false negative
true negative
true positive
true negative
2. Which type of alert has happened when an alert is received, but no incident has occurred?
true positive
true negative
false positive
false negative
3. Which type of incident has occurred when nothing is reported, but an exploit has occurred?
false negative
true negative
false positive
true positive
4. Which type of alert is it when an alert is received, and an exploit has been verified?
false negative
true negative
false positive
true positive
5. True or False? A benign event should trigger an alert.
true
False
1. What classification is used for an alert that correctly identifies that an exploit has occurred?
true negative
false negative
true positive
false positive
2. Which type of analysis relies on predefined conditions and can analyze applications that only use
well-known fixed ports?
log
deterministic
probabilistic
statistical
3. Which tool is included with Security Onion that is used by Snort to automatically download new
rules?
ELK
PulledPork
Sguil
Wireshark
4. Which tool included in Security Onion is an interactive dashboard interface to Elasticsearch data?
Kibana
Zeek
Sguil
Wireshark
5. Which type of analysis relies on different methods to establish the likelihood that a security event
has happened or will happen?
probabilistic
deterministic
log
statistical
6. Which NIDS tool uses a signature-based approach and native multithreading for alert detection?
Bro
Snort
Zeek
Suricata
7. What is the host-based intrusion detection tool that is integrated into Security Onion?
Sguil
Wireshark
OSSEC
Snort
8. What are three analysis tools that are integrated into Security Onion? (Choose three.)
Snort
OSSEC
Kibana
Wireshark
Sguil
Suricata
9. What function is provided by Snort as part of the Security Onion?
to normalize logs from various NSM data logs so they can be represented, stored, and accessed
through a common schema
to generate network intrusion alerts by the use of rules and signatures
Zeek
Suricata
Snort
Wazuh
11. Which tool would an analyst use to start a workflow investigation?
Snort
Zeek
Sguil
ELK
12. Which alert classification indicates that exploits are not being detected by installed security systems?
true negative
true positive
false negative
false positive
1. When real-time reporting of security events from multiple sources is being received, which function
in SIEM provides capturing and processing of data in a common format?
compliance
log collection
aggregation
normalization
2. What is the value of file hashes to network security investigations?
Wireshark
Splunk
StealthWatch
ELK
4. A network administrator is working with ELK. The amount of network traffic to be collected by packet
captures and the number of log file entries and alerts that will be generated by network and security
devices can be enormous. What is the default time configured in Kibana to show the log entries?
48 hours
36 hours
12 hours
24 hours
5. In which programming language is Elasticsearch written?
Python
C++
Java
C
6. For how long does the Payment Card Industry Security Standards Council (PCI DSS) require that an
audit trail of user activities related to protected information be retained?
12 months
6 months
24 months
18 months
7. What is the host-based intrusion detection tool that is integrated into Security Onion?
Sguil
OSSEC
Wireshark
Snort
8. Which core open source component of the Elastic Stack is responsible for accessing, visualizing, and investigating data?
Elasticsearch
Kibana
Beats
Logstash
9. What is the default time set in the securityonion.conf file for Sguil alert data retention?
30 days
45 days
60 days
15 days
10. Which tool would an analyst use to start a workflow investigation?
Zeek
Snort
Sguil
ELK
11. Which core open source component of the Elastic Stack is responsible for storing, indexing, and analyzing data?
Elasticsearch
Kibana
Logstash
Beats
12. Which tool concentrates security events from multiple sources and can interact with other tools such
as Wireshark?
Curator
Kibana
Sguil
Bro
1. Which technique involves assessment and extraction of relevant information from collected data?
reporting
collection
analysis
examination
2. Which technique involves drawing conclusions from the data?
examination
analysis
collection
reporting
3. Which technique includes identification of potential sources of forensic data and acquisition, handling, and storage of that data?
collection
reporting
analysis
examination
4. Which technique includes preparation and presentation of the information which resulted from the
analysis?
examination
reporting
analysis
Collection
indirect evidence
direct evidence
corroborating evidence
best evidence
2. Which type of evidence supports an assertion that is developed from best evidence?
direct evidence
indirect evidence
corroborating evidence
best evidence
3. Which type of evidence is circumstantial evidence that, in combination with other facts, establishes a
hypothesis?
direct evidence
indirect evidence
corroborating evidence
best evidence
4. Which type of evidence is in its original state?
direct evidence
indirect evidence
corroborating evidence
best evidence
1. In which step does the threat actor exploit the vulnerability and gain control of the target?
reconnaissance
action on objectives
installation
delivery
exploitation
2. In which step is the weapon transmitted to the target through the use of a website, removable USB
media, an email attachment, or by other means?
reconnaissance
delivery
installation
weaponization
3. In which step does the threat actor gather intelligence and select targets?
delivery
action on objectives
exploitation
reconnaissance
installation
4. In which step does the threat actor use a communication method such as IRC to issue commands to
the software that is installed on the target?
action on objectives
installation
delivery
weaponization
5. In which step does the threat actor use the vulnerabilities of the assets that were discovered and build them into a tool?
exploitation
delivery
reconnaissance
Weaponization
adversary
infrastructure
direction
capability
result
victim
2. What part of the Diamond model represents the network path that is used for an exploit?
adversary
infrastructure
direction
capability
result
victim
3. What part of the Diamond Model represents the target of an exploit?
adversary
infrastructure
direction
capability
result
victim
4. Which meta-feature represents what the threat actor gained from an exploit? It can be characterized as confidentiality compromised, integrity compromised, and availability compromised.
adversary
infrastructure
direction
capability
result
victim
5. What part of the Diamond Model represents the tools or techniques that the threat actor uses to
attack a target?
adversary
infrastructure
direction
capability
result
victim
6. Which meta-feature of the Diamond Model indicates the path between the parts of the Diamond
Model that is used by an exploit?
adversary
infrastructure
direction
capability
result
victim
1. The definition of computer security incidents and related terms element is in which part of the
incident response plan?
policy
plan
procedure
2. The strategy and goals element is in which part of the incident response plan?
plan
procedure
policy
3. The organizational structure and definition of roles, responsibilities, and levels of authority element is
in which part of the incident response plan?
policy
plan
procedure
4. The prioritization and severity ratings of incidents element is in which part of the incident response
plan?
policy
plan
procedure
5. Checklists may be found in which part of the incident response plan?
policy
plan
procedure
6. The techniques element is in the procedure part of the plan.
policy
plan
Procedure
1. What term is used for a sign that a threat actor may be preparing to attack an asset?
CSIRT
precursor
indicator
event
incident
incident handling
2. What term is used for the group of people who provide incident response services to an
organization?
precursor
indicator
event
incident
incident handling
CSIRT
3. What term is used for a time-bound activity that is restricted to a specific step in which an adversary
attacks a network?
CSIRT
precursor
security event
incident
incident handling
CSIRT
4. What is a sign that a network security event may have occurred or is occurring?
CSIRT
precursor
indicator
event
incident
incident handling
5. What has occurred when there is a violation or threat of violation of security policies?
CSIRT
precursor
indicator
event
incident
incident handling
6. What is the term for a set of policies, plans, and procedures that are designed to address
cybersecurity breaches?
CSIRT
precursor
indicator
event
incident
1. To ensure that the chain of custody is maintained, what three items should be logged about
evidence that is collected and analyzed after a security incident has occurred? (Choose three.)
action on objectives
exploitation
delivery
resources
direction
methodology
results
4. Which action should be included in a plan element that is part of a computer security incident
response capability (CSIRC)?
Detail how incidents should be handled based on the mission and functions of an organization.
Develop metrics for measuring the incident response capability and its effectiveness.
Create an organizational structure and definition of roles, responsibilities, and levels of authority.
5. Which two actions can help identify an attacking host during a security incident? (Choose two.)
Develop identifying criteria for all evidence such as serial number, hostname, and IP address.
Use an Internet search engine to gain additional information about the attack.
Log the time and date that the evidence was collected and the incident remediated.
6. What is a MITRE ATT&CK framework?
reporting
collection
analysis
examination
8. When dealing with security threats and using the Cyber Kill Chain model, which two approaches can
an organization use to help block potential exploitations of a system? (Choose two.)
Analyze the infrastructure path used for delivery.
adversary
weaponization
infrastructure
capability
10. What is the purpose of the policy element in a computer security incident response capability of an
organization, as recommended by NIST?
It provides metrics for measuring the incident response capability and effectiveness.
It defines how the incident response teams will communicate with the rest of the organization and
with other organizations.
It details how incidents should be handled based on the organizational mission and functions.
11. According to NIST, which step in the digital forensics process involves extracting relevant
information from data?
reporting
analysis
examination
collection
12. Which statement describes the Cyber Kill Chain?
It uses the OSI model to describe cyberattacks at each of the seven layers.
It is a set of metrics designed to create a way to describe security incidents in a structured and
repeatable way.
It identifies the steps that adversaries must complete to accomplish their goals.
13. After containing an incident that infected user workstations with malware, what are three effective
remediation procedures that an organization can take for eradication? (Choose three.)
Disconnect or disable all wired and wireless network adapters until the remediation is complete.
Update and patch the operating system and installed software of all hosts.
reconnaissance
weaponization
exploitation
action on objectives
15. Which task describes threat attribution?