Professional Documents
Culture Documents
SR°t°1
El SPOTO CyberOp Associate Exam l Threat Hunting and Defending using Cisco Technologie for CyberOps (CBROPS) - Custom E am - VCE Player — G X
OMark.Th <••, 0 c6
, 2;-• l'>, - a -, .t — , --, .t..e.-) . ( 0.„\ k. n - !),
. - ,•,.. i k-
= 0 -, \• < < ,0\9 P -, ', •-\ - i --) • < s--, ',,\• t„.0,, t‘.
r
Item 1 of 110 (Chbic k Q1) Show Answer
.N '
■
,.,
0 \\/"',- .N ---'
i‘ - '‘, --.7, ,-1,2 ,•:- \\,' ...\''',-) 7.
''.- ''' - ,c ,;',\,--,117
_.,
<
,.. •-, c--'-',\'--,-1 ,,. \ •, - '):-, „:-:...\`'.. ,-1,-
,
.
L-.6, ,
/ 4. - / 0 ,--, •7:, --
X0- 1><--)
0 .:_= ' 7 0,.\`>:",' .--`).,-. -' . a..
Ei Mark _< =. 0
Item 2 of 110 (Choice, Q2) Show Answer
What should a security analyst consider when comparing inline traffic interrogation with traffic tapping to determine which approach to use in the network?
-0-
1-1`
, • 1
,
0 1. 0 tjZ)
An analyst received a ticket regarding a degraded processing capability for one of the HR departments servers. On the same day, an engineer noticed a disabled antivirus software and was not able to determine when or why it occurred.
According to the NIST Incident Handling Guide, what is the next phase of this investigation?
0 A. Analysis
O B. Eradication
O C. Detection
O D. Recovery
1:1 Mark
t. o
Item 4 of 110 (Choice, Q4) Show Answer
Refer to the exhibit. An analyst received this alert from the Cisco ASA device, and numerous activity logs were produced. How should this type of evidence be categorized?
0 A. circumstantial
O B. best
O C. indirect
O D. corroborative
SPOTO CyberOps Associate Exam I Threat Hunting and Defending using Cisco Technologies for CyberOps (CBROPS) - Custom Exam - VCE Player EP X
Mark
\c'.',
o C. N[0-9].{3})
0-9 1 3 3 0-9 1 3
Th ‘ ‘../ 2;....-)
-
■ -
, - ' . "r. \` ' n - ,,,.- ' -`1) .-1,:
0 D. "R[ 1{ , }V X H ]{ , }
.0-
s.„
e
<
%.(' r:
0
k
•. \Y tjZ)
Mark
❑
.49 0 (:)
An engineer needs to discover alive hosts within the 192 168.1_0/24 range without triggering intrusive portscan alerts on the IDS device using Nmap. Which command will accomplish this goal?
SPOTO CyberOps Associate Exam I Threat Hunting and Defending using Cisco Technologies for CyberOps (CBROPS) - Custom Exam - VCE Player EP X
4' 0 t.,
Mark L's 1C •C‘ (7) 'T
' n .4 <0
Item 7 of 110 (Choice, Q7) Show Answer
0 A input sanitization
O B. using web based applications Th
0 cx `;x. •
</-*
t)(Z)
SPOTO CyberOps Associate Exam I Threat Hunting and Defending using Cisco Technologies for CyberOps (CBROPS) - Custom Exam - VCE Player EP X
Mark 4;4'
.fl
-
C ‘ C.) 'T
< CD
Item 9 of 110 (Choice, Q9) Show Answer
0 A connectivity data
O B. statistical data 0 IA
,„0:) -
O C. session data
O D. alert data
t)(Z
While viewing packet capture data, an analyst sees that one IP is sending and receiving traffic for multiple devices by modifying the IP header Which technology makes this behavior possible'?
O A TOR
O B. encapsulation
O C. NAT
O D. tunneling
An engineer received an alert affecting the degraded performance of a critical server. Analysis showed a heavy CPU and memory load. What is the next step the engineer should take to investigate this resource usage?
0 A. Run "ps -d" to decrease the priority state of high load processes to avoid resource exhaustion.
O B. Run "ps -m" to capture the existing state of daemons and map required processes to find the gap.
O C. Run "ps -u" to find out who executed additional processes that caused a high load on a server.
O D. Run "ps -ef' to understand which processes are taking a high amount of resources.
A company receptionist received a threatening call referencing stealing assets and did not take any action assuming it was a social engineering attempt. Within 48 hours, multiple assets were breached , affecting the confidentiality of sensitive
information. What is the threat actor in this incident?
r-,
i-i'
,• 0 \M0tjZ)
SPOTO CyberOps Associate Exam I Threat Hunting and Defending using Cisco Technologies for CyberOps (CBROPS) - Custom Exam - VCE Player EP X
Mark
0 A IDS
- -4
O B. web proxy
0
O C. NetFlow
O firewall
• r-N , 0
< 0, "
J O-
, 0 --\Y t)(Z)
An organization's security team has detected network spikes coming from the internal network. An investigation has concluded that the spike in traffic was from intensive network scanning. How should the analyst collect the traffic to isolate
the suspicious host?
Which attack is the network vulnerable to when a stream cipher like RC4 is used twice with the same key?
0 A forgery
O B. ciphertext-only attack
O C. meet-in-the-middle attack
O D. plaintext-only attack
-
r
..;N c5
-
❑ Mark
TIT - T pzr- tv--nouieTu r) A
CRC32 11638A9B
SHA512 5a43bc7eef279b209e2590432cc3e2eb489d0f78004e265f013b98b4afdc9a
A<>,&9.?5
Ssdeep 1536!OAAH2KthG8,(dE, J 3VETeePxsT65ZZ3 8754:pratic.
0 A. The file has an embedded executable and was matched by PEiD threat signatures for further analysis.
O B. The file was matched by PEiD threat signatures but no suspicious features are identified since the signature list is up to date.
O C. The file has an embedded non-Windows executable but no suspicious features are identified.
O D. The file has an embedded Windows 32 executable and the Yara field lists suspicious features for further analysis.
0 A contractual
O B. compliance
O C. regulated
O D legal
r-, .0-
i-i'
,• 0 — 1. 0 tjZ)
❑ Mark
0 A An attack surface identifies vulnerabilities parts for an attack, and an attack vector specifies which attacks are frasible to those parts-
O B. An attack surface recognizes external vulnerabilities, and an attack vector identifies mitigation techniques and possible workarounds.
O C. An attack vector matches components that can be exploited, and an attack surface classifies the potential path for exploitation.
O D. An attack vector identifies the potential outcomes of an attack, and an attack surface launches an attack using several methods against the identified vulnerabilities.
<
Item 20 of 110 (Choice, Q20) Show Answer
0 A. Risk represents the known and identified loss or danger in the system, while threat is a non-identified impact of possible risks.
O B. Threat represents a potential danger that could take advantage of a weakness, while the risk is the likelihood of a compromise or damage of an asset.
O C. Threat is a state of being exposed to an attack or a compromise, while risk is the calculation of damage or potential loss affecting the organization from an exposure.
O D. Risk is the unintentional possibility of damages or harm to infrastructure, while the threats are certain and intentional.
O.
<</ " 0)
D'
-
171 `
t)z_)
What is the impact of false positive alerts on business compared to true positive?
0 A. True-positive alerts are blocked by mistake as potential attacks, while False-positives are actual attacks identified as harmless-
O B. False-positives alerts are manually ignored signatures to avoid warnings that are already acknowledged, while true positives are warnings that are not yet acknowledged.
O C. False-positive alerts are detected by confusion as potential attacks, while true positives are attack attempts identified appropriately.
O D. True-positives affect security as no alarm is raised when an attack has taken place, while false positives are alerts raised appropriately to detect and further mitigate them.
A developer is working on a project using a Linux tool that enables writing processes to obtain these required results:
• If the process is unsuccessful, a negative value is returned.
• If the process is successful, 0 value is returned to the child process, and the process ID is sent to the parent process.
<</" 0)
' N.) D'
-
❑ Mark .49
Item 23 of 110 (Choice, Q23) ' [Show Answer
An analyst received an alert on their desktop computer showing that an attack was successful on the host. After investigating, the analyst discovered that no mitigation action occurred during the attack. What is the reason for this discrepancy?
r-,
•
o
i-i'
,• 1
, 0 -- 1. 0 tjZ)
SPOTO CyberOps Associate Exam I Threat Hunting and Defending using Cisco Technologies for CyberOps (CBROPS) - Custom Exam - VCE Player EP X
Mark
•-■
Os
4' 0
❑
0 <0
Item 25 of 110 (Choice, Q25) Show Answer
<</ 0 0)
-
0 A SIEM predicts and prevents security alerts, while SOAR checks attack patterns and applies the mitigation_
O B. SIEM's primary function is to collect and detect anomalies, while SOAR is more focused on security operations automation and response.
O C SOAR's primary function is to collect and detect anomalies, while SIEM is more focused on security operations automation and response.
O D. SOAR predicts and prevents security alerts, while SIEM checks attack patterns and applies the mitigation_
4, •
❑ Mark
0 \< , u-
Item 27 of 110 (Choice, Q27) Show Answer
An employee reports that someone has logged into their system and made unapproved changes, files are out of order, and several documents have been placed in the recycle bin. The security specialist reviewed the system logs, found
nothing suspicious, and was not able to determine what occurred. The software is up to date, there are no alerts from antivirus and no failed login attempts. What is causing the lack of data visibility needed to detect the attack?
O A. The threat actor used the teardrop technique to confuse and crash login services.
O B. The threat actor gained access to the system by known credentials.
O C. The threat actor used a dictionary-based password attack to obtain credentials.
O D. The threat actor used an unknown vulnerability of the operating system that went undetected.
9 °V
GOe6":
9
• •-t11(‘C'
rAe
c'"<, o
IN S
- .\ - •
V■c-P C
421M E2S9S1X,P
• -- •
e
co 00' • CC\
C:
- ••
, .)$04417•C>,
1.
C.3
\Tc p1
Peer
t ta'cl
cc -
60.06 . 066 ‘'
CC' e 1 66 (17 •
CP ed
Pr - SG .78 op; Ill ST VC ,
0
txos **s
4:.
•
7.37‘10‘0,
4.ort\`;
311e tlie;
n
o 4.I
‘.0
.
°
152 2 ktvl
4 VA%
.4
71.
s
• .4-)CY:
co_
• , 6:
e
0
Ws fo., 2020 944 - 07 SSAvr soiscp• _ ,,,,doc(w ' 3 144 S2599/VP86_
g .",60 LAOs,is L..04.[4.1. 4 1) CACV
Ett 2E, At cp•—•
Refer to the exhibit. What is the potential threat identified in this Steafthwatch dashboard?
0 A Host 10.201.3.149 is receiving almost 19 times more data than is being sent to host 152.46.6.91.
O B. Host 10.201.3.149 is sending data to 152.46.6.91 using TCP/443.
O C. Traffic to 152.46.6.149 is being denied by an Advanced Network Control policy.
O D. Host 152.46.6.91 is being identified as a watchlist country for data transfer.
V
Which metric in CVSS indicates an attack that takes a destination bank account number and replaces it with a different bank account number?
0 A Availability
O B. Integrity
O C. Scope
O Confidentiality
,0
-
SPOTO CyberOps Associate Exam I Threat Hunting and Defending using Cisco Technologies for CyberOps (CBROPS) - Custom Exam - VCE Player CP X
❑ Mark
What is a difference between data obtained from Tap and SPAN ports?
0 A Tap sends traffic from physical layers to the monitoring device, while SPAN provides a copy of network traffic from switch to destination.
O B. Tap mirrors existing traffic from specified ports, while SPAN presents more structured data for deeper analysis.
O C. SPAN passively splits traffic between a network device and the network without altering it, while Tap alters response times.
O D. SPAN improves the detection of media errors. while Tap provides direct access to traffic with lowered data visibility.
J.
r:k
0 --\ -
SPOTO CyberOps Associate Exam I Threat Hunting and Defending using Cisco Technologies for CyberOps (CBROPS) - Custom Exam - VCE Player EP X
Mark n
Item 31 of 110 (Choice, Q31) Show Answer
o a A collection of rules within the sandbox that prevent the communication between sandboxes.
.0-
. 0
0 —\\ ‘• • t)(Z)
< CD
Item 32 of 110 (Choice, Q32) Show Answer
What is personally identifiable information that must be safeguarded from unauthorized access?
0 A gender
O B. date of birth
O C. zip code
O D. driver's license number
.0-
tjZ)
SPOTO CyberOps Associate Exam I Threat Hunting and Defending using Cisco Technologies for CyberOps (CBROPS) - Custom Exam - VCE Player CP X
0 Mark
0 </6‘9 t9i
Item 33 of 110 (Choice, Q33) Show Answer
When an event is investigated, which type of data provides the investigative capability to determine if data exfiltration has occurred?
0 A NetFlow data
O B. session data
O C. full packet capture •-
O ft Firewall logs
, •, \Y tjZ)
0—
N*„
e
o
SPOTO CyberOps Associate Exam I Threat Hunting and Defending using Cisco Technologies for CyberOps (CBROPS) - Custom Exam - VCE Player EP X
11 Mark \ 0 rk
.fl C‘ (7) ,-/‘
0 f,
\ 0
Item 35 of 110 (Choice, Q35) • Show Answer
Which event artifact is used to identity HTTP GET requests for a specific file?
o A URI
O B. TCP ACK 0 cx
Th ' •; s-\ \
O C HTTP status code
O D. destination IP address
--k
.0
,o
-
i-i'
/0 tjZ)
0 A bluesnarfing
O B. denial-of-service Th
0
O C. SQL injection .
O D. man-in-the-middle
N*„
e
o
An engineer is addressing a connectivity issue between two servers where the remote server is unable to establish a successful session. Initial checks show that the remote server is not receiving an SYN-ACK while establishing a session by
sending the first SYN. What is causing this issue?
Mark n
Item 38 of 110 (Choice, Q38) Show Answer
0 A cause of an attack
O B. exploit of an attack ,,,. ,, cl)
M ',./ \-' \L"-) , \ "•,/ ',... ■,,, K
'''' / 0 /• c. \9
-
t)
O C. vulnerabilities exploited N.
e
o
A threat actor penetrated an organization's network. Using the 5-tuple approach, which data points should the analyst use to isolate the compromised host in a grouped set of logs?
0 A event name, log source, time, source IP, and host name
O B. protocol, source IP, source port, destination IP, and destination port
O C. protocol, log source, source IP, destination IP, and host name
O ft event name, log source, time, source IP, and username
.0-
Mark n
Item 40 of 110 (Choice, Q40) Show Answer
What causes events on a Windows system to show Event Code 4625 in the log messages?
•
o
.•"
1-1`
1
,• , 1. 0
❑ Mark 0 Os
-0 '``1›") u.,
Item 41 of 110 (Choice, Q41) Show Answer
An analyst is exploring the functionality of different operating systems_ What is a feature of Windows Management Instrumentation that must be considered when deciding on an operating system?
0 A queries Linux devices that have Microsoft Services for Linux installed
O B. has a Common Information Model, which describes installed hardware and software
O C. is an efficient tool for working with Active Directory
O D. deploys Windows Operating Systems in an automated fashion
Mark
❑
C \s'- • .9 k,c
Item 42 of 110 (Choice, Q42) Show Answer
Refer to the exhibit During the analysis of a suspicious scanning activity incident an analyst discovered multiple local TCP connection events Which technology provided these logs?
0 k Antivirus
O B. IDS/IPS
O C. proxy
O D. Firewall
Spoto 4 x
SPOTO CyberOps Associate Exam I Threat Hunting and Defending using Cisco Technologies for CyberOps (CBROPS) - Custom Exam - VCE Player EP X
❑ Mark
Refer to the exhibit. A security analyst is investigating unusual activity from an unknown IP address Which type of evidence is this file?
0 A. indirect evidence
O B. best evidence
O C. direct evidence
O D. corroborative evidence
Mark
❑
(0
Item 44 of 110 (Choice, Q44) Show Answer
-
0.000093 20.0.2.20 Standard query 1'43441114 NULL
3 0.00000? 10.4141•41■ / 1,. ' query want. laeqpumiplhhpz/' ..lef 1 i*lk
IE
4 0.0011 10. 10.0.7.30 :..andard query response mut.
0.0044 10. 10.0.2.20 steeetarit query MAJ. yroioz *Le. sea
. M11111101 Query resono •
-
to. to.o. 2.30
. 7103 I!t. ', 10.0.2.20 \\O' query _NY:e ".„1‘2103.44.-444143h-Or ink -sal
0.007233 ('. 1:. <0. 2. 10.0.2. 10 4e4(
,• 4
404 44 Mott.
MOM Query mu. 4104a4-1. a .f 1 373t* -r 4 35
,
--,-- 9 0.007346 10.0.2. Pricrir— 10.0.2.20 -
10 0.007460 10.0.2.20 10.0.2.30 Stange, query response Nut.
11 0.007567 10.0.2.30 10.0.2.20 St anglIral query rims riotameccODeff reochritiVoili M1400pPo
12 0.007677 10.0.2.20 10.0. 2. 30 510000r 0 query response 140.1
13 0.007713 10.0. 2. 30 10.0.2.20 Standard query mu. 2ii4040123456769.2 - 4 '175%776 . 477 \ 1001
14 0.0wasa 10.0.2.20 10.0.2.30 standard Query response MULL
IS 0.61M13 10.0.2.30 10 0.2.20 standard query NULL a11ba4\320,321\322\323\32v,323 - .321Mil
-- " — -., -- •- r
J . .. . . .. .
-
rate.sea: t
MOO WT/0 27 C7 6e ba 00 00
3010 00 4A 00 09 40 og 40 31
)020 02 14 ee sr 00 xs oo 30
3030 00 00 00 430 00 00
2040
)050
0 k ARP poisoning
O B. DNS tunneling
O C. DNS amplification
O D. ARP flood
, A N*„
1-1`
, •, 0 \Y tjZ)
0 A Agentless can access the data via API. while agent-base uses a less efficient method and accesses log data through WMI.
O B. Agent-based monitoring is less intrusive in gathering log data, while agentless requires open ports to fetch the logs
O C. Agent-based has a possibility to locally filter and transmit only valuable data, while agentless has much higher network utilization.
O a Agent-based monitoring has a lower initial cost for deployment, while agentless monitoring requires resource-intensive deployment.
O.
<</ 0 0)
-
71
0 1` t*,
SPOTO CyberOps Associate Exam I Threat Hunting and Defending using Cisco Technologies for CyberOps (CBROPS) - Custom Exam - VCE Player EP X
4' 0 t.,
Mark Os •C‘ (7) r)%
IN( . fl %./
-0
Item 47 of 110 (Choice, Q47) Show Answer
Which information must an organization use to understand the threats currently targeting the organization?
0 A vulnerability exposure
O B. threat intelligence
O C. vendor suggestions
O ft risk scores
.0-
,o c
-
Spoto I 4 x
SPOTO CyberOps Associate Exam I Threat Hunting and Defending using Cisco Technologies for CyberOps (CBROPS) - Custom Exam - VCE Player CP X
4'
Mark t/ Os
n 1C
.4 , C) C‘ C.) 67. 0
<CD
Item 48 of 110 (Choice, Q48) Show Answer
0 A Tunneling
O B. NAT/PAT
• 0 s-\ \ t)
O C. load balancing
O D. encryption
. 0 -
,o
-
4, •
An analyst is using the STEM platform and must extract a custom property from a Cisco device and capture the phrase, "File: Clean." Wich regex must the analyst import?
0 A File: Clean(*)
O B. File: Clean K./ -.9
O C. Parent File: CleanS ) •
O a Pile, CleanS
("N
..; °
-
1:1 Mark
Which type of access control depends on the job function of the user?
■..\° o
O nondiscretionary access control
r-,
•
o
i-i'
, •, 0 \Y1. 0tjZ)