Visit here for our full Cisco 200-201 exam dumps and practice test questions.
Question 141
A security analyst is reviewing logs and notices multiple failed login attempts from a single IP address targeting various user accounts. The attempts occur at regular intervals with different usernames but the same password. What type of attack is this?
A) Brute force attack
B) Password spraying attack
C) Credential stuffing attack
D) Rainbow table attack
Answer: B
Explanation:
The correct answer is B) Password spraying attack. Password spraying is an attack technique where attackers attempt to access multiple accounts using a single common password before moving to the next password. This approach differs from traditional brute force attacks that target one account with many passwords. The regular intervals and pattern of different usernames with the same password are characteristic of password spraying.
Attackers use password spraying to avoid account lockout mechanisms. By trying one password across many accounts rather than many passwords against one account, they stay below lockout thresholds. Common passwords like “Password123” or “Company2024” are typically used since many users choose weak, predictable passwords.
Security analysts can detect password spraying by correlating failed authentication events across multiple accounts from single source IPs. SIEM rules should alert on patterns showing single passwords attempted against multiple accounts within short timeframes. Defense measures include implementing multi-factor authentication, enforcing strong password policies, and monitoring for distributed authentication failures.
Option A) is incorrect because brute force attacks target single accounts with multiple password attempts. Option C) is incorrect because credential stuffing uses previously breached username-password pairs, not single passwords across accounts. Option D) is incorrect because rainbow table attacks involve precomputed hash lookups for password cracking, not live authentication attempts.
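The correlation described above, as an added example that is not part of this question set: a small Python detector over constructed failed-login records that separates a spraying pattern (one source IP, many accounts) from a brute-force pattern (one source IP, one account). The log format, addresses, usernames, window length and thresholds are all assumptions, not values from the page.

```python
# Added example (not part of the original question set): correlating failed
# authentication events per source IP to separate password spraying (one IP,
# many accounts) from classic brute force (one IP, one account). The log
# format and every address, user and timestamp below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <source_ip> <username> <result>"
SAMPLE_LOG = """\
2024-05-01T02:00:00 203.0.113.10 alice FAIL
2024-05-01T02:00:30 203.0.113.10 bob FAIL
2024-05-01T02:01:00 203.0.113.10 carol FAIL
2024-05-01T02:01:30 203.0.113.10 dave FAIL
2024-05-01T02:02:00 203.0.113.10 erin FAIL
2024-05-01T02:02:30 203.0.113.10 frank FAIL
2024-05-01T02:03:00 203.0.113.10 grace SUCCESS
2024-05-01T02:00:05 198.51.100.7 alice FAIL
2024-05-01T02:00:09 198.51.100.7 alice FAIL
2024-05-01T02:00:14 198.51.100.7 alice FAIL
2024-05-01T02:00:20 198.51.100.7 alice FAIL
2024-05-01T02:00:27 198.51.100.7 alice FAIL
2024-05-01T09:15:00 192.0.2.44 alice FAIL
"""


def parse_events(text):
    """Turn the constructed log text into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def _windowed(items, window):
    """Yield (start, end) index pairs of a sliding time window over sorted
    items whose first element is a timestamp."""
    start = 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        yield start, end


def detect_spraying(events, window=timedelta(minutes=10), min_users=5):
    """Password spraying: one source IP failing against many distinct accounts
    inside a short window. Returns {ip: sorted list of targeted usernames}."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    findings = {}
    for ip, fails in by_ip.items():
        fails.sort()
        best = set()
        for start, end in _windowed(fails, window):
            users = {u for _, u in fails[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            findings[ip] = sorted(best)
    return findings


def detect_brute_force(events, window=timedelta(minutes=10), min_attempts=5):
    """Classic brute force: one source IP failing repeatedly against a single
    account. Returns {(ip, user): most failures seen inside one window}."""
    by_pair = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            by_pair[(ip, user)].append((ts,))
    findings = {}
    for pair, fails in by_pair.items():
        fails.sort()
        best = 0
        for start, end in _windowed(fails, window):
            best = max(best, end - start + 1)
        if best >= min_attempts:
            findings[pair] = best
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("spraying:", detect_spraying(evs))
    print("brute force:", detect_brute_force(evs))
```

The thresholds need tuning against the environment's own baseline: a shared NAT address, a VPN concentrator or a jump host can legitimately fail against many accounts, so the source IP should be enriched (asset owner, NAT logs, geolocation) before the alert is acted on.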
Question 142
A SOC analyst discovers that an attacker has gained access to a system and is using it to scan other internal systems. According to the Cyber Kill Chain, which phase does this activity represent?
A) Reconnaissance
B) Delivery
C) Command and Control
D) Actions on Objectives
Answer: D
Explanation:
The correct answer is D) Actions on Objectives. In the Cyber Kill Chain framework, Actions on Objectives represents the final phase where attackers achieve their goals after gaining access. Internal network scanning from a compromised system indicates the attacker is actively working toward objectives—potentially identifying additional targets, sensitive data, or critical systems for further compromise.
The Cyber Kill Chain includes seven phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives. Internal scanning represents post-compromise activity where the attacker leverages their foothold to expand access or locate valuable assets. This lateral movement preparation falls under Actions on Objectives because the attacker is executing their mission.
Security teams detecting this activity should immediately isolate the compromised system, analyze network traffic for scan patterns, and identify potentially affected systems. The attacker has progressed through earlier kill chain phases and now operates within the network. Incident response should focus on containment and determining the attack’s full scope.
Option A) is incorrect because reconnaissance occurs before initial access when attackers gather external information. Option B) is incorrect because delivery involves transmitting weaponized payloads to targets. Option C) is incorrect because command and control establishes communication channels with compromised systems but doesn’t describe the scanning activity itself.
Question 143
A security analyst is analyzing a packet capture and notices that a host is sending DNS queries to an external server for unusually long subdomain names containing encoded data. What technique is likely being used?
A) DNS amplification attack
B) DNS tunneling for data exfiltration
C) DNS cache poisoning
D) DNS zone transfer attack
Answer: B
Explanation:
The correct answer is B) DNS tunneling for data exfiltration. DNS tunneling encodes data within DNS queries and responses, allowing attackers to bypass firewalls and exfiltrate data through permitted DNS traffic. Unusually long subdomain names containing encoded strings are characteristic indicators of DNS tunneling. Attackers embed stolen data in DNS queries sent to attacker-controlled authoritative servers.
DNS tunneling exploits the fact that most organizations allow outbound DNS traffic. Attackers encode sensitive data (documents, credentials, database contents) into subdomain queries like “aGVsbG8gd29ybGQ.malicious-domain.com” where the subdomain contains base64-encoded payload. The attacker’s DNS server receives these queries and extracts the encoded data.
Detection involves monitoring for anomalous DNS patterns: excessive query volumes, unusually long domain names, high entropy in subdomain strings, and queries to newly registered or suspicious domains. Security tools should analyze DNS traffic for statistical anomalies indicating tunneling activity. Network security monitoring and DNS-specific security solutions help identify this exfiltration technique.
Option A) is incorrect because DNS amplification attacks exploit DNS servers to flood victims with large responses, not encode data in queries. Option C) is incorrect because DNS cache poisoning corrupts DNS resolver caches with false records. Option D) is incorrect because DNS zone transfer attacks attempt to obtain complete DNS zone data from misconfigured servers.
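The detection heuristics described above, as an added example that is not part of this question set: Python that scores each query name for long labels, long subdomain payloads and high character entropy, then groups hits per zone. The query names, the zone names and the thresholds are constructed assumptions, not values from the page.

```python
# Added example (not part of the original question set): scoring DNS query
# names for tunneling indicators (long labels, long subdomain payloads, high
# character entropy) and grouping hits per zone. The query names and zones
# below are constructed; thresholds are illustrative assumptions.
import math
from collections import Counter, defaultdict

# Constructed sample queries. The four long labels are made-up base32-style
# payload chunks addressed to a zone an attacker would control.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "api.example.org",
    "update.vendor-example.net",
    "nbswy3dpeb3w64tmmqqhg3dfnvxgs3djnzqwy3dtmfzxiidpmy2q.exfil-example.net",
    "krugkidrovuwg2zamjzg653oebjbfxqrkfvxqrmcibwg6yltnvsa.exfil-example.net",
    "onqwsirpmzsw45dsmvzcgmrvha4dfqzcgizdinrvmf4hi2lnmvzq.exfil-example.net",
    "me3wc4dqebwwk43tmfts4ylomqqgc3ttn5zg4zlsebqxizlxnfqq.exfil-example.net",
]


def shannon_entropy(text):
    """Bits of entropy per character; 0.0 for a single repeated character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_query(qname, zone_labels=2):
    """Split a query name into (registrable zone, subdomain labels).
    Assumes the zone is the last two labels; a real deployment would use a
    public-suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-zone_labels:]), labels[:-zone_labels]


def score_query(qname, max_label=40, max_sub_len=60, entropy_threshold=3.8):
    """Return (zone, reasons). An empty reasons list means nothing suspicious."""
    zone, sub = split_query(qname)
    payload = "".join(sub)
    reasons = []
    if sub and max(len(label) for label in sub) > max_label:
        reasons.append("long_label")
    if len(payload) > max_sub_len:
        reasons.append("long_subdomain")
    # Entropy on very short strings is noisy, so only score longer payloads.
    if len(payload) >= 16 and shannon_entropy(payload) > entropy_threshold:
        reasons.append("high_entropy")
    return zone, reasons


def find_tunneling(queries, min_suspicious=3):
    """Group suspicious queries by zone; a zone with several hits is a far
    stronger signal than one odd-looking name."""
    by_zone = defaultdict(list)
    for q in queries:
        zone, reasons = score_query(q)
        if reasons:
            by_zone[zone].append((q, reasons))
    return {z: hits for z, hits in by_zone.items() if len(hits) >= min_suspicious}


if __name__ == "__main__":
    for zone, hits in find_tunneling(SAMPLE_QUERIES).items():
        print(zone, len(hits), "suspicious queries")
        for q, reasons in hits:
            print("  ", q, reasons)
```

Single hits are weak evidence: CDN, anti-spam and certificate-transparency lookups also produce long, random-looking labels, so the per-zone count and the query volume over time are what make the signal actionable.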
Question 144
An organization’s SIEM generates an alert indicating potential data exfiltration based on unusually large outbound data transfers during non-business hours. What is the appropriate first response action?
A) Immediately block all outbound traffic from the organization
B) Delete the alert as a false positive
C) Investigate the alert by analyzing the source, destination, and data involved
D) Reboot the affected systems to stop the transfer
Answer: C
Explanation:
The correct answer is C) Investigate the alert by analyzing the source, destination, and data involved. Proper incident response requires investigation before taking disruptive actions. Analysts must determine whether the alert represents actual malicious activity or legitimate business operations like scheduled backups, software updates, or authorized after-hours work. Hasty responses without investigation can disrupt legitimate operations.
Investigation involves examining multiple data sources: identifying the source system and user account, determining the destination IP address and geographic location, analyzing the type and sensitivity of transferred data, and correlating with other security events. Network flow data, endpoint logs, and user activity records provide context for determining alert validity.
Analysts should check whether the activity matches known patterns—scheduled jobs, authorized remote access, or cloud synchronization. If investigation confirms malicious exfiltration, appropriate containment measures follow. Documentation throughout the investigation supports incident response procedures and potential legal requirements.
Option A) is incorrect because blocking all outbound traffic causes massive business disruption without confirming malicious activity. Option B) is incorrect because dismissing alerts without investigation risks missing actual security incidents. Option D) is incorrect because rebooting systems destroys forensic evidence and may not stop sophisticated attackers who maintain persistence.
Question 145
A security analyst is reviewing firewall logs and observes repeated connection attempts from an internal host to multiple external IP addresses on port 4444. What does this activity most likely indicate?
A) Normal web browsing activity
B) Potential malware attempting to establish command and control connections
C) Legitimate file transfer operations
D) Standard email communications
Answer: B
Explanation:
The correct answer is B) Potential malware attempting to establish command and control connections. Port 4444 is commonly associated with malware command and control (C2) communications, particularly Metasploit’s default listener port. Repeated connection attempts to multiple external IPs suggest malware attempting to reach C2 servers, possibly trying different addresses if primary servers are unavailable.
Malware often uses non-standard ports for C2 to avoid detection. Port 4444 is well-known in penetration testing tools and subsequently adopted by real-world malware. Multiple destination attempts indicate the malware may have a list of fallback C2 servers or is using domain generation algorithms (DGAs) resolving to different IPs.
Analysts should immediately investigate the internal host for compromise indicators. Actions include isolating the system, capturing memory for analysis, examining running processes, and reviewing recent file modifications. Network traffic analysis reveals communication patterns and potential data exfiltration. The investigation should determine infection vector and check other systems for similar indicators.
Option A) is incorrect because web browsing uses ports 80 (HTTP) and 443 (HTTPS), not 4444. Option C) is incorrect because standard file transfers use ports like 20/21 (FTP), 22 (SFTP), or 445 (SMB). Option D) is incorrect because email uses ports 25 (SMTP), 110 (POP3), 143 (IMAP), or their secure variants.
Question 146
A SOC team is implementing a threat intelligence program. Which type of threat intelligence provides information about specific indicators like malicious IP addresses, file hashes, and domain names?
A) Strategic threat intelligence
B) Tactical threat intelligence
C) Operational threat intelligence
D) Technical threat intelligence
Answer: D
Explanation:
The correct answer is D) Technical threat intelligence. Technical threat intelligence consists of specific, machine-readable indicators of compromise (IOCs) including malicious IP addresses, file hashes, domain names, URLs, email addresses, and registry keys. This intelligence type enables automated detection and blocking through security tools like firewalls, intrusion detection systems, and endpoint protection platforms.
Technical intelligence has the shortest lifespan among intelligence types because attackers frequently change infrastructure. IP addresses and domains may only be active for hours or days. Despite this limitation, technical intelligence provides immediate, actionable data for security operations. SIEM systems ingest technical intelligence feeds to generate alerts when IOCs appear in network traffic or logs.
SOC teams use technical intelligence for real-time threat detection and incident investigation. During investigations, analysts compare observed artifacts against threat intelligence databases to identify known malicious indicators. Automated enrichment tools query multiple intelligence sources simultaneously.
Option A) is incorrect because strategic intelligence provides high-level information about threat trends and attacker motivations for executive decision-making. Option B) is incorrect because tactical intelligence describes attacker techniques, tactics, and procedures (TTPs) used for improving defenses. Option C) is incorrect because operational intelligence provides details about specific attacks or campaigns including timing and targeting.
Question 147
During incident response, a security analyst needs to collect volatile evidence from a potentially compromised Windows system. Which evidence should be collected first according to the order of volatility?
A) Hard drive image
B) System memory (RAM)
C) Network connection logs
D) Windows Event Logs
Answer: B
Explanation:
The correct answer is B) System memory (RAM). The order of volatility principle dictates collecting the most volatile evidence first because it disappears fastest. RAM contents are lost immediately upon system shutdown or reboot. Memory contains critical forensic artifacts including running processes, network connections, encryption keys, malware code, and user activities not written to disk.
Memory forensics reveals evidence that disk analysis cannot capture. Fileless malware operates entirely in memory without touching disk. Attackers may use encrypted communications where keys exist only in RAM. Process injection techniques hide malicious code within legitimate processes visible only through memory analysis.
Forensic analysts use tools like WinPMEM, FTK Imager, or Magnet RAM Capture to acquire memory images before any other collection activities. The acquisition process should minimize system changes. After memory capture, analysts proceed to less volatile evidence following the hierarchy: running processes, network connections, disk contents, and finally backup media.
Option A) is incorrect because hard drive contents are non-volatile and persist after shutdown, making them lower priority than RAM. Option C) is incorrect because while network connections are volatile, active memory is more volatile and contains broader evidence. Option D) is incorrect because Event Logs are stored on disk and remain available after system changes.
Question 148
A security analyst discovers that an attacker used a legitimate system administration tool to move laterally within the network. This technique of using trusted tools for malicious purposes is known as:
A) Zero-day exploitation
B) Living off the land (LOTL)
C) SQL injection
D) Cross-site scripting
Answer: B
Explanation:
The correct answer is B) Living off the land (LOTL). Living off the land describes attack techniques using legitimate, pre-installed tools and features for malicious purposes. Attackers leverage trusted system utilities like PowerShell, WMI, PsExec, or certutil rather than introducing custom malware. This approach evades detection because security tools may not flag activity from trusted applications.
LOTL techniques are increasingly common in sophisticated attacks. Tools like PowerShell provide powerful capabilities for reconnaissance, lateral movement, and data exfiltration. Since these tools are legitimate and often necessary for administration, simply blocking them isn’t practical. Attackers exploit this trust to blend malicious activity with normal operations.
Detection requires behavioral analysis rather than signature-based detection. Security teams must establish baselines for normal tool usage and alert on anomalies. Questions include: Is PowerShell normally used on this system? Is this user typically running administrative tools? Are commands consistent with legitimate tasks? Endpoint detection and response (EDR) solutions monitor for suspicious tool usage patterns.
Option A) is incorrect because zero-day exploitation involves using previously unknown vulnerabilities, not legitimate tools. Option C) is incorrect because SQL injection attacks database applications through malicious queries. Option D) is incorrect because cross-site scripting injects malicious scripts into web applications viewed by other users.
Question 149
An organization experiences a ransomware attack that encrypts critical business data. The security team has isolated affected systems. What should be the next priority action?
A) Pay the ransom immediately to recover data
B) Determine the ransomware variant and assess recovery options including backups
C) Format all systems and reinstall operating systems
D) Publicly announce the breach immediately
Answer: B
Explanation:
The correct answer is B) Determine the ransomware variant and assess recovery options including backups. After containment, incident response requires understanding the specific threat and available recovery paths. Identifying the ransomware variant through ransom notes, encrypted file extensions, or malware analysis helps determine whether decryption tools exist and guides recovery strategy.
Recovery assessment includes evaluating backup availability and integrity. Questions include: When was the last backup? Were backups affected by the ransomware? Are backups stored offline or air-gapped? Testing backup restoration on isolated systems confirms data recoverability before committing to full recovery procedures.
Some ransomware variants have known decryption tools released by security researchers or law enforcement. Resources like No More Ransom (nomoreransom.org) provide free decryptors for many variants. Identifying the specific ransomware enables checking for available decryption solutions before considering other options.
Option A) is incorrect because paying ransom is generally discouraged—it funds criminal operations, doesn’t guarantee decryption, and may violate regulations. Option C) is incorrect because formatting destroys forensic evidence needed for investigation and doesn’t address whether clean backups exist. Option D) is incorrect because public announcements follow specific timelines based on regulatory requirements and should occur after understanding the incident scope.
Question 150
A security analyst is reviewing network traffic and notices a host communicating with an IP address that resolves to a domain registered yesterday. What security concern does this indicate?
A) Normal business communication
B) Potential communication with malicious infrastructure using newly registered domain
C) DNS misconfiguration
D) Load balancing activity
Answer: B
Explanation:
The correct answer is B) Potential communication with malicious infrastructure using newly registered domain. Newly registered domains (NRDs) are commonly associated with malicious activity. Attackers frequently register domains shortly before launching campaigns for phishing, malware distribution, or command and control. Legitimate businesses rarely communicate with domains created within the past 24-48 hours.
Domain age analysis is an effective threat detection technique. Most legitimate websites have existed for extended periods. Newly registered domains lack reputation history and haven’t been categorized by security services. Attackers exploit this gap between domain creation and security service detection.
Security tools can flag communications with NRDs for analyst review. Threat intelligence feeds include domain registration data enabling age-based filtering. Organizations may implement policies blocking or alerting on traffic to domains younger than specific thresholds (24 hours, 7 days, 30 days depending on risk tolerance).
Investigation should examine the communication context: What application initiated the connection? What data was transferred? Does the domain name appear suspicious (random characters, typosquatting)? Correlation with other indicators helps determine whether activity is malicious.
Option A) is incorrect because legitimate business partners typically have established domain histories. Option C) is incorrect because DNS misconfiguration wouldn’t specifically involve newly registered domains. Option D) is incorrect because load balancing uses established infrastructure, not newly created domains.
Question 151
A security analyst is investigating a phishing email that contains a malicious attachment. The analyst needs to safely analyze the attachment without risking the production environment. What is the recommended approach?
A) Open the attachment on a production workstation with antivirus enabled
B) Analyze the attachment in an isolated sandbox environment
C) Forward the email to all employees as a warning
D) Delete the email without analysis
Answer: B
Explanation:
The correct answer is B) Analyze the attachment in an isolated sandbox environment. Sandbox environments provide safe, isolated spaces for executing and analyzing potentially malicious files. Sandboxes monitor file behavior including process creation, file system changes, network connections, and registry modifications without risking production systems. This dynamic analysis reveals malware capabilities that static analysis might miss.
Sandbox analysis captures malware behavior including C2 communications, dropped files, persistence mechanisms, and exploitation attempts. Automated sandboxes like Cuckoo, Any.Run, or commercial solutions provide detailed reports on observed behaviors. Network isolation prevents malware from reaching actual targets or exfiltrating data.
Analysts should also perform static analysis examining file properties, embedded strings, and code structure before or alongside dynamic analysis. Hash values enable checking against threat intelligence databases. Combining static and dynamic analysis provides comprehensive understanding of malicious attachments.
Option A) is incorrect because opening malicious files on production systems risks infection regardless of antivirus presence—new malware may evade detection. Option C) is incorrect because forwarding malicious emails spreads the threat and creates additional exposure. Option D) is incorrect because deleting without analysis prevents understanding the threat, identifying affected users, and improving defenses.
Question 152
An organization’s IDS generates alerts for potential SQL injection attempts against a web application. Upon investigation, the analyst finds the source IP belongs to a legitimate vulnerability scanner authorized by the security team. How should this situation be handled?
A) Disable the IDS to prevent future false positives
B) Block the scanner’s IP address permanently
C) Document the activity and create an exception or whitelist for authorized scanning
D) Ignore all SQL injection alerts going forward
Answer: C
Explanation:
The correct answer is C) Document the activity and create an exception or whitelist for authorized scanning. Authorized security scanning generates alerts identical to actual attacks because scanners probe for the same vulnerabilities attackers exploit. Proper handling involves documenting authorized scanning activities and configuring appropriate exceptions to reduce false positives while maintaining detection capability.
Organizations should maintain documentation of authorized scanning including IP addresses, schedules, and scope. This documentation enables rapid verification when alerts occur. IDS/IPS systems can be configured with whitelist rules suppressing alerts from known scanner IPs during authorized windows while preserving full alerting capability otherwise.
Coordination between security teams ensures scanning activities are communicated in advance. Change management processes should include security tool adjustments for planned assessments. Post-scan reviews confirm that only expected alerts occurred and no actual attacks coincided with authorized testing.
Option A) is incorrect because disabling IDS eliminates protection against real attacks to avoid manageable false positives. Option B) is incorrect because blocking authorized scanners prevents legitimate security assessments. Option D) is incorrect because ignoring all SQL injection alerts eliminates detection of real attacks exploiting a common vulnerability class.
Question 153
A security analyst observes that an endpoint is making HTTP requests to an external server at regular 60-second intervals, each request containing small amounts of encoded data. What technique might this represent?
A) Normal software update checking
B) Beaconing behavior indicating potential malware C2 communication
C) Standard web browsing
D) Email synchronization
Answer: B
Explanation:
The correct answer is B) Beaconing behavior indicating potential malware C2 communication. Beaconing describes regular, periodic communication between compromised systems and command and control servers. Consistent intervals (like exactly 60 seconds), encoded data payloads, and persistent patterns are characteristic indicators. Malware beacons to receive commands and exfiltrate data in small chunks.
Beaconing detection focuses on identifying regular communication patterns. While some legitimate applications communicate periodically, malware beaconing often exhibits precise timing, unusual destinations, and encoded or encrypted payloads. Statistical analysis of connection intervals reveals beaconing patterns—legitimate traffic typically shows more variation.
Security analysts should investigate beaconing indicators by examining the destination server reputation, payload content, associated processes, and historical patterns. Network security monitoring tools can detect beaconing through frequency analysis. Investigation determines whether activity represents malware communication or legitimate application behavior.
Option A) is incorrect because software update checks typically occur less frequently and connect to known, reputable servers. Option C) is incorrect because web browsing generates irregular patterns based on user activity, not precise intervals. Option D) is incorrect because email synchronization intervals vary and connect to known mail servers, not arbitrary external hosts.
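The interval analysis described above, as an added example that is not part of this question set: Python that computes the coefficient of variation of the gaps between connections for each source/destination pair in a constructed connection log, and flags pairs whose spacing is nearly constant. The addresses, timestamps and thresholds are assumptions, not values from the page.

```python
# Added example (not part of the original question set): flagging beaconing
# by the regularity of connection intervals per (source, destination) pair.
# A low coefficient of variation (std / mean) means near-constant spacing.
# Timestamps and addresses below are constructed; times are epoch seconds.
import statistics
from collections import defaultdict

# Constructed connection log: (epoch_seconds, src_ip, dst_ip)
SAMPLE_CONNECTIONS = (
    # Host 10.0.0.5 reaching one external server every ~60 s (beacon-like)
    [(t, "10.0.0.5", "203.0.113.77")
     for t in (0, 61, 120, 180, 241, 300, 359, 420, 480, 541)]
    # Host 10.0.0.9 browsing: bursty, user-driven timing
    + [(t, "10.0.0.9", "198.51.100.20")
       for t in (0, 5, 7, 90, 95, 400, 402, 403, 900, 1500)]
)


def interval_stats(timestamps):
    """Mean, sample standard deviation and coefficient of variation of the
    gaps between consecutive timestamps (sorted first). None if too few."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    std = statistics.stdev(gaps)
    cv = std / mean if mean else float("inf")
    return {"count": len(ts), "mean_gap": mean, "std_gap": std, "cv": cv}


def detect_beacons(connections, min_connections=8, max_cv=0.1):
    """Return {(src, dst): stats} for pairs whose spacing is suspiciously even."""
    by_pair = defaultdict(list)
    for t, src, dst in connections:
        by_pair[(src, dst)].append(t)
    hits = {}
    for pair, ts in by_pair.items():
        stats = interval_stats(ts)
        if stats and stats["count"] >= min_connections and stats["cv"] <= max_cv:
            hits[pair] = stats
    return hits


if __name__ == "__main__":
    for pair, stats in detect_beacons(SAMPLE_CONNECTIONS).items():
        print(pair, "mean gap %.1fs, cv %.3f" % (stats["mean_gap"], stats["cv"]))
```

Real beacons often add jitter, so in practice the CV threshold is raised and the score is combined with destination reputation, payload size and the initiating process; legitimate agents (NTP, monitoring, update checkers) also run on fixed timers and belong on an allow list rather than in the alert queue.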
Question 154
During a security investigation, an analyst needs to verify the integrity of a collected evidence file. Which cryptographic function should be used?
A) Symmetric encryption
B) Asymmetric encryption
C) Hash function (MD5, SHA-256)
D) Digital certificate
Answer: C
Explanation:
The correct answer is C) Hash function (MD5, SHA-256). Cryptographic hash functions create fixed-length fingerprints of data that are, for practical purposes, unique to the input. Any modification to the original file produces a completely different hash value. By comparing hash values before and after collection/storage, analysts verify that evidence hasn’t been altered, establishing integrity for legal and investigative purposes.
Hash functions are fundamental to the digital forensics chain of custody. Analysts calculate hashes immediately upon evidence collection, document the values, and recalculate them when accessing evidence to confirm integrity. SHA-256 is preferred for forensic work due to stronger collision resistance than MD5, though MD5 remains commonly used for quick verification.
Evidence integrity documentation includes file name, path, size, collection timestamp, collector identity, and hash values. This documentation demonstrates that evidence presented in legal proceedings matches originally collected data. Any hash mismatch indicates potential tampering or corruption requiring investigation.
Option A) is incorrect because symmetric encryption provides confidentiality by scrambling data, not integrity verification. Option B) is incorrect because asymmetric encryption also provides confidentiality and authentication, not integrity verification alone. Option D) is incorrect because digital certificates verify identity and enable encrypted communications but don’t directly verify file integrity.
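The hash-and-verify procedure described above, as an added example that is not part of this question set: Python that hashes an evidence file at collection time, records a custody entry with the fields listed in the explanation, and recomputes the digests later so that any alteration shows up as a mismatch. The evidence content and the collector name are constructed inside the demo function.

```python
# Added example (not part of the original question set): hashing an evidence
# file at collection time, recording a custody entry, and re-verifying later.
# The evidence file and collector name are constructed inside the demo.
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Stream the file once and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def record_evidence(path, collector):
    """Custody entry taken at collection time: identity, size, timestamp, hashes."""
    return {
        "file_name": os.path.basename(path),
        "path": os.path.abspath(path),
        "size": os.path.getsize(path),
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "hashes": hash_file(path),
    }


def verify_evidence(record):
    """Recompute every recorded digest; any mismatch means altered or corrupt."""
    current = hash_file(record["path"], algorithms=tuple(record["hashes"]))
    mismatched = [a for a, d in record["hashes"].items() if current[a] != d]
    size_ok = os.path.getsize(record["path"]) == record["size"]
    return {"ok": not mismatched and size_ok,
            "mismatched": mismatched, "current": current}


def demo_round_trip():
    """Collect a constructed evidence file, verify it, alter it, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "evidence.bin")
        with open(path, "wb") as fh:
            fh.write(b"hello")          # constructed evidence content
        record = record_evidence(path, collector="analyst-placeholder")
        before = verify_evidence(record)
        with open(path, "ab") as fh:
            fh.write(b"!")              # simulate post-collection alteration
        after = verify_evidence(record)
        return {"hashes": record["hashes"], "ok_before": before["ok"],
                "ok_after": after["ok"], "mismatched_after": after["mismatched"]}


if __name__ == "__main__":
    print(demo_round_trip())
```

Recording more than one digest costs nothing extra (the file is read once) and lets an MD5 value in an older custody form be checked alongside the SHA-256 value that carries the actual integrity guarantee.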
Question 155
An organization implements network segmentation as a security control. Which primary security benefit does network segmentation provide?
A) Eliminates all malware from the network
B) Limits lateral movement and contains potential breaches to specific network segments
C) Provides unlimited bandwidth to all users
D) Removes the need for firewalls
Answer: B
Explanation:
The correct answer is B) Limits lateral movement and contains potential breaches to specific network segments. Network segmentation divides networks into isolated segments with controlled access between them. If attackers compromise one segment, segmentation barriers impede movement to other segments containing different systems or data. This containment limits breach impact and provides time for detection and response.
Segmentation follows defense-in-depth principles, creating multiple security boundaries. Critical assets like databases, financial systems, and executive workstations can be isolated in protected segments with strict access controls. Even if perimeter defenses fail, segmentation provides additional protection layers.
Effective segmentation requires understanding data flows and implementing appropriate access controls between segments. Firewalls, VLANs, and access control lists enforce segmentation policies. Monitoring inter-segment traffic helps detect unauthorized lateral movement attempts. Zero trust architectures extend segmentation principles by verifying all access requests regardless of network location.
Option A) is incorrect because segmentation contains threats but doesn’t eliminate malware—malware can still enter and operate within segments. Option C) is incorrect because segmentation addresses security, not bandwidth allocation. Option D) is incorrect because segmentation requires firewalls or similar controls to enforce boundaries between segments.
Question 156
A security analyst is reviewing access logs and notices that a user account accessed sensitive files at 3:00 AM local time, which is unusual for this user. The user claims they were asleep at that time. What type of indicator is this?
A) Indicator of Compromise (IOC)
B) Indicator of Attack (IOA)
C) User Behavior Analytics (UBA) anomaly
D) False positive alert
Answer: C
Explanation:
The correct answer is C) User Behavior Analytics (UBA) anomaly. User Behavior Analytics establishes baseline patterns of normal user activity and detects deviations indicating potential compromise or insider threats. Access occurring outside typical hours when the legitimate user denies activity represents a behavioral anomaly warranting investigation—the account may be compromised.
UBA systems analyze multiple behavioral dimensions: login times, accessed resources, data volumes, geographic locations, and device characteristics. Machine learning algorithms identify activities deviating from established patterns. Anomalies don’t automatically indicate malicious activity but prioritize events for analyst investigation.
Investigation should examine authentication details: source IP address, device fingerprint, authentication method, and session characteristics. Comparing with the user’s typical patterns reveals whether activity matches their normal behavior. Compromised credentials, session hijacking, or insider threats are possible explanations requiring different responses.
Option A) is incorrect because IOCs are specific technical artifacts like malicious IPs or file hashes, not behavioral patterns. Option B) is incorrect because IOAs describe attack techniques and patterns, not individual user behavioral deviations. Option D) is incorrect because dismissing the alert as false positive without investigation risks missing account compromise.
Question 157
A SOC analyst is investigating a potential security incident. During analysis, the analyst discovers that the attacker modified system logs to hide their activities. What anti-forensic technique was used?
A) Steganography
B) Log tampering/manipulation
C) Encryption
D) Data compression
Answer: B
Explanation:
The correct answer is B) Log tampering/manipulation. Log tampering involves modifying, deleting, or corrupting log files to remove evidence of malicious activity. Attackers with sufficient privileges can edit logs to hide login events, command execution, file access, and network connections. This anti-forensic technique complicates incident investigation by eliminating or falsifying evidence.
Sophisticated attackers prioritize covering their tracks. Techniques include deleting specific log entries, modifying timestamps, clearing entire log files, or disabling logging services. Some malware includes log-cleaning functionality that automatically removes evidence of its activities.
Organizations counter log tampering through centralized log collection, sending logs to secured SIEM systems that attackers cannot easily access. Log integrity monitoring detects unauthorized modifications. Write-once storage prevents log alteration. Comparing logs from multiple sources can reveal discrepancies indicating tampering.
Option A) is incorrect because steganography hides data within other files (images, audio) rather than manipulating system logs. Option C) is incorrect because encryption protects data confidentiality but doesn’t specifically describe log modification activities. Option D) is incorrect because data compression reduces file sizes but isn’t an anti-forensic technique targeting evidence removal.
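The two controls named above, chaining records at the collector so that any later edit or deletion is detectable and cross-checking one log source against another, as an added example in Python (not part of the original page). The log lines, firewall records and key are constructed for the demonstration; the HMAC key is assumed to exist only on the collector, which is what stops an attacker with root on the monitored host from re-sealing a doctored chain.

```python
import hashlib
import hmac
import re
from datetime import datetime

# Assumption (not from the page): the HMAC key lives only on the central log
# collector, so an attacker who owns the monitored host cannot re-seal records.
COLLECTOR_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = b"\x00" * 32

# Constructed auth log as received by the collector, in arrival order.
SAMPLE_LOG = [
    "Jan 10 09:01:02 web01 sshd[1201]: Accepted publickey for deploy from 10.0.0.5 port 51522",
    "Jan 10 09:03:44 web01 sshd[1233]: Accepted password for root from 203.0.113.7 port 40211",
    "Jan 10 09:04:10 web01 sudo:     root : COMMAND=/bin/rm -f /var/log/auth.log",
    "Jan 10 09:05:00 web01 sshd[1260]: Accepted publickey for deploy from 10.0.0.5 port 51530",
]

# Constructed perimeter firewall records of TCP/22 connections to web01: (syslog time, source IP).
FW_SSH_SESSIONS = [
    ("Jan 10 09:01:01", "10.0.0.5"),
    ("Jan 10 09:03:43", "203.0.113.7"),
    ("Jan 10 09:04:59", "10.0.0.5"),
]


def _tag(seq, msg, prev_tag):
    data = f"{seq}|{msg}|".encode() + prev_tag
    return hmac.new(COLLECTOR_KEY, data, hashlib.sha256).digest()


def seal(lines):
    """Collector side: chain each line to its predecessor so that edits, deletions
    and reordering all break the chain. Returns a list of {seq, msg, tag} records."""
    chain, prev = [], GENESIS
    for seq, msg in enumerate(lines):
        tag = _tag(seq, msg, prev)
        chain.append({"seq": seq, "msg": msg, "tag": tag.hex()})
        prev = tag
    return chain


def verify(chain):
    """Return (True, None) if the chain is intact, else (False, seq_of_first_bad_record)."""
    prev = GENESIS
    for expected_seq, rec in enumerate(chain):
        if rec["seq"] != expected_seq:
            return False, expected_seq          # gap or reorder: a record was removed or moved
        tag = _tag(rec["seq"], rec["msg"], prev)
        if not hmac.compare_digest(tag, bytes.fromhex(rec["tag"])):
            return False, expected_seq          # content changed, or re-sealed without the key
        prev = tag
    return True, None


def _ts(s):
    return datetime.strptime(s, "%b %d %H:%M:%S")


def unlogged_ssh_sessions(fw_sessions, host_lines, window_s=5):
    """Cross-source check: SSH sessions the firewall saw for which the host's
    own auth log has no sshd entry from the same source within window_s seconds."""
    host_auths = []
    for line in host_lines:
        m = re.match(r"(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: .* from (\d+\.\d+\.\d+\.\d+)", line)
        if m:
            host_auths.append((_ts(m.group(1)), m.group(2)))
    missing = []
    for ts, ip in fw_sessions:
        t = _ts(ts)
        if not any(h_ip == ip and 0 <= (h_t - t).total_seconds() <= window_s
                   for h_t, h_ip in host_auths):
            missing.append((ts, ip))
    return missing


if __name__ == "__main__":
    chain = seal(SAMPLE_LOG)
    print("archive intact:", verify(chain))
    print("two records deleted from the archive:", verify([chain[0], chain[3]]))
    wiped = [SAMPLE_LOG[0], SAMPLE_LOG[3]]   # attacker removed the root login and the rm command on the host
    print("sessions the firewall saw but the host log no longer shows:",
          unlogged_ssh_sessions(FW_SSH_SESSIONS, wiped))
```

A plain SHA-256 chain without the key would still catch accidental corruption, but an attacker with write access to the archive could delete a record and recompute every later hash; the keyed tag (or write-once media) is what makes the chain evidence rather than a checksum.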
Question 158
An organization wants to implement a security control that inspects encrypted HTTPS traffic for threats. Which technology enables this capability?
A) Standard firewall
B) SSL/TLS inspection (SSL decryption)
C) Basic packet filtering
D) Network address translation
Answer: B
Explanation:
The correct answer is B) SSL/TLS inspection (SSL decryption). SSL/TLS inspection enables a security device to decrypt, inspect, and re-encrypt HTTPS traffic. The device terminates the client's TLS session itself, presenting a certificate for the requested site that it issues on the fly and signs with an inspection CA the client has been configured to trust, while opening a separate TLS connection to the real destination server. Sitting in the middle of both sessions, it can examine the plaintext for malware, data exfiltration, and policy violations.
Without SSL inspection, encrypted traffic passes through security controls uninspected. Attackers exploit encryption to hide malicious payloads, C2 communications, and exfiltrated data. Because encrypted traffic now represents the majority of internet communications, inspection capability is essential for comprehensive security monitoring.
Implementation requires distributing the inspection CA certificate to endpoint trust stores so that clients accept the re-signed certificates; without it, every intercepted site produces a certificate warning. Applications that pin certificates fail under interception and need bypass rules. Privacy and compliance considerations also require careful planning: some traffic categories (banking, healthcare) may need to be exempted from decryption, a decision typically made from the server name in the ClientHello before any decryption takes place. The inspection device holds a CA private key trusted by every endpoint, so it must be protected as a high-value asset, and the cost of decrypting and re-encrypting every session requires appropriately sized hardware.
Option A) is incorrect because standard firewalls examine packet headers but cannot inspect encrypted payload content. Option C) is incorrect because basic packet filtering operates on IP addresses and ports without content inspection capability. Option D) is incorrect because NAT translates IP addresses but doesn’t provide content inspection of encrypted traffic.
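The bypass decision discussed above has to be made before anything is decrypted, so inspection devices read the Server Name Indication from the unencrypted ClientHello. As an added example (not from the page or any vendor's code), the following Python builds a minimal ClientHello, parses the SNI out of it, and applies a hypothetical exemption list; the suffixes in BYPASS_SUFFIXES, the cipher suites and the fixed random bytes are assumptions for the demo.

```python
import struct

# Constructed bypass policy (assumption, not from the page): name suffixes whose
# sessions are passed through undecrypted for privacy/compliance reasons.
BYPASS_SUFFIXES = (".bank.example", ".health.example")

SNI_EXT = 0x0000
SUPPORTED_VERSIONS_EXT = 0x002B


def build_client_hello(hostname, include_sni=True):
    """Construct a minimal TLS ClientHello record (test data only, fixed random)."""
    exts = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, 3) + b"\x02\x03\x04"  # unrelated extension to skip
    if include_sni:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
        sni_data = struct.pack("!H", len(entry)) + entry              # ServerNameList length prefix
        exts += struct.pack("!HH", SNI_EXT, len(sni_data)) + sni_data
    body = (
        b"\x03\x03"                                    # legacy_version (TLS 1.2)
        + b"\x11" * 32                                 # random (fixed for reproducibility)
        + b"\x00"                                      # session_id: empty
        + struct.pack("!H", 4) + b"\x13\x01\x13\x02"   # cipher_suites: two entries
        + b"\x01\x00"                                  # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's SNI extension, or None if the
    record is not a ClientHello, is truncated, or carries no SNI."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        return None
    pos = 2 + 32                                       # version + random
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                               # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                               # compression_methods
    if pos + 2 > len(body):
        return None                                    # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if ext_end > len(body):
        return None
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != SNI_EXT or len(data) < 2:
            continue
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= min(list_end, len(data)):
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            name = data[p:p + name_len]
            p += name_len
            if name_type == 0 and len(name) == name_len:
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
    return None


def inspection_decision(record):
    """Policy: bypass decryption only for names on the exemption list. Anything
    without a readable SNI is decrypted, because no category can be assigned."""
    sni = extract_sni(record)
    if sni is None:
        return "inspect"
    host = sni.lower().rstrip(".")
    for suffix in BYPASS_SUFFIXES:
        if host == suffix.lstrip(".") or host.endswith(suffix):
            return "bypass"
    return "inspect"
```

Encrypted Client Hello in TLS 1.3 moves the real server name into an encrypted inner ClientHello, so a deployment that keys its bypass list on SNI needs an explicit policy for hellos whose name it cannot read; the example defaults those to "inspect".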
Question 159
A security team discovers that attackers gained initial access through a phishing email, then used stolen credentials to access additional systems. According to the MITRE ATT&CK framework, moving between systems using valid credentials represents which tactic?
A) Initial Access
B) Lateral Movement
C) Persistence
D) Collection
Answer: B
Explanation:
The correct answer is B) Lateral Movement. In the MITRE ATT&CK framework, Lateral Movement describes techniques attackers use to move through networks after gaining initial access. Using valid credentials to access additional systems is a common lateral movement technique, enabling attackers to expand their foothold and reach valuable targets without triggering alerts that might occur from exploitation attempts.
ATT&CK documents lateral movement techniques including Remote Services (T1021, with sub-techniques for RDP, SMB/Windows Admin Shares, SSH, and others), Use Alternate Authentication Material (T1550, which covers Pass the Hash and Pass the Ticket), and Exploitation of Remote Services (T1210). Using stolen but valid credentials over these services makes detection difficult because each individual logon appears legitimate. Attackers often harvest credentials from each compromised system to facilitate further movement.
Detection focuses on identifying anomalous authentication patterns: logons from unusual source systems, at atypical times, to resources outside the account's normal job function, or one account authenticating to many systems in rapid succession. On Windows this means correlating Event ID 4624 logons (logon type 3 for network and 10 for RemoteInteractive sessions) across hosts, since the fan-out pattern is only visible when events from many systems are viewed together; any single system's log shows just one legitimate-looking logon.
Option A) is incorrect because Initial Access describes techniques for entering the network (like phishing), not movement within it. Option C) is incorrect because Persistence describes techniques for maintaining access across system restarts. Option D) is incorrect because Collection describes techniques for gathering data of interest to the attacker.
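The cross-host correlation described above, as an added Python example (not part of the original page). The logon events and the baseline are constructed, shaped like the fields a SIEM extracts from Windows Event ID 4624; the ten-minute window, the four-host threshold and the host names are assumptions of the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed successful-logon events (not from the page), using the fields a SIEM
# extracts from Event ID 4624: (time, account, source host, destination host, logon type).
EVENTS = [
    ("2024-01-10 08:55:10", "alice",      "WS-03", "FS-01",  3),
    ("2024-01-10 09:00:00", "svc_backup", "WS-17", "WS-17",  2),   # interactive logon, not remote
    ("2024-01-10 09:02:00", "svc_backup", "WS-17", "SRV-01", 3),
    ("2024-01-10 09:02:20", "svc_backup", "WS-17", "SRV-02", 3),
    ("2024-01-10 09:02:41", "svc_backup", "WS-17", "SRV-03", 3),
    ("2024-01-10 09:03:05", "svc_backup", "WS-17", "DC-01",  3),
    ("2024-01-10 09:03:30", "svc_backup", "WS-17", "SRV-04", 10),
    ("2024-01-10 09:10:00", "alice",      "WS-03", "FS-01",  3),
    ("2024-01-10 11:00:00", "bob",        "WS-08", "SRV-02", 3),
]

# Constructed baseline of destinations each account normally authenticates to.
BASELINE = {"alice": {"FS-01"}, "svc_backup": {"BACKUP-01"}, "bob": {"SRV-02"}}

REMOTE_LOGON_TYPES = {3, 10}   # 3 = network (SMB, WMI, admin shares), 10 = RemoteInteractive (RDP)


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def fan_out_alerts(events, window=timedelta(minutes=10), min_hosts=4):
    """Sliding window per (account, source host): alert the first time the account
    has authenticated to >= min_hosts distinct destinations within `window`."""
    recent = defaultdict(deque)            # (account, src) -> deque of (time, dst)
    alerts, alerted = [], set()
    for ts, user, src, dst, ltype in sorted(events, key=lambda e: e[0]):
        if ltype not in REMOTE_LOGON_TYPES:
            continue                       # local logons say nothing about movement
        t = _t(ts)
        q = recent[(user, src)]
        q.append((t, dst))
        while q and t - q[0][0] > window:
            q.popleft()                    # drop logons that have aged out of the window
        hosts = {d for _, d in q}
        if len(hosts) >= min_hosts and (user, src) not in alerted:
            alerted.add((user, src))
            alerts.append({"account": user, "source": src, "at": ts, "hosts": sorted(hosts)})
    return alerts


def new_destinations(events, baseline):
    """First-seen analysis: remote destinations an account has no history of using."""
    novel = defaultdict(set)
    for _ts, user, _src, dst, ltype in events:
        if ltype in REMOTE_LOGON_TYPES and dst not in baseline.get(user, set()):
            novel[user].add(dst)
    return {user: sorted(hosts) for user, hosts in novel.items()}


if __name__ == "__main__":
    for a in fan_out_alerts(EVENTS):
        print("fan-out:", a)
    print("never-before-seen destinations:", new_destinations(EVENTS, BASELINE))
```

Each svc_backup logon on its own is a normal type 3 network logon on one server; only the combined view shows a backup account reaching four servers and a domain controller in 65 seconds from a workstation it has no history with.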
Question 160
A security analyst identifies that a compromised system is communicating with external servers using DNS queries with encoded data in subdomain fields. The analyst needs to block this communication while maintaining legitimate DNS functionality. What is the most effective mitigation?
A) Block all DNS traffic completely
B) Implement DNS filtering and monitoring to detect and block anomalous DNS queries
C) Disable the DNS service on all endpoints
D) Allow all DNS traffic without inspection
Answer: B
Explanation:
The correct answer is B) Implement DNS filtering and monitoring to detect and block anomalous DNS queries. DNS filtering solutions inspect DNS traffic for indicators of tunneling and other malicious use while permitting legitimate name resolution. Advanced DNS security tools analyze query patterns, domain reputation, and content characteristics to identify suspicious queries without disrupting normal DNS functionality.
DNS tunneling detection examines multiple indicators: query volume per domain, subdomain length and entropy, the proportion of queries whose subdomain has never been seen before (encoded data defeats caching, so nearly every query is new), unusual record types (TXT or NULL records carrying encoded data), and destinations with poor reputation. Machine learning models can identify statistical anomalies distinguishing tunneling from legitimate traffic. Blocking queries to known malicious domains prevents C2 communication.
Organizations can implement DNS security through secure DNS services, next-generation firewalls with DNS inspection, or dedicated DNS security platforms. Forcing all DNS through monitored resolvers prevents endpoints from bypassing security controls, which also means blocking direct outbound port 53 to the internet and encrypted DNS (DoH/DoT) to external resolvers, since either would carry the tunnel around the monitored path. Logging DNS queries provides valuable forensic data for incident investigation.
Option A) is incorrect because blocking all DNS breaks internet connectivity since DNS is essential for name resolution. Option C) is incorrect because disabling DNS prevents all network functionality requiring name resolution. Option D) is incorrect because uninspected DNS traffic allows continued malicious communication.
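The indicators listed above, computed over a constructed DNS query sample, as an added Python example (not from the page or any product). The domain names, the thresholds and the last-two-labels rule for the registrable domain are assumptions of the demo; the "exfiltrated" subdomains are SHA-256 digests standing in for hex-encoded data.

```python
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score far above real words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split a query name into (registrable domain, subdomain part).
    Assumption: the registrable domain is the last two labels. Production code
    should use the Public Suffix List so that names like example.co.uk are handled."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile(queries):
    """Per-domain features from (qname, qtype) pairs."""
    acc = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "txt": 0})
    for qname, qtype in queries:
        base, sub = split_name(qname)
        payload = sub.replace(".", "")
        a = acc[base]
        a["n"] += 1
        a["subs"].add(sub)
        a["len"] += len(payload)
        a["ent"] += shannon_entropy(payload)
        a["txt"] += qtype.upper() == "TXT"
    return {
        base: {
            "count": a["n"],
            "unique_ratio": len(a["subs"]) / a["n"],
            "avg_len": a["len"] / a["n"],
            "avg_entropy": a["ent"] / a["n"],
            "txt_ratio": a["txt"] / a["n"],
        }
        for base, a in acc.items()
    }


def suspected_tunnels(queries, min_queries=10):
    """Flag domains showing at least two tunneling indicators. Returns {domain: [reasons]}."""
    flagged = {}
    for base, f in profile(queries).items():
        if f["count"] < min_queries:
            continue                      # too little traffic to judge
        reasons = []
        if f["avg_len"] >= 30:
            reasons.append("long subdomains (%.0f chars avg)" % f["avg_len"])
        if f["avg_entropy"] >= 3.5:
            reasons.append("high-entropy labels (%.2f bits/char)" % f["avg_entropy"])
        if f["unique_ratio"] >= 0.9:
            reasons.append("almost every query carries a new subdomain (defeats caching)")
        if f["txt_ratio"] >= 0.5:
            reasons.append("mostly TXT lookups")
        if len(reasons) >= 2:
            flagged[base] = reasons
    return flagged


def constructed_queries():
    """Constructed DNS log sample (not from the page): ordinary lookups plus a
    tunnel whose subdomains carry hex-encoded data (SHA-256 digests stand in for it)."""
    legit = [("www.example.com", "A"), ("mail.example.com", "A"), ("api.example.com", "A")] * 10
    legit += [("cdn.static-host.example", "A")] * 15
    tunnel = []
    for i in range(40):
        payload = hashlib.sha256(b"exfil-chunk-%d" % i).hexdigest()
        tunnel.append(("%s.%s.tunnel.example" % (payload[:32], payload[32:]), "TXT"))
    return legit + tunnel


if __name__ == "__main__":
    for domain, reasons in suspected_tunnels(constructed_queries()).items():
        print(domain, "->", "; ".join(reasons))
```

Requiring two independent indicators keeps a single busy CDN with long but repetitive hostnames from firing on length alone; the flagged domain is then a candidate for a resolver block and for pulling the full query log as forensic evidence.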