Conducting Forensic Analysis and Incident Response Using Cisco CyberOps Technologies (CBRFIR) v1.0
Question 1
An incident response team is recommending changes after analyzing a recent compromise in which:
✑ a large number of events and logs were involved;
✑ team members were not able to identify the anomalous behavior and escalate it in a timely manner;
✑ several network systems were affected as a result of the latency in detection;
✑ security engineers were able to mitigate the threat and bring systems back to a stable state; and
✑ the issue reoccurred shortly after and systems became unstable again because the correct information was not gathered during the initial identification phase.
Which two recommendations should be made for improving the incident response process? (Choose two.)
- A. Formalize reporting requirements and responsibilities to update management and internal stakeholders throughout the incident-handling process effectively.
- B. Improve the mitigation phase to ensure causes can be quickly identified, and systems returned to a functioning state.
- C. Implement an automated operation to pull systems events/logs and bring them into an organizational context.
- D. Allocate additional resources for the containment phase to stabilize systems in a timely manner and reduce an attack"™s breadth.
- E. Modify the incident handling playbook and checklist to ensure alignment and agreement on roles, responsibilities, and steps before an incident occurs.
Answer : CE
Question 2
Which information is provided bout the object file by the "-h" option in the objdump line command objdump ""b oasys ""m vax ""h fu.o?
- A. bfdname
- B. debugging
- C. help
- D. headers
Answer : D
Reference:
https://sourceware.org/binutils/docs/binutils/objdump.html
Question 3
A threat actor attempts to avoid detection by turning data into a code that shifts numbers to the right four times. Which anti-forensics technique is being used?
- A. encryption
- B. tunneling
- C. obfuscation
- D. poisoning
Answer : C
Reference:
https://www.vadesecure.com/en/malware-analysis-understanding-code-obfuscation-techniques/#:~:text=Obfuscation%20of%20character%20strings%
20is,data%20when%20the%20code%20executes
.
Question 4
Which technique is used to evade detection from security products by executing arbitrary code in the address space of a separate live operation?
- A. process injection
- B. privilege escalation
- C. GPO modification
- D. token manipulation
Answer : A
Reference:
https://attack.mitre.org/techniques/T1055/
Question 5
Refer to the exhibit. An HR department submitted a ticket to the IT helpdesk indicating slow performance on an internal share server. The helpdesk engineer checked the server with a real-time monitoring tool and did not notice anything suspicious. After checking the event logs, the engineer noticed an event that occurred 48 hour prior. Which two indicators of compromise should be determined from this information? (Choose two.)
- A. unauthorized system modification
- B. privilege escalation
- C. denial of service attack
- D. compromised root access
- E. malware outbreak
Answer : AD
Question 6
Which magic byte indicates that an analyzed file is a pdf file?
- A. cGRmZmlsZQ
- B. 706466666
- C. 255044462d
- D. 0a0ah4cg
Answer : C
Question 7
An engineer received a call to assist with an ongoing DDoS attack. The Apache server is being targeted, and availability is compromised. Which step should be taken to identify the origin of the threat?
- A. An engineer should check the list of usernames currently logged in by running the command $ who | cut ""d"™ "˜ -f1| sort | uniq
- B. An engineer should check the server"™s processes by running commands ps -aux and sudo ps -a.
- C. An engineer should check the services on the machine by running the command service -status-all.
- D. An engineer should check the last hundred entries of a web server with the command sudo tail -100 /var/log/apache2/access.log.
Answer : D
Question 8
Refer to the exhibit. What do these artifacts indicate?
- A. An executable file is requesting an application download.
- B. A malicious file is redirecting users to different domains.
- C. The MD5 of a file is identified as a virus and is being blocked.
- D. A forged DNS request is forwarding users to malicious websites.
Answer : A
Question 9
Refer to the exhibit. According to the SNORT alert, what is the attacker performing?
- A. brute-force attack against the web application user accounts
- B. XSS attack against the target webserver
- C. brute-force attack against directories and files on the target webserver
- D. SQL injection attack against the target webserver
Answer : C
Question 10
Refer to the exhibit. Which type of code created the snippet?
- A. VB Script
- B. Python
- C. PowerShell
- D. Bash Script
Answer : A
Question 11
DRAG DROP -
Drag and drop the cloud characteristic from the left onto the challenges presented for gathering evidence on the right.
Select and Place:
Answer : 
Question 12
Refer to the exhibit. A security analyst notices unusual connections while monitoring traffic. What is the attack vector, and which action should be taken to prevent this type of event?
- A. DNS spoofing; encrypt communication protocols
- B. SYN flooding, block malicious packets
- C. ARP spoofing; configure port security
- D. MAC flooding; assign static entries
Answer : C
Question 13
Refer to the exhibit. Which two actions should be taken as a result of this information? (Choose two.)
- A. Update the AV to block any file with hash "cf2b3ad32a8a4cfb05e9dfc45875bd70".
- B. Block all emails sent from an @state.gov address.
- C. Block all emails with pdf attachments.
- D. Block emails sent from [email protected] with an attached pdf file with md5 hash "cf2b3ad32a8a4cfb05e9dfc45875bd70".
- E. Block all emails with subject containing "cf2b3ad32a8a4cfb05e9dfc45875bd70".
Answer : AB
Question 14
Refer to the exhibit. What should be determined from this Apache log?
- A. A module named mod_ssl is needed to make SSL connections.
- B. The private key does not match with the SSL certificate.
- C. The certificate file has been maliciously modified
- D. The SSL traffic setup is improper
Answer : D
Question 15
DRAG DROP -
Drag and drop the steps from the left into the order to perform forensics analysis of infrastructure networks on the right.
Select and Place:
Answer : 
Reference:
https://subscription.packtpub.com/book/networking_and_servers/9781789344523/1/ch01lvl1sec12/network-forensics-investigation-methodology