Sr°T°1 Spoto Cyberop Associate Exam L Threat Hunting and Defending Using Cisco Technologie For Cyberops (Cbrops) - Custom E Am - Vce Player 4 H X - 9

0 4 h X
SR°t°1
El SPOTO CyberOp Associate Exam l Threat Hunting and Defending using Cisco Technologie for CyberOps (CBROPS) - Custom E am - VCE Player — G X
OMark.Th <••, 0 c6
, 2;-• l'>, - a -, .t — , --, .t..e.-) . ( 0.„\ k. n - !),
. - ,•,.. i k-
= 0 -, \• < < ,0\9 P -, ', •-\ - i --) • < s--, ',,\• t„.0,, t‘.
r
Item 1 of 110 (Chbic k Q1) Show Answer
What is a difference between tampered and untampered disk images?
0 A Tampered images have the same stored and computed hash

0 B. Untampered images are deliberately altered to preserve as evidence. /- -k , 0 c.,)
•. '`;?' ' l. k.D ex e", 0 cy,
(--) <(/ \9
,,-,,
_ .,_:._';< 0•-• . t>, C) ---- `;?' •
.N '
■
,.,
0 C. Tampered images are used as evidence 'x' - ' ,.... --

il, 'N -
— , \
,.k \ i'l - N... - " "",, .-•,•,‘ . i l,-
0 D. Untampered images are used for forensic investigations ,
-
0 \\/"',- .N ---'
i‘ - '‘, --.7, ,-1,2 ,•:- \\,' ...\''',-) 7.
''.- ''' - ,c ,;',\,--,117
_.,
<
,.. •-, c--'-',\'--,-1 ,,. \ •, - '):-, „:-:...\`'.. ,-1,-
,
.
L-.6, ,
/ 4. - / 0 ,--, •7:, --
X0- 1><--)
0 .:_= ' 7 0,.\`>:",' .--`).,-. -' . a..
Select the best choice.

\ ,
'-(\ \\ Air4.'
, I
Previous i Next 1 RenewAll ■1 C-. . , ,, \>... 3repildive Session 1 t End Exam
Spoto 4 I> X
SPOTO CyberOps Associate Exam I Threat Hunting and Defending using Cisco Technologies for CyberOps (CBROPS) - Custom Exam - VCE Player CP X
Ei Mark _< =. 0
Item 2 of 110 (Choice, Q2) Show Answer
What should a security analyst consider when comparing inline traffic interrogation with traffic tapping to determine which approach to use in the network?
0 A Tapping interrogation replicates signals to a separate port for analyzing traffic

O B. Tapping interrogations detect and block malicious traffic
O C. Inline interrogation detects malicious traffic but does not block the traffic
O D. Inline interrogation enables viewing a copy of traffic to ensure traffic is in compliance with security policies
-0-
1-1`
, • 1
,
0 1. 0 tjZ)
Previous I Next ReviewAll • I ., \>:3C-4iiiive Session I t End Exam

Spoto 4 x
❑ Mark Os
< 0
•,\• t. &
An analyst received a ticket regarding a degraded processing capability for one of the HR departments servers. On the same day, an engineer noticed a disabled antivirus software and was not able to determine when or why it occurred.
According to the NIST Incident Handling Guide, what is the next phase of this investigation?
0 A. Analysis
O B. Eradication
O C. Detection
O D. Recovery
Select the best choice. 100%
Previous I Next ReviewAll ■ Save Session End Exam

Spoto
SPOTO CyberOps Associate Exam I Threat Hunting and Defending using Cisco Technologies for CyberOps (CBROPS) - Custom Exam - VCE Player
1:1 Mark
t. o
Aug 24 2020 09:02:37: NASA-4-106023: Deny tcp src outtside:209.165.200.228/515851st

instde:192.162 tr, -, 77/22 by access-group "OUTS' DE 10x5063b82f, OxOJ
Refer to the exhibit. An analyst received this alert from the Cisco ASA device, and numerous activity logs were produced. How should this type of evidence be categorized?
0 A. circumstantial
O B. best
O C. indirect
O D. corroborative
Previous I Next 11 ReviewAll ■ I Save Session End Exam

Spoto I 4 I> X
SPOTO CyberOps Associate Exam I Threat Hunting and Defending using Cisco Technologies for CyberOps (CBROPS) - Custom Exam - VCE Player EP X
Mark
Which regular expression is needed to capture the IP address 192.16820.232?
0 A -„_.. .._. c._.

-A -A
0 B. "(740-91{1,3}%.X1,41 .
,;.,,
\c'.',
o C. N[0-9].{3})
0-9 1 3 3 0-9 1 3
Th ‘ ‘../ 2;....-)
-
■ -
, - ' . "r. \` ' n - ,,,.- ' -`1) .-1,:
0 D. "R[ 1{ , }V X H ]{ , }
.0-
s.„
e
<
%.(' r:
0
k
•. \Y tjZ)
Previous I Next I ReviewAll ■ I C-;. . , A>tis iiitive Session I t End Exam

Spoto
Mark
❑
.49 0 (:)
An engineer needs to discover alive hosts within the 192 168.1_0/24 range without triggering intrusive portscan alerts on the IDS device using Nmap. Which command will accomplish this goal?
0 A Nmap -sV 192_168.1.0/24

O B. Namp -sL 192.168.1.0/24
O C. Nmap —top-ports 192.168.1.0/24
O D Nmap -sP 192_168_1_0/24
Previous I Next I ReviewAll ■ I Save Session End Exam

Spoto 4 x
4' 0 t.,
Mark L's 1C •C‘ (7) 'T
' n .4 <0
Which action prevents buffer overflow attacks?
0 A input sanitization
O B. using web based applications Th
0 cx `;x. •
O C. using a Linux operating system

v
O a variable randomization
</-*
t)(Z)
Select the best choice. I

Previous Next ReviewAll ■ ,A>:3C:41Flave Session I t End Exam
-J
Spoto I 4 x
❑ Mark
5,■9 1•,C
,2 _
192.168.10.10 - [(91/Dec/2020:11:12:22 -0200] "GET /icons/powered by_rh.png HTT

P/1.1" 00-1213 "http://192.168.1 102f""Mozilla/5.0 (X1),;y; Linux x86_64; en-U 0-
0
c$:A4.9.0.12) Gecko/2 f f..!‘f UbUntlil8.04 (haW)Vrefox./3.0.12" Gc;\0
192.168.10.10 - - [01/Dec/2020: I 1:13:15 -0200] "GET /favicon.ico HTTP/1.1" 404 2
88 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.12) Gecko/2009070812
Ubuntu/8.04 (hardy) Firefox/3.0.12"
192.168.10.10 - - 191/Dec/2020:11:14:22 -0290) "GET / 6/027%27;!-V03,2')/03CXSS,O3E=& I
HTTP/1.1" 404 310 "." "Mozilla/5.04111; U; Linux x86 64; en-US; rv:I.9.0.12)
G1002009070812 Ubuntu/84)4(Thasdy) Firefox./3.0.)*,e`‘ \o(W'rc
cx-' GC \ GC
Refer to the exhibit. What is occurring within the exhibit?
0 A. cross-site scripting attack

\_0
O B. XML External Entities attack
O C. regular GET requests
O D. insecure deserialization
Previous I Next ReviewAll ■ , 4 1iiiive Session I t End Exam

Spoto 4 x
Mark 4;4'
.fl
-
C ‘ C.) 'T
< CD
Which data type is necessary to get information about source/destination ports?
0 A connectivity data
O B. statistical data 0 IA
,„0:) -
O C. session data
O D. alert data
t)(Z

Previous I Next ReliewAll • I C-;. . , \--'
,. A>:3c:41i1ave Session I t End Exam
Spoto 4 x
❑ Mark
- 9 •<<,6`9, 1>cji
„
While viewing packet capture data, an analyst sees that one IP is sending and receiving traffic for multiple devices by modifying the IP header Which technology makes this behavior possible'?
O A TOR
O B. encapsulation
O C. NAT
O D. tunneling

Spoto 4 x
Mark Os
u.,
❑
An engineer received an alert affecting the degraded performance of a critical server. Analysis showed a heavy CPU and memory load. What is the next step the engineer should take to investigate this resource usage?
0 A. Run "ps -d" to decrease the priority state of high load processes to avoid resource exhaustion.
O B. Run "ps -m" to capture the existing state of daemons and map required processes to find the gap.
O C. Run "ps -u" to find out who executed additional processes that caused a high load on a server.
O D. Run "ps -ef' to understand which processes are taking a high amount of resources.
Previous Next ReviewAll ■ Save Session End Exam

Spoto 4 x
cs .
❑ Mark
A company receptionist received a threatening call referencing stealing assets and did not take any action assuming it was a social engineering attempt. Within 48 hours, multiple assets were breached , affecting the confidentiality of sensitive
information. What is the threat actor in this incident?
0 A. perpetrators of the attack

O B. customer assets that are threatened
O C. company assets that are threatened
O it victims of the attack
Previous I Next ReviewAll • Save Session End Exam

Spoto I 4 x
Mark n
Item 13 of 110 (Chotce, Q13) Show Answer
Which event is a vishing attack?
0 A using a vulnerability scanner on a corporate network

O B. setting up a rogue access point near a public hotspot
O C. impersonating a tech support agent during a phone call -
O D. obtaining disposed documents from an organization
r-,
i-i'
,• 0 \M0tjZ)

ir4'
Previous Next ReviewAll c. , A>tis litive Session I t End Exam
Spoto 4 x
Mark
Mar 07 2020 16:16:48: %ASA-4-106623: Deny tcp src

ou e:10.22.219.22104602 dst outsideq lc.), ,22.250.212/504
access-group "out8ade" [Ox0, Ox0]
Refer to the exhibit. Which technology generates this log?
0 A IDS
- -4
O B. web proxy
0
O C. NetFlow
O firewall
• r-N , 0
< 0, "
J O-
, 0 --\Y t)(Z)

<c.4 tvrt. '
Previous Next ReviewAll ■ ., \>:3C-4iiitive Session I t End Exam

Spoto 4 I> x
SPOTO CyberOps Associate Exam I Threat Hunting and Defending u Cisco Technologies for CyberOps (CBROPS) - Custom Exam - VCE Player — 01 X
❑ Mark ' Os o .)
Item 15 of 110 (Choice, Q15) I Show Answer
An organization's security team has detected network spikes coming from the internal network. An investigation has concluded that the spike in traffic was from intensive network scanning. How should the analyst collect the traffic to isolate
the suspicious host?
0 A. by most used ports

O 11 based on the most used applications
O C. based on the protocols used
O D. by most active source IP

Spoto
01 SPOTO CyberOps Associate Exam I Threat Hunting and Defending using Cisco Technologiet for CyberOps (CBROPS) - Custom Exam - VCE Player
❑ Mark „n_
Which attack is the network vulnerable to when a stream cipher like RC4 is used twice with the same key?
0 A forgery
O B. ciphertext-only attack
O C. meet-in-the-middle attack
O D. plaintext-only attack
-
r
..;N c5
-
Previous Next ReviewAll ■ I .,• A>i—r:1,4 1itive Session I t End Exam

-
Spoto 4 x
SPOTO CyberOps Associate Exam I Threat Hunting and Defending using Cisco Technologies for CyberOps (CBROPS) - Custom Exam - VCE Player — 0 X
❑ Mark
TIT - T pzr- tv--nouieTu r) A
File name -2009-4324 PDF 2009-1 r30 note200911.pdf
File size, 408918 bytP s

CW 1 ‘ 6
06\
GC\e CC\
File type PDF document. version 1 6
CRC32 11638A9B
MD5 ) 1baabd6fcl2e4111f f73ceac 73 , c84f 9a
SH A1\0' 0805d0aefa b9a3f 4c 1868d552 f 5s, ptiAbI)

Cu"'"
SHA256 27cced58a0fcbbObbe3894f74d3014611039fefdf3bd2bOba7ad85b18194c
SHA512 5a43bc7eef279b209e2590432cc3e2eb489d0f78004e265f013b98b4afdc9a
A<>,&9.?5
Ssdeep 1536!OAAH2KthG8,(dE, J 3VETeePxsT65ZZ3 8754:pratic.
eG)6 6V‘ None rrtIctned
Yara • embedded_pe (Contains an embedded PE32 file)

• embeddedsvin _aol IA non -Windbags eitecutabli 4;ittains tee132 API
\.• vmdetect (Possibly employs\enivii4lizabon teeimiques1A
VIrueW Permalink Ax.30\n
CC- \ `'c) VirusTcti\gan Date: 2013.12-27 06:-.,Lar

Detection Rate. 32'46 ycwapser
Refer to the exhibit An engineer is analyzing this Cuckoo Sandbox report for a PDF file that has been downloaded from an email_What is the state of this file?
0 A. The file has an embedded executable and was matched by PEiD threat signatures for further analysis.
O B. The file was matched by PEiD threat signatures but no suspicious features are identified since the signature list is up to date.
O C. The file has an embedded non-Windows executable but no suspicious features are identified.
O D. The file has an embedded Windows 32 executable and the Yara field lists suspicious features for further analysis.
Previous I Next II RetiewAll Save Session End Exam

Spoto 4DX
SPOTO CyberOps Associate Exam I Threat Hunting and Defending using Cisco Technologiet for CyberOps (CBROPS) - Custom Exam - VCE Player CP X
Mark n
Which category relates to improper use or disclosure of Pll data?
0 A contractual
O B. compliance
O C. regulated
O D legal
r-, .0-
i-i'
,• 0 — 1. 0 tjZ)

ir4'
Previous Next ReviewAll ■ I C-;. . , A>tis iiiiiive Session I t End Exam
Spoto 4 x
,,--...
0 Os
0
❑ Mark
What is the difference between an attack vector and an attack surface?
0 A An attack surface identifies vulnerabilities parts for an attack, and an attack vector specifies which attacks are frasible to those parts-
O B. An attack surface recognizes external vulnerabilities, and an attack vector identifies mitigation techniques and possible workarounds.
O C. An attack vector matches components that can be exploited, and an attack surface classifies the potential path for exploitation.
O D. An attack vector identifies the potential outcomes of an attack, and an attack surface launches an attack using several methods against the identified vulnerabilities.

Spoto
0
Mark Os
CD ',\• &
❑
<
What is the difference between a threat and a risk?
0 A. Risk represents the known and identified loss or danger in the system, while threat is a non-identified impact of possible risks.
O B. Threat represents a potential danger that could take advantage of a weakness, while the risk is the likelihood of a compromise or damage of an asset.
O C. Threat is a state of being exposed to an attack or a compromise, while risk is the calculation of damage or potential loss affecting the organization from an exposure.
O D. Risk is the unintentional possibility of damages or harm to infrastructure, while the threats are certain and intentional.
O.
<</ " 0)
D'
-
171 `
t)z_)
Previous Next ReviewAll ■ I C-;. . , A>tis tilive Session I t End Exam

Spoto
•-■
❑ Mark Os
0 ,
< ' N•
What is the impact of false positive alerts on business compared to true positive?
0 A. True-positive alerts are blocked by mistake as potential attacks, while False-positives are actual attacks identified as harmless-
O B. False-positives alerts are manually ignored signatures to avoid warnings that are already acknowledged, while true positives are warnings that are not yet acknowledged.
O C. False-positive alerts are detected by confusion as potential attacks, while true positives are attack attempts identified appropriately.
O D. True-positives affect security as no alarm is raised when an attack has taken place, while false positives are alerts raised appropriately to detect and further mitigate them.

Spoto
9 0
❑ Mark .
0 < CD
A developer is working on a project using a Linux tool that enables writing processes to obtain these required results:
• If the process is unsuccessful, a negative value is returned.
• If the process is successful, 0 value is returned to the child process, and the process ID is sent to the parent process.
Which component results from this operation?
0 A new process created by parent process

O B. process spawn scheduled
O C. parent directory name of a file pathname
O D. macros for managing CPU sets
O.
<</" 0)
' N.) D'
-

Previous Next ReviewAll ■ \"--
4
:..A>:3C- 4 1iave Session I t End Exam
Spoto 4 I> X
SPOTO CyberOps Associate Exam I Threat Hunting and Defending using Cisco Technologies for CyberOps (CBROPS) - Custom Exam - VCE Player — EP X
❑ Mark .49
Item 23 of 110 (Choice, Q23) ' [Show Answer
An analyst received an alert on their desktop computer showing that an attack was successful on the host. After investigating, the analyst discovered that no mitigation action occurred during the attack. What is the reason for this discrepancy?
0 A. The computer has a HIDS installed on it.

O B. The computer has a NIPS installed on a.
O C. The computer has a NIDS installed on it.
O D The computer has a HIPS installed on it.
Previous Next ReviewAn ■ Save Session End Exam

Spoto I 4 x
Mark n
Which piece of information is needed for attribution in an investigation?
0 A proxy logs showing the source RFC 1918 IP addresses

O B. known threat actor behavior
A
O C. 802.1x RADIUS authentication pass arid fail logs
O D RDP allowed from the Internet
r-,
•
o
i-i'
,• 1
, 0 -- 1. 0 tjZ)

Art. '
Previous Next ReviewAn ■ ., Ais tillive Session I t End Exam

Spoto 4 x
Mark
•-■
Os
4' 0
❑
0 <0
How does certificate authority impact a security?
0 A It authenticates client identity when requesting an SSL certificate

O B. It authenticates domain identity when requesting SSL certificate
O C. It validates the domain identity of a SSL certificate
O D. It validates client identity when communicating with the server
<</ 0 0)
-

Previous Next ReviewAll ■ A>:3C-44 1Flave Session I t End Exam
Spoto l x
0
Mark
-0
What is a difference between SIEM and SOAR?
0 A SIEM predicts and prevents security alerts, while SOAR checks attack patterns and applies the mitigation_
O B. SIEM's primary function is to collect and detect anomalies, while SOAR is more focused on security operations automation and response.
O C SOAR's primary function is to collect and detect anomalies, while SIEM is more focused on security operations automation and response.
O D. SOAR predicts and prevents security alerts, while SIEM checks attack patterns and applies the mitigation_
4, •
Previous I Next ReviewAll ■ ., %>:3C-cfs tillave Session I t End Exam

Spoto
❑ Mark
0 \< , u-
An employee reports that someone has logged into their system and made unapproved changes, files are out of order, and several documents have been placed in the recycle bin. The security specialist reviewed the system logs, found
nothing suspicious, and was not able to determine what occurred. The software is up to date, there are no alerts from antivirus and no failed login attempts. What is causing the lack of data visibility needed to detect the attack?
O A. The threat actor used the teardrop technique to confuse and crash login services.
O B. The threat actor gained access to the system by known credentials.
O C. The threat actor used a dictionary-based password attack to obtain credentials.
O D. The threat actor used an unknown vulnerability of the operating system that went undetected.

Spoto 4 x
SPOTO CyberOps Associate Exam I Threat Hunting and Defending using Cisco Technologiet for CyberOps (CBROPS) - Custom Exam - VCE Player EP X
•
D Mark (Th <<;" 4/ 0
9 °V
GOe6":
9
• •-t11(‘C'
rAe
c'"<, o
IN S
- .\ - •
SUBJE CT BYTES APPt KAT TOTAL BYTES KIR IP ACME
V■c-P C
421M E2S9S1X,P
• -- •
e
co 00' • CC\
C:
- ••
, .)$04417•C>,
1.
C.3
\Tc p1
Peer
t ta'cl
cc -
60.06 . 066 ‘'
CC' e 1 66 (17 •
CP ed
Pr - SG .78 op; Ill ST VC ,
Lle rl 133 SIILEO
0
txos **s
4:.
•
7.37‘10‘0,
4.ort\`;
311e tlie;
n
o 4.I
‘.0
.
°
152 2 ktvl
4 VA%
.4
71.
s
• .4-)CY:
co_
• , 6:
e
0
Ws fo., 2020 944 - 07 SSAvr soiscp• _ ,,,,doc(w ' 3 144 S2599/VP86_
g .",60 LAOs,is L..04.[4.1. 4 1) CACV
Ett 2E, At cp•—•
• " 04611110p4. Ala.

(5tv 1 .oin Ste oes1 Amos ant lAsototrxt. •
Refer to the exhibit. What is the potential threat identified in this Steafthwatch dashboard?
0 A Host 10.201.3.149 is receiving almost 19 times more data than is being sent to host 152.46.6.91.
O B. Host 10.201.3.149 is sending data to 152.46.6.91 using TCP/443.
O C. Traffic to 152.46.6.149 is being denied by an Advanced Network Control policy.
O D. Host 152.46.6.91 is being identified as a watchlist country for data transfer.
V
Previous Next Review AO ■-1, Save Session End Exam

Spoto
❑ Mark _ < ‘k
-‘,\P
Which metric in CVSS indicates an attack that takes a destination bank account number and replaces it with a different bank account number?
0 A Availability
O B. Integrity
O C. Scope
O Confidentiality
,0
-
Previous I Next RenewAll ■ (PikliVe Session I t End Exam

Spoto 4DX
❑ Mark
What is a difference between data obtained from Tap and SPAN ports?
0 A Tap sends traffic from physical layers to the monitoring device, while SPAN provides a copy of network traffic from switch to destination.
O B. Tap mirrors existing traffic from specified ports, while SPAN presents more structured data for deeper analysis.
O C. SPAN passively splits traffic between a network device and the network without altering it, while Tap alters response times.
O D. SPAN improves the detection of media errors. while Tap provides direct access to traffic with lowered data visibility.
J.
r:k
0 --\ -
Previous Next eviewAll ■ I ., \>tik litiwe Session I t End Exam

Spoto 4 x
Mark n
What is a sandbox interprocess communication service?
0 A. A collection of host services that allow for communication between sandboxes_

O B. A collection of interfaces that allow for coordination of activities among processes.
O C. A collection of network services that are activated on an interface, allowing for inter-port communication. •-
o a A collection of rules within the sandbox that prevent the communication between sandboxes.
.0-
. 0
0 —\\ ‘• • t)(Z)
Previous Next ReviewAn ■ ., ,

4.4 4Wave Session I t End Exam
Spoto 4 x
4'
11 Mark .fl
-
C ‘ C.) 'T 0
< CD
What is personally identifiable information that must be safeguarded from unauthorized access?
0 A gender
O B. date of birth
O C. zip code
O D. driver's license number
.0-
tjZ)
Previous I Next ReviewAll ■ A>:3C-41Flave Session I t End Exam

Spoto 4 I> X
0 Mark
0 </6‘9 t9i
When an event is investigated, which type of data provides the investigative capability to determine if data exfiltration has occurred?
0 A NetFlow data
O B. session data
O C. full packet capture •-
O ft Firewall logs
, •, \Y tjZ)
0—
Previous I Next I ReviewAll ■ I C-;. :, . is ive Session I t End Exam

Spoto I 4 x
SPOTO CyberOps Associate Exam I Threat Hunting and Defending using Cisco Technologiet for CyberOps (CBROPS) - Custom Exam - VCE Player CP X
12Mark n
What is the principle of defense-in-depth?
0 A Agentless and agent-based protection for security are used

O B. Authentication, authorization, and accounting mechanisms are used.
Th
O C. Access control models are involved.
O D. Several distinct protective layers are involved.
N*„
e
o

Atfr4:'
Previous I Next I ReviewAll ■ I ., A>tis litive Session I t End Exam
Spoto 4 x
11 Mark \ 0 rk
.fl C‘ (7) ,-/‘
0 f,
\ 0
Item 35 of 110 (Choice, Q35) • Show Answer
Which event artifact is used to identity HTTP GET requests for a specific file?
o A URI
O B. TCP ACK 0 cx
Th ' •; s-\ \
O C HTTP status code
O D. destination IP address
--k
.0
,o
-
i-i'
/0 tjZ)
Previous I Next ReviewAll ■ C-;. . , A>:3C:44 iiitave Session I t End Exam

Spoto I 4 x
Mark n
Which attack represents the evasion technique of resource exhaustion?
0 A bluesnarfing
O B. denial-of-service Th
0
O C. SQL injection .
O D. man-in-the-middle
N*„
e
o
Previous Next ReviewAn ■ C-. . , Ais iiiiive Session I t End Exam

Spoto
r-1„.
❑ Mark
An engineer is addressing a connectivity issue between two servers where the remote server is unable to establish a successful session. Initial checks show that the remote server is not receiving an SYN-ACK while establishing a session by
sending the first SYN. What is causing this issue?
0 A. incorrect OSI configuration

O B. incorrect UDP handshake
O C. incorrect TCP handshake
O D. incorrect snaplen configuration
Previous Next ReviewAll ∎I Save Session End Exam

Spoto I
Mark n
What does cyber attribution identity in an investigation?
0 A cause of an attack
O B. exploit of an attack ,,,. ,, cl)
M ',./ \-' \L"-) , \ "•,/ ',... ■,,, K
'''' / 0 /• c. \9
-
t)
O C. vulnerabilities exploited N.
O ft threat actors of an attack
e
o

Atfr4:'
Previous I Next I ReviewAll ■ I ., A>tis tilive Session it End Exam
Spoto 4 I> X
67, 0
Mark
< .,\•`""t. &
A threat actor penetrated an organization's network. Using the 5-tuple approach, which data points should the analyst use to isolate the compromised host in a grouped set of logs?
0 A event name, log source, time, source IP, and host name
O B. protocol, source IP, source port, destination IP, and destination port
O C. protocol, log source, source IP, destination IP, and host name
O ft event name, log source, time, source IP, and username
.0-
Previous Next ReriewAll ■ I ., A>tis iiiive Session I t End Exam

Spoto I
Mark n
What causes events on a Windows system to show Event Code 4625 in the log messages?
0 A Another device is gaining root access to the system

O B. The system detected an XSS attack
O C. Someone is trying a brute force attack on the network •-
O D A privileged user successfully logged into the system
•
o
.•"
1-1`
1
,• , 1. 0
Previous I Next I ReviewAll ■ I C-;. . , A>tis tilive Session I t End Exam

Spoto
❑ Mark 0 Os
-0 '``1›") u.,
An analyst is exploring the functionality of different operating systems_ What is a feature of Windows Management Instrumentation that must be considered when deciding on an operating system?
0 A queries Linux devices that have Microsoft Services for Linux installed
O B. has a Common Information Model, which describes installed hardware and software
O C. is an efficient tool for working with Active Directory
O D. deploys Windows Operating Systems in an automated fashion

Spoto I
SPOTO CyberOps Associate Exam I Threat Hunting and Defending using Cisco Technologiet for CyberOps (CBROPS) - Custom Exam - VCE Player
Mark
❑
C \s'- • .9 k,c
Over IllsamapeiASA- 6 -3112013: Built I inbound I cnktbound ?CP

s.2nnaction to.r.cTnistrface dk.14.,2 sek*t.t -port ( ppet,
-
Tort )'4 (icif u (4551 In tikiace •
v•k'
rt ( lia4ped-para
Refer to the exhibit During the analysis of a suspicious scanning activity incident an analyst discovered multiple local TCP connection events Which technology provided these logs?
0 k Antivirus
O B. IDS/IPS
O C. proxy
O D. Firewall

-
Spoto 4 x
❑ Mark
lkov 30 17:48:38 sshd[22997;: Invalid user password from 218.26.11.11

Nov 30 17:48:39 ip-: - :-31-Z - -_53 sshd[22997]: :valid user password from,:c18.26.11.11
Nov 30 - seld[22999;: Invalid user password from 218.26.11.11..
A
Nov 30 ostil mhd[2 :2999]: Invalid user:R fd from 218.26.11.11 er:
N
706 A8:41 ip-172-3.1-27.7.0 Nihd[22999]: ■ Invalid yT*VaLsinuoid from 218.26. "
17:48:41 ip-172-31-:P=153 sshd[22999]: Invalid er password from 218.2 1.1:
Nov 30 17:48:43 ip-172-31-27-153 sshd[23001]: Invalid user password from
Nov 30 17:48:43 ip-172-31-27-153 sshd[23001]: Invalid user password from 218.2€.:_...:
Nov 30 17:40:44 ip-1 - 2-31-2 7 -'_53 sshd[23001]: Invalid user password from 218.2E. —
Nov 30 17:49:46 sshd[23003]: 3. nvalid user password from:N.19.2E. --
Nov 30 1 7 :47: 4 sshdf2388'3]: Invalid user password from
Nov 39 , 13[i9003]: Invalid user , Wwdrd from cIV•
, `` \\
ip-172-31-Z'- . .Ashd[23003]: Invalid 60-Assword from 218.26.elogIL
llov 30 17:46:48 ip-172-31--'-_.:3 sshd[23005]: InvalicPuser password from 218.24":71.11 C
Nov 30 17:48:48 ip-172-31-2 - -:03 sshd[23005]: Invalid user password from 218.26.11.11
Nov 30 17:48:48 ip-172-31-2 - -.3 sshd[23005]: Invalid user password from 218.26.11.1i
Nov 30 17:48149 ip-172-31-:'-.53 sshd[23005]: Invalid user password from
30 17:40:51 1p-172-31-2 - -.E.3 sshd[23007]: Invalid user password from
NTV 30 17:48:51 ashd[23007]: Vhvalid user password
Nov 30 17:48.:51 - sshd[2300'1: Invalid user password from 218.2e..._
Nov 39 0ed48:51 ip-172-31-27-.51apd[23007]: Invalid use'spI-r5word from 218.26..:.... --
: 76eW17:48:54
7 ip-172-3147(504ishd[23009]: Invalic assword from 218.26cea
::-6v 30 17:48:54 ip-172-31-21-153 sshd[23009]: C
Invalicruser password from 218.2E -1.:
Nov 30 17:40:54 ip-172-31-27-153 sshd[23009]: Invalid user password from 218.2E.:_..
Nov 30 17:48:54 ip-172-31-27-153 sshd[23004]: Invalid user password from 218.2f.1...
Nov 30 17:48:54 ip-172-31-27-153 sshd[230111: Invalid user password from 218.2e....."
Nov 30 17:49:56 ip-1:00-31-27-153 sshd[23011]: 5avalid user password fr ,.! mA18.2E........
Nov 30 17:4' - ' .p-172-31-27-153 sshd[23c...:j: Invalid user passw - l- i from 218.26.11.11
Nov 3 dcc: .1:5? ip-172-31-27-1511161[23013]: Invalid usekspsw::J from 219.26.11.
1 - :i::55 sshd[23013]: Invalid:Od?pa.e.sw:r1 f.T7m.
Refer to the exhibit. A security analyst is investigating unusual activity from an unknown IP address Which type of evidence is this file?
0 A. indirect evidence
O B. best evidence
O C. direct evidence
O D. corroborative evidence

Previous I Next RevimvAll vl Save Session End Exam
Spoto 4 x
Mark
❑
(0
-
0.000093 20.0.2.20 Standard query 1'43441114 NULL
3 0.00000? 10.4141•41■ / 1,. ' query want. laeqpumiplhhpz/' ..lef 1 i*lk
IE
4 0.0011 10. 10.0.7.30 :..andard query response mut.
0.0044 10. 10.0.2.20 steeetarit query MAJ. yroioz *Le. sea
. M11111101 Query resono •
-
to. to.o. 2.30
. 7103 I!t. ', 10.0.2.20 \\O' query _NY:e ".„1‘2103.44.-444143h-Or ink -sal
0.007233 ('. 1:. <0. 2. 10.0.2. 10 4e4(
,• 4
404 44 Mott.
MOM Query mu. 4104a4-1. a .f 1 373t* -r 4 35
,
--,-- 9 0.007346 10.0.2. Pricrir— 10.0.2.20 -
10 0.007460 10.0.2.20 10.0.2.30 Stange, query response Nut.
11 0.007567 10.0.2.30 10.0.2.20 St anglIral query rims riotameccODeff reochritiVoili M1400pPo
12 0.007677 10.0.2.20 10.0. 2. 30 510000r 0 query response 140.1
13 0.007713 10.0. 2. 30 10.0.2.20 Standard query mu. 2ii4040123456769.2 - 4 '175%776 . 477 \ 1001
14 0.0wasa 10.0.2.20 10.0.2.30 standard Query response MULL
IS 0.61M13 10.0.2.30 10 0.2.20 standard query NULL a11ba4\320,321\322\323\32v,323 - .321Mil
-- " — -., -- •- r
J . .. . . .. .
-
Irma 1 (6.2. Ayres' i3n wire. 62 bytes capi74red)

. Sria CaMesOCo...9c:e0:b (90 kW: ' .9c :40:04). Ost : CadeusCo.A.1c(/'. La t06:00:r :c7:6e:ba)
1
+ Et
t Protocol. Src: 10.0.2.30,... . 30). Ost : 10.0.2.20 (10. D.:\ E;UPI
t -
er Datagram aroCoC0 1 . SrC Pr{ '44639 (44639). Dst Port : dosaik-A -S3)
- Domain wawa System (query)
c6\e°°1\'‘
transaction ID: 0s12b0
. Slags: Ox0100 (standard query)
Quest ions: 1
Anwar Rim: 0
Authority ens: 0
Additional MC 0
- Quer lea ' ()
rate.sea: t
MOO WT/0 27 C7 6e ba 00 00
3010 00 4A 00 09 40 og 40 31
)020 02 14 ee sr 00 xs oo 30
3030 00 00 00 430 00 00
2040
)050
Refer to the exhibit. What is occurring?
0 k ARP poisoning
O B. DNS tunneling
O C. DNS amplification
O D. ARP flood
Previous I Next ReviewAll Save Session End Exam

Spoto I 4 x
Mark n
What is threat hunting?
0 A Focusing on proactively detecting possible signs of intrusion and compromise.

O B. Attempting to deliberately disrupt servers by altering their availability.
O C. Pursuing competitors and adversaries to infiltrate their system to acquire intelligence data. N. • -
O a Managing a vulnerability assessment report to mitigate potential threats.
, A N*„
1-1`
, •, 0 \Y tjZ)

,
Previous Next ReviewAn ■ : , cfs tgave Session I t End Exam
Spoto 4 x
0
❑ Mark Os
CD
'
<
How does agentless monitoring differ from agent-based monitoring?
0 A Agentless can access the data via API. while agent-base uses a less efficient method and accesses log data through WMI.
O B. Agent-based monitoring is less intrusive in gathering log data, while agentless requires open ports to fetch the logs
O C. Agent-based has a possibility to locally filter and transmit only valuable data, while agentless has much higher network utilization.
O a Agent-based monitoring has a lower initial cost for deployment, while agentless monitoring requires resource-intensive deployment.
O.
<</ 0 0)
-
71
0 1` t*,
Previous I Next ReviewAll ■ lbw Session I t End Exam

Spoto I 4 x
4' 0 t.,
Mark Os •C‘ (7) r)%
IN( . fl %./
-0
Which information must an organization use to understand the threats currently targeting the organization?
0 A vulnerability exposure
O B. threat intelligence
O C. vendor suggestions
O ft risk scores
.0-
,o c
-
Previous I Next I ReviewAll ■ I C-;. . , A>tis litive Session it End Exam

▪
Spoto I 4 x
4'
Mark t/ Os
n 1C
.4 , C) C‘ C.) 67. 0
<CD
Which technology prevents end-device to end- device IP traceability?
0 A Tunneling
O B. NAT/PAT
• 0 s-\ \ t)
O C. load balancing
O D. encryption
. 0 -
,o
-
4, •
Previous I Next ReviewAll ■ ., \--'

,.. A>:3C-41Flave Session I t End Exam
Spoto 4 x
❑ Mark _< \c=
o
An analyst is using the STEM platform and must extract a custom property from a Cisco device and capture the phrase, "File: Clean." Wich regex must the analyst import?
0 A File: Clean(*)
O B. File: Clean K./ -.9
O C. Parent File: CleanS ) •
O a Pile, CleanS
("N
..; °
-
Previous I Next II RenewAll ■ I .,

A}.
c:1,4 Session i t End Exam
Spoto I
1:1 Mark
Which type of access control depends on the job function of the user?
0 A rule-based access control

O B. role-based access control
O C. discretionary access control
Th . .
■..\° o
O nondiscretionary access control
r-,
•
o
i-i'
, •, 0 \Y1. 0tjZ)
Previous I Next ReviewAll ■ ., \>:3c-4ilive Session I t End Exam

Sr°T°1 Spoto Cyberop Associate Exam L Threat Hunting and Defending Using Cisco Technologie For Cyberops (Cbrops) - Custom E Am - Vce Player 4 H X - 9

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Sr°T°1 Spoto Cyberop Associate Exam L Threat Hunting and Defending Using Cisco Technologie For Cyberops (Cbrops) - Custom E Am - Vce Player 4 H X - 9

Uploaded by

Copyright:

Available Formats

0 4 h X

What is a difference between tampered and untampered disk images?

0 A Tampered images have the same stored and computed hash

_ .,_:._';< 0•-• . t>, C) ---- `;?' •

0 C. Tampered images are used as evidence 'x' - ' ,.... --

Select the best choice.

0 A Tapping interrogation replicates signals to a separate port for analyzing traffic

Select the best choice.

Previous I Next ReviewAll • I ., \>:3C-4iiiive Session I t End Exam

Select the best choice. 100%

Previous I Next ReviewAll ■ Save Session End Exam

Aug 24 2020 09:02:37: NASA-4-106023: Deny tcp src outtside:209.165.200.228/515851st

Select the best choice. 100%

Previous I Next 11 ReviewAll ■ I Save Session End Exam

Item 5 of 110 (Choice, Q5) Show Answer

Which regular expression is needed to capture the IP address 192.16820.232?

0 A -„_.. .._. c._.

Select the best choice.

Previous I Next I ReviewAll ■ I C-;. . , A>tis iiitive Session I t End Exam

Item 6 of 110 (Choice, Q6) Show Answer

0 A Nmap -sV 192_168.1.0/24

Select the best choice. 100%

Previous I Next I ReviewAll ■ I Save Session End Exam

Which action prevents buffer overflow attacks?

O C. using a Linux operating system

Select the best choice. I

192.168.10.10 - [(91/Dec/2020:11:12:22 -0200] "GET /icons/powered by_rh.png HTT

Refer to the exhibit. What is occurring within the exhibit?

0 A. cross-site scripting attack

Select the best choice.

Previous I Next ReviewAll ■ , 4 1iiiive Session I t End Exam

Which data type is necessary to get information about source/destination ports?

Select the best choice. I

Item 10 of 110 (Choice, Q10) Show Answer

Select the best choice. 100%

Previous I Next ReviewAll ■ Save Session End Exam

Item 11 of 110 (Choice, Q11) Show Answer

Select the best choice. 100%

Previous Next ReviewAll ■ Save Session End Exam

Item 12 of 110 (Choice, Q12) Show Answer

0 A. perpetrators of the attack

Select the best choice. 100%

Previous I Next ReviewAll • Save Session End Exam

Which event is a vishing attack?

0 A using a vulnerability scanner on a corporate network

O D. obtaining disposed documents from an organization

Select the best choice.

Item 14 of 110 (Choice, Q14) Show Answer

Mar 07 2020 16:16:48: %ASA-4-106623: Deny tcp src

Refer to the exhibit. Which technology generates this log?

Select the best choice.

Previous Next ReviewAll ■ ., \>:3C-4iiitive Session I t End Exam

Item 15 of 110 (Choice, Q15) I Show Answer

0 A. by most used ports

Select the best choice. 100%

Previous Next ReviewAll ■ Save Session End Exam

Select the best choice.

Previous Next ReviewAll ■ I .,• A>i—r:1,4 1itive Session I t End Exam

File name -2009-4324 PDF 2009-1 r30 note200911.pdf

File size, 408918 bytP s

MD5 ) 1baabd6fcl2e4111f f73ceac 73 , c84f 9a

SH A1\0' 0805d0aefa b9a3f 4c 1868d552 f 5s, ptiAbI)