Which of the following would be the BEST way to analyze diskless malware that has infected a VDI?


A. Shut down the VDI and copy off the event logs.
B. Take a memory snapshot of the running system.
C. Use NetFlow to identify command-and-control IPs.
D. Run a full on-demand scan of the root volume.

A large bank with two geographically dispersed data centers is concerned about major power disruptions at
both locations. Every day each location experiences very brief outages that last for a few seconds. However,
during the summer a high risk of intentional brownouts that last up to an hour exists, particularly at one of the
locations near an industrial smelter. Which of the following is the BEST solution to reduce the risk of data loss?


A. Dual supply
B. Generator
C. UPS
D. PDU
E. Daily backups

HOTSPOT
An incident has occurred in the production environment.

INSTRUCTIONS
Analyze the command outputs and identify the type of compromise.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Hot Area:

SIMULATION
A systems administrator needs to install a new wireless network for authenticated guest access. The wireless network should support 802.1X using the most secure encryption and protocol available.
INSTRUCTIONS
Perform the following steps:
1. Configure the RADIUS server.
2. Configure the WiFi controller.
3. Preconfigure the client for an incoming guest. The guest AD credentials are:

User: guest01
Password: guestpass

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

SIMULATION
An attack has occurred against a company.

INSTRUCTIONS
You have been tasked to do the following:
Identify the type of attack that is occurring on the network by clicking on the attacker’s tablet and reviewing the output.
Identify which compensating controls a developer should implement on the assets, in order to reduce the effectiveness of future attacks by dragging them to the correct server.
All objects will be used, but not all placeholders may be filled. Objects may only be used once.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Which of the following is a cryptographic concept that operates on a fixed length of bits?


A. Block cipher
B. Hashing
C. Key stretching
D. Salting

HOTSPOT
Select the appropriate attack and remediation from each drop-down list to label the corresponding attack with its remediation.

INSTRUCTIONS
Not all attacks and remediation actions will be used.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Hot Area:

A security incident has been resolved. Which of the following BEST describes the importance of the final phase
of the incident response plan?


A. It examines and documents how well the team responded, discovers what caused the incident, and
determines how the incident can be avoided in the future.

B. It returns the affected systems back into production once systems have been fully patched, data restored,
and vulnerabilities addressed.

C. It identifies the incident and the scope of the breach, how it affects the production environment, and the
ingress point.

D. It contains the affected systems and disconnects them from the network, preventing further spread of the
attack or breach.

A SOC operator is analyzing a log file that contains the following entries:

Which of the following explains these log entries?

A. SQL injection and improper input-handling attempts
B. Cross-site scripting and resource exhaustion attempts
C. Command injection and directory traversal attempts
D. Error handling and privilege escalation attempts