SANS GCIH (SEC504) UPDATED Exam
Questions and CORRECT Answers
Who should make the decision of when to put a system back into production?
A) Systems administrators
B) Business team
C) Security team
D) Data owner - CORRECT ANSWER - B) Business team
Which command will display ASCII and Unicode strings within a malware sample?
A) cat
B) Get-Strings
C) strings
D) findstr - CORRECT ANSWER - C) strings
Which type of system is most commonly used to investigate malware?
A) Virtual machine
B) Day-to-day host
C) Thick client
D) Production system - CORRECT ANSWER - A) Virtual machine
If you believe your system has been the victim of a rootkit attack, what is the most cost-effective
form of eradication?
A) Restore the OS from the most recent backup.
,B) Reformat, reinstall, and patch the system from the original media.
C) Patch and reboot the compromised system.
D) Install applications from a different vendor. - CORRECT ANSWER - B) Reformat,
reinstall, and patch the system from the original media.
What tool is used to record the state of the registry before and after malware is executed on an
analysis system?
A) Regshot
B) Ollydbg
C) Wireshark
D) Regripper - CORRECT ANSWER - A) Regshot
What method could be used to ensure that an asset under investigation is not put back into
production without approval before the investigation is complete?
A) Move the asset to a different cloud data center.
B) Terminate the asset.
C) Shut off all administrative access to the cloud environment so no admins can make changes.
D) Add an "under investigation" tag to the asset. - CORRECT ANSWER - D) Add an
"under investigation" tag to the asset.
During the remediation phase of incident response, you remove a file from your infected web
server. What is the most important additional thing to do to prevent being compromised again?
A) Determine the root cause of the attack.
B) Review your host-based firewall rules.
C) Restore the host data from backups.
D) Apply patches and harden the system. - CORRECT ANSWER - A) Determine the root
cause of the attack.
,Why is performing memory analysis on RAM images a staple of investigations?
A) Valuable information may exist in RAM, which might not be found on disk.
B) Speed - Evidence from a RAM image will match disk content.
C) RAM provides more consistent images than disk.
D) It's easier to look for historical information in RAM than on disk. - CORRECT
ANSWER - A) Valuable information may exist in RAM, which might not be found on
disk.
An investigator identifies the following POST request. Which log recorded the activity?
1583050850.951 185 192.168.40.123 TCP_MISS/200 1856 POST
https://update.googleapis.com/service/update2? -ORIGINAL_DST/172.219.10.153 text/xml
A) Switch access log
B) Regshot event log
C) Proxy access log
D) Windows event log - CORRECT ANSWER - C) Proxy access log
What are two basic approaches commonly employed when investigating malware?
A) Running a penetration test and running a vulnerability scan.
B) Monitoring the environment and examining code.
C) Taking the environment offline and restoring from backups.
D) Performing a risk assessment and confirming a possible exploit type. - CORRECT
ANSWER - B) Monitoring the environment and examining code.
What step should always be taken first during an incident?
, A) Identifying which systems are unpatched.
B) Verifying whether an incident occurred.
C) Determining which threat intelligence feeds to query.
D) Choosing which systems to rebuild. - CORRECT ANSWER - B) Verifying whether an
incident occurred.
In what way is logging API access to a cloud environment a major incident response benefit?
A) It helps to provide detailed insight into network activity for analysis.
B) It helps to understand the scope of the breach and the actions taken by an attacker.
C) It provides verification of breached data access.
D) It provides full packet capture visibility. - CORRECT ANSWER - B) It helps to
understand the scope of the breach and the actions taken by an attacker.
API access logs include all programmatic access to cloud services, identity and key use, and a
record of attacker tactics used to exploit the cloud. These are the most useful data for
understanding the scope of a breach and the actions taken by the attacker.
In a packet capture, an analyst observes that a system sent a frequent, small, outbound
communication to a known bad IP, over a seven-day period. What type of behavior is possibly
occurring?
A) Ack scan
B) Fragmentation
C) Beaconing
D) Traceroute - CORRECT ANSWER - C) Beaconing
What are the phases of incident handling, in order, in the classic six-step incident response
process?
Questions and CORRECT Answers
Who should make the decision of when to put a system back into production?
A) Systems administrators
B) Business team
C) Security team
D) Data owner - CORRECT ANSWER - B) Business team
Which command will display ASCII and Unicode strings within a malware sample?
A) cat
B) Get-Strings
C) strings
D) findstr - CORRECT ANSWER - C) strings
Which type of system is most commonly used to investigate malware?
A) Virtual machine
B) Day-to-day host
C) Thick client
D) Production system - CORRECT ANSWER - A) Virtual machine
If you believe your system has been the victim of a rootkit attack, what is the most cost-effective
form of eradication?
A) Restore the OS from the most recent backup.
,B) Reformat, reinstall, and patch the system from the original media.
C) Patch and reboot the compromised system.
D) Install applications from a different vendor. - CORRECT ANSWER - B) Reformat,
reinstall, and patch the system from the original media.
What tool is used to record the state of the registry before and after malware is executed on an
analysis system?
A) Regshot
B) Ollydbg
C) Wireshark
D) Regripper - CORRECT ANSWER - A) Regshot
What method could be used to ensure that an asset under investigation is not put back into
production without approval before the investigation is complete?
A) Move the asset to a different cloud data center.
B) Terminate the asset.
C) Shut off all administrative access to the cloud environment so no admins can make changes.
D) Add an "under investigation" tag to the asset. - CORRECT ANSWER - D) Add an
"under investigation" tag to the asset.
During the remediation phase of incident response, you remove a file from your infected web
server. What is the most important additional thing to do to prevent being compromised again?
A) Determine the root cause of the attack.
B) Review your host-based firewall rules.
C) Restore the host data from backups.
D) Apply patches and harden the system. - CORRECT ANSWER - A) Determine the root
cause of the attack.
,Why is performing memory analysis on RAM images a staple of investigations?
A) Valuable information may exist in RAM, which might not be found on disk.
B) Speed - Evidence from a RAM image will match disk content.
C) RAM provides more consistent images than disk.
D) It's easier to look for historical information in RAM than on disk. - CORRECT
ANSWER - A) Valuable information may exist in RAM, which might not be found on
disk.
An investigator identifies the following POST request. Which log recorded the activity?
1583050850.951 185 192.168.40.123 TCP_MISS/200 1856 POST
https://update.googleapis.com/service/update2? -ORIGINAL_DST/172.219.10.153 text/xml
A) Switch access log
B) Regshot event log
C) Proxy access log
D) Windows event log - CORRECT ANSWER - C) Proxy access log
What are two basic approaches commonly employed when investigating malware?
A) Running a penetration test and running a vulnerability scan.
B) Monitoring the environment and examining code.
C) Taking the environment offline and restoring from backups.
D) Performing a risk assessment and confirming a possible exploit type. - CORRECT
ANSWER - B) Monitoring the environment and examining code.
What step should always be taken first during an incident?
, A) Identifying which systems are unpatched.
B) Verifying whether an incident occurred.
C) Determining which threat intelligence feeds to query.
D) Choosing which systems to rebuild. - CORRECT ANSWER - B) Verifying whether an
incident occurred.
In what way is logging API access to a cloud environment a major incident response benefit?
A) It helps to provide detailed insight into network activity for analysis.
B) It helps to understand the scope of the breach and the actions taken by an attacker.
C) It provides verification of breached data access.
D) It provides full packet capture visibility. - CORRECT ANSWER - B) It helps to
understand the scope of the breach and the actions taken by an attacker.
API access logs include all programmatic access to cloud services, identity and key use, and a
record of attacker tactics used to exploit the cloud. These are the most useful data for
understanding the scope of a breach and the actions taken by the attacker.
In a packet capture, an analyst observes that a system sent a frequent, small, outbound
communication to a known bad IP, over a seven-day period. What type of behavior is possibly
occurring?
A) Ack scan
B) Fragmentation
C) Beaconing
D) Traceroute - CORRECT ANSWER - C) Beaconing
What are the phases of incident handling, in order, in the classic six-step incident response
process?
