Question 211
A security analyst notices a sudden surge of incoming traffic and detects unknown packets from unknown senders. After further investigation, the analyst learns that customers claim that they cannot access company servers. According to NIST SP800-61, in which phase of the incident response process is the analyst?
A. preparation
B. post-incident activity
C. containment, eradication, and recovery
D. detection and analysis
Question 212
An analyst is using the SIEM platform and must extract a custom property from a Cisco device event, capturing the phrase `File: Clean`. Which regex must the analyst import?
A. File: Clean (.*)
B. ^Parent File: Clean$
C. File: Clean
D. ^File: Clean$
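The four candidates differ only in anchors and a capture group, so the practical question is what each one matches and what it extracts when run over real event text. The following is an added example (not from the original page or from any SIEM vendor's documentation); the sample lines are constructed, and `re.search` is used on the assumption that a custom-property extractor scans the whole payload rather than anchoring at its start.

```python
import re

# Constructed sample payload lines (not from the original page): the first is
# the exact phrase, the others are near-misses a property extractor might hit.
SAMPLE_LINES = [
    "File: Clean",
    "Parent File: Clean",
    "File: Clean (sha256 0123abcd)",
    "File: Malware",
]

# The four candidate expressions from the question, keyed by option letter.
CANDIDATE_PATTERNS = {
    "A": r"File: Clean (.*)",
    "B": r"^Parent File: Clean$",
    "C": r"File: Clean",
    "D": r"^File: Clean$",
}


def evaluate(pattern, lines):
    """Return (line, extracted_text) for each line the pattern matches.

    re.search is used because a SIEM custom-property extractor looks for the
    expression anywhere in the event payload; the extracted value is capture
    group 1 when the pattern defines one, otherwise the whole match.
    """
    compiled = re.compile(pattern)
    hits = []
    for line in lines:
        m = compiled.search(line)
        if m:
            hits.append((line, m.group(1) if compiled.groups else m.group(0)))
    return hits


def evaluate_all(patterns=CANDIDATE_PATTERNS, lines=SAMPLE_LINES):
    """Run every candidate expression against every sample line."""
    return {label: evaluate(p, lines) for label, p in patterns.items()}


if __name__ == "__main__":
    for label, hits in evaluate_all().items():
        print(f"{label}: {hits}")
```

Running it shows the trade-off directly: the unanchored form also fires on `Parent File: Clean`, the `^...$` form only fires when the line is exactly the phrase, and the form with `(.*)` requires a trailing space and extracts whatever follows rather than the phrase itself.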
Question 213
What is an advantage of symmetric over asymmetric encryption?
A. It is a faster encryption mechanism for sessions.
B. A one-time encryption key is generated for data transmission.
C. A key is generated on demand according to data type.
D. It is suited for transmitting large amounts of data.
Question 214
Refer to the exhibit. During the analysis of a suspicious scanning activity incident, an analyst discovered multiple local TCP connection events. Which technology provided these logs?
A. antivirus
B. IDS/IPS
C. firewall
D. proxy
Question 215
An organization is cooperating with several third-party companies. Data exchange is on an unsecured channel using port 80. Internal employees use the FTP service to upload and download sensitive data. An engineer must ensure confidentiality while preserving the integrity of the communication. Which technology must the engineer implement in this scenario?
A. RADIUS server
B. web application firewall
C. X.509 certificates
D. CA server
Question 216
Refer to the exhibit. A security analyst is investigating unusual activity from an unknown IP address. Which type of evidence is this file?
A. indirect evidence
B. best evidence
C. direct evidence
D. corroborative evidence
Question 217
Refer to the exhibit. An engineer received an event log file to review. Which technology generated the log?
A. IDS/IPS
B. firewall
C. proxy
D. NetFlow
Question 218
Refer to the exhibit. A workstation downloads a malicious .docx file from the Internet and a copy is sent to FTDv. The FTDv sends the file hash to FMC and the file event is recorded. What would have occurred with stronger data visibility?
A. An extra level of security would have been in place.
B. Malicious traffic would have been blocked on multiple devices.
C. The traffic would have been monitored at any segment in the network.
D. Detailed information about the data in real time would have been provided.
Question 219
Refer to the exhibit. Which frame numbers contain a file that is extractable via TCP stream within Wireshark?
A. 7 to 21
B. 7 and 21
C. 7, 14, and 21
D. 14, 16, 18, and 19
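Wireshark's "Follow TCP Stream" and file-export features work by reassembling the data-carrying segments of one direction of a connection in sequence-number order, dropping retransmitted bytes, and then parsing the application-layer protocol (HTTP here) to carve the file body. The exhibit is not reproduced on this page, so the following is an added example with a constructed capture (invented frame numbers, addresses and payload; not the page's data) that performs that reassembly by hand and reports which frames actually contributed file bytes, as opposed to handshake, ACK or duplicate frames.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    frame: int      # Wireshark-style frame number (invented for this example)
    src: str
    dst: str
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


CLIENT = "192.168.1.10:51234"
SERVER = "10.0.0.5:80"

# Constructed capture (not from the page): handshake, a GET, and a 200 response
# whose 12-byte body arrives in three segments, one out of order and one
# retransmitted. Only frames carrying new server-side payload hold the file.
CAPTURE = [
    Segment(1, CLIENT, SERVER, 1000, b""),                                  # SYN
    Segment(2, SERVER, CLIENT, 5000, b""),                                  # SYN/ACK
    Segment(3, CLIENT, SERVER, 1001, b""),                                  # ACK
    Segment(4, CLIENT, SERVER, 1001, b"GET /tool.exe HTTP/1.1\r\nHost: x\r\n\r\n"),
    Segment(5, SERVER, CLIENT, 5001, b"HTTP/1.1 200 OK\r\nContent-Length: 12\r\n\r\n"),
    Segment(6, SERVER, CLIENT, 5044, b"PAYL"),                              # out of order
    Segment(7, SERVER, CLIENT, 5040, b"MZ\x90\x00"),
    Segment(8, SERVER, CLIENT, 5044, b"PAYL"),                              # retransmission
    Segment(9, SERVER, CLIENT, 5048, b"OAD!"),
    Segment(10, CLIENT, SERVER, 1036, b""),                                 # ACK
]


def reassemble(capture, src, dst):
    """Rebuild one direction of a TCP stream from its data-carrying segments.

    Segments are ordered by sequence number; bytes already covered by an
    earlier segment (retransmissions, overlaps) are skipped. Returns the byte
    stream and the frame numbers that contributed new data, in stream order.
    A hole in the sequence space raises, because a carved file with missing
    bytes would be silently corrupt.
    """
    data_segs = sorted(
        (s for s in capture if s.src == src and s.dst == dst and s.payload),
        key=lambda s: s.seq,
    )
    if not data_segs:
        return b"", []
    base = data_segs[0].seq
    stream = bytearray()
    frames = []
    for s in data_segs:
        offset = s.seq - base
        if offset > len(stream):
            raise ValueError(f"gap of {offset - len(stream)} bytes before frame {s.frame}")
        new_bytes = s.payload[len(stream) - offset:]
        if new_bytes:
            stream += new_bytes
            frames.append(s.frame)
    return bytes(stream), frames


def extract_http_body(stream):
    """Split an HTTP/1.1 response into header and body and return the body,
    honouring Content-Length so trailing bytes of a later response are not
    glued onto the file."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header")
    length = None
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    if length is None or len(rest) < length:
        raise ValueError("no Content-Length or body truncated")
    return rest[:length]


def carve_file(capture=CAPTURE):
    """Return (file_bytes, contributing_frames) for the server-to-client stream."""
    stream, frames = reassemble(capture, SERVER, CLIENT)
    return extract_http_body(stream), frames


if __name__ == "__main__":
    body, frames = carve_file()
    print(f"{len(body)} bytes carved from frames {frames}: {body!r}")
```

The point to take from the output is that frame numbers are not the same thing as file content: the SYN, SYN/ACK and ACK frames carry nothing, the retransmitted segment adds nothing new, and only the frames that extend the reassembled stream end up in the exported file.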
Question 220
Refer to the exhibit. What is occurring?
A. DNS tunneling
B. DNS amplification
C. ARP poisoning
D. ARP flood
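Two of the options are DNS abuses that look different in resolver logs: tunneling shows one client sending many unique, long, high-entropy subdomains of a single base domain (often TXT or NULL queries), while amplification shows many ANY queries from one "source" whose responses are far larger than the queries, the source usually being a spoofed victim. The ARP options would have to be judged from ARP frames, which a DNS log does not contain. The following is an added example (not from the page or any product) that scores those indicators over a constructed resolver log; the field layout and the thresholds are assumptions chosen for illustration, not tuned detection rules.

```python
import math
from collections import defaultdict

# Constructed resolver log, invented for this example: one row per query as
# (client_ip, qname, qtype, query_bytes, response_bytes). No real domains.
DNS_LOG = [
    # Host pushing data out in long, random-looking labels under one domain.
    ("192.168.1.20", "q7x2kd9mv3pz8wbn4cfh.t.example-c2.test", "TXT", 80, 210),
    ("192.168.1.20", "a1s2d3f4g5h6j7k8l9z0.t.example-c2.test", "TXT", 80, 214),
    ("192.168.1.20", "zxcvbnmasdfghjklqwer.t.example-c2.test", "TXT", 80, 205),
    ("192.168.1.20", "0987654321poiuytrewq.t.example-c2.test", "TXT", 80, 219),
    # Spoofed victim address used to bounce large ANY responses off a resolver.
    ("203.0.113.9", "big-zone.test", "ANY", 48, 3100),
    ("203.0.113.9", "big-zone.test", "ANY", 48, 3100),
    ("203.0.113.9", "big-zone.test", "ANY", 48, 3100),
    # Ordinary workstation traffic.
    ("192.168.1.30", "www.example.test", "A", 45, 61),
    ("192.168.1.30", "mail.example.test", "A", 46, 62),
    ("192.168.1.30", "www.example.test", "AAAA", 45, 73),
]

# Record types commonly used to carry tunneled data (assumption for scoring).
TUNNEL_TYPES = {"TXT", "NULL", "CNAME", "MX"}


def shannon_entropy(s):
    """Bits per character of the string; encoded or random data scores high."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def source_features(log):
    """Per-client indicators that separate tunneling from amplification."""
    by_src = defaultdict(list)
    for row in log:
        by_src[row[0]].append(row)
    feats = {}
    for src, rows in by_src.items():
        labels, names, types, amps = [], set(), [], []
        for _, qname, qtype, qbytes, rbytes in rows:
            labels.append(qname.split(".")[0])   # leftmost label carries tunneled data
            names.add(qname)
            types.append(qtype)
            amps.append(rbytes / qbytes)         # response-to-query size ratio
        n = len(rows)
        feats[src] = {
            "queries": n,
            "label_entropy": sum(map(shannon_entropy, labels)) / n,
            "label_length": sum(map(len, labels)) / n,
            "unique_ratio": len(names) / n,
            "tunnel_type_ratio": sum(t in TUNNEL_TYPES for t in types) / n,
            "any_ratio": sum(t == "ANY" for t in types) / n,
            "amplification": sum(amps) / n,
        }
    return feats


def classify_sources(log=DNS_LOG):
    """Label each client with the DNS abuse pattern its queries resemble.

    Thresholds are illustrative assumptions, not validated detection tuning.
    """
    verdicts = {}
    for src, f in source_features(log).items():
        if f["any_ratio"] >= 0.5 and f["amplification"] >= 10:
            verdicts[src] = "dns amplification"
        elif (f["label_entropy"] >= 3.5 and f["label_length"] >= 16
              and f["unique_ratio"] >= 0.8 and f["tunnel_type_ratio"] >= 0.5):
            verdicts[src] = "dns tunneling"
        else:
            verdicts[src] = "benign"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources().items():
        print(f"{src}: {verdict}")
```

When reading a real exhibit, the same two questions apply: are the query names varying and long (tunneling), or is the name fixed and the responses disproportionately large (amplification)?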