350-201 Exam Dumps - Performing CyberOps Using Core Security Technologies (CBRCOR)

 To review packet overviews of SNORT alerts without including all the packet headers, which can result in excessively large files, the engineer should modify the output module rule to use the “alert_fast” option. This option allows SNORT to log alerts in a ‘fast’ format, which includes the timestamp, alert message, and the IP addresses and ports involved, but omits the packet headers. The correct syntax for this action would be output alert_fast: output filename, where ‘filename’ is the desired name for the alert log file.

The file in question indicates a DOS MZ executable format. The MZ signature at the beginning of the file (as seen in the hexadecimal representation) is characteristic of an executable file format for DOS. This signature, combined with the text “This program cannot be run in DOS mode,” which is typically included as a message in DOS MZ executables to be displayed when they are run in a non-DOS environment, confirms that the file is a DOS MZ executable.

While this format can be used for Windows executables as well (as they may start with a DOS MZ header for backward compatibility), the presence of the MZ header is a clear indicator of the DOS MZ executable format. The other options, such as an MS-DOS executable archive or archived malware, are less specific and do not directly relate to the evidence presented in the file’s resources. A Windows executable file would also have a DOS MZ header, but thequestion specifically asks about the indication from examining the file’s resources, which points to the DOS MZ format. Therefore, the most accurate answer is A. a DOS MZ executable format.

Hardening machine images for deployment reduces the attack surface by eliminating unnecessary services, closing open network ports, removing unused software, and applying security configurations. This process minimizes the number of potential vulnerabilities that can be exploited by attackers3.

Cisco Rapid Threat Containment integrates Cisco Secure Network Analytics (Stealthwatch) and ISE to detect malware-infected endpoints. The telemetry feeds that were correlated with the Stealthwatch Management Console (SMC) to identify the malware are NetFlow and event data. NetFlow provides visibility into network traffic patterns and volumes, while event data includes logs and alerts generated by network devices and security systems. Together, these feeds enable the SMC to analyze network behavior and identify potential threats, leading to the quarantine of the infected endpoint.

References:

Cisco Secure Network Analytics (Stealthwatch) documentation would detail the types of telemetry feeds used for threat detection.

Cisco Identity Services Engine (ISE) documentation would explain how Adaptive Network Control policies are applied to respond to detected threats.

The STIX (Structured Threat Information eXpression) provided in the exhibit indicates a risk associated with a file that redirects users to a malicious website. The code snippet shows an HTTP request being made to a URL known fordistributing ransomware. This type of threat involves tricking users into downloading and executing malicious software that encrypts their files and then demands payment for decryption. The static analysis of the file’s behavior, as shown in the code, supports the conclusion that the file poses a risk of ransomware infection1.

References:

Cisco CyberOps Using Core Security Technologies documentation.

Understanding Cisco CyberOps Using Core Security Technologies from Cisco’s official training and certifications resources.

Foundation Topics > Security Principles | Cisco Press1.

Conducting Forensic Analysis and Incident Response Using Cisco Technologies for CyberOps (CBRFIR) v1.02.

CBRFIR Exam Topics - Cisco Learning Network

When dealing with an outdated application in a private VLAN, the IPS should be tuned to allow list only authorized hosts to contact the application’s IP at a specific port. This ensures that only known and trusted entities can communicate with the application, reducing the risk of unauthorized access or data leakage3.

The behaviors that triggered the User and Entity Behavior Analytics (UEBA) are the employee logging in during non-working hours and from a first-seen country. UEBA systems are designed to detect anomalies in user behavior that could indicate security threats. Logging in from a new location, especially during unusual hours, deviates from the user’s typical behavior patterns and raises flags about potential unauthorized access or compromised credentials.

 According to the NIST incident handling guide, the steps for handling an incident include preparation, detection and analysis, containment, eradication, recovery, and post-incident activity12. In the scenario described, the incident response team has detected the malware, eradicated it by removing the malware, and recovered by restoring the functionality and data of infected systems. However, the step of containment, which should occur before eradication and recovery to prevent the spread of malware and further damage, appears to have been missed. Containment strategies are crucial to limit the scope and magnitude of an incident1.

References :=

NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide1

NIST Incident Response: Your Go-To Guide to Handling Cybersecurity2