CCNA Cyber Ops FAQ: Intrusion Event Categories

Q1. Which of the following is not true about the Diamond Model of Intrusion?
A. Adversaries use an infrastructure or capability to access a victim.

B. Meta-features are not a required component of the Diamond Model.

C. Technology and social metadata features establish connections between relations.

D. A diamond represents a single event.

Answer: A. Adversaries must use both some form of infrastructure and the capability to access the victim.

Q2. Which of the following is a false statement about activity threads in the Diamond Model?
A. Activity threads are the relationship between diamonds.
B. Activity threads can spread across to other attacks.
C. Activity threads can involve more than one victim.
D. Activity threads are possible attacks the attacker could use against the victim.

Answer: D. Activity threads represent attacks that the attacker has already used.

Q3. An activity-attack graph is useful for determining which of the following?
A. Logging attacks seen by an adversary

B. Highlighting the attacker’s preferences for attacking the victim as well as alternative paths that could be used

C. Developing reactive but not proactive security planning

D. An alternative to threat intelligence

Answer: B. Answer B defines what an activity-attack graph is best for. Answers A and C lack the proactive planning value offered by activity-attack graphs. Answer D is simply incorrect.

Q4. Which of the following is not a step in the kill chain?
A. Weaponization
B. C2
C. Installation
D. Data exfiltration

Answer: D. The final step is “action.” One example of an action could be to remove data. Action is not a required step of an attack and not part of the kill chain. For example, an attacker’s goal could be to take down the network from within.

Q5. What is the difference between delivery and exploitation according to the kill chain?
A. Delivery is how the attacker communicates with the victim whereas exploitation is the attack used against the victim.

B. Exploitation is an example of a delivery step in the kill chain.

C. Exploitation and delivery are different names for the same step.

D. Delivery is how the attack is delivered whereas exploitation is the type of attack.

Answer: A. Although answer D is close, answer A provides the best definition. Delivery is how the attacker communicates while exploitation is the attacker taking advantage of a vulnerability.

Q6. Which of the following is not an example of reconnaissance?
A. Searching the robots.txt file
B. Redirecting users to a source and scanning traffic to learn about the target
C. Scanning without completing the three-way handshake
D. Communicating over social media

Answer: B. This is a man-in-the-middle attack and is something done as an attack, not as research.

Q7. Which of the following is the best explanation of the command and control phase of the kill chain?
A. When the compromised system opens ports for communication
B. When the attacker accesses the breached network using a keyboard
C. When the malware reaches back to a remote server for instructions
D. When the attacker breaches a network

Answer: B. The command and control (C2) stage is best defined as when the attacker completes the delivery of the attack and now can access the breached network.

Q8. Which of the following is an example of an action step from the kill chain?
A. Attacking another target
B. Taking data off the network
C. Listening to traffic inside the network
D. All of the above

Answer: D. Attacking internal targets or stealing data could be goals. Sometimes listening to traffic is the goal. For example, hackers might breach a company and use inside information to affect stock trading decisions. This was done by a group that is believed to have made millions doing this.

Q9. Which of the following is the best explanation of early detection of threats in the kill chain?
A. Starting analysis at the reconnaissance phase to begin detection weaponization

B. Starting analysis at the delivery phase to begin detection at the exploitation phase

C. Starting analysis at the reconnaissance phase to begin detection at the delivery phase

D. Starting analysis at the exploitation phase to begin detection at the installation phase

Answer: C. It’s best to start doing analysis early so you can detect when an adversary attempts to communicate with you and then attack. Waiting for the attack is okay, but proactive measures, such as making it hard for attackers to communicate with you, are the best and earliest detection approach.

Q10. Which of the following is a true statement?
A. Firewalls are best for detecting insider threats.
B. Behavior-based technologies are best for detecting insider threats.
C. Antivirus is effective for detecting known threats.
D. Insider threats are best detected with signature-based security.

Answer: B. An insider threat could be an attacker who has breached the network and is now moving around like other users. The best approach to detect this is to look for unusual behavior, such as systems connecting to new systems for the first time, internal recon, data exfiltration, and so on.

Q11. Which of the following is not an example of weaponization?
A. Connecting to a command and control server
B. Wrapping software with a RAT
C. Creating a backdoor in an application
D. Developing an automated script to inject commands on a USB device

Answer: A. Connecting to a command and control server would be C2, not weaponization.

Q12. Which of the following steps in the kill chain would come before the others?
A. C2
B. Delivery
C. Installation
D. Exploitation

Answer: B. Delivery is the earliest option out of the choices listed.

Q13. Which is true regarding the difference between Installation and Command and Control?
A. Installation does not provide keyboard access to the attacker
B. Installation is a form of exploitation
C. Command and Control comes prior to Installation
D. Command and Control is the final step of the kill chain

Answer: A. Installation is when the malware is installed while Command and Control is when that software provides keyboard access to the attacker.

Q14. Which of the following is not an example of a capability in the Diamond Model?
A. Hacker tools
B. Exploit kits
C. Malware
D. Email

Answer: D. Email would be an infrastructure.

Q15. Which of the following statements would represent the delivery stage of a ransomware attack?
A. The ransomware encrypts the hard drive.
B. Ransomware is pushed onto a system through an exploit.
C. The user connects to a malicious website that attacks the system.
D. The exploit page identifies a vulnerability and launches an attack.

Answer: C. The user connecting to a malicious website would represent how the attack is delivered. You might think answer B is correct; however, that is how the ransomware is installed—hence, the installation stage post-exploitation.

Q16. Which statement is true about the C2 stage of an attack?
A. The malware post-compromise phoning back to the attacker is the C2 stage.

B. The attacker accesses the internal network through a breached system.

C. The attacker pivots inside the network.

D. The attacker connects to another internal system inside the breached network.

Answer: B. The attacker accessing the internal network through a breached system is an example of C2. Answers C and D are actions that happen after the attacker gets network access. Answer A doesn’t give the attacker keyboard access yet.

Q17. Which is a false statement about the Diamond Model?
A. Lines in the Diamond Model represent how the attacker reaches the victim.
B. Diamonds represent an adversary, victim, capability, and infrastructure.
C. Diamonds can be grouped together, known as activity threads.
D. Meta-features provide useful context and are core to the model.

Answer: D. Meta-features are not required.

Q18. What is the main value of activity-attack graphs?
A. Used to make security product purchasing decisions
B. To predict future attacks
C. An alternative to threat intelligence
D. To map out an attacker’s attack history

Answer: A. Activity-attack graphs are good for both current and future attack data. That data, however, is always changing and wouldn’t typically represent a single product that is needed for purchase. Deciding what to purchase would require more than this type of information.

Q19. Which technology would not be considered part of the “during” phase of the Cisco BDA model?
A. Antivirus
B. Intrusion prevention
C. Application layer firewall threat detection
D. Port security

Answer: D. Port security would be more of a “before” technology. It involves preventing attackers from having the chance to attack the network by physically plugging in an unauthorized device.

Q20. Which of the following is not a metadata feature of the Diamond Model?
A. Direction
B. Result
C. Devices
D. Resources

Answer: C. Devices are the victim, or what is attacked. Direction is additional data about delivery. Result is extra data about the attack. Resources provide more details about what is being used to attack the victim.

About the author

Scott

Leave a Comment