Free 350-201 Sample Questions — Performing CyberOps Using Core Security Technologies (CBRCOR)

Free 350-201 sample questions for the Performing CyberOps Using Core Security Technologies (CBRCOR) exam. No account required: study at your own pace.

Question 1

A SOC team is investigating a recent, targeted social engineering attack on multiple employees. Cross-correlated log analysis revealed that two hours before the attack, multiple assets received requests on TCP port 79. Which action should be taken by the SOC team to mitigate this attack?

  • A. Disable BIND forwarding from the DNS server to avoid reconnaissance
  • B. Disable affected assets and isolate them for further investigation
  • C. Configure affected devices to disable NETRJS protocol
  • D. Configure affected devices to disable the Finger service
Correct Answer:
D. Configure affected devices to disable the Finger service

Question 2

Employees receive an email from an executive within the organization that summarizes a recent security breach and requests that employees verify their credentials through a provided link. Several employees report the email as suspicious, and a security analyst is investigating the reports. Which two steps should the analyst take to begin this investigation? (Choose two.)

  • A. Evaluate the intrusion detection system alerts to determine the threat source and attack surface
  • B. Communicate with employees to determine who opened the link and isolate the affected assets
  • C. Examine the firewall and HIPS configuration to identify the exploited vulnerabilities and apply recommended mitigation
  • D. Review the mail server and proxy logs to identify the impact of a potential breach
  • E. Check the email header to identify the sender and analyze the link in an isolated environment
Correct Answer:
  • D. Review the mail server and proxy logs to identify the impact of a potential breach
  • E. Check the email header to identify the sender and analyze the link in an isolated environment

Question 3

An engineer returned to work and realized that payments that were received over the weekend were sent to the wrong recipient. The engineer discovered that the SaaS tool that processes these payments was down over the weekend. Which step should the engineer take first?

  • A. Utilize the SaaS tool team to gather more information on the potential breach
  • B. Contact the incident response team to inform them of a potential breach
  • C. Organize a meeting to discuss the services that may be affected
  • D. Request that the purchasing department create and send the payments manually
Correct Answer:
B. Contact the incident response team to inform them of a potential breach

Question 4

The SIEM tool informs a SOC team of a suspicious file. The team initializes the analysis with an automated sandbox tool, sets up a controlled laboratory to examine the malware specimen, and proceeds with behavioral analysis. What is the next step in the malware analysis process?

  • A. Perform static and dynamic code analysis of the specimen
  • B. Unpack the specimen and perform memory forensics
  • C. Contain the subnet in which the suspicious file was found
  • D. Document findings and clean up the laboratory
Correct Answer:
A. Perform static and dynamic code analysis of the specimen

Question 5

What is a benefit of key risk indicators?

  • A. clear perspective into the risk position of an organization
  • B. improved visibility on quantifiable information
  • C. improved mitigation techniques for unknown threats
  • D. clear procedures and processes for organizational risk
Correct Answer:
A. clear perspective into the risk position of an organization

Question 6

An employee abused PowerShell commands and script interpreters, which led to an indicator of compromise (IOC) trigger. The IOC event shows that a known malicious file has been executed, and there is an increased likelihood of a breach. Which indicator generated this IOC event?

  • A. ExecutedMalware.ioc
  • B. Crossrider.ioc
  • C. ConnectToSuspiciousDomain.ioc
  • D. W32.AccesschkUtility.ioc
Correct Answer:
A. ExecutedMalware.ioc

Question 7

An engineer wants to review the packet overviews of SNORT alerts. When printing the SNORT alerts, all the packet headers are included, and the file is too large to utilize. Which action is needed to correct this problem?

  • A. Modify the alert rule to "output alert_syslog: output log"
  • B. Modify the output module rule to "output alert_quick: output filename"
  • C. Modify the alert rule to "output alert_syslog: output header"
  • D. Modify the output module rule to "output alert_fast: output filename"
Correct Answer:
D. Modify the output module rule to "output alert_fast: output filename"

Question 8

An organization suffered a security breach in which the attacker exploited a Netlogon Remote Protocol vulnerability for further privilege escalation. Which two actions should the incident response team take to prevent this type of attack from reoccurring? (Choose two.)

  • A. Implement a patch management process
  • B. Scan the company server files for known viruses
  • C. Apply existing patches to the company servers
  • D. Automate antivirus scans of the company servers
  • E. Define roles and responsibilities in the incident response playbook
Correct Answer:
  • A. Implement a patch management process
  • C. Apply existing patches to the company servers

Question 9

An analyst is alerted to a malicious file hash. After analysis, the analyst determined that an internal workstation is communicating over port 80 with an external server and that the file hash is associated with Duqu malware. Which tactics, techniques, and procedures align with this analysis?

  • A. Command and Control, Application Layer Protocol, Duqu
  • B. Discovery, Remote Services: SMB/Windows Admin Shares, Duqu
  • C. Lateral Movement, Remote Services: SMB/Windows Admin Shares, Duqu
  • D. Discovery, System Network Configuration Discovery, Duqu
Correct Answer:
A. Command and Control, Application Layer Protocol, Duqu

Question 10

Where do threat intelligence tools search for data to identify potential malicious IP addresses, domain names, and URLs?

  • A. customer data
  • B. internal database
  • C. internal cloud
  • D. Internet
Correct Answer:
D. Internet

Question 11

A SOC analyst is notified by the network monitoring tool that there are unusual types of internal traffic on IP subnet 103.921.2239.0/24. The analyst discovers unexplained encrypted data files on a computer system that belongs to that specific subnet. What is the cause of the issue?

  • A. DDoS attack
  • B. phishing attack
  • C. virus outbreak
  • D. malware outbreak
Correct Answer:
C. virus outbreak

Question 12

A company recently completed an internal audit and discovered that there is a CSRF vulnerability in 20 of its hosted applications. Based on the audit, which recommendation should an engineer make for patching?

  • A. Identify the business applications running on the assets
  • B. Update software to patch third-party software
  • C. Validate CSRF by executing exploits within Metasploit
  • D. Fix applications according to the risk scores
Correct Answer:
D. Fix applications according to the risk scores

Question 13

An engineer is moving data from NAS servers in different departments to a combined storage database so that the data can be accessed and analyzed by the organization on-demand. Which data management process is being used?

  • A. data clustering
  • B. data regression
  • C. data ingestion
  • D. data obfuscation
Correct Answer:
C. data ingestion

Question 14

A company recently started accepting credit card payments in their local warehouses and is undergoing a PCI audit. Based on business requirements, the company needs to store sensitive authentication data for 45 days. How must data be stored for compliance?

  • A. post-authorization by non-issuing entities if there is a documented business justification
  • B. by entities that issue the payment cards or that perform support issuing services
  • C. post-authorization by non-issuing entities if the data is encrypted and securely stored
  • D. by issuers and issuer processors if there is a legitimate reason
Correct Answer:
C. post-authorization by non-issuing entities if the data is encrypted and securely stored

Question 15

What is the difference between process orchestration and automation?

  • A. Orchestration combines a set of automated tools, while automation is focused on the tools to automate process flows
  • B. Orchestration arranges the tasks, while automation arranges processes
  • C. Orchestration minimizes redundancies, while automation decreases the time to recover from redundancies
  • D. Automation optimizes the individual tasks to execute the process, while orchestration optimizes frequent and repeatable processes
Correct Answer:
D. Automation optimizes the individual tasks to execute the process, while orchestration optimizes frequent and repeatable processes

Question 16

An engineer received multiple reports from users who, when trying to access a company website, are instead redirected to a malicious website that asks them to fill in sensitive personal data. Which type of attack is occurring?

  • A. Address Resolution Protocol poisoning
  • B. session hijacking attack
  • C. teardrop attack
  • D. Domain Name System poisoning
Correct Answer:
D. Domain Name System poisoning

Question 17

What do 2xx HTTP response codes indicate for REST APIs?

  • A. additional action must be taken by the client to complete the request
  • B. the server takes responsibility for error status codes
  • C. communication of transfer protocol-level information
  • D. successful acceptance of the client's request
Correct Answer:
D. successful acceptance of the client's request

Question 18

An organization had a network availability incident during which devices unexpectedly malfunctioned. An engineer investigating the incident found that memory pool buffer usage reached a peak before the malfunction. Which action should the engineer take to prevent this issue from reoccurring?

  • A. Disable memory limit
  • B. Disable CPU threshold trap toward the SNMP server
  • C. Enable memory tracing notifications
  • D. Enable memory threshold notifications
Correct Answer:
D. Enable memory threshold notifications

Question 19

A payroll administrator noticed unexpected changes within a piece of software and reported the incident to the incident response team. Which actions should be taken at this step in the incident response workflow?

  • A. Classify the criticality of the information, research the attacker's motives, and identify missing patches
  • B. Determine the damage to the business, extract reports, and save evidence according to a chain of custody
  • C. Classify the attack vector, understand the scope of the event, and identify the vulnerabilities being exploited
  • D. Determine the attack surface, evaluate the risks involved, and communicate the incident according to the escalation plan
Correct Answer:
C. Classify the attack vector, understand the scope of the event, and identify the vulnerabilities being exploited

Question 20

A threat actor used a phishing email to deliver a file with an embedded macro. The file was opened, and a remote code execution attack occurred in a company's infrastructure. Which steps should an engineer take at the recovery stage?

  • A. Determine the systems involved and deploy available patches
  • B. Analyze event logs and restrict network access
  • C. Review access lists and require users to increase password complexity
  • D. Identify the attack vector and update the IDS signature list
Correct Answer:
A. Determine the systems involved and deploy available patches