1. What is accomplished in the identification phase of incident handling?

 determining the responsible user

 identifying source and destination IP addresses
 defining the limits of your authority related to a security event
 determining that a security event has occurred

2. Which two HTTP header fields relate to intrusion analysis? (Choose two).

 user-agent
 host
 connection
 language
 handshake type

3. Which component of the NIST SP800-61 r2 incident handling strategy reviews data?

 preparation
 detection and analysis
 containment, eradication, and recovery
 post-incident analysis

4. Which option is generated when a file is run through an algorithm and generates a
string specific to the contents of that file?

 URL
 hash
 IP address
 destination port

5. Which data type is protected under the PCI compliance framework?

 credit card type

 primary account number
 health conditions
 provision of individual care

6. Which CVSSv3 metric captures the level of access that is required for a successful
attack?

 attack vector
 attack complexity
 privileges required
 user interaction

7. From a security perspective, why is it important to employ a clock synchronization

protocol on a network?

 so that everyone knows the local time

 to ensure employees adhere to work schedule
 to construct an accurate timeline of events when responding to an incident
 to guarantee that updates are pushed out according to schedule
8. You see 100 HTTP GET and POST requests for various pages on one of your web servers.
The user agent in the requests contain php code that, if executed, creates and writes to a
new php file on the webserver. Which category does this event fall under as defined in the
Diamond Model of Intrusion?

 delivery
 reconnaissance
 action on objectives
 installation
 exploitation

9. Which option is a misuse variety per VERIS enumerations?

 snooping
 hacking
 theft
 assault

10. Which stakeholder group is responsible for containment, eradication, and recovery in
incident handling?

 facilitators
 practitioners
 leaders and managers
 decision makers

11. Refer to the exhibit. You notice that the email volume history has been abnormally
high. Which potential result is true?

 Email sent from your domain might be filtered by the recipient.

 Messages sent to your domain may be queued up until traffic dies down.
 Several hosts in your network may be compromised.
 Packets may be dropped due to network congestion.

12. A user on your network receives an email in their mailbox that contains a malicious
attachment. There is no indication that the file was run. Which category as defined in the
Kill-chain model does this activity fall under?

 reconnaissance
 weaponization
 delivery
 installation
13. During which phase of the forensic process are tools and techniques used to extract
the relevant information from the collective data?

 examination
 reporting
 collection
 investigation

14. Which option allows a file to be extracted from a TCP stream within Wireshark?

 File > Export Objects

 Analyze > Extract
 Tools > Export > TCP
 View > Extract

15. Refer to the exhibit. Which type of log is this an example of?

 IDS log
 proxy log
 NetFlow log
 syslog

16. Refer to the exhibit. Which type of log is this an example of?

 syslog
 NetFlow log
 proxy log
 IDS log

17. Which element can be used by a threat actor to discover a possible opening into a
target network and can also be used by an analyst to determine the protocol of the
malicious traffic?

 TTLs
 ports
 SMTP replies
 IP addresses
18. In Microsoft Windows, as files are deleted the space they were allocated eventually is
considered available for use by other files. This creates alternating used and unused areas
of various sizes. What is this called?

 network file storing

 free space fragmentation
 alternate data streaming
 defragmentation

19. In the context of incident handling phases, which two activities fall under scoping?
(Choose two.)

 determining the number of attackers that are associated with a security incident
 ascertaining the number and types of vulnerabilities on your network
 identifying the extent that a security incident is impacting protected resources on
the network
 determining what and how much data may have been affected
 identifying the attackers that are associated with a security incident

20. Which regular expression matches "color" and "colour"?

 col[0-9]+our
 colo?ur
 colou?r
 ]a-z]{7}

21. Which description of a retrospective malware detection is true?

 You use Wireshark to identify the malware source.

 You use historical information from one or more sources to identify the affected
host or file.
 You use information from a network analyzer to identify the malware source.
 You use Wireshark to identify the affected host or file.

22. Which process is being utilized when IPS events are removed to improve data
integrity?

 data normalization
 data availability
 data protection
 data signature

23. Which element is included in an incident response plan?

 organization mission
 junior analyst approval
 day-to-day firefighting
 siloed approach to communications
24. Which CVSSv3 metric value increases when attacks consume network bandwidth,
processor cycles, or disk space?

 confidentiality
 integrity
 availability
 complexity

25. Which Security Operations Center’s goal is to provide incident handling to a country?

 Coordination Center
 Internal CSIRT
 National CSIRT
 Analysis Center

26. A CMS plugin creates two files that are accessible from the Internet myplugin.html and
exploitable.php. A newly discovered exploit takes advantage of an injection vulnerability
in exploitable.php. To exploit the vulnerability, one must send an HTTP POST with specific
variables to exploitable.php. You see traffic to your webserver that consists of only HTTP
GET requests to myplugin.html. Which category best describes this activity?

 weaponization
 exploitation
 installation
 reconnaissance

27. Which goal of data normalization is true?

 Reduce data redundancy.

 Increase data redundancy.
 Reduce data availability.
 Increase data availability

28. Refer to the Exhibit. A customer reports that they cannot access your organization’s
website. Which option is a possible reason that the customer cannot access the website?

 The server at 10.33.1.5 is using up too much bandwidth causing a denial- of-service.
 The server at 10.67.10.5 has a virus.
 A vulnerability scanner has shown that 10.67.10.5 has been compromised.
  Web traffic sent from 10.67.10.5 has been identified as malicious by Internet
sensors.

29. Which identifies both the source and destination location?

 IP address
 URL
 ports
 MAC address

30. Which type of analysis assigns values to scenarios to see what the outcome might be in
each scenario?

 deterministic
 exploratory
 probabilistic
 descriptive

31. Which feature is used to find possible vulnerable services running on a server?

 CPU utilization
 security policy
 temporary internet files
 listening ports

32. Refer to the exhibit. Which packet contains a file that is extractable within Wireshark?

 1986
 2318 (would be correct if there was not the GET command with the path)
 2542 (because it has the HTTP/1.1 200 and the gif is in the info.)
 2317

33. Which two options can be used by a threat actor to determine the role of a server?
(Choose two.)

 PCAP
 tracert
 running processes
  hard drive configuration
 applications

34. Which option creates a display filter on Wireshark on a host IP address or name?

 ip.address == <address> or ip.network == <network>

 [tcp|udp] ip.[src|dst] port <port>
 ip.addr == <addr> or ip.name == <name>
 ip.addr == <addr> or ip.host == <host>

35. You receive an alert for malicious code that exploits Internet Explorer and runs
arbitrary code on the site visitor machine. The malicious code is on an external site that is
being visited by hosts on your network. Which user agent in the HTTP headers in the
requests from your internal hosts warrants further investigation?

 Mozilla/5.0 (compatible, MSIE 10.0, Windows NT 6.2, Trident 6.0)

 Mozilla/5.0 (XII; Linux i686; rv: 1.9.2.20) Gecko/20110805
 Mozilla/5.0 (Windows NT 6.1; WOW64; rv: 4O0) Gecko/20100101
 Opera/9.80 (XII; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16

36. During which phase of the forensic process is data that is related to a specific event
labeled and recorded to preserve its integrity?

 collection
 examination
 reporting
 investigation

37. Which information must be left out of a final incident report?

 server hardware configurations

 exploit or vulnerability used
 impact and/or the financial loss
 how the incident was detected

38. Which two components are included in a 5-tuple? (Choose two.)

 port number
 destination IP address
 data packet
 user name
 host logs

39. In VERIS, an incident is viewed as a series of events that adversely affects the
information assets of an organization. Which option contains the elements that every
event is comprised of according to VERIS incident model’?

 victim demographics, incident description, incident details, discovery & response

 victim demographics, incident details, indicators of compromise, impact assessment
 actors, attributes, impact, remediation
 actors, actions, assets, attributes
40. Refer to the exhibit. Which application protocol is in this PCAP file?

 TCP
 SSH
 HTTP
 SSL

41. You see confidential data being exfiltrated to an IP address that is attributed to a
known Advanced Persistent Threat group. Assume that this is part of a real attack and not
a network misconfiguration. Which category does this event fall under as defined in the
Diamond Model of Intrusion?

 reconnaissance
 weaponization
 delivery
 action on objectives

42. Refer to the exhibit. We have performed a malware detection on the Cisco website.
Which statement about the result is true?

 The website has been marked benign on all 68 checks.

 The threat detection needs to run again.
 The website has 68 open threats.
  The website has been marked benign on 0 checks

43. Which option has a drastic impact on network traffic because it can cause legitimate
traffic to be blocked?

 true positive
 true negative
 false positive
 false negative

44. Which CVSSv3 metric value increases when the attacker is able to modify all files
protected by the vulnerable component?

 confidentiality
 integrity
 availability
 complexity

45. Which type of analysis allows you to see how likely an exploit could affect your
network?

 descriptive
 casual
 probabilistic
 inferential

46. Which network device creates and sends the initial packet of a session?

 source
 origination
 destination
 network

47. When performing threat hunting against a DNS server, which traffic toward the
affected domain is considered a starting point?

 HTTPS traffic
 TCP traffic
 HTTP traffic
 UDP traffic

48. An organization has recently adjusted its security stance in response to online threats
made by a known hacktivist group. Which term defines the initial event in the NIST SP800-
61 r2?

 Indicator  is a sign that an incident may have occurred or may be occurring now.
 Precursor  is a sign that an incident may occur in the future
 online assault
 trigger
49. You have run a suspicious file in a sandbox analysis tool to see what the file does. The
analysis report shows that outbound callouts were made post infection. Which two pieces
of information from the analysis report are needed or required to investigate the callouts?
(Choose two.)

 file size
 domain names
 dropped files
 signatures
 host IP addresses

50. Which option filters a LibPCAP capture that used a host as a gateway?

 tcp|udp] [src|dst] port <port>

 [src|dst] net <net> [{mask <mask>}|{len <len>}]
 ether [src|dst] host <ehost>
 gateway host <host>

51. Which source provides reports of vulnerabilities in software and hardware to a

Security Operations Center?

 Analysis Center
 National CSIRT
 Internal CSIRT
 Physical Security

52. What information from HTTP logs can be used to find a threat actor?

 referer
 IP address
 user-agent
 URL

53. Which element is part of an incident response plan?

 organizational approach to incident response

 organizational approach to security
 disaster recovery
 backups

54. Refer to the exhibit. What can be determined from this ping result?
  The public IP address of cisco.com is 2001:420:1101:1::a.
 The Cisco.com website is down.
 The Cisco.com website is responding with an internal IP.
 The public IP address of cisco.com is an IPv4 address.

55. What mechanism does the Linux operating system provide to control access to files?

 privileges required
 user interaction
 file permissions
 access complexity

56. Which string matches the regular expression r(ege)+x?

 rx
 regeegex
 r(ege)x
 rege+x

57. Which statement about threat actors is true?

 They are any company assets that are threatened.

 They are any assets that are threatened.
 They are perpetrators of attacks.
 They are victims of attacks.

58. Which data element must be protected with regards to PCI?

 past health condition

 geographic location
 full name / full account number
 recent payment amount

59. Which kind of evidence can be considered most reliable to arrive at an analytical
assertion?

 direct
 corroborative
 indirect
 circumstantial
 textual

60. Which CVSSv3 Attack Vector metric value requires the attacker to physically touch or
manipulate the vulnerable component?

 local
 physical
 network
 adjacent
61. Which option can be addressed when using retrospective security techniques?

 if the affected host needs a software update

 how the malware entered our network
 why the malware is still in our network
 if the affected system needs replacement

62. Drag and drop the type of evidence from the left onto the correct description(s) of that
evidence on the right.

Select and Place:

Corroborative evidence – NetFlow based spike in DNS traffic

Indirect evidence – firewall log showing successful communication and threat intelligence
stating an IP is known to host malware

Direct evidence – log that shows a command and control check-in from verified malware

63. Drag and drop the elements of incident handling from the left into the correct order on
the right.

Select and Place:

1-Preparation

2-Detection and analysis

3-Containment, eradication and recovery

4-Post incident analysis

64. Refer to the exhibit. Drag and drop the element name from the left onto the correct
piece of the PCAP file on the right.

Select and Place:

10.0.2.15 - Source address

50588 - Source port

443 - Destination port

192.124.249.9 - Destination address

Transmission Control Protocol - Transport protocol

Internet Protocol v4 - Network protocol

Transport Layer Security v1.2 - Application protocol

65. Refer to the exhibit. Drag and drop the element name from the left onto the correct
piece of the NetFlow v5 record from a security event on the right.

Select and Place:

10.232.38.20 - Source address

3120 - Bytes transmitted

80 - Source port

208.100.26.233 - Destination address

60 - Number of packets

39613 - Destination port

TCP – Protocol (είναι το 6 που λεει στο screenshot αλλα ετσι και αλλιως δεν υπηρχε άλλη
επιλογη)

66. Which netstat command show ports? (Choose two)

 netstat –a
 netstat -l
 netstat -v
 netstat -g

67. What is Data mapping used for? (Choose two)

 data accuracy(integrity)
 data availability
 data normalization
 data confidentiality
 data visualisation
68. Filtering ports in wireshark?

 tcp.port == 80
 tcp port equals 80
 tcp.port 80
 port 80

69. What attribute belonging VERIS schema?

 confidentiality/possession
 integrity/authenticity
 availability/utility

70. What is NAC?

 Non-Admin Closure
 Network Access Control
 Nepal Airline Corporations
 Network Address Control

71. What protocol is related to NAC?

 802.1Q
 802.1X (EAP-TLS, EAP-PEAP or EAP-MSCHAP)
 802.1E
 802.1F

72. What is the definition of confidentiality according to CVSSv3 framework?

this metric measures the impact to the confidentiality of the information resources managed
by a software component due to a successfully exploited vulnerability.

73. Which of the following are examples of some of the responsibility of a corporate CSIRT
and the policies it helps create? (Choose four)

 Scanning vendor customer network

 incident classification and handling
 Information classification and protection
 Information dissemination
 Record retentions and destruction

74. Which of the following is not an example of weaponization

 Connecting to a CnC server

 Wrapping software with a RAT
 Creating backdoor in an app
 Developing an automated script to inject commands on a USB device

75. Which of the following has been used to evade IDS / IPS devices?

 SNMP
 HTTP
 TNP
  Fragmentation

76. Which of the following is typically a responsibility of a PSIRT (Product SIRT)?

 Configure the organization’s firewall

 Monitor security logs
 Investigate security incidents in a SOC
 Disclosure vulnerabilities in the organization’s products and services

77. Which of the following is an example of a managed security offering where incident
response experts monitor and respond to security alerts in a SOC?

 Cisco CloudLock
 Cisco’s Active Threat Analytics (ATA)
 Cisco Managed Firepower Service
 Cisco Jasper

78. Which of the following is one of the main goals of data normalization?

 To save duplicate logs for redundancy

 To purge redundant data while maintaining data integrity
 To correlate IPS and IDS logs with DNS
 To correlate IPS and IDS logs with Firewall logs

79. Which of the following can be identified by correlating DNS intelligence and other
security events? (Choose two)

 Communication to CnC servers

 Configuration issues
 Routing problems
 Malicious domain based on reputation

80. Which of the following steps in the kill chain would come before the others?

 C2
 Delivery
 Installation
 Exploitation

81. Which of the following are core responsibilities of a national CSIRT and CERT?

 Provide solutions for bug bounties

 Provide vulnerability brokering to vendors within a country
 Protect their citizens by providing security vulnerability info, security awareness
training, best practices, and other info
 Create regulations around cybersecurity within the country

82. Which of the following is one of the main goals of the CSIRT?

 Configure the organization’s firewall

 Monitor the organizations IPS devices
 Minimize and control the damage associated with incidents, provide guidance for
mitigation and work to prevent future incidents
  Hire security professionals who will be part of the InfoSec team of the organization

83. Which of the following is not a metadata feature of the Diamond Model?

 Direction
 Result
 Devices
 Resources

84. Which of the following are the three metrics, or scores, of the CVSS?

 Baseline
 Base
 Environmental
 Temporal

85. Which of the following are not components of the 5-tuple of a flow in NetFlow?
(Choose two)

 Source IP address
 Flow record ID
 Source port
 Gateway
 Destination port

86. Refer to the following packet capture. Which of the following statements is true?

 The host with IP 93.184.216.34 is the source

 The host omar.cisco is the destination
 The server omar.cisco.com is responding to 93.184.216.34 with four packets
 This is a telnet transaction that is timing out and the server is not responding

87. Which of the following is an example of a coordination center

 Cisco PSIRT
 Microsoft MSRC
 CERT division of the SEI
 FIRST
88. Which of the following is the team that handles the investigation, resolution, and
disclosure of security vulnerabilities in vendor products and services?

 CSIRT
 ICASI
 USIRP
 PSIRT

89. Which of the following are the three broad categories of cybersecurity investigations?

 Public, private, and individual investigations

 Judiciary, private, and individual investigations
 Public, private, and corporate investigations
 Government, corporate, and private investigations

90. In addition to cybercrime and attacks, evidence found on a system or network may be
presented in a court of law to support accusations of crime or civil action, including which
of the following?

 Fraud, money laundering, and theft

 Drug-related crime
 Murder and acts of violence
 All of the above

91. According to NIST what option is unnecessary for containment strategy?

 The delayed containment

 Monitoring with methods other than sandboxing

92. At which stage attacking the vulnerability belongs in Cyber kill chain?

 Exploitation

93. Based on nistsp800-61R2 what are the recommended protections against malware?

Malware prevention software

94. Choose the option that best describes NIST data integrity

 use only sha-1

 use only md5
 you must hash data & backup and compare hashes
 no need to hash data & backup and compare hashes

95. What is the process of remediation the system from attack so that responsible threat
actor can be revealed?

 Validating the Attacking Host’s IP Address

 Researching the Attacking Host through Search Engines.
 Using Incident Databases.
 Monitoring Possible Attacker Communication Channels.
96. According to NIST what option(s) should be contained in issue tracking system?

 The current status of the incident (new, in progress, forwarded for investigation,
resolved, etc.)
 A summary of the incident
 Indicators related to the incident
 Other incidents related to this incident
 Actions taken by all incident handlers on this incident
 Chain of custody, if applicable
 Impact assessments related to the incident
 Contact information for other involved parties (e.g., system owners, system
administrators)
 A list of evidence gathered during the incident investigation
 Comments from incident handlers
 Next steps to be taken (e.g., rebuild the host, upgrade an application).

97. Which of the following is not true about listening ports?

 A listening port is a port held open by a running application in order to accept

inbound connections.
 Seeing traffic from a known port will identify the associated service.
 Listening ports use values that can range between 1 and 65535.
 TCP port 80 is commonly known for Internet traffic.

98. Which of the following is not an example of the VERIS main schema categories

 Incident tracking
 Victim demographics
 Incident descriptions
 Incident forensics ID

99. What is a listening port?

A port that remains open and waiting for incoming connections

100. What is the difference between deterministic and probabilistic assessment method?

 At deterministic method we know the facts beforehand and at probabilistic

method we make assumptions
 At probabilistic method we know the facts beforehand and at deterministic
method we make assumptions
 Probabilistic method has an absolute nature
 Deterministc method has an absolute nature