The Lockheed Martin Cyber Kill Chain® breaks an attack lifecycle into several stages. A threat actor modified the registry on a compromised Windows system to ensure that their malware would automatically run at boot time. Into which phase of the Kill Chain would this fall?
A. Act on Objectives
B. Exploitation
C. Delivery
D. Installation
Explanation:
The Lockheed Martin Cyber Kill Chain® outlines the stages of a cyberattack. Let's break down the scenario and match it to the correct phase:
Scenario: A threat actor modifies the registry on a compromised Windows system to ensure malware runs at boot time.
What’s Happening? This is a persistence mechanism, ensuring the malware remains active after reboot.
Phases of the Cyber Kill Chain:
1. Reconnaissance – Attacker gathers info (e.g., scanning for vulnerabilities). (Not this phase.)
2. Weaponization – Malware is created (e.g., crafting a malicious payload). (Not this phase.)
3. Delivery – Malware is sent to the victim (e.g., via phishing email). (Not this phase.)
4. Exploitation – Vulnerability is exploited to execute code. (Not this phase, since the system is already compromised.)
5. Installation – Malware is installed and establishes persistence. (This is the correct phase!)
6. Command & Control (C2) – Attacker establishes remote control. (Happens after installation.)
7. Act on Objectives – Attacker achieves their goal (e.g., data theft). (Final stage, not this one.)
Why Not Other Options?
A. Act on Objectives – Too late; this is about achieving the final goal (e.g., data exfiltration).
B. Exploitation – This is when the initial breach occurs (e.g., exploiting a vulnerability to gain access).
C. Delivery – This is how malware reaches the victim (e.g., via email attachment), not execution.
Exam Tip:
Memorize the 7 stages of the Cyber Kill Chain and associate real-world attack steps with them.
Persistence mechanisms (like registry changes, cron jobs, or startup scripts) almost always fall under Installation.
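The registry autorun write in the question is exactly the kind of event a detection should map to the Installation phase. Below is an added example, not code from the original page or from Splunk, that scans constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records for writes under well-known autostart locations and labels each hit with the Kill Chain phase and the ATT&CK sub-technique it most often corresponds to. The field names (EventCode, TargetObject, Details, Image, Computer) follow Sysmon's schema; the sample events, host names and paths are made up for the example.

```python
"""Map Windows registry autorun writes to the Installation phase.

Added example: scans constructed Sysmon Event ID 13 records (as dicts)
for writes under common autostart locations. Real events would come from
Splunk (sourcetype XmlWinEventLog, EventCode=13); the samples are made up.
"""
import re

# Registry paths (case-insensitive regexes) commonly abused for persistence,
# each paired with the ATT&CK sub-technique it usually maps to.
AUTORUN_KEYS = [
    (r"\\CurrentVersion\\Run(Once)?(\\|$)", "T1547.001 Run/RunOnce"),
    (r"\\Winlogon\\(Shell|Userinit)$", "T1547.004 Winlogon helper"),
    (r"\\Services\\[^\\]+\\ImagePath$", "T1543.003 Windows service"),
    (r"\\CurrentVersion\\Explorer\\User Shell Folders\\Startup$", "T1547.001 Startup folder"),
]
_PATTERNS = [(re.compile(p, re.IGNORECASE), label) for p, label in AUTORUN_KEYS]


def classify_registry_write(event):
    """Return a finding dict if the event writes an autostart location, else None."""
    if event.get("EventCode") != 13:
        return None
    target = event.get("TargetObject", "")
    for pattern, label in _PATTERNS:
        if pattern.search(target):
            return {
                "phase": "Installation",      # persistence = Kill Chain step 5
                "technique": label,
                "key": target,
                "value": event.get("Details", ""),
                "writer": event.get("Image", ""),   # process that wrote the value
                "host": event.get("Computer", ""),
            }
    return None


def scan(events):
    """Run classify_registry_write over a batch of events and keep the hits."""
    return [f for f in map(classify_registry_write, events) if f]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventCode": 13, "Computer": "WS-042", "Image": "C:\\Windows\\Temp\\svchosts.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Windows\\Temp\\svchosts.exe"},
    # Explorer's RunMRU history lives next to Run but is not an autostart key.
    {"EventCode": 13, "Computer": "WS-042", "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\a",
     "Details": "notepad\\1"},
    {"EventCode": 13, "Computer": "SRV-01", "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\evilsvc\\ImagePath",
     "Details": "C:\\ProgramData\\e.exe"},
    # A process-creation event; ignored because it is not EventCode 13.
    {"EventCode": 1, "Computer": "WS-042", "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetObject": "", "Details": ""},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding['phase']}] {finding['technique']} on {finding['host']}: "
              f"{finding['writer']} set {finding['key']} = {finding['value']}")
```

The RunMRU record is included on purpose: a naive substring match on "Run" would flag Explorer's command history, so the patterns require the key itself to be Run or RunOnce. The writer's image path is kept in the finding because an autorun value written by a binary that itself lives in a temp directory is a stronger signal than the key write alone.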
A Risk Notable Event has been triggered in Splunk Enterprise Security, an analyst investigates the alert, and determines it is a false positive. What metric would be used to define the time between alert creation and close of the event?
A. MTTR (Mean Time to Respond)
B. MTBF (Mean Time Between Failures)
C. MTTA (Mean Time to Acknowledge)
D. MTTD (Mean Time to Detect)
Explanation:
The question asks for the metric that measures the time between alert creation and closure when an analyst investigates and resolves a false positive.
Breaking Down the Options:
1. MTTR (Mean Time to Respond)
Measures the average time from the moment an alert is raised to the moment the incident is closed, covering triage, investigation, and any remediation.
Best fit here because it spans the full lifecycle from notable event creation to closure.
2. MTBF (Mean Time Between Failures)
A reliability metric that measures how often a system fails over time.
Not relevant for incident response time tracking.
3. MTTA (Mean Time to Acknowledge)
Measures how long it takes for a team to acknowledge an alert (but not necessarily resolve it).
Does not cover the full resolution time.
4. MTTD (Mean Time to Detect)
Measures how long it takes to detect a threat (before an alert is even created).
Not relevant for post-alert resolution time.
Why MTTR is Correct?
The scenario describes investigation and closure, which are response actions.
A false positive still consumes analyst time to triage and close, so it counts toward MTTR just like a true positive.
Measured over notable events in Splunk ES, MTTR reflects how quickly the team takes an alert from creation through triage to resolution.
Exam Tip:
MTTR = Alert creation → Resolution (full response lifecycle). Note that the "R" is expanded as Resolve, Repair or Recover in other frameworks; this exam uses Respond.
MTTA = Only until acknowledgment (no resolution).
MTTD = Pre-alert (e.g., time from attack start to detection).
An analyst is attempting to investigate a Notable Event within Enterprise Security. Through the course of their investigation they determined that the logs and artifacts needed to investigate the alert are not available. What event disposition should the analyst assign to the Notable Event?
A. Benign Positive, since there was no evidence that the event actually occurred.
B. False Negative, since there are no logs to prove the activity actually occurred.
C. True Positive, since there are no logs to prove that the event did not occur.
D. Other, since a security engineer needs to ingest the required logs.
Explanation:
In Splunk Enterprise Security (ES), a disposition records the analyst's verdict on a Notable Event. When the analyst cannot verify the event because the logs needed to investigate it were never ingested, none of the true/false positive verdicts can honestly be applied.
Breaking Down the Options:
A. Benign Positive
Incorrect. A "Benign Positive" means the activity happened but was harmless (e.g., authorized admin activity).
Here, there’s no evidence at all, so this doesn’t apply.
B. False Negative
Incorrect. A "False Negative" refers to a missed detection (i.e., an attack occurred but was not flagged by Splunk).
This is about alert accuracy, not log availability.
C. True Positive
Incorrect. A "True Positive" means the alert was correct (i.e., malicious activity occurred).
Since no logs exist, we cannot confirm this.
D. Other
Correct. When logs are missing, the issue is data collection or ingestion failure, not the alert itself.
The analyst should:
Mark as "Other" (since none of the standard dispositions fit).
Escalate to security engineers to ensure proper log collection.
Why "Other" is the Best Choice?
The alert cannot be properly investigated due to missing data.
This is a gap in logging, not a false/true positive/negative scenario.
Splunk ES includes an "Other" disposition precisely for cases that the true/false/benign positive labels do not describe, such as an alert that cannot be assessed until the missing data source is onboarded.
Exam Tip:
False Positive = Alert was wrong (no malicious activity).
True Positive = Alert was correct (attack happened).
Benign Positive = Activity was legitimate (e.g., admin work).
Other = Unresolved due to external factors (e.g., missing logs).
Upon investigating a report of a web server becoming unavailable, the security analyst finds that the web server’s access log has the same log entry millions of times:
147.186.119.200 - - [28/Jul/2023:12:04:13 -0300] "GET /login/ HTTP/1.0" 200 3733
What kind of attack is occurring?
A. Denial of Service Attack
B. Distributed Denial of Service Attack
C. Cross-Site Scripting Attack
D. Database Injection Attack
Explanation:
Let’s break down the situation:
The same IP address (147.186.119.200) is repeatedly sending millions of identical requests to the web server.
The request is a simple HTTP GET to the /login/ endpoint.
This high volume of repeated requests has led to the web server becoming unavailable, indicating resource exhaustion.
Why it's a Denial of Service (DoS) Attack:
A Denial of Service (DoS) attack is when a single system or actor sends excessive traffic to a server or resource to make it unavailable to legitimate users.
The key indicators here are:
Single source IP (not distributed)
High frequency of identical requests
Service outage or degradation
Why the other options are incorrect:
B. Distributed Denial of Service Attack (DDoS):
This would involve multiple IP addresses or systems attacking the target simultaneously. In this case, it’s only one IP.
C. Cross-Site Scripting Attack (XSS):
XSS involves injecting malicious scripts into web pages viewed by other users. There’s no indication of script injection in this log.
D. Database Injection Attack:
SQL Injection or similar attacks attempt to manipulate backend queries. There’s no SQL-like pattern or malformed request in this log entry.
Conclusion:
Since the traffic is originating from a single IP and is overwhelming the server with repeated requests, this is a textbook example of a Denial of Service (DoS) Attack. (A single address can also be a NAT gateway or proxy fronting many clients, but with only one source IP in the log, DoS is the answer the evidence supports.)
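The distinction the question turns on, one source versus many, is something an analyst can compute directly from the access log rather than eyeball. The following is an added example, not code from the original page: it parses Common Log Format lines like the one in the question, counts each source IP's requests in its busiest sliding window, and labels the flood DoS or DDoS by how many addresses exceed the threshold. The log lines are constructed for the example, and the thresholds (100 requests per IP per minute, 10 offending IPs for "distributed") are illustrative assumptions, not tuned values.

```python
"""Distinguish single-source floods (DoS) from distributed ones (DDoS)
in a web server access log.

Added example: parses Common Log Format, counts requests per source IP in
a sliding time window, and reports whether the flood came from one
address or many. Sample log lines are constructed; thresholds are assumed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Common Log Format: ip ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime, request) or None for lines that are not CLF."""
    m = CLF.match(line.strip())
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FORMAT), m["req"]


def flood_sources(lines, window=timedelta(seconds=60), per_ip_threshold=100):
    """Return Counter {ip: peak requests in any `window`} for IPs over threshold."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, _ = parsed
            by_ip[ip].append(ts)
    offenders = Counter()
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        peak = 0
        # Two-pointer sliding window over sorted timestamps.
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= per_ip_threshold:
            offenders[ip] = peak
    return offenders


def classify(offenders, distributed_threshold=10):
    """Label the flood: 'DoS' (one or few sources) vs 'DDoS' (many sources)."""
    if not offenders:
        return "no flood"
    return "DDoS" if len(offenders) >= distributed_threshold else "DoS"


def make_sample_log():
    """Constructed log: one IP hammering /login/ plus a little normal traffic."""
    base = datetime.strptime("28/Jul/2023:12:04:13 -0300", TS_FORMAT)
    lines = []
    for i in range(500):  # 500 requests in ~25 seconds from one address
        ts = (base + timedelta(milliseconds=50 * i)).strftime(TS_FORMAT)
        lines.append(f'147.186.119.200 - - [{ts}] "GET /login/ HTTP/1.0" 200 3733')
    for i in range(5):  # five ordinary visitors (TEST-NET-3 addresses)
        ts = (base + timedelta(seconds=3 * i)).strftime(TS_FORMAT)
        lines.append(f'203.0.113.{i + 1} - - [{ts}] "GET /index.html HTTP/1.1" 200 1024')
    return lines


if __name__ == "__main__":
    found = flood_sources(make_sample_log())
    print(dict(found), "->", classify(found))
```

The same log line repeated with status 200 also tells you the server was answering every request, so the outage came from exhausting capacity rather than from an application fault; blocking the one address at the edge is the immediate mitigation, while a DDoS verdict from this function would instead point toward upstream scrubbing or rate limiting.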
The Security Operations Center (SOC) manager is interested in creating a new dashboard for typosquatting after a successful campaign against a group of senior executives. Which existing ES dashboard could be used as a starting point to create a custom dashboard?
A. IAM Activity
B. Malware Center
C. Access Anomalies
D. New Domain Analysis
Explanation:
Typosquatting is a form of cyberattack where attackers register domain names similar to legitimate ones (e.g., g00gle.com instead of google.com) to trick users into visiting malicious websites. These are often used in phishing attacks or to install malware.
Why “New Domain Analysis” is the best fit:
The New Domain Analysis dashboard in Splunk Enterprise Security (ES) surfaces domains that are newly registered or newly seen in your environment, drawing on WHOIS registration data. A freshly registered lookalike domain will show up there before it appears in any reputation feed.
It is ideal for detecting:
Typosquatting domains
Lookalike domains
Domains with odd registration patterns
This makes it the most relevant starting point for building a custom dashboard focused on typosquatting detection.
Why the other options are not ideal:
A. IAM Activity:
Focuses on identity and access management events (e.g., logins, account changes), not domain-based anomalies.
B. Malware Center:
Focuses on malware detections and indicators of compromise, not domain name anomalies.
C. Access Anomalies:
Tracks abnormal access behaviors, such as logins from unusual locations or at strange times, but not domain name analysis.
Conclusion:
For identifying and tracking potentially malicious domains—especially those used in typosquatting campaigns—the New Domain Analysis dashboard provides the best foundation.
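The dashboard surfaces new domains; deciding which of them are lookalikes of your own brands is the custom logic a typosquatting dashboard would add on top. Below is an added example, not code from the original page or from Splunk, that scores observed domains against a list of protected domains: it folds common homoglyph substitutions (0 for o, 1 for l, rn for m), checks for the brand embedded in a longer label, and otherwise measures edit distance allowing adjacent-character swaps. The brand list, the observed domains and the distance threshold are constructed assumptions; the second-level-label extraction is deliberately naive and does not handle multi-part public suffixes such as co.uk.

```python
"""Score observed domains for typosquatting against protected brands.

Added example: normalises each observed domain (second-level label,
homoglyph folding) and compares it with protected brands by exact match,
containment, and edit distance with transpositions. All inputs are
constructed; in ES the candidates would come from New Domain Analysis.
"""

PROTECTED = ["example.com", "paypal.com", "microsoft.com"]

# Substitutions that look alike in many fonts. Folding is lossy (it would
# turn "modern" into "modem") so it is used only for comparison, never display.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable_label(domain):
    """Second-level label: 'paypa1.com' -> 'paypa1'. Naive: ignores co.uk-style suffixes."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def fold_homoglyphs(label):
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def score_domain(observed, protected=PROTECTED, max_distance=2):
    """Return (matched_brand, reason) for a lookalike, or None."""
    observed = observed.lower().rstrip(".")
    label = registrable_label(observed)
    folded = fold_homoglyphs(label)
    best = None
    for brand in protected:
        if observed == brand:
            return None  # the legitimate domain itself
        brand_label = registrable_label(brand)
        if folded == brand_label:
            return (brand, "homoglyph" if label != brand_label else "different TLD")
        if brand_label in folded:
            return (brand, "brand embedded")
        dist = edit_distance(folded, brand_label)
        if dist <= max_distance and (best is None or dist < best[2]):
            best = (brand, f"edit distance {dist}", dist)
    return (best[0], best[1]) if best else None


def scan_domains(observed):
    """Map each flagged domain to its (brand, reason); clean domains are omitted."""
    results = {}
    for domain in observed:
        verdict = score_domain(domain)
        if verdict:
            results[domain] = verdict
    return results


# Constructed candidates, as if pulled from a new-domain report.
OBSERVED = ["paypa1.com", "rnicrosoft.com", "examp1e.net", "paypol.com",
            "micr0soft-login.com", "paypal.com", "github.com"]

if __name__ == "__main__":
    for domain, (brand, reason) in scan_domains(OBSERVED).items():
        print(f"{domain:24} looks like {brand:16} ({reason})")
```

When building the dashboard, feeding this kind of scoring back as a lookup lets the panel show only the flagged subset of new domains with the matched brand and reason alongside, which is what an executive-targeting campaign would need to be triaged quickly.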
During their shift, an analyst receives an alert about an executable being run from C:\Windows\Temp. Why should this be investigated further?
A. Temp directories aren't owned by any particular user, making it difficult to track the process owner when files are executed.
B. Temp directories are flagged as non-executable, meaning that no files stored within can be executed, and this executable was run from that directory
C. Temp directories contain the system page file and the virtual memory file, meaning the attacker can use their malware to read the in memory values of running programs
D. Temp directories are world writable thus allowing attackers a place to drop, stage, and execute malware on a system without needing to worry about file permissions.
Explanation:
An executable running from the C:\Windows\Temp directory is a significant red flag because temporary directories are often world writable, meaning any user or process can write files to them. This characteristic makes these directories an attractive target for attackers who want to drop, stage, and execute malware without worrying about restrictive file permissions.
Temp Directories Characteristics:
Security Risks:
Investigation Importance: The fact that an executable is running from C:\Windows\Temp warrants further investigation to determine whether it is malicious. Analysts should check:
Windows Security Best Practices: Documentation on how to secure temp directories and monitor for suspicious activity is available from both Microsoft and various security communities.
Incident Response Playbooks: Many playbooks include steps for investigating suspicious activity in temp directories as part of broader malware detection and response strategies.
MITRE ATT&CK Framework: Techniques involving the use of temporary directories are well-documented in the framework, offering insights into how adversaries leverage these locations during an attack.
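To turn the "executable ran from Temp" alert into something checkable, the following added example (not code from the original page or from Splunk) evaluates constructed process-creation records, shaped like the fields Sysmon Event ID 1 or Windows Security event 4688 carry, against directories an unprivileged user can write to on a default Windows install. It also catches the common variant where the payload is a script in a temp directory launched by a built-in interpreter, so the Image field points at powershell.exe rather than at the temp path. Note that every record still carries the launching user, which is why option A's "can't track the owner" is not the reason such executions are suspicious. The directory list, interpreter list and sample events are assumptions made for the example.

```python
"""Flag process executions launched from world-writable staging directories.

Added example: evaluates constructed process-creation records (Image,
CommandLine, User, ParentImage, Computer) against directories any user
can write to. Paths, lists and sample events are made up for the example.
"""
import re

# Directories writable by unprivileged users on a default Windows install,
# so a payload can be dropped and run there without elevated rights.
WRITABLE_STAGING_DIRS = [
    (r"^C:\\Windows\\Temp\\", "C:\\Windows\\Temp"),
    (r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", "%LOCALAPPDATA%\\Temp"),
    (r"^C:\\Users\\Public\\", "C:\\Users\\Public"),
]
_DIRS = [(re.compile(p, re.IGNORECASE), name) for p, name in WRITABLE_STAGING_DIRS]

# Built-in interpreters: when one of these is the Image, look at what it was
# told to run rather than where the interpreter itself lives.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "cmd.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def staging_dir(path):
    """Return the friendly name of the staging dir `path` sits in, or None."""
    for rx, name in _DIRS:
        if rx.search(path):
            return name
    return None


def assess(event):
    """Return a finding for a process-creation event, or None if it is not from a staging dir."""
    image = event.get("Image", "")
    basename = image.rsplit("\\", 1)[-1].lower()
    hit = staging_dir(image)
    how = "image in staging dir"
    if hit is None and basename in INTERPRETERS:
        # Tokenise the command line, honouring quoted paths with spaces.
        for token in re.findall(r'"[^"]+"|\S+', event.get("CommandLine", "")):
            hit = staging_dir(token.strip('"'))
            if hit:
                how = f"{basename} executed content from staging dir"
                break
    if hit is None:
        return None
    return {
        "host": event.get("Computer", ""),
        "user": event.get("User", ""),      # the owner IS recoverable from the event
        "image": image,
        "parent": event.get("ParentImage", ""),
        "staging_dir": hit,
        "why": how,
    }


def scan(events):
    return [f for f in map(assess, events) if f]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "WS-042", "User": "CORP\\jdoe", "Image": "C:\\Windows\\Temp\\svchosts.exe",
     "CommandLine": "C:\\Windows\\Temp\\svchosts.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Computer": "WS-042", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -nop -w hidden '
                    '-File C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.ps1',
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"Computer": "WS-042", "User": "CORP\\jdoe", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "CommandLine": '"C:\\Program Files\\Mozilla Firefox\\firefox.exe"', "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Computer": "WS-017", "User": "CORP\\asmith", "Image": "C:\\Users\\Public\\Downloads\\invoice.exe",
     "CommandLine": "C:\\Users\\Public\\Downloads\\invoice.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Computer": "WS-017", "User": "CORP\\asmith", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir", "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']}: {f['image']} <- {f['parent']} [{f['staging_dir']}: {f['why']}]")
```

The parent image is kept in each finding because a Temp-resident binary or script spawned by an Office application or a browser is the typical delivery-then-execution chain, and that context is what decides how urgently the alert is escalated.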
An analyst is not sure that all of the potential data sources at her company are being correctly or completely utilized by Splunk and Enterprise Security. Which of the following might she suggest using, in order to perform an analysis of the data types available and some of their potential security uses?
A. Splunk ITSI
B. Security Essentials
C. SOAR
D. Splunk Intelligence Management
Explanation:
Splunk Security Essentials (SSE) is a free app provided by Splunk that helps organizations understand what data sources they have, what security use cases they can support, and what gaps may exist in their environment.
Key Features of Security Essentials:
Maps data sources to use cases, MITRE ATT&CK techniques, and compliance frameworks.
Provides example searches and detections based on the data you have in Splunk.
Identifies missing data sources or underutilized ones.
Helps with onboarding new data and ensuring your environment is making full use of available telemetry.
This makes it perfect for analysts who are uncertain whether Splunk and ES are fully leveraging the organization’s data.
Why the other options are not correct:
A. Splunk ITSI (IT Service Intelligence):
Focuses on IT operations and performance monitoring—not security use cases or data source analysis.
C. SOAR (Security Orchestration, Automation, and Response):
Automates response actions, not designed for analyzing the breadth or depth of ingested data.
D. Splunk Intelligence Management (formerly TruSTAR):
Focuses on threat intelligence aggregation and sharing, not auditing or validating data ingestion and usage.
Conclusion:
If the analyst wants to assess whether all relevant data is being used effectively for security purposes, Splunk Security Essentials is the right tool.