1. Which type of alert occurs when no incident is reported and no incident has occurred?

false negative

true negative

true positive

true negative
2. Which type of alert has happened when an alert is received, but no incident has occurred?

true positive

true negative

false positive

false negative
3. Which type of incident has occurred when nothing is reported, but an exploit has occurred?

false negative

true negative

false positive

true positive
4. Which type of alert is it when an alert is received, and an exploit has been verified?

false negative

true negative

false positive

true positive
5. True or False? A benign event should trigger an alert.

true

false
1. What classification is used for an alert that correctly identifies that an exploit has occurred?

true negative

false negative

true positive

false positive
2. Which type of analysis relies on predefined conditions and can analyze applications that only use
well-known fixed ports?

log

deterministic

probabilistic

statistical
3. Which tool is included with Security Onion that is used by Snort to automatically download new
rules?

ELK

PulledPork

Sguil

Wireshark
4. Which tool included in Security Onion is an interactive dashboard interface to Elasticsearch data?

Kibana

Zeek

Sguil

Wireshark
5. Which type of analysis relies on different methods to establish the likelihood that a security event
has happened or will happen?

probabilistic

deterministic

log

statistical
6. Which NIDS tool uses a signature-based approach and native multithreading for alert detection?

Bro

Snort

Zeek

Suricata
7. What is the host-based intrusion detection tool that is integrated into Security Onion?

Sguil

Wireshark

OSSEC

Snort
8. What are three analysis tools that are integrated into Security Onion? (Choose three.)

Snort

OSSEC

Kibana

Wireshark

Sguil

Suricata
9. What function is provided by Snort as part of the Security Onion?

to view pcap transcripts generated by intrusion detection tools

to normalize logs from various NSM data logs so they can be represented, stored, and accessed
through a common schema

to generate network intrusion alerts by the use of rules and signatures

to display full-packet captures for analysis

10. Which tool is a Security Onion integrated host-based intrusion detection system?

Zeek

Suricata

Snort

Wazuh
11. Which tool would an analyst use to start a workflow investigation?

Snort

Zeek

Sguil

ELK
12. Which alert classification indicates that exploits are not being detected by installed security systems?

true negative

true positive

false negative

false positive
1. When real-time reporting of security events from multiple sources is being received, which function
in SIEM provides capturing and processing of data in a common format?

compliance

log collection

aggregation

normalization
2. What is the value of file hashes to network security investigations?

They ensure data availability.

They assure nonrepudiation.

They can serve as malware signatures.

They offer confidentiality.
3. Which technology is an open source SIEM system?

Wireshark

Splunk

StealthWatch

ELK
4. A network administrator is working with ELK. The amount of network traffic to be collected by packet
captures and the number of log file entries and alerts that will be generated by network and security
devices can be enormous. What is the default time configured in Kibana to show the log entries?

48 hours

36 hours

12 hours

24 hours
5. In which programming language is Elasticsearch written?

Python

C++

Java

C
6. For how long does the Payment Card Industry Security Standards Council (PCI DSS) require that an
audit trail of user activities related to protected information be retained?

12 months

6 months

24 months

18 months
7. What is the host-based intrusion detection tool that is integrated into Security Onion?

Sguil

OSSEC

Wireshark

Snort
8. Which core open source component of the Elastic-stack is responsible for accessing, visualizing,
and investigating data?

Elasticsearch

Kibana

Beats

Logstash
9. What is the default time set in the securityonion.conf file for Sguil alert data retention?

30 days

45 days

60 days

15 days
10. Which tool would an analyst use to start a workflow investigation?

Zeek

Snort

Sguil

ELK
11. Which core open source component of the Elastic-stack is responsible for storing, indexing, and
analyzing data?

Elasticsearch

Kibana

Logstash

Beats
12. Which tool concentrates security events from multiple sources and can interact with other tools such
as Wireshark?

Curator

Kibana

Sguil

Bro
1. Which technique involves assessment and extraction of relevant information from collected data?

reporting

collection

analysis

examination
2. Which technique involves drawing conclusions from the data?

examination

analysis

collection

reporting
3. Which technique includes identification of potential sources of forensic data and the acquisition,
handling, and storage of that data?

collection

reporting

analysis

examination
4. Which technique includes preparation and presentation of the information that resulted from the
analysis?

examination

reporting

analysis

collection

1. Which type of evidence was indisputably in the possession of the accused?

indirect evidence

direct evidence

corroborating evidence

best evidence
2. Which type of evidence supports an assertion that is developed from best evidence?

direct evidence

indirect evidence

corroborating evidence

best evidence
3. Which type of evidence is circumstantial evidence that, in combination with other facts, establishes a
hypothesis?

direct evidence

indirect evidence

corroborating evidence

best evidence
4. Which type of evidence is in its original state?

direct evidence

indirect evidence

corroborating evidence

best evidence
1. In which step does the threat actor exploit the vulnerability and gain control of the target?

reconnaissance

action on objectives

installation

delivery

exploitation
2. In which step is the weapon transmitted to the target through the use of a website, removable USB
media, an email attachment, or by other means?

reconnaissance

delivery

installation

command and control

weaponization
3. In which step does the threat actor gather intelligence and select targets?

delivery

action on objectives

exploitation

reconnaissance

installation
4. In which step does the threat actor use a communication method such as IRC to issue commands to
the software that is installed on the target?

command and control

action on objectives

installation

delivery

weaponization
5. In which step does the threat actor use the vulnerabilities of the assets that were discovered and build
them into a tool?

exploitation

delivery

reconnaissance

command and control

weaponization

1. What part of the Diamond Model represents the threat actor?

adversary

infrastructure

direction

capability

result

victim
2. What part of the Diamond model represents the network path that is used for an exploit?

adversary

infrastructure

direction

capability

result

victim
3. What part of the Diamond Model represents the target of an exploit?

adversary

infrastructure

direction

capability

result

victim
4. Which meta-feature represents what the threat actor gained from an exploit? It can be characterized
as confidentiality compromised, integrity compromised, and availability compromised.

adversary

infrastructure

direction

capability

result

victim
5. What part of the Diamond Model represents the tools or techniques that the threat actor uses to
attack a target?

adversary

infrastructure

direction

capability

result

victim
6. Which meta-feature of the Diamond Model indicates the path between the parts of the Diamond
Model that is used by an exploit?

adversary

infrastructure

direction

capability

result

victim

1. The definition of computer security incidents and related terms element is in which part of the
incident response plan?

policy

plan

procedure
2. The strategy and goals element is in which part of the incident response plan?

plan

procedure

policy
3. The organizational structure and definition of roles, responsibilities, and levels of authority element is
in which part of the incident response plan?

policy

plan

procedure
4. The prioritization and severity ratings of incidents element is in which part of the incident response
plan?

policy

plan

procedure
5. Checklists may be found in which part of the incident response plan?

policy

plan

procedure
6. The techniques element is in the procedure part of the plan.

policy

plan

procedure

1. What term is used for a sign that a threat actor may be preparing to attack an asset?

CSIRT

precursor

indicator

event

incident

incident handling
2. What term is used for the group of people who provide incident response services to an
organization?

precursor

indicator

event

incident

incident handling

CSIRT
3. What term is used for a time-bound activity that is restricted to a specific step in which an adversary
attacks a network?

CSIRT

precursor

security event

incident

incident handling

CSIRT
4. What is a sign that a network security event may have occurred or is occurring?

CSIRT

precursor

indicator

event

incident

incident handling
5. What has occurred when there is a violation or threat of violation of security policies?

CSIRT

precursor

indicator

event

incident

incident handling
6. What is the term for a set of policies, plans, and procedures that are designed to address
cybersecurity breaches?

CSIRT

precursor

indicator

event

incident

incident handling capability

1. To ensure that the chain of custody is maintained, what three items should be logged about
evidence that is collected and analyzed after a security incident has occurred? (Choose three.)

vulnerabilities that were exploited in an attack

measures used to prevent an incident

serial numbers and hostnames of devices used as evidence

time and date the evidence was collected

extent of the damage to resources and assets

location of all evidence
2. A threat actor has gained administrative access to a system and achieved the goal of controlling the
system for a future DDoS attack by establishing a communication channel with a CnC owned by the
threat actor. Which phase in the Cyber Kill Chain model describes the situation?

action on objectives

exploitation

delivery

command and control
3. Which meta-feature element in the Diamond Model describes tools and information (such as
software, black hat knowledge base, username and password) that the adversary uses for the
intrusion event?

resources

direction

methodology

results
4. Which action should be included in a plan element that is part of a computer security incident
response capability (CSIRC)?

Prioritize severity ratings of security incidents.

Detail how incidents should be handled based on the mission and functions of an organization.

Develop metrics for measuring the incident response capability and its effectiveness.

Create an organizational structure and definition of roles, responsibilities, and levels of authority.
5. Which two actions can help identify an attacking host during a security incident? (Choose two.)

Develop identifying criteria for all evidence such as serial number, hostname, and IP address.

Validate the IP address of the threat actor to determine if it is viable.

Determine the location of the recovery and storage of all evidence.

Use an Internet search engine to gain additional information about the attack.

Log the time and date that the evidence was collected and the incident remediated.
6. What is a MITRE ATT&CK framework?

a collection of malware exploits and prevention solutions

documented processes and procedures for digital forensic analysis

guidelines for the collection of digital evidence

a knowledge base of threat actor behavior
7. According to NIST, which step in the digital forensics process involves identifying potential sources
of forensic data, its acquisition, handling, and storage?

reporting

collection

analysis

examination
8. When dealing with security threats and using the Cyber Kill Chain model, which two approaches can
an organization use to help block potential exploitations of a system? (Choose two.)

Analyze the infrastructure path used for delivery.

Conduct full malware analysis.

Audit endpoints to forensically determine origin of exploit.

Conduct employee awareness training and email testing.

Collect email and web logs for forensic reconstruction.
9. Which term is used in the Diamond Model of intrusion to describe a tool that a threat actor uses
toward a target system?

adversary

weaponization

infrastructure

capability
10. What is the purpose of the policy element in a computer security incident response capability of an
organization, as recommended by NIST?

It provides metrics for measuring the incident response capability and effectiveness.

It provides a roadmap for maturing the incident response capability.

It defines how the incident response teams will communicate with the rest of the organization and
with other organizations.

It details how incidents should be handled based on the organizational mission and functions.
11. According to NIST, which step in the digital forensics process involves extracting relevant
information from data?

reporting

analysis

examination

collection
12. Which statement describes the Cyber Kill Chain?

It specifies common TCP/IP protocols used to fight against cyberattacks.

It uses the OSI model to describe cyberattacks at each of the seven layers.

It is a set of metrics designed to create a way to describe security incidents in a structured and
repeatable way.

It identifies the steps that adversaries must complete to accomplish their goals.
13. After containing an incident that infected user workstations with malware, what are three effective
remediation procedures that an organization can take for eradication? (Choose three.)

Rebuild hosts with installation media if no backups are available.

Rebuild DHCP servers using clean installation media.

Disconnect or disable all wired and wireless network adapters until the remediation is complete.

Update and patch the operating system and installed software of all hosts.

Change assigned names and passwords for all devices.

Use clean and recent backups to recover hosts.
14. After a threat actor completes a port scan of the public web server of an organization and identifies a
potential vulnerability, what is the next phase for the threat actor in order to prepare and launch an
attack as defined in the Cyber Kill Chain?

reconnaissance

weaponization

exploitation

action on objectives
15. Which task describes threat attribution?

obtaining the most volatile evidence

determining who is responsible for the attack

evaluating the server alert data

reporting the incident to the proper authorities
