EXAM QUESTIONS AND VERIFIED ANSWERS GRADED A+ | ASSURED SUCCESS.
What team typically collects info to be analyzed for intelligence context during an intrusion investigation? - ANSWER-Incident responders
What 2 techniques can be used to pivot to kill chain phase 7 from phase 6 using network-based evidence? - ANSWER-Victim infrastructure pivoting
C2 decoding
What is victim infrastructure pivoting? - ANSWER-Searching available data sources for other suspicious network activity.
Give 2 preconditions for C2 decoding - ANSWER-Robust understanding of the C2 protocol
Complete data (full packet capture)
What 3 types of opportunity exist? - ANSWER-Technical (e.g. zero day)
Political (e.g. new president)
Logistical (e.g. merger of 2 companies)
What is the #1 key to sharing intelligence? - ANSWER-Know your audience
How can intelligence gaps for an intrusion be spotted by combining CKC and DM? - ANSWER-To describe an intrusion, fill in as many vertices of the DM as possible for each stage on the CKC. Any gaps represent intelligence gaps to be further investigated.
What is a web bug? - ANSWER-A link in an email that will cause an image or some other HTTP activity to occur when the user views the message.
What are the 2 passive courses of action? - ANSWER-Discover
Detect
Which type of host forensics can establish an entire phase 7 timeline? - ANSWER-Disk forensics
What is an active measure? - ANSWER-A semi-covert or covert intelligence operation to shape an adversary's decisions
Countermeasures mapping to ? reduce ? to actualise ? - ANSWER-Countermeasures mapping to capabilities reduce opportunity to actualise intent
An analyst is working with a graphical representation that shows tracking of when adversaries interact with the firm and how frequent their activity is. What tool is he using? - ANSWER-Campaign Heatmap
Which mistake creates ambiguity in a report which may lead to incorrect conclusions? - ANSWER-Combining observations and interpretations
How should an indicator that is an RFC1918 address sourced from an external intel feed be handled? - ANSWER-Discard it
Using the Indicator Lifecycle, an indicator had been vetted and deemed appropriate for additional courses of action (COA). The Disrupt CoA was chosen as the indicator's mitigation action. What additional CoA should also be assigned to it?
Deceive
Detect
Degrade
Discover - ANSWER-Detect