Question 411:
What does the SOC metric MTTC provide in incident analysis?
A. average time it takes to recognize and stop the incident
B. average time it takes to fix the issues caused by the incident
C. average time it takes to detect that the incident has occurred
D. average time the attacker has access to the environment
A. average time it takes to recognize and stop the incident
Question 412:
What describes the impact of false-positive alerts compared to false-negative alerts?
A. A false negative is alerting for an XSS attack. An engineer investigates the alert and discovers that an XSS attack happened. A false positive is when an XSS attack happens and no alert is raised.
B. A false negative is a legitimate attack triggering a brute-force alert. An engineer investigates the alert and finds out someone intended to break into the system. A false positive is when no alert and no attack is occurring.
C. A false positive is an event alerting for a brute-force attack. An engineer investigates the alert and discovers that a legitimate user entered the wrong credential several times. A false negative is when a threat actor tries to brute-force attack a system and no alert is raised.
D. A false positive is an event alerting for an SQL injection attack. An engineer investigates the alert and discovers that an attack attempt was blocked by IPS. A false negative is when the attack gets detected but succeeds and results in a breach.
C. A false positive is an event alerting for a brute-force attack. An engineer investigates the alert and discovers that a legitimate user entered the wrong credential several times. A false negative is when a threat actor tries to brute-force attack a system and no alert is raised.
Question 413:
An analyst is exploring the functionality of different operating systems.
What is a feature of Windows Management Instrumentation that must be considered when deciding on an operating system?
A. queries Linux devices that have Microsoft Services for Linux installed
B. deploys Windows Operating Systems in an automated fashion
C. is an efficient tool for working with Active Directory
D. has a Common Information Model, which describes installed hardware and software
D. has a Common Information Model, which describes installed hardware and software
Explanation
Windows Management Instrumentation (WMI) provides a unified way to request system information, including hardware and software inventory data. The Common Information Model (CIM) is the open standard on which WMI is built; it defines how managed elements in an IT environment are represented as a common set of objects and the relationships between them.
Question 414:
Which evasion method involves performing actions slower than normal to prevent detection?
A. timing attack
B. traffic fragmentation
C. resource exhaustion
D. tunneling
A. timing attack
Explanation
A timing attack, in this context, involves performing actions more slowly than normal to avoid detection by security systems. By spreading activity out over time, an attacker may stay below rate-based thresholds or detection mechanisms that key on normal or faster behavior.
Question 415:
Which type of evidence directly proves a fact without inference?
A. circumstantial evidence
B. indirect evidence
C. direct evidence
D. corroborative evidence
C. direct evidence
Explanation
Direct evidence is evidence that proves a fact on its own, without requiring any inference or interpretation. For example, a log entry showing a specific user executing a malicious command would be considered direct evidence. Circumstantial evidence (A) requires inference to connect it to a conclusion, such as logs indicating unusual activity that suggests an attack. Indirect evidence (B) is another name for circumstantial evidence. Corroborative evidence (D) supports other evidence but does not independently prove a fact. In cybersecurity investigations, direct evidence is highly valuable because it provides clear and definitive proof of an event or action; in practice, however, most investigations combine several evidence types to build a comprehensive understanding of an incident. Proper evidence classification is important for legal and forensic processes.
Question 416:
Refer to the exhibit.
Which type of attack is represented?
A. TCP/SYN flooding
B. UDP flooding
C. IP flooding
D. MAC flooding
B. UDP flooding
Question 417:
Refer to the exhibit.
Which tool was used to generate this data?
A. NetFlow
B. dnstools
C. firewall
D. tcpdump
A. NetFlow
Question 418:
Which type of data is used to monitor and detect anomalies within the organization's network?
A. statistical
B. metadata
C. transaction
D. alert
A. statistical
Question 419:
Refer to the exhibit.
Which type of evidence is this file?
A. direct evidence
B. corroborating evidence
C. best evidence
D. circumstantial evidence
A. direct evidence
Question 420:
An engineer received a ticket to investigate a potentially malicious file detected by a malware scanner while it was trying to execute multiple commands. During the initial review, the engineer discovered that the file had been created two days earlier.
Further analysis shows that the file was downloaded from a known malicious domain after a successful phishing attempt against an asset owner.
At which phase of the Cyber Kill Chain was this attack mitigated?
A. reconnaissance
B. exploitation
C. installation
D. delivery