Account for instability is correct because unreliable network conditions can impact scan accuracy and lead to inconsistent results. Accept the most recent scan is incorrect because it may still be inaccurate. Ignore inconsistent hosts is incorrect because they may be valid targets. Escalate immediately is incorrect because further validation is needed. OBJ. 3.2

OBJ 5.2: After obtaining credentials with Mimikatz, Frank should use these credentials to establish connections, such as remote desktop to other machines within the network. This approach allows him to move laterally and assess the security measures in place on other systems. Disabling antivirus software, installing/using programs such as Mimikatz on every machine, or randomly selecting machines without first using the gathered credentials are not appropriate next steps as the actions and could lead to unnecessary detection, disruption, or incomplete assessment of the network's security posture. OBJ. 5.2

OBJ 5.3: Alternate data streams (ADS) allow you to hide data within a file without changing its attributes, making it a useful technique for evading detection. Text storage sites and virtual drive mounting do not offer the same stealth capabilities for hiding data within another file's structure. File system tunneling is not the correct method for this particular purpose. OBJ. 5.3

You should accept the risk if the residual risk is low enough is correct because in risk management it is often impossible to eliminate all vulnerabilities, so organizations typically mitigate risk to an acceptable level and then formally accept the remaining residual risk if it falls within the organization’s risk tolerance. You should continue to apply additional controls until there is zero risk is incorrect because eliminating all risk is rarely achievable and attempting to do so is impractical and cost-prohibitive in most real-world environments. You should remove the current controls since they are not completely effective is incorrect because removing existing mitigations would increase the organization’s exposure and make exploitation easier. You should ignore any remaining risk is incorrect because residual risk must always be documented and formally accepted or further mitigated rather than disregarded. OBJ. 1.1

Urgency is focused on the element of time. An attacker encourages the victim to act quickly, which often leads to them making security mistakes. Urgency is related to scarcity, and the two are often effectively used together. Scarcity is used to create a fear in a person of missing out on a special deal or offer. This technique is used in advertising all the time, such as "supplies are limited," "only available for the next 4 hours", and other such artificial limitations being used. Authority is used to take advantage of people's willingness to act when directed to by someone with the power or right to give orders. For example, an attacker may pose as a police officer, government agent, or high-level executive to force an employee to take some form of action, whether it is ethically dubious or counter to their interests. OBJ. 4.8

JSON is an open standard data encoding format of data representation that can be used and manipulated easily with scripts. It is designed to be human-readable and machine-processable. It is based on JavaScript concepts but is entirely script and language-independent. This excerpt is a JSON object used by the STIX protocol to convey threat information. STIX (Structured Threat Information eXpression) is a standardized XML programming language for conveying data about cybersecurity threats in a common language that can be easily understood by humans and security technologies. A comma-separated value (CSV) file is a file where entries are separated by commas. CSV files were originally used as an export from spreadsheets but have since become a very popular way to import and export data. A key-value pair is made of a key name and a value of that key separated by a colon(:), such as type:intrusion-set. An array is a data structure consisting of a collection of elements, each identified by at least one array index or key. In the JSON data structure shown, there are multiple arrays and key-value pairs included, but the overall data structure is JSON formatted making it the better answer. OBJ. 2.3

OBJ 1.5: Transport Layer Security (TLS) is a widely adopted security protocol designed to facilitate privacy and data security for communications over the internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website. TLS was developed in 1999 as SSLv3.1, but its name was changed to separate itself from Netscape, which developed the original SSL protocol. Because of this history, the terms TLS and SSL are often used interchangeably. Secure Socket Layer uses three versions: SSLv1, SSLv2, and SSLv3. All of these versions of SSL are considered obsolete and insecure. OBJ. 1.5

OBJ 4.8 - Authority is used to take advantage of people's willingness to act when directed to by someone with the power or right to give orders. For example, an attacker may pose as a police officer, government agent, or high-level executive to force an employee to take some form of action, whether it is ethically dubious or counter to their interests. Scarcity is used to create a fear in a person of missing out on a special deal or offer. This technique is used in advertising all the time, such as "supplies are limited," "only available for the next 4 hours", and other such artificial limitations being used. Social proof relies on the fact that people want to fit in and conform. If a victim sees or believes others are performing some action, they will believe it is okay for them to do it. OBJ. 4.8

OBJ 4.5 - A SQL injection poses the most direct and more impactful threat to an organization's database. A SQL injection could allow the attacker to execute remote commands on the database server and lead to sensitive information disclosure. A buffer overflow attack attempts to overwrite the memory buffer to send additional data into adjacent memory locations. A buffer overflow attack might target a database server, but it isn't intended to disclose information directly. Instead, a buffer overflow attack may be used to gain initial access to a server and allow for other malicious code running. A denial of service targets the availability of the information by attempting to take the server offline. A cross-site scripting attack typically is focused on the user, not the server or database. OBJ. 4.5 

Use -gt to check if the number of open ports is greater than the limit is correct because -gt is the Bash numeric comparison operator for “greater than,” ensuring the alert triggers only when the open port count exceeds the predefined threshold, which supports attack surface prioritization. Use -eq is incorrect because it only evaluates true when the values are exactly equal and would not detect when the count surpasses the limit. Use -le is incorrect because it checks for values less than or equal to the limit and would not trigger an alert when the port count is too high. Use -ge is incorrect because it would also trigger when the port count is exactly equal to the threshold, which does not match the requirement of exceeding the maximum limit. OBJ. 2.3