Cisco CyberOps Associate 200-201 Questions & Answers

• Question 11:

  Which information must an organization use to understand the threats currently targeting the organization?

  A. threat intelligence

  B. risk scores

  C. vendor suggestions

  D. vulnerability exposure

  Correct Answer: A

• Question 12:

  A security specialist notices 100 HTTP GET and POST requests for multiple pages on the web servers. The agent in the requests contains PHP code that, if executed, creates and writes to a new PHP file on the webserver. Which event category is described?

  A. reconnaissance

  B. action on objectives

  C. installation

  D. exploitation

  Correct Answer: C

• Question 13:

  Refer to the exhibit.

  

  Which field contains DNS header information if the payload is a query or a response?

  A. Z

  B. ID

  C. TC

  D. QR

  Correct Answer: B

• Question 14:

  What is a difference between SOAR and SIEM?

  A. SOAR platforms are used for threat and vulnerability management, but SIEM applications are not

  B. SIEM applications are used for threat and vulnerability management, but SOAR platforms are not

  C. SOAR receives information from a single platform and delivers it to a SIEM

  D. SIEM receives information from a single platform and delivers it to a SOAR

  Correct Answer: A

• Question 15:

  An analyst discovers that a legitimate security alert has been dismissed. Which signature caused this impact on network traffic?

  A. true negative

  B. false negative

  C. false positive

  D. true positive

  Correct Answer: B

  A false negative occurs when the security system (usually a WAF) fails to identify a threat. It produces a "negative" outcome (meaning that no threat has been observed), even though a threat exists.

• Question 16:

  During which phase of the forensic process are tools and techniques used to extract information from the collected data?

  A. investigation

  B. examination

  C. reporting

  D. collection

  Correct Answer: D

• Question 17:

  Which step in the incident response process researches an attacking host through logs in a SIEM?

  A. detection and analysis

  B. preparation

  C. eradication

  D. containment

  Correct Answer: A

  Preparation --> Detection and Analysis --> Containment, Erradicaion and Recovery --> Post-Incident Activity

  Detection and Analysis --> Profile networks and systems, Understand normal behaviors, Create a log retention policy, Perform event correlation. Maintain and use a knowledge base of information.Use Internet search engines for research. Run packet sniffers to collect additional data. Filter the data. Seek assistance from others. Keep all host clocks synchronized. Know the different types of attacks and attack vectors. Develop processes and procedures to recognize the signs of an incident. Understand the sources of precursors and indicators. Create appropriate incident documentation capabilities and processes. Create processes to effectively prioritize security incidents. Create processes to effectively

  communicate incident information (internal and external communications). Ref: Cisco CyberOps Associate CBROPS 200-201 Official Cert Guide

• Question 18:

  What is a purpose of a vulnerability management framework?

  A. identifies, removes, and mitigates system vulnerabilities

  B. detects and removes vulnerabilities in source code

  C. conducts vulnerability scans on the network

  D. manages a list of reported vulnerabilities

  Correct Answer: A

• Question 19:

  An analyst is using the SIEM platform and must extract a custom property from a Cisco device and capture the phrase, "File: Clean." Which regex must the analyst import?

  A. File: Clean

  B. ^Parent File Clean$

  C. File: Clean (.*)

  D. ^File: Clean$

  Correct Answer: A

• Question 20:

  How does an attacker observe network traffic exchanged between two users?

  A. port scanning

  B. man-in-the-middle

  C. command injection

  D. denial of service

  Correct Answer: B