Cisco (350-201-CBRCOR) Exam Questions And Answers page 9
A SOC analyst detected a ransomware outbreak in the organization coming from a malicious email attachment. Affected parties are notified, and the incident response team is assigned to the case. According to the NIST incident response handbook, what is the next step in handling the incident?
Perform a vulnerability assessment to find existing vulnerabilities.
Eradicate malicious software from the infected machines.
Collect evidence and maintain a chain-of-custody during further analysis.
Network Security
Threat Intelligence and Incident Response
Refer to the exhibit. A threat actor behind a single computer exploited a cloud-based application by sending multiple concurrent API requests. These requests made the application unresponsive. Which solution protects the application from being overloaded and ensures more equitable application access across the end-user community?
Limit the number of API calls that a single client is allowed to make
Add restrictions on the edge router on how often a single client can access the API
Reduce the amount of data that can be fetched from the total pool of active clients that call the API
Increase the application cache of the total pool of active clients that call the API
Security Concepts
Cloud Security
Refer to the exhibit. Which command was executed in PowerShell to generate this log?
Get-EventLog -LogName *
Get-EventLog -List
Get-WinEvent -ListLog * -ComputerName localhost
Get-WinEvent -ListLog *
Security Concepts
Network Security
An organization had an incident with the network availability during which devices unexpectedly malfunctioned. An engineer is investigating the incident and found that the memory pool buffer usage reached a peak before the malfunction. Which action should the engineer take to prevent this issue from reoccurring?
Disable memory limit.
Disable CPU threshold trap toward the SNMP server.
Enable memory tracing notifications.
Enable memory threshold notifications.
Network Security
Endpoint Security
A payroll administrator noticed unexpected changes within a piece of software and reported the incident to the incident response team. Which actions should be taken at this step in the incident response workflow?
Classify the criticality of the information, research the attacker's motives, and identify missing patches
Determine the damage to the business, extract reports, and save evidence according to a chain of custody
Classify the attack vector, understand the scope of the event, and identify the vulnerabilities being exploited
Determine the attack surface, evaluate the risks involved, and communicate the incident according to the escalation plan
Security Concepts
Threat Intelligence and Incident Response
A security engineer discovers that a spreadsheet containing confidential information for nine of their employees was fraudulently posted on a competitor's website. The spreadsheet contains names, salaries, and social security numbers. What is the next step the engineer should take in this investigation?
Determine if there is internal knowledge of this incident.
Check incoming and outgoing communications to identify spoofed emails.
Disconnect the network from Internet access to stop the phishing threats and regain control.
Engage the legal department to explore action against the competitor that posted the spreadsheet.
Security Concepts
Network Security
Refer to the exhibit. What is occurring in this packet capture?
TCP port scan
TCP flood
DNS flood
DNS tunneling
Security Concepts
Network Security
Refer to the exhibit. An engineer is reverse engineering a suspicious file by examining its resources. What does this file indicate?
a DOS MZ executable format
an MS-DOS executable archive
an archived malware
a Windows executable file
Security Concepts
Network Security
Which bash command will print all lines from the colors.txt file containing the case-insensitive pattern "Yellow"?
grep -i yellow colors.txt
locate yellow colors.txt
locate -i Yellow colors.txt
grep Yellow colors.txt
Security Concepts
Network Security
An engineer implemented a SOAR workflow to detect and respond to incorrect login attempts and anomalous user behavior. Since the implementation, the security team has received dozens of false positive alerts and negative feedback from system administrators and privileged users. Several legitimate users were tagged as a threat and their accounts blocked, or credentials reset because of unexpected login times and incorrectly typed credentials. How should the workflow be improved to resolve these issues?
Meet with privileged users to increase awareness and modify the rules for threat tags and anomalous behavior alerts
Change the SOAR configuration flow to remove the automatic remediation that is increasing the false positives and triggering threats
Add a confirmation step through which SOAR informs the affected user and asks them to confirm whether they made the attempts
Increase incorrect login tries and tune anomalous user behavior not to affect privileged accounts
Security Concepts
Threat Intelligence and Incident Response