2021 Updated Cisco 350-201 Exam Actual Questions

1. An engineer is utilizing interactive behavior analysis to test malware in a sandbox environment to see how the malware performs when it is successfully executed. A location is secured to perform reverse engineering on a piece of malware .

What is the next step the engineer should take to analyze this malware?

2. An employee abused PowerShell commands and script interpreters, which lead to an indicator of compromise (IOC) trigger. The IOC event shows that a known malicious file has been executed, and there is an increased likelihood of a breach .

Which indicator generated this IOC event?

3. Refer to the exhibit.





An engineer is analyzing this Vlan0386-int12-117.pcap file in Wireshark after detecting a suspicious network activity. The origin header for the direct IP connections in the packets was initiated by a google chrome extension on a WebSocket protocol. The engineer checked message payloads to determine what information was being sent off-site but the payloads are obfuscated and unreadable .

What does this STIX indicate?

4. An engineer receives a report that indicates a possible incident of a malicious insider sending company information to outside parties .

What is the first action the engineer must take to determine whether an incident has occurred?

5. DRAG DROP

Drag and drop the phases to evaluate the security posture of an asset from the left onto the activity that happens during the phases on the right.

6. An organization had several cyberattacks over the last 6 months and has tasked an engineer with looking for patterns or trends that will help the organization anticipate future attacks and mitigate them .

Which data analytic technique should the engineer use to accomplish this task?

7. Refer to the exhibit.





Which command was executed in PowerShell to generate this log?

8. An organization had an incident with the network availability during which devices unexpectedly malfunctioned. An engineer is investigating the incident and found that the memory pool buffer usage reached a peak before the malfunction .

Which action should the engineer take to prevent this issue from reoccurring?

9. An engineer detects an intrusion event inside an organization’s network and becomes aware that files that contain personal data have been accessed .

Which action must be taken to contain this attack?

10. DRAG DROP

Drag and drop the cloud computing service descriptions from the left onto the cloud service categories on the right.

11. Refer to the exhibit.





An employee is a victim of a social engineering phone call and installs remote access software to allow an “MS Support” technician to check his machine for malware. The employee becomes suspicious after the remote technician requests payment in the form of gift cards. The employee has copies of multiple, unencrypted database files, over 400 MB each, on his system and is worried that the scammer copied the files off but has no proof of it. The remote technician was connected sometime between 2:00 pm and 3:00 pm over https .

What should be determined regarding data loss between the employee’s laptop and the remote technician’s system?

12. An engineer returned to work and realized that payments that were received over the weekend were sent to the wrong recipient. The engineer discovered that the SaaS tool that processes these payments was down over the weekend .

Which step should the engineer take first?

13. DRAG DROP

Drag and drop the components from the left onto the phases of the CI/CD pipeline on the right.

14. Refer to the exhibit.





Which code snippet will parse the response to identify the status of the domain as malicious, clean or undefined?

A)





B)





C)





D)

15. Employees receive an email from an executive within the organization that summarizes a recent security breach and requests that employees verify their credentials through a provided link. Several employees report the email as suspicious, and a security analyst is investigating the reports .

Which two steps should the analyst take to begin this investigation? (Choose two.)

16. A logistic company must use an outdated application located in a private VLAN during the migration to new technologies. The IPS blocked and reported an unencrypted communication .

Which tuning option should be applied to IPS?

17. A threat actor attacked an organization’s Active Directory server from a remote location, and in a thirty-minute timeframe, stole the password for the administrator account and attempted to access 3 company servers. The threat actor successfully accessed the first server that contained sales data, but no files were downloaded. A second server was also accessed that contained marketing information and 11 files were downloaded. When the threat actor accessed the third server that contained corporate financial data, the session was disconnected, and the administrator’s account was disabled .

Which activity triggered the behavior analytics tool?

18. Refer to the exhibit.





Which indicator of compromise is represented by this STIX?

19. A SIEM tool fires an alert about a VPN connection attempt from an unusual location. The incident response team validates that an attacker has installed a remote access tool on a user’s laptop while traveling. The attacker has the user’s credentials and is attempting to connect to the network.

What is the next step in handling the incident?

20. How does Wireshark decrypt TLS network traffic?

21. An engineer received an incident ticket of a malware outbreak and used antivirus and malware removal tools to eradicate the threat. The engineer notices that abnormal processes are still occurring in the system and determines that manual intervention is needed to clean the infected host and restore functionality .

What is the next step the engineer should take to complete this playbook step?

22. DRAG DROP

Drag and drop the actions below the image onto the boxes in the image for the actions that should be taken during this playbook step. Not all options are used.

23. Refer to the exhibit.





An engineer configured this SOAR solution workflow to identify account theft threats and privilege escalation, evaluate risk, and respond by resolving the threat. This solution is handling more threats than Security analysts have time to analyze. Without this analysis, the team cannot be proactive and anticipate attacks .

Which action will accomplish this goal?

24. What is idempotence?

25. An organization suffered a security breach in which the attacker exploited a Netlogon Remote Protocol vulnerability for further privilege escalation .

Which two actions should the incident response team take to prevent this type of attack from reoccurring? (Choose two.)

26. Which command does an engineer use to set read/write/execute access on a folder for everyone who reaches the resource?

27. A SOC analyst is investigating a recent email delivered to a high-value user for a customer whose network their organization monitors. The email includes a suspicious attachment titled “Invoice RE: 0004489”. The hash of the file is gathered from the Cisco Email Security Appliance. After searching Open Source Intelligence, no available history of this hash is found anywhere on the web .

What is the next step in analyzing this attachment to allow the analyst to gather indicators of compromise?

28. The incident response team receives information about the abnormal behavior of a host. A malicious file is found being executed from an external USB flash drive. The team collects and documents all the necessary evidence from the computing resource .

What is the next step?

29. Refer to the exhibit.





Cisco Rapid Threat Containment using Cisco Secure Network Analytics (Stealth watch) and ISE detects the threat of malware-infected 802.1x authenticated endpoints and places that endpoint into a Quarantine VLAN using Adaptive Network Control policy .

Which telemetry feeds were correlated with SMC to identify the malware?

30. DRAG DROP

Drag and drop the mitigation steps from the left onto the vulnerabilities they mitigate on the right.

31. Refer to the exhibit.





A threat actor behind a single computer exploited a cloud-based application by sending multiple concurrent API requests. These requests made the application unresponsive .

Which solution protects the application from being overloaded and ensures more equitable application access across the end-user community?

32. DRAG DROP

Refer to the exhibit.





The Cisco Secure Network Analytics (Stealthwatch) console alerted with “New Malware Server Discovered” and the IOC indicates communication from an end-user desktop to a Zeus C&C Server.

Drag and drop the actions that the analyst should take from the left into the order on the right to investigate and remediate this IOC.

33. Refer to the exhibit.





IDS is producing an increased amount of false positive events about brute force attempts on the organization’s mail server .

How should the Snort rule be modified to improve performance?

34. An engineer is analyzing a possible compromise that happened a week ago when the company? (Choose two.)

35. According to GDPR, what should be done with data to ensure its confidentiality, integrity, and availability?

36. An analyst wants to upload an infected file containing sensitive information to a hybrid-analysis sandbox.

According to the NIST.SP 800-150 guide to cyber threat information sharing, what is the analyst required to do before uploading the file to safeguard privacy?

37. An engineer is investigating several cases of increased incoming spam emails and suspicious emails from the HR and service departments. While checking the event sources, the website monitoring tool showed several web scraping alerts overnight .

Which type of compromise is indicated?

38. Which bash command will print all lines from the “colors.txt” file containing the non case-sensitive pattern “Yellow”?

39. An engineer is moving data from NAS servers in different departments to a combined storage database so that the data can be accessed and analyzed by the organization on-demand .

Which data management process is being used?

40. A security manager received an email from an anomaly detection service, that one of their contractors has downloaded 50 documents from the company’s confidential document management folder using a company- owned asset al039-ice-4ce687TL0500. A security manager reviewed the content of downloaded documents and noticed that the data affected is from different departments .

What are the actions a security manager should take?

41. A security analyst receives an escalation regarding an unidentified connection on the Accounting A1 server within a monitored zone. The analyst pulls the logs and discovers that a Powershell process and a WMI tool process were started on the server after the connection was established and that a PE format file was created in the system directory .

What is the next step the analyst should take?

42. DRAG DROP

An organization lost connectivity to critical servers, and users cannot access business applications and internal websites. An engineer checks the network devices to investigate the outage and determines that all devices are functioning.

Drag and drop the steps from the left into the sequence on the right to continue investigating this issue. Not all options are used.

43. Refer to the exhibit.





Two types of clients are accessing the front ends and the core database that manages transactions, access control, and atomicity .

What is the threat model for the SQL database?

44. Refer to the exhibit.





An engineer must tune the Cisco IOS device to mitigate an attack that is broadcasting a large number of ICMP packets. The attack is sending the victim’s spoofed source IP to a network using an IP broadcast address that causes devices in the network to respond back to the source IP address .

Which action does the engineer recommend?

45. Refer to the exhibit.





Where is the MIME type that should be followed indicated?

46. Refer to the exhibit.





Cisco Advanced Malware Protection installed on an end-user desktop automatically submitted a low prevalence file to the Threat Grid analysis engine .

What should be concluded from this report?

47. An engineer implemented a SOAR workflow to detect and respond to incorrect login attempts and anomalous user behavior. Since the implementation, the security team has received dozens of false positive alerts and negative feedback from system administrators and privileged users. Several legitimate users were tagged as a threat and their accounts blocked, or credentials reset because of unexpected login times and incorrectly typed credentials .

How should the workflow be improved to resolve these issues?

48. Refer to the exhibit.





An organization is using an internal application for printing documents that requires a separate registration on the website.

The application allows format-free user creation, and users must match these required conditions to comply with the company’s user creation policy:

- minimum length: 3

- usernames can only use letters, numbers, dots, and underscores

- usernames cannot begin with a number

The application administrator has to manually change and track these daily to ensure compliance. An engineer is tasked to implement a script to automate the process according to the company user creation policy. The engineer implemented this piece of code within the application, but users are still able to create format-free usernames.

Which change is needed to apply the restrictions?

49. The SIEM tool informs a SOC team of a suspicious file. The team initializes the analysis with an automated sandbox tool, sets up a controlled laboratory to examine the malware specimen, and proceeds with behavioral analysis .

What is the next step in the malware analysis process?

50. What is a limitation of cyber security risk insurance?

51. Refer to the exhibit.





Which data format is being used?

52. Refer to the exhibit.





An engineer received a report that an attacker has compromised a workstation and gained access to sensitive customer data from the network using insecure protocols .

Which action prevents this type of attack in the future?

53. Refer to the exhibit.





Where does it signify that a page will be stopped from loading when a scripting attack is detected?

54. A malware outbreak is detected by the SIEM and is confirmed as a true positive. The incident response team follows the playbook to mitigate the threat .

What is the first action for the incident response team?