The Cisco CyberOps Associate Ultimate Exam focuses on security operations center (SOC) skills, including monitoring, detecting, analyzing, and responding to cyber threats. It covers SIEM tools, intrusion detection systems, network forensics, and incident handling. This exam is ideal for aspiring cybersecurity analysts and SOC professionals seeking to develop operational security expertise within Cisco environments.
Question 1. Which CIA triad element is primarily concerned with preventing unauthorized data disclosure?
A) Integrity
B) Availability
C) Confidentiality
D) Authentication
Answer: C
Explanation: Confidentiality ensures that information is accessed only by authorized entities.

Question 2. In a security deployment, which technology provides real‑time visibility of endpoint processes and file activity?
A) Network IDS
B) EDR
C) Firewall
D) SIEM
Answer: B
Explanation: Endpoint Detection and Response (EDR) monitors and records endpoint behavior continuously.

Question 3. Which statement best describes an agentless security solution?
A) Installs a lightweight client on each host
B) Requires no software on the protected system
C) Uses hardware appliances only
D) Provides deep packet inspection on the endpoint
Answer: B
Explanation: Agentless tools collect data remotely without installing software on the target.
Question 4. Which of the following is a characteristic of modern antimalware compared to legacy antivirus?
A) Signature‑only detection
B) Heuristic analysis and behavior monitoring
C) Manual update of virus definitions
D) Only scans executable files
Answer: B
Explanation: Modern solutions use heuristics and behavioral analytics to detect unknown threats.

Question 5. What is the primary function of a SIEM platform?
A) Block malicious traffic at the perimeter
B) Correlate log data and generate alerts
C) Perform automated forensic imaging
D) Deploy patches to vulnerable hosts
Answer: B
Explanation: SIEM aggregates logs, correlates events, and alerts on suspicious activity.

Question 6. Which cloud security model protects container workloads in Kubernetes?
A) Host‑based firewall
B) Network Access Control List (ACL)
C) Container Runtime Security (CRS)
D) DNS sinkhole
Answer: C
Explanation: CRS tools monitor and enforce security policies for container images and runtime behavior.
Question 10. Runbook automation (RBA) is used to:
A) Write new security policies
B) Standardize and script response actions
C) Conduct manual forensic interviews
D) Generate cryptographic keys
Answer: B
Explanation: RBA codifies repeatable steps into automated workflows.

Question 11. Which phase of reverse engineering involves disassembling a binary into assembly code?
A) Decompilation
B) Debugging
C) Disassembly
D) Obfuscation removal
Answer: C
Explanation: Disassembly translates machine code into readable assembly instructions.

Question 12. In risk management, a vulnerability is best defined as:
A) A threat actor’s capability
B) A weakness that can be exploited
C) The probability of an attack occurring
D) The impact of a successful exploit
Answer: B
Explanation: Vulnerabilities are system flaws that may be leveraged by threats.
Question 13. Which scoring component of CVSS reflects how easy it is to exploit a vulnerability?
A) Base
B) Temporal
C) Environmental
D) Exploitability sub‑score (part of Base)
Answer: D
Explanation: The Exploitability sub‑score within the Base metric measures attack complexity.

Question 14. Discretionary Access Control (DAC) bases permissions on:
A) Security labels assigned by the system
B) Owner’s discretion to grant rights
C) User roles defined by administrators
D) Attributes of the user and resource
Answer: B
Explanation: DAC lets resource owners decide who can access their objects.

Question 15. Which AAA component is responsible for verifying user identity?
A) Authentication
B) Authorization
C) Accounting
D) Auditing
Answer: A
Explanation: Authentication confirms that a user is who they claim to be.
Question 19. Which log type would most likely contain DNS query details?
A) Firewall log
B) DNS server log
C) HTTP proxy log
D) Syslog from a router
Answer: B
Explanation: DNS server logs record each query and response.

Question 20. Application Visibility and Control (AVC) primarily operates at which OSI layer?
A) Layer 2 (Data Link)
B) Layer 3 (Network)
C) Layer 4 (Transport)
D) Layer 7 (Application)
Answer: D
Explanation: AVC inspects and controls traffic based on application‑level characteristics.

Question 21. TLS encryption impacts network monitoring by:
A) Increasing packet size only
B) Obscuring payload content from passive sensors
C) Disabling NAT traversal
D) Disabling flow record generation
Answer: B
Explanation: Encrypted TLS hides the payload, limiting content inspection.
Question 22. NAT/PAT can hinder visibility because:
A) They encrypt traffic end‑to‑end
B) They change source IP/port, obscuring the original host
C) They compress packets, making them unreadable
D) They block all inbound connections
Answer: B
Explanation: NAT rewrites addresses, making it harder to map traffic to original hosts.

Question 23. Rule‑based detection differs from behavioral detection in that it:
A) Learns patterns over time
B) Relies on static signatures or thresholds
C) Uses machine learning models
D) Detects zero‑day exploits automatically
Answer: B
Explanation: Rule‑based systems trigger on predefined conditions, not on learned behavior.

Question 24. A sliding‑window anomaly detection technique is used to:
A) Correlate events across different time zones
B) Compare recent data against a moving baseline
C) Encrypt log files for storage
D) Generate long‑term trend reports
Answer: B
Explanation: Sliding windows continuously update the baseline to detect deviations.
Question 28. Host‑Based Intrusion Detection Systems (HIDS) differ from NIDS by:
A) Monitoring network traffic only
B) Analyzing host‑level events such as file changes
C) Blocking traffic at the firewall
D) Providing encryption services
Answer: B
Explanation: HIDS focuses on local host activities, not just network packets.

Question 29. Which EDR capability allows an analyst to revert a compromised endpoint to a known good state?
A) Threat hunting
B) Automated patching
C) Live response with rollback
D) Log aggregation
Answer: C
Explanation: EDR can execute commands to restore files or system state.

Question 30. In forensic analysis, the “chain of custody” ensures:
A) Encryption of evidence files
B) Proper documentation of evidence handling
C) Automatic deletion after 30 days
D) Immediate public disclosure of findings
Answer: B
Explanation: Chain of custody records who handled evidence and when, preserving integrity.
Question 31. Which command-line history file is used by Bash to record user commands?
A) .bashrc
B) .bash_history
C) .profile
D) .bash_logout
Answer: B
Explanation: .bash_history stores the commands entered in Bash sessions.

Question 32. The TCP three‑way handshake consists of which packet sequence?
A) SYN, FIN, ACK
B) SYN, SYN‑ACK, ACK
C) ACK, PSH, RST
D) SYN, ACK, FIN
Answer: B
Explanation: SYN initiates, SYN‑ACK acknowledges, ACK completes the connection.

Question 33. Which protocol is commonly used for DNS zone transfers?
A) TCP port 53
B) UDP port 53
C) TCP port 80
D) ICMP echo request
Answer: A
Explanation: Zone transfers use TCP to ensure reliable delivery of large DNS data.
Question 37. Which type of DDoS attack targets the application layer (Layer 7)?
A) SYN flood
B) UDP amplification
C) HTTP GET flood
D) ICMP ping flood
Answer: C
Explanation: HTTP GET floods overwhelm web servers with legitimate‑looking requests.

Question 38. The 5‑tuple used to identify a network flow includes all EXCEPT:
A) Source IP
B) Destination MAC address
C) Source port
D) Protocol
Answer: B
Explanation: MAC addresses are not part of the 5‑tuple; IP addresses, ports, and protocol are.

Question 39. In regular expressions, the pattern “\d{3,5}” matches:
A) Exactly three digits
B) Any number of digits between three and five inclusive
C) Three to five alphabetic characters
D) A digit followed by three to five spaces
Answer: B
Explanation: \d denotes a digit; {3,5} specifies the allowed repetition range.
Question 40. According to NIST SP 800‑61, the first phase of incident response is:
A) Containment
B) Eradication
C) Preparation
D) Recovery
Answer: C
Explanation: Preparation establishes policies, tools, and training before an incident occurs.

Question 41. The “Containment” phase aims to:
A) Identify the root cause of the breach
B) Stop the attacker’s progress while preserving evidence
C) Restore services to normal operation
D) Conduct post‑mortem analysis
Answer: B
Explanation: Containment isolates the threat to limit impact and maintain forensic data.

Question 42. In the Cyber Kill Chain, the “Delivery” stage corresponds to:
A) Reconnaissance of the target
B) Transmission of the malicious payload to the victim
C) Execution of the payload on the host
D) Exfiltration of data
Answer: B
Explanation: Delivery is the step where the attacker transmits malware or exploits.
Question 46. A false positive in a detection system is:
A) An undetected attack
B) An alert that correctly indicates malicious activity
C) An alert generated for benign activity
D) A missed log entry
Answer: C
Explanation: False positives flag legitimate behavior as malicious.

Question 47. Which regulation specifically protects health‑related information?
A) GDPR
B) PCI‑DSS
C) HIPAA
D) SOX
Answer: C
Explanation: HIPAA governs the privacy and security of Protected Health Information.

Question 48. Personally Identifiable Information (PII) is defined as:
A) Any data that can be used to identify a specific individual
B) Only financial account numbers
C) Medical records exclusively
D) Publicly available phone directories
Answer: A
Explanation: PII includes any information that can uniquely identify a person.
Question 49. Which PCI‑DSS requirement focuses on protecting cardholder data during transmission?
A) Requirement 3 – Encrypt stored cardholder data
B) Requirement 4 – Encrypt transmission of cardholder data across open, public networks
C) Requirement 6 – Develop secure systems and applications
D) Requirement 12 – Maintain an information security policy
Answer: B
Explanation: Requirement 4 mandates strong encryption for data in transit.

Question 50. In a SOC, the metric “False Negative Rate” indicates:
A) Percentage of alerts that are harmless
B) Ratio of missed attacks to total attacks
C) Time taken to close an incident ticket
D) Number of duplicate alerts generated
Answer: B
Explanation: False negatives are incidents that occur but are not detected.

Question 51. Which of the following best describes a “signature‑based” detection method?
A) Detects anomalies based on statistical deviations
B) Matches known patterns of malicious code or traffic
C) Uses AI to predict future attacks
D) Relies on user‑behavior analytics
Answer: B
Explanation: Signature‑based detection compares data against known threat patterns.
Question 55. Which of the following is a common indicator that a host may be compromised?
A) Consistent CPU usage at 5%
B) Unexpected outbound connections to unknown IPs
C) Regular system reboots scheduled by admin
D) Presence of a VPN client installed by IT
Answer: B
Explanation: Unusual outbound traffic often signals data exfiltration or C2 communication.

Question 56. The “Principle of Least Privilege” dictates that users should:
A) Have administrative rights on all systems
B) Receive only the permissions necessary to perform their job
C) Share credentials for convenience
D) Be granted root access by default
Answer: B
Explanation: Limiting privileges reduces the attack surface if an account is compromised.

Question 57. Which of the following best defines “defense in depth”?
A) Using a single firewall for all traffic
B) Implementing multiple overlapping security controls across layers
C) Relying solely on antivirus software
D) Disabling all remote access
Answer: B
Explanation: Defense in depth layers protections so that if one fails, others remain.
Question 58. An “indicator of attack” (IoA) differs from an IoC by focusing on:
A) Specific malicious files only
B) Tactics, techniques, and procedures that suggest an ongoing attack
C) Only network‑level events
D) Static hashes of malware binaries
Answer: B
Explanation: IoAs describe behaviors or patterns that imply an attack is in progress.

Question 59. Which protocol is most commonly used for secure remote administration of network devices?
A) Telnet
B) FTP
C) SSH
D) HTTP
Answer: C
Explanation: SSH provides encrypted command‑line access.

Question 60. What does the “Temporal” metric in CVSS capture?
A) The inherent severity of a vulnerability
B) The current exploitability and remediation status
C) The impact on confidentiality, integrity, and availability
D) The environment‑specific modifiers
Answer: B
Explanation: Temporal scores adjust the Base score based on exploit code availability and patches.