CYSA+ C-002 UPDATED ACTUAL Questions and CORRECT Answers
- Discovering the threat's motivation
- Conducting a trend analysis to identify emerging adver-
How can you determine the Likelihood of a threat?
sary capabilities and attack vectors
_Determining the threat's annual rate of occurrence (ARO)
Which part of the Kill Chain does this describe: The adver-
sary gathers information about the network using network
Reconnaissance probes, Open Source Intelligence (OSINT), and social en-
gineering. The aim is to map an attack surface and identify
potential attack vectors.
which part of the Kill Chain does this describe: The
weaponized code is inserted into the environment using a
Delivery
selected attack vector, such as email attachment, phishing
website/download, USB media, and so on
Which part of the Kill Chain does this describe: The adver-
sary codes an exploit to take advantage of a vulnerability
Weaponization that has been discovered through reconnaissance. The
exploit code is coupled with a payload that will assist the
attacker in maintaining and extending covert access.
Which part of the Kill Chain does this describe: The
Exploitation weaponized code is executed on the target system and
gains the capability to deliver the payload.
Which part of the Kill Chain does this describe: This mech-
Installation anism enables the weaponized code to run a remote ac-
cess tool and achieve persistence on the target system.
Which part of the Kill Chain does this describe: The
weaponized code establishes an outbound channel to a
Command and control (C2 or C&C) remote server that can then be used to control the re-
mote access tool and possibly download additional tools
to progress the attack.
Actions on objectives
,Which part of the Kill Chain does this describe: In this
phase, the attacker typically uses the access he has
achieved to covertly collect information from target sys-
tems and transfer it to a remote system (data exfiltration).
An attacker may have other goals or motives, however.
Requirements, Design, Implementation, Verification, Test-
what are the steps in the Waterfall SDLC
ing, Maintenance, Retirement
Concept, Inception, Iteration (Design, Develop, Test, De-
What are the steps in the Agile SDLC
ploy) Transition, Production, Retirement
xinetd What program starts services on a Linux machine
Which of the following is a senior role with the ultimate re-
Data Owner sponsibility for maintaining confidentiality, integrity, and
availability in a system?
Who is primarily responsible for data quality. This involves
ensuring data are labeled and identified with appropriate
data steward metadata. That data is collected and stored in a format
and with values that comply with applicable laws and
regulations.
who has the role that handles managing the system on
which the data assets are stored. This includes responsi-
data custodian
bility for enforcing access control, encryption, and back-
up/recovery measures.
who is responsible for oversight of any PII/SPI/PHI assets
privacy oflcer
managed by the company.
Which Intrusion analysis framework explores the relation-
Diamon model ship between four core features: adversary, capability, in-
frastructure and victim
adversary, capability, infrastructure, and victim What are the four features of the diamond model
, True or False: STIX provides a A framework for analyzing
True
cybersecurity incidents. It is expressed in JSON.
This protocol provides a means for transmitting CTI data
TAXII
between servers and clients over HTTPS and a REST API.
What tool is used as a passive network monitor that
Zeek(bro) records metadata about the traflc. It saves space by only
recording things of interest in JSON format.
a tool used to gather information about data flowing
NetFlow
through a network.
Preparation, Detection and Analysis, Containment, Eradi-
What are the 5 phases of incident response?
cation and Recovery, Post-incident activity
What phase of the incident response process make the
system resilient to attack in the first place. This includes
hardening systems, writing policies and procedures, and
preparation
setting up confidential lines of communication. It also
implies creating incident response resources and proce-
dures
What phase of the incident response process determine
whether an incident has taken place and assess how se-
Detection and Analysis
vere it might be (triage), followed by notification of the
incident to stakeholders.
What phase of the incident response process Limit the
scope and magnitude of the incident. The principal aim
Containment
of incident response is to secure data while limiting the
immediate impact on customers and business partners.
What phase of the incident response process Once the
incident is contained, the cause can be removed, and
Eradication and Recovery
the system brought back to a secure state. The response
process may have to iterate through multiple phases of
- Discovering the threat's motivation
- Conducting a trend analysis to identify emerging adver-
How can you determine the Likelihood of a threat?
sary capabilities and attack vectors
_Determining the threat's annual rate of occurrence (ARO)
Which part of the Kill Chain does this describe: The adver-
sary gathers information about the network using network
Reconnaissance probes, Open Source Intelligence (OSINT), and social en-
gineering. The aim is to map an attack surface and identify
potential attack vectors.
which part of the Kill Chain does this describe: The
weaponized code is inserted into the environment using a
Delivery
selected attack vector, such as email attachment, phishing
website/download, USB media, and so on
Which part of the Kill Chain does this describe: The adver-
sary codes an exploit to take advantage of a vulnerability
Weaponization that has been discovered through reconnaissance. The
exploit code is coupled with a payload that will assist the
attacker in maintaining and extending covert access.
Which part of the Kill Chain does this describe: The
Exploitation weaponized code is executed on the target system and
gains the capability to deliver the payload.
Which part of the Kill Chain does this describe: This mech-
Installation anism enables the weaponized code to run a remote ac-
cess tool and achieve persistence on the target system.
Which part of the Kill Chain does this describe: The
weaponized code establishes an outbound channel to a
Command and control (C2 or C&C) remote server that can then be used to control the re-
mote access tool and possibly download additional tools
to progress the attack.
Actions on objectives
,Which part of the Kill Chain does this describe: In this
phase, the attacker typically uses the access he has
achieved to covertly collect information from target sys-
tems and transfer it to a remote system (data exfiltration).
An attacker may have other goals or motives, however.
Requirements, Design, Implementation, Verification, Test-
what are the steps in the Waterfall SDLC
ing, Maintenance, Retirement
Concept, Inception, Iteration (Design, Develop, Test, De-
What are the steps in the Agile SDLC
ploy) Transition, Production, Retirement
xinetd What program starts services on a Linux machine
Which of the following is a senior role with the ultimate re-
Data Owner sponsibility for maintaining confidentiality, integrity, and
availability in a system?
Who is primarily responsible for data quality. This involves
ensuring data are labeled and identified with appropriate
data steward metadata. That data is collected and stored in a format
and with values that comply with applicable laws and
regulations.
who has the role that handles managing the system on
which the data assets are stored. This includes responsi-
data custodian
bility for enforcing access control, encryption, and back-
up/recovery measures.
who is responsible for oversight of any PII/SPI/PHI assets
privacy oflcer
managed by the company.
Which Intrusion analysis framework explores the relation-
Diamon model ship between four core features: adversary, capability, in-
frastructure and victim
adversary, capability, infrastructure, and victim What are the four features of the diamond model
, True or False: STIX provides a A framework for analyzing
True
cybersecurity incidents. It is expressed in JSON.
This protocol provides a means for transmitting CTI data
TAXII
between servers and clients over HTTPS and a REST API.
What tool is used as a passive network monitor that
Zeek(bro) records metadata about the traflc. It saves space by only
recording things of interest in JSON format.
a tool used to gather information about data flowing
NetFlow
through a network.
Preparation, Detection and Analysis, Containment, Eradi-
What are the 5 phases of incident response?
cation and Recovery, Post-incident activity
What phase of the incident response process make the
system resilient to attack in the first place. This includes
hardening systems, writing policies and procedures, and
preparation
setting up confidential lines of communication. It also
implies creating incident response resources and proce-
dures
What phase of the incident response process determine
whether an incident has taken place and assess how se-
Detection and Analysis
vere it might be (triage), followed by notification of the
incident to stakeholders.
What phase of the incident response process Limit the
scope and magnitude of the incident. The principal aim
Containment
of incident response is to secure data while limiting the
immediate impact on customers and business partners.
What phase of the incident response process Once the
incident is contained, the cause can be removed, and
Eradication and Recovery
the system brought back to a secure state. The response
process may have to iterate through multiple phases of
