CCNA Cyber Ops FAQ: Intrusion Event Categories
Q1. Which of the following is not true about the Diamond Model of Intrusion?
A. Adversaries use an infrastructure or capability to access a victim.
B. Meta-features are not a required component of the Diamond Model.
C. Technology and social metadata features establish connections between relations.
D. A diamond represents a single event.
Q2. Which of the following is a false statement about activity threads in the Diamond Model?
A. Activity threads are the relationship between diamonds.
B. Activity threads can spread across to other attacks.
C. Activity threads can involve more than one victim.
D. Activity threads are possible attacks the attacker could use against the victim.
Q3. An activity-attack graph is useful for determining which of the following?
A. Logging attacks seen by an adversary
B. Highlighting the attacker’s preferences for attacking the victim as well as alternative paths that could be used
C. Developing reactive but not proactive security planning
D. An alternative to threat intelligence
Q4. Which of the following is not a step in the kill chain?
D. Data exfiltration
Q5. What is the difference between delivery and exploitation according to the kill chain?
A. Delivery is how the attacker communicates with the victim whereas exploitation is the attack used against the victim.
B. Exploitation is an example of a delivery step in the kill chain.
C. Exploitation and delivery are different names for the same step.
D. Delivery is how the attack is delivered whereas exploitation is the type of attack.
Q6. Which of the following is not an example of reconnaissance?
A. Searching the robots.txt file
B. Redirecting users to a source and scanning traffic to learn about the target
C. Scanning without completing the three-way handshake
D. Communicating over social media
Q7. Which of the following is the best explanation of the command and control phase of the kill chain?
A. When the compromised system opens ports for communication
B. When the attacker accesses the breached network using a keyboard
C. When the malware reaches back to a remote server for instructions
D. When the attacker breaches a network
Q8. Which of the following is an example of an action step from the kill chain?
A. Attacking another target
B. Taking data off the network
C. Listening to traffic inside the network
D. All of the above
Q9. Which of the following is the best explanation of early detection of threats in the kill chain?
A. Starting analysis at the reconnaissance phase to begin detection at the weaponization phase
B. Starting analysis at the delivery phase to begin detection at the exploitation phase
C. Starting analysis at the reconnaissance phase to begin detection at the delivery phase
D. Starting analysis at the exploitation phase to begin detection at the installation phase
Q10. Which of the following is a true statement?
A. Firewalls are best for detecting insider threats.
B. Behavior-based technologies are best for detecting insider threats.
C. Antivirus is effective for detecting known threats.
D. Insider threats are best detected with signature-based security.
Q11. Which of the following is not an example of weaponization?
A. Connecting to a command and control server
B. Wrapping software with a RAT
C. Creating a backdoor in an application
D. Developing an automated script to inject commands on a USB device
Q12. Which of the following steps in the kill chain would come before the others?
Q13. Which is true regarding the difference between Installation and Command and Control?
A. Installation does not provide keyboard access to the attacker
B. Installation is a form of exploitation
C. Command and Control comes prior to Installation
D. Command and Control is the final step of the kill chain
Q14. Which of the following is not an example of a capability in the Diamond Model?
A. Hacker tools
B. Exploit kits
Q15. Which of the following statements would represent the delivery stage of a ransomware attack?
A. The ransomware encrypts the hard drive.
B. Ransomware is pushed onto a system through an exploit.
C. The user connects to a malicious website that attacks the system.
D. The exploit page identifies a vulnerability and launches an attack.
Q16. Which statement is true about the C2 stage of an attack?
A. The malware post-compromise phoning back to the attacker is the C2 stage.
B. The attacker accesses the internal network through a breached system.
C. The attacker pivots inside the network.
D. The attacker connects to another internal system inside the breached network.
Q17. Which is a false statement about the Diamond Model?
A. Lines in the Diamond Model represent how the attacker reaches the victim.
B. Diamonds represent an adversary, victim, capability, and infrastructure.
C. Diamonds can be grouped together, known as activity threads.
D. Meta-features provide useful context and are core to the model.
Q18. What is the main value of activity-attack graphs?
A. Used to make security product purchasing decisions
B. To predict future attacks
C. An alternative to threat intelligence
D. To map out an attacker’s attack history
Q19. Which technology would not be considered part of the “during” phase of the Cisco BDA model?
B. Intrusion prevention
C. Application layer firewall threat detection
D. Port security
Q20. Which of the following is not a metadata feature of the Diamond Model?