=011==
Johnson is an incident handler and is working on a recent web application attack faced by his organization. As part of this process, he performed data preprocessing in order to analyze and detect the watering hole attack. Johnson preprocessed the outbound network traffic data collected from firewalls and proxy servers. He then started analyzing the user activities within a certain time period to create time-ordered domain sequences, in order to perform further analysis on sequential patterns.
Identify the data-preprocessing step performed by Johnson.
Ⓐ User-specific sessionization
Ⓑ Identifying unpopular domains
Ⓒ Host name normalization
Ⓓ Filtering invalid host names
=012==
Michael is an incident handler at CyberTech Solutions. He is performing detection and analysis of a cloud security incident. He is also analyzing the file systems, slack spaces, and metadata within the storage units to detect malware and evidence of malice.
Identify the cloud incident handled by Michael:
Ⓐ Server-related incident
Ⓑ Application-related incident
Ⓒ Storage-related incident
Ⓓ Network-related incident
=013==
Edwin is an incident handler within an organization and is performing network sniffing by running his system in promiscuous mode. Edwin is analyzing the network behavior to identify potential attacks.
Which command did Edwin use to run his system in promiscuous mode?
Ⓐ nmap --script broadcast(target*;hostlist*;A;discovered*target) [A addresses]
Ⓑ nmap --script hostmap
Ⓒ nmap -sU -p 500
Ⓓ nmap -sV -T4 -O -F --version-light
=014==
Ikeo Corp. has hired an incident response team to assess the enterprise security. As a part of the incident handling and response process, the IR team is reviewing the network security policies implemented by the enterprise. The IR team finds out that employees of the organization do not have any restrictions on connecting their personal devices to the official network. This means that they are allowed to connect any personal devices, including applications, and access the Internet or network resources from that location. Considering this a major security threat, the IR team plans to change this policy, as it can be easily exploited by attackers.
Identify the security policy that the IR team is planning to modify.
Ⓐ Promiscuous policy
Ⓑ Prudent policy
Ⓒ Permissive policy
Ⓓ Paranoid policy
=015==
A group of I&H customers are experiencing either slower network communication or unavailability of services. In addition, network administrators are receiving alerts from security tools such as IDS/IPS and firewalls about a possible DDoS/DoS attack. As a result, the I&H customers notified the incident handling and response (IH&R) team, which is further investigating the incident. The IH&R team decides to use manual techniques to detect the DDoS/DoS attack.
Which of the following commands helps the IH&R team to manually detect the DDoS/DoS attack?
Ⓐ nbstat
Ⓑ Autopsy
Ⓒ nbtstat
Ⓓ netstat
=016==
Which of the following risk mitigation strategies involves the execution of controls to reduce the risk factor and bring it to an acceptable level, or accepts the potential risk and continues operating the IT system?
Ⓐ Risk assumption
Ⓑ Risk planning
Ⓒ Risk transference
Ⓓ Risk avoidance
=017==
Robert is an incident handler working for Xsecurity Inc. One day, his organization faced a massive cyberattack and all of the websites related to the organization went offline. Robert was on duty during the incident and was responsible for handling it while maintaining business continuity. He immediately restored the operational service with the help of existing backups.
According to the scenario, which of the following stages of the incident handling and response (IH&R) process did Robert perform?
Ⓐ Evidence gathering and forensics analysis
Ⓑ Eradication
Ⓒ Notification
Ⓓ Recovery
=018==
Which of the following commands helps incident handlers to view the registry, retrieve deleted data, perform timeline analysis, examine web artifacts, etc., during an incident response process?
Ⓐ Process Explorer
Ⓑ rbtstat
Ⓒ Autopsy
Ⓓ netstat
=019==
Joseph is an incident handling and response (IH&R) team lead at Toro Network Solutions Company. As a part of the IH&R process, Joseph alerted the service providers, developers, and manufacturers about the affected resources.
Identify the stage of the IH&R process Joseph is currently in.
Ⓐ Eradication
Ⓑ Containment
Ⓒ Recovery
Ⓓ Incident triage
=020==
Tibson works as an incident responder for an MNC based in Singapore. He is investigating a web application attack targeting an MS SQL Server hosted by the organization. The attack was performed by a malicious actor using SQL meta-characters in the query. In the detection and analysis phase, he used regular expressions to analyze and detect the SQL meta-characters that lead to an SQL injection attack.
Identify the regular expression used by Tibson to detect an SQL injection attack on MS SQL Server.
Ⓐ (%2e)(%2F)(%5C)
Ⓑ (%27)|(%24)|(%3E)|(%3F)
Ⓒ (%5c)(%2F)(%2F)(%5C)
Ⓓ ((%2e)(%2F)|%3C)(%3E)|(%27)|(%3F%5C)
Answer key: ABAAD ADCBD