What is the impact of false positive alerts on business compared to true positive?
What describes the impact of false-positive alerts compared to false-negative alerts?
Refer to the exhibit.
What is occurring in this network?
An engineer needs to have visibility on TCP bandwidth usage, response time, and latency, combined with deep packet inspection to identify unknown software by its network traffic flow. Which two features of Cisco Application Visibility and Control should the engineer use to accomplish this goal? (Choose two.)
According to CVSS, what is a description of the attack vector score?
What is the relationship between a vulnerability and a threat?
Refer to the exhibit.
Which application-level protocol is being targeted?
Which two elements are used for profiling a network? (Choose two.)
An investigator is examining a copy of an ISO file that is stored in CDFS format. What type of evidence is this file?
Refer to the exhibit.
What does the message indicate?
Which classification of cross-site scripting attack executes the payload without storing it for repeated use?
Refer to the exhibit.
What is occurring in this network traffic?
Which regular expression matches "color" and "colour"?
What is an advantage of symmetric over asymmetric encryption?
Which security technology allows only a set of pre-approved applications to run on a system?
What is a difference between SI EM and SOAR security systems?
Which step in the incident response process researches an attacking host through logs in a SIEM?
What makes HTTPS traffic difficult to monitor?
Refer to the exhibit.
A suspicious IP address is tagged by Threat Intelligence as a brute-force attempt source After the attacker produces many of failed login entries, it successfully compromises the account. Which stakeholder is responsible for the incident response detection step?
Refer to the exhibit.
Which technology produced the log?
A SOC analyst is investigating an incident that involves a Linux system that is identifying specific sessions. Which identifier tracks an active program?
An analyst is using the SIEM platform and must extract a custom property from a Cisco device and capture the phrase, "File: Clean." Which regex must the analyst import?
An engineer needs to discover alive hosts within the 192.168.1.0/24 range without triggering intrusive portscan alerts on the IDS device using Nmap. Which command will accomplish this goal?
Refer to the exhibit.
A security analyst is investigating unusual activity from an unknown IP address Which type of evidence is this file1?
Which event is user interaction?
Refer to the exhibit.
Which component is identifiable in this exhibit?
An analyst discovers that a legitimate security alert has been dismissed. Which signature caused this impact on network traffic?
How does agentless monitoring differ from agent-based monitoring?
Refer to the exhibit.
An engineer received a ticket about a slowed-down web application. The engineer runs the #netstat -an command. How must the engineer interpret the results?
Which metric is used to capture the level of access needed to launch a successful attack?
Which security principle requires more than one person is required to perform a critical task?
How does an attack surface differ from an attack vector?
What is a purpose of a vulnerability management framework?
While viewing packet capture data, an analyst sees that one IP is sending and receiving traffic for multiple devices by modifying the IP header.
Which technology makes this behavior possible?
A user received an email attachment named "Hr405-report2609-empl094.exe" but did not run it. Which category of the cyber kill chain should be assigned to this type of event?
What are the two characteristics of the full packet captures? (Choose two.)
What specific type of analysis is assigning values to the scenario to see expected outcomes?
What describes the concept of data consistently and readily being accessible for legitimate users?
The security team has detected an ongoing spam campaign targeting the organization. The team's approach is to push back the cyber kill chain and mitigate ongoing incidents. At which phase of the cyber kill chain should the security team mitigate this type of attack?
What are two differences in how tampered and untampered disk images affect a security incident? (Choose two.)
Which metric in CVSS indicates an attack that takes a destination bank account number and replaces it with a different bank account number?
What is a collection of compromised machines that attackers use to carry out a DDoS attack?
Which data type is necessary to get information about source/destination ports?
What ate two categories of DDoS attacks? (Choose two.)
A security incident occurred with the potential of impacting business services. Who performs the attack?
A malicious file has been identified in a sandbox analysis tool.
Which piece of information is needed to search for additional downloads of this file by other hosts?
What is a difference between SIEM and SOAR?
How is NetFlow different from traffic mirroring?
Refer to the exhibit.
During the analysis of a suspicious scanning activity incident, an analyst discovered multiple local TCP connection events Which technology provided these logs?
Which attack represents the evasion technique of resource exhaustion?
An intruder attempted malicious activity and exchanged emails with a user and received corporate information, including email distribution lists. The intruder asked the user to engage with a link in an email. When the fink launched, it infected machines and the intruder was able to access the corporate network.
Which testing method did the intruder use?
What is the difference between the ACK flag and the RST flag in the NetFlow log session?
Refer to the exhibit.
What is shown in this PCAP file?
Drag and drop the elements from the left into the correct order for incident handling on the right.
A security engineer notices confidential data being exfiltrated to a domain "Ranso4134-mware31-895" address that is attributed to a known advanced persistent threat group The engineer discovers that the activity is part of a real attack and not a network misconfiguration. Which category does this event fall under as defined in the Cyber Kill Chain?
STION NO: 102
Refer to the exhibit.
What is the potential threat identified in this Stealthwatch dashboard?
Which technology prevents end-device to end-device IP traceability?
An engineer is working with the compliance teams to identify the data passing through the network. During analysis, the engineer informs the compliance team that external penmeter data flows contain records, writings, and artwork Internal segregated network flows contain the customer choices by gender, addresses, and product preferences by age. The engineer must identify protected data. Which two types of data must be identified'? (Choose two.)
Refer to the exhibit.
Which kind of attack method is depicted in this string?
An analyst received an alert on their desktop computer showing that an attack was successful on the host. After investigating, the analyst discovered that no mitigation action occurred during the attack. What is the reason for this discrepancy?
Refer to the exhibit.
An attacker gained initial access to the company s network and ran an Nmap scan to advance with the lateral movement technique and to search the sensitive data Which two elements can an attacker identify from the scan? (Choose two.)
Which technique is a low-bandwidth attack?
A developer is working on a project using a Linux tool that enables writing processes to obtain these required results:
Which component results from this operation?
Refer to the exhibit.
What is depicted in the exhibit?
Which type of evidence supports a theory or an assumption that results from initial evidence?
A network engineer noticed in the NetFlow report that internal hosts are sending many DNS requests to external DNS servers A SOC analyst checked the endpoints and discovered that they are infected and became part of the botnet Endpoints are sending multiple DNS requests but with spoofed IP addresses of valid external sources What kind of attack are infected endpoints involved in1?
Refer to the exhibit.
Which type of log is displayed?
When trying to evade IDS/IPS devices, which mechanism allows the user to make the data incomprehensible without a specific key, certificate, or password?
Which technology on a host is used to isolate a running application from other applications?
After a large influx of network traffic to externally facing devices, a security engineer begins investigating what appears to be a denial of service attack When the packet capture data is reviewed, the engineer notices that the traffic is a single SYN packet to each port Which type of attack is occurring?
What is a difference between data obtained from Tap and SPAN ports?
Refer to exhibit.
An analyst performs the analysis of the pcap file to detect the suspicious activity. What challenges did the analyst face in terms of data visibility?
An engineer received an alert affecting the degraded performance of a critical server. Analysis showed a heavy CPU and memory load. What is the next step the engineer should take to investigate this resource usage?
A security engineer has a video of a suspect entering a data center that was captured on the same day that files in the same data center were transferred to a competitor.
Which type of evidence is this?
What is the difference between statistical detection and rule-based detection models?
What is the difference between mandatory access control (MAC) and discretionary access control (DAC)?
What is the communication channel established from a compromised machine back to the attacker?
What is the impact of false positive alerts on business compared to true positive?
A security specialist notices 100 HTTP GET and POST requests for multiple pages on the web servers. The agent in the requests contains PHP code that, if executed, creates and writes to a new PHP file on the webserver. Which event category is described?
What matches the regular expression c(rgr)+e?
Which type of data collection requires the largest amount of storage space?
A company encountered a breach on its web servers using IIS 7 5 Dunng the investigation, an engineer discovered that an attacker read and altered the data on a secure communication using TLS 1 2 and intercepted sensitive information by downgrading a connection to export-grade cryptography. The engineer must mitigate similar incidents in the future and ensure that clients and servers always negotiate with the most secure protocol versions and cryptographic parameters. Which action does the engineer recommend?
During which phase of the forensic process is data that is related to a specific event labeled and recorded to preserve its integrity?
What is a scareware attack?
A network engineer discovers that a foreign government hacked one of the defense contractors in their home country and stole intellectual property. What is the threat agent in this situation?
The SOC team has confirmed a potential indicator of compromise on an endpoint. The team has narrowed the executable file's type to a new trojan family. According to the NIST Computer Security Incident Handling Guide, what is the next step in handling this event?
A security analyst notices a sudden surge of incoming traffic and detects unknown packets from unknown senders After further investigation, the analyst learns that customers claim that they cannot access company servers According to NIST SP800-61, in which phase of the incident response process is the analyst?
Which signature impacts network traffic by causing legitimate traffic to be blocked?
Which type of attack is a blank email with the subject "price deduction" that contains a malicious attachment?
Refer to the exhibit.
Which type of attack is being executed?
What is the difference between a threat and a risk?
What is a difference between a threat and a risk?
What describes the defense-m-depth principle?