1. Which two technologies are used in the ELSA tool? (Choose two.)
- MySQL *
- Sphinx Search *
- Security Onion
2. What is the host-based intrusion detection tool that is integrated into Security Onion?
- OSSEC *
3. According to NIST, which step in the digital forensics process involves drawing conclusions from data?
- Data collection
- Analysis *
4. Which two strings will be matched by the regular expression ? (Choose two.)
- Level2 *
- Level4 *
5. Which alert classification indicates that exploits are not being detected by installed security systems?
- False negative *
- True negative
- True positive
- False positive
6. A cybersecurity analyst is going to verify security alerts using the Security Onion. Which tool should the analyst visit first?
7. What is the purpose for data normalization?
- To reduce the amount of alert data
- To make the alert data transmission fast
- To simplify searching for correlated events *
- To enhance the secure transmission of alert data
8. Which term describes evidence that is in its original state?
- Corroborating evidence
- Best evidence *
- Indirect evidence
- Direct evidence
9. How is the hash value of files useful in network security investigations?
- It helps identify malware signatures.
- It is used to decode files.
- It is used as a key for encryption.
- It verifies confidentiality of files.
10. Which tool is a Security Onion integrated host-based intrusion detection system?
11. Which type of evidence supports an assertion based on previously obtained evidence?
- direct evidence
- corroborating evidence
- best evidence
- indirect evidence
12. Which tool is developed by Cisco and provides an interactive dashboard that allows investigation of the threat landscape?
13. Which term is used to describe the process of converting log entries into a common format?
14. According to NIST, which step in the digital forensics process involves extracting relevant information from data?
15. A law office uses a Linux host as the firewall device for the network. The IT administrator is adding a rule to the firewall iptables to block internal hosts from connecting to a remote device that has the IP address 184.108.40.206. Which command should the administrator use?
- iptables -I FORWARD -p tcp -d 220.127.116.11 –dport 7777 -j DROP
- iptables -I INPUT -p tcp -d 18.104.22.168 –dport 7777 -j DROP
- iptables -I PASS -p tcp -d 22.214.171.124 –dport 7777 -j DROP
- iptables -I OUTPUT -p tcp -d 126.96.36.199 –dport 7777 -j DROP
16. What procedure should be avoided in a digital forensics investigation?
- Secure physical access to the computer under investigation.
- Reboot the affected system upon arrival.
- Make a copy of the hard drive.
- Recover deleted files.
17. Which statement describes a feature of timestamps in Linux?
- Human readable timestamps measure the number of seconds that have passed since January 1, 1970.
- All devices generate human readable and Unix Epoch timestamps.
- It is easier to work with Unix Epoch timestamps for addition and subtraction operations.
- Unix Epoch timestamps are easier for humans to interpret.
18. Which tool is included with Security Onion that is used by Snort to automatically download new rules?
19. Which tool would an analyst use to start a workflow investigation?
20. What is indicated by a Snort signature ID that is below 3464?
- The SID was created by Sourcefire and distributed under a GPL agreement.
- This is a custom signature developed by the organization to address locally observed rules.
- The SID was created by members of EmergingThreats.
- The SID was created by the Snort community and is maintained in Community Rules.
21. How does an application program interact with the operating system?
- accessing BIOS or UEFI
- making API calls
- sending files
- using processes
22. A threat actor has successfully breached the network firewall without being detected by the IDS system. What condition describes the lack of alert?
- true negative
- true positive
- false positive
- false negative
23. Use the following scenario to answer the questions. A company has just had a cybersecurity incident. The threat actor or actors appeared to have a goal of network disruption and appeared to use a common security hack tool that overwhelmed a particular server with a large amount of traffic, which rendered the server inoperable.
a. How would a certified cybersecurity analyst classify this type of threat actor?
b. The security team at this company has removed the compromised server and preserved it with the security hack still embedded. What type of evidence is this?
c. Which type of attack was achieved?
- social engineering
d. What would be the threat attribution in this case?
- evaluating the server alert data
- obtaining the most volatile evidence
- determining who is responsible for the attack
- reporting the incident to the proper authorities
e. What are three common tools used to carry out this type of attack? (Choose three.)
- ping sweep
- TCP SYN flood
- buffer overflow
- IP, MAC, and DHCP spoofing
- smurf attack
24. Refer to the exhibit. A network security specialist issues the command tcpdump to capture events. What is the function provided by the ampersand symbol used in the command?
- It instructs the tcpdump to capture data that starts with the symbol.
- It tells the Linux shell to execute the tcpdump process in the background.
- It tells the Linux shell to display the captured data on the console.
- It tells the Linux shell to execute the tcpdump process indefinitely.
25. Refer to the exhibit. A cybersecurity analyst is using Sguil to verify security alerts. How is the current view sorted?
- by sensor number
- by source IP
- by frequency
- by date/time
26. Which three procedures in Sguil are provided to security analysts to address alerts? (Choose three.)
- Expire false positives.
- Pivot to other information sources and tools.
- Construct queries using Query Builder.
- Escalate an uncertain alert.
- Correlate similar alerts into a single line.
- Categorize true positives.
27. Which two strings will be matched by the regular expression? (Choose two.)
28. Which statement describes the status after the Security Onion VM is started?
- SGUIL becomes enabled via the sudo sguil -e terminal command.
- Awk becomes enabled via the sudo awk terminal command.
- Pullpork is used by ELSA as an open source search engine.
- Snort is enabled by default.
29. What are the three core functions provided by the Security Onion? (Choose three.)
- business continuity planning
- full packet capture
- alert analysis
- intrusion detection
- security device management
- threat containment
30. Refer to the exhibit. A network security analyst is using the Follow TCP Stream feature in Wireshark to rebuild the TCP transaction. However, the transaction data seems indecipherable. What is the explanation for this?
- The transaction data is encoded with Base64.
- The transaction data is a binary file.
- The data shown is line noise.
- The transaction data is corrupted.
31. What is the tool that has alert records linked directly to the search functionality of the Enterprise Log Search and Archive (ELSA)?
32. Refer to the exhibit. A network security analyst is examining captured data using Wireshark. The captured frames indicate that a host is downloading malware from a server. Which source port is used by the host to request the download?
33. Which two types of unreadable network traffic could be eliminated from data collected by NSM? (Choose two.)
- routing updates traffic
- STP traffic
- SSL traffic
- IPsec traffic
- broadcast traffic
34. Match the characteristic to the method of security analysis.
35. Match the field in the Event table of Sguil to the description.
36. Place the evidence collection priority from most volatile to least volatile as defined by the IETF guidelines.