200-201 Cisco Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) Free Practice Exam Questions (2025 Updated)

The Cuckoo sandbox report shows the analysis results of a file named "VirusShare_fc1937c1aa536b3744ebfb1716fd5f4d".

The file type is identified as a PE32 executable for MS Windows.

The "Yara" section indicates that the file contains shellcode, which matches specific shellcode byte patterns.

Shellcode typically indicates that the file will execute a payload, often used to open a command interpreter or execute commands directly.

Additionally, the antivirus result shows that the file was identified as containing a trojan (Trojan.Generic.7654828), which is consistent with behaviors such as opening a command interpreter for malicious purposes.

References

Cuckoo Sandbox Documentation

Analysis of Shellcode Behavior

Understanding Trojan Malware Functionality

 HTTPS traffic is difficult to screen because it is encrypted using the SSL/TLS protocol, which secures the data in transit between the client and the server. This encryption ensures that any intercepted traffic cannot be easily read or tampered with by third parties. Screening or inspecting this encrypted traffic would require decrypting it, which poses significant challenges and potential security risks12.

Transaction data consists of connection level, application-specific records generated from network traffic. It provides information about the source, destination, protocol, and application of each network connection. Transaction data can be used to identify anomalies, malicious activities, and user behaviors on the network. References := Cisco CyberOps Engineer

The exhibit shows a SQL query that is attempting to bypass login controls by modifying the query to always return true. This is a common tactic used in SQL injection attacks where malicious SQL statements are inserted into an entry field for execution. References := Cisco Cybersecurity Source Documents

The situation where endpoint logs show a machine receiving an unusual gateway address and DNS servers via DHCP is indicative of a Man-in-the-Middle (MitM) attack, specificallya DHCP spoofing attack. In this type of attack, an adversary can set up a rogue DHCP server or manipulate the DHCP communication to provide false gateway and DNS information to clients. This allows the attacker to intercept, monitor, or manipulate traffic between the client and the intended gateway or DNS servers2.

The defense-in-depth strategy is a layered approach to security that includes multiple defensive measures to protect against threats. Dividing the network into parts (B) helps isolate potential breaches, making it harder for an attacker to move laterally across the network. Implementing the patch management process (E) ensures that systems are up-to-date with the latest security patches, reducing vulnerabilities that attackers could exploit.

Delivery: This step involves transmitting the weapon to the target.

Weaponization: In this step, the intruder creates a malware weapon like a virus, worm or such in order to exploit the vulnerabilities of the target. Depending on the target and thepurpose of the attacker, this malware can exploit new, undetected vulnerabilities (also known as the zero-day exploits) or it can focus on a combination of different vulnerabilities.

Reconnaissance: In this step, the attacker / intruder chooses their target. Then they conduct an in-depth research on this target to identify its vulnerabilities that can be exploited.

According to NIST SP800-61, the incident response phase called “Containment, Eradication, and Recovery” involves containing the incident, eradicating the threat, and recovering from the incident2. In the scenario described, the engineer worked on containing the DDoS attack by identifying the attacker and the technique used, which is part of the containment process. The recommendation to implement Blackhole filtering is part of the eradication process, where measures are taken to prevent the attack from happening again. Finally, restoring the server is part of the recovery process, where normal operations are resumed. Therefore, the engineer finished work during the “Containment, Eradication, and Recovery” phase. References: NIST SP800-61 Computer Security Incident Handling Guide2.

Deep packet inspection (DPI) is a form of computer network packet filtering that examines the data part (and possibly also the header) of a packet as it passes an inspection point, searching for protocol non-compliance, viruses, spam, intrusions, or defined criteria to decide whether the packet may pass or if it needs to be routed to a different destination, or, for the purpose of collecting statistical information. It is a form of filtering employed at the security layer level of the OSI model. Stateful inspection, on the other hand, is a firewall technology that monitors the state of active connections and determines which network packets to allow through the firewall. Stateful inspection has largely replaced older technologies that were static and examined packets in isolation. Therefore, DPI is considered more secure because it examines the contents of the packets at Layer 7 (the application layer), while stateful inspection typically works up to Layer 4 (the transport layer).

Decision making is a principle that guides an analyst to gather information relevant to a security incident to determine the appropriate course of action. Decision making involves identifying the problem, defining the criteria, analyzing the alternatives, and choosing the best solution. Decision making helps an analyst to respond to an incident effectively and efficiently, while minimizing the impact and risk to the organization. References: https://learningnetworkstore.cisco.com/on-demand-e-learning/understanding-cisco-cybersecurity-operations-fundamentals-cbrops-v1.0/CSCU-LP-CBROPS-V1-028093.html (Module 3: Security Monitoring, Lesson 3.1: Security Operations Center)

The file that is extractable via TCP stream within Wireshark is the one that has the Content-Type header set to application/octet-stream, which indicates binary data. Thisheader is present in frames 7, 14, and 21, which are part of the same TCP stream. The other frames have different Content-Type headers, such as text/html or image/jpeg, which are not extractable as binary files. References := Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) v1.0, Module 3: Network Intrusion Analysis, Lesson 3.2: Analyze Data from Common TCP/IP Protocols, Topic 3.2.3: HTTP

The regular expression provided is:.\.(pd][Oo][Cc)|[Xx][LI][Ss]|[Pp][Pp][Tt]) HTTP/1 .[01]

This regular expression is designed to match file extensions for Word (.doc), Excel (.xls), and PowerPoint (.ppt) files in HTTP network sessions.

The regular expression uses character classes and alternatives to match different case variations of these file extensions.

The part.\.(pd][Oo][Cc)|[Xx][LI][Ss]|[Pp][Pp][Tt])matches the file extensions, andHTTP/1 .[01]ensures that the match is in the context of HTTP version 1.0 or 1.1.

References

Cisco ASA Regular Expressions Documentation

Understanding Regular Expressions in Network Security

Filtering and Capturing HTTP Traffic with Regex

Deep packet inspection (DPI) analyzes the data part (and possibly also the header) of a packet as it passes an inspection point, searching for protocol non-compliance, viruses, spam, intrusions, or defined criteria to decide whether the packet may pass or if it needs to be routed to a different destination. Stateful inspection, on the other hand, tracks the state of active connections and determines which network packets to allow through the firewall. While stateful inspection tracks the state of connections (Layer 4 - transport layer), DPI goes further by examining the payload of the packet (Layer 7 - application layer).