Jane, a security analyst, while analyzing IDS logs, detected an event matching Regex /((%3C)|<)((%69)|i|(% 49))((%6D)|m|(%4D))((%67)|g|(%47))[^n]+((%3E)|>)/|.
What does this event log indicate?
- A . Directory Traversal Attack
- B . Parameter Tampering Attack
- C . XSS Attack
- D . SQL Injection Attack
C
Explanation:
Reference: https://books.google.com.pk/books?id=PDR4nOAP8qUC&pg=PA87&lpg=PA87&dq=regex+/((%5C%253C)%7C<)((%5C%2569)%7Ci%7C(%5C%2549))((%5C%256D)%7Cm%7C(%5C%25 4D))((%5C% 2567)%7Cg%7C(%5C%2547))%5B%5E%5Cn%5D%2B((%5C%253E)%7C>)/%
7C&source=bl&ots=kOBHNfJmtq&sig=ACfU3U2CG_hELc1HMb1chdc9OS4ooXPlMg&hl=e
n&sa=X&ved=2ahUKEwjYwJmlt_buAhUFShUIHTBNAs8Q6AEwBXoECAUQAw#v=onepage&q&f=false
Harley is working as a SOC analyst with Powell Tech. Powell Inc. is using Internet Information Service (IIS) version 7.0 to host their website.
Where will Harley find the web server logs, if he wants to investigate them for any anomalies?
- A . SystemDrive%inetpublogsLogFilesW3SVCN
- B . SystemDrive%LogFilesinetpublogsW3SVCN
- C . %SystemDrive%LogFileslogsW3SVCN
- D . SystemDrive% inetpubLogFileslogsW3SVCN
In which of the following incident handling and response stages, the root cause of the incident must be found from the forensic results?
- A . Evidence Gathering
- B . Evidence Handling
- C . Eradication
- D . Systems Recovery
A
Explanation:
Reference: https://www.eccouncil.org/wp-content/uploads/2019/02/ECIH-V2-Brochure.pdf
Which of the following data source can be used to detect the traffic associated with Bad Bot User-Agents?
- A . Windows Event Log
- B . Web Server Logs
- C . Router Logs
- D . Switch Logs
Emmanuel is working as a SOC analyst in a company named Tobey Tech. The manager of Tobey Tech recently recruited an Incident Response Team (IRT) for his company. In the process of collaboration with the IRT, Emmanuel just escalated an incident to the IRT.
What is the first step that the IRT will do to the incident escalated by Emmanuel?
- A . Incident Analysis and Validation
- B . Incident Recording
- C . Incident Classification
- D . Incident Prioritization
In which phase of Lockheed Martin’s C Cyber Kill Chain Methodology, adversary creates a deliverable malicious payload using an exploit and a backdoor?
- A . Reconnaissance
- B . Delivery
- C . Weaponization
- D . Exploitation
Which of the following tool can be used to filter web requests associated with the SQL Injection attack?
- A . Nmap
- B . UrlScan
- C . ZAP proxy
- D . Hydra
B
Explanation:
Reference: https://aip.scitation.org/doi/pdf/10.1063/1.4982570
Which of the following threat intelligence helps cyber security professionals such as security operations managers, network operations center and incident responders to understand how the adversaries are expected to perform the attack on the organization, and the technical capabilities and goals of the attackers along with the attack vectors?
- A . Analytical Threat Intelligence
- B . Operational Threat Intelligence
- C . Strategic Threat Intelligence
- D . Tactical Threat Intelligence
D
Explanation:
Reference: https://info-savvy.com/types-of-threat-intelligence/
Banter is a threat analyst in Christine Group of Industries. As a part of the job, he is currently formatting and structuring the raw data.
He is at which stage of the threat intelligence life cycle?
- A . Dissemination and Integration
- B . Processing and Exploitation
- C . Collection
- D . Analysis and Production
B
Explanation:
Reference: https://socradar.io/5-stages-of-the-threat-intelligence-lifecycle/
John, a SOC analyst, while monitoring and analyzing Apache web server logs, identified an event log matching Regex /(.|(%|%25)2E)(.|(%|%25)2E)(/|(%|%25)2F|\|(%|%25)5C)/i.
What does this event log indicate?
- A . XSS Attack
- B . SQL injection Attack
- C . Directory Traversal Attack
- D . Parameter Tampering Attack
Properly applied cyber threat intelligence to the SOC team help them in discovering TTPs.
What does these TTPs refer to?
- A . Tactics, Techniques, and Procedures
- B . Tactics, Threats, and Procedures
- C . Targets, Threats, and Process
- D . Tactics, Targets, and Process
A
Explanation:
Reference: https://www.crest-approved.org/wp-content/uploads/CREST-Cyber-Threat-Intelligence.pdf
David is a SOC analyst in Karen Tech. One day an attack is initiated by the intruders but David was not able to find any suspicious events.
This type of incident is categorized into?
- A . True Positive Incidents
- B . False positive Incidents
- C . True Negative Incidents
- D . False Negative Incidents
An organization is implementing and deploying the SIEM with following capabilities.
What kind of SIEM deployment architecture the organization is planning to implement?
- A . Cloud, MSSP Managed
- B . Self-hosted, Jointly Managed
- C . Self-hosted, Self-Managed
- D . Self-hosted, MSSP Managed
In which log collection mechanism, the system or application sends log records either on the local disk or over the network.
- A . rule-based
- B . pull-based
- C . push-based
- D . signature-based
Chloe, a SOC analyst with Jake Tech, is checking Linux systems logs. She is investigating files at /var/log/wtmp.
What Chloe is looking at?
- A . Error log
- B . System boot log
- C . General message and system-related stuff
- D . Login records
D
Explanation:
Reference: https://stackify.com/linux-logs/
Where will you find the reputation IP database, if you want to monitor traffic from known bad IP reputation using OSSIM SIEM?
- A . /etc/ossim/reputation
- B . /etc/ossim/siem/server/reputation/data
- C . /etc/siem/ossim/server/reputation.data
- D . /etc/ossim/server/reputation.data
According to the forensics investigation process, what is the next step carried out right after collecting the evidence?
- A . Create a Chain of Custody Document
- B . Send it to the nearby police station
- C . Set a Forensic lab
- D . Call Organizational Disciplinary Team
Which of the following command is used to enable logging in iptables?
- A . $ iptables -B INPUT -j LOG
- B . $ iptables -A OUTPUT -j LOG
- C . $ iptables -A INPUT -j LOG
- D . $ iptables -B OUTPUT -j LOG
Peter, a SOC analyst with Spade Systems, is monitoring and analyzing the router logs of the company and wanted to check the logs that are generated by access control list numbered 210.
What filter should Peter add to the ‘show logging’ command to get the required output?
- A . show logging | access 210
- B . show logging | forward 210
- C . show logging | include 210
- D . show logging | route 210
What does the HTTP status codes 1XX represents?
- A . Informational message
- B . Client error
- C . Success
- D . Redirection
A
Explanation:
Reference: https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#:~:text=1xx%20informational%20response%20C%20the%20request,syntax%20or%20cannot%20be%20fulfilled
Which of the following is a report writing tool that will help incident handlers to generate efficient reports on detected incidents during incident response process?
- A . threat_note
- B . MagicTree
- C . IntelMQ
- D . Malstrom
Ray is a SOC analyst in a company named Queens Tech. One Day, Queens Tech is affected by a DoS/DDoS attack. For the containment of this incident, Ray and his team are trying to provide additional bandwidth to the network devices and increasing the capacity of the servers.
What is Ray and his team doing?
- A . Blocking the Attacks
- B . Diverting the Traffic
- C . Degrading the services
- D . Absorbing the Attack
Sam, a security analyst with INFOSOL INC., while monitoring and analyzing IIS logs, detected an event matching regex /\w*((%27)|(’))((%6F)|o|(%4F))((%72)|r|(%52))/ix.
What does this event log indicate?
- A . SQL Injection Attack
- B . Parameter Tampering Attack
- C . XSS Attack
- D . Directory Traversal Attack
A
Explanation:
Reference: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=001f5e09-88b4-4a9a-b310-4c20578eecf9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments
Bonney’s system has been compromised by a gruesome malware.
What is the primary step that is advisable to Bonney in order to contain the malware incident from spreading?
- A . Complaint to police in a formal way regarding the incident
- B . Turn off the infected machine
- C . Leave it to the network administrators to handle
- D . Call the legal department in the organization and inform about the incident
Which of the log storage method arranges event logs in the form of a circular buffer?
- A . FIFO
- B . LIFO
- C . non-wrapping
- D . wrapping
D
Explanation:
Reference: https://en.wikipedia.org/wiki/Circular_buffer
According to the Risk Matrix table, what will be the risk level when the probability of an attack is very high, and the impact of that attack is major?
NOTE: It is mandatory to answer the question before proceeding to the next one.
- A . High
- B . Extreme
- C . Low
- D . Medium
Rinni, SOC analyst, while monitoring IDS logs detected events shown in the figure below.
What does this event log indicate?
- A . Directory Traversal Attack
- B . XSS Attack
- C . SQL Injection Attack
- D . Parameter Tampering Attack
D
Explanation:
Reference: https://infosecwriteups.com/what-is-parameter-tampering-5b1beb12c5ba
The threat intelligence, which will help you, understand adversary intent and make informed decision to ensure appropriate security in alignment with risk.
What kind of threat intelligence described above?
- A . Tactical Threat Intelligence
- B . Strategic Threat Intelligence
- C . Functional Threat Intelligence
- D . Operational Threat Intelligence
B
Explanation:
Reference: https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/threat-intelligence/what-is-threat-intelligence/
An attacker exploits the logic validation mechanisms of an e-commerce website. He successfully purchases a product worth $100 for $10 by modifying the URL exchanged between the client and the server.
Original URL: http://www.buyonline.com/product.aspx?profile=12&debit=100 Modified URL:
http://www.buyonline.com/product.aspx?profile=12&debit=10
Identify the attack depicted in the above scenario.
- A . Denial-of-Service Attack
- B . SQL Injection Attack
- C . Parameter Tampering Attack
- D . Session Fixation Attack
An organization wants to implement a SIEM deployment architecture. However, they have the capability to do only log collection and the rest of the SIEM functions must be managed by an MSSP.
Which SIEM deployment architecture will the organization adopt?
- A . Cloud, MSSP Managed
- B . Self-hosted, Jointly Managed
- C . Self-hosted, MSSP Managed
- D . Self-hosted, Self-Managed
Which of the following process refers to the discarding of the packets at the routing level without informing the source that the data did not reach its intended recipient?
- A . Load Balancing
- B . Rate Limiting
- C . Black Hole Filtering
- D . Drop Requests
C
Explanation:
Reference: https://en.wikipedia.org/wiki/Black_hole_(networking)#:~:text=In%20networking%2C%20black% 20holes%20refer,not%20reach%20its%20intended%20recipient.
Which of the following steps of incident handling and response process focus on limiting the scope and extent of an incident?
- A . Containment
- B . Data Collection
- C . Eradication
- D . Identification
Which of the following tool is used to recover from web application incident?
- A . CrowdStrike FalconTM Orchestrator
- B . Symantec Secure Web Gateway
- C . Smoothwall SWG
- D . Proxy Workbench
Which of the following fields in Windows logs defines the type of event occurred, such as Correlation Hint, Response Time, SQM, WDI Context, and so on?
- A . Keywords
- B . Task Category
- C . Level
- D . Source
Which of the following command is used to view iptables logs on Ubuntu and Debian distributions?
- A . $ tailf /var/log/sys/kern.log
- B . $ tailf /var/log/kern.log
- C . # tailf /var/log/messages
- D . # tailf /var/log/sys/messages
B
Explanation:
Reference: https://tecadmin.net/enable-logging-in-iptables-on-linux/