This study guide focuses on cloud-based cyber range operations and defensive simulations. Topics include cloud security fundamentals, threat emulation, blue-team tactics, monitoring, detection, and incident response in simulated environments. Hands-on concepts, scenario-based learning, and exam-aligned content prepare candidates for the CRCB certification with confidence.
Typology: Exams
Question 1. In an IaaS environment, which component is typically the customer's responsibility for security?
A) Physical data center access controls
B) Hypervisor patching
C) Guest operating system hardening
D) Network backbone encryption
Answer: C
Explanation: In IaaS, the provider secures the physical infrastructure and hypervisor, while the customer must secure the guest OS, applications, and data.

Question 2. Which of the following best describes a key security advantage of using PaaS over IaaS for a blue-team exercise?
A) Complete control over hardware firmware
B) Reduced surface area for OS-level vulnerabilities
C) Ability to modify the underlying container runtime
D) Direct access to the host’s kernel
Answer: B
Explanation: PaaS abstracts the OS layer, limiting the blue team’s exposure to OS-level attacks and reducing the number of patches they must manage.

Question 3. A hypervisor vulnerability that allows a guest VM to execute code on the host is known as:
A) VM sprawl
B) VM escape
C) VM snapshot
D) VM migration
Answer: B
Explanation: VM escape is when malicious code breaks out of a virtual machine to compromise the hypervisor or host.

Question 4. Which container breakout technique exploits the default Docker socket mounted inside a container?
A) Namespace hijacking
B) Cgroup exhaustion
C) Docker socket abuse
D) Image layering
Answer: C
Explanation: If the Docker socket (/var/run/docker.sock) is mounted, a compromised container can control the Docker daemon and break out.

Question 7. Which of the following is a common method for bypassing MFA in a cloud environment?
A) Using a hardware token that never expires
B) Exploiting a vulnerable time-based OTP algorithm
C) Disabling MFA on the root account via the console
D) Leveraging a compromised refresh token
Answer: D
Explanation: Attackers can reuse stolen refresh tokens to obtain new access tokens without re-authenticating, effectively bypassing MFA.

Question 8. Service accounts in cloud IAM should be managed using which practice?
A) Assigning them the “Owner” role for convenience
B) Rotating their credentials regularly and limiting scopes
C) Sharing a single service account across all applications
D) Storing credentials in plaintext on public repositories
Answer: B
Explanation: Service accounts need frequent credential rotation and minimal permissions to reduce risk.

Question 9. When designing a VPC for a cyber range, which subnet configuration enhances isolation of red-team and blue-team assets?
A) Placing all assets in a single public subnet
B) Using separate private subnets with distinct security groups for each team
C) Allowing unrestricted inbound traffic from the internet
D) Disabling network ACLs
Answer: B
Explanation: Separate private subnets with tailored security groups limit lateral movement between teams.

Question 10. Which security group rule would most effectively restrict inbound traffic to a bastion host used by the blue team?
A) Allow all inbound TCP ports from 0.0.0.0/
B) Allow SSH (port 22) only from the blue-team management IP range
C) Allow HTTP (port 80) from any source
D) Allow all inbound traffic from the red-team subnet
Answer: B
Explanation: Limiting SSH to known management IPs reduces attack surface while still providing access.

Question 13. When configuring a detection rule for VPC Flow Logs, which attribute should be inspected to spot port-scanning activity?
A) DestinationPort values ranging across many ports from a single source IP within a short interval
B) Constant source IP with a single destination port
C) Zero-byte payload sizes
D) Encrypted traffic on port 443
Answer: A
Explanation: Port scanning manifests as a source IP contacting many destination ports quickly.

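The detection rule from Question 13, worked through as an added example that is not part of the study guide: a Python sliding-window detector run over constructed VPC Flow Log lines in the default record format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status). The 60-second window and 10-port threshold are assumptions to tune per environment. The sample data goes a little beyond the question: it includes a slow scan spread over minutes that a short window misses and a widened window catches, which is the trade-off a rule author has to make.

```python
"""Sliding-window port-scan detector for VPC Flow Log records.

Added example for the rule in Question 13; not part of the study guide.
All log lines, IPs, account id and ENI id below are constructed sample data.
"""
from collections import defaultdict

# Field order of the default VPC Flow Log record format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]


def parse_flow_log(line: str) -> dict:
    """Split one space-separated flow log record into a dict with numeric fields cast."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def detect_port_scans(lines, window_seconds=60, min_distinct_ports=10):
    """Return {srcaddr: sorted distinct dstports} for every source that touched
    at least min_distinct_ports distinct destination ports inside some
    window_seconds interval (measured on the record 'start' timestamp)."""
    by_src = defaultdict(list)
    for line in lines:
        if not line.strip() or line.startswith("version"):  # skip blanks / header
            continue
        rec = parse_flow_log(line)
        by_src[rec["srcaddr"]].append((rec["start"], rec["dstport"]))

    hits = {}
    for src, events in by_src.items():
        events.sort()                      # chronological order per source
        port_counts = defaultdict(int)     # distinct ports currently in window
        lo = 0
        for t, port in events:
            port_counts[port] += 1
            # Slide the left edge forward until every event is within the window.
            while events[lo][0] < t - window_seconds:
                old_port = events[lo][1]
                port_counts[old_port] -= 1
                if port_counts[old_port] == 0:
                    del port_counts[old_port]
                lo += 1
            if len(port_counts) >= min_distinct_ports:
                hits[src] = sorted(port_counts)
                break                      # one alert per source is enough
    return hits


def _flow(src, dst, dport, start, sport=49152):
    """Build one constructed flow record (account id and ENI id are placeholders)."""
    return (f"2 123456789012 eni-0a1b2c3d {src} {dst} {sport} {dport} 6 "
            f"1 60 {start} {start + 1} REJECT OK")


T0 = 1_700_000_000  # constructed epoch base for the sample records
SAMPLE_LINES = (
    # fast scan: 10 distinct ports in 10 seconds
    [_flow("10.0.1.50", "10.0.2.10", p, T0 + i)
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 3306, 8080])]
    # benign: repeated HTTPS to one port
    + [_flow("10.0.1.20", "10.0.2.10", 443, T0 + i * 5) for i in range(6)]
    # slow scan: 12 ports, one every 100 seconds
    + [_flow("10.0.1.77", "10.0.2.10", 1000 + i, T0 + i * 100) for i in range(12)]
)

if __name__ == "__main__":
    print("default window:", detect_port_scans(SAMPLE_LINES))
    print("wide window:", detect_port_scans(SAMPLE_LINES, window_seconds=2000,
                                            min_distinct_ports=12))
```

With the defaults only 10.0.1.50 is reported; the slow scanner 10.0.1.77 only surfaces when the window is widened to cover its whole run, so a production rule usually layers a short aggressive window with a longer low-and-slow one.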
Question 14. An effective method to reduce false positives in SIEM alerts for IAM role changes is to:
A) Disable all role-change alerts
B) Correlate role-change events with privileged user logins from known admin IPs
C) Trigger alerts on every role modification regardless of context
D) Increase the alert threshold to 100 changes per hour
Answer: B
Explanation: Correlation with legitimate admin activity helps differentiate normal changes from suspicious ones.

Question 15. Which of the following is a primary advantage of deploying an EDR agent on each cloud instance in a cyber range?
A) Guarantees zero false positives
B) Provides continuous process, file, and memory monitoring for rapid detection
C) Replaces the need for network-based IDS
D) Eliminates the need for log collection
Answer: B
Explanation: EDR agents collect detailed host-level telemetry, enabling detection of malicious behavior that network tools may miss.

Question 16. In a cloud environment, memory forensics is most effectively performed on:
A) Snapshots of the hypervisor’s host memory
B) Live RAM captures from compromised VM instances using tools like Volatility
C) Encrypted EBS volumes without decryption keys
D) Network flow logs
Answer: B
Explanation: Volatility and similar tools analyze live or captured VM memory dumps to uncover malicious artifacts.

Question 19. Which phase of the NIST Incident Response Lifecycle focuses on preserving volatile data before containment?
A) Identification
B) Containment
C) Eradication
D) Preparation
Answer: B
Explanation: During containment, responders isolate the system while ensuring volatile data (memory, logs) is captured for analysis.

Question 20. When isolating a compromised EC2 instance without losing volatile data, the recommended approach is to:
A) Terminate the instance immediately
B) Stop the instance, create a snapshot of the root volume, and capture a memory dump via the hypervisor API
C) Reboot the instance to clear memory
D) Change the instance’s security group to allow all traffic
Answer: B
Explanation: Stopping preserves the disk state; a snapshot plus a memory dump preserves both persistent and volatile evidence.

Question 21. In cloud forensics, reconstructing an attack timeline most commonly relies on which data source?
A) Instance CPU utilization graphs
B) Provider audit logs (e.g., CloudTrail, IAM Access Analyzer)
C) Public DNS records
D) Application source code
Answer: B
Explanation: Audit logs record timestamps of API calls and actions, enabling timeline reconstruction.

Question 22. Which of the following is a typical Indicator of Compromise (IoC) found during static malware analysis of a cloud-native binary?
A) Hard-coded AWS access key IDs and secret keys
B) High CPU usage on the host
C) Large inbound network traffic
D) Frequent DNS queries to internal domains
Answer: A
Explanation: Embedded credentials are strong IoCs indicating potential unauthorized cloud access.

Question 25. Which patch management strategy minimizes downtime for critical web servers in a multi-AZ deployment?
A) Apply patches simultaneously to all instances
B) Use rolling updates, patching one AZ at a time while traffic is routed to healthy instances
C) Disable health checks during patching
D) Reboot all instances immediately after patch download
Answer: B
Explanation: Rolling updates ensure continuous availability by patching in stages across AZs.

Question 26. Hardening a Linux AMI according to CIS Benchmarks includes which of the following actions?
A) Disabling SELinux/AppArmor
B) Enabling password authentication for SSH
C) Removing unnecessary packages and services, and configuring auditd
D) Allowing root login via SSH
Answer: C
Explanation: CIS hardening removes unused software and enables auditing to improve security.

Question 27. Configuration drift detection is best achieved by:
A) Manually checking each instance weekly
B) Using infrastructure-as-code tools (e.g., Terraform) with drift detection features and periodic compliance scans
C) Ignoring changes after initial deployment
D) Relying solely on OS patch levels
Answer: B
Explanation: IaC tools can compare the current state against the declared configuration, flagging drift.

Question 28. During a red-vs-blue exercise, a blue-team playbook for DDoS mitigation should start with which action?
A) Immediately shutting down all inbound traffic
B) Enabling auto-scaling and configuring rate-limiting on load balancers
C) Deleting the target application
D) Disabling CloudWatch alarms
Answer: B
Explanation: Auto-scaling and rate-limiting absorb traffic spikes while maintaining service availability.

Question 31. Which IAM policy condition can be used to enforce MFA for privileged actions?
A) "StringEquals": {"aws:username": "admin"}
B) "Bool": {"aws:MultiFactorAuthPresent": "true"}
C) "IpAddress": {"aws:SourceIp": "0.0.0.0/0"}
D) "NumericLessThan": {"aws:CurrentTime": "2025-01-01T00:00:00Z"}
Answer: B
Explanation: The aws:MultiFactorAuthPresent condition ensures the request includes a valid MFA token.

Question 32. A VPC Flow Log entry shows traffic from a private IP to the metadata service (169.254.169.254) on port 80. What is the most likely interpretation?
A) Legitimate instance metadata retrieval
B) Attempted exfiltration of credentials via the metadata API
C) DNS resolution request
D) External internet access
Answer: B
Explanation: Access to the metadata service can be abused to retrieve temporary credentials; monitoring such calls is critical.

Question 33. Which log type is essential for detecting privilege escalation via AWS IAM role assumption?
A) Application error logs
B) VPC Flow Logs
C) CloudTrail event logs for AssumeRole API calls
D) S3 access logs
Answer: C
Explanation: CloudTrail records AssumeRole events, revealing when a principal obtains elevated permissions.

Question 34. When writing a SIEM query to detect possible EC2 instance termination by an unauthorized user, which field should be examined?
A) eventName = RunInstances
B) eventName = TerminateInstances and userIdentity.type != "IAMRole"
C) sourceIPAddress = 127.0.0.1
D) eventSource = s3.amazonaws.com
Answer: B
Explanation: Filtering TerminateInstances events by non-role users helps spot unexpected terminations.

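The CloudTrail queries behind Questions 33 and 34 (and the timeline reconstruction of Question 21), as an added Python example that is not part of the study guide. The records, account id, ARNs, IPs and timestamps are all constructed. The termination filter uses CloudTrail's documented identity type for role sessions, AssumedRole (the guide writes it as IAMRole), and goes one step beyond the question by also flagging role sessions whose sessionContext reports no MFA, which ties in with the MFA condition from Question 31.

```python
"""Query constructed CloudTrail records for AssumeRole activity, unexpected
TerminateInstances calls, and an event timeline.

Added example for Questions 33/34; not from the study guide. Every record
below is made up; the account id 123456789012 and the IPs are placeholders.
"""
import json
from datetime import datetime

ROLE_ARN = "arn:aws:iam::123456789012:role/AdminRole"  # constructed


def _event(time, name, source, identity, ip, params=None):
    """Build one constructed CloudTrail record with the fields the queries use."""
    return {"eventTime": time, "eventName": name, "eventSource": source,
            "userIdentity": identity, "sourceIPAddress": ip,
            "requestParameters": params or {}}


IAM_USER_ALICE = {"type": "IAMUser", "userName": "alice",
                  "arn": "arn:aws:iam::123456789012:user/alice"}
IAM_USER_BOB = {"type": "IAMUser", "userName": "bob",
                "arn": "arn:aws:iam::123456789012:user/bob"}
ROLE_SESSION = {"type": "AssumedRole",
                "arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/alice",
                "sessionContext": {"sessionIssuer": {"type": "Role", "arn": ROLE_ARN},
                                   "attributes": {"mfaAuthenticated": "true"}}}

# Deliberately out of order, as events from several log files usually are.
SAMPLE_TRAIL = json.dumps({"Records": [
    _event("2025-01-10T09:07:00Z", "TerminateInstances", "ec2.amazonaws.com",
           IAM_USER_BOB, "198.51.100.5",
           {"instancesSet": {"items": [{"instanceId": "i-0bbbbbbbbbbbbbbbb"}]}}),
    _event("2025-01-10T09:00:00Z", "AssumeRole", "sts.amazonaws.com",
           IAM_USER_ALICE, "203.0.113.10",
           {"roleArn": ROLE_ARN, "roleSessionName": "alice"}),
    _event("2025-01-10T09:05:00Z", "TerminateInstances", "ec2.amazonaws.com",
           ROLE_SESSION, "203.0.113.10",
           {"instancesSet": {"items": [{"instanceId": "i-0aaaaaaaaaaaaaaaa"}]}}),
    _event("2025-01-10T09:06:00Z", "RunInstances", "ec2.amazonaws.com",
           IAM_USER_BOB, "198.51.100.5"),
]})


def load_records(raw_json):
    """CloudTrail log files are a JSON object with a 'Records' array."""
    return json.loads(raw_json)["Records"]


def principal(record):
    """Human-readable caller: user name for IAM users, ARN for role sessions."""
    ident = record["userIdentity"]
    return ident.get("userName") or ident.get("arn", "unknown")


def assume_role_events(records):
    """AssumeRole calls as (time, caller, target role ARN, source IP) (Question 33)."""
    return [(r["eventTime"], principal(r), r["requestParameters"]["roleArn"],
             r["sourceIPAddress"])
            for r in records
            if r["eventSource"] == "sts.amazonaws.com" and r["eventName"] == "AssumeRole"]


def suspicious_terminations(records):
    """TerminateInstances not made through a role session (Question 34),
    plus role sessions whose sessionContext does not report MFA."""
    out = []
    for r in records:
        if r["eventName"] != "TerminateInstances":
            continue
        ident = r["userIdentity"]
        if ident["type"] != "AssumedRole":
            out.append(r)
            continue
        mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
        if mfa != "true":
            out.append(r)
    return out


def timeline(records):
    """(time, eventName, caller) tuples sorted by eventTime (Question 21)."""
    def ts(r):
        return datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return [(r["eventTime"], r["eventName"], principal(r)) for r in sorted(records, key=ts)]


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    for row in timeline(recs):
        print(*row)
    print("role assumptions:", assume_role_events(recs))
    print("flagged terminations:", [principal(r) for r in suspicious_terminations(recs)])
```

Run against the sample, the timeline shows alice assuming AdminRole and then terminating an instance through that session, which passes the filter; bob's termination as a plain IAM user is the one flagged for review, matching the reasoning in the explanation.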
Question 37. Which of the following best describes a “snapshot” in the context of cloud forensics?
A) A real-time video of user activity
B) A point-in-time copy of a virtual disk that can be mounted for analysis
C) A backup of IAM policies only
D) A DNS query log
Answer: B
Explanation: Snapshots capture the state of a virtual disk at a specific moment, useful for forensic analysis.

Question 38. A blue-team analyst notices that a newly created IAM role has the AdministratorAccess policy attached but no human user is listed as the creator. Which response action is most appropriate?
A) Delete the role immediately without investigation
B) Isolate the role, review CloudTrail for the creating principal, and revoke the policy until validated
C) Grant additional permissions to the role to expedite remediation
D) Ignore it, assuming it is a legitimate automation
Answer: B
Explanation: Isolating and investigating the creation source prevents potential abuse while preserving evidence.

Question 39. Which of the following is a recommended hardening step for Amazon S3 buckets used to store forensic images?
A) Enable public read access for easy retrieval
B) Apply server-side encryption with AWS KMS and restrict access via bucket policies to specific IAM roles
C) Disable versioning to save storage costs
D) Store the bucket in the us-east-1 region only
Answer: B
Explanation: Encryption and strict bucket policies protect sensitive forensic data from unauthorized access.

Question 40. In a continuous vulnerability scanning program, what frequency is generally recommended for scanning critical cloud assets?
A) Once a year
B) Monthly
C) Weekly or after any configuration change
D) Never, only manual checks
Answer: C
Explanation: Frequent scanning (weekly or post-change) ensures new vulnerabilities are promptly identified.