A company wants to run a leaner team and needs to deploy a threat management system with minimal human interaction. Which of the following is the server component of the threat management system that can accomplish this goal?
Correct Answer:
D
TAXII stands for Trusted Automated eXchange of Indicator Information, and it is a server component of a threat management system that can facilitate the exchange of threat intelligence data between different sources and consumers, using a standard protocol and format. TAXII can help deploy a threat management system with minimal human interaction, by automating the collection, processing, and dissemination of threat intelligence data.
During a routine security review, anomalous traffic from 9.9.9.9 was observed accessing a web server in the corporate perimeter network. The server is mission critical and must remain accessible around the world to serve web content. The Chief Information Security Officer has directed that improper traffic must be restricted. The following output is from the web server:
Which of the following is the best method to accomplish this task?
Correct Answer:
D
Based on the output of the “netstat -an” command, the web server is listening on port 80 for HTTP traffic and port 443 for HTTPS traffic. The anomalous traffic from 9.9.9.9 is reaching the web server on port 443, which means it is using a secure connection.
The best method to accomplish the task of restricting improper traffic from 9.9.9.9 is D, adjusting the firewall. A firewall is a device or software that controls the flow of network traffic based on predefined rules. By adjusting the firewall rules, you can block or allow specific IP addresses, ports, protocols, or domains from accessing your web server, which blocks the offending source while keeping the server reachable for everyone else.
A cybersecurity analyst needs to harden a server that is currently being used as a web server. The server needs to be accessible when entering www.company.com into the browser. Additionally, web pages require frequent updates, which are performed by a remote contractor. Given the following output:
Which of the following should the cybersecurity analyst recommend to harden the server? (Select TWO).
Correct Answer:
DF
Disabling the Telnet service would harden the server by removing an insecure protocol that transmits data in cleartext and could allow unauthorized access to the server. Changing the SSH port to a non-standard port would harden the server by reducing the exposure to brute-force attacks or port scans that target the default SSH port (22). Uninstalling the DNS service, performing a vulnerability scan, changing the server’s IP to a private IP address, or blocking port 80 with the host-based firewall would not harden the server or could affect its functionality as a web server. Reference:
https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
A threat intelligence group issued a warning to its members regarding an observed increase in attacks performed by a specific threat actor and the related IoCs. Which of the following is the best method to operationalize these IoCs to detect future attacks?
Correct Answer:
D
Adding the IoCs to a SIEM is the best method to operationalize them to detect future attacks, because it allows the company to collect, correlate, analyze, and alert on the indicators of compromise (IoCs) from various sources and systems. SIEM stands for security information and event management, which is a software or service that provides centralized visibility and management of security events and data.
During an incident response procedure, a security analyst acquired the needed evidence from the hard drive of a compromised machine. Which of the following actions should the analyst perform next to ensure the data integrity of the evidence?
Correct Answer:
A
Generating hashes for each file from the hard drive is the next action that the analyst should perform to ensure the data integrity of the evidence. Hashing is a technique that produces a unique and fixed-length value for a given input, such as a file or a message. Hashing can help to verify the data integrity of the evidence by comparing the hash values of the original and copied files. If the hash values match, then the evidence has not been altered or corrupted. If the hash values differ, then the evidence may have been tampered with or damaged.
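The per-file hash manifest described above, as an added example that is not part of the original question bank: it streams SHA-256 over every file in an acquired evidence tree, records the digests, and later re-checks a working copy against the manifest so a modified or missing file is reported. The directory layout and file contents are constructed for the demo.

```python
from __future__ import annotations
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on large evidence files


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of one file, streamed from disk."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file (path relative to root, POSIX form) to its digest."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_copy(manifest: dict[str, str], copy_root: Path) -> list[str]:
    """Return files whose digest differs from the manifest or that are missing."""
    problems = []
    for rel, expected in manifest.items():
        target = copy_root / rel
        if not target.is_file() or hash_file(target) != expected:
            problems.append(rel)
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample: hash an acquired tree, check a faithful copy, then a tampered one."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "evidence"
        (src / "logs").mkdir(parents=True)
        (src / "logs" / "auth.log").write_bytes(b"Jan 01 00:00:01 host sshd[42]: Accepted publickey\n")
        (src / "notes.txt").write_bytes(b"constructed sample note\n")
        manifest = build_manifest(src)          # taken at acquisition time
        copy = Path(tmp) / "copy"
        shutil.copytree(src, copy)
        clean = verify_copy(manifest, copy)     # expect no findings
        (copy / "logs" / "auth.log").write_bytes(b"tampered\n")
        tampered = verify_copy(manifest, copy)  # expect auth.log flagged
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

In practice the manifest is generated on the original drive before any copy is made and stored with the chain-of-custody record, so every later working copy can be checked against it.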