Correct answer:

Cross-site scripting attack is correct. Cross-site scripting (XSS) is a type of injection attack that leverages a user’s browser to execute malicious code that can access sensitive information in the user’s browser, such as passwords and session information. Because the malicious code resides on the site that the user accesses, it’s often difficult for the user’s browser to know that the code should not be trusted. XSS thus takes advantage of this inherent trust between browser and site to run the malicious code at the security level of the website.

Incorrect answers:

SQL injection attack is incorrect. SQL injection is an attack focused on a database in which an attacker injects arbitrary SQL commands to extract data, read files, or even escalate to remote code execution.

XML injection attack is incorrect. XML injection is a class of attacks that relies on manipulation or compromise of an application by abusing the logic of an XML parser to cause some unwanted action.

Buffer overflow attack is incorrect. Buffer overflow attacks attempt to disrupt the memory allocated for an application typically by overflowing the memory with either too much or the wrong type of data.

Correct answer:

Jump box is correct. A jump box is a specially configured machine that serves as a “jumping off” point for external users to access protected parts of a network. The intent is to keep special users from logging into a particularly important host using the same workstation they use for all other activities.

Incorrect answers:

VLAN is incorrect. A VLAN is created by using network switches to apply a tag to each frame received at a port and assigning it to a specified logical LAN.

Honeypot is incorrect. A honeypot is a machine intentionally designed to appear to be a highly valuable, yet unprotected, target, in the hopes of attracting potential attackers.

Serverless architecture is incorrect. A serverless architecture consists of an architecture facilitating specific functions provided by cloud resource. In this architecture, no physical infrastructure is needed, as those functions are provided specifically through software applications.

Correct answer:

Timestomping is correct. Timestomping is the correct term used to describe how an attacker may attempt to alter the system clock or other time mechanisms on the host to hide the details of their actions.

Incorrect answers:

Timeframing is incorrect. This is not the correct term for this process.

Timeouts is incorrect. This is not the correct term for this process.

Timeshifting is incorrect. This is not the correct term for this process.

Correct answer:

VLAN is correct. A virtual LAN (VLAN) is created by using network switches to apply a tag to each frame received at a port and assigning it to a specified logical local area network.

Incorrect answers:

Jump box is incorrect. A jump box is a specially configured machine that serves as a “jumping off” point for external users to access protected parts of a network. The intent is to keep special users from logging into a particularly important host using the same workstation they use for all other activities.

Honeypot is incorrect. A honeypot is a machine intentionally designed to appear to be a highly valuable, yet unprotected, target in the hopes of attracting potential attackers.

Serverless architecture is incorrect. A serverless architecture consists of an architecture facilitating specific functions provided by cloud resources. In this architecture, no physical infrastructure is needed, as those functions are provided specifically through software applications.

Correct answer:

Guest is correct. The Guest account is a Windows 10 local account that enables unauthenticated network users to log on without a password. For security purposes, you should disable the Guest account whenever possible to force all network users to authenticate before being able to access resources on the host.

Incorrect answers:

Administrator is incorrect. The administrator account must have a password and does not allow unauthenticated access.

Backup operators is incorrect. Backup operators is a group, versus a single account, and does not allow unauthenticated access by default.

Users is incorrect. Users is a local group, not an account, and does not allow unauthenticated access to the host by default.

Correct answer:

Workflow orchestration is correct. Workflow orchestration is a general term referring to the overarching integration and management of automated tools, processes, and activities under one centralized management umbrella.

Incorrect answers:

SIEM is incorrect. Security information and event management (SIEM) refers to the technologies involved in collecting disparate data from multiple infrastructure sources and ingesting and aggregating that data for correlation and analysis.

UEBA is incorrect. User and entity behavioral analytics (UEBA) is the process of observing user and entity behaviors for the purposes of baselining those behaviors and detecting anomalous behaviors that do not conform to the normal baseline developed.

Integrated intelligence is incorrect. Integrated intelligence refers to the cyclic relationship between threat intelligence sources and threat hunting.

Correct answer:

Fileless malware is correct. Fileless malware is written directly to memory without the need for a file on a disk. This makes it extremely difficult to detect and perform forensics procedures.

Incorrect answers:

Rootkit is incorrect. A rootkit uses compromised system files.

Memory malware is incorrect. This is not the correct term for this type of malware.

Trojan is incorrect. A Trojan compromises files with a malicious payload.

Correct answer:

Agent-based scan is correct. An agent-based scan uses an agent that resides on the network host and performs the scan but sends the results only to a centralized server. This limits the amount of traffic that must go back and forth between the scanning server and the scanned network host.

Incorrect answers:

Credentialed scan is incorrect. A credentialed scan is used to elicit more detail about vulnerabilities from a host, but it typically has nothing to do with the amount of network traffic that is passed between the scanning server and the network hosts.

Server-based scan is incorrect. A server-based scan sends a large amount of traffic back and forth between the server and the host, since the scan is essentially conducted from the server.

Noncredentialed scan is incorrect. A noncredentialed scan limits the amount of detail obtained from a host during a vulnerability scan but is not used to reduce network traffic between the host and the network server.

Correct answer:

Improved detection capabilities is correct. While the other options can assist you in threat hunting, improving your ability to detect threats has the most direct effect on your efforts to hunt and locate threats in your network. As part of your threat-hunting efforts, detection capabilities will likely improve since you will need them to increase your threat-hunting capability.

Incorrect answers:

Improved threat modeling is incorrect. Improved threat modeling can certainly assist in threat-hunting efforts, but detection capabilities will help you the most in locating threats on your infrastructure.

Additional network infrastructure dedicated to security is incorrect. Additional security infrastructure will assist you in threat-hunting efforts, but improved detection capabilities will most directly affect your ability to locate threats on your particular infrastructure.

Improved threat intelligence is incorrect. Improved threat intelligence can assist you in your threat-hunting efforts, but improved detection capabilities will directly help you the most when attempting to locate threats on your infrastructure.

Correct answer:

Segmentation, isolation, and removal is correct. These are all viable options during the containment phase of the incident response lifecycle. The idea is to separate the attack and the attacker from the asset in some way.

Incorrect answers:

Segmentation, isolation, and restoration is incorrect. Restoration is not part of the containment process.

Elimination, isolation, and sanitization is incorrect. Elimination and sanitization are not part of the containment process.

Segmentation, sanitization, and reconstruction is incorrect. Sanitization and reconstruction are not part of the containment process.