200-201: Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) Part 4
Question #: 181
Topic #: 1
An engineer discovered a breach, identified the threat’s entry point, and removed access. The engineer was able to identify the host, the IP address of the threat actor, and the application the threat actor targeted. What is the next step the engineer should take according to the NIST SP 800-61 Incident handling guide?
A. Recover from the threat.
B. Analyze the threat.
C. Identify lessons learned from the threat.
D. Reduce the probability of similar threats.
Selected Answer: A
Question #: 182
Topic #: 1
DRAG DROP –
Drag and drop the definition from the left onto the phase on the right to classify intrusion events according to the Cyber Kill Chain model.
Question #: 183
Topic #: 1
A user received an email attachment named `Hr402-report3662-empl621.exe` but did not run it. Which category of the cyber kill chain should be assigned to this type of event?
A. delivery
B. reconnaissance
C. weaponization
D. installation
Selected Answer: A
Question #: 184
Topic #: 1
An analyst received a ticket regarding a degraded processing capability for one of the HR department’s servers. On the same day an engineer noticed a disabled antivirus software and was not able to determine when or why it occurred. According to the NIST Incident Handling Guide, what is the next phase of this investigation?
A. Analysis
B. Eradication
C. Detection
D. Recovery
Selected Answer: A
Question #: 185
Topic #: 1
The SOC team has confirmed a potential indicator of compromise on an endpoint. The team has narrowed the executable file’s type to a new trojan family.
According to the NIST Computer Security Incident Handling Guide, what is the next step in handling this event?
A. Perform forensics analysis on the infected endpoint
B. Isolate the infected endpoint from the network
C. Prioritize incident handling based on the impact
D. Collect public information on the malware behavior
Selected Answer: B
Question #: 186
Topic #: 1
What is an incident response plan?
A. an organizational approach to events that could lead to asset loss or disruption of operations
B. an organizational approach to security management to ensure a service lifecycle and continuous improvements
C. an organizational approach to disaster recovery and timely restoration of operational services
D. an organizational approach to system backup and data archiving aligned to regulations
Selected Answer: A
Question #: 187
Topic #: 1
What are two categories of DDoS attacks? (Choose two.)
A. direct
B. reflected
C. split brain
D. scanning
E. phishing
Selected Answer: AB
Question #: 188
Topic #: 1
What is the impact of encryption?
A. Data is unaltered and its integrity is preserved.
B. Data is accessible and available to permitted individuals.
C. Confidentiality of the data is kept secure and permissions are validated.
D. Data is secure and unreadable without decrypting it.
Selected Answer: D
Question #: 189
Topic #: 1
Refer to the exhibit. What must be interpreted from this packet capture?
A. IP address 192.168.88.12 is communicating with 192.168.88.149 with a source port 49098 to destination port 80 using TCP protocol.
B. IP address 192.168.88.149 is communicating with 192.168.88.12 with a source port 49098 to destination port 80 using TCP protocol.
C. IP address 192.168.88.149 is communicating with 192.168.88.12 with a source port 80 to destination port 49098 using TCP protocol.
D. IP address 192.168.88.12 is communicating with 192.168.88.149 with a source port 74 to destination port 49098 using TCP protocol.
Selected Answer: A
Question #: 190
Topic #: 1
Refer to the exhibit. A company employee is connecting to mail.google.com from an endpoint device. The website is loaded but with an error. What is occurring?
A. man-in-the-middle attack
B. Certificate is not in trusted roots.
C. DNS hijacking attack.
D. Endpoint local time is invalid.
Selected Answer: B
Question #: 191
Topic #: 1
What is the difference between deep packet inspection and stateful inspection?
A. Stateful inspection is more secure due to its complex signatures, and deep packet inspection requires less human intervention.
B. Deep packet inspection is more secure due to its complex signatures, and stateful inspection requires less human intervention.
C. Deep packet inspection gives insights up to Layer 7, and stateful inspection gives insights only up to Layer 4.
D. Stateful inspection verifies data at the transport layer, and deep packet inspection verifies data at the application layer.
Selected Answer: C
Question #: 192
Topic #: 1
What is the difference between the ACK flag and the RST flag?
A. The RST flag approves the connection, and the ACK flag indicates that a packet needs to be resent.
B. The ACK flag marks the connection as reliable, and the RST flag indicates the failure within TCP Handshake.
C. The RST flag approves the connection, and the ACK flag terminates spontaneous connections.
D. The ACK flag confirms the received segment, and the RST flag terminates the connection.
Selected Answer: D
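Worked example (added here; it is not part of the original question set). Questions 189 and 192 both ask the reader to read fields out of a packet: source and destination IP, source and destination port, and the TCP flags. The short Python parser below pulls exactly those fields out of raw bytes. The packet it decodes is hand-assembled for the example with the addresses and ports from question 189 and zeroed checksums; it is not a real capture.

```python
import struct
from dataclasses import dataclass

# TCP flag bits, low to high, as laid out in the flags byte of the TCP header.
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

IPV4 = struct.Struct("!BBHHHBBH4s4s")   # 20-byte IPv4 header, no options
TCP = struct.Struct("!HHIIBBHHH")       # 20-byte TCP header, no options


@dataclass
class TcpSegment:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: list


def build_ipv4_tcp(src_ip, dst_ip, src_port, dst_port, flag_bits):
    """Assemble a constructed IPv4+TCP packet for the demo (checksums left at zero)."""
    def ip_bytes(dotted):
        return bytes(int(octet) for octet in dotted.split("."))
    ip_hdr = IPV4.pack(0x45, 0, IPV4.size + TCP.size, 0, 0, 64, 6, 0,
                       ip_bytes(src_ip), ip_bytes(dst_ip))
    tcp_hdr = TCP.pack(src_port, dst_port, 0, 0, (TCP.size // 4) << 4, flag_bits, 8192, 0, 0)
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(pkt):
    """Decode the IPv4 header, honour its IHL, then decode the TCP header that follows it."""
    ver_ihl, _tos, _total, _ident, _frag, _ttl, proto, _csum, src, dst = IPV4.unpack(pkt[:IPV4.size])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes; IP options push it past 20
    if proto != 6:
        raise ValueError("not a TCP segment (protocol %d)" % proto)
    src_port, dst_port, _seq, _ack, _offset, flag_bits = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    flags = [name for bit, name in TCP_FLAGS.items() if flag_bits & bit]
    return TcpSegment(".".join(map(str, src)), ".".join(map(str, dst)), src_port, dst_port, flags)


def describe(seg):
    """Render a segment the way the answer choices in question 189 phrase it."""
    return "%s:%d -> %s:%d [%s]" % (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port,
                                    ",".join(seg.flags))


if __name__ == "__main__":
    # The client's request (question 189's direction) and a server reset of the same connection.
    request = build_ipv4_tcp("192.168.88.12", "192.168.88.149", 49098, 80, 0x18)  # PSH+ACK
    reset = build_ipv4_tcp("192.168.88.149", "192.168.88.12", 80, 49098, 0x14)    # RST+ACK
    for pkt in (request, reset):
        print(describe(parse_ipv4_tcp(pkt)))
```

The direction of a conversation is read from the IP header and the port pair; the flags byte is what separates an acknowledgement (ACK set, connection continues) from a reset (RST set, connection torn down), which is the distinction question 192 is after.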
Question #: 193
Topic #: 1
An automotive company provides new types of engines and special brakes for rally sports cars. The company has a database of inventions and patents for their engines and technical information. Customers can access the database through the company’s website after they register and identify themselves. Which type of protected data is accessed by customers?
A. IP data
B. PII data
C. PSI data
D. PHI data
Selected Answer: A
Question #: 194
Topic #: 1
What is the difference between vulnerability and risk?
A. A vulnerability represents a flaw in a security that can be exploited, and the risk is the potential damage it might cause.
B. A risk is potential threat that adversaries use to infiltrate the network, and a vulnerability is an exploit.
C. A risk is a potential threat that an exploit applies to, and a vulnerability represents the threat itself.
D. A vulnerability is a sum of possible malicious entry points, and a risk represents the possibility of the unauthorized entry itself.
Selected Answer: A
Question #: 195
Topic #: 1
The security team has detected an ongoing spam campaign targeting the organization. The team’s approach is to push back the cyber kill chain and mitigate ongoing incidents. At which phase of the cyber kill chain should the security team mitigate this type of attack?
A. installation
B. reconnaissance
C. actions
D. delivery
Selected Answer: D
Question #: 196
Topic #: 1
What describes the concept of data consistently and readily being accessible for legitimate users?
A. accessibility
B. availability
C. integrity
D. confidentiality
Selected Answer: B
Question #: 197
Topic #: 1
How does an attack surface differ from an attack vector?
A. An attack vector recognizes the potential outcomes of an attack, and the attack surface is choosing a method of an attack.
B. An attack vector matches components that can be exploited, and an attack surface classifies the potential path for exploitation.
C. An attack surface mitigates external vulnerabilities, and an attack vector identifies mitigation techniques and possible workarounds.
D. An attack surface identifies vulnerable parts for an attack, and an attack vector specifies which attacks are feasible to those parts.
Selected Answer: D
Question #: 198
Topic #: 1
What describes the defense-in-depth principle?
A. defining precise guidelines for new workstation installations
B. implementing alerts for unexpected asset malfunctions
C. categorizing critical assets within the organization
D. isolating guest Wi-Fi from the local network
Selected Answer: D
Question #: 199
Topic #: 1
How does statistical detection differ from rule-based detection?
A. Statistical detection involves the evaluation of events, and rule-based detection requires an evaluated set of events to function.
B. Rule-based detection involves the evaluation of events, and statistical detection requires an evaluated set of events to function.
C. Statistical detection defines legitimate data over time, and rule-based detection works on a predefined set of rules.
D. Rule-based detection defines legitimate data over a period of time, and statistical detection works on a predefined set of rules.
Selected Answer: C
Question #: 200
Topic #: 1
Which type of access control depends on the job function of the user?
A. role-based access control
B. rule-based access control
C. nondiscretionary access control
D. discretionary access control
Selected Answer: A
Question #: 201
Topic #: 1
What is a collection of compromised machines that attackers use to carry out a DDoS attack?
A. subnet
B. VLAN
C. command and control
D. botnet
Selected Answer: D
Question #: 202
Topic #: 1
What is the difference between inline traffic interrogation (TAPS) and traffic mirroring (SPAN)?
A. SPAN ports filter out physical layer errors, making some types of analyses more difficult, and TAPS receives all packets, including physical errors.
B. TAPS replicates the traffic to preserve integrity, and SPAN modifies packets before sending them to other analysis tools.
C. TAPS interrogation is more complex because traffic mirroring applies additional tags to data, and SPAN does not alter integrity and provides full visibility within full-duplex networks.
D. SPAN results in more efficient traffic analysis, and TAPS is considerably slower due to latency caused by mirroring.
Selected Answer: A
Question #: 203
Topic #: 1
A security engineer notices confidential data being exfiltrated to a domain `Ransome4144-mware73-978` address that is attributed to a known advanced persistent threat group. The engineer discovers that the activity is part of a real attack and not a network misconfiguration. Which category does this event fall under as defined in the Cyber Kill Chain?
A. reconnaissance
B. delivery
C. action on objectives
D. weaponization
Selected Answer: C
Question #: 204
Topic #: 1
Which of these describes SOC metrics in relation to security incidents?
A. probability of outage caused by the incident
B. probability of compromise and impact caused by the incident
C. time it takes to assess the risks of the incident
D. time it takes to detect the incident
Selected Answer: D
Question #: 205
Topic #: 1
What is a benefit of using asymmetric cryptography?
A. encrypts data with one key
B. decrypts data with one key
C. secure data transfer
D. fast data transfer
Selected Answer: C
Question #: 206
Topic #: 1
What is obtained using NetFlow?
A. full packet capture
B. session data
C. application logs
D. network downtime report
Selected Answer: B
Question #: 207
Topic #: 1
What are the two differences between stateful and deep packet inspection? (Choose two.)
A. Deep packet inspection is capable of TCP state monitoring only, and stateful inspection can inspect TCP and UDP.
B. Stateful inspection is capable of packet data inspections, and deep packet inspection is not.
C. Deep packet inspection is capable of malware blocking, and stateful inspection is not.
D. Stateful inspection is capable of TCP state tracking, and deep packet filtering checks only TCP source and destination ports.
E. Deep packet inspection operates on Layer 3 and 4, and stateful inspection operates on Layer 3 of the OSI model.
Selected Answer: CD
Question #: 208
Topic #: 1
An engineer received a flood of phishing emails from HR with the source address HRjacobrn@company.com. What is the threat actor in this scenario?
A. sender
B. phishing email
C. receiver
D. HR
Selected Answer: A
Question #: 209
Topic #: 1
How does agentless monitoring differ from agent-based monitoring?
A. Agentless can access the data via API, while agent-based uses a less efficient method and accesses log data through WMI.
B. Agent-based monitoring has a lower initial cost for deployment, while agentless requires resource-intensive deployment.
C. Agent-based monitoring is less intrusive in gathering log data, while agentless requires open ports to fetch the logs.
D. Agent-based has a possibility to locally filter and transmit only valuable data, while agentless has much higher network utilization.
Selected Answer: D
Question #: 210
Topic #: 1
Syslog collecting software is installed on the server. For the log containment, a disk with FAT type partition is used. An engineer determined that log files are being corrupted when the 4 GB file size is exceeded. Which action resolves the issue?
A. Use NTFS partition for log containment.
B. Use the Ext4 partition because it can hold files up to 16 TB.
C. Use FAT32 to exceed the limit of 4 GB.
D. Add space to the existing partition and lower the retention period.
Selected Answer: A
Question #: 211
Topic #: 1
Which type of verification consists of using tools to compute the message digest of the original and copied data, then comparing the similarity of the digests?
A. evidence collection order
B. volatile data collection
C. data integrity
D. data preservation
Selected Answer: C
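Worked example (added here, not from the original page) of the data-integrity verification the question describes: compute the message digest of the original and of the copy, then compare. The evidence files are constructed in a temporary directory for the demo, a random "image", a faithful copy and a copy with a single bit flipped; the manifest format mirrors what sha256sum -c accepts.

```python
import hashlib
import os
import tempfile


def digest_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Stream the file through the hash so a multi-gigabyte image never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(paths, manifest_path, algorithm="sha256"):
    """Record '<digest>  <name>' lines (the layout 'sha256sum -c' verifies) for the case file."""
    with open(manifest_path, "w") as m:
        for p in paths:
            m.write("%s  %s\n" % (digest_file(p, algorithm), os.path.basename(p)))


def verify_copy(original, copy, algorithm="sha256"):
    """Data-integrity verification: equal digests mean the copy is bit-for-bit the original."""
    a = digest_file(original, algorithm)
    b = digest_file(copy, algorithm)
    return a == b, a, b


def demo():
    """Constructed evidence: a random 'disk image', a faithful copy, and a copy with one bit flipped."""
    work = tempfile.mkdtemp()
    original = os.path.join(work, "evidence.img")
    good_copy = os.path.join(work, "evidence-copy.img")
    bad_copy = os.path.join(work, "evidence-tampered.img")
    data = bytearray(os.urandom(3 * (1 << 20) + 17))   # odd size: exercises the final partial chunk
    with open(original, "wb") as f:
        f.write(data)
    with open(good_copy, "wb") as f:
        f.write(data)
    data[len(data) // 2] ^= 0x01                        # single bit flip deep inside the file
    with open(bad_copy, "wb") as f:
        f.write(data)
    manifest = os.path.join(work, "manifest.sha256")
    write_manifest([original], manifest)
    with open(manifest) as m:
        manifest_line = m.readline().rstrip("\n")
    return {
        "original": original,
        "manifest_line": manifest_line,
        "good_copy_matches": verify_copy(original, good_copy)[0],
        "tampered_copy_matches": verify_copy(original, bad_copy)[0],
    }


if __name__ == "__main__":
    print(demo())
```

A single flipped bit changes the whole digest, which is the point of the check. Record the digest before the copy is made and keep the manifest with the chain-of-custody record; SHA-256 is the sensible default, and many forensic tools record MD5 alongside it for compatibility, not because MD5 alone is still adequate against deliberate tampering.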
Question #: 212
Topic #: 1
What are two denial-of-service (DoS) attacks? (Choose two.)
A. port scan
B. phishing
C. man-in-the-middle
D. teardrop
E. SYN flood
Selected Answer: DE
Question #: 213
Topic #: 1
What is threat hunting?
A. Focusing on proactively detecting possible signs of intrusion and compromise.
B. Managing a vulnerability assessment report to mitigate potential threats.
C. Attempting to deliberately disrupt servers by altering their availability.
D. Pursuing competitors and adversaries to infiltrate their system to acquire intelligence data.
Selected Answer: A
Question #: 214
Topic #: 1
According to the September 2020 threat intelligence feeds, a new malware called Egregor was introduced and used in many attacks. Distribution of Egregor is primarily through a Cobalt Strike that has been installed on victim’s workstations using RDP exploits. Malware exfiltrates the victim’s data to a command and control server. The data is used to force victims to pay or lose it by publicly releasing it. Which type of attack is described?
A. malware attack
B. insider threat
C. ransomware attack
D. whale-phishing
Selected Answer: C
Question #: 215
Topic #: 1
A company encountered a breach on its web servers using IIS 7.5. During the investigation, an engineer discovered that an attacker read and altered the data on a secure communication using TLS 1.2 and intercepted sensitive information by downgrading a connection to export-grade cryptography. The engineer must mitigate similar incidents in the future and ensure that clients and servers always negotiate with the most secure protocol versions and cryptographic parameters.
Which action does the engineer recommend?
A. Upgrade to TLS v1.3.
B. Install the latest IIS version.
C. Deploy an intrusion detection system.
D. Downgrade to TLS 1.1.
Selected Answer: A
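Worked example (added here, not from the original page) of what "always negotiate the most secure protocol versions and cryptographic parameters" looks like as an enforced policy. It uses Python's standard ssl module because that is runnable offline; on Windows/IIS the equivalent controls live in the Schannel settings rather than in application code, and are not shown. The cipher string and the version floor are this example's choices, not anything the question specifies.

```python
import ssl


def hardened_context(server_side):
    """Context that refuses legacy TLS versions and every non-forward-secret or export-grade suite."""
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose)   # also sets OP_NO_COMPRESSION; clients get CERT_REQUIRED
    # Floor the protocol version. TLS 1.3 has no export or RSA-key-transport suites and marks the
    # ServerHello random when a lower version is negotiated, so a downgrade is detected by the peer.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3 if ssl.HAS_TLSv1_3 else ssl.TLSVersion.TLSv1_2
    # For peers that only speak TLS 1.2: forward-secret AEAD suites only, and an explicit ban on
    # the families an export-grade downgrade relies on (OpenSSL cipher-list syntax).
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!EXPORT:!RC4:!3DES:!MD5")
    return ctx


WEAK_MARKERS = ("EXP", "RC4", "DES", "NULL", "MD5", "ADH", "AECDH")


def weak_suites(ctx):
    """List any negotiable suite a hardened policy should not offer (empty means the policy held)."""
    return [c["name"] for c in ctx.get_ciphers() if any(m in c["name"] for m in WEAK_MARKERS)]


def allows_legacy(ctx):
    """True if the context would still negotiate TLS 1.1 or older."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def policy_report(ctx):
    """Summary a reviewer can check against the hardening requirement."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "legacy_allowed": allows_legacy(ctx),
        "weak_suites": weak_suites(ctx),
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
    }


if __name__ == "__main__":
    print(policy_report(hardened_context(server_side=True)))
    print(policy_report(hardened_context(server_side=False)))
```

Both ends need the floor: a hardened server still cannot stop a client that accepts whatever the network offers, which is why the question asks about clients and servers together.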
Question #: 216
Topic #: 1
What is the difference between discretionary access control (DAC) and role-based access control (RBAC)?
A. DAC administrators pass privileges to users and groups, and in RBAC, permissions are applied to specific groups.
B. DAC requires explicit authorization for a given user on a given object, RBAC requires specific conditions.
C. RBAC is an extended version of DAC where you can add an extra level of authorization based on time.
D. RBAC access is granted when a user meets specific conditions, and in DAC, permissions are applied on user and group levels.
Selected Answer: A
Question #: 217
Topic #: 1
The SOC team has confirmed a potential indicator of compromise on an isolated endpoint. The team has narrowed the potential malware type to a new trojan family. According to the NIST Computer Security Incident Handling Guide, what is the next step in handling the event?
A. Perform an AV scan on the infected endpoint.
B. Isolate the infected endpoint from the network.
C. Prioritize incident handling based on the impact.
D. Analyze the malware behavior.
Selected Answer: D
Question #: 218
Topic #: 1
An engineer is working with the compliance teams to identify the data passing through the network. During analysis, the engineer informs the compliance team that external perimeter data flows contain records, writings, and artwork. Internal segregated network flows contain the customer choices by gender, addresses, and product preferences by age. The engineer must identify protected data. Which two types of data must be identified? (Choose two.)
A. SOX
B. PII
C. PCI
D. PHI
E. copyright
Selected Answer: BE
Question #: 219
Topic #: 1
Refer to the exhibit. Which stakeholders must be involved when a company workstation is compromised?
A. Employee 1, Employee 2, Employee 3, Employee 4, Employee 5, Employee 7
B. Employee 4, Employee 6, Employee 7
C. Employee 1, Employee 2, Employee 4, Employee 5
D. Employee 2, Employee 3, Employee 4, Employee 5
Selected Answer: C
Question #: 220
Topic #: 1
Refer to the exhibit. Which field contains DNS header information if the payload is a query or response?
A. ID
B. Z
C. QR
D. TC
Selected Answer: C
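Worked example (added here, not from the original page): a parser for the 12-byte DNS header that exposes the ID, QR, TC and Z fields the answer choices name, plus the rest of the flags word. The two messages it decodes are constructed with the builder in the block, an A query for example.com and the header of the matching reply; they are not captured traffic.

```python
import struct

HEADER = struct.Struct("!HHHHHH")   # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035 4.1.1)


def parse_dns_header(data):
    """Split the fixed 12-byte header into its fields; the flags word is unpacked bit by bit."""
    if len(data) < HEADER.size:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = HEADER.unpack(data[:HEADER.size])
    return {
        "id": ident,                    # matches a response to its query
        "qr": (flags >> 15) & 1,        # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,  # 0 = standard query
        "aa": (flags >> 10) & 1,        # authoritative answer
        "tc": (flags >> 9) & 1,         # truncated; client should retry over TCP
        "rd": (flags >> 8) & 1,         # recursion desired
        "ra": (flags >> 7) & 1,         # recursion available
        "z": (flags >> 4) & 0x7,        # reserved, must be zero
        "rcode": flags & 0xF,           # 0 NOERROR, 3 NXDOMAIN, ...
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def build_dns_header(ident, qr, opcode=0, aa=0, tc=0, rd=1, ra=0, rcode=0,
                     qdcount=1, ancount=0, nscount=0, arcount=0):
    """Pack a header; used only to construct the sample messages below."""
    flags = (qr << 15) | (opcode << 11) | (aa << 10) | (tc << 9) | (rd << 8) | (ra << 7) | rcode
    return HEADER.pack(ident, flags, qdcount, ancount, nscount, arcount)


def parse_qname(data, offset):
    """Read an uncompressed label sequence; returns (name, offset just past the terminating zero)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointer not handled in this example")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def encode_qname(name):
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"


def kind(data):
    """The question's point: the QR bit alone says whether the payload is a query or a response."""
    return "response" if parse_dns_header(data)["qr"] else "query"


# Constructed sample messages (not captured traffic): an A query and the matching reply header.
QUESTION = encode_qname("example.com") + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
QUERY = build_dns_header(0x1A2B, qr=0, rd=1) + QUESTION
RESPONSE = build_dns_header(0x1A2B, qr=1, rd=1, ra=1, ancount=1) + QUESTION

if __name__ == "__main__":
    for msg in (QUERY, RESPONSE):
        print(kind(msg), parse_dns_header(msg), parse_qname(msg, HEADER.size))
```

A non-zero Z field or a QR bit that does not match the direction of the packet is worth an alert in its own right: legitimate resolvers never set Z, and a "response" arriving with no outstanding query is a classic sign of spoofed or tunnelled DNS.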
Question #: 221
Topic #: 1
What is the difference between a threat and an exploit?
A. An exploit is an attack path, and a threat represents a potential vulnerability.
B. An exploit is an attack vector, and a threat is a potential path the attack must go through.
C. A threat is a potential attack on an asset, and an exploit takes advantage of the vulnerability of the asset.
D. A threat is a result of utilizing flow in a system, and an exploit is a result of gaining control over the system.
Selected Answer: C
Question #: 222
Topic #: 1
Refer to the exhibit. A SOC engineer is analyzing the provided Cuckoo Sandbox report for a file that has been downloaded from an URL, received via email. What is the state of this file?
A. The file was identified as PE32 executable for MS Windows and the YARA field lists it as Trojan.
B. The file was detected as executable and was matched by PEiD threat signatures for further analysis.
C. The file was detected as executable, but no suspicious features are identified.
D. The calculated SHA256 hash of the file was matched and identified as malicious.
Selected Answer: A
Question #: 223
Topic #: 1
A security analyst notices a sudden surge of incoming traffic and detects unknown packets from unknown senders. After further investigation, the analyst learns that customers claim that they cannot access company servers. According to NIST SP800-61, in which phase of the incident response process is the analyst?
A. preparation
B. post-incident activity
C. containment, eradication, and recovery
D. detection and analysis
Selected Answer: D
Question #: 224
Topic #: 1
An engineer is analyzing a recent breach where confidential documents were altered and stolen by the receptionist. Further analysis shows that the threat actor connected an external USB device to bypass security restrictions and steal data. The engineer could not find an external USB device. Which piece of information must an engineer use for attribution in an investigation?
A. receptionist and the actions performed
B. stolen data and its criticality assessment
C. external USB device
D. list of security restrictions and privileges boundaries bypassed
Selected Answer: A
Question #: 225
Topic #: 1
How does TOR alter data content during transit?
A. It encrypts content and destination information over multiple layers.
B. It traverses source traffic through multiple destinations before reaching the receiver.
C. It redirects destination traffic through multiple sources avoiding traceability.
D. It spoofs the destination and source information protecting both sides.
Selected Answer: A
Question #: 226
Topic #: 1
Which information must an organization use to understand the threats currently targeting the organization?
A. vendor suggestions
B. threat intelligence
C. risk scores
D. vulnerability exposure
Selected Answer: B
Question #: 227
Topic #: 1
An analyst is using the SIEM platform and must extract a custom property from a Cisco device and capture the phrase, `File: Clean.` Which regex must the analyst import?
A. File: Clean (.*)
B. ^Parent File: Clean$
C. File: Clean
D. ^File: Clean$
Selected Answer: C
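Worked example (added here, not from the original page) that runs the four candidate patterns from question 227 over a handful of constructed log lines. The lines only loosely imitate a file-disposition event; the real Cisco message layout is not reproduced. It also shows the pattern a practitioner would actually deploy, because the answer choices leave two traps unaddressed.

```python
import re

# Constructed log lines for this example (the real Cisco message layout is not reproduced here).
LINES = [
    "Mar 10 09:00:01 device1 file-event: sha256=aa11 File: Clean. Action: allowed",
    "Mar 10 09:00:02 device1 file-event: sha256=bb22 File: Malware. Action: blocked",
    "Mar 10 09:00:03 device1 file-event: sha256=cc33 File: Cleanup-tool.exe Action: allowed",
    "File: Clean",
]

# The four patterns offered in question 227, exactly as written there.
CANDIDATES = {
    "A": r"File: Clean (.*)",
    "B": r"^Parent File: Clean$",
    "C": r"File: Clean",
    "D": r"^File: Clean$",
}


def matching_lines(pattern, lines):
    """Indexes of the lines a pattern hits when applied the way a SIEM does: anywhere in the event."""
    rx = re.compile(pattern)
    return [i for i, line in enumerate(lines) if rx.search(line)]


def candidate_report(lines=LINES):
    return {label: matching_lines(pattern, lines) for label, pattern in CANDIDATES.items()}


# The pattern to deploy if the trailing period is part of the phrase: '.' is a regex
# metacharacter and must be escaped, and the word boundary keeps 'Cleanup' from matching.
EXACT_PHRASE = re.compile(r"\bFile: Clean\.")


def extract_phrase(line):
    m = EXACT_PHRASE.search(line)
    return m.group(0) if m else None


if __name__ == "__main__":
    for label, hits in candidate_report().items():
        print(label, repr(CANDIDATES[label]), "->", hits)
    print([extract_phrase(line) for line in LINES])
```

Anchors (^ and $) only match when the phrase is the entire event, which is why D hits only the bare field and never a full syslog line; the unanchored C matches anywhere, but also matches "File: Cleanup-tool.exe", so in production tighten it with the escaped period or a word boundary.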
Question #: 228
Topic #: 1
Which technology prevents end-device to end-device IP traceability?
A. encryption
B. tunneling
C. load balancing
D. NAT/PAT
Selected Answer: D
Question #: 229
Topic #: 1
What is the difference between inline traffic interrogation and traffic mirroring?
A. Inline replicates the traffic to preserve integrity rather than modifying packets before sending them to other analysis tools.
B. Traffic mirroring results in faster traffic analysis and inline is considerably slower due to latency.
C. Inline interrogation is less complex as traffic mirroring applies additional tags to data.
D. Traffic mirroring copies the traffic rather than forwarding it directly to the analysis tools.
Selected Answer: D
Question #: 230
Topic #: 1
What is an advantage of symmetric over asymmetric encryption?
A. It is a faster encryption mechanism for sessions.
B. A one-time encryption key is generated for data transmission.
C. A key is generated on demand according to data type.
D. It is suited for transmitting large amounts of data.
Selected Answer: A
Question #: 231
Topic #: 1
Refer to the exhibit. During the analysis of a suspicious scanning activity incident, an analyst discovered multiple local TCP connection events. Which technology provided these logs?
A. antivirus
B. IDS/IPS
C. firewall
D. proxy
Selected Answer: C
Question #: 232
Topic #: 1
An organization is cooperating with several third-party companies. Data exchange is on an unsecured channel using port 80. Internal employees use the FTP service to upload and download sensitive data. An engineer must ensure confidentiality while preserving the integrity of the communication. Which technology must the engineer implement in this scenario?
A. RADIUS server
B. web application firewall
C. X.509 certificates
D. CA server
Selected Answer: C
Question #: 233
Topic #: 1
What describes the impact of false-positive alerts compared to false-negative alerts?
A. A false negative is alerting for an XSS attack. An engineer investigates the alert and discovers that an XSS attack happened. A false positive is when an XSS attack happens and no alert is raised.
B. A false positive is an event alerting for an SQL injection attack. An engineer investigates the alert and discovers that an attack attempt was blocked by IPS. A false negative is when the attack gets detected but succeeds and results in a breach.
C. A false positive is an event alerting for a brute-force attack. An engineer investigates the alert and discovers that a legitimate user entered the wrong credential several times. A false negative is when a threat actor tries to brute-force attack a system and no alert is raised.
D. A false negative is a legitimate attack triggering a brute-force alert. An engineer investigates the alert and finds out someone intended to break into the system. A false positive is when no alert and no attack is occurring.
Selected Answer: C
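Worked example (added here, not from the original page) that ties question 199 to question 233: a rule-based detector with a fixed failed-login threshold and a statistical detector that learns a failures-per-minute baseline over time are both run over the same constructed sshd-style log lines, then scored against a constructed ground truth so the false positives and false negatives of each are visible. The log lines, the baseline and the attacker labels are all invented for the demo; the threshold and the three-sigma cutoff are this example's parameters.

```python
import re
import statistics
from collections import Counter

# Constructed sshd-style log lines for this example; they are not from the page or any real host.
LOG_LINES = [
    "Mar 10 09:00:01 srv1 sshd[101]: Failed password for alice from 10.1.1.20 port 51000 ssh2",
    "Mar 10 09:00:05 srv1 sshd[101]: Failed password for alice from 10.1.1.20 port 51001 ssh2",
    "Mar 10 09:00:09 srv1 sshd[101]: Failed password for alice from 10.1.1.20 port 51002 ssh2",
    "Mar 10 09:00:12 srv1 sshd[101]: Failed password for alice from 10.1.1.20 port 51003 ssh2",
    "Mar 10 09:00:16 srv1 sshd[101]: Failed password for alice from 10.1.1.20 port 51004 ssh2",
    "Mar 10 09:00:20 srv1 sshd[101]: Accepted password for alice from 10.1.1.20 port 51005 ssh2",
    "Mar 10 09:03:00 srv1 sshd[102]: Failed password for invalid user admin from 203.0.113.9 port 40000 ssh2",
    "Mar 10 09:03:01 srv1 sshd[102]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2",
    "Mar 10 09:03:02 srv1 sshd[102]: Failed password for invalid user root from 203.0.113.9 port 40002 ssh2",
    "Mar 10 09:03:03 srv1 sshd[102]: Failed password for invalid user root from 203.0.113.9 port 40003 ssh2",
    "Mar 10 09:03:04 srv1 sshd[102]: Failed password for invalid user test from 203.0.113.9 port 40004 ssh2",
    "Mar 10 09:03:05 srv1 sshd[102]: Failed password for invalid user test from 203.0.113.9 port 40005 ssh2",
    "Mar 10 09:03:06 srv1 sshd[102]: Failed password for invalid user guest from 203.0.113.9 port 40006 ssh2",
    "Mar 10 09:03:07 srv1 sshd[102]: Failed password for invalid user guest from 203.0.113.9 port 40007 ssh2",
    "Mar 10 09:05:00 srv1 sshd[103]: Failed password for bob from 198.51.100.7 port 42000 ssh2",
    "Mar 10 09:05:01 srv1 sshd[103]: Failed password for bob from 198.51.100.7 port 42001 ssh2",
    "Mar 10 09:05:02 srv1 sshd[103]: Failed password for bob from 198.51.100.7 port 42002 ssh2",
    "Mar 10 09:05:03 srv1 sshd[103]: Accepted password for bob from 198.51.100.7 port 42003 ssh2",
]

# Constructed ground truth for scoring: 10.1.1.20 is alice mistyping her password (question 233's
# option C scenario); 203.0.113.9 is a noisy brute force; 198.51.100.7 guessed bob's weak password
# on the fourth try, a low-and-slow attack that a fixed threshold misses.
ATTACKERS = {"203.0.113.9", "198.51.100.7"}

# Constructed baseline: failed logins per minute seen during a quiet hour, "legitimate data over time".
BASELINE_FAILS_PER_MINUTE = [0, 1, 0, 0, 2, 0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 2, 0, 0, 1, 0] * 3

FAIL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d):\d\d \S+ sshd\[\d+\]: Failed password for "
                     r"(?:invalid user )?(\S+) from (\S+) port")


def failures(lines):
    """Yield (minute, user, src_ip) for every failed login in the log."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def all_sources(lines):
    return {src for _, _, src in failures(lines)}


def rule_based(lines, threshold=5):
    """Predefined rule: alert on any source with at least `threshold` failures in the window."""
    per_src = Counter(src for _, _, src in failures(lines))
    return {src for src, n in per_src.items() if n >= threshold}


def statistical(lines, baseline=BASELINE_FAILS_PER_MINUTE, sigmas=3.0):
    """Learned normal: alert on minutes whose failure count sits far above the baseline."""
    cutoff = statistics.mean(baseline) + sigmas * statistics.pstdev(baseline)   # about 2.5 here
    per_minute = Counter(minute for minute, _, _ in failures(lines))
    hot_minutes = {minute for minute, n in per_minute.items() if n > cutoff}
    return {src for minute, _, src in failures(lines) if minute in hot_minutes}


def score(alerts, attackers, sources):
    """Question 233's vocabulary applied to one detector's output."""
    return {
        "true_positive": alerts & attackers,
        "false_positive": alerts - attackers,
        "false_negative": attackers - alerts,
        "true_negative": sources - attackers - alerts,
    }


if __name__ == "__main__":
    sources = all_sources(LOG_LINES)
    print("rule-based  ", score(rule_based(LOG_LINES), ATTACKERS, sources))
    print("statistical ", score(statistical(LOG_LINES), ATTACKERS, sources))
```

Both detectors raise a false positive on alice, exactly the scenario option C describes, and only the statistical one catches the low-and-slow guess, because its cutoff comes from observed normal behaviour rather than a number chosen in advance. The cost of that sensitivity is a baseline that has to be refreshed as traffic changes, which is the trade-off between the two approaches in question 199.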
Question #: 234
Topic #: 1
Which vulnerability type is used to read, write, or erase information from a database?
A. cross-site request forgery
B. SQL injection
C. cross-site scripting
D. buffer overflow
Selected Answer: B
Question #: 235
Topic #: 1
Refer to the exhibit. A security analyst is investigating unusual activity from an unknown IP address. Which type of evidence is this file?
A. indirect evidence
B. best evidence
C. direct evidence
D. corroborative evidence
Selected Answer: A
Question #: 236
Topic #: 1
Refer to the exhibit. A network administrator is investigating suspicious network activity by analyzing captured traffic. An engineer notices abnormal behavior and discovers that the default user agent is present in the headers of requests and data being transmitted. What is occurring?
A. indicators of denial-of-service attack: due to the frequency of requests
B. indicators of data exfiltration: HTTP requests must be plain text
C. cache bypassing attack: attacker is sending requests for noncacheable content
D. garbage flood attack: attacker is sending garbage binary data to open ports
Selected Answer: C
Question #: 237
Topic #: 1
Refer to the exhibit. An engineer received an event log file to review. Which technology generated the log?
A. IDS/IPS
B. firewall
C. proxy
D. NetFlow
Selected Answer: B
Question #: 238
Topic #: 1
Refer to the exhibit. An analyst was given a PCAP file, which is associated with a recent intrusion event in the company FTP server. Which display filters should the analyst use to filter the FTP traffic?
A. dst.port = 21
B. tcp.port == 21
C. dstport == FTP
D. tcpport = FTP
Selected Answer: B
Question #: 239
Topic #: 1
Refer to the exhibit. A workstation downloads a malicious .docx file from the Internet and a copy is sent to FTDv. The FTDv sends the file hash to FMC and the file event is recorded. What would have occurred with stronger data visibility?
A. An extra level of security would have been in place.
B. Malicious traffic would have been blocked on multiple devices.
C. The traffic would have been monitored at any segment in the network.
D. Detailed information about the data in real time would have been provided.
Selected Answer: D
Question #: 240
Topic #: 1
Refer to the exhibit. Which frame numbers contain a file that is extractable via TCP stream within Wireshark?
A. 7 to 21
B. 7 and 21
C. 7, 14, and 21
D. 14, 16, 18, and 19
Selected Answer: D