CyberOps Associate (Version 1.0) – Modules 26 – 28: Analyzing Security Data Group Exam
CYBEROPS ASSOCIATE 1.0
Last updated Nov 5, 2020

1. When real-time reporting of security events from multiple sources is being received,
which function in SIEM provides capturing and processing of data in a common
format?

 normalization
 aggregation
 compliance
 log collection

2. What is the value of file hashes to network security investigations?

 They ensure data availability.
 They assure nonrepudiation.
 They can serve as malware signatures.
 They offer confidentiality.

3. Which technology is an open source SIEM system?

 StealthWatch
 Wireshark
 Splunk
 ELK

4. A threat actor has successfully breached the network firewall without being detected
by the IDS system. What condition describes the lack of alert?

 false negative
 true negative
 true positive
 false positive

Explanation: A false negative is where no alert exists and exploits are not being
detected by the security systems that are in place.
5. What information is contained in the options section of a Snort rule?

 direction of traffic flow
 text describing the event
 action to be taken
 source and destination address
6. Match the intrusion event defined in the Diamond Model of intrusion to the
description.

 network path used to establish and maintain command and control : infrastructure
 a tool or technique used to attack the victim : capability
 the parties responsible for the intrusion : adversary
 the target of the attack : victim
7. What two shared sources of information are included within the MITRE ATT&CK
framework? (Choose two.)

 collection of digital evidence from most volatile evidence to least volatile
 attacker tactics, techniques, and procedures
 details about the handling of evidence including times, places, and personnel
involved
 eyewitness evidence from someone who directly observed criminal behavior
 mapping the steps in an attack to a matrix of generalized tactics

Explanation: The MITRE ATT&CK framework uses stored information on attacker tactics,
techniques, and procedures (TTPs) as part of threat defense and attack attribution. This is
done by mapping the steps in an attack to a matrix of generalized tactics and describing
the techniques that are used in each tactic. These sources of information create models
that assist in attributing a threat.
8. What information is gathered by the CSIRT when determining the scope of a security
incident?

 the networks, systems, and applications affected by an incident
 the amount of time and resources needed to handle an incident
 the strategies and procedures used for incident containment
 the processes used to preserve evidence

Explanation: The scoping activity performed by the CSIRT after an incident determines
which networks, systems, or applications are affected; who or what originated the
incident; and how the incident is occurring.
9. According to NIST standards, which incident response stakeholder is responsible for
coordinating an incident response with other stakeholders to minimize the damage of an
incident?

 human resources
 legal department
 management
 IT support

Explanation: The management team creates the policies, designs the budget, and is in
charge of staffing all departments. Management is also responsible for coordinating the
incident response with other stakeholders and minimizing the damage of an incident.
10. According to NIST, which step in the digital forensics process involves drawing
conclusions from data?

 reporting
 collection
 examination
 analysis

11. A cybersecurity analyst has been called to a crime scene that contains several
technology items including a computer. Which technique will be used so that the
information found on the computer can be used in court?

 Tor
 rootkit
 unaltered disk image
 log collection

Explanation: A normal file copy does not recover all data on a storage device so an
unaltered disk image is commonly made. An unaltered disk image preserves the original
evidence, thus preventing inadvertent alteration during the discovery phase. It also
allows recreation of the original evidence.
12. In which phase of the NIST incident response life cycle is evidence gathered that
can assist subsequent investigations by authorities?

 postincident activities
 detection and analysis
 preparation
 containment, eradication, and recovery

Explanation: NIST defines four phases in the incident response process life cycle. It is
in the containment, eradication, and recovery phase that evidence is gathered to resolve
an incident and to help with subsequent investigations.
13. When dealing with security threats and using the Cyber Kill Chain model, which
two approaches can an organization use to block a potential back door creation?
(Choose two.)

 Audit endpoints to discover abnormal file creations.
 Establish an incident response playbook.
 Consolidate the number of Internet points of presence.
 Conduct damage assessment.
 Use HIPS to alert or place a block on common installation paths.

Explanation: In the installation phase of the Cyber Kill Chain, the threat actor
establishes a back door into the system to allow for continued access to the target.
Among other measures, using HIPS to alert or block on common installation paths and
auditing endpoints to discover abnormal file creations can help block a potential back
door creation.
14. What is defined in the SOP of a computer security incident response capability
(CSIRC)?

 the details on how an incident is handled
 the procedures that are followed during an incident response
 the metrics for measuring incident response capabilities
 the roadmap for increasing incident response capabilities

Explanation: A CSIRC will include standard operating procedures (SOPs) that are
followed during an incident response. Procedures include following technical processes,
filling out forms, and following checklists.
15. How does an application program interact with the operating system?

 sending files
 accessing BIOS or UEFI
 making API calls
 using processes

Explanation: Application programs interact with an operating system through system
calls to the OS application programming interface (API). These system calls allow
access to many aspects of system operation such as software process control, file
management, device management, and network access.
16. Which tool included in the Security Onion provides a visual interface to NSM data?

 Curator
 Beats
 Squert
 OSSEC

Explanation: Dashboards provide a combination of data and visualizations designed to
improve the access of individuals to large amounts of information. Kibana includes the
capability of designing custom dashboards. In addition, other tools that are included in
Security Onion, such as Squert, provide a visual interface to NSM data.
17. Which tool included in the Security Onion includes the capability of designing
custom dashboards?

 Sguil
 Kibana
 Squert
 OSSEC

Explanation: Dashboards are usually interactive and provide a combination of data and
visualizations designed to improve the access of individuals to large amounts of
information. Kibana includes the capability of designing custom dashboards.
18. How is the hash value of files useful in network security investigations?

 It is used to decode files.
 It helps identify malware signatures.
 It verifies confidentiality of files.
 It is used as a key for encryption.

Explanation: When ELSA (Enterprise Log Search and Archive, the log search tool in older
Security Onion releases) is used to investigate downloaded files, the hash value of
each file is created and stored with other information about the file. If a cybersecurity
analyst is suspicious of the file, the hash value can be submitted to an online malware
repository site to determine if the file is known malware.
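The hash lookup described in questions 2 and 18, as an added example (this is not the course's code and not ELSA's): compute the three digests malware repositories index on, parse a constructed IOC feed of known-bad hashes (mixed case, comments, one malformed line), and match a file against it. The byte strings and the feed are constructed so the result is reproducible offline. The b"abd" case shows the practitioner caveat: changing a single byte produces a completely different digest, so exact-hash signatures miss recompiled or padded variants, which is why repositories also index similarity hashes such as ssdeep.

```python
"""File hashing and known-bad lookup, as an added example (not the course's code).
The file contents and the IOC feed below are constructed for the demonstration."""
import hashlib

HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed IOC feed. Digests are of tiny byte strings so the matches are
# reproducible; a real feed would carry hashes of actual samples.
IOC_FEED = """\
# one hex digest per line; algorithm is inferred from the digest length
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  # sha256 of b"abc"
A9993E364706816ABA3E25717850C26C9CD0D89D                          # sha1 of b"abc" (upper case)
d41d8cd98f00b204e9800998ecf8427e                                  # md5 of an empty file
not-a-hash                                                        # malformed entry
"""


def digests(data: bytes) -> dict:
    """The three digests an analyst typically submits to a malware repository."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def load_iocs(feed: str) -> dict:
    """Parse a feed into {algo: set of lower-case digests}. Comments, blank lines
    and malformed entries are skipped so a bad line cannot poison the lookup."""
    iocs = {algo: set() for algo in HEX_LEN_TO_ALGO.values()}
    for raw in feed.splitlines():
        token = raw.split("#", 1)[0].strip().lower()
        if not token:
            continue
        algo = HEX_LEN_TO_ALGO.get(len(token))
        if algo is None or any(c not in "0123456789abcdef" for c in token):
            continue
        iocs[algo].add(token)
    return iocs


def match_iocs(data: bytes, iocs: dict) -> list:
    """Return the algorithms under which `data` is listed as known-bad (empty = no hit)."""
    return [algo for algo, h in digests(data).items() if h in iocs[algo]]


if __name__ == "__main__":
    feed = load_iocs(IOC_FEED)
    for sample in (b"abc", b"", b"abd"):
        print(sample, match_iocs(sample, feed))
```

A hit under any one algorithm is enough to escalate; an empty result only means the file is not in this feed, not that it is clean.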
19. Which technology is a major standard consisting of a pattern of symbols that
describe data to be matched in a query?

 OSSEC
 POSIX
 Squert
 Sguil

20. Which tool is a Security Onion integrated host-based intrusion detection system?

 Snort
 OSSEC
 ELK
 Sguil

Explanation: OSSEC is a host-based intrusion detection system (HIDS) that is
integrated into Security Onion and actively monitors host system operation.
21. Which term is used to describe the process of converting log entries into a common
format?

 classification
 systemization
 normalization
 standardization
Explanation: For processing log entries, data normalization organizes and converts
data values from datasets of different sources into a common format. Normalization
makes further data analysis and reporting easier.
22. What is the purpose for data normalization?

 to simplify searching for correlated events
 to reduce the amount of alert data
 to enhance the secure transmission of alert data
 to make the alert data transmission fast

Explanation: With data normalization various sources of data are combined into a
common display format, which simplifies the searching for similar or relevant events.
23. Which personnel in a SOC is assigned the task of verifying whether an alert
triggered by monitoring software represents a true security incident?

 SOC Manager
 Tier 3 personnel
 Tier 2 personnel
 Tier 1 personnel

24. Refer to the exhibit. A security analyst is reviewing an alert message generated by
Snort. What does the number 2100498 in the message indicate?

 the id of the user that triggers the alert
 the message length in bits
 the Snort rule that is triggered
 the session number of the message

Explanation: A Snort alert header has the form [gid:sid:rev], for example [1:2100498:7].
The first number is the generator ID (1 is the rules engine), the second is the signature
ID (sid) of the rule that fired, and the third is the rule revision. So 2100498 identifies
the Snort rule that is triggered.
25. What are security event logs commonly based on when sourced by traditional
firewalls?

 static filtering
 application analysis
 signatures
 5-tuples
Explanation: Traditional firewalls commonly provide security event logs based on the
5-tuples of source IP address and port number, destination IP address and port number,
and the protocol in use.
26. What is the purpose for data reduction as it relates to NSM?

 to make the alert data transmission fast
 to remove recurring data streams
 to enhance the secure transmission of alert data
 to diminish the quantity of NSM data to be handled

Explanation: The amount of network traffic that is collected by packet captures and the
number of log file entries and alerts that are generated by network and security devices
can be enormous. For this reason, it is important to identify the NSM-related data that
should be gathered. This process is called data reduction.
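The three ideas of questions 21, 22, 25 and 26 in one piece of working code, as an added example (not the course's code and not any SIEM's): two constructed log sources (a syslog-style firewall line keyed on the 5-tuple, and a Snort-style alert line) are normalized into one common record schema, then reduced by collapsing entries that differ only in the ephemeral source port, and finally correlated across sources by flow. The log lines, the host name fw1, the year (syslog carries none) and the schema field names are all assumptions made for the demo.

```python
"""Log normalization, 5-tuple keying, and data reduction, as an added example
(not the course's code) over constructed firewall and IDS log lines."""
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample lines (loosely modeled on iptables syslog and Snort "fast"
# alerts; not captured from real devices). Syslog carries no year, so one is assumed.
ASSUMED_YEAR = 2020
FIREWALL_LINES = [
    "Nov  5 10:01:02 fw1 kernel: ACCEPT IN=eth0 SRC=203.0.113.5 DST=10.0.0.8 PROTO=TCP SPT=51514 DPT=22",
    "Nov  5 10:01:03 fw1 kernel: ACCEPT IN=eth0 SRC=203.0.113.5 DST=10.0.0.8 PROTO=TCP SPT=51515 DPT=22",
    "Nov  5 10:01:04 fw1 kernel: ACCEPT IN=eth0 SRC=203.0.113.5 DST=10.0.0.8 PROTO=TCP SPT=51516 DPT=22",
]
IDS_LINES = [
    "11/05-10:01:05.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.8:22 -> 203.0.113.5:51516",
]

FW_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<action>\w+) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) SPT=(?P<sport>\d+) DPT=(?P<dport>\d+)"
)
IDS_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\] \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def _record(ts, source, sensor, event, m) -> dict:
    """Common schema every source is mapped into; the last five keys are the 5-tuple."""
    return {
        "ts": ts.isoformat(), "source": source, "sensor": sensor, "event": event,
        "proto": m["proto"].lower(),
        "src_ip": m["src"], "src_port": int(m["sport"]),
        "dst_ip": m["dst"], "dst_port": int(m["dport"]),
    }


def normalize_firewall(line: str) -> Optional[dict]:
    m = FW_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return _record(ts, "firewall", m["host"], m["action"].lower(), m)


def normalize_ids(line: str) -> Optional[dict]:
    m = IDS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return _record(ts, "ids", "snort", f"sid:{m['sid']} {m['msg']}", m)


def normalize_all(fw_lines, ids_lines) -> list:
    """Normalize both sources and return one time-ordered list; unparsable lines are dropped."""
    recs = [normalize_firewall(line) for line in fw_lines] + [normalize_ids(line) for line in ids_lines]
    return sorted((r for r in recs if r is not None), key=lambda r: datetime.fromisoformat(r["ts"]))


def reduce_events(records) -> list:
    """Data reduction: records that differ only in the ephemeral source port are
    collapsed into one summary with a count, first/last time and the port list."""
    buckets = {}
    for r in records:
        key = (r["source"], r["event"], r["proto"], r["src_ip"], r["dst_ip"], r["dst_port"])
        b = buckets.get(key)
        if b is None:
            buckets[key] = {**r, "count": 1, "first_ts": r["ts"], "last_ts": r["ts"], "src_ports": [r["src_port"]]}
        else:
            b["count"] += 1
            b["last_ts"] = r["ts"]
            b["src_ports"].append(r["src_port"])
    return list(buckets.values())


def correlate(records) -> dict:
    """Group records by direction-agnostic flow (unordered endpoint pair) so that a
    firewall entry for a request and an IDS alert on its reply are found together."""
    groups = {}
    for r in records:
        key = frozenset([(r["src_ip"], r["src_port"]), (r["dst_ip"], r["dst_port"])])
        groups.setdefault(key, []).append(r["source"])
    return groups


if __name__ == "__main__":
    recs = normalize_all(FIREWALL_LINES, IDS_LINES)
    for summary in reduce_events(recs):
        print(summary["source"], summary["event"], "count =", summary["count"])
    for flow, sources in correlate(recs).items():
        print(sorted(flow), sources)
```

The direction-agnostic key in correlate is the detail that matters: the firewall logs the client-to-server packet, while the IDS alerts on the server's reply, so keying on the ordered 5-tuple alone would keep them in separate buckets.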
27. Why would threat actors prefer to use a zero-day attack in the Cyber Kill Chain
weaponization phase?

 to avoid detection by the target
 to launch a DoS attack toward the target
 to get a free malware package
 to gain faster delivery of the attack on the target

Explanation: When a threat actor prepares a weapon for an attack, the threat actor
chooses an automated tool (weaponizer) that can be deployed through discovered
vulnerabilities. Malware that will carry desired attacks is then built into the tool as the
payload. The weapon (tool plus malware payload) will be delivered to the target
system. By using a zero-day weaponizer, the threat actor hopes that the weapon will not
be detected because it is unknown to security professionals and detection methods are
not yet developed.
28. What is the objective of the threat actor in establishing a two-way communication
channel between the target system and a CnC infrastructure?

 to allow the threat actor to issue commands to the software that is installed on the
target
 to send user data stored on the target to the threat actor
 to steal network bandwidth from the network where the target is located
 to launch a buffer overflow attack

Explanation: In the command and control phase of the Cyber Kill Chain, the threat
actor establishes command and control (CnC) with the target system. With the two-way
communication channel, the threat actor is able to issue commands to the malware
software installed on the target.
29. Which meta-feature element in the Diamond Model describes information gained by
the adversary?

 methodology
 resources
 results
 direction

Explanation: The meta-feature element results are used to delineate what the adversary
gained from the intrusion event.
30. In which step of the NIST incident response process does the CSIRT perform an
analysis to determine which networks, systems, or applications are affected; who or
what originated the incident; and how the incident is occurring?

 incident notification
 attacker identification
 scoping
 detection

Explanation: In the detection and analysis phase of the NIST incident response process
life cycle, the CSIRT should immediately perform an initial analysis to determine the
scope of the incident, such as which networks, systems, or applications are affected;
who or what originated the incident; and how the incident is occurring.
31. What is indicated by a Snort signature ID that is below 3464?

 The SID was created by Sourcefire and distributed under a GPL agreement.
 This is a custom signature developed by the organization to address locally
observed rules.
 The SID was created by the Snort community and is maintained in Community
Rules.
 The SID was created by members of EmergingThreats.

Explanation: Snort is an open source network intrusion detection and prevention
system (NIDS/NIPS) originally developed by Sourcefire (now part of Cisco Talos). It
performs real-time traffic analysis and packet logging on IP networks and can be used to
detect probes or attacks. Every rule carries a signature ID (sid), and the numbering range
tells an analyst where a rule came from: SIDs below 3464 are the original rules created by
Sourcefire and distributed under the GPL; SIDs from 3465 up to 999,999 are the registered
Sourcefire/Talos rule set; SIDs of 1,000,000 and above are reserved for rules written
locally by the organization; and SIDs in the 2,000,000 range are used by Emerging Threats.
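Questions 5, 24 and 31 all turn on reading a Snort rule and its alert: the header versus the options section, the [gid:sid:rev] tag in an alert, and what the SID range implies. The following is an added example (not the course's code and not Snort's own parser) that parses a rule into header fields and options, decodes an alert tag, and classifies a SID by the numbering convention given in the explanation above. The rule is a constructed one modeled on the well-known GPL rule 2100498 referenced in question 24 (the option set is illustrative, not a copy of the distributed rule), and the alert line is likewise constructed.

```python
"""Snort rule and alert parsing, as an added example (not the course's code)."""
import re

# Constructed sample rule, modeled on the well-known GPL rule with sid 2100498;
# the exact option set here is illustrative, not a copy of the distributed rule.
SAMPLE_RULE = (
    'alert ip any any -> any any '
    '(msg:"GPL ATTACK_RESPONSE id check returned root"; '
    'content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)'
)
# Constructed alert line in Snort "fast" format for the same rule.
SAMPLE_ALERT = (
    '11/05-10:01:05.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] '
    '[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.8:22 -> 203.0.113.5:51516'
)

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$'
)
# One option at a time: text up to the next ';' that is not inside double quotes.
OPTION_RE = re.compile(r'([^;"]*(?:"[^"]*"[^;"]*)*);')
ALERT_TAG_RE = re.compile(r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]')


def parse_rule(rule: str) -> dict:
    """Split a rule into header fields (action, protocol, addresses, ports,
    direction) and an ordered list of (keyword, value) options."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule")
    fields = m.groupdict()
    options = []
    for raw in OPTION_RE.findall(fields.pop("options")):
        raw = raw.strip()
        if not raw:
            continue
        key, sep, val = raw.partition(":")
        # Options like "nocase" have no value; quoted values lose their quotes.
        options.append((key.strip(), val.strip().strip('"') if sep else None))
    fields["options"] = options
    return fields


def parse_alert_tag(alert_line: str) -> dict:
    """Decode the [gid:sid:rev] tag of an alert: generator ID, signature ID, revision."""
    m = ALERT_TAG_RE.search(alert_line)
    if not m:
        raise ValueError("no [gid:sid:rev] tag found")
    return {k: int(v) for k, v in m.groupdict().items()}


def classify_sid(sid: int) -> str:
    """Name the rule source implied by the SID numbering convention (as taught in
    the course): below 3464 Sourcefire GPL rules, 3465-999,999 registered
    Sourcefire/Talos rules, 1,000,000+ local rules, 2,000,000-2,999,999 Emerging Threats."""
    if 2_000_000 <= sid < 3_000_000:
        return "emerging-threats"
    if sid >= 1_000_000:
        return "local"
    if sid < 3464:
        return "sourcefire-gpl"
    return "registered"


if __name__ == "__main__":
    rule = parse_rule(SAMPLE_RULE)
    print(rule["action"], rule["proto"], rule["src"], rule["direction"], rule["dst"], rule["dport"])
    print(dict(rule["options"]))
    tag = parse_alert_tag(SAMPLE_ALERT)
    print(tag, classify_sid(tag["sid"]))
```

Note that 2100498 classifies as an Emerging Threats SID even though its msg begins with "GPL": Emerging Threats redistributes the old GPL rule set with 2,100,000 added to the original SID, which is why the question's number lands in that range.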
32. After a security monitoring tool identifies a malware attachment entering the
network, what is the benefit of performing a retrospective analysis?

 A retrospective analysis can help in tracking the behavior of the malware from
the identification point forward.
 It can identify how the malware originally entered the network.
 It can calculate the probability of a future incident.
 It can determine which network host was first affected.

Explanation: General security monitoring can identify when a malware attachment
enters a network and which host is first infected. Retrospective analysis takes the next
step and is the tracking of the behavior of the malware from that point forward.
33. Which classification indicates that an alert is verified as an actual security incident?

 false negative
 true positive
 false positive
 true negative

34. A network administrator is trying to download a valid file from an internal server.
However, the process triggers an alert on a NMS tool. What condition describes this
alert?

 false negative
 false positive
 true negative
 true positive

Explanation: Alerts can be classified as follows:

True Positive: The alert has been verified to be an actual security incident.
False Positive: The alert does not indicate an actual security incident. Benign activity
that results in a false positive is sometimes referred to as a benign trigger.

An alternative situation is that an alert was not generated. The absence of an alert can
be classified as:

True Negative: No security incident has occurred. The activity is benign.
False Negative: An undetected incident has occurred.
35. A threat actor collects information from web servers of an organization and searches
for employee contact information. The information collected is further used to search
personal information on the Internet. To which attack phase do these activities belong
according to the Cyber Kill Chain model?

 action on objectives
 exploitation
 reconnaissance
 weaponization
Explanation: According to the Cyber Kill Chain model, in the reconnaissance phase the
threat actor performs research, gathers intelligence, and selects targets.
36. Which HIDS is integrated into the Security Onion and uses rules to detect changes
in host-based operating parameters caused by malware through system calls?

 OSSEC
 Bro
 Snort
 Suricata

Explanation: OSSEC is a HIDS integrated into the Security Onion and uses rules to
detect changes in host-based parameters like the execution of software processes,
changes in user privileges, registry modifications, among many others. OSSEC rules
will trigger events that occurred on the host, including indicators that malware may
have interacted with the OS kernel. Bro (now Zeek), Snort, and Suricata are examples of
NIDS systems.
37. Which type of events should be assigned to categories in Sguil?

 false positive
 true positive
 false negative
 true negative

Explanation: Sguil includes seven pre-built categories that can be assigned to events
that have been identified as true positives.
38. A cybersecurity analyst is going to verify security alerts using the Security Onion.
Which tool should the analyst visit first?

 Bro
 Sguil
 CapME
 ELK

Explanation: The primary duty of a cybersecurity analyst is the verification of security
alerts. In the Security Onion, the first place that a cybersecurity analyst will go to verify
alerts is Sguil because it provides a high-level console for investigating security alerts
from a wide variety of sources.
39. Refer to the exhibit. Which field in the Sguil application window indicates the
priority of an event or set of correlated events?

 ST
 AlertID
 Pr
 CNT

Explanation: The Sguil application window has several fields available that give
information about an event. The ST field gives the status of an event that includes a
color-coded priority from light yellow to red to indicate four levels of priority.
40. Match the Snort rule source to the description.
