Examples of scanning include:

Select $4$ correct answer$($s$)$

Question $1$ options:

SMB Enumeration

NMAP and ARP Scanning

Use of CLI commands like $-$sS$,-$sU$,$ and $-6$

Searches for open ports

Question $2$

From the following list, select all the places where you might find evidence of scanning attempts.

Question $2$ options:

Router Logs

DNS logs

VOIP$/$VTC logs

Firewall logs

Question $3$

This activity in the reconnaissance phase will identify live hosts and IP addresses

Question $3$ options:

Vulnerability Scanning

Port Scanning

Ping Sweep

None of the above

Question$4$

You are the network administrator at American Express. Your best attitude to cyber defense is to assume that adversaries are already resident on your network.

Question $4$ options:

TrueFalse

Question $5$

As a threat hunter you discovered an IP address inside the perimeter with the highest number of external connections; that also has extremely long connection times; and transfers significant numbers of large TCP packets out of the network. You determine this is perfectly normal.

Question $5$ options:

True

False

Question $6$

Network Security Monitoring $($NSM$)$ can be used for which of the following purposes?

Question $6$ options:

Connecting the dots between seemingly disparate information.

Detecting indications of abnormal network activity.

Monitoring traffic into and out of network$-$based assets containing sensitive information.

All of the above

Question $7$

The TCP three$-$way handshake refers to the TCP header with certain flags set and exchanged in a particular order. Place the flags in their proper order.

Question $7$ options:

$1$

$2$

$3$

SYN ACK$1$

$2$

$3$

SYN$1$

$2$

$3$

ACK

Question $8$

Snort is used to detect anomalous network activity based on which of the following?

Question $8$ options:

Signatures

Behaviors

Alerts

None of the above

Question $9$

One limitation of Snort is that it cannot be used to alert on blacklisted IP addresses.

Question $9$ options:

True

False

Question $10$

Signs of excessive failed logon attempts from external IP addresses fits into which stage of the cyber kill chain?

Question $10$ options:

Reconnaissance

Weaponization

Actions on Objectives

Command and Control

Question $11$

Review the Security Onion Dashboards for the range of June $01$ to August $312018.$ Select the "Security Onion $-$ Alerts $-$ Suricata" Dashboard. In the "Security Onion $-$ Rule $-$ Name" tile find the $"$ET MALWARE Possible Metasploit Payload Common Construct Bind$\_$API $($from server$)"$ link. Hover over it to get the plus sign. Click the plus sign.

From the options below, select the three $(3)$ Destination IP addresses which received the payload.

Question $11$ options:

$10\mathrm{.}252\mathrm{.}9\mathrm{.}131$

$10\mathrm{.}139\mathrm{.}205\mathrm{.}204$

$10\mathrm{.}252\mathrm{.}4\mathrm{.}249$

$10\mathrm{.}252\mathrm{.}4\mathrm{.}130$

Question $12$

While reviewing the Kibana web interface you notice SIP traffic on port $5060.$ Select the correct answer from the list below.

Question $12$ options:

This is evidence of port scanning

None of the selections are correct

This is anomalous behavior and warrants investigation.

This is normal VoIP traffic.

Question $13$

Review the Security Onion Dashboards for the range of June $01$ to August $312018.$ Select the "Security Onion $-$ Alerts" Dashboard. In the "Security Onion $-$ Rule $-$ Category" find the "Potential Corporate Privacy Violation" link. Hover over it to get the plus sign. Click the plus sign.

From the options below, select the two $(2)$ rules that generated the alert.

Question $13$ options:

ET POLICY PE EXE or DLL Windows file download HTTP

ET POLICY DNS Update From External net

ET SCAN Suspicious inbound to Oracle SQL port $1521$

Generic Protocol Command Decode

Question $14$

Your firewall does not allow ICMP requests. What else should you look for that might indicate enumeration is ongoing?

Question $14$ options:

ARP

SMTP

HTTPS on port $443$

None of the above

Question $15$

Review the Security Onion Dashboards for the range of June $01$ to August $312018.$ Select the "Security Onion $-$ RDP$"$ Dashboard. From the options below, select the source IP addresses from the Deepship network initiating Remote Desktop connections.

Question $15$ options:

$10\mathrm{.}139\mathrm{.}58\mathrm{.}240$

$10\mathrm{.}252\mathrm{.}2\mathrm{.}194$

$192\mathrm{.}168\mathrm{.}37\mathrm{.}121$

$10\mathrm{.}252\mathrm{.}1\mathrm{.}60$

Question $16$

If we cannot prevent a breach $100\%$ of the time, we must decrease the dwell time of the adversary.

Question $16$ options:

True

False

Question $17$

From the list below select all that apply to the Applied Collection Framework $($ACF$)$

Question $17$ options:

Define Threats

Quantify Risks

Identify Data Feeds

Narrow the Focus

Question $18$

An attacker already on the network can completely hide data exfiltration by encrypting the data stream. Encryption will make the data exfiltration impossible to find.

Question $18$ options:

True

False

Question $19$

You are reviewing network activity through the Kibana web interface. You see that a server in the DMZ is sending TCP SYN packets to an internal IP address. Select the correct answer from the list below.