BANK SOAL

Security Operating Center Analyst (Blue Team)

Yay! Selamat datang : Jul
Klik disini untuk logout.

Add Record Search Now

Bottom
# Question text Question text & Answer

1 What type of event is recorded when an application driver loads Information

successfully in Windows?
Types of Event Logs
An event that describes the successful operation of a task, such as an application, driver, or
service. For example, an Information event is logged when a network driver loads successfully.

https://www.manageengine.com/network-
monitoring/Eventlog_Tutorial_Part_I.html#:~:text=Types%20of%20Event%20Logs&text=An%
20event%20that%20describes%20the,a%20network%20driver%20loads%20successfully.

2 What is the correct sequence of SOC Workflow? Collect, Ingest, Validate, Report, Respond, Document

Gambar : https://prnt.sc/Eo5UlMuVOLW_

Reference: Chapter Security Operation and Management (page 9,10)

Keynote: (CIVRRD)

3 Which of the following attack inundates DHCP servers with fake DHCP Starvation Attacks
DHCP requeststo exhaust all available IP addresses?

Refference : Chapter Understanding Cyber, (Page 48)

4 In which phase of Lockheed Martin's—Cyber Kill Chain
Methodology, adversarycreates a deliverable malicious payload ?

Weaponization

During the Weaponization phase, the attacker creates an attack vector, such as remote
access malware, ransomware, virus or worm that can exploit a known vulnerability.

In this step, the intruder creates a malware weapon like a virus, worm or such in order to
exploit the vulnerabilities of the target. Depending on the target and the purpose of the
attacker, this malware can exploit new, undetected vulnerabilities (also known as the zero-day
exploits) or it can focus on a combination of different vulnerabilities.

reff: https://www.crowdstrike.com/cybersecurity-101/cyber-kill-chain/

5 SOC analyst, while monitoring IDS logs detected events shown in Parameter Tampering Attack
the figure below. What does this event log indicate?
Parameter tampering is a form of Web-based attack in which certain parameters in the
Uniform Resource Locator (URL) or Web page form field data entered by a user are changed
without that user's authorization.

https://www.techtarget.com/searchsecurity/definition/parameter-tampering

6 What attack by manipulating the URL in thebrowser as

shown:http://www.terabytes.com/process.php./../../../../etc/passwd

Directory Traversal Attack

Directory traversal or Path Traversal is an HTTP attack which allows attackers to access
restricted directories and execute commands outside of the web server's root directory. An
Access Control List is used in the authorization process.
7 Which of the following fields in Windows logs defines the type of Keywords
event occurred,such as Correlation Hint, SQM, etc?
Refference : Chapter 3 (Page 166)

8 Which of theses attack can be eradicated by converting all non- XSS Attacks
alphanumchars to HTML char entities before displayed?
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are
injected into otherwise benign and trusted websites.

https://owasp.org/www-community/attacks/xss/

9 Which of the following command is used to view iptables logs on

Ubuntu and Debian distributions?
 Ubuntu and Debian distributions?

$ tailf /var/log/sys/kern.log

Reference: https://tecadmin.net/enable-logging-in-iptables-on-linux/

10 Which of the following data source can be used to detect the Web server logs
traffic associated with Bad Bot User-Agents?
A server log is a log file (or several files) automatically created and maintained by a server
consisting of a list of activities it performed.

A typical example is a web server log which maintains a history of page requests. The W3C
maintains a standard format (the Common Log Format) for web server log files, but other
proprietary formats exist. More recent entries are typically appended to the end of the file.
Information about the request, including client IP address, request date/time, page requested,
HTTP code, bytes served, user agent, and referrer are typically added. This data can be
combined into a single file, or separated into distinct logs, such as an access log, error log, or
referrer log. However, server logs typically do not collect user-specific information.

11 Which of the following attacks causes sudden changes in file Ransomware Attack
extensions or increase in file renames at rapid speed?
his statistic depicts the leading causes of ransomware infections according to MSPs
 his statistic depicts the leading causes of ransomware infections according to MSPs
worldwide in 2020. According to the survey, 54 percent of responding MSPs indicated that
phishing scams were the most common cause of ransomware infection.

https://www.statista.com/statistics/700965/leading-cause-of-ransomware-infection/

12 The Syslog message severity levels are labelled from level 0 to

level 7. What does level 0 indicate?

Emergency

System is unusable

Reff : https://www.paessler.com/it-explained/syslog

13 Jason, a SOC Analyst with Maximus Tech, was investigating Cisco May 06 2018 21:27:27 asa 1: % ASA -5 – 11008: User ‘enable_15’ executed the ‘configure
ASA Firewall logs and came across the following log entry: term’ command

14 What does the security level in the above log indicates?

 Normal but significant message

https://www.paessler.com/it-explained/syslog

15 Identify the type of attack, an attacker is attempting on Cross-site Scripting Attack

www.example.com website.
https://infraexam.com/identify-the-type-of-attack-an-attacker-is-attempting-on-www-
example-com-website/

16 What is the process of monitoring and capturing all data packets Network Sniffing
passing through a given network using different tools? --
Network sniffing involves capturing, decoding, inspecting, and interpreting the information
inside a packet on a TCP/IP network. The purpose is to steal information, usually user IDs,
passwords, network details, credit card numbers, and so on. It is generally referred to as a
“passive” type of attack, where the attacker can be silent/invisible on the network. This makes
it difficult to detect, and it is a dangerous type of attack. The TCP/IP packet contains vital
information required for two network interfaces to communicate with each other. It contains
fields such as source and destination IP addresses ports, sequence numbers, and the
protocol type.

Reference: Understanding Cyber Threats (page 43)

17 Peter, a SOC analyst with Spade Systems, is monitoring and show logging | include 210
analyzing the router logs of the company and wanted to check
the logs that are generated by access control list numbered 210. https://www.exam4training.com/what-filter-should-peter-add-to-the-show-logging-
 the logs that are generated by access control list numbered 210. https://www.exam4training.com/what-filter-should-peter-add-to-the-show-logging-
What filter should Peter add to the ‘show logging’ command to command-to-get-the-required-output/
get the required output?

18 Identify the event severity level in Windows logs for the events Warning
that are not necessarily significant, but may indicate a possible
future problem. An event that is not necessarily significant, but may indicate a possible future problem. For
example, when disk space is low, a Warning event is logged. If an application can recover from
an event without loss of functionality or data, it can generally classify the event as a Warning
event

Refference > https://itexam24.com/identify-the-event-severity-level-in-windows-logs-for-

the-events-that-are-not-necessarily-significant-but-may-indicate-a-possible-future-
problem/

19 Properly applied cyber threat intelligence to the SOC team help

them in discovering TTPs. What does these TTPs refer to?

Tactics, Techniques, and Procedures

A tactic is the highest-level description of the behavior; techniques provide a more detailed
description of the behavior in the context of a tactic; and procedures provide a lower-level,
highly detailed description of the behavior in the context of a technique.
 https://csrc.nist.gov/glossary/term/Tactics_Techniques_and_Procedures#:~:text=A%20tactic
%20is%20the%20highest%2Dlevel%20description%20of%20the%20behavior,the%20conte
xt%20of%20a%20technique.

20 Chloe, a SOC analyst with Jake Tech, is checking Linux systems Login records
logs. She is investigating files at /var/log/wtmp. What Chloe is
looking at? Reference: https://stackify.com/linux-logs/

21 Which attack works like a dictionary attack, but adds some

numbers and symbols to the words from the dictionary and tries

to crack the password? Hybrid Attack

--
It works like a dictionary attack but adds numbers and symbols to the words and tries to crack
the password. These attacks generalize common things people do to make their passwords
hard to guess. The hybrid attacking tool starts guessing a dictionary term and creates other
guesses by appending or prepending the characters to the dictionary term. It appends or
prepends with dates, numbers, alphanumeric characters, and so on to break the password.

Reference: Understanding Cyber Threats (page 45)

22 A organization is establishing an in-house SOC. John Doe has Chief Information Security Officer (CISO)
been given the responsibility to finalize strategy, policies, and
procedures for the SOC. Identify the job role of John Doe ? CISO is the senior-most executive in the organization. His/her duty is to set the organization’s
goals, policies, procedures, strategies, and program to keep the information assets and
technologies always secured. He/she also directs the security team to implement effective
processes across the organization in order to minimize the risks/vulnerabilities.

Reference: Chapter Security Operation and Management (page 14)

23 Which of the following framework describes the essential
characteristics of an company’s security engineering process that

must exist to ensure good security engineering? Systems Security Engineering Capability Maturity Model (SSE-CMM)

SSE-CMM is a process-oriented framework that designs secure systems based on Software

Engineering Capability Maturity Model. It specifies the important properties of the security
engineering process that are needed to maintain security engineering effectively. This model
is used as a tool to monitor security engineering practices and standard mechanism for
analyzing the capability of the provider's security engineering.

Reference: Chapter Security Operation and Management (page 22)

24 John Doe is working as an L2 SOC Analyst. One day, an L1 SOC She should formally raise a ticket and forward it to the IRT
Analyst escalated an incident to her for further investigation and
confirmation. John Doe, after a thorough investigation, confirmed Reporting
the incident and assigned it with an initial priority. What would be Validated incidents are submitted to the incident response teams through a ticketing system
her next action according to the SOC workflow?
Reference: Chapter Security Operation and Management (page 9,10)

25 Identify the attack, where an attacker tries to discover all the Reconnaissance Attacks
possible information about a target network before launching a
further attack. In Reconnaissance attacks, attackers attempt to discover all the possible information about a
target network, including information systems, services, and vulnerabilities which may exist in
the network.

Reference: Understanding Cyber Threats (page 37)

26 What does HTTPS Status code 403 represents? Forbidden

HTTP 403 adalah kode status HTTP yang berarti akses ke sumber daya yang diminta dilarang
karena alasan tertentu. peladen memahami permintaan tersebut, tetapi tidak akan
memenuhinya karena masalah terkait klien. IIS mendefinisikan kode kesalahan "sub-
status" tidak standar yang memberikan alasan yang lebih spesifik untuk merespons
dengan kode status 403.

Reference: Chapter 04 Page 344

27 John as a SOC analyst is worried about the amount of Tor traffic DHCP/Logs capable of maintaining IP address or hostnames with IPtoName
hitting the network. He wants to prepare a dashboard in the SIEM
to get a graph to identify the locations from where the TOR traffic In this method, after analyzing network traffic, you have to match the source and destination
is coming. Which of the following data source will he use to IP addresses with the list of TOR servers
prepare the dashboard?

Reference: Chapter 04 (Page 366)

28 David is a SOC analyst in Karen Tech. One day an attack is False Negative Incidents
initiated by the intruders but David was not able to find any
suspicious events. This type of incident is categorized into? False negatives are the false result for an activity that actually occurred. It is an attack-
negative reply for an actual attack. The false negative is the type of alert which will not raise
the alarm even if an attack is taking place on the network.

Reference: Chapter 04 Page 409

29 An organization is implementing and deploying the SIEM with SOAL : https://prnt.sc/OXPJ-vU5BnTS
following capabilities. What kind of SIEM deployment architecture
the organization is planning to implement? --
Self-hosted, Self-Managed

This is the traditional SIEM deployment model—host the SIEM in your data center, often with a
dedicated SIEM appliance, maintain storage systems, and manage it with trained security
personnel.

Reference: Chapter 04

30 Identify the attack in which the attacker exploits a target system

through publicly known but still unpatched vulnerabilities.

Zero-Day Attack

"Zero-day" is a broad term that describes recently discovered security

vulnerabilities that hackers can use to attack systems. The term "zero-day" refers
to the fact that the vendor or developer has only just learned of the flaw – which means they
have “zero days” to fix it.

Reference: Chapter 04
31 Which of the following can help you eliminate the burden of
investigating false positives?

A. Treating every alert as high level

B. Keeping default rules
C. Ingesting the context data
D. Not trusting the security devices

--ANSWER

Ingesting the context data

First, your security team should not try to feed your SIEM every log generated by your
business’ infrastructure. After all, this creates a serious challenge to your IT security team.

32 Which of the following Windows features is used to enable A. Local Group Policy Editor
Security Auditing in Windows? B. Windows Firewall
C. Windows Defender
D. Bitlocker

---answer
Local Group Policy Editor

Windows security auditing can be enabled using either Group Policy (in Active Directory
environment) or Local Security Policy (for a single computer). Open Windows Control Panel,

33 What code HTTPS Status for server cannot handle the request?

500: Internal Server Error (501)

It indicates that something went wrong inside the web server, due to that it is unable to
process the request. This type of error mainly occurs due to server misconfiguration or
missing packages.
 Reference: Chapter 04 (page 345) https://developer.mozilla.org/en-
US/docs/Web/HTTP/Status

34 What data source for detection such type of attempts with the Netstat Data
host source IP Address?
The netstat command lists out all the services that are listening on the ports and also provide
the information related to any connections made to the ports, like IP addresses to which
daemon is listening, the daemon's process identifier (PID), and the program name.

Reference: Chapter 04 (page 367)

35 What data source for detection any such attempt scanning

activities?

Snort / IDS

Snort IDS have typical rules for detecting various types of scanning attempts such as FIN,
XMAS, SYN, etc. You can ingest log data from such security devices into your SIEM to detect
such type of attempts.

Reference: Chapter 04 (page 370)

36 What data source for detection the trail where user created, used User account management (Windows Domain Control Security)
then deleted the account?
Malicious insiders may create, use, and delete temporary accounts to perform malicious
activities. To prevent such type of anomalies, you need to continuously monitor unwanted and
unauthorized creation, usage, and deletion of user accounts.

Reference: Chapter 04 (page 373)

37 What data source for detection attempt of creating a large
number of new files in a short amount of time? Splunk using the streamstats command

This command prepares the statistics for each event from the time it occurred.

Reference: Chapter 04 (page 383)

38 What data source for detection or identify insecure port and

services that are found open and running on the endpoints?

Netstat

This is possible through netstat command. The netstat command lists out all the services that
are listening on the ports and also provide the information related to any connections made to
the ports, like IP addresses to which daemon is listening, the daemon's process identifier
(PID), and the program name.

Reference: Chapter 04 (page 367)

39 What port number that have anomaly like unusual large amount of UDP port 67
DHCP traffic?
You should know the IP address of the legitimate DHCP server on the network; any other IP
address associated with UDP port 67 would be identified as a rogue DHCP server.

Reference: Chapter 04 (page 389)

40 What data source for detection any attempt of concurrent VPN Logs
connection from the different IP address ?
Clients should have one VPN connection from one IP address at a time. If there is concurrent
VPN connection from the different IP address, then this can be an indication of use of
compromised credentials from malicious users.

Reference: Chapter 04 (page 393)

41 Which of the following is a Threat Intelligence Platform? TC

Complete or Keepnote or SolarWinds MS or Apitily
 TC Complete

TC CompleteTM (security operations and analytics platform) is built on the ThreatConnect

Platform—providing not only the ability to orchestrate your security functions but also the
confidence that you are basing your tasks and decisions on vetted, relevant threat
intelligence.

Reference: Chapter 04 (page 493)

42 Which of the following is a report writing tool that will help MagicTree
incident handlers to generate efficient reports on detected
incidents during incident response process? threat_note or Report writing tools help incident handlers to generate efficient reports on detected incidents
MagicTree or Malstrom or IntelMQ during incident handling and response process.

Reference: Chapter 06 (page 629)

43 Which of the following threat intelligence is used by a SIEM for

supplying the analysts with context and "situational

awareness" by using threat actor TTPs, malware 1.Strategic threat intelligence

campaigns, tools used by threat actors. Choose 2 2.Tactical threat intelligence -
3.Operational threat intelligence
4.Technical threat intelligence
---
Hasil remarin 1 dan 2
Reference: Chapter 05 (page 470)
------

2
Threat intelligence is a contextual information that describes threats and guides organizations
in taking various business decisions. It is extracted from a huge collection of sources and

44 Which of the following technique involves scanning the headers Egress Filtering
of IP packets leaving a network to make sure that the
unauthorized or malicious traffic never leaves the internal Egress filtering scans the headers of IP packets leaving a network. If the packets pass the
network? specifications, they can route out of the subnetwork from which they originated. The packets
will not reach the targeted address if they do not meet the necessary specifications. Egress
 will not reach the targeted address if they do not meet the necessary specifications. Egress
filtering ensures that unauthorized or malicious traffic never leaves the internal network.

Reference: Chapter 06 (page 643)

45 Which one of the following is the correct flow for Setting Up a Planning and budgeting → Physical location and structural design considerations → Work area
Computer Forensics Lab? considerations → Human resource considerations → Physical security recommendations →
Forensics lab licensing
---
- Planning and Budgeting
- Physical Location and Structural Design Considerations
- Work Area Considerations
- Human Resource Considerations
- Physical Security Recommendations
- Forensics Lab Licensing

Reference : Chapter 06 (Page 591 - 592 )

46 According to the Risk Matrix table, what will be the risk level when Extreme
the probability of an attack is very high, and the impact of that
attack is major? Probability 80 - 100 % with the Consequences Very High Probability - Major : Extreme

Reference : Chapter 6 IR (Page : 611 )

47 According to the forensics investigation process, what is the next Create a Chain of Custody Document
step carried out right after collecting the evidence ?
Part of The process flow of evidence gathering
 Part of The process flow of evidence gathering

Reference : Chapter 6 (Page 624)

48 John doe a SOC analyst, while monitoring logs, noticed large TXT DNS Exfiltration Attempt
, NULL payloads. What does this indicate?
Reference : Chapter 4 ( page : 388 )

49 Which of the following steps of incident handling and response Containment

process focus on limiting the scope and extent of an incident?
Containment focuses on limiting the scope and extent of an incident. It deals with information
and computing services. The aim of the containment stage is to stop spread of attack to
similar resources across the organization as well as reduce losses and damages.

reference : Chapter 6 ( page : 620 )

50 Bonney’s system has been compromised by a gruesome malware.

 What is the primary step that is advisable to Bonney in order to
contain the malware incident from spreading?

Turn off the infected machine

Turn off all the malware infected systems present in the network immediately.

Reference : Chapter 6 ( page : 640 )

51 Which of the following tool can be used to filter web requests

associated with the SQL Injection attack?

UrlScan filter atau ( opsi lain WAF fireawlal/IDS juga bisa )

Reference : Chapter 6 (page : 713)

Oke "UrlScan' bnr

52 Which encoding replaces unusual ASCII characters with “%” URL Encoding
followed by the character’s two-digit ASCII code expressed in
hexadecimal? Web browsers/web servers permit URLs to contain only the printable characters of ASCII code
that can be understood by them for addressing. URL encoding is the process of converting
URL into valid ASCII format so that data can be safely transported over HTTP. Several
characters in this range have special meaning when they are mentioned in the URL scheme or
HTTP protocol. Thus, these characters are restricted. URL encoding replaces unusual ASCII
characters with "%" followed by the character’s two-digit ASCII code expressed in
hexadecimal such as:

o %3d =
o %0a New line

53 Which of the following attack can be eradicated by using a safe

API to avoid the use of the interpreter entirely?

command injection attacks: <-- oke

Use a Safe API: Attackers can scan web applications for vulnerabilities due to the existence of
the interpreters. The best way to deal with this is to use a safe API instead of unsafe
interpreters.

Reference Chapter 6 (page 655)

54 Which of the following security technology is used to attract and Honeypot <-- ok
trap people who attempt unauthorized or illicit utilization of the
host system? Reference chapter 6 (page 600)

55 Ray is a SOC analyst in a company named Queens Tech. One Day,

Queens Tech is affected by a DoS/DDoS attack. For the

containment of this incident, Ray and his team are trying to

 containment of this incident, Ray and his team are trying to Absorb the Attack
provide additional bandwidth to the network devices and
increasing the capacity of the servers. What is Ray and his team In this strategy, the organizations can contain the DoS attack by providing additional
doing? bandwidth to the network devices and increasing the capacity of the servers to absorb the
attack. This process is possible only when the organizations have enough available bandwidth
and they are sure that the attack cannot consume all bandwidth

reference chapter 6 page 641

56 what does '1' represent in HTTP status code 1XX (informational message)

57 Emmanuel is working as a SOC analyst in a company named Incident Classification.(p.609)

Tobey Tech. The manager of Tobey Tech recently recruited an
Incident Response Team (IRT) for his company. In the process of
collaboration with the IRT, Emmanuel just escalated an incident to
the IRT. What is the first step that the IRT will do to the incident
escalated by Emmanuel?
58 Shawn is a security manager working at Lee Inc Solution. His
organization wants to develop threat intelligent strategy plan. As a
part of threat intelligent strategy plan, he suggested various
components, such as threat intelligence requirement analysis,
intelligence and collection planning, asset identification, threat
reports, and intelligence buy-in. Which one of the following
components he should include in the above threat intelligent
strategy plan to make it effective?

Threat buy-in (p.475)

59 what data source or command for detection such type of netstat (page 367)
attempts with the host source ip address?
60 what data source or command for detection any such attempt snort/ids (page 370)
scanning activities?

61 what data source or command for detection the trail where user
created, used then deleted the account?

User Account Management (page 374)

62 what data source or command for detection attempt of creating a splunk using the streamstats command (page383)
large number of new file in a short amount of time?
63 what data source of command for detection or identify insecure
port and services that are found open and running on the

endpoints? netstat (367)

64 what port number that have anomaly like unusual large amount of UDP port 67 (page 389)
DHCP traffic?

65 which of the following is a threat intelligence platform tc complete TC Complete (page 493)
or keepnote or solarwinds ms or apitily?
66 What does the Security Log Event ID 4624 of Windows 10 An account was successfully logged on
indicate?
https://www.manageengine.com/products/active-directory-audit/kb/windows-security-log-
event-id-
4624.html#:~:text=Event%20ID%204624%20(viewed%20in,4625%20documents%20failed
%20logon%20attempts. &

67 Properly applied cyber threat intelligence to the SOC team help Tactics, Techniques, and Procedures.
them in discovering TTPs. What does these TTPs refer to?

(hal. 36)

68 Which Following correct answer about SIEM use cases for VPN Certificate Verification Failure
Checkpoint?
69 What is the most common workflow of the SIEM analyst? A. Investigation
B. Alert Triage (@)
C. Escalated
D. Remediation

70 Daniel is a member of an IRT, which was started recently in a

company named Mesh Tech. He wanted to find the purpose and
scope of planned incident response capabilities. What is he
looking for?

A. Incident Response Mission

B. IR Resource
C. IR Intelligence
D. IR Vision

A) Incident Response Mission (Bookshelf p 1035)

71 in which, SOC generation era security incidents and event
managemetn SIEM awas developed

second generation SOC:1996-200

72 Which of the following directory will contain logs related to printer A. /var/logs/cups/Printeraccess_log file
access? B. /var/logs/cups/Printer_log file
C. /var/logs/cups/access_log file
D. /var/logs/cups/accesslog file

C). Ref: Ebook Page 999 -> ref (https://opensource.apple.com/source/cups/cups-

87/doc/sam.shtml#ErrorLog)

73 What kind of SIEM deployment architecture the organization is

planning to implement?

A . Cloud, MSSP Managed

B . Self-hosted, Jointly Managed
C . Self-hosted, Self-Managed
D . Self-hosted, MSSP Managed

Answer C (hal. 330)

74 Which of the following regex that can detect &lt;img src based A. /((%3C)|&lt;)((%2F)|/)*[a-z0-9%]+((%3E)|&gt;)/ix
XSS attempt B. /((%3C)|&lt;)((%69)|i|(%49))((%6D)|m|(%4D))((%67)|g|(%47))[^n] +((%3E)|&gt;)/I
C. /((%27)|('))(select|union|insert|update|delete|replace|truncate/drop)/ix
D. /exec(s|+)+(s|x)pw+/ix

Answer: B. /((%3C)|&lt;)((%69)|i|(%49))((%6D)|m|(%4D))((%67)|g|(%47))[^n] +((%3E)|&gt;)/I

75 After compromising a host and escalating privileges, the attacker

installs a remote access Trojan (RAT). What step of the Cyber Kill

Chain framework has just occurred? A. Reconnaissance

B. Action on Objective
C. Exploitation
D. Installation

Answer: D.Installation

76 Which statement is TRUE with respect to False Negative? A. alert raised an alarm when no attack occurred
B. alert which will not raise the alarm even if an attack is taking place
C. alert raised an alarm when the attack occurred
D. alerts will not raise any alarm because no incident is identified

Answer: B. alert which will not raise the alarm even if an attack is taking place
77 Examine the following ASA system message: %ASA-TM-302015: SOAL
Built inbound connection TCP 12695364 for outside: Examine the following ASA system message:
192.168.5.5/36214 to inside 192.198.5.20/80 Which statement is %ASA-TM-302015: Built inbound connection TCP 12695364 for outside: 192.168.5.5/36214
FALSE? to inside 192.198.5.20/80
Which statement is FALSE?

PILIHAN JAWABAN
A. The destination port is 302015
B. The destination IP is 192.168.5.20
C. The source IP address is 192.168.5.5
D. The source port is 36214

78 An analyst discovers that a legitimate security alert has been

dismissed. Which signature caused this impact on network
traffic?

A. False Positive
B. True Negative
C. True Positive
D. False Negative

Answer: D. False Negative

79 What causes events on a Windows system to show Event Code A. The system detected an XSS attack
4625 in the log messages? B. A privileged user successfully logged into the system
C. Someone is trying a brute force attack on the network
D. Another device is gaining root access to the system

Answer: C. Someone is trying a brute force attack on the network

80 What code HTTPS Status for server cannot handle the request? 5xx

81 What does HTTPS Status code 403 represents?

Forbidden Error
 Forbidden Error

82 John doe is a member of an IRT, which was started recently in a Incident Response Mission
company named Mesh Tech. He wanted to find the purpose and
scope of the planned incident response capabilities. What is he
looking for?

83 According to the forensics investigation process, what is the next

step carried out right after collecting the evidence?

Create a Chain of Custody Document