Cisco (300-215-CBRFIR) Exam Questions And Answers page 1
Which scripts will search a log file for the IP address of 192.168.100.100 and create an output file named parsed_host.log while printing results to the console?
Network Forensics
Host Forensics
What is the indicator of attack in the exhibited email?
Single Choice
Refer to the exhibit. Which element in this email is an indicator of attack?
IP Address: 202.142.155.218
content-Type: multipart/mixed
attachment: Card-Refund
subject: Service Credit Card
Introduction to Forensic Analysis and Incident Response
Malware Analysis
An attacker embedded a macro within a word processing file opened by a user in an organization's legal department. The attacker used this technique to gain access to confidential financial data. Which two recommendations should a security expert make to mitigate this type of attack? (Choose two.)
controlled folder access
removable device restrictions
signed macro requirements
firewall rules creation
network access control
Network Forensics
Malware Analysis
A security team is discussing lessons learned and suggesting process changes after a security breach incident. During the incident, members of the security team failed to report the abnormal system activity due to a high project workload. Additionally, when the incident was identified, the response took six hours due to management being unavailable to provide the approvals needed. Which two steps will prevent these issues from occurring in the future? (Choose two.)
Introduce a priority rating for incident response workloads.
Provide phishing awareness training for the full security team.
Conduct a risk audit of the incident response workflow.
Create an executive team delegation plan.
Automate security alert timeframes with escalation triggers.
Introduction to Forensic Analysis and Incident Response
Incident Response
What is a concern for gathering forensics evidence in public cloud environments?
High Cost: Cloud service providers typically charge high fees for allowing cloud forensics.
Configuration: Implementing security zones and proper network segmentation.
Timeliness: Gathering forensics evidence from cloud service providers typically requires substantial time.
Multitenancy: Evidence gathering must avoid exposure of data from other tenants.
Introduction to Forensic Analysis and Incident Response
Incident Response
Refer to the exhibit. A network engineer is analyzing a Wireshark file to determine the HTTP request that caused the initial Ursnif banking Trojan binary to download. Which filter did the engineer apply to sort the Wireshark traffic logs?
http.request.uri matches
tls.handshake.type ==1
tcp.port eq 25
tcp.window_size ==0
Network Forensics
Malware Analysis
Over the last year, an organization's HR department has accessed data from its legal department on the last day of each month to create a monthly activity report. An engineer is analyzing suspicious activity alerted by a threat intelligence platform that an authorized user in the HR department has accessed legal data daily for the last week. The engineer pulled the network data from the legal department's shared folders and discovered above-average-size data dumps. Which threat actor is implied from these artifacts?
privilege escalation
internal user errors
malicious insider
external exfiltration
Introduction to Forensic Analysis and Incident Response
Network Forensics
Refer to the exhibit. According to the SNORT alert, what is the attacker performing?
brute-force attack against the web application user accounts
XSS attack against the target webserver
brute-force attack against directories and files on the target webserver
SQL injection attack against the target webserver
Introduction to Forensic Analysis and Incident Response
Incident Response
Refer to the exhibit. What is the IOC threat and URL in this STIX JSON snippet?
malware; http://x4z9arb.cn/4712/
malware; x4z9arb backdoor
x4z9arb backdoor; http://x4z9arb.cn/4712/
malware; malware--162d917e-766f-4611-b5d6-652791454fca
stix; http://x4z9arb.cn/4712/
Introduction to Forensic Analysis and Incident Response
Incident Response
Refer to the exhibit. An engineer is analyzing a .LNK (shortcut) file recently received as an email attachment and blocked by email security as suspicious. What is the next step an engineer should take?
Delete the suspicious email with the attachment as the file is a shortcut extension and does not represent any threat.
Upload the file to a virus checking engine to compare with well-known viruses as the file is a virus disguised as a legitimate extension.
Quarantine the file within the endpoint antivirus solution as the file is a ransomware which will encrypt the documents of a victim.
Open the file in a sandbox environment for further behavioral analysis as the file contains a malicious script that runs on execution.
Network Forensics
Malware Analysis