
Free Practice Questions for Cisco 200-201 Exam

Pass4Future also provides interactive practice exam software for preparing effectively for the Cisco Understanding Cisco Cybersecurity Operations Fundamentals (200-201) exam. You are welcome to explore the sample free Cisco 200-201 exam questions below and to try the Cisco 200-201 practice test software.

Page:    1 / 14   
Total 451 questions

Question 1

Refer to exhibit.

An engineer is investigating an intrusion and is analyzing the pcap file. Which two key elements must the engineer consider? (Choose two.)



Answer : B, D

The exhibit shows a pcap file capturing multiple TCP SYN packets directed at the same destination IP address.

High volume of SYN packets with very little variance in time: This pattern is indicative of a SYN flood attack, a type of Denial of Service (DoS) attack where numerous SYN requests are sent to overwhelm the target system.

SYN packets acknowledged from several source IP addresses: This can be indicative of a Distributed Denial of Service (DDoS) attack where multiple compromised hosts (botnet) are used to generate traffic.

These characteristics suggest that the network is under a SYN flood or DDoS attack, aiming to exhaust the target's resources and disrupt service availability.


Understanding SYN Flood Attacks

Analysis of DDoS Attack Patterns

Wireshark Analysis Techniques for Intrusion Detection

Question 2

Which statement describes indicators of attack?



Answer : A

Indicators of Attack (IoA) refer to observable behaviors or artifacts that suggest a security breach or ongoing attack.

When internal hosts communicate with countries outside the business range, it may indicate data exfiltration or command-and-control communication to an external threat actor.

Unlike Indicators of Compromise (IoC) which indicate that a system has already been compromised, IoAs are often used to identify malicious activity in its early stages.

Monitoring for unusual outbound connections is a crucial aspect of detecting advanced persistent threats (APTs) and other sophisticated attacks.


Difference Between Indicators of Compromise and Indicators of Attack

Cyber Threat Detection Using Indicators of Attack

Network Monitoring for Anomalous Behavior

Question 3

How is SQL injection prevented?



Answer : B

SQL injection is a type of injection attack where malicious SQL statements are inserted into an entry field for execution.

The primary way to prevent SQL injection is by validating and sanitizing user input. This involves checking the input for malicious content and ensuring it adheres to expected patterns.

Prepared statements (parameterized queries) are also highly effective, as they treat user input as data rather than executable code.

Implementing these practices ensures that any input received from users does not manipulate SQL queries in a harmful way.
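As an added example (not code from the original page or from Cisco), assuming a constructed in-memory SQLite `users` table: the string-concatenated query that SQL injection abuses, beside the input-validated and parameterized versions the explanation recommends.

```python
import re
import sqlite3

def build_db() -> sqlite3.Connection:
    # Constructed sample data for the demonstration; not from the original page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "analyst"), ("bob", "admin")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable form: user input is spliced into the SQL text, so a crafted
    # value can change the meaning of the WHERE clause. Shown only so the
    # safe versions below have something to be compared against.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # Prepared statement: the driver binds the value as data, never as SQL,
    # so the same crafted value simply matches no row.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Hypothetical username policy assumed for this example: lowercase letter
# followed by up to 31 lowercase letters, digits or underscores.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")

def validate_username(username: str) -> str:
    # Input validation: reject anything that does not fit the expected pattern
    # before it reaches the database layer at all.
    if USERNAME_RE.fullmatch(username) is None:
        raise ValueError("invalid username")
    return username

def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Both controls together: validate the input, then bind it as a parameter.
    return lookup_parameterized(conn, validate_username(username))
```

Running `lookup_vulnerable` with a value that closes the quote and appends a tautology returns every row, while `lookup_parameterized` returns none and `lookup_safe` rejects the value outright.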


OWASP SQL Injection Prevention Cheat Sheet

Best Practices for Input Validation and Sanitization

Secure Coding Guidelines

Question 4

A member of the SOC team is checking the dashboard provided by the Cisco Firepower Manager for further isolation actions. According to NIST SP800-61, in which phase of incident response is this action?



Answer : D

According to NIST SP800-61, the incident response lifecycle consists of four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity.

When a SOC team member checks the Cisco Firepower Manager dashboard for further isolation actions, they are working within the Containment, Eradication, and Recovery phase.

This phase focuses on removing the threat from the environment and recovering affected systems to normal operations.


NIST SP800-61 Computer Security Incident Handling Guide

Incident Response Phases Explained

Role of SOC in Incident Response

Question 5

Which action matches the weaponization step of the Cyber Kill Chain Model?



Answer : A

The weaponization step in the Cyber Kill Chain Model involves the creation or use of a specific weapon (malware, exploit) designed to leverage a vulnerability.

This phase follows the reconnaissance phase where the attacker gathers information and precedes the delivery phase where the weapon is delivered to the target.

Developing specific malware to exploit a vulnerable server is a precise example of weaponization.


Lockheed Martin Cyber Kill Chain Model

Understanding the Weaponization Phase in Cyber Attacks

Steps in the Cyber Kill Chain
