PdfPrep.com

2021 Updated Cisco 350-201 Exam Actual Questions

The Cisco 350-201 certification exam actual questions have been updated and are the best preparation material for clearing the 350-201 test. The Cisco CyberOps Professional 350-201 CBRCOR exam is a 120-minute test associated with the Cisco CyberOps Professional certification. Some free updated Cisco 350-201 CBRCOR exam actual questions are shared below.

1. An engineer is utilizing interactive behavior analysis to test malware in a sandbox environment to see how the malware performs when it is successfully executed. A location is secured to perform reverse engineering on a piece of malware.

What is the next step the engineer should take to analyze this malware?

2. An employee abused PowerShell commands and script interpreters, which led to an indicator of compromise (IOC) trigger. The IOC event shows that a known malicious file has been executed, and there is an increased likelihood of a breach.

Which indicator generated this IOC event?

3. Refer to the exhibit.

An engineer is analyzing this Vlan0386-int12-117.pcap file in Wireshark after detecting suspicious network activity. The origin header for the direct IP connections in the packets was initiated by a Google Chrome extension over the WebSocket protocol. The engineer checked the message payloads to determine what information was being sent off-site, but the payloads are obfuscated and unreadable.

What does this STIX indicate?

4. An engineer receives a report that indicates a possible incident of a malicious insider sending company information to outside parties.

What is the first action the engineer must take to determine whether an incident has occurred?

5. DRAG DROP

Drag and drop the phases to evaluate the security posture of an asset from the left onto the activity that happens during the phases on the right.

6. An organization had several cyberattacks over the last 6 months and has tasked an engineer with looking for patterns or trends that will help the organization anticipate future attacks and mitigate them.

Which data analytic technique should the engineer use to accomplish this task?

7. Refer to the exhibit.

Which command was executed in PowerShell to generate this log?

8. An organization had an incident with network availability during which devices unexpectedly malfunctioned. An engineer is investigating the incident and found that the memory pool buffer usage reached a peak before the malfunction.

Which action should the engineer take to prevent this issue from reoccurring?

9. An engineer detects an intrusion event inside an organization’s network and becomes aware that files that contain personal data have been accessed.

Which action must be taken to contain this attack?

10. DRAG DROP

Drag and drop the cloud computing service descriptions from the left onto the cloud service categories on the right.

11. Refer to the exhibit.

An employee is the victim of a social engineering phone call and installs remote access software to allow an “MS Support” technician to check his machine for malware. The employee becomes suspicious after the remote technician requests payment in the form of gift cards. The employee has copies of multiple unencrypted database files, over 400 MB each, on his system and is worried that the scammer copied the files off but has no proof of it. The remote technician was connected sometime between 2:00 pm and 3:00 pm over HTTPS.

What should be determined regarding data loss between the employee’s laptop and the remote technician’s system?

12. An engineer returned to work and realized that payments that were received over the weekend were sent to the wrong recipient. The engineer discovered that the SaaS tool that processes these payments was down over the weekend.

Which step should the engineer take first?

13. DRAG DROP

Drag and drop the components from the left onto the phases of the CI/CD pipeline on the right.

14. Refer to the exhibit.

Which code snippet will parse the response to identify the status of the domain as malicious, clean, or undefined?

A)

B)

C)

D)

15. Employees receive an email from an executive within the organization that summarizes a recent security breach and requests that employees verify their credentials through a provided link. Several employees report the email as suspicious, and a security analyst is investigating the reports.

Which two steps should the analyst take to begin this investigation? (Choose two.)

16. A logistics company must use an outdated application located in a private VLAN during the migration to new technologies. The IPS blocked and reported an unencrypted communication.

Which tuning option should be applied to the IPS?

17. A threat actor attacked an organization’s Active Directory server from a remote location and, in a thirty-minute timeframe, stole the password for the administrator account and attempted to access 3 company servers. The threat actor successfully accessed the first server, which contained sales data, but no files were downloaded. A second server that contained marketing information was also accessed, and 11 files were downloaded. When the threat actor accessed the third server, which contained corporate financial data, the session was disconnected and the administrator’s account was disabled.

Which activity triggered the behavior analytics tool?

18. Refer to the exhibit.

Which indicator of compromise is represented by this STIX?

19. A SIEM tool fires an alert about a VPN connection attempt from an unusual location. The incident response team validates that an attacker has installed a remote access tool on a user’s laptop while traveling. The attacker has the user’s credentials and is attempting to connect to the network.

What is the next step in handling the incident?

20. How does Wireshark decrypt TLS network traffic?

21. An engineer received an incident ticket about a malware outbreak and used antivirus and malware removal tools to eradicate the threat. The engineer notices that abnormal processes are still occurring in the system and determines that manual intervention is needed to clean the infected host and restore functionality.

What is the next step the engineer should take to complete this playbook step?

22. DRAG DROP

Drag and drop the actions below the image onto the boxes in the image for the actions that should be taken during this playbook step. Not all options are used.

23. Refer to the exhibit.

An engineer configured this SOAR solution workflow to identify account theft threats and privilege escalation, evaluate risk, and respond by resolving the threat. This solution is handling more threats than the security analysts have time to analyze. Without this analysis, the team cannot be proactive and anticipate attacks.

Which action will accomplish this goal?

24. What is idempotence?

25. An organization suffered a security breach in which the attacker exploited a Netlogon Remote Protocol vulnerability for further privilege escalation.

Which two actions should the incident response team take to prevent this type of attack from reoccurring? (Choose two.)

26. Which command does an engineer use to set read/write/execute access on a folder for everyone who reaches the resource?

27. A SOC analyst is investigating a recent email delivered to a high-value user of a customer whose network their organization monitors. The email includes a suspicious attachment titled “Invoice RE: 0004489”. The hash of the file is gathered from the Cisco Email Security Appliance. After searching open source intelligence, no available history of this hash is found anywhere on the web.

What is the next step in analyzing this attachment to allow the analyst to gather indicators of compromise?

28. The incident response team receives information about the abnormal behavior of a host. A malicious file is found being executed from an external USB flash drive. The team collects and documents all the necessary evidence from the computing resource.

What is the next step?

29. Refer to the exhibit.

Cisco Rapid Threat Containment using Cisco Secure Network Analytics (Stealthwatch) and ISE detects the threat of malware-infected 802.1x authenticated endpoints and places the endpoint into a Quarantine VLAN using an Adaptive Network Control policy.

Which telemetry feeds were correlated with SMC to identify the malware?

30. DRAG DROP

Drag and drop the mitigation steps from the left onto the vulnerabilities they mitigate on the right.

31. Refer to the exhibit.

A threat actor behind a single computer exploited a cloud-based application by sending multiple concurrent API requests. These requests made the application unresponsive.

Which solution protects the application from being overloaded and ensures more equitable application access across the end-user community?

32. DRAG DROP

Refer to the exhibit.

The Cisco Secure Network Analytics (Stealthwatch) console alerted with “New Malware Server Discovered” and the IOC indicates communication from an end-user desktop to a Zeus C&C Server.

Drag and drop the actions that the analyst should take from the left into the order on the right to investigate and remediate this IOC.

33. Refer to the exhibit.

The IDS is producing an increased amount of false positive events about brute force attempts on the organization’s mail server.

How should the Snort rule be modified to improve performance?

34. An engineer is analyzing a possible compromise that happened a week ago when the company? (Choose two.)

35. According to GDPR, what should be done with data to ensure its confidentiality, integrity, and availability?

36. An analyst wants to upload an infected file containing sensitive information to a hybrid-analysis sandbox.

According to the NIST SP 800-150 guide to cyber threat information sharing, what is the analyst required to do before uploading the file to safeguard privacy?

37. An engineer is investigating several cases of increased incoming spam emails and suspicious emails from the HR and service departments. While checking the event sources, the website monitoring tool showed several web scraping alerts overnight.

Which type of compromise is indicated?

38. Which bash command will print all lines from the “colors.txt” file containing the case-insensitive pattern “Yellow”?

39. An engineer is moving data from NAS servers in different departments to a combined storage database so that the data can be accessed and analyzed by the organization on demand.

Which data management process is being used?

40. A security manager received an email from an anomaly detection service stating that one of their contractors has downloaded 50 documents from the company’s confidential document management folder using a company-owned asset al039-ice-4ce687TL0500. The security manager reviewed the content of the downloaded documents and noticed that the affected data is from different departments.

What are the actions a security manager should take?

41. A security analyst receives an escalation regarding an unidentified connection on the Accounting A1 server within a monitored zone. The analyst pulls the logs and discovers that a PowerShell process and a WMI tool process were started on the server after the connection was established and that a PE format file was created in the system directory.

What is the next step the analyst should take?

42. DRAG DROP

An organization lost connectivity to critical servers, and users cannot access business applications and internal websites. An engineer checks the network devices to investigate the outage and determines that all devices are functioning.

Drag and drop the steps from the left into the sequence on the right to continue investigating this issue. Not all options are used.

43. Refer to the exhibit.

Two types of clients are accessing the front ends and the core database that manages transactions, access control, and atomicity.

What is the threat model for the SQL database?

44. Refer to the exhibit.

An engineer must tune the Cisco IOS device to mitigate an attack that is broadcasting a large number of ICMP packets. The attack is sending the victim’s spoofed source IP to a network using an IP broadcast address, which causes devices in the network to respond back to the source IP address.

Which action does the engineer recommend?

45. Refer to the exhibit.

Where is the MIME type that should be followed indicated?

46. Refer to the exhibit.

Cisco Advanced Malware Protection installed on an end-user desktop automatically submitted a low prevalence file to the Threat Grid analysis engine.

What should be concluded from this report?

47. An engineer implemented a SOAR workflow to detect and respond to incorrect login attempts and anomalous user behavior. Since the implementation, the security team has received dozens of false positive alerts and negative feedback from system administrators and privileged users. Several legitimate users were tagged as a threat and had their accounts blocked or credentials reset because of unexpected login times and incorrectly typed credentials.

How should the workflow be improved to resolve these issues?

48. Refer to the exhibit.

An organization is using an internal application for printing documents that requires a separate registration on the website.

The application allows format-free user creation, and users must match these required conditions to comply with the company’s user creation policy:

- minimum length: 3

- usernames can only use letters, numbers, dots, and underscores

- usernames cannot begin with a number

The application administrator has to manually change and track these daily to ensure compliance. An engineer is tasked to implement a script to automate the process according to the company user creation policy. The engineer implemented this piece of code within the application, but users are still able to create format-free usernames.

Which change is needed to apply the restrictions?

49. The SIEM tool informs a SOC team of a suspicious file. The team initializes the analysis with an automated sandbox tool, sets up a controlled laboratory to examine the malware specimen, and proceeds with behavioral analysis.

What is the next step in the malware analysis process?

50. What is a limitation of cyber security risk insurance?

51. Refer to the exhibit.

Which data format is being used?

52. Refer to the exhibit.

An engineer received a report that an attacker has compromised a workstation and gained access to sensitive customer data from the network using insecure protocols.

Which action prevents this type of attack in the future?

53. Refer to the exhibit.

Where does it signify that a page will be stopped from loading when a scripting attack is detected?

54. A malware outbreak is detected by the SIEM and is confirmed as a true positive. The incident response team follows the playbook to mitigate the threat.

What is the first action for the incident response team?
