210-255 Implementing Cisco Cybersecurity Operations

Page 1   
Question 1

During which phase of the forensic process are tools and techniques used to extract the
relevant information from the collective data?

  • A. examination
  • B. reporting
  • C. collection
  • D. investigation


Answer : A

Explanation: Examinations involve forensically processing large amounts of collected data using a combination of automated and manual methods to assess and extract data of particular interest, while preserving the integrity of the data. Forensic tools and techniques appropriate to the types of data that were collected are executed to identify and extract the relevant information from the collected data while protecting its integrity. Examination may use a combination of automated tools and manual processes.

Question 2

You receive an alert for malicious code that exploits Internet Explorer and runs arbitrary
code on the site visitor machine. The malicious code is on an external site that is being
visited by hosts on your network. Which user agent in the HTTP headers in the requests
from your internal hosts warrants further investigation?

  • A. Mozilla/5.0 (compatible, MSIE 10.0, Windows NT 6.2, Trident 6.0)
  • B. Mozilla/5.0 (X11; Linux i686; rv:1.9.2.20) Gecko/20110805
  • C. Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101
  • D. Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16


Answer : A

Question 3


Refer to the exhibit. Which application protocol is in this PCAP file?

  • A. TCP
  • B. SSH
  • C. HTTP
  • D. SSL


Answer : A

Question 4

Which information must be left out of a final incident report?

  • A. server hardware configurations
  • B. exploit or vulnerability used
  • C. impact and/or the financial loss
  • D. how the incident was detected


Answer : A

Question 5

What mechanism does the Linux operating system provide to control access to files?

  • A. privileges required
  • B. user interaction
  • C. file permissions
  • D. access complexity


Answer : C

Question 6

Which element can be used by a threat actor to discover a possible opening into a target
network and can also be used by an analyst to determine the protocol of the malicious
traffic?

  • A. TTLs
  • B. ports
  • C. SMTP replies
  • D. IP addresses


Answer : B

Question 7

An organization has recently adjusted its security stance in response to online threats
made by a known hacktivist group. Which term defines the initial event in the
NIST SP800-61 r2?

  • A. instigator
  • B. precursor
  • C. online assault
  • D. trigger


Answer : D

Question 8

Which of the following is an example of a managed security offering where incident
response experts monitor and respond to security alerts in a security operations center
(SOC)?

  • A. Cisco CloudLock
  • B. Cisco's Active Threat Analytics (ATA)
  • C. Cisco Managed Firepower Service
  • D. Cisco Jasper


Answer : B

Question 9

Which process is being utilized when IPS events are removed to improve data integrity?

  • A. data normalization
  • B. data availability
  • C. data protection
  • D. data signature


Answer : B

Question 10

Which stakeholder group is responsible for containment, eradication, and recovery in
incident handling?

  • A. facilitators
  • B. practitioners
  • C. leaders and managers
  • D. decision makers


Answer : A

Question 11

Which of the following can be identified by correlating DNS intelligence and other security
events? (Choose two.)

  • A. Communication to CnC servers
  • B. Configuration issues
  • C. Malicious domains based on reputation
  • D. Routing problems


Answer : A,C

Question 12

Which CVSSv3 metric captures the level of access that is required for a successful attack?

  • A. attack vector
  • B. attack complexity
  • C. privileges required
  • D. user interaction


Answer : C

Question 13


Refer to the exhibit. What can be determined from this ping result?

  • A. The public IP address of cisco.com is 2001:420:1101:1::a.
  • B. The Cisco.com website is down.
  • C. The Cisco.com website is responding with an internal IP.
  • D. The public IP address of cisco.com is an IPv4 address.


Answer : C

Question 14

Which of the following is not a metadata feature of the Diamond Model?

  • A. Direction
  • B. Result
  • C. Devices
  • D. Resources


Answer : C

Question 15

Refer to the exhibit.


We have performed a malware detection on the Cisco website. Which statement about the
result is true?

  • A. The website has been marked benign on all 68 checks.
  • B. The threat detection needs to run again.
  • C. The website has 68 open threats.
  • D. The website has been marked benign on 0 checks.


Answer : A
