The incident response team receives information about the abnormal behavior of a host. A malicious file is found being executed from an external USB flash drive. The team collects and documents all the necessary evidence from the computing resource. What is the next step?
A.Conduct a risk assessment of systems and applications
B.Isolate the infected host from the rest of the subnet
C.Install malware prevention software on the host
D.Analyze network traffic on the host's subnet
An organization had several cyberattacks over the last 6 months and has tasked an engineer with looking for patterns or trends that will help the organization anticipate future attacks and mitigate them. Which data analytic technique should the engineer use to accomplish this task?
A malware outbreak is detected by the SIEM and is confirmed as a true positive. The incident response team follows the playbook to mitigate the threat. What is the first action for the incident response team?
A.Assess the network for unexpected behavior
B.Isolate critical hosts from the network
C.Patch detected vulnerabilities from critical hosts
D.Perform analysis based on the established risk factors
Refer to the exhibit. Cisco Advanced Malware Protection installed on an end-user desktop automatically submitted a low prevalence file to the Threat Grid analysis engine. What should be concluded from this report?
A.Threat scores are high, malicious ransomware has been detected, and files have been modified
B.Threat scores are low, malicious ransomware has been detected, and files have been modified
C.Threat scores are high, malicious activity is detected, but files have not been modified
D.Threat scores are low and no malicious file activity is detected
An organization is using a PKI management server and a SOAR platform to manage the certificate lifecycle. The SOAR platform queries a certificate management tool to check all endpoints for SSL certificates that have either expired or are nearing expiration. Engineers are struggling to manage problematic certificates outside of PKI management since deploying certificates and tracking them requires searching server owners manually. Which action will improve workflow automation?
A.Implement a new workflow within SOAR to create tickets in the incident response system, assign problematic certificate update requests to server owners, and register change requests.
B.Integrate a PKI solution within SOAR to create certificates within the SOAR engines to track, update, and monitor problematic certificates.
C.Implement a new workflow for SOAR to fetch a report of assets that are outside of the PKI zone, sort assets by certification management leads and automate alerts that updates are needed.
D.Integrate a SOAR solution with Active Directory to pull server owner details from the AD and send an automated email for problematic certificates requesting updates.
Refer to the exhibit. Which data format is being used?
The incident response team was notified of detected malware. The team identified the infected hosts, removed the malware, restored the functionality and data of infected systems, and planned a company meeting to improve the incident handling capability. Which step was missed according to the NIST incident handling guide?
A.Contain the malware
B.Install IPS software
C.Determine the escalation path
D.Perform vulnerability assessment
An employee abused PowerShell commands and script interpreters, which led to an indicator of compromise (IOC) trigger. The IOC event shows that a known malicious file has been executed, and there is an increased likelihood of a breach. Which indicator generated this IOC event?
Refer to the exhibit. Which command was executed in PowerShell to generate this log?
C.Get-WinEvent -ListLog * -ComputerName localhost
Refer to the exhibit. Cisco Rapid Threat Containment using Cisco Secure Network Analytics (Stealthwatch) and ISE detects the threat of malware-infected 802.1x authenticated endpoints and places that endpoint into a Quarantine VLAN using Adaptive Network Control policy.
Which telemetry feeds were correlated with SMC to identify the malware?
A.NetFlow and event data
B.event data and syslog data
C.SNMP and syslog data
D.NetFlow and SNMP
A security architect is working in a processing center and must implement a DLP solution to detect and prevent any type of copy and paste attempts of sensitive data within unapproved applications and removable devices. Which technical architecture must be used?
A.DLP for data in motion
B.DLP for removable data
C.DLP for data in use
D.DLP for data at rest
A security analyst receives an escalation regarding an unidentified connection on the Accounting A1 server within a monitored zone. The analyst pulls the logs and discovers that a PowerShell process and a WMI tool process were started on the server after the connection was established and that a PE format file was created in the system directory. What is the next step the analyst should take?
A.Isolate the server and perform forensic analysis of the file to determine the type and vector of a possible attack
B.Identify the server owner through the CMDB and contact the owner to determine if these were planned and identifiable activities
C.Review the server backup and identify server content and data criticality to assess the intrusion risk
D.Perform behavioral analysis of the processes on an isolated workstation and perform cleaning procedures if the file is malicious
A security expert is investigating a breach that resulted in a $32 million loss from customer accounts. Hackers were able to steal API keys and two-factor codes due to a vulnerability that was introduced in new code a few weeks before the attack. Which step was missed that would have prevented this breach?
A.use of the Nmap tool to identify the vulnerability when the new code was deployed
B.implementation of a firewall and intrusion detection system
C.implementation of an endpoint protection system
D.use of SecDevOps to detect the vulnerability during development
An API developer is improving application code to prevent DDoS attacks. The solution needs to accommodate instances of a large number of API requests coming for legitimate purposes from trustworthy services. Which solution should be implemented?
A.Restrict the number of requests based on a calculation of daily averages. If the limit is exceeded, temporarily block access from the IP address and return a 402 HTTP error code.
B.Implement REST API Security Essentials solution to automatically mitigate limit exhaustion. If the limit is exceeded, temporarily block access from the service and return a 409 HTTP error code.
C.Increase a limit of replies in a given interval for each API. If the limit is exceeded, block access from the API key permanently and return a 450 HTTP error code.
D.Apply a limit to the number of requests in a given time interval for each API. If the rate is exceeded, block access from the API key temporarily and return a 429 HTTP error code.
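The pattern in option D, as an added example that is not code from the original page: a per-API-key sliding-window limiter that blocks a key temporarily and answers HTTP 429 with a Retry-After value, while an allow-list exempts the trusted high-volume services the question mentions. The limits, key names ("key-A", "svc-billing") and the injectable clock are assumptions for the demo.

```python
"""Per-API-key rate limiting with a temporary block and HTTP 429, plus an allow-list
for trusted high-volume services. Added example; not code from the original page."""
import math
import time
from collections import deque


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window_s` seconds per API key.
    Exceeding the limit blocks the key for `block_s` seconds (429 + Retry-After);
    keys in `trusted_keys` are never limited (the "trustworthy services" case)."""

    def __init__(self, limit, window_s, block_s, trusted_keys=(), clock=time.monotonic):
        self.limit = limit
        self.window_s = window_s
        self.block_s = block_s
        self.trusted = set(trusted_keys)
        self.clock = clock                 # injectable for deterministic tests
        self._hits = {}                    # api_key -> deque of request timestamps
        self._blocked_until = {}           # api_key -> time the temporary block ends

    def check(self, api_key):
        """Return (http_status, retry_after_seconds) for one incoming request."""
        now = self.clock()
        if api_key in self.trusted:
            return 200, 0
        until = self._blocked_until.get(api_key)
        if until is not None:
            if now < until:
                return 429, math.ceil(until - now)
            del self._blocked_until[api_key]   # block expired, start fresh
        hits = self._hits.setdefault(api_key, deque())
        while hits and now - hits[0] >= self.window_s:
            hits.popleft()                     # drop requests outside the window
        if len(hits) >= self.limit:
            self._blocked_until[api_key] = now + self.block_s
            hits.clear()
            return 429, self.block_s
        hits.append(now)
        return 200, 0


class FakeClock:
    """Manual clock so the demo and tests do not depend on wall time."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Four requests in four seconds from one key (limit 3 per minute), then the same
    key after the 120 s block expires. Returns the status codes: [200, 200, 200, 429, 200]."""
    clock = FakeClock()
    limiter = RateLimiter(limit=3, window_s=60, block_s=120,
                          trusted_keys={"svc-billing"}, clock=clock)
    codes = []
    for _ in range(4):
        codes.append(limiter.check("key-A")[0])
        clock.advance(1)
    assert limiter.check("svc-billing") == (200, 0)   # trusted service is never throttled
    clock.advance(200)                                # past the 120 s block
    codes.append(limiter.check("key-A")[0])
    return codes


if __name__ == "__main__":
    print(demo())
```

The block is temporary and keyed on the API key rather than the source IP, so a legitimate service behind a shared NAT is not punished for a neighbour's burst, and the Retry-After value gives well-behaved clients something to back off on.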
Refer to the exhibit. The IDS is producing an increased amount of false positive events about brute force attempts on the organization's mail server. How should the Snort rule be modified to improve performance?
A.Block list of internal IPs from the rule
B.Change the rule content match to case sensitive
C.Set the rule to track the source IP
D.Tune the count and seconds threshold of the rule
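What tuning the count and seconds threshold (option D) does to the alert volume, shown as an added example rather than anything from the page: a small simulation of Snort's per-source `threshold` counter run over constructed failed-login events, once with a noisy count and once with a tuned one. The illustrative rule in the comment and the IP addresses are assumptions; the counter semantics are an approximation of Snort 2 behaviour (window starts at the first match from a source, an alert fires every N matches).

```python
"""Simulation of Snort `threshold:type threshold, track by_src, count N, seconds M`
on failed-login events, to show how raising count/seconds suppresses an employee's
mistyped passwords while still alerting on a brute-force source.
Added example; not code from the original page."""
from collections import defaultdict

# Illustrative rule (assumed Snort 2 syntax, not a rule from the page):
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login brute force";
#   content:"LOGIN"; nocase;
#   threshold:type threshold, track by_src, count 10, seconds 60;
#   sid:1000001; rev:2;)


def threshold_alerts(events, count, seconds):
    """events: iterable of (t_seconds, src_ip) rule matches.
    Returns {src_ip: number of alerts fired} under a per-source threshold."""
    state = {}                     # src_ip -> (window_start, matches_in_window)
    alerts = defaultdict(int)
    for t, src in sorted(events):
        window_start, n = state.get(src, (t, 0))
        if t - window_start >= seconds:        # window expired: start a new one
            window_start, n = t, 0
        n += 1
        if n >= count:                         # Nth match in window -> alert, reset
            alerts[src] += 1
            n = 0
        state[src] = (window_start, n)
    return dict(alerts)


def sample_events():
    """Constructed data: one employee mistypes a password three times in 30 s,
    one external host tries 50 logins in 30 s."""
    employee = [(5, "10.1.1.20"), (12, "10.1.1.20"), (30, "10.1.1.20")]
    attacker = [(100 + i * 0.6, "203.0.113.7") for i in range(50)]
    return employee + attacker


if __name__ == "__main__":
    # Noisy rule (count 2): the employee's typos alert as well.
    print("count 2 / 60 s :", threshold_alerts(sample_events(), count=2, seconds=60))
    # Tuned rule (count 10): only the brute-force source alerts.
    print("count 10 / 60 s:", threshold_alerts(sample_events(), count=10, seconds=60))
```

Raising the count from 2 to 10 removes the employee from the alert set entirely and reduces the attacker's 25 alerts to 5, which is still enough to page on; the rule's content match and source tracking are unchanged, so detection coverage is not.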
Where do threat intelligence tools search for data to identify potential malicious IP addresses, domain names, and URLs?
An engineer wants to review the packet overviews of Snort alerts. When printing the Snort alerts, all the packet headers are included, and the file is too large to utilize. Which action is needed to correct this problem?
A.Modify the alert rule to "output alert_syslog: output log"
B.Modify the output module rule to "output alert_quick: output filename"
C.Modify the alert rule to "output alert_syslog: output header"
D.Modify the output module rule to "output alert_fast: output filename"
A company's web server availability was breached by a DDoS attack and was offline for 3 hours because it was not deemed a critical asset in the incident response playbook. Leadership has requested a risk assessment of the asset. An analyst conducted the risk assessment using the threat sources, events, and vulnerabilities. Which additional element is needed to calculate the risk?
B.event severity and likelihood
C.incident response playbook
D.risk model framework
An employee who often travels abroad logs in from a first-seen country during non-working hours.
The SIEM tool generates an alert that the user is forwarding an increased amount of emails to an external mail domain and then logs out.
The investigation concludes that the external domain belongs to a competitor.
Which two behaviors triggered UEBA? (Choose two.)
A.domain belongs to a competitor
B.log in during non-working hours
C.email forwarding to an external domain
D.log in from a first-seen country
E.increased number of sent mails
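The four candidate behaviours above are exactly what a UEBA baseline check produces, so here is an added example (not code or data from the page) that builds a per-user profile from constructed history and scores new events for a first-seen country, a login outside working hours, a forwarding count above the user's own baseline, and forwarding to an external domain. The company domain, the working-hours window and the history are assumptions.

```python
"""UEBA-style self-baseline checks: a per-user profile built from history, then
each new event scored for the behaviours named in the question.
Added example with constructed data; not code from the original page."""
from datetime import datetime, time
from statistics import mean, pstdev

INTERNAL_DOMAIN = "corp.example"   # assumed company mail domain


def build_profile(history):
    """Countries ever seen at login, and mean / std-dev of daily forward counts."""
    logins = [e for e in history if e["type"] == "login"]
    fwd = [e["count"] for e in history if e["type"] == "forward"]
    return {
        "countries": {e["country"] for e in logins},
        "fwd_mean": mean(fwd) if fwd else 0.0,
        "fwd_std": pstdev(fwd) if len(fwd) > 1 else 0.0,
    }


def score_event(profile, event, work_start=time(8), work_end=time(18), z=3.0):
    """Return the list of behaviours this event triggers against the profile."""
    findings = []
    if event["type"] == "login":
        if event["country"] not in profile["countries"]:
            findings.append("login from first-seen country")
        at = event["time"]
        if at.weekday() >= 5 or not (work_start <= at.time() < work_end):
            findings.append("login during non-working hours")
    elif event["type"] == "forward":
        # Flag when above mean + z*std and also above twice the mean, so a
        # near-zero std-dev does not make every small bump an alert.
        limit = profile["fwd_mean"] + z * profile["fwd_std"]
        if event["count"] > max(limit, 2 * profile["fwd_mean"]):
            findings.append("increased number of forwarded mails")
        if event["domain"] != INTERNAL_DOMAIN:
            findings.append("email forwarding to an external domain")
    return findings


def sample_history():
    """Constructed three-week baseline: weekday daytime logins from three
    countries, one to three internal forwards per day."""
    h = []
    for d in range(1, 22):
        if datetime(2021, 6, d).weekday() < 5:
            h.append({"type": "login", "country": ["US", "DE", "FR"][d % 3],
                      "time": datetime(2021, 6, d, 9, 15)})
            h.append({"type": "forward", "count": [1, 2, 3][d % 3],
                      "domain": INTERNAL_DOMAIN})
    return h


def demo():
    """Score the scenario's events; returns {event name: findings}."""
    profile = build_profile(sample_history())
    events = {
        "odd_login": {"type": "login", "country": "BR",
                      "time": datetime(2021, 6, 8, 3, 0)},          # Tuesday 03:00
        "normal_login": {"type": "login", "country": "DE",
                         "time": datetime(2021, 6, 8, 10, 0)},
        "exfil_forward": {"type": "forward", "count": 40,
                          "domain": "competitor.example"},
        "normal_forward": {"type": "forward", "count": 3,
                           "domain": INTERNAL_DOMAIN},
    }
    return {name: score_event(profile, ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name:15s} -> {findings or 'no anomaly'}")
```

Whether the domain "belongs to a competitor" is an investigation conclusion, not something the profile can score, which is why it does not appear in the findings list; the tool only sees deviation from the user's own history.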
How is a SIEM tool used?
A.To collect security data from authentication failures and cyber attacks and forward it for analysis
B.To search and compare security data against acceptance standards and generate reports for analysis
C.To compare security alerts against configured scenarios and trigger system responses
D.To collect and analyze security data from network devices and servers and produce alerts
Refer to the exhibit. What is the threat in this Wireshark traffic capture?
A.A high rate of SYN packets being sent from multiple sources toward a single destination IP
B.A flood of ACK packets coming from a single source IP to multiple destination IPs
C.A high rate of SYN packets being sent from a single source IP toward multiple destination IPs
D.A flood of SYN packets coming from a single source IP to a single destination IP
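The four options differ only in which flag dominates and in the source/destination cardinality, so the way to read such a capture can be coded. Added example, not code or data from the page: a classifier over packet tuples (time, source, destination, TCP flags) that reports the dominant SYN-only or ACK-only burst, how many sources and destinations it involves, and its rate. The captures, thresholds and addresses are constructed assumptions.

```python
"""Classify a flood pattern from a packet list the way an analyst reads a
Wireshark capture: dominant TCP flag, number of sources, number of
destinations, packet rate. Added example; not code or data from the page."""
SYN, ACK = 0x02, 0x10   # TCP flag bits


def classify_flood(packets, min_pps=50.0, many=5):
    """packets: iterable of (t_seconds, src_ip, dst_ip, tcp_flags).
    Returns None for ordinary traffic, or a dict describing the SYN-only or
    ACK-only burst that exceeds `min_pps`."""
    buckets = {"SYN": [], "ACK": []}
    for t, src, dst, flags in packets:
        if flags & SYN and not flags & ACK:          # SYN without ACK
            buckets["SYN"].append((t, src, dst))
        elif flags & ACK and not flags & SYN:        # pure ACK
            buckets["ACK"].append((t, src, dst))
    for kind, pkts in buckets.items():
        if len(pkts) < 2:
            continue
        times = [p[0] for p in pkts]
        span = max(times) - min(times)
        pps = len(pkts) / span if span > 0 else float("inf")
        if pps < min_pps:
            continue                                 # normal traffic level
        sources = {p[1] for p in pkts}
        destinations = {p[2] for p in pkts}
        return {
            "kind": kind,
            "sources": "multiple" if len(sources) >= many else "single",
            "destinations": "multiple" if len(destinations) >= many else "single",
            "pps": round(pps, 1),
        }
    return None


def syn_flood_capture():
    """Constructed: 200 SYNs in 2 s from 40 spoofed addresses toward one web server."""
    return [(i * 0.01, f"198.51.100.{i % 40 + 1}", "10.0.0.5", SYN) for i in range(200)]


def normal_capture():
    """Constructed: three complete handshakes spread over ten seconds."""
    pkts = []
    for n, t0 in enumerate((0.0, 4.0, 9.0)):
        client = f"192.168.1.{n + 10}"
        pkts += [(t0, client, "10.0.0.5", SYN),
                 (t0 + 0.01, "10.0.0.5", client, SYN | ACK),
                 (t0 + 0.02, client, "10.0.0.5", ACK)]
    return pkts


if __name__ == "__main__":
    print(classify_flood(syn_flood_capture()))   # SYN, multiple sources, single destination
    print(classify_flood(normal_capture()))      # None
```

The SYN|ACK replies are deliberately excluded from both buckets: in a real capture they are the victim's half-open responses, and counting them would inflate the apparent rate and misattribute the server as a source.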
An engineer is moving data from NAS servers in different departments to a combined storage database so that the data can be accessed and analyzed by the organization on-demand. Which data management process is being used?
What is a benefit of key risk indicators?
A.clear perspective into the risk position of an organization
B.improved visibility on quantifiable information
C.improved mitigation techniques for unknown threats
D.clear procedures and processes for organizational risk