Correct answer:

Data type is correct. Data type is the most important factor in determining data criticality during an incident, since the type of data relates to the focus of the data, such as personally identifiable information, protected health data, financial data, and so on. These data types are protected under the law, and the organization could incur serious criminal or civil liabilities in the event of a data breach.

Incorrect answers:

Age of data is incorrect. The age of the data is not as important a factor as the type of data involved, since regardless of age, the type of data the organization possesses could be protected under certain laws and regulations.

Volume of data is incorrect. The volume or amount of the data is not as important a factor as the type of data involved, since regardless of how much data the organization has, the type of data the organization possesses could be protected under certain laws and regulations.

Business impact is incorrect. The business impact of the data is not as important a factor as the type of data involved, since regardless of how data impacts the business, the type of data the organization possesses could be protected under certain laws and regulations.

Correct answer:

-ano is correct. On a Windows host, the command netstat -ano can show you network connection sockets mapped to running processes, enabling you to determine whether some processes are making unusual network connections that might indicate they are malicious in nature.

Incorrect answers:

-nap is incorrect. On Linux hosts, the command netstat -nap shows network connection sockets mapped to processes.

-v is incorrect. On macOS hosts, the command netstat -v shows network connection sockets mapped to processes.

-a is incorrect. On Windows hosts, the command nbtstat -a shows NetBIOS over TCP IP information for the host.

Correct answers:

Threat intelligence sources provide attacker information to threat hunters, which in return provide feedback to threat intelligence sources on the accuracy of that information is correct. Integrated intelligence comes from a reciprocal relationship between threat intelligence sources and threat-hunting teams. Threat intelligence sources provide attacker information such as tactics, techniques, and procedures and other attacker behaviors and characteristics to threat hunters. Threat hunters, in return, provide feedback to threat intelligence sources on the effectiveness, relevance, and accuracy of that information.

Incorrect answers:

Threat-hunting teams provide attacker information to threat intelligence sources, which in return provide feedback to threat-hunting teams on the accuracy of that information is incorrect. This is the opposite of the services and relationship between threat intelligence sources and threat-hunter teams.

Threat intelligence sources and threat-hunting teams are dedicated to separate efforts and do not typically engage with each other is incorrect. Threat intelligence sources and threat-hunting teams are engaged in similar efforts and provide each other information and feedback, hence the term integrated intelligence.

Threat intelligence sources and threat-hunting teams are essentially the same and are already integrated is incorrect. Threat intelligence sources and threat-hunting teams are not the same, although they perform similar, complementary functions.

Correct answer:

Asset inventory is correct. You cannot secure your infrastructure unless you know what is connected to it; without a complete asset inventory, you will not be able to manage threats and vulnerabilities for those assets, since you will not be aware of their characteristics, vulnerabilities, and threats that may exercise those vulnerabilities.

Incorrect answers:

Privilege control is incorrect. Privilege control is of great importance, but it is not the number one control in the CIS Controls; you cannot manage privileges unless you know what assets you need to manage privileges on.

Vulnerability assessment is incorrect. Vulnerability assessment is very important; however, you cannot manage vulnerabilities if you do not have a comprehensive list of what assets you have that you should be looking at for vulnerabilities.

Threat modeling is incorrect. You cannot accurately model threats unless you know what assets those threats may affect. Threat modeling is not number one on the list of CIS Controls.

Correct answer:

Threat intelligence value, crime scene evidence, and ability to restore is correct. The decision to remove an asset must be balanced with the value of the threat intelligence you would gain from leaving the asset on the network, the possibility of disturbing or obliterating crime scene evidence, and your ability to restore it.

Incorrect answers:

Ease of attack, ease of remediation, data criticality is incorrect. Ease of attack, ease of remediation, and data criticality should have no bearing on the decision to remove a system from the network. Even if the attack seems to be easy for the attacker and the remediation is easy, removing an asset from the network could disturb valuable threat intelligence or crime scene evidence. Data criticality may be one reason to remove the asset, but segmenting it or isolating it would likely be better choices.

Data criticality, cost of asset, level of attack incurred on the asset is incorrect. Data criticality, cost of asset, level of attack incurred on the asset are all reasons to segment or isolate an asset, not remove it and possibly eliminate valuable threat intelligence or evidence.

Discovered vulnerabilities on the asset, cost of asset, ability to restore asset is incorrect. Vulnerabilities on the asset are not affected by removing it; those vulnerabilities should have been already mitigated in some way. The cost of the asset or the ability to restore it also does not affect its removal; cost and restorability are even better reasons to segment or isolate the asset.

Correct answer:

Historical analysis is correct. Historical analysis is a form of temporal analysis that enables you to look at data collected over a previous period to explain historical events. This can help you predict future events as well or determine causes for events that can be remediated.

Incorrect answers:

Heuristics analysis is incorrect. Heuristics is a type of analysis that looks at known characteristics, such as those of malware, and attempts to make the best guess based upon experience with those characteristics. It is useful when there is no known pattern for comparison or baseline for behavioral analysis.

Spatial analysis is incorrect. Spatial analysis looks at data collected from various logical or geographical locations to look for trends that may be specific to those locations.

Trend analysis is incorrect. Trend analysis is an overarching term for data analysis that may give clues as to previous or future behaviors or yield insight into events at different locations or events having other characteristics.

Correct answer:

Sinkholing is correct. Sinkholing is a technique used to mitigate malicious and abusive traffic by routing it to an internal server or dropping it altogether. Sinkholing provides a response to a DNS query that does not resolve to the actual IP address. The difference, however, is that DNS sinkholes target the addresses for known malicious domains, such as those associated with a botnet, and return an IP address that does not resolve correctly or that is defined by the administrator.

Incorrect answers:

Funneling is incorrect. This is not the correct term that describes this technique.

Tunneling is incorrect. Tunneling is used to encrypt traffic to a trusted network through an untrusted network. This technique is used in virtual private networks.

Corrupting is incorrect. This is not the correct term that describes this technique.

Correct answer:

Persistence is correct. Once an attacker establishes an initial presence on the system, they will most likely engage in tactics that enable them to maintain long-term access to a target system so they can complete additional attack steps.

Incorrect answers:

Collection is incorrect. Data collection is an activity they are most likely to engage in after they have completed other steps, such as establishing persistence on the system.

Lateral movement is incorrect. Lateral movement is an attack step an adversary is most likely to take after they have established persistence on the system, in the event they are detected.

Privilege escalation is incorrect. Privilege escalation is a step an attacker may take after they have established a longer term persistence on the system, in case they are discovered, so they can maintain their access.

Correct answer:

Preparation, detection and analysis, containment, eradication and recovery, post-incident activities is correct. The correct sequence incident response cycle is preparation, detection and analysis, containment, eradication and recovery, post-incident activities.

Incorrect answers:

Preparation, containment, detection and analysis, eradication and recovery, post-incident activities is incorrect. This is not the correct sequence for the incident response cycle.

Preparation, eradication and recovery, detection and analysis, containment, post-incident activities is incorrect. This is not the correct sequence for the incident response cycle.

Preparation, detection and analysis, eradication and recovery, containment, post-incident activities is incorrect. This is not the correct sequence for the incident response cycle.

Correct answer:

Administrative/managerial controls is correct. Administrative controls, sometimes referred to as managerial controls, are put in place by management and consist of policies, procedures, and other written directives.

Incorrect answers:

Physical/operational controls is incorrect. Physical/operational controls protect facilities, people, and resources.

Technical/logical controls is incorrect. Technical or logical controls use technology components, such as hardware and software, to protect systems and data.

Preventative controls is incorrect. Preventative controls are not a type of control, but a control function. Preventative controls can span administrative, technical, and physical control types.