Chapter 1
Domain 1.0: Security Operations

EXAM OBJECTIVES COVERED IN THIS CHAPTER:

• 1.1 Explain the importance of system and network architecture concepts in security operations
  • Log ingestion
  • Operating system (OS) concepts
  • Infrastructure concepts
  • Network architecture
  • Identity and access management
  • Encryption
  • Sensitive data protection
• 1.2 Given a scenario, analyze indicators of potentially malicious activity
  • Network-related
  • Host-related
  • Application-related
  • Other
• 1.3. Given a scenario, use appropriate tools or techniques to determine malicious activity
  • Tools
  • Common techniques
  • Programming languages/scripting
• 1.4. Compare and contrast threat-intelligence and threat-hunting concepts
  • Threat actors
  • Tactics, techniques, and procedures (TTP)
  • Confidence levels
  • Collection methods and sources
  • Threat intelligence sharing
  • Threat hunting
• 1.5. Explain the importance of efficiency and process improvement in security operations
  • Standardize processes
  • Streamline operations
  • Technology and tool integration
  • Single pane of glass

1. Olivia is considering potential sources for threat intelligence information that she might incorporate into her security program. Which one of the following sources is most likely to be available without a subscription fee?
   1. Vulnerability feeds
   2. Open source
   3. Closed source
   4. Proprietary
2. Roger is evaluating threat intelligence information sources and finds that one source results in quite a few false positive alerts. This lowers his confidence level in the source. What criteria for intelligence is not being met by this source?
   1. Timeliness
   2. Expense
   3. Relevance
   4. Accuracy
3. Brad is working on a threat classification exercise, analyzing known threats and assessing the possibility of unknown threats. Which one of the following threat actors is most likely to be associated with an advanced persistent threat (APT)?
   1. Hacktivist
   2. Nation-state
   3. Insider
   4. Organized crime
4. What term is used to describe the groups of related organizations that pool resources to share cybersecurity threat information and analyses?
   1. SOC
   2. ISAC
   3. CERT
   4. CIRT
5. Singh incorporated the Cisco Talos tool into his organization's threat intelligence program. He uses it to automatically look up information about the past activity of IP addresses sending email to his mail servers. What term best describes this intelligence source?
   1. Open source
   2. Behavioral
   3. Reputational
   4. Indicator of compromise
6. Jamal is assessing the risk to his organization from their planned use of AWS Lambda, a serverless computing service that allows developers to write code and execute functions directly on the cloud platform. What cloud tier best describes this service?
   1. SaaS
   2. PaaS
   3. IaaS
   4. FaaS
7. Lauren's honeynet, shown here, is configured to use a segment of unused network space that has no legitimate servers in it. This design is particularly useful for detecting what types of threats?
   1. Zero-day attacks
   2. SQL injection
   3. Network scans
   4. DDoS attacks
8. Fred believes that the malware he is tracking uses a fast flux DNS network, which associates many IP addresses with a single fully qualified domain name as well as using multiple download hosts. How many distinct hosts should he review based on the NetFlow shown here? Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows 2020-07-11 14:39:30.606 0.448 TCP 192.168.2.1:1451->10.2.3.1:443 10 1510 1 2020-07-11 14:39:30.826 0.448 TCP 10.2.3.1:443->192.168.2.1:1451 7 360 1 2020-07-11 14:45:32.495 18.492 TCP 10.6.2.4:443->192.168.2.1:1496 5 1107 1 2020-07-11 14:45:32.255 18.888 TCP 192.168.2.1:1496->10.6.2.4:443 11 1840 1 2020-07-11 14:46:54.983 0.000 TCP 192.168.2.1:1496->10.6.2.4:443 1 49 1 2020-07-11 16:45:34.764 0.362 TCP 10.6.2.4:443->192.168.2.1:4292 4 1392 1 2020-07-11 16:45:37.516 0.676 TCP 192.168.2.1:4292->10.6.2.4:443 4 462 1 2020-07-11 16:46:38.028 0.000 TCP 192.168.2.1:4292->10.6.2.4:443 2 89 1 2020-07-11 14:45:23.811 0.454 TCP 192.168.2.1:1515->10.6.2.5:443 4 263 1 2020-07-11 14:45:28.879 1.638 TCP 192.168.2.1:1505->10.6.2.5:443 18 2932 1 2020-07-11 14:45:29.087 2.288 TCP 10.6.2.5:443->192.168.2.1:1505 37 48125 1 2020-07-11 14:45:54.027 0.224 TCP 10.6.2.5:443->192.168.2.1:1515 2 1256 1 2020-07-11 14:45:58.551 4.328 TCP 192.168.2.1:1525->10.6.2.5:443 10 648 1 2020-07-11 14:45:58.759 0.920 TCP 10.6.2.5:443->192.168.2.1:1525 12 15792 1 2020-07-11 14:46:32.227 14.796 TCP 192.168.2.1:1525->10.8.2.5:443 31 1700 1 2020-07-11 14:46:52.983 0.000 TCP 192.168.2.1:1505->10.8.2.5:443 1 40 1
   1. 1
   2. 3
   3. 4
   4. 5
9. Which one of the following functions is not a common recipient of threat intelligence information?
   1. Legal counsel
   2. Risk management
   3. Security engineering
   4. Detection and monitoring
10. Alfonzo is an IT professional at a Portuguese university who is creating a cloud environment for use only by other Portuguese universities. What type of cloud deployment model is he using?
    1. Public cloud
    2. Private cloud
    3. Hybrid cloud
    4. Community cloud
11. As a member of a blue team, Lukas observed the following behavior during an external penetration test. What should he report to his managers at the conclusion of the test?
    1. A significant increase in latency.
    2. A significant increase in packet loss.
    3. Latency and packet loss both increased.
    4. No significant issues were observed.
12. The company that Maria works for is making significant investments in infrastructure-as-a-service hosting to replace its traditional datacenter. Members of her organization's management have Maria's concerns about data remanence when Lauren's team moves from one virtual host to another in their cloud service provider's environment. What should she instruct her team to do to avoid this concern?
    1. Zero-wipe drives before moving systems.
    2. Use full-disk encryption.
    3. Use data masking.
    4. Span multiple virtual disks to fragment data.
13. Geoff is reviewing logs and sees a large number of attempts to authenticate to his VPN server using many different username and password combinations. The same usernames are attempted several hundred times before moving on to the next one. What type of attack is most likely taking place?
    1. Credential stuffing
    2. Password spraying
    3. Brute-force
    4. Rainbow table
14. Kaiden is configuring a SIEM service in his IaaS cloud environment that will receive all of the log entries generated by other devices in that environment. Which one of the following risks is greatest with this approach in the event of a DoS attack or other outage?
    1. Inability to access logs
    2. Insufficient logging
    3. Insufficient monitoring
    4. Insecure API
15. Azra believes that one of her users may be taking malicious action on the systems she has access to. When she walks past the user's desktop, she sees the following command on the screen: user12@workstation:/home/user12# ./john -wordfile:/home/user12/mylist.txt -format:lm hash.txt

    What is the user attempting to do?

    1. They are attempting to hash a file.
    2. They are attempting to crack hashed passwords.
    3. They are attempting to crack encrypted passwords.
    4. They are attempting a pass-the-hash attack.
16. Lucas believes that an attacker has successfully compromised his web server. Using the following output of ps, identify the process ID he should focus on: root 507 0.0 0.1 258268 3288 ? Ssl 15:52 0:00 /usr/sbin/rsyslogd -n message+ 508 0.0 0.2 44176 5160 ? Ss 15:52 0:00 /usr/bin/dbusdaemon --system --address=systemd: --nofork --nopidfile --systemd-activa root 523 0.0 0.3 281092 6312 ? Ssl 15:52 0:00 /usr/lib/accountsservice/accounts-daemon root 524 0.0 0.7 389760 15956 ? Ssl 15:52 0:00 /usr/sbin/NetworkManager --no-daemon root 527 0.0 0.1 28432 2992 ? Ss 15:52 0:00 /lib/systemd/systemd-logind apache 714 0.0 0.1 27416 2748 ? ...