You are on page 1of 5

CCNA Cyber Ops Practice Questions

Study online at

1. ... ... 7. In the context of incident handling phases, which two D,E
activities fall under scoping? (Choose two.)
2. A CMS plugin creates two files that are accessible from B
A. determining the number of attackers that are
the Internet myplugin.html and exploitable.php. A
associated with a security incident
newly discovered exploit takes advantage of an
B. ascertaining the number and types of
injection vulnerability in exploitable.php. To exploit the
vulnerabilities on your network
vulnerability, one must send an HTTP POST with specific
C. identifying the extent that a security incident is
variables to
impacting protected resources on the network
exploitable.php. You see traffic to your webserver that
D. determining what and how much data may have
consists of only HTTP
been affected
GET requests to myplugin.html. Which category best
E. identifying the attackers that are associated with a
describes this activity?
security incident
A. weaponization
B. exploitation 8. In VERIS, an incident is viewed as a series of events D
C. installation that adversely affects the information assets of an
D. reconnaissance organization. Which option contains the elements that
every event is comprised of according to VERIS
3. During which phase of the forensic process are tools A
incident model'?
and techniques used to extract the relevant information
A. victim demographics, incident description, incident
from the collective data?
details, discovery & response
A. examination
B. victim demographics, incident details, indicators of
B. reporting
compromise, impact assessment
C. collection
C. actors, attributes, impact, remediation
D. investigation
D. actors, actions, assets, attributes
4. During which phase of the forensic process is data that A
9. An organization has recently adjusted its security D
is related to a specific event labeled and recorded to
stance in response to online threats made by a
preserve its integrity?
known hacktivist group. Which term defines the initial
A. collection
event in the NIST SP800-61 r2?
B. examination
A. instigator
C. reporting
B. precursor
D. investigation
C. online assault
5. From a security perspective, why is it important to D D. trigger
employ a clock synchronization protocol on a network?
10. A user on your network receives an email in their C
A. so that everyone knows the local time
mailbox that contains a malicious attachment. There is
B. to ensure employees adhere to work schedule
no indication that the file was run. Which category as
C. to construct an accurate timeline of events when
defined in the Diamond Model of Intrusion does this
responding to an incident
activity fall under?
D. to guarantee that updates are pushed out according
A. reconnaissance
to schedule
B. weaponization
6. In Microsoft Windows, as files are deleted the space B C. delivery
they were allocated eventually is considered available D. installation
for use by other files. This creates alternating used and
11. What information from HTTP logs can be used to find C
unused areas of various sizes. What is this called?
a threat actor?
A. network file storing
A. referer
B. free space fragmentation
B. IP address
C. alternate data streaming
C. user-agent
D. defragmentation
12. What is accomplished in the identification phase of D 19. Which CVSSv3 metric value increases when the B
incident handling? attacker is able to modify all files protected by the
A. determining the responsible user vulnerable component?
B. identifying source and destination IP addresses A. confidentiality
C. defining the limits of your authority related to a B. integrity
security event C. availability
D. determining that a security event has occurred D. complexity
13. What mechanism does the Linux operating system C 20. Which data element must be protected with regards to D
provide to control access to files? PCI?
A. privileges required A. past health condition
B. user interaction B. geographic location
C. file permissions C. full name
D. access complexity D. recent payment amount
14. When performing threat hunting against a DNS server, B 21. Which data type is protected under the PCI B
which traffic toward the affected domain is considered compliance framework?
a starting point? A. credit card type
A. HTTPS traffic B. primary account number
B. TCP traffic C. health conditions
C. HTTP traffic D. provision of individual care
D. UDP traffic
22. Which description of a retrospective malvare detection B
15. Which component of the NIST SP800-61 r2 incident B is true?
handling strategy reviews data? A. You use Wireshark to identify the malware source.
A. preparation B. You use historical information from one or more
B. detection and analysis sources to identify the affected host or file.
C. containment, eradication, and recovery C. You use information from a network analyzer to
D. post-incident analysis identify the malware source.
D. You use Wireshark to identify the affected host or
16. Which CVSSv3 Attack Vector metric value requires the A
attacker to physically touch or manipulate the
vulnerable component? 23. Which element can be used by a threat actor to B
A. local discover a possible opening into a target network and
B. physical can also be used by an analyst to determine the
C. network protocol of the malicious traffic?
D. adjacent A. TTLs
B. ports
17. Which CVSSv3 metric captures the level of access that C
C. SMTP replies
is required for a successful attack?
D. IP addresses
A. attack vector
B. attack complexity 24. Which element is included in an incident response A
C. privileges required plan?
D. user interaction A. organization mission
B. junior analyst approval
18. Which CVSSv3 metric value increases when attacks C
C. day-to-day firefighting
consume network bandwidth, processor cycles, or disk
D. siloed approach to communications
A. confidentiality 25. Which element is part of an incident response plan? A
B. integrity A. organizational approach to incident response
C. availability B. organizational approach to security
D. complexity C. disaster recovery
D. backups
26. Which feature is used to find possible vulnerable D 34. Which option creates a display filter on Wireshark on a D
services running on a server? host IP address or name?
A. CPU utilization A. ip.address == <address> or == <network>
B. security policy B. [tcp|udp] ip.[src|dst] port <port>
C. temporary internet files C. ip.addr == <addr> or == <name>
D. listening ports D. ip.addr == <addr> or == <host>
27. Which goal of data normalization is true? A 35. Which option filters a LibPCAP capture that used a host D
A. Reduce data redundancy. as a gateway?
B. Increase data redundancy. A. tcp|udp] [src|dst] port <port>
C. Reduce data availability. B. [src|dst] net <net> [{mask <mask>}|{len <len>}]
D. Increase data availability C. ether [src|dst] host <ehost>
D. gateway host <host>
28. Which identifies both the source and destination A
location? 36. Which option has a drastic impact on network traffic C
A. IP address because it can cause legitimate traffic to be blocked?
B. URL A. true positive
C. ports B. true negative
D. MAC address C. false positive
D. false negative
29. Which information must be left out of a final incident B
report? 37. Which option is a misuse variety per VERIS A
A. server hardware configurations enumerations?
B. exploit or vulnerability used A. snooping
C. impact and/or the financial loss B. hacking
D. how the incident was detected C. theft
D. assault
30. Which kind of evidence can be considered most A
reliable to arrive at an analytical assertion? 38. Which option is generated when a file is run through an B
A. direct algorithm and generates a string specific to the
B. corroborative contents of that file?
C. indirect A. URL
D. circumstantial B. hash
E. textual C. IP address
D. destination port
31. Which network device creates and sends the initial A
packet of a session? 39. Which process is being utilized when IPS events are A
A. source removed to improve data integrity?
B. origination A. data normalization
C. destination B. data availability
D. network C. data protection
D. data signature
32. Which option allows a file to be extracted from a TCP C
stream within Wireshark? 40. Which regular expression matches "color" and "colour"? C
A. File > Export Objects A. col[0-9]+our
B. Analyze > Extract B. colo?ur
C. Tools > Export > TCP C. colou?r
D. View > Extract D. ]a-z]{7}
33. Which option can be addressed when using B 41. Which Security Operations Center's goal is to provide C
retrospective security techniques? incident handling to a country?
A. if the affected host needs a software update A. Coordination Center
B. how the malware entered our network B. Internal CSIRT
C. why the malware is still in our network C. National CSIRT
D. if the affected system needs replacement D. Analysis Center
42. Which source provides reports of vulnerabilities in C 49. Which type of analysis allows you to see how likely C
software and hardware to a Security Operations an exploit could affect your network?
Center? A. descriptive
A. Analysis Center B. casual
B. National CSIRT C. probabilistic
C. Internal CSIRT D. inferential
D. Physical Security
50. Which type of analysis assigns values to scenarios to A
43. Which stakeholder group is responsible for A see what the outcome might be in each scenario?
containment, eradication, and recovery in incident A. deterministic
handling? B. exploratory
A. facilitators C. probabilistic
B. practitioners D. descriptive
C. leaders and managers
51. You have run a suspicious file in a sandbox analysis A,E
D. decision makers
tool to see what the file does. The analysis report
44. Which statement about threat actors is true? C shows that outbound callouts were made post
A. They are any company assets that are threatened. infection. Which two pieces of information from the
B. They are any assets that are threatened. analysis report are needed or required to investigate
C.They are perpetrators of attacks. the callouts? (Choose two.)
D. They are victims of attacks. A. file size
B. domain names
45. Which string matches the regular expression A
C. dropped files
D. signatures
A. rx
E. host IP addresses
B. regeegex
C. r(ege)x 52. You receive an alert for malicious code that exploits A
D. rege+x Internet Explorer and runs arbitrary code on the site
visitor machine. The malicous code is on an external
46. Which two components are included in a 5-tuple? A,B
site that is being visited by hosts on your network.
(Choose two.)
Which user agent in the HTTP headers in the requests
A. port number
from your internal hosts
B. destination IP address
warrants further investigation?
C. data packet
A. Mozilla/5.0 (compatible, MSIE 10.0, Windows NT 6.2,
D. user name
Trident 6.0)
E. host logs
B. Mozilla/5.0 (XII; Linux i686; rv:
47. Which two HTTP header fields relate to intrusion B,C Gecko/20110805
analysis? (Choose two). C. Mozilla/5.0 (Windows NT 6.1; WOW64; rv: 4O0)
A. user-agent Gecko/20100101
B. host D. Opera/9.80 (XII; Linux i686; Ubuntu/14.10)
C. connection Presto/2.12.388 Version/12.16
D. language
53. You see 100 HTTP GET and POST requests for various D
E. handshake type
pages on one of your webservers. The user agent in
48. Which two options can be used by a threat actor to C,D the requests contain php code that, if executed,
determine the role of a server? (Choose two.) creates and writes to a new php file on the
A. PCAP webserver. Which category does this event fall under
B. tracert as defined in the Diamond Model of Intrusion?
C. running processes A. delivery
D. hard drive configuration B. reconnaissance
E. applications C. action on objectives
D. installation
E. exploitation
54. You see confidential data being exfiltrated to an IP address that is attributed to a known APT group. Assume that this is part D
of a real attach and not a network misconfiguration. Which category does this event fall under as defined in the
Diamond Model of Intrusion?
A. reconnaissance
B. weaponization
C. delivery
D. action on objectives