200-201 Exam Questions
563 real 200-201 exam questions with expert-verified answers and explanations. Page 7 of 12.
- Question #304 (Security Policies and Procedures)
  A SOC analyst detected connections to known C&C and port scanning activity to main HR database servers from one of the HR endpoints, via Cisco StealthWatch. What are the two next s...
  Tags: Incident Response, NIST SP 800-61, Containment, Analysis
- Question #305 (Network Intrusion Analysis)
  Refer to the exhibit. An engineer received a ticket about a slowdown of a web application. During analysis of traffic, the engineer suspects a possible attack on a web server. How...
  Tags: HTTP Traffic Analysis, Packet Capture, Web Server Attacks, Wireshark
- Question #306 (Network Intrusion Analysis)
  Refer to the exhibit. Which alert is identified from this packet capture?
  Tags: Brute-force Attack, Authentication Attempts, Intrusion Detection, Log Analysis
- Question #307 (Security Policies and Procedures)
  An organization that develops high-end technology is going through an internal audit. The organization uses two databases. The main database stores patent information and a seconda...
  Tags: Data Classification, Intellectual Property, PII, Compliance
- Question #308 (Security Monitoring)
  Which option describes indicators of attack?
  Tags: Indicators of Attack, Incident Response
- Question #309 (Host-Based Analysis)
  Refer to the exhibit. Where is the executable file?
  Tags: file analysis, MIME types, file forensics
- Question #310 (Network Intrusion Analysis)
  Refer to the exhibit. A company's user HTTP connection to a malicious site was blocked according to configured policy. What is the source technology used for this measure?
  Tags: IPS, network security devices, threat prevention, security controls
- Question #311 (Security Concepts)
  What is a difference between a threat and a risk?
  Tags: threat, risk, vulnerability, security concepts
- Question #312 (Network Intrusion Analysis)
  A SOC analyst observed Ursnif malware at the SIEM dashboard. The analyst opened the PCAP file to search the certificate issue data. Where must the analyst navigate?
  Tags: PCAP analysis, SSL/TLS certificates, certificate validation, network forensics
- Question #313 (Network Intrusion Analysis)
  Which technique is a low-bandwidth attack?
  Tags: evasion techniques, network attacks, stealthy attacks, attack types
- Question #314 (Network Intrusion Analysis)
  Refer to the exhibit. An analyst performs the analysis of the pcap file to detect the suspicious activity. What challenges did the analyst face in terms of data visibility?
  Tags: Packet analysis, Network visibility, Encryption challenges
- Question #315 (Security Monitoring)
  What matches the regular expression c(rgr)+e?
  Tags: Regular expressions, Pattern matching, Log analysis
- Question #316 (Network Intrusion Analysis)
  Refer to the exhibit. An attacker scanned the server using Nmap. What did the attacker obtain from this scan?
  Tags: Nmap, Port scanning, Network reconnaissance, Firewall detection
- Question #317 (Security Concepts)
  Which classification of cross-site scripting attack executes the payload without storing it for repeated use?
  Tags: Cross-site scripting (XSS), Web application attacks, Reflective XSS
- Question #318 (Security Concepts)
  Which attack method is being used when an attacker tries to compromise a network with an authentication system that uses only 4-digit numeric passwords and no username?
  Tags: Password attacks, Brute-force attack, Dictionary attack, Authentication weaknesses
- Question #319 (Security Concepts)
  What is the purpose of a ransomware attack?
  Tags: Ransomware, Malware, Data encryption, Cybercrime
- Question #320 (Security Policies and Procedures)
  A company's cyber security team performed a phishing simulation campaign for employees and performed security awareness training for affected personnel. According to NIST.SP800-61,...
  Tags: NIST SP 800-61, Incident response, Security awareness training, Phishing simulation
- Question #321 (Host-Based Analysis)
  What do host-based firewalls protect workstations from?
  Tags: Host-based firewall, Network security, Traffic filtering
- Question #322 (Network Intrusion Analysis)
  Which type of data must an engineer capture to analyze payload and header information?
  Tags: Packet capture, Network analysis, Payload analysis, Header analysis
- Question #323 (Host-Based Analysis)
  An engineer must compare NIST vs ISO frameworks. The engineer decided to compare as readable documentation and also to watch a comparison video review. Using Windows 10 OS, the eng...
  Tags: Host troubleshooting, Windows forensics, Audio services, Process analysis
- Question #324 (Network Intrusion Analysis)
  Refer to the exhibit. Which application-level protocol is being targeted?
  Tags: Application layer protocols, Web application security, HTTP
- Question #325 (Network Intrusion Analysis)
  How can TOR impact data visibility inside an organization?
  Tags: TOR network, Anonymity networks, Network visibility, Traffic analysis
- Question #326 (Network Intrusion Analysis)
  A network engineer noticed in the NetFlow report that internal hosts are sending many DNS requests to external DNS servers. A SOC analyst checked the endpoints and discovered that...
  Tags: DNS amplification, Botnet, DDoS attack, IP spoofing
- Question #327 (Network Intrusion Analysis)
  Endpoint logs indicate that a machine has obtained an unusual gateway address and unusual DNS servers via DHCP. Which type of attack is occurring?
  Tags: Man-in-the-Middle (MITM), DHCP spoofing, Network attacks, DNS redirection
- Question #328 (Network Intrusion Analysis)
  Why should an engineer use a full packet capture to investigate a security breach?
  Tags: Packet capture, Network forensics, Incident investigation, Root cause analysis
- Question #329 (Security Concepts)
  Which action matches the weaponization step of the Cyber Kill Chain model?
  Tags: Cyber Kill Chain, weaponization, attack phases
- Question #330 (Security Concepts)
  Which process represents the application-level allow list?
  Tags: allow list, application whitelisting, security controls
- Question #331 (Security Concepts)
  A cyberattacker notices a security flaw in software that a company is using. They decide to tailor a specific worm to exploit this flaw and extract saved passwords from the softw...
  Tags: Cyber Kill Chain, weaponization, malware development
- Question #332 (Security Concepts)
  According to CVSS, what is a description of the attack vector score?
  Tags: CVSS, attack vector, vulnerability scoring
- Question #333 (Network Intrusion Analysis)
  Refer to the exhibit. An attacker gained initial access to the company's network and ran an Nmap scan to advance with the lateral movement technique and to search the sensitive dat...
  Tags: Nmap, network scanning, reconnaissance, lateral movement
- Question #334 (Network Intrusion Analysis)
  Refer to the exhibit. Which frame numbers contain a file that is extractable from Wireshark PCAP?
  Tags: Wireshark, PCAP analysis, file extraction, network forensics
- Question #335 (Security Concepts)
  Which two measures are used by the defense-in-depth strategy? (Choose two.)
  Tags: defense-in-depth, layered security, network segmentation, patch management
- Question #336 (Network Intrusion Analysis)
  Refer to the exhibit. What is the outcome of the command?
  Tags: IDS/IPS rules, TCP flags, network intrusion detection
- Question #337 (Security Concepts)
  Which example represents the defense-in-depth principle?
  Tags: defense-in-depth, network segmentation, VLANs, security architecture
- Question #338 (Security Monitoring)
  What is the purpose of a SIEM solution?
  Tags: SIEM, security monitoring, log management, event correlation
- Question #339 (Host-Based Analysis)
  Refer to the exhibit. What does this Cuckoo sandbox report indicate?
  Tags: Cuckoo Sandbox, malware analysis, dynamic analysis, spyware
- Question #340 (Network Intrusion Analysis)
  Which evasion method is being used when TLS is observed between two endpoints?
  Tags: TLS, encryption, network evasion, protocol analysis
- Question #341 (Security Concepts)
  What is a comparison between rule-based and statistical detection?
  Tags: intrusion detection, rule-based detection, statistical detection, anomaly detection
- Question #342 (Security Concepts)
  What are the two differences between vulnerability and exploit? (Choose two.)
  Tags: vulnerability, exploit, zero-day, CVE
- Question #343 (Network Intrusion Analysis)
  What are two differences of deep packet inspection compared to stateful firewall inspection? (Choose two.)
  Tags: deep packet inspection, stateful firewall, network security, application-level inspection
- Question #344 (Network Intrusion Analysis)
  Refer to the exhibit. A network engineer is analyzing network activity within captured traffic. The engineer notices suspicious behavior, a type of ICMP that Wireshark does not re...
  Tags: ICMP, Wireshark, network analysis, unreachable host
- Question #345 (Network Intrusion Analysis)
  Refer to the exhibit. What is occurring?
  Tags: DNS tunneling, DNS attacks, network analysis, C2 communication
- Question #346 (Network Intrusion Analysis)
  Refer to the exhibit. A security analyst received a ticket about suspicious traffic from one of the workstations. During the investigation, the analyst discovered that the workstat...
  Tags: encrypted traffic, network visibility, incident response, network analysis challenges
- Question #347 (Security Concepts)
  What is email greylisting by the mail transfer agent?
  Tags: email security, greylisting, MTA, spam prevention
- Question #348 (Host-Based Analysis)
  What is used to maintain persistent control of an exploited device?
  Tags: persistence, rootkit, post-exploitation, malware
- Question #349 (Security Concepts)
  Refer to the exhibit. Which type of evidence is this file?
  Tags: Digital forensics, Evidence types
- Question #350 (Security Concepts)
  According to CVSS, which metric group does user interaction belong to?
  Tags: CVSS, Vulnerability assessment, Metric groups
- Question #351 (Host-Based Analysis)
  What is the impact of a ransomware infection?
  Tags: Ransomware, Malware impact, Data encryption
- Question #352 (Security Monitoring)
  Which piece of information is needed for attribution in an investigation?
  Tags: Attribution, Threat actor, Incident investigation
- Question #353 (Network Intrusion Analysis)
  What are two types of cross-site scripting attacks? (Choose two.)
  Tags: XSS, Reflected XSS, Stored XSS, Web application attacks