Which process is used when IPS events are removed to improve data integrity?
What is the difference between deep packet inspection and stateful inspection?
Which information must an organization use to understand the threats currently targeting the organization?
An engineer received an alert affecting the degraded performance of a critical server Analysis showed a heavy CPU and memory load What is the next step the engineer should take to investigate this resource usage7
What is the difference between mandatory access control (MAC) and discretionary access control (DAC)?
Refer to the exhibit. An attacker scanned the server using Nmap. What did the attacker obtain from this scan?
An engineer received a flood of phishing emails from HR with the source address HRjacobm@companycom. What is the threat actor in this scenario?
An investigator is examining a copy of an ISO file that is stored in CDFS format. What type of evidence is this file?
What are two differences between tampered disk images and untampered disk images'? (Choose two.)
What is a benefit of agent-based protection when compared to agentless protection?
Refer to the exhibit.
A security analyst is investigating unusual activity from an unknown IP address Which type of evidence is this file1?
Refer to the exhibit.
An attacker gained initial access to the company s network and ran an Nmap scan to advance with the lateral movement technique and to search the sensitive data Which two elements can an attacker identify from the scan? (Choose two.)
Which list identifies the information that the client sends to the server in the negotiation phase of the TLS handshake?
A system administrator is ensuring that specific registry information is accurate.
Which type of configuration information does the HKEY_LOCAL_MACHINE hive contain?
An offline audit log contains the source IP address of a session suspected to have exploited a vulnerability resulting in system compromise.
Which kind of evidence is this IP address?
Which two pieces of information are collected from the IPv4 protocol header? (Choose two.)
A developer is working on a project using a Linux tool that enables writing processes to obtain these required results:
Which component results from this operation?
An engineer needs to fetch logs from a proxy server and generate actual events according to the data received. Which technology should the engineer use to accomplish this task?
Drag and drop the elements from the left into the correct order for incident handling on the right.
An engineer needs to configure network systems to detect command and control communications by decrypting ingress and egress perimeter traffic and allowing network security devices to detect malicious outbound communications. Which technology should be used to accomplish the task?
Which two components reduce the attack surface on an endpoint? (Choose two.)
Refer to the exhibit.
A company employee is connecting to mail google.com from an endpoint device. The website is loaded but with an error. What is occurring?
A company receptionist received a threatening call referencing stealing assets and did not take any action assuming it was a social engineering attempt. Within 48 hours, multiple assets were breached, affecting the confidentiality of sensitive information. What is the threat actor in this incident?
Which event artifact is used to identify HTTP GET requests for a specific file?
Drag and drop the security concept from the left onto the example of that concept on the right.
What is a collection of compromised machines that attackers use to carry out a DDoS attack?
Refer to the exhibit.
What is the potential threat identified in this Stealthwatch dashboard?
A SOC analyst is investigating an incident that involves a Linux system that is identifying specific sessions. Which identifier tracks an active program?
Which two elements of the incident response process are stated in NIST Special Publication 800-61 r2? (Choose two.)
Which action should be taken if the system is overwhelmed with alerts when false positives and false negatives are compared?
According to the September 2020 threat intelligence feeds a new malware called Egregor was introduced and used in many attacks. Distnbution of Egregor is pnmanly through a Cobalt Strike that has been installed on victim's workstations using RDP exploits Malware exfiltrates the victim's data to a command and control server. The data is used to force victims pay or lose it by publicly releasing it. Which type of attack is described?
An engineer runs a suspicious file in a sandbox analysis tool to see the outcome. The analysis report shows that outbound callouts were made post infection.
Which two pieces of information from the analysis report are needed to investigate the callouts? (Choose two.)
What is the practice of giving an employee access to only the resources needed to accomplish their job?
An employee reports that someone has logged into their system and made unapproved changes, files are out of order, and several documents have been placed in the recycle bin. The security specialist reviewed the system logs, found nothing suspicious, and was not able to determine what occurred. The software is up to date; there are no alerts from antivirus and no failed login attempts. What is causing the lack of data visibility needed to detect the attack?
Refer to the exhibit.
Which stakeholders must be involved when a company workstation is compromised?
A security engineer notices confidential data being exfiltrated to a domain "Ranso4134-mware31-895" address that is attributed to a known advanced persistent threat group The engineer discovers that the activity is part of a real attack and not a network misconfiguration. Which category does this event fall under as defined in the Cyber Kill Chain?
An analyst received a ticket regarding a degraded processing capability for one of the HR department's servers. On the same day, an engineer noticed a disabled antivirus software and was not able to determine when or why it occurred. According to the NIST Incident Handling Guide, what is the next phase of this investigation?
An engineer discovered a breach, identified the threat’s entry point, and removed access. The engineer was able to identify the host, the IP address of the threat actor, and the application the threat actor targeted. What is the next step the engineer should take according to the NIST SP 800-61 Incident handling guide?
What is the communication channel established from a compromised machine back to the attacker?
Which step in the incident response process researches an attacking host through logs in a SIEM?
An analyst is exploring the functionality of different operating systems.
What is a feature of Windows Management Instrumentation that must be considered when deciding on an operating system?
Which type of data must an engineer capture to analyze payload and header information?
Drag and drop the definition from the left onto the phase on the right to classify intrusion events according to the Cyber Kill Chain model.
During which phase of the forensic process are tools and techniques used to extract information from the collected data?
During which phase of the forensic process is data that is related to a specific event labeled and recorded to preserve its integrity?
Which security technology guarantees the integrity and authenticity of all messages transferred to and from a web application?
What describes the impact of false-positive alerts compared to false-negative alerts?
An engineer received an alert affecting the degraded performance of a critical server Analysis showed a heavy CPU and memory load. What is the next step the engineer should take to investigate this resource usage?
Which type of data consists of connection level, application-specific records generated from network traffic?
An analyst discovers that a legitimate security alert has been dismissed. Which signature caused this impact on network traffic?
Which security model assumes an attacker within and outside of the network and enforces strict verification before connecting to any system or resource within the organization?
Which type of verification consists of using tools to compute the message digest of the original and copied data, then comparing the similarity of the digests?