Answer: C
Question #: 114
Topic #: 1
What does cyber attribution identify in an investigation?
A. cause of an attack
B. exploit of an attack
C. vulnerabilities exploited
D. threat actors of an attack
Selected Answer: D
Question #: 115
Topic #: 1
A security engineer has a video of a suspect entering a data center that was captured on the same day that files in the same data center were transferred to a competitor.
Which type of evidence is this?
A. best evidence
B. prima facie evidence
C. indirect evidence
D. physical evidence
Selected Answer: C
Question #: 116
Topic #: 1
DRAG DROP –
Drag and drop the type of evidence from the left onto the description of that evidence on the right.
Select and Place:
Suggestion Answer:
Question #: 117
Topic #: 1
Refer to the exhibit. An analyst received this alert from the Cisco ASA device, and numerous activity logs were produced. How should this type of evidence be categorized?
A. indirect
B. circumstantial
C. corroborative
D. best
Selected Answer: D
Question #: 118
Topic #: 1
Refer to the exhibit. Which piece of information is needed to search for additional downloads of this file by other hosts?
A. file header type
B. file size
C. file name
D. file hash value
Selected Answer: D
Question #: 119
Topic #: 1
An organization’s security team has detected network spikes coming from the internal network. An investigation has concluded that the spike in traffic was from intensive network scanning. How should the analyst collect the traffic to isolate the suspicious host?
A. based on the most used applications
B. by most active source IP
C. by most used ports
D. based on the protocols used
Selected Answer: B
Question #: 120
Topic #: 1
Which technology on a host is used to isolate a running application from other applications?
A. application allow list
B. application block list
C. host-based firewall
D. sandbox
Selected Answer: D