• Home
  • Articles
  • Sample Questions of CPTIA Dumps With 100% Exam Passing Guarantee [Q16-Q39]

Sample Questions of CPTIA Dumps With 100% Exam Passing Guarantee [Q16-Q39]

Share

Sample Questions of CPTIA Dumps With 100% Exam Passing Guarantee

Pass Key features of CPTIA Course with Updated 137 Questions

NEW QUESTION # 16
Which of the following port scanning techniques involves resetting the TCP connection between client and server abruptly before completion of the three-way handshake signals, making the connection half-open?

  • A. Null scan
  • B. Xmas scan
  • C. Full connect scan
  • D. Stealth scan

Answer: D

Explanation:
The port scanning technique that involves resetting the TCP connection between the client and server abruptly before the completion of the three-way handshake, thereby leaving the connection half-open, is known as a Stealth scan (also referred to as a SYN scan). This technique allows the scanner to inquire about the status of a port without establishing a full TCP connection, making the scan less detectible to intrusion detection systems and less likely to be logged by the target. It's a method used to discreetly discover open ports on a target machine without establishing a full connection that would be visible in logs.References:CREST materials often cover different types of network scanning techniques, including Stealth scans, explaining their methodologies, purposes, and how they can be detected or mitigated.


NEW QUESTION # 17
Bob, an incident responder at CyberTech Solutions, is investigating a cybercrime attack occurred in the client company. He acquired the evidence data, preserved it, and started performing analysis on acquired evidentiary data to identify the source of the crime and the culprit behind the incident.
Identify the forensic investigation phase in which Bob is currently in.

  • A. Vulnerability assessment phase
  • B. Investigation phas
  • C. Post-investigation phase
  • D. Pre-investigation phase

Answer: B

Explanation:
Bob is in the Investigation phase of the forensic investigation process. This phase involves the detailed examination and analysis of the collected evidence to identify the source of the crime and the perpetrator behind the incident. It is a crucial step that follows the acquisition and preservation of evidence, where the incident responder applies various techniques and methodologies to analyze the evidentiary data. This analysis aims to uncover how the cybercrime was committed, trace the activities of the culprit, and gather actionable intelligence to support legal actions and prevent future incidents.References:The CREST materials discuss the stages of a forensic investigation, emphasizing the investigation phase as the point at which the incident responder analyzes evidence to draw conclusions about the incident's specifics.


NEW QUESTION # 18
Miko was hired as an incident handler in XYZ company. His first task was to identify the PING sweep attempts inside the network. For this purpose, he used Wireshark to analyze the traffic. What filter did he use to identify ICMP ping sweep attempts?

  • A. udp.lype - 7
  • B. tcp.typc == icmp
  • C. icrrip.lype == icmp
  • D. icmp.type == 8 or icmp.type ==0

Answer: D

Explanation:
In Wireshark, to identify ICMP ping sweep attempts, the filtericmp.type == 8 or icmp.type ==0is used. This filter captures ICMP echo requests and echo replies, which are indicative of ping commands. Type 8 represents an echo request used when a source sends a ping, and type 0 represents an echo reply, which is the response from the target. By filtering for these ICMP types, Miko can detect a surge in ping requests across the network, which could indicate a ping sweep attempt-an exploratory activity often used by attackers to discover active hosts on a network by sending ping requests to multiple addresses.References:Incident Handler (CREST CPTIA) courses and study guides often incorporate training on using network analysis tools like Wireshark, including how to use filters to detect specific types of network activities and potential threats.


NEW QUESTION # 19
Which of the following is an attack that occurs when a malicious program causes a user's browser to perform an unwanted action on a trusted site for which the user is currently authenticated?

  • A. Cross-site request forgery
  • B. Cross-site scripting
  • C. SQL injection
  • D. Insecure direct object references

Answer: A

Explanation:
Cross-site request forgery (CSRF or XSRF) is an attack that tricks the victim's browser into executing unauthorized actions on a website where they are currently authenticated. In this scenario, the attacker exploits the trust that a site has in the user's browser, effectively forcing the browser to perform actions without the user's knowledge or consent. For example, if the user is logged into their bank's website, an attacker could craft a malicious request to transfer funds without the user's direct interaction. CSRF attacks rely on authenticated sessions and typically target state-changing requests to compromise user or application data.
References:The Certified Incident Handler (CREST CPTIA) curriculum by EC-Council discusses various web-based attacks, including CSRF, detailing their mechanisms, implications, and preventive measures to safeguard against such threats.


NEW QUESTION # 20
During the process of threat intelligence analysis, John, a threat analyst, successfully extracted an indication of adversary's information, such as Modus operandi, tools, communication channels, and forensics evasion strategies used by adversaries.
Identify the type of threat intelligence analysis is performed by John.

  • A. Technical threat intelligence analysis
  • B. Tactical threat intelligence analysis
  • C. Strategic threat intelligence analysis
  • D. Operational threat intelligence analysis

Answer: B

Explanation:
Tactical threat intelligence analysis focuses on the immediate, technical indicators of threats, such as the tactics, techniques, and procedures (TTPs) used by adversaries, their communication channels, the tools and software they utilize, and their strategies for evading forensic analysis. This type of analysis is crucial for operational defenses and is used by security teams to adjust their defenses against current threats. Since John successfully extracted information related to the adversaries' modus operandi, tools, communication channels, and evasion strategies, he is performing tactical threat intelligence analysis. This differs from strategic and operational threat intelligence, which focus on broader trends and specific operations, respectively, and from technical threat intelligence, which deals with technical indicators like malware signatures and IPs.References:
* "Tactical Cyber Intelligence," by Cyber Threat Intelligence Network, Inc.
* "Intelligence-Driven Incident Response: Outwitting the Adversary," by Scott J. Roberts and Rebekah Brown


NEW QUESTION # 21
Steve works as an analyst in a UK-based firm. He was asked to perform network monitoring to find any evidence of compromise. During the network monitoring, he came to know that there are multiple logins from different locations in a short time span. Moreover, he also observed certain irregular log in patterns from locations where the organization does not have business relations. This resembles that somebody is trying to steal confidential information.
Which of the following key indicators of compromise does this scenario present?

  • A. Unusual outbound network traffic
  • B. Geographical anomalies
  • C. Unexpected patching of systems
  • D. Unusual activity through privileged user account

Answer: B

Explanation:
The scenario described by Steve's observations, where multiple logins are occurring from different locations in a short time span, especially from locations where the organization has no business relations, points to
'Geographical anomalies' as a key indicator of compromise (IoC). Geographical anomalies in logins suggest unauthorized access attempts potentially made by attackers using compromised credentials. This is particularly suspicious when the locations of these logins do not align with the normal geographical footprint of the organization's operations or employee locations. Monitoring for such anomalies can help in the early detection of unauthorized access and potential data breaches.References:
* SANS Institute Reading Room, "Indicators of Compromise: Reality's Version of the Minority Report"
* "Identifying Indicators of Compromise" by CERT-UK


NEW QUESTION # 22
Which of the following is a technique used by attackers to make a message difficult to understand through the use of ambiguous language?

  • A. Steganography
  • B. Spoofing
  • C. Encryption
  • D. Obfuscation

Answer: D

Explanation:
Obfuscation is a technique used to make data or code difficult to understand. It is often employed by attackers to conceal the true intent of their code or communications, making it harder for security professionals, automated tools, and others to analyze or detect malicious activity. Obfuscation can involve the use of ambiguous or misleading language, as well as more technical methods such as encoding, encryption, or the use of nonsensical variable names in source code to hide its true functionality.
References:The CREST CPTIA program discusses various techniques attackers use to evade detection, including obfuscation, highlighting how it complicates the analysis and understanding of malicious payloads.


NEW QUESTION # 23
For analyzing the system, the browser data can be used to access various credentials.
Which of the following tools is used to analyze the history data files in Microsoft Edge browser?

  • A. MZHistoryView
  • B. BrowsingHistoryView
  • C. MZCacheView
  • D. ChromeHistoryView

Answer: B

Explanation:
BrowsingHistoryView is a tool designed to collect and analyze history data from various web browsers, including Microsoft Edge. It allows users to view the browsing history stored by their browsers in one unified interface. This includes URLs visited, page titles, visit times, and the number of visits to each page. While ChromeHistoryView is specific to Google Chrome, BrowsingHistoryView supports multiple browsers, making it versatile for analyzing history data across different platforms. MZCacheView and MZHistoryView do not exist as tools recognized for this purpose in the context of Microsoft Edge or other browser history analysis.References:Incident Handler (CREST CPTIA) courses and study guides emphasize the importance of using digital forensic tools, such as BrowsingHistoryView, for analyzing web browser data during investigations.


NEW QUESTION # 24
Daniel is a professional hacker whose aim is to attack a system to steal data and money for profit. He performs hacking to obtain confidential data such as social security numbers, personally identifiable information (PII) of an employee, and credit card information. After obtaining confidential data, he further sells the information on the black market to make money.
Daniel comes under which of the following types of threat actor.

  • A. Organized hackers
  • B. Industrial spies
  • C. Insider threat
  • D. State-sponsored hackers

Answer: A

Explanation:
Daniel's activities align with those typically associated with organized hackers. Organized hackers or cybercriminals work in groups with the primary goal of financial gain through illegal activities such as stealing and selling data. These groups often target large amounts of data, including personal and financial information, which they can monetize by selling on the black market or dark web. Unlike industrial spies who focuson corporate espionage or state-sponsored hackers who are backed by nation-states for political or military objectives, organized hackers are motivated by profit. Insider threats, on the other hand, come from within the organization and might not always be motivated by financial gain. The actions described in the scenario-targeting personal and financial information for sale-best fit the modus operandi of organized cybercriminal groups.References:
* ENISA (European Union Agency for Cybersecurity) Threat Landscape Report
* Verizon Data Breach Investigations Report


NEW QUESTION # 25
Which of the following options describes common characteristics of phishing emails?

  • A. Sent from friends or colleagues
  • B. No BCC fields
  • C. Written in French
  • D. Urgency, threatening, or promising subject lines

Answer: D

Explanation:
Phishing emails often share common characteristics designed to manipulate the recipient into taking immediate action. One of the hallmark features is the use of urgency, threatening language, or promising subject lines in the emails. These tactics are intended to create a sense of urgency or fear, compelling the recipient to respond quickly without giving due consideration to the legitimacy of the email. Phishing emails may claim that the recipient's account has been compromised, that they need to confirm personal information immediately, or that they have won a prize. The goal is to trick the recipient into clicking on malicious links, opening attachments, or providing sensitive information.
References:The Certified Incident Handler (CREST CPTIA) program by EC-Council covers the identification and handling of phishing incidents, including the analysis of phishing emails and the importance of educating users on recognizing and responding to phishing attempts.


NEW QUESTION # 26
What is the correct sequence of steps involved in scheduling a threat intelligence program?
1. Review the project charter
2. Identify all deliverables
3. Identify the sequence of activities
4. Identify task dependencies
5. Develop the final schedule
6. Estimate duration of each activity
7. Identify and estimate resources for all activities
8. Define all activities
9. Build a work breakdown structure (WBS)

  • A. 1-->9-->2-->8-->3-->7-->4-->6-->5
  • B. 1-->2-->3-->4-->5-->6-->7-->8-->9
  • C. 1-->2-->3-->4-->5-->6-->9-->8-->7
  • D. 3-->4-->5-->2-->1-->9-->8-->7-->6

Answer: A

Explanation:
The correct sequence for scheduling a threat intelligence program involves starting with the foundational steps of defining the project scope and objectives, followed by detailed planning and scheduling of tasks. The sequence starts with reviewing the project charter (1) to understand the project's scope, objectives, and constraints. Next, building a Work Breakdown Structure (WBS) (9) helps in organizing the team's work into manageable sections. Identifying all deliverables (2) clarifies the project's outcomes. Defining all activities (8) involves listing the tasks required to produce the deliverables. Identifying the sequence of activities (3) and estimating resources (7) and task dependencies (4) sets the groundwork for scheduling. Estimating the duration of each activity (6) is critical before developing the final schedule (5), which combines all these elements into a comprehensive plan. This approach ensures a structured and methodical progression from project initiation to execution.References:
* "A Guide to the Project Management Body of Knowledge (PMBOK Guide)," Project Management Institute
* "Cyber Intelligence-Driven Risk," by Intel471


NEW QUESTION # 27
In which of the following phases of the incident handling and response (IH&R) process is the identified security incidents analyzed, validated, categorized, and prioritized?

  • A. Incident triage
  • B. Containment
  • C. Incident recording and assignment
  • D. Notification

Answer: A

Explanation:
Incident triage is the phase in the Incident Handling and Response (IH&R) process where identified security incidents are analyzed, validated, categorized, and prioritized. This step is crucial for determining the severity of incidents and deciding on the order in which they should be addressed. During triage, incident handlers assess the impact, urgency, and potential harm of an incident to prioritize their response efforts effectively.
This ensures that resources are allocated efficiently, and the most critical incidents are handled first. Incident recording and assignment involve logging incidents and assigning them to handlers, containment focuses on limiting the extent of damage, and notification involves informing stakeholders about the incident.References:
The Incident Handler (CREST CPTIA) courses and study guides detail the IH&R process, emphasizing the importance of triage in managing and responding to security incidents effectively.


NEW QUESTION # 28
John, a professional hacker, is trying to perform APT attack on the target organization network. He gains access to a single system of a target organization and tries to obtain administrative login credentials to gain further access to the systems in the network using various techniques.
What phase of the advanced persistent threat lifecycle is John currently in?

  • A. Search and exfiltration
  • B. Initial intrusion
  • C. Expansion
  • D. Persistence

Answer: C

Explanation:
The phase described where John, after gaining initial access, is attempting to obtain administrative credentials to further access systems within the network, is known as the 'Expansion' phase of an Advanced Persistent Threat (APT) lifecycle. This phase involves the attacker expanding their foothold within the target's environment, often by escalating privileges, compromising additional systems, and moving laterally through the network. The goal is to increase control over the network and maintain persistence for ongoing access.
This phase follows the initial intrusion and sets the stage for establishing long-term presence and eventual data exfiltration or other malicious objectives.References:
* MITRE ATT&CK Framework, specifically the tactics related to Credential Access and Lateral Movement
* "APT Lifecycle: Detecting the Undetected," a whitepaper by CyberArk


NEW QUESTION # 29
In a team of threat analysts, two individuals were competing over projecting their own hypotheses on a given malware. However, to find logical proofs to confirm their hypotheses, the threat intelligence manager used a de-biasing strategy that involves learning strategic decision making in the circumstances comprising multistep interactions with numerous representatives, either having or without any perfect relevant information.
Which of the following de-biasing strategies the threat intelligence manager used to confirm their hypotheses?

  • A. Decision theory
  • B. Cognitive psychology
  • C. Game theory
  • D. Machine learning

Answer: C

Explanation:
Game theory is a mathematical framework designed for understanding strategic situations where individuals' or groups' outcomes depend on their choices and the choices of others. In the context of threat intelligence analysis, game theory can be used as a de-biasing strategy to help understand and predict the actions of adversaries and defenders. By considering the various strategies and potential outcomes in a 'game' where each player's payoff is affected by the actions of others, analysts can overcome their biases and evaluate hypotheses more objectively. This approach is particularly useful in scenarios involving multiple actors with different goals and incomplete information.References:
* "Game Theory and Its Applications in Cybersecurity" in the International Journal of Computer Science and Information Security
* "Applying Game Theory to Cybersecurity" by the SANS Institute


NEW QUESTION # 30
Alice, an analyst, shared information with security operation managers and network operations center (NOC) staff for protecting the organizational resources against various threats. Information shared by Alice was highly technical and include threat actor TTPs, malware campaigns, tools used by threat actors, and so on.
Which of the following types of threat intelligence was shared by Alice?

  • A. Tactical threat intelligence
  • B. Technical threat intelligence
  • C. Strategic threat intelligence
  • D. Operational threat intelligence

Answer: A

Explanation:
The information shared by Alice, which was highly technical and included details such as threat actor tactics, techniques, and procedures (TTPs), malware campaigns, and tools used by threat actors, aligns with the definition of tactical threat intelligence. This type of intelligence focuses on the immediate, technical indicators of threats and is used bysecurity operation managers and network operations center (NOC) staff to protect organizational resources. Tactical threat intelligence is crucial for configuring security solutions and adjusting defense mechanisms to counteract known threats effectively.References:
* "Tactical Cyber Intelligence," Cyber Threat Intelligence Network, Inc.
* "Cyber Threat Intelligence for Front Line Defenders: A Practical Guide," by James Dietle


NEW QUESTION # 31
Rinni is an incident handler and she is performing memory dump analysis.
Which of following tools she can use in order to perform memory dump analysis?

  • A. iNetSim
  • B. Procmon and ProcessExplorer
  • C. OllyDbg and IDA Pro
  • D. Scylla and OllyDumpEx

Answer: D

Explanation:
For memory dump analysis, tools like Scylla and OllyDumpEx are more suited. These tools are designed to analyze and extract information from memory dumps, which can be crucial for understanding the state of a system at the time of an incident. Scylla is used for reconstructing imports in dumped binaries, while OllyDumpEx is an OllyDbg plugin used for dumping process memory. Both tools are valuable for incident handlers like Rinni who are performing memory dump analysis to uncover evidence or understand the behavior of malicious software.


NEW QUESTION # 32
An attacker instructs bots to use camouflage mechanism to hide his phishing and malware delivery locations in the rapidly changing network of compromised bots. In this particular technique, a single domain name consists of multiple IP addresses.
Which of the following technique is used by the attacker?

  • A. Fast-Flux DNS
  • B. Dynamic DNS
  • C. DNS interrogation
  • D. DNS zone transfer

Answer: A

Explanation:
Fast-Flux DNS is a technique used by attackers to hide phishing and malware distribution sites behind an ever- changing network of compromised hosts acting as proxies. It involves rapidly changing the association of domain names with multiple IP addresses, making the detection and shutdown of malicious sites more difficult. This technique contrasts with DNS zone transfers, which involve the replication of DNS data across DNS servers, or Dynamic DNS, which typically involves the automatic updating of DNS records for dynamic IP addresses, but not necessarily for malicious purposes. DNS interrogation involves querying DNS servers to retrieve information about domain names, but it does not involve hiding malicious content. Fast-Flux DNS specifically refers to the rapid changes in DNS records to obfuscate the source of the malicious activity, aligning with the scenario described.References:
* SANS Institute InfoSec Reading Room
* ICANN (Internet Corporation for Assigned Names and Numbers) Security and Stability Advisory Committee


NEW QUESTION # 33
Eric is an incident responder and is working on developing incident-handling plans and procedures. As part of this process, he is performing an analysis on the organizational network to generate a report and develop policies based on the acquired results. Which of the following tools will help him in analyzing his network and the related traffic?

  • A. Wireshark
  • B. Burp Suite
  • C. Whois
  • D. FaceNiff

Answer: A

Explanation:
Wireshark is a widely used network protocol analyzer that helps in capturing and interactively browsing the traffic on a network. It is an essential tool for incident responders like Eric who are developing incident- handling plans and procedures. By analyzing network traffic, Wireshark allows users to see what is happening on their network at a microscopic level, making it invaluable for troubleshooting network problems, analyzing security incidents, and understanding network behavior. Whois is used for querying databases that store registered users or assignees of an Internet resource. Burp Suite is a tool for testing web application security, and FaceNiff is used for session hijacking within a WiFi network, which makes Wireshark the best choice for analyzing network traffic.References:CREST materials often reference Wireshark as a fundamental tool for network analysis, crucial for incident handlers in the analysis phase of incident response.


NEW QUESTION # 34
Joe works as a threat intelligence analyst with Xsecurity Inc. He is assessing the TI program by comparing the project results with the original objectives by reviewing project charter. He is also reviewing the list of expected deliverables to ensure that each of those is delivered to an acceptable level of quality.
Identify the activity that Joe is performing to assess a TI program's success or failure.

  • A. Determining the costs and benefits associated with the program
  • B. Conducting a gap analysis
  • C. Determining the fulfillment of stakeholders
  • D. Identifying areas of further improvement

Answer: B

Explanation:
By assessing the Threat Intelligence (TI) program through a comparison of project results with the original objectives, and by ensuring that all expected deliverables have been produced to an acceptable quality level, Joe is conducting a gap analysis. Gap analysis involves identifying the difference between the current state and the desired state or objectives, in this case, the outcomes of the TI program versus its intended goals as outlined in the project charter. This process allows for the assessment of what was successful, what fell short, and where improvements can be made, thereby evaluating the program's overall effectiveness and identifying areas for future enhancement.References:
* "Project Management Body of Knowledge (PMBOK)" by the Project Management Institute
* "Intelligence Analysis: A Target-Centric Approach" by Robert M. Clark


NEW QUESTION # 35
Which of the following is not a countermeasure to eradicate inappropriate usage incidents?

  • A. Install firewall and IDS/IPS to block services that violate the organization's policy
  • B. Avoid VPN and other secure network channels
  • C. Register the user activity logs and keep monitoring them regularly
  • D. Always store the sensitive data in far located servers and restrict its access

Answer: B

Explanation:
Avoiding VPN (Virtual Private Network) and other secure network channels is not a countermeasure to eradicate inappropriate usage incidents. On the contrary, using VPNs and secure network channels is a best practice for enhancing security, as these technologies help protectdata in transit, ensuring that it is encrypted and less susceptible to interception or eavesdropping. Countermeasures for inappropriate usage typically involve enhancing security and monitoring, not reducing the security of communications.


NEW QUESTION # 36
Which of the following tools helps incident handlers to view the file system, retrieve deleted data, perform timeline analysis, web artifacts, etc., during an incident response process?

  • A. nblslal
  • B. netstat
  • C. Autopsy
  • D. Process Explorer

Answer: C

Explanation:
Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. Autopsy enables incident handlers to view the file system, retrieve deleted data, perform timeline analysis, and analyze web artifacts, among other functionalities. This tool is particularly useful during the incident response process for conducting in-depth investigations into the nature of a security incident, identifying the methods used by attackers, and recovering lost or compromised data.
References:The EC-Council's Certified Incident Handler (CREST CPTIA) program covers digital forensic tools and techniques, highlighting the capabilities of Autopsy for supporting comprehensive incident investigations and response activities.
Top of Form


NEW QUESTION # 37
Which of the following is an attack that attempts to prevent the use of systems, networks, or applications by the intended users?

  • A. Fraud and theft
  • B. Denial of service (DoS) attack
  • C. Unauthorized access
  • D. Malicious code or insider threat attack

Answer: B

Explanation:
A Denial of Service (DoS) attack aims to make a computer resource, network, or application unavailable to its intended users, thereby preventing legitimate users from using the service. This is achieved by overwhelming the target with a flood of internet traffic or sending information that triggers a crash. In contrast, fraud and theft involve the unauthorized acquisition of data or assets, unauthorized access refers to gaining entry into systems without permission, and malicious code or insider threat attacks relate to software designed to cause harm or unauthorized actions by trusted users within the organization. The specific intent of a DoS attack is to disrupt service, making it a distinct category focused on denial of availability.References:The Incident Handler (CREST CPTIA) certification materials discuss various types of cybersecurity threats, including DoS attacks, outlining their methods, objectives, and impacts on targeted systems or networks.


NEW QUESTION # 38
Which of the following is not called volatile data?

  • A. The dale a no Lime of the system
  • B. State of the network interface
  • C. Open sockets er open ports
  • D. Creation dates of files

Answer: D

Explanation:
Volatile data refers to information that is stored temporarily and is lost when a computer is turned off or restarted, such as RAM contents, including open sockets and open ports, the date and time of the system, and the state of the network interface. The creation dates of files, however, are considered non-volatile data because they are preserved on the hard drive and remain available after the system is restarted or turned off.
Non-volatile data is stored on persistent storage mediums like hard drives, SSDs, and magnetic tapes, where it remains until it is deleted or overwritten.References:The Incident Handler (CREST CPTIA) certification emphasizes the distinction between volatile and non-volatile data in the context of digital forensics and incident response, highlighting the importance of understanding what data may be lost upon system shutdown and what data persists.


NEW QUESTION # 39
......

CPTIA Sample Practice Exam Questions 2025 Updated Verified: https://www.updatedumps.com/CREST/CPTIA-updated-exam-dumps.html

Exam Study Guide Free Practice Test LAST UPDATED : https://drive.google.com/open?id=1AOgH9v4_lkzXPiwHlfjyviDBylmUywcR

Related Articles

more
CREST CPTIA Certification Practice Exam