200-201 Exam Dumps - Cisco CyberOps Associate Questions and Answers

The purpose of command and control (C&C) for network-aware malware is to allow an attacker to remotely control compromised systems. This includes sending commands to the malware, receiving data from the infected host, and updating the malware to evade detection or enhance its capabilities.

The CBROPS course materials cover the topic of network-aware malware and the role of command and control servers in managing such malware

The ‘detection and analysis’ phase of incident response includes identifying all hosts affected by an attack. This step involves analyzing the scope of the incident, determining which systems and data are impacted, and understanding the nature of the attack to inform subsequent containment and eradication efforts45.

References :=

CrowdStrike’s overview of incident response frameworks and steps4.

VCEGuide’s explanation of incident response steps

SQL injection is a type of vulnerability that allows an attacker to execute malicious SQL statements on a database server. This can result in reading, writing, or erasing information from the database, as well as bypassing authentication, executing commands, or compromising the server. SQL injection exploits the lack of input validation or output encoding in web applications that interact with databases. References := Cisco Cybersecurity Operations Fundamentals, Module 1: Security Concepts, Lesson 1.3:Common Network Application Operations and Attacks, Topic 1.3.2: Web Application Attacks

When a server is experiencing heavy CPU and memory load, the initial step is to identify the processes consuming the most resources. The command “ps -ef” provides a detailed view of all running processes, including their IDs, CPU, and memory usage, which helps in pinpointing the resource-intensive processes1234. References: This approach is supportedby various resources on server management and troubleshooting, which recommend using the “ps -ef” command as a starting point for investigating high resource usage on servers

A file hash is a unique identifier that is used to detect a specific file. It is generated by running a file through a cryptographic hash function, which produces a string of characters that represents the contents of the file. If even a single bit in the file changes, the resulting hash will be different, making it an effective way to identify files uniquely.

The source IP address from an audit log that indicates a session which may have exploited a vulnerability is considered corroborative evidence. This type of evidence supports other evidence that suggests a security breach occurred. In the context of cybersecurity, corroborative evidence can help establish that an attack was carried out and can be used in conjunction with other data points to build a case during an investigation.

References := The Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) training material discusses the types of data needed to investigate security incidents, which includes understanding the role of different types of evidence in building a security incident case1.

Persistence mechanisms allow attackers to maintain access to a compromised system across reboots, logoffs, or security events. In Windows environments, two of the most common and well-documented persistence techniques involve Registry Run keys and scheduled tasks.

The exhibit highlights several indicators of compromise, including new Registry entries under the Run key and newly created scheduled tasks that execute during non-business hours. Registry Run keys enable programs to execute automatically when the system or user starts, making them a frequent target for malware and attackers seeking long-term access. Similarly, Task Scheduler allows attackers to execute malicious code at predefined times or events, often designed to evade detection.

Analyzing both the Windows Registry changes and Task Scheduler tasks directly targets these persistence mechanisms. This aligns with host-based analysis best practices, which prioritize startup execution points and scheduled execution artifacts when persistence is suspected.

The other options are incomplete or misaligned. Windows Defender status and login attempts may indicate security tampering or brute-force activity, but they do not directly reveal persistence techniques. User account logins alone do not explain automated re-execution of malicious code, and deleting Run keys without full analysis risks destroying forensic evidence.

Therefore, focusing on Registry changes and Task Scheduler tasks provides the most accurate and operationally sound method for uncovering attacker persistence.