350-201 Cisco Performing CyberOps Using Core Security Technologies (CBRCOR) Free Practice Exam Questions (2025 Updated)

If management decides not to prioritize fixing the vulnerabilities and accepts them, the next step for the engineer is to acknowledge the vulnerabilities and document the risk. This involves recording the decision and the rationale behind it, assessing the potential impact, and ensuring that there is a clear understanding of the risks being accepted. This documentation is crucial for future reference and accountability, and it may also include recommendations for mitigating the risk where possible

The first security threat that should be mitigated when installing a new application server for IP phones is the attack using default accounts. Default accounts often have preset usernames and passwords that are widely known and can be easily exploited by attackers. It is crucial to change these default credentials to prevent unauthorized access

When an unauthorized person gains access to a secured premise, the immediate step is to understand the extent of the breach. This involves tracking the movement of the attacker within the enterprise to determine which areas were compromised. Identifying the attacker’s movement helps in assessing the potential impact and aids in the development of an appropriate response plan. It is crucial to understand where the attacker went and what they had access to before further steps can be taken, such as changing access controls or determining the assets that might have been handled or acquired

Following behavioral analysis in a controlled laboratory, the next step in the malware analysis process is to perform static and dynamic code analysis of the specimen. Static analysis involves examining the malware without executing it, while dynamic analysis involves observing the malware’s behavior in a controlled environment. These analyses provide deeper insights into the malware’s capabilities and intentions2.

Creating an automation script for blocking URLs on the firewall when the rule is triggered will improve the effectiveness of the process by reducing the time between the detection of a request to a malicious URL and the blocking action. This proactive approach ensures that the URLs are blocked immediately, minimizing the window of opportunity for the threat to cause harm

The recommended action to mitigate an attack that is broadcasting a large number of ICMP packets using a spoofed source IP address is to use the subinterface command no ip directed-broadcast. This command prevents the Cisco IOS device from forwarding packets that are addressed to IP broadcast addresses. By disabling the directed broadcast feature, the network devices will not respond to broadcast messages sent to the network’s broadcast address, thus mitigating the attack and preventing the amplification of the ICMP packets back to the victim’s IP address.

After the incident response team has collected and documented all the necessary evidence from the computing resource, the next step is to isolate the infected host from the rest of the subnet. This action is crucial to prevent the spread of the malicious file to other systems on the network. Isolation ensures that the threat is contained and does not propagate, which is a key priority in incident response. Once the host is isolated, further steps such as risk assessment, installation of malware prevention software, and analysis of network traffic can be conducted in a controlled and secure manner

 A Security Information and Event Management (SIEM) tool is primarily used to collect and analyze security data from various sources, such as network devices and servers, and then produce alerts based on this analysis. SIEM tools aggregate and correlate data to identify patterns that may indicate a security incident, allowing organizations to respond to threats more effectively.

When an HTTP response code 301 is received from a web application, it indicates that the requested resource has been permanently moved to a new location. The action to be taken is to confirm the resource’s new location, as the 301 status code is used for permanent URL redirection

To prevent future attacks like the one described, where a compromised workstation gained access to sensitive customer data using insecure protocols, the best action is to use VLANs to segregate zones and configure the firewall to allow only required services and secured protocols. This approach ensures that different segments of the network are isolated, reducing the risk of lateral movement by attackers. Additionally, allowing only necessary and secure protocols through the firewall enhances the security posture by minimizing the attack surface.

References:

Network security best practices often recommend the use of VLANs and strict firewall rules as a means to enhance network security and prevent unauthorized access.

Implementing secure communication protocols and services is crucial in protecting sensitive data from being compromised.

The STIX (Structured Threat Information eXpression) in the context of the exhibit indicates a scenario where a Google Chrome extension is initiating direct IP connections using the WebSocket protocol, and the payloads are obfuscated and unreadable. This behavior is suspicious and suggests that the extension could be a front for malware that is using encrypted channels to communicate with a command and control server. The use of WebSockets and the obfuscation of payloads are common tactics used by malware authors to evade detection and maintain persistent control over compromised systems. The fact that the payloads cannot be decoded or read as UTF-8 text further supports the likelihood of malicious activity, as legitimate extensions would not typically need to obfuscate their communications.

References :=

STIX/TAXII is a framework for sharing cyber threat intelligence, which would include indicators of such suspicious activities1.

Understanding the implications of obfuscated payloads in network traffic, as described in cybersecurity resources23.

The correct code snippet that will parse the response to identify the status of the domain as malicious, clean, or undefined is Option B. This option containsconditional checks for the domain status and prints out the result accordingly. If the domain_status is ‘malicious’, it prints that the domain is found malicious; if the domain_status is ‘clean’, it prints that the domain is found clean; and for any other case, it prints that the domain status is undefined or risky. This aligns with the typical structure of a response parser that handles different statuses and provides a corresponding output.

References :=

Python’s conditional statements documentation for handling multiple conditions.

Best practices for parsing JSON responses in Python, which often involve checking for various statuses and handling each one appropriately.

 When an email attachment’s hash has no history in open source intelligence databases, the next step is to obtain a copy of the file for analysis in a controlled environment, known as a sandbox. This allows the analyst to observe the behavior of the file without risking the security of the network or systems

 In the context of Cisco Advanced Malware Protection (AMP), when a file is submitted to the Threat Grid analysis engine, it undergoes a thorough behavioral analysis to determine if it exhibits characteristics typical of malware. The Threat Grid provides detailed reports that include behavioral indicators of compromise (IoCs), which are actions or artifacts on a network or an endpoint that with high confidence indicate a breach.

In this case, the report generated by the Threat Grid for a low prevalence file shows high severity scores for the behavioral indicators. This suggests that the behaviors observed are strongly indicative of malicious activity, specifically ransomware. The high scores reflect the Threat Grid’s confidence in the malicious nature of the file based on its observed behaviors, which may include patterns of encryption consistent with ransomware, network activity that matches known ransomware command and control patterns, or file system changes that are characteristic of ransomware encryption.

Therefore, the correct answer is C, as the high scores on the behavioral indicators strongly suggest the presence of ransomware, justifying the execution of the ransomware detection mechanisms by Cisco AMP.

To prevent network availability issues related to peak memory pool buffer usage, the engineer should enable memory threshold notifications. This action allows the system to alert administrators before the memory usage reaches a critical level, enabling them to take proactive measures to prevent malfunction

The 2xx series of HTTP response codes indicate that the client’s request was successfully received, understood, and accepted1. These codes are used to communicate that the action requested by the client was processed successfully without any server-sideissues. For example, a 200 OK status code confirms that the request has succeeded, and a 201 Created indicates that a new resource has been created as a result of the request1.

 Upon receiving an alert of a zero-day vulnerability, the first step an engineer should take is to initiate a triage meeting to acknowledge the vulnerability and assess its potential impact2. This step is crucial for understanding the severity of the vulnerability, determining the scope of affected systems, and deciding on the subsequent actions to mitigate the risk. It involves gathering the relevant stakeholders and security experts to evaluate the threat and develop a response plan2.