CCNA CyberOps Chapter 13 Exam Online

1. Question

1 points

Which top-level element of the VERIS schema would allow a company to log who the actors were, what actions affected the asset, which assets were affected, and how the asset was affected?

discovery and response
incident description
incident tracking
victim demographics

2. Question

1 points

A threat actor has identified the potential vulnerability of the web server of an organization and is building an attack. What will the threat actor possibly do to build an attack weapon?

Create a point of persistence by adding services.
Install a webshell on the web server for persistent access.
Collect credentials of the web server developers and administrators.
Obtain an automated tool in order to deliver the malware payload through the vulnerability.

3. Question

1 points

Which schema or model was created to anonymously share quality information about security events to the security community?

CSIRT
Cyber Kill Chain
Diamond
VERIS

4. Question

1 points

What is the role of vendor teams as they relate to CSIRT?

Coordinate incident handling across multiple CSIRTs.
Handle customer reports concerning security vulnerabilities.
Provide incident handling to other organizations as a fee-based service.
Use data from many sources to determine incident activity trends.

5. Question

1 points

What is the role of a Computer Emergency Response Team?

Receive, review, and respond to security incidents in an organization.
Provide national standards as a fee-based service.
Provide security awareness, best practices, and security vulnerability information to a specific population.
Coordinate security incident handling across multiple CSIRTs.

6. Question

1 points

What is the purpose of the policy element in a computer security incident response capability of an organization, as recommended by NIST?

It details how incidents should be handled based on the organizational mission and functions.
It defines how the incident response teams will communicate with the rest of the organization and with other organizations.
It provides metrics for measuring the incident response capability and effectiveness.
It provides a roadmap for maturing the incident response capability.

7. Question

1 points

Which action should be included in a plan element that is part of a computer security incident response capability (CSIRC)?

Detail how incidents should be handled based on the mission and functions of an organization.
Prioritize severity ratings of security incidents.
Create an organizational structure and definition of roles, responsibilities, and levels of authority.
Develop metrics for measuring the incident response capability and its effectiveness.

8. Question

1 points

What is defined in the SOP of a computer security incident response capability (CSIRC)?

the procedures that are followed during an incident response
the metrics for measuring incident response capabilities
the details on how an incident is handled
the roadmap for increasing incident response capabilities

9. Question

2 points

According to information outlined by the Cyber Kill Chain, which two approaches can help identify reconnaissance threats? (Choose two.)

Conduct full malware analysis.
Build playbooks for detecting browser behavior.
Analyze web log alerts and historical search data.
Audit endpoints to forensically determine origin of exploit.
Understand targeted servers, people, and data available to attack.

10. Question

2 points

When dealing with security threats and using the Cyber Kill Chain model, which two approaches can an organization use to help block potential exploitations of a system? (Choose two.)

Conduct full malware analysis.
Analyze the infrastructure path used for delivery.
Collect email and web logs for forensic reconstruction.
Conduct employee awareness training and email testing.
Audit endpoints to forensically determine origin of exploit.

11. Question

1 points

What is the goal of an attack in the installation phase of the Cyber Kill Chain?

Break the vulnerability and gain control of the target.
Establish command and control (CnC) with the target system.
Create a back door in the target system to allow for future access.
Use the information from the reconnaissance phase to develop a weapon against the target.

12. Question

1 points

What is the objective the threat actor in establishing a two-way communication channel between the target system and a CnC infrastructure?

to launch a buffer overflow attack
to send user data stored on the target to the threat actor
to steal network bandwidth from the network where the target is located
to allow the threat actor to issue commands to the software that is installed on the target

13. Question

1 points

Which term is used in the Diamond Model of intrusion to describe a tool that a threat actor uses toward a target system?

adversary
capability
infrastructure
weaponization

14. Question

1 points

What is a benefit of using the VERIS community database?

The database can be easily compressed.
It can be used to discover the name of known threat actors.
It can be used to discover how other organizations dealt with a particular type of security incident.
Companies who pay to contribute and access the database are protected from security threats.

15. Question

1 points

Which action is taken in the postincident phase of the NIST incident response life cycle?

Conduct CSIRT response training.
Document the handling of the incident.
identify and validate incidents.
Implement procedures to contain threats.

16. Question

1 points

What information is gathered by the CSIRT when determining the scope of a security incident?

the networks, systems, and applications affected by an incident
the strategies and procedures used for incident containment
the processes used to preserve evidence
the amount of time and resources needed to handle an incident

17. Question

1 points

After containment, what is the first step of eradicating an attack?

Patch all vulnerabilities.
Change all passwords.
Identify all hosts that need remediation.
Hold meetings on lessons learned.

18. Question

3 points

To ensure that the chain of custody is maintained, what three items should be logged about evidence that is collected and analyzed after a security incident has occurred? (Choose three.)

measures used to prevent an incident
location of all evidence
time and date the evidence was collected
serial numbers and hostnames of devices used as evidence
extent of the damage to resources and assets
vulnerabilities that were exploited in an attack

19. Question

1 points

Which meta-feature element in the Diamond Model describes information gained by the adversary?

results
direction
resources
methodology

20. Question

1 points

What is the main purpose of exploitations by a threat actor through the weapon delivered to a target during the Cyber Kill Chain exploitation phase?

Launch a DoS attack.
Establish a back door into the system.
Break the vulnerability and gain control of the target.
Send a message back to a CnC controlled by the threat actor.

21. Question

1 points

A threat actor collects information from web servers of an organization and searches for employee contact information. The information collected is further used to search personal information on the Internet. To which attack phase do these activities belong according to the Cyber Kill Chain model?

exploitation
weaponization
reconnaissance
action on objectives

22. Question

2 points

When a security attack has occurred, which two approaches should security professionals take to mitigate a compromised system during the Actions on Objectives step as defined by the Cyber Kill Chain model? (Choose two.)

Train web developers for securing code.
Build detections for the behavior of known malware.
Perform forensic analysis of endpoints for rapid triage.
Collect malware files and metadata for future analysis.
Detect data exfiltration, lateral movement, and unauthorized credential usage.

23. Question

5 points

Match the security incident stakeholder with the role.

Sort elements

performs disciplinary measures
changes firewall rules
preserves attack evidence
designs the budget
reviews policies for local or federal guideline violations

human resources

information assurance

IT support

management

legal department

24. Question

4 points

Match the attack vector with the description.

Sort elements

initiated through an email attachment
initiated from external storage
uses brute force against devices or services
initiated from a website application

email

media

attrition

web

25. Question

4 points

Match the NIST incident response life cycle phase with the description.

Sort elements

Identify, analyze, and validate incidents.
Conduct training on incident response.
Document how incidents are handled.
Implement procedures to eradicate the impact to organizational assets.

detection and analysis

preparation

post incident actvities

containment, eradication, and recovery

26. Question

5 points

Match the NIST incident response stakeholder with the role.

Sort elements

preserves attack evidence
designs the budget
reviews policies for local or federal guideline violations
performs disciplinary measures
develops firewall rules

IT support

management

legal department

human resources

information assurance

27. Question

1 points

actions on objectives
command and control
delivery
exploitation
installation

28. Question

1 points

Event Viewer
net command
PowerShell
Task Manager

29. Question

1 points

false negative
false positive
true negative
true positive

30. Question

1 points

black hat
gray hat
red hat
white hat

Average score
Your score