Cisco CyberOps Associate 200-201 Questions & Answers

• Question 241:

  A SOC analyst is investigating an incident that involves a Linux system that is identifying specific sessions. Which identifier tracks an active program?

  A. application identification number

  B. active process identification number

  C. runtime identification number

  D. process identification number

  Correct Answer: D

• Question 242:

  What causes events on a Windows system to show Event Code 4625 in the log messages?

  A. The system detected an XSS attack

  B. Someone is trying a brute force attack on the network

  C. Another device is gaining root access to the system

  D. A privileged user successfully logged into the system

  Correct Answer: B

• Question 243:

  An engineer discovered a breach, identified the threat's entry point, and removed access. The engineer was able to identify the host, the IP address of the threat actor, and the application the threat actor targeted. What is the next step the engineer should take according to the NIST SP 800-61 Incident handling guide?

  A. Recover from the threat.

  B. Analyze the threat.

  C. Identify lessons learned from the threat.

  D. Reduce the probability of similar threats.

  Correct Answer: A

  Per: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

• Question 244:

  How does an SSL certificate impact security between the client and the server?

  A. by enabling an authenticated channel between the client and the server

  B. by creating an integrated channel between the client and the server

  C. by enabling an authorized channel between the client and the server

  D. by creating an encrypted channel between the client and the server

  Correct Answer: D

• Question 245:

  An analyst is exploring the functionality of different operating systems.

  What is a feature of Windows Management Instrumentation that must be considered when deciding on an operating system?

  A. queries Linux devices that have Microsoft Services for Linux installed

  B. deploys Windows Operating Systems in an automated fashion

  C. is an efficient tool for working with Active Directory

  D. has a Common Information Model, which describes installed hardware and software

  Correct Answer: D

• Question 246:

  What is the impact of false positive alerts on business compared to true positive?

  A. True positives affect security as no alarm is raised when an attack has taken place, while false positives are alerts raised appropriately to detect and further mitigate them.

  B. True-positive alerts are blocked by mistake as potential attacks, while False-positives are actual attacks Identified as harmless.

  C. False-positive alerts are detected by confusion as potential attacks, while true positives are attack attempts identified appropriately.

  D. False positives alerts are manually ignored signatures to avoid warnings that are already acknowledged, while true positives are warnings that are not yet acknowledged.

  Correct Answer: C

• Question 247:

  What is the difference between the ACK flag and the RST flag in the NetFlow log session?

  A. The RST flag confirms the beginning of the TCP connection, and the ACK flag responds when the data for the payload is complete

  B. The ACK flag confirms the beginning of the TCP connection, and the RST flag responds when the data for the payload is complete

  C. The RST flag confirms the receipt of the prior segment, and the ACK flag allows for the spontaneous termination of a connection

  D. The ACK flag confirms the receipt of the prior segment, and the RST flag allows for the spontaneous termination of a connection

  Correct Answer: D

• Question 248:

  Refer to the exhibit.

  

  An analyst received this alert from the Cisco ASA device, and numerous activity logs were produced. How should this type of evidence be categorized?

  A. indirect

  B. circumstantial

  C. corroborative

  D. best

  Correct Answer: C

  Indirect=circumstantail so there is no posibility to match A or B (only one answer is needed in this question). For suer it's not a BEST evidence - this FW data inform only of DROPPED traffic. If smth happend inside network, presented evidence could be used to support other evidences or make our narreation stronger but alone it's mean nothing.

• Question 249:

  DRAG DROP

  Drag and drop the definition from the left onto the phase on the right to classify intrusion events according to the Cyber Kill Chain model.

  Select and Place:

  

  Correct Answer:

  

  Delivery: This step involves transmitting the weapon to the target. Weaponization: In this step, the intruder creates a malware weapon like a virus, worm or such in order to exploit the vulnerabilities of the target. Depending on the target and the purpose of the attacker, this malware can exploit new, undetected vulnerabilities (also known as the zero-day exploits) or it can focus on a combination of different vulnerabilities. Reconnaissance: In this step, the attacker / intruder chooses their target. Then they conduct an in-depth research on this target to identify its vulnerabilities that can be exploited.

• Question 250:

  DRAG DROP

  Drag and drop the data source from the left onto the data type on the right.

  Select and Place:

  

  Correct Answer: