ISACA Certified Cybersecurity Operations Analyst - CCOA Exam Practice Test

Which of the following Is a PRIMARY function of a network intrusion detection system (IDS)?
Correct Answer: B Vote an answer
Explanation: Only visible for PassTestking members. You can sign-up / login (it's free).
Which of the following is foundational for implementing a Zero Trust model?
Correct Answer: C Vote an answer
Explanation: Only visible for PassTestking members. You can sign-up / login (it's free).
Which ofthe following is .1 PRIMARY output from the development of a cyber risk management strategy?
Correct Answer: A Vote an answer
Explanation: Only visible for PassTestking members. You can sign-up / login (it's free).
Which of the followingBESTdescribes static application security testing (SAST)?
Correct Answer: C Vote an answer
Explanation: Only visible for PassTestking members. You can sign-up / login (it's free).
Which of the following should be completedFIRSTin a data loss prevention (OLP) system implementation project?
Correct Answer: A Vote an answer
Explanation: Only visible for PassTestking members. You can sign-up / login (it's free).
Your enterprise has received an alert bulletin fromnational authorities that the network has beencompromised at approximately 11:00 PM (Absolute) onAugust 19, 2024. The alert is located in the alerts folderwith filename, alert_33.pdf.
Use the IOCs to find the compromised host. Enter thehost name identified in the keyword agent.name fieldbelow.
Correct Answer:
See the solution in Explanation.
Explanation:
To identify the compromised host using thekeyword agent.name, follow these steps:
Step 1: Access the Alert Bulletin
* Navigate to thealerts folderon your system.
* Locate the alert file:
alert_33.pdf
* Open the file with a PDF reader and review its contents.
Key Information to Extract:
* Indicators of Compromise (IOCs) provided in the bulletin:
* File hashes
* IP addresses
* Hostnames
* Keywords related to the compromise
Step 2: Log into SIEM or Log Management System
* Access your organization'sSIEMor centralized log system.
* Make sure you have the appropriate permissions to view log data.
Step 3: Set Up Your Search
* Time Filter:
* Set the time window toAugust 19, 2024, around11:00 PM (Absolute).
* Keyword Filter:
* Use the keywordagent.nameto search for host information.
* IOC Correlation:
* Incorporate IOCs from thealert_33.pdffile (e.g., IP addresses, hash values).
Example SIEM Query:
index=host_logs
| search "agent.name" AND (IOC_from_alert OR "2024-08-19T23:00:00")
| table _time, agent.name, host.name, ip_address, alert_id
Step 4: Analyze the Results
* Review the output for any host names that appear unusual or match the IOCs from the alert bulletin.
* Focus on:
* Hostnames that appeared at 11:00 PM
* Correlation with IOC data(hash, IP, filename)
Example Output:
_time agent.name host.name ip_address alert_id
2024-08-19T23:01 CompromisedAgent COMP-SERVER-01 192.168.1.101 alert_33 Step 5: Verify the Host
* Cross-check the host name identified in the logs with the information fromalert_33.pdf.
* Ensure the host name corresponds to the malicious activity noted.
The host name identified in the keyword agent.name field is: COMP-SERVER-01 Step 6: Mitigation and Response
* Isolate the Compromised Host:
* Remove the affected system from the network to prevent lateral movement.
* Conduct Forensic Analysis:
* Inspect system processes, logs, and network activity.
* Patch and Update:
* Apply security updates and patches.
* Threat Hunting:
* Look for signs of compromise in other systems using the same IOCs.
Step 7: Document and Report
* Create a detailed incident report:
* Date and Time:August 19, 2024, at 11:00 PM
* Compromised Host Name:COMP-SERVER-01
* Associated IOCs:(as per alert_33.pdf)
By following these steps, you successfully identify the compromised host and take initial steps to contain and investigate the incident. Let me know if you need further assistance!
Which of the following controls would BEST prevent an attacker from accessing sensitive data from files or disk images that have been obtained either physically or via the network?
Correct Answer: A Vote an answer
Explanation: Only visible for PassTestking members. You can sign-up / login (it's free).