200-201 Cisco Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) Free Practice Exam Questions (2026 Updated)

A host-based intrusion detection system (HIDS) is designed to detect malicious activity on individual hosts by monitoring system behavior, logs, file integrity, and processes. Unlike firewalls or antivirus tools, a HIDS focuses on detecting suspicious or unauthorized activity rather than blocking traffic or enforcing access rules.

HIDS solutions typically use a combination of signature-based detection, which identifies known attack patterns, and anomaly-based detection, which identifies deviations from normal system behavior. This dual approach allows a HIDS to detect both known threats and previously unseen attacks.

Option A describes antivirus functionality rather than intrusion detection. Option B refers to firewall behavior, which is network-focused, not host-based. Option D describes intrusion prevention, not detection.

Cybersecurity operations fundamentals clearly distinguish HIDS as a detection technology, often paired with host-based intrusion prevention systems (HIPS) for blocking capabilities.

Therefore, the purpose of a HIDS is to detect threats using both signature-based and anomaly-based techniques, making Option C the correct answer.

 During the collection phase of the forensic process, data related to a specific event is labeled and recorded to preserve its integrity. This step ensures that the data remains unaltered and authentic from the time of collection until it is presented as evidence,maintaining the chain of custody. References := Cisco Cybersecurity Operations Fundamentals - Module 6: Security Incident Investigations

 A man-in-the-middle attack occurs when a third party intercepts and potentially alters the communication between two parties (in this case, two IP phones) without them knowing. This type of attack can lead to eavesdropping, where the attacker can gain unauthorized access to sensitive data being communicated between the two parties. References := Cisco Cybersecurity Operations Fundamentals - Module 5: Endpoint Threat Analysis and Computer Forensics

 The attack surface is the sum of all paths for data into and out of the environment, such as network interfaces, applications, services, protocols, ports, and user accounts. The attack surface represents the exposure of the environment to potential threats and attacks. A vulnerability is an exploitable weakness in a system or its design that can allow an attacker to compromise the system or its data. A vulnerability is a subset of the attack surface, as not all paths for data are vulnerable. References: [Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Module 1: Security Concepts]

 Sliding window anomaly detection is a technique used in cybersecurity to identify unusual patterns or behaviors that deviate from the norm. It involves analyzing segments of data over a period of time, referred to as a ‘window,’ and comparing them against typical patterns. Anomalies are detected when observed behaviors significantly differ from expected patterns, indicating potential security incidents or issues that require further investigation. References: An adaptive sliding window for anomaly detection of time series in wireless sensor networks

The lack of data visibility needed to detect the attack is caused by the threat actor gaining access to the system by known credentials. This means that the threat actor either obtained the employee’s username and password through phishing, social engineering, or other means, or used a compromised account that had legitimate access to the system. This would explain why there were no suspicious logs, alerts, or failed login attempts, as the threat actor appeared to be a normal user. References: https://learningnetworkstore.cisco.com/on-demand-e-learning/understanding-cisco-cybersecurity-operations-fundamentals-cbrops-v1-0/CSCU-LP-CBROPS-V1-028093.html (Module 2, Lesson 2.1.2)

Indicators of Attack (IoA) refer to observable behaviors or artifacts that suggest a security breach or ongoing attack.

When internal hosts communicate with countries outside the business range, it may indicate data exfiltration or command-and-control communication to an external threat actor.

Unlike Indicators of Compromise (IoC) which indicate that a system has already been compromised, IoAs are often used to identify malicious activity in its early stages.

Monitoring for unusual outbound connections is a crucial aspect of detecting advanced persistent threats (APTs) and other sophisticated attacks.

References

Difference Between Indicators of Compromise and Indicators of Attack

Cyber Threat Detection Using Indicators of Attack

Network Monitoring for Anomalous Behavior

Untampered images are crucial for security investigations as they provide original evidence that has not been altered or corrupted; their integrity and authenticity can be verified by comparing the stored hash and the computed hash of the image. If they match, the image is untampered and can be used for analysis. Tampered images, on the other hand, are useless for security investigations as they may contain false or misleading information; their integrity and authenticity are compromised by the modification of the image data. Tampered images may be used for incident recovery purposes, such as restoring a system to a previous state, but not for forensic purposes. References := Cisco Cybersecurity Operations Fundamentals - Module 6: Security Incident Investigations

Inline traffic interrogation analyzes traffic in real time and has the ability to prevent certain traffic from being forwarded Traffic mirroring doesn't pass the live traffic instead it copies traffic from one or more source ports and sends the copied traffic to one or more destinations for analysis by a network analyzer or other monitoring device

Delivery: This step involves transmitting the weapon to the target.

Weaponization: In this step, the intruder creates a malware weapon like a virus, worm or such in order to exploit the vulnerabilities of the target. Depending on the target and thepurpose of the attacker, this malware can exploit new, undetected vulnerabilities (also known as the zero-day exploits) or it can focus on a combination of different vulnerabilities.

Reconnaissance: In this step, the attacker / intruder chooses their target. Then they conduct an in-depth research on this target to identify its vulnerabilities that can be exploited.

In the context of the cyber kill chain model, spam campaigns fall under the “delivery” phase where attackers deliver malicious payloads via email or other means to target systems or networks. References: Cisco Cybersecurity Operations Fundamentals, Module 1: Security Concepts, Lesson 1.4: Security Monitoring, Topic 1.4.2: The Cyber Kill Chain Model

Deep packet inspection (DPI) analyzes the data part (and possibly also the header) of a packet as it passes an inspection point, searching for protocol non-compliance, viruses, spam, intrusions, or defined criteria to decide whether the packet may pass or if it needs to be routed to a different destination. Stateful inspection, on the other hand, tracks the state of active connections and determines which network packets to allow through the firewall. While stateful inspection tracks the state of connections (Layer 4 - transport layer), DPI goes further by examining the payload of the packet (Layer 7 - application layer).

Cisco’s official documentation and cybersecurity courses would explain the differences between deep packet inspection and stateful inspection, including their respective layers of operation.

The difference between tampered and untampered disk images is:

Tampered Images: These are disk images that have been altered or modified in some way after their initial creation. The stored hash and the computed hash will not match if the image has been tampered with.

Untampered Images: These are disk images that have not been altered since their creation. They are considered authentic and reliable for forensic investigations. The stored hash and the computed hash will match, confirming that the image has remained unchanged.

Therefore, the correct answer is: D. Untampered images are used for forensic investigations.

A botnet is a network of compromised computers controlled by an attacker. Botnets are often used to carry out Distributed Denial of Service (DDoS) attacks, where the compromised machines are directed to flood a target with traffic, rendering it inaccessible. References: Cisco Cybersecurity Operations Fundamentals, Module 1: Security Concepts, Lesson 1.3: Common Network Application Operations and Attacks, Topic 1.3.4: Denial-of-Service Attacks

The containment phase of the incident response lifecycle is focused on limiting the impact of an active incident and preventing it from continuing or spreading further. In this scenario, the organization is experiencing a suspected Distributed Denial-of-Service (DDoS) attack, as indicated by high-volume traffic and degraded application performance.

During containment, the Computer Security Incident Response Team (CSIRT) takes immediate actions such as rate limiting, blocking malicious IP addresses, diverting traffic through scrubbing services, or engaging DDoS mitigation providers. The goal is to stabilize services and ensure that the attack no longer affects business operations. This phase also includes confirming that defensive measures have been successfully applied.

Preparation occurs before an incident and involves planning and readiness activities. Eradication focuses on removing the root cause of the incident, such as disabling attacker infrastructure or removing malware, which is not applicable to most DDoS scenarios. Recovery occurs after containment and involves restoring systems to normal operation and monitoring for recurrence.

Cybersecurity operations documentation clearly defines containment as the phase where ongoing attacks are stopped or controlled. Therefore, containment is the correct answer.

According to NIST SP800-61, the incident response phase called “Containment, Eradication, and Recovery” involves containing the incident, eradicating the threat, and recovering from the incident2. In the scenario described, the engineer worked on containing the DDoS attack by identifying the attacker and the technique used, which is part of the containment process. The recommendation to implement Blackhole filtering is part of the eradication process, where measures are taken to prevent the attack from happening again. Finally, restoring the server is part of the recovery process, where normal operations are resumed. Therefore, the engineer finished work during the “Containment, Eradication, and Recovery” phase. References: NIST SP800-61 Computer Security Incident Handling Guide2.

 Scareware is a type of malware attack that tricks users into believing their computer is infected with a virus, prompting them to download and pay for fake antivirus software. The attack often uses popup windows with flashing colors (D) to create a sense of urgency and scare the user into taking immediate action.

Cisco Certified CyberOps Associate certification materials