Dive into practice questions
Question 1
A cybersecurity analyst is doing triage in a SIEM and notices that the time stamps between the firewall and the host under investigation are off by 43 minutes. Which of the following is the most likely scenario occurring with the time stamps?
A. The NTP server is not configured on the host.
B. The cybersecurity analyst is looking at the wrong information.
C. The firewall is using UTC time.
D. The host with the logs is offline.
Question 2
An analyst receives an alert from the EDR indicating a user has downloaded a malicious file that is attempting to compromise the laptop. The analyst gathers the following information after isolating the machine to determine which file was in fact malicious:
| Attribute | Value |
| --- | --- |
| zipcontainer.dll | 6C635BF98BD79102F6096458572... |
| xwizard.dtd | 20052F52C677845A63B2436952E... |
| svch0st.exe | 0AD27DC6B692903C4E129B1AD7... |
Which of the following techniques is the analyst using to identify the files?
A. Hashing
B. File extensions
C. Pattern recognition
D. Interpreting commands
Question 3
An organization's security operations team has been experiencing issues with fake news events about potential cyberattacks that could impact the organization's systems. Which of the following is the most trusted source for gathering threat intelligence?
A. Popular hacker blogs
B. Industry-related government bulletins
C. Cybersecurity social media groups
D. Dark web cyber resource groups
Question 4
A SOC analyst determined that a significant number of the reported alarms could be closed after removing the duplicates. Which of the following could help the analyst reduce the number of alarms with the least effort?
A. SOAR
B. API
C. XDR
D. REST
Question 5
A manufacturing company's assembly line machinery only functions on an end-of-life OS. Consequently, no patches exist for several highly exploitable OS vulnerabilities. Which of the following is the best mitigating control to reduce the risk of these current conditions?
A. Enforce strict network segmentation to isolate vulnerable systems from the production network.
B. Increase the system resources for vulnerable devices to prevent denial of service.
C. Perform penetration testing to verify the exploitability of these vulnerabilities.
D. Develop in-house patches to address these vulnerabilities.
Question 6
Which of the following would a security analyst most likely use to compare TTPs between different known adversaries of an organization?
A. MITRE ATT&CK
B. Cyber Kill Chain
C. OWASP
D. STIX/TAXII
Question 7
During a cybersecurity incident, one of the web servers at the perimeter network was affected by ransomware. Which of the following actions should be performed immediately?
A. Shut down the server.
B. Reimage the server.
C. Quarantine the server.
D. Update the OS to latest version.
Question 8
During which of the following incident response phases would root cause analysis occur?
A. Post-incident activity
B. Containment, eradication, and recovery
C. Preparation
D. Detection and analysis
Question 9
Which of the following is the best action to take after the conclusion of a security incident to improve incident response in the future?
A. Develop a call tree to inform impacted users.
B. Schedule a review with all teams to discuss what occurred.
C. Create an executive summary to update company leadership.
D. Review regulatory compliance with public relations for official notification.
Question 10
An analyst is remediating items associated with a recent incident. The analyst has isolated the vulnerability and is actively removing it from the system. Which of the following steps of the process does this describe?
A. Eradication
B. Recovery
C. Containment
D. Preparation
Answer key
Question 1: A (The NTP server is not configured on the host)
Question 10: A (Eradication)