300-215 Conducting Forensic Analysis and Incident Response Using Cisco CyberOps Technologies (CBRFIR)


Question 4

An incident response team is recommending changes after analyzing a recent compromise in which:

  • a large number of events and logs were involved;

  • team members were not able to identify the anomalous behavior and escalate it in a timely manner;

  • several network systems were affected as a result of the latency in detection;

  • security engineers were able to mitigate the threat and bring systems back to a stable state; and

  • the issue reoccurred shortly after and systems became unstable again because the correct information was not gathered during the initial identification phase.

Which two recommendations should be made for improving the incident response process? (Choose two.)


  • Formalize reporting requirements and responsibilities to update management and internal stakeholders throughout the incident-handling process effectively.

  • Improve the mitigation phase to ensure causes can be quickly identified, and systems returned to a functioning state.

  • Implement an automated operation to pull systems events/logs and bring them into an organizational context.

  • Allocate additional resources for the containment phase to stabilize systems in a timely manner and reduce an attack’s breadth.

  • Modify the incident handling playbook and checklist to ensure alignment and agreement on roles, responsibilities, and steps before an incident occurs.

Question 5

A security team received reports of users receiving emails linked to external or unknown URLs that are non-returnable and non-deliverable. The ISP also reported a 500% increase in the amount of ingress and egress email traffic received. After detecting the problem, the security team moves to the recovery phase in their incident response plan. Which two actions should be taken in the recovery phase of this incident? (Choose two.)


  • verify the breadth of the attack

  • collect logs

  • request packet capture

  • remove vulnerabilities

  • scan hosts with updated signatures

Question 6

An organization uses a Windows 7 workstation for access tracking in one of their physical data centers on which a guard documents entrance/exit activities of all personnel. A server shut down unexpectedly in this data center, and a security specialist is analyzing the case. Initial checks show that the previous two days of entrance/exit logs are missing, and the guard is confident that the logs were entered on the workstation. Where should the security specialist look next to continue investigating this case?


  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ProfileList

  • HKEY_CURRENT_USER\Software\Classes\Winlog

  • HKEY_LOCAL_MACHINES\SOFTWARE\Microsoft\WindowsNT\CurrentUser