Cisco 210-255 SEC OPS

  1. What are the types of security operations centers (SOCs)?
    • Threat-centric SOCs
    • Compliance-based SOCs
    • Operational-based SOCs
  2. Which type of SOC provides the following function:
    "Always looking for malicious threats on a network"

    A.
  3. Which type of SOC provides the following function:
    "always checking the regulatory posture of network systems against reference configuration templates or standard system builds"

    C.
  4. Which type of SOC provides the following function:
    "Internally focused organization that is tasked with monitoring the security posture of an organization's internal network"

    A.
  5. Which type of SOC is not valid:

    C.
  6. Which two statements are true regarding a threat-centric SOC? (Choose two.)

    A) A threat-centric SOC proactively hunts for malicious threats on networks.

    B) A threat-centric SOC is focused on comparing the posture of network systems to reference configuration templates or standard system builds.

    C) A threat-centric SOC is an internally focused organization that is tasked with monitoring the security posture of an organization’s internal network.

    D) A threat-centric SOC focuses on addressing security across the entire attack continuum—before, during, and after an attack.

    E) A threat-centric SOC focuses on detecting unauthorized changes and existing configuration problems that could lead to a possible security breach.

    F) A threat-centric SOC is focused on the administration of firewall ACL rules, and so on.
    A, D
  7. Which two statements are true regarding a compliance-based SOC? (Choose two.)

    A) A compliance-based SOC proactively hunts for malicious threats on networks.

    B) A compliance-based SOC focuses on comparing the posture of network systems to reference configuration templates or standard system builds.

    C) A compliance-based SOC is an internally focused organization that monitors the security posture of an organization’s internal network.

    D) A compliance-based SOC focuses on addressing security across the entire attack continuum – before, during and after an attack.

    E) A compliance-based SOC focuses on detecting unauthorized changes and existing configuration problems that could lead to a possible security breach.

    F) A compliance-based SOC is focused on the administration of firewall ACL rules, and so on.
    B, E
  8. Which two of the following tools in Security Onion could be used for intrusion detection? (Choose two.)

    A) Snort
    B) Sguil
    C) Suricata
    D) Squert
    A, C
  9. Which Security Onion component is used to query log data from the different sources?

    B.
  10. Which statement is true regarding data analytics?

    A. Data analytics is the science of examining and deciphering raw data with the purpose of drawing conclusions from it.

    B. Data analytics is an interpretation of a chain of consecutive events that occur during a set period of time.

    C. Data analytics can be used to mine through large amounts of data to build profiles and to identify anomalous behavior.

    D. Data analytics can be used to reconstruct network traffic or to follow it.
    A.
  11. In log mining, which statement is true about sequencing?

    A. Sequencing is the reconstruction or the following of the network traffic flow.

    B. Sequencing is an interpretation of a chain of consecutive events that occur during a set period of time.

    C. Sequencing can be used to make predictions about unknown future attacks or events.

    D. Sequencing can be used to mine through large amounts of data to build profiles and to identify anomalous behavior.

    E. Sequencing labels data packets, allowing them to traverse through the network on different paths, but they will remain identifiable to the destination node when it is reconstructed.
    A.
  12. Match the term to its correct explanation:

    A. for tasks that are repetitive
    B. should not require a security analyst to intervene
    C. can be volume- or feature-based

    SOC automation
    anomaly detection
    false positive alerts
    • A = SOC automation
    • B = false positive alerts
    • C = anomaly detection
  13. Which type of event should an analyst spend the least amount of time investigating?

    A. alerts that are based on anomaly detection

    B. IPS alerts that have the drop action

    C. alerts that are occurring at a frequent interval

    D. false positive alerts
    D.
  14. Which job role in a SOC would most likely perform the initial triage of alerts that are received from SIEM?

    A. forensic specialist

    B. Tier 1 security analyst

    C. malware specialist

    D. SOC manager

    E. threat intelligence researcher
    B.
  15. Which two statements are most correct about the SOC analyst job role? (Choose two.)

    A. All SOCs should follow the NIST 800-181 standard in defining the SOC analyst job role.

    B. The SOC analyst job role is to focus on the security control implementations.

    C. The SOC analyst job role heavily involves the use of the SIEM.

    D. The exact job role of the SOC analyst will vary among different organizations.
    C, D
  16. Match the responsibilities of a security analyst to their tier:

    A. continuously monitors the alert queue; triages security alerts; monitors health of security sensors and endpoints; collects data and context

    B. performs deep-dive incident analysis by correlating data from various sources, determines if a critical system or data set has been impacted; advises on remediation; provides support for new analytic methods for detecting threats

    C. possesses in-depth technical knowledge on the network, endpoint, threat intelligence, forensics and malware reverse engineering, as well as the functioning of specific applications or underlying IT infrastructure; acts as an incident “hunter,” not waiting for escalated incidents; closely involved in developing, tuning, and implementing threat detection analytics

    Tier 1
    Tier 2
    Tier 3
    • A = Tier 1
    • B = Tier 2
    • C = Tier 3
  17. Which two basic skills must Tier 1 security analysts possess to be effective at their jobs? (Select two.)

    A. device configuration

    B. PC forensics

    C. traffic capture

    D. malware reverse engineering
    A, C
  18. What are three typical requirements for a SOC? (Choose three.)

    A. effective NSM tools

    B. security analysts with comprehensive technical backgrounds

    C. isolation from external organizations

    D. effective processes to support the SOC operations
    A, B, D
  19. Match each function of a centralized syslog management to its step order:

    A. Reception of syslog messages from syslog clients that are distributed across the network and storage of those messages in a flat log file.

    B. Moving messages from the flat log file to a high performance relational database.

    C. Processing low-level data in the relational database to produce higher-level information constructs.

    D. Presenting syslog data in the form of automated reports, dashboards, and real-time query responses.
    A, B, C, D
  20. Which two statements are true regarding commercial and open source SOC tools? (Choose two.)

    A. Commercial tools tend to be polished and full-featured and come with vendor support, but they also tend to be expensive.

    B. Open source tools tend to be polished and full-featured and come with vendor support, but they also tend to be expensive.

    C. Technical support is often considered to be an advantage of commercial tools.

    D. Technical support is often considered to be an advantage of open source tools.

    E. Commercial tools are freely distributable; open source tools are not.
    A, C
  21. Match the example data to the associated NSM data type.

    A. full packet capture

    B. statistical data

    C. metadata

    D. transaction data

    PCAP file
    HTTP GET log
    geolocation specification
    graph showing requests per second
    • A = PCAP file
    • D = HTTP GET log
    • C = geolocation specification
    • B = graph showing requests per second
  22. Which of the following is most useful to an analyst when correlating events in one NSM data set with events in other NSM data sets?




    A.
  23. Which open source Linux distribution focuses on NSM?

    A. Chrome operating system

    B. Ubuntu

    C. Linux Mint

    D. Security Onion

    E. Kali Linux
    D.
  24. Which statement is true regarding Security Onion?

    A. Security Onion is a proprietary Linux distribution that focuses on NSM.

    B. The tools that are selected for Security Onion do not have broad community support.

    C. Security Onion can be deployed as a simple standalone system and a distributed deployment.

    D. Security Onion Solutions does not offer any training or support services.
    C.
  25. Security Onion provides which two tools to analyze PCAP files? (Choose two.)

    A. tcpdump

    B. netsed

    C. Wireshark

    D. OSSEC

    E. barnyard2
    A, C
  26. Which two statements regarding full packet capture are true? (Choose two.)

    A. Placement of sensing interfaces will not affect which conversations will be seen.

    B. Mirroring the traffic on the switch is the most reliable method of full packet capture.

    C. Traffic can be captured using a network tap, which splits a duplex connection into two separate simplex connections.

    D. TCP segmentation offload should be enabled to improve packet capture performance.

    E. Storage requirements and policies must also be considered with full packet capture, because the full packet capture quickly consumes disk space.
    C, E
  27. Which NSM data type can be consulted to determine if any internal systems have communicated with any of the suspicious external IP addresses?

    A. session data

    B. transaction data

    C. alert data

    D. statistical data

    E. extracted content
    A
  28. In NSM, session data contains which one of the following elements?

    A. HTTP URL

    B. full packet contents

    C. IPS alert data

    D. IP 5-tuple
    D.
  29. Which two statements are true about transaction data? (Choose two.)

    A. Transaction data provides audit trails of client requests and server responses.

    B. The logs from the servers such as DHCP servers, DNS servers, mail servers, and proxies are not considered as a source of transaction data.

    C. Some NSM tools can decode application protocols, recognize transactions within the live traffic, and produce transaction logs.

    D. Bro cannot produce transaction logs for common application protocols.
    A, C
  30. Which two logs are examples of transaction data? (Choose two.)

    A. host=127.0.0.1 program=bro_conn class=BRO_CONN srcip=10.10.6.10 srcport=9887 dstip=64.4.54.254 dstport=443 proto=TCP bytes_in=4556 service=ssl conn_duration=60.432303 bytes_out=3176 pkts_out=12 pkts_in=10 resp_country_code=US

    B. host=127.0.0.1 program=bro_http class=BRO_HTTP srcip=10.10.6.10 srcport=9892 dstip=23.209.176.129 dstport=80 status_code=200 content_length=4266 method=GET site=tile-service.weather.microsoft.com uri=/en-US/livetile/preinstall?region=US&appid=C98EA5B0842DBB9405BBF071E1DA76512D21FE36&FORM=Threshold referer=- user_agent=Microsoft-WNS/10.0 mime_type=application/xml

    C. host=127.0.0.1 program=bro_dns class=BRO_DNS srcip=10.10.6.10 srcport=52224 dstip=10.10.4.20 dstport=53 proto=UDP hostname=evan-pc.abc.private answer=- query_class=C_INTERNET query_type=SOA return_code=NOERROR

    D. host=127.0.0.1 program=bro_conn class=BRO_CONN srcip=10.10.4.20 srcport=55060 dstip=8.8.8.8 dstport=53 proto=UDP bytes_in=51 service=dns conn_duration=0.015342 bytes_out=51 pkts_out=1 pkts_in=1 resp_country_code=US
    B,C
  31. Which type of NSM data is primarily associated with IDS and IPS systems?

    A. transaction data

    B. alert data

    C. metadata

    D. session data
    B
  32. Which two statements are true regarding the deployment of IDS and IPS systems? (Choose two.)

    A. If the system is deployed inline so it has the ability to drop traffic that it classifies as malicious, then it is operating in IDS mode.

    B. If the system is deployed using port mirroring or network taps, then it is operating in IPS mode.

    C. If the system is deployed inline so it has the ability to drop traffic that it classifies as malicious, then it is operating in IPS mode.

    D. If the system is deployed using port mirroring or network taps, then it is operating in IDS mode.
    C, D
  33. Which two statements regarding statistical data are true? (Choose two.)

    A. Statistical data aggregates the individual events and provides summaries of the data.

    B. Statistical data records all the network traffic at some particular locations in the network.

    C. The summaries of statistical data can be used by the analyst to develop a clear and coherent picture that may not be discernable from examining individual events.

    D. Statistical data is typically produced by IDS or IPS systems.
    A, C
  34. Which of the following is the best example of extracted content?

    A. an audit record documenting an HTTP request and response

    B. a URL in the body of an email

    C. the geographic location of an IP address

    D. an executable file that is attached to an email
    D
  35. What is the first action of the attacker when following the classic kill chain model?

    A. exploitation

    B. reconnaissance

    C. installation

    D. delivery

    E. command-and-control
    B
  36. Which of the following is an example of the attacker’s reconnaissance action?


    A. the attacker exfiltrating data from the target


    B. the transmission of the malware to the target


    C. the attacker’s researching, identifying, and selecting the target


    D. the compromised hosts beaconing outbound to the attacker’s controlled server
    C
  37. Which two types of information can be obtained by an attacker when performing a domain registration information lookup? (Choose two.)

    A. the name servers associated with the organization

    B. the web servers associated with the organization

    C. the email servers associated with the organization

    D. the email addresses associated with the organization
    A, D
  38. What is involved during the delivery phase of the kill chain?

    A. transmission of the payload to the target via a communication vector

    B. choosing the cyber weapon that is based on reconnaissance information about a targeted system

    C. information gathering of intelligence about the target organization

    D. the attacker gaining control of the target machine
    A
  39. The actual malware delivery can be typically accomplished by the threat actors using which three of the following methods? (Choose three.)

    A. email attachments

    B. USB removable media

    C. phishing phone calls

    D. network reconnaissance

    E. website redirections
    A, B, E
  40. The exploitation phase typically targets which three weaknesses? (Choose three.)

    A. application vulnerabilities

    B. operating system vulnerabilities

    C. users

    D. passwords

    E. host-based security controls
    A, B, C
  41. What is the attacker’s goal during the exploitation kill chain phase?

    A. establish the command-and-control channel

    B. maintain a persistent presence on the victim’s machine

    C. exploit the vulnerability to gain control of the victim’s machine


    D. perform data exfiltration
    C
  42. What is the attacker’s goal during the installation kill chain phase?

    A. establish the command-and-control channel

    B. maintain a persistent presence on the victim’s machine

    C. exploit the vulnerability to gain control of the victim’s machine

    D. perform data exfiltration
    B
  43. An example of maintaining persistence is when an attacker has the ability to do what?

    A. exploit an unknown vulnerability

    B. survive a system reboot

    C. deliver the payload without detection

    D. maintain presence for only a short time period to avoid detection
    B
  44. What could be an indicator to an analyst of suspected command-and-control traffic?

    A. long DNS queries that are initiated from multiple inside hosts to domains using randomized names

    B. multiple inside hosts browsing to the same internal web server

    C. multiple spam emails sent from the same external sender

    D. many blocked inbound connections from the same external host by the firewall
    A
  45. When following the kill chain model, what is normally established before the attacker can begin data exfiltration?

    A. mutual trust relationships between the attacker’s machine and the victim’s machines

    B. non-persistent presence on the victim’s machines

    C. CnC channel

    D. DoS attack on the network security devices
    C
  46. What is the last phase of the kill chain?

    A. actions taken by the threat actor that are objective-dependent

    B. installation of malware on the targets

    C. establishing a persistent presence on the targets

    D. establishing the CnC channel
    A
  47. From an attacker’s point of view, which attack is considered successful?

    A. achieving their ultimate objective

    B. successfully gaining control of the victim’s machine

    C. establishing the CnC channel

    D. gaining persistent back-door access to the victim’s machine
    A
  48. Which network security device or control should an analyst monitor to best detect the attacker’s network reconnaissance activities?

    A. network firewall (or next-gen firewall)

    B. DNS security

    C. web security

    D. threat intelligence feeds
    A.
  49. Which network security device or control should an analyst monitor to best detect the attacker’s exploitation and installation activities?

    A. DNS security

    B. web security

    C. threat intelligence feeds

    D. network-based and host-based anti-malware solutions
    D
  50. Which two statements are true regarding ransomware? (Choose two.)

    A. Ransomware is malware that replicates functional copies of itself and causes damage.

    B. Businesses and individuals can be taken hostage by malware that locks up critical resources—ransomware.

    C. Ransomware spreads from one computer to another, leaving infections as it travels.

    D. Once established, ransomware takes over systems and stored data, encrypting their contents, denying access, and holding them hostage until a ransom is paid.

    E. Ransomware often automates tasks and provides information or services that would otherwise be conducted by a human being.
    B,D
  51. In the diamond model, what are the physical or logical communication nodes that the adversary uses to establish and maintain command and control over their capabilities?

    A. infrastructure

    B. victim

    C. capability

    D. network

    E. attacker
    A.
  52. In the diamond model, the infrastructure node is broken into which three components? (Choose three.)

    A. type 1

    B. type 2

    C. type 3

    D. type 4

    E. type 5

    F. service providers

    G. customer edge

    H. enterprise
    A, B, F
  53. The diamond model uses how many nodes to model an intrusion?

    A. 2

    B. 3

    C. 4

    D. 5

    E. 6
    C
  54. Match the diamond model nodes to their description.

    A. the entity responsible for conducting an intrusion

    B. a tool or technique that the attacker may use in an event

    C. the target of the attacker

    D. the physical or logical communications nodes that the attacker uses to establish and maintain command and control.

    Options: infrastructure, victim, adversary, capability
    • A = adversary
    • B = capability
    • C = victim
    • D = infrastructure
  55. What intrusion analysis approaches are defined in the diamond model whitepaper?

    A. four centered on a specific node of the diamond model

    B. one based on the seven kill chain phases

    C. one centered on the attacker’s infrastructure

    D. one based on using NetFlow for anomaly detections
    A
  56. Analysts that perform reactive network and host monitoring, detection, and defense operations are exercising which diamond model-based intrusion analysis approach?

    A. compliance-centric approach

    B. threat-centric approach

    C. adversary-centered approach

    D. victim-centered approach
    D
  57. Which statements are true regarding exploit kits in the cyber kill chain model? (Choose two.)

    A. Exploitation kits (or exploit kits) are sets of tools that are utilized to gain access to a targeted host, either through manual or automated interaction.

    B. Even today, the automated interaction is not well developed and most exploitation kits are using the manual interaction-based techniques.

    C. The typical exploit kit provides a user-friendly web interface that helps the attacker track the infection campaign.

    D. A key downside of an exploit kit is its complexity, which means it can be used only by technology or security experts.
    A, C
  58. Which two statements are true about cyber threat hunt mission? (Choose two.)

    A. In a threat-centric SOC, the cyber threat hunt mission involves a proactive approach to detecting malicious activity that is not identified by traditional alerting mechanisms.

    B. If the threat actor evades the antivirus and IPS definitions, then there is no way to detect signs of its activity.

    C. By examining various sources of data, be it authentication logs, event data, or traffic flow, an analyst can start to correlate the data and determine if there is cause for further investigation.

    D. A cyber threat hunting process usually relies on signature-based method of detection.
    A, C
  59. What is the main focus of a threat-centric SOC?

    A. detecting malicious activities

    B. ensuring compliance with various security regulations

    C. ensuring that security controls are functioning as intended

    D. preventing all intrusion attempts
    A
  60. The hunting maturity model has how many levels of maturity?

    A. two

    B. three

    C. four

    D. five

    E. six

    F. seven
    D
  61. Match the hunting maturity levels to the corresponding job roles.

    A. alerting

    B. alerting and collecting

    C. alerting, collecting, and incorporating hunt techniques

    D. alerting, collecting, analyzing, and incorporating hunt techniques

    E. alerting, collecting, analyzing, automating, and incorporating hunt techniques

    Response: HM4, HM2, HM3, HM1, HM0
    • A = HM0
    • B = HM1
    • C = HM2
    • D = HM3
    • E = HM4
  62. List the four-stage loop of the hunting cycle in ascending order.

    investigate
    hypothesis
    inform and enrich
    uncover
    • 1. hypothesis
    • 2. investigate
    • 3. uncover
    • 4. inform and enrich
  63. During which phase of the hunting cycle does the analyst actively attempt to discover the pattern of the attacker’s tactics, techniques, and procedures?

    A. hypothesis

    B. uncover

    C. investigate

    D. inform and enrich

    E. triage
    B
  64. Which two statements are true regarding CVSS v3.0? (Choose two.)

    A. CVSS stands for the Common Vulnerability Scoring System and is a vendor-dependent, proprietary standard.

    B. CVSS stands for the Common Vulnerability Scoring System and is a vendor agnostic, industry open standard.

    C. CVSS is not designed to convey vulnerability severity and does not help determine urgency and priority of response.

    D. CVSS calculates the chances of being attacked.

    E. CVSS calculates the chances of being compromised in the event of an attack, and severity of damage.
    B, E
  65. In the base metrics, which four attack vector characteristics measure how remote an attacker can be to attack a target? (Choose four.)

    A. local

    B. adjacent

    C. remote

    D. network

    E. physical

    F. virtual
    A, B, D, E
  66. In the base metrics, which three confidentiality impact, integrity impact, and availability impact measures affect the successful exploit of the vulnerability on the target system? (Choose three.)

    A. none

    B. low

    C. medium

    D. high
    A, B, D
  67. Which statement is true about scoring in CVSS v3.0?

    A. Scoring is the process of splitting all the metric values according to specific formulas.

    B. Computing the environmental scoring is mandatory.

    C. Base scoring is computed by the vendor or originator with the intention of being published and once set, is not expected to change.

    D. Temporal scoring is optionally computed by end-user organizations and it is the combination of the base scoring and the environmental scoring.
    C
  68. Which CVSS v3.0 scoring component has the largest bearing on the final score?

    A. temporal score

    B. environmental score

    C. base score

    D. severity score
    C
  69. Using the different online research sources, what is the CVSS v3.0 score of the MySQL Stored SQL Injection vulnerability CVE-2013-0375?

    A. 3.1

    B. 4.3

    C. 5.5

    D. 6.4
    D
  70. Using the different online research sources, what is the CVSS v3.0 “Integrity Impact” level of the MySQL Stored SQL Injection vulnerability CVE-2013-0375?

    A. high

    B. medium

    C. low

    D. none
    C
  71. Which two statements regarding a hot threat dashboard are true? (Choose two.)

    A. A hot threat dashboard is a graphical depiction of currently monitored threats.

    B. Threats cannot be added or retired and current information cannot be seen in the hot threat dashboard.

    C. The goal of the hot threat dashboard is to maintain the list of history of the past threats.

    D. The hot threat dashboard should focus on a handful of top-priority threats, in order to maximize efficiency and impact.
  72. Which two statements regarding the recording of hot threats in the database are true? (Choose two.)

    A. When the vulnerability is found with the CVSS Temporal Score of Low, the hot threat is recorded in the database.

    B. When the vulnerability is found with the CVSS base score of high, the hot threat is recorded in the database.

    C. When the reports are received from reliable intelligence indicating attacks, then the threats regarding the attacks will be recorded in the database.

    D. Alerts from the observed anomalies will not be recorded as hot threats in the database even if it is believed to be malicious.
    B, C
  73. List the work that the SOC team performs regarding hot threats in an ascending order:

    1. Monitoring hot threats
    2. Posting hot threats
    3. Reviewing hot threats
    4. Retiring hot threats
    • 1. Posting hot threats
    • 2. Reviewing hot threats
    • 3. Monitoring hot threats
    • 4. Retiring hot threats
  74. Match the vulnerabilities with the correct explanation.

    A. An attacker takes advantage of improper sanitization of user input for a command or query being executed.

    B. An attacker takes advantage of a failure to properly expire sessions, tie a session to an individual user, or perhaps the credentials are stored or transferred in plaintext.

    C. An attacker takes advantage of a failure to sanitize allowed input being displayed to the user, causing the user’s browser to render code.

    D. An attacker takes advantage of a lack of checks to ensure a user requesting a resource actually has permissions to access that resource.

    E. An attacker takes advantage of a failure to properly secure sensitive data.

    F. An attacker takes advantage of a failure to properly authenticate access to restricted sections of a site.

    G. An attacker takes advantage of a failure to ensure that each request was properly originated by a user.

    RESPONSES: injection, XSS, CSRF, broken authentication and session management, insecure direct object reference, sensitive data exposure, missing function level access control
    • G = injection
    • F = XSS
    • A = CSRF
    • B = broken authentication and session management
    • C = insecure direct object reference
    • D = sensitive data exposure
    • E = missing function level access control
  75. Match the organizations/projects to their corresponding works.

    A. It publishes a report every three years that details the top 10 most widely exploited web application vulnerabilities during that period.

    B. It was founded to address the growing issue of unsolicited commercial bulk email.

    C. This organization specializes in website traffic analytics.

    D. This database provides information to security analysts about DNS.

    RESPONSES: Farsight Security’s DNSDB, Spamhaus, Alexa, OWASP
    • A = OWASP
    • B = Spamhaus
    • C = Alexa
    • D = Farsight Security’s DNSDB
Author: wiztech
ID: 338158
Card Set: Cisco 210-255 SEC OPS
Description: Implementing Cisco Cybersecurity Operations