Certified SOC Analyst Dumps


Certified SOC Analyst

1. Which of the following commands is used to view iptables logs on Ubuntu and Debian distributions?
a. # tailf /var/log/messages
b. $ tailf /var/log/kern.log
c. $ tailf /var/log/sys/kern.log
d. # tailf /var/log/sys/messages

2. Where will you find the reputation IP database, if you want to monitor traffic from known bad IP reputation using OSSIM SIEM?
a. /etc/ossim/siem/server/reputation/data
b. /etc/ossim/server/reputation.data
c. /etc/ossim/reputation
d. /etc/siem/ossim/server/reputation.data

3. What does Windows event ID 4740 indicate?
a. A user account was enabled.
b. A user account was disabled.
c. A user account was created.
d. A user account was locked out.

4. In which of the following incident handling and response stages must the root cause of the incident be found from the forensic results?
a. Systems Recovery
b. Evidence Gathering
c. Evidence Handling
d. Eradication

5. Jony, a security analyst, while monitoring IIS logs, identified events shown in the figure below.
a. SQL Injection Attack
b. XSS Attack
c. Directory Traversal Attack
d. Parameter Tampering Attack
6. Sam, a security analyst with INFOSOL INC., while monitoring and analyzing IIS logs, detected an event matching regex /\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix. What does this event log indicate?
a. Parameter Tampering Attack
b. Directory Traversal Attack
c. XSS Attack
d. SQL Injection Attack

7. Which of the following services provides phishing protection and content filtering to manage the Internet experience on and off your network with acceptable use or compliance policies?
a. I-Blocklist
b. Apility.io
c. Malstrom
d. OpenDNS

8. Which of the following can help you eliminate the burden of investigating false positives?
a. Ingesting the context data
b. Treating every alert as high level
c. Keeping default rules
d. Not trusting security devices

9. Which of the following types of threat intelligence helps cyber security professionals such as security operations managers, network operations center staff and incident responders to understand how the adversaries are expected to perform the attack on the organization, and the technical capabilities and goals of the attackers along with the attack vectors?
a. Operational Threat Intelligence
b. Tactical Threat Intelligence
c. Strategic Threat Intelligence
d. Analytical Threat Intelligence

10. An attacker, in an attempt to exploit the vulnerability in the dynamically generated welcome page, inserted code at the end of the company's URL as follows: http://technosoft.com.com/<script>alert("WARNING: The application has encountered an error");</script>. Identify the attack demonstrated in the above scenario.
a. Session Hijacking
b. Denial-of-Service Attack
c. SQL Injection
d. Cross-Site Scripting Attack

11. Peter, a SOC analyst with Spade Systems, is monitoring and analyzing the router logs of the company and wants to check the logs that are generated by the access control list numbered 210. What filter should Peter add to the 'show logging' command to get the required output?
a. show logging | include 210
b. show logging | forward 210
c. show logging | route 210
d. show logging | access 210
12. Jane, a security analyst, while analyzing IDS logs, detected an event matching Regex /((|%3C)|<)((\%69)|i|(\%649))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)/l. What does this event log indicate?
a. XSS Attack
b. Directory Traversal Attack
c. SQL Injection
d. Parameter Tampering Attack

13. Identify the attack when an attacker, by several trials and errors, can read the contents of a password file present in the restricted etc folder just by manipulating the URL in the browser as shown: http://www.terabytes.com/process.php./../../../../etc/passwd
a. SQL Injection Attack
b. Directory Traversal Attack
c. Denial-of-Service Attack
d. Form Tampering Attack

14. Which of the following tools is used to recover from a web application incident?
a. CrowdStrike Falcon Orchestrator
b. Symantec Secure Web Gateway
c. Smoothwall SWG
d. Proxy Workbench

15. What type of event is recorded when an application driver loads successfully in Windows?
a. Information
b. Success Audit
c. Warning
d. Error

16. Which of the following techniques protects from flooding attacks originating from valid prefixes (IP addresses) so that they can be traced to their true source?
a. Rate Limiting
b. Throttling
c. Egress Filtering
d. Ingress Filtering

17. John, a SOC analyst, while monitoring and analyzing Apache web server logs, identified an event log matching Regex /(\.|(%|%25)2E)(\.|(%|%25)2E)(\/|(%|%25)2F|\\|(%|%25)5C)/i. What does this event log indicate?
a. Parameter Tampering Attack
b. XSS Attack
c. SQL Injection Attack
d. Directory Traversal Attack

18. An organization wants to implement a SIEM deployment architecture. However, they have the capability to do only log collection and the rest of the SIEM functions must be managed by an MSSP. Which SIEM deployment architecture will the organization adopt?
a. Cloud, MSSP Managed
b. Self-hosted, Jointly Managed
c. Self-hosted, MSSP Managed
d. Self-hosted, Self-Managed

19. Which of the following are the responsibilities of SIEM Agents?
1. Collecting data received from various devices sending data to SIEM before forwarding it to the central engine.
2. Normalizing data received from various devices sending data to SIEM before forwarding it to the central engine.
3. Correlating data received from various devices sending data to SIEM before forwarding it to the central engine.
4. Visualizing data received from various devices sending data to SIEM before forwarding it to the central engine.
a. 2 & 3
b. 1 & 2
c. 3 & 1
d. 1 & 4

20. The threat intelligence which will help you understand adversary intent and make informed decisions to ensure appropriate security in alignment with risk. What kind of threat intelligence is described above?
a. Tactical Threat Intelligence
b. Strategic Threat Intelligence
c. Operational Threat Intelligence
d. Functional Threat Intelligence

21. Mike is an incident handler for PNP Infosystems Inc. One day, there was a ticket raised regarding a critical incident and Mike was assigned to handle the incident. During the process of incident handling, at one stage, he performed incident analysis and validation to check whether the incident is a true incident or a false positive. Identify the stage he is currently in.
a. Incident Disclosure
b. Incident Recording and Assignment
c. Incident Triage
d. Post-Incident Activities

22. Which of the following attacks can be eradicated by filtering improper XML syntax?
a. CAPTCHA Attacks
b. Insufficient Logging and Monitoring Attacks
c. Web Services Attacks
d. SQL Injection Attacks

23. Chloe, a SOC analyst with Jake Tech, is checking Linux system logs. She is investigating files at /var/log/wtmp. What is Chloe looking at?
a. General message and system-related stuff
b. Error log
c. Login records
d. System boot log
24. Emmanuel is working as a SOC analyst in a company named Tobey Tech. The manager of Tobey Tech recently recruited an Incident Response Team (IRT) for his company. In the process of collaboration with the IRT, Emmanuel just escalated an incident to the IRT. What is the first step that the IRT will take on the incident escalated by Emmanuel?
a. Incident Prioritization
b. Incident Recording
c. Incident Analysis and Validation
d. Incident Classification

25. What is the process of monitoring and capturing all data packets passing through a given network using different tools?
a. Network Scanning
b. DNS Footprinting
c. Port Scanning
d. Network Sniffing

26. John, a threat analyst at GreenTech Solutions, wants to gather information about specific threats against the organization. He started collecting information from various sources, such as humans, social media, chat rooms, and so on, and created a report that contains malicious activity. Which of the following types of threat intelligence did he use?
a. Technical Threat Intelligence
b. Tactical Threat Intelligence
c. Strategic Threat Intelligence
d. Operational Threat Intelligence

27. Ray is a SOC analyst in a company named Queens Tech. One day, Queens Tech is affected by a DoS/DDoS attack. For the containment of this incident, Ray and his team are trying to provide additional bandwidth to the network devices and increase the capacity of the servers. What are Ray and his team doing?
a. Degrading the Services
b. Blocking the Attacks
c. Diverting the Traffic
d. Absorbing the Attack

28. Properly applied cyber threat intelligence helps the SOC team in discovering TTPs. What do these TTPs refer to?
a. Tactics, Threats and Procedures
b. Tactics, Targets, and Process
c. Tactics, Techniques, and Procedures
d. Targets, Threats, and Process

29. Which of the following incidents are reported under the CAT 5 federal agency category?
a. Denial-of-Service (DoS)
b. Exercise/Network Defense Testing
c. Malicious Code
d. Scans/Probes/Attempted Access

30. Which of the following attacks can be eradicated by converting all non-alphanumeric characters to HTML character entities before displaying the user input in search engines and forums?
a. Web Services Attacks
b. Broken Access Control Attacks
c. Session Management Attacks
d. XSS Attacks

31. Banter is a threat analyst in Christine Group of Industries. As a part of the job, he is currently formatting and structuring the raw data. He is at which stage of the threat intelligence life cycle?
a. Dissemination and Integration
b. Analysis and Production
c. Processing and Exploitation
d. Collection

32. An organization is implementing and deploying the SIEM with the following capabilities. What kind of SIEM deployment architecture is the organization planning to implement?
a. Self-hosted, MSSP Managed
b. Self-hosted, Self-Managed
c. Cloud, MSSP Managed
d. Self-hosted, Jointly Managed

33. What does the Security Log Event ID 4624 of Windows 10 indicate?
a. An account was successfully logged on
b. Service added to the endpoint
c. New process executed
d. A share was assessed

34. Identify the password cracking attempt involving a precomputed dictionary of plaintext passwords and their corresponding hash values to crack the password.
a. Bruteforce Attack
b. Syllable Attack
c. Rainbow Table Attack
d. Dictionary Attack

35. If the SIEM generates the following four alerts at the same time:
I. Firewall blocking traffic from getting into the network alerts
II. SQL injection attempt alerts
III. Data deletion attempt alerts
IV. Brute-force attempt alerts
a. I
b. II
c. IV
d. III

36. Bonney's system has been compromised by a gruesome malware. What is the primary step that is advisable to Bonney in order to contain the malware incident from spreading?
a. Leave it to the network administrators to handle
b. Call the legal department in the organization and inform them about the incident
c. Complain to the police in a formal way regarding the incident
d. Turn off the infected machine

37. Identify the attack in which the attacker exploits a target system through publicly known but still unpatched vulnerabilities.
a. Slow DoS Attack
b. DNS Poisoning Attack
c. Zero-Day Attack
d. DHCP Starvation

38. What is the correct sequence of the SOC Workflow?
a. Collect, Ingest, Validate, Document, Report, Respond
b. Collect, Ingest, Document, Validate, Report, Respond
c. Collect, Respond, Validate, Ingest, Report, Document
d. Collect, Ingest, Validate, Report, Respond, Document

39. Which of the following is a default directory in Mac OS X that stores security-related logs?
a. /var/log/cups/access_log
b. ~/Library/Logs
c. /Library/Logs/Sync
d. /private/var/log

40. Which of the following directories will contain logs related to printer access?
a. /var/log/cups/access_log file
b. /var/log/cups/Printer_log file
c. /var/log/cups/Printeraccess_log file
d. /var/log/cups/accesslog file

41. David is a SOC analyst in Karen Tech. One day an attack is initiated by the intruders but David was not able to find any suspicious events. This type of incident is categorized as?
a. False Positive Incidents
b. True Positive Incidents
c. True Negative Incidents
d. False Negative Incidents

42. Which of the following factors determines the choice of SIEM architecture?
a. DNS Configuration
b. DHCP Configuration
c. SMTP Configuration
d. Network Topology

43. Which of the following Windows events is logged every time a user tries to access the "Registry" key?
a. 4660
b. 4657
c. 4656
d. 4663

44. Which of the following attacks can be eradicated by disabling "allow_url_fopen" and "allow_url_include" in the php.ini file?
a. File Injection Attacks
b. URL Injection Attacks
c. LDAP Injection Attacks
d. Command Injection Attacks

45. Identify the event severity level in Windows logs for the events that are not necessarily significant, but may indicate a possible future problem.
a. Error
b. Warning
c. Failure Audit
d. Information

46. Robin, a SOC engineer in a multinational company, is planning to implement a SIEM. He realized that his organization is capable of performing only the Correlation, Analytics, Reporting, Retention, Alerting, and Visualization required for the SIEM implementation and has to take collection and aggregation services from a Managed Security Services Provider (MSSP). What kind of SIEM is Robin planning to implement?
a. Cloud, Self-Managed
b. Hybrid Model, Jointly Managed
c. Self-hosted, MSSP Managed
d. Self-hosted, Self-Managed

47. In which phase of Lockheed Martin's Cyber Kill Chain Methodology does the adversary create a deliverable malicious payload using an exploit and a backdoor?
a. Weaponization
b. Exploitation
c. Delivery
d. Reconnaissance

48. Which of the following processes refers to the discarding of packets at the routing level without informing the source that the data did not reach its intended recipient?
a. Rate Limiting
b. Drop Requests
c. Black Hole Filtering
d. Load Balancing

49. Wesley is an incident handler in a company named Maddison Tech. One day, he was learning techniques for eradicating insecure deserialization attacks. Which of the following should Wesley avoid considering?
a. Validate untrusted input, which is to be serialized, to ensure that serialized data contains only trusted classes
b. Allow serialization for security-sensitive classes
c. Deserialization of trusted data must cross a trust boundary
d. Understand the security permissions given to serialization and deserialization

50. John, a SOC analyst, is worried about the amount of Tor traffic hitting the network. He wants to prepare a dashboard in the SIEM to get a graph to identify the locations from where
the Tor traffic is coming. Which of the following data sources will he use to prepare the dashboard?
a. DNS/Web Server logs with IP addresses
b. IIS/Web Server logs with IP addresses and user agent IP-to-user-agent resolution
c. DHCP/Logs capable of maintaining IP addresses or hostnames with IP-to-Name resolution
d. Apache/Web Server logs with IP addresses and Host Name

51. Which of the following is a report writing tool that will help incident handlers to generate efficient reports on detected incidents during the incident response process?
a. IntelMQ
b. Malstrom
c. threat_note
d. MagicTree

52. Which of the following is a Threat Intelligence Platform?
a. Apility.io
b. Keepnote
c. TC Complete
d. SolarWinds MS

53. Charline is working as an L2 SOC Analyst. One day, an L1 SOC Analyst escalated an incident to her for further investigation and confirmation. Charline, after a thorough investigation, confirmed the incident and assigned it an initial priority. What would be her next action according to the SOC workflow?
a. She should immediately contact the network administrator to solve the problem
b. She should formally raise a ticket and forward it to the IRT
c. She should communicate this incident to the media immediately
d. She should immediately escalate this issue to the management

54. Which of the following formulas is used to calculate the EPS of the organization?
a. EPS = average number of correlated events / time in seconds
b. EPS = number of correlated events / time in seconds
c. EPS = number of security events / time in seconds
d. EPS = number of normalized events / time in seconds

55. Which of the following attacks can be eradicated by using a safe API to avoid the use of the interpreter entirely?
a. LDAP Injection Attacks
b. SQL Injection Attacks
c. Command Injection Attacks
d. File Injection Attacks
56. Identify the type of attack an attacker is attempting on the www.example.com website.
a. Denial-of-Service
b. Cross-site Scripting Attack
c. SQL Injection
d. Session Attack

57. Identify the HTTP status codes that represent a server error.
a. 2XX
b. 1XX
c. 5XX
d. 4XX

58. Jason, a SOC Analyst with Maximus Tech, was investigating Cisco ASA Firewall logs and came across the following log entry:
May 06 2018 21:27:27 asa 1: %ASA-5-11008: User 'enable_15' executed the 'configure term' command
What does the security level in the above log indicate?
a. Informational message
b. Critical condition message
c. Warning condition message
d. Normal but significant message

59. Daniel is a member of an IRT, which was started recently in a company named Mesh Tech. He wanted to find the purpose and scope of the planned incident response capabilities. What is he looking for?
a. Incident Response Vision
b. Incident Response Resources
c. Incident Response Mission
d. Incident Response Intelligence

60. Which of the following commands is used to enable logging in iptables?
a. $ iptables -B INPUT -j LOG
b. $ iptables -A OUTPUT -j LOG
c. $ iptables -A INPUT -j LOG
d. $ iptables -B OUTPUT -j LOG

61. Which of the following data sources will a SOC Analyst use to monitor connections to insecure ports?
a. IIS Data
b. Netstat Data
c. DNS Data
d. DHCP Data

62. What does [-n] in the following Check Point firewall log syntax represent?
fw log [-f [-t]] [-n] [-l] [-o] [-c action] [-h host] [-s starttime] [-e endtime] [-b starttime endtime] [-u unification_scheme_file] [-m unification_mode(initial|semi|raw)] [-a] [-k (alert_name|all)] [-g] [logfile]
a. Display detailed log chains (all the log segments a log record consists of)
b. Display both the date and the time for each log record
c. Speed up the process by not performing DNS resolution of IP addresses in the log files
d. Display account log records only

63. Which of the following data sources can be used to detect the traffic associated with Bad Bot User-Agents?
a. Web Server Logs
b. Router Logs
c. Switch Logs
d. Windows Event Logs

64. Which of the following types of threat intelligence are used by a SIEM for supplying the analysts with context and "situational awareness" by using threat actor TTPs, malware campaigns, and tools used by threat actors?
1. Strategic threat intelligence
2. Tactical threat intelligence
3. Operational threat intelligence
4. Technical threat intelligence
a. 1 and 2
b. 2 and 3
c. 1 and 3
d. 3 and 4

65. Which of the following event detection techniques uses User and Entity Behavior Analytics (UEBA)?
a. Heuristic-based detection
b. Anomaly-based detection
c. Rule-based detection
d. Signature-based detection

66. Which of the following steps of the incident handling and response process focuses on limiting the scope and extent of an incident?
a. Eradication
b. Data Collection
c. Containment
d. Identification

67. Which of the following Windows Event IDs will help you monitor file sharing across the network?
a. 4625
b. 5140
c. 4624
d. 7045

68. A type of threat intelligence that finds out information about the attacker by misleading them is known as:
a. Counter Intelligence
b. Detection Threat Intelligence
c. Threat trending Intelligence
d. Operational Intelligence

69. John, a SOC analyst, wants to monitor process creation activities from any of their Windows endpoints. Which of the following Splunk queries will help him fetch related logs associated with process creation?
a. index=windows LogName=Security EventCode=5688 NOT (Account_Name=*$) … …
b. index=windows LogName=Security EventCode=3688 NOT (Account_Name=*$) … … …
c. index=windows LogName=Security EventCode=4688 NOT (Account_Name=*$) … … …
d. index=windows LogName=Security EventCode=4678 NOT (Account_Name=*$) … … … …

70. Which encoding replaces unusual ASCII characters with "%" followed by the character's two-digit ASCII code expressed in hexadecimal?
a. Base64 Encoding
b. Unicode Encoding
c. UTF Encoding
d. URL Encoding

71. Which of the following stages is executed after identifying the required event sources?
a. Identifying the monitoring requirements
b. Implementing and testing the use case
c. Validating the event source against monitoring requirements
d. Defining rules for the use case

72. What does HTTP status code 403 represent?
a. Not Found Error
b. Internal Server Error
c. Unauthorized Error
d. Forbidden Error

73. The Syslog message severity levels are labelled from level 0 to level 7. What does level 0 indicate?
a. Emergency
b. Debugging
c. Alert
d. Notification

74. What do the HTTP status codes 1XX represent?
a. Informational message
b. Redirection
c. Client error
d. Success

75. Which of the following fields in Windows logs defines the type of event that occurred, such as Correlation Hint, Response Time, SQM, WDI Context, and so on?
a. Keywords
b. Task Category
c. Level
d. Source

76. Which of the following contains the performance measures, and proper project and time management details?
a. Incident Response Tactics
b. Incident Response Procedures
c. Incident Response Process
d. Incident Response Policy

77. According to the forensics investigation process, what is the next step carried out right after collecting the evidence?
a. Set up a forensic lab
b. Create a Chain of Custody document
c. Send it to the nearby police station
d. Call the Organizational Disciplinary Team

78. Which of the following attacks inundates DHCP servers with fake DHCP requests to exhaust all available IP addresses?
a. DHCP Starvation Attack
b. DHCP Cache Poisoning
c. DHCP Spoofing Attack
d. DHCP Port Stealing

79. Harley is working as a SOC analyst with Powell Tech. Powell Inc. is using Internet Information Services (IIS) version 7.0 to host their website. Where will Harley find the web server logs, if he wants to investigate them for any anomalies?
a. SystemDrive%\LogFiles\inetpub\logs\W3SVCN
b. %SystemDrive%\LogFiles\logs\W3SVCN
c. SystemDrive%\inetpub\logs\LogFiles\W3SVCN
d. SystemDrive%\inetpub\LogFiles\logs\W3SVCN

80. Which of the following is a set of standard guidelines for ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection?
a. HIPAA
b. PCI-DSS
c. DARPA
d. FISMA

81. Shawn is a security manager working at Lee Inc Solution. His organization wants to develop a threat intelligence strategy plan. As a part of the threat intelligence strategy plan, he suggested various components, such as threat intelligence requirement analysis, intelligence and collection planning, asset identification, threat reports, and intelligence buy-in. Which one of the following components should he include in the above threat intelligence strategy plan to make it effective?
a. Threat buy-in
b. Threat pivoting
c. Threat boosting
d. Threat trending

82. According to the Risk Matrix table, what will be the risk level when the probability of an attack is very high, and the impact of that attack is major?
a. High
b. Low
c. Extreme
d. Medium

83. Which of the following is a correct flow of the stages in an incident handling and response (IH&R) process?
a. Containment --> Incident Recording --> Incident Triage --> Preparation --> Recovery --> Eradication --> Post-Incident Activities
b. Incident Recording --> Preparation --> Containment --> Incident Triage --> Recovery --> Eradication --> Post-Incident Activities
c. Incident Triage --> Eradication --> Containment --> Incident Recording --> Preparation --> Recovery --> Post-Incident Activities
d. Preparation --> Incident Recording --> Incident Triage --> Containment --> Eradication --> Recovery --> Post-Incident Activities

84. Which of the following log storage methods arranges event logs in the form of a circular buffer?
a. Wrapping
b. Non-wrapping
c. FIFO
d. LIFO

85. Which of the following tools can be used to filter web requests associated with the SQL Injection attack?
a. Hydra
b. UrlScan
c. ZAP proxy
d. Nmap

86. Which of the following techniques involves scanning the headers of IP packets leaving a network to make sure that unauthorized or malicious traffic never leaves the internal network?
a. Rate Limiting
b. Ingress Filtering
c. Egress Filtering
d. Throttling
87. Rinni, a SOC analyst, while monitoring IDS logs, detected events shown in the figure below.
What does this event log indicate?
a. Directory Traversal Attack
b. Parameter Tampering Attack
c. SQL Injection Attack
d. XSS Attack

88. Which attack works like a dictionary attack, but adds some numbers and symbols to the words from the dictionary and tries to crack the password?
a. Birthday Attack
b. Rainbow Table Attack
c. Hybrid Attack
d. Bruteforce Attack

89. Which of the following frameworks describes the essential characteristics of an organization's security engineering process that must exist to ensure good security engineering?
a. ITIL
b. SSE-SMM
c. COBIT
d. SOC-CMM

90. InfoSystem LLC, a US-based company, is establishing an in-house SOC. John has been given the responsibility to finalize strategy, policies, and procedures for the SOC. Identify the job role of John.
a. Security Engineering
b. Security Analyst—L1
c. Security Analyst—L2
d. Chief Information Security Officer (CISO)

91. Which of the following security technologies is used to attract and trap people who attempt unauthorized or illicit utilization of the host system?
a. Intrusion Detection System
b. De-Militarized Zone (DMZ)
c. Honeypot
d. Firewall

92. Which of the following Windows features is used to enable Security Auditing in Windows?
a. Windows Defender
b. Bitlocker
c. Local Group Policy Editor
d. Windows Firewall

93. Which one of the following is the correct flow for Setting Up a Computer Forensics Lab?
a. Planning and budgeting - Physical location and structural design considerations - Work area considerations - Human resources consideration - Physical security recommendations - Forensics lab licensing
b. Planning and budgeting - Physical location and structural design considerations - Forensics lab licensing - Human resources consideration - Work area considerations - Physical security recommendations
c. Planning and budgeting - Forensics lab licensing - Physical location and structural design considerations - Work area considerations - Physical security recommendations - Human resources consideration
d. Planning and budgeting - Physical location and structural design considerations - Forensics lab licensing - Work area considerations - Human resources consideration - Physical security recommendations

94. Identify the attack where an attacker tries to discover all the possible information about a target network before launching a further attack.
a. Ransomware Attack
b. DoS Attack
c. Reconnaissance Attack
d. Man-in-the-Middle Attack

95. A US federal agency network was the target of a DoS attack that prevented and impaired the normal authorized functionality of the networks. According to the agency's reporting timeframe guidelines, this incident should be reported within two (2) hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate the activity. Which incident category of US federal agency does this incident belong to?
a. CAT 6
b. CAT 1
c. CAT 5
d. CAT 2

96. In which log collection mechanism does the system or application send log records either to the local disk or over the network?
a. Push-based
b. Pull-based
c. Rule-based
d. Signature-based

97. An attacker exploits the logic validation mechanisms of an e-commerce website. He successfully purchases a product worth $100 for $10 by modifying the URL exchanged between the client and the server.
Original URL: http://www.buyonline.com/product.aspx?profile=12&debit=100
Modified URL: http://www.buyonline.com/product.aspx?profile=12&debit=10
Identify the attack depicted in the above scenario.
a. Session Fixation Attack
b. Denial-of-Service Attack
c. Parameter Tampering Attack
d. SQL Injection Attack

98. Juliea, a SOC Analyst, while monitoring logs, noticed large TXT, NULL payloads. What does this indicate?
a. DNS Exfiltration Attempt
b. Covering Tracks Attempt
c. Concurrent VPN Connections Attempt
d. DHCP Starvation Attempts

99. According to the Risk Matrix table, what will be the risk level when the probability of an attack is very low and the impact of that attack is major?
a. Medium
b. Low
c. Extreme
d. High

100. Which of the following attacks causes sudden changes in file extensions or an increase in file renames at rapid speed?
a. DHCP Starvation Attack
b. DoS Attack
c. Ransomware Attack
d. File Injection Attack