Free Cisco 200-201 Practice Exam with Questions & Answers | Set: 9

 TOR, or The Onion Router, is designed to conceal a user’s location and usage from anyone conducting network surveillance or traffic analysis. Using TOR makes it more difficult to trace internet activity, including “visits to Web sites, online posts, instant messages, and other communication forms,” back to the user1. It is intended to protect the personal privacy of users, as well as their freedom and ability to conduct confidential communication by keeping their internet activities unmonitored. Within an organization, the use of TOR can decrease visibility into data traffic because it encrypts the data multiple times and routes it through a series of servers operated by volunteers around the globe. This makes network monitoring and data visibility challenging for cybersecurity professionals within the organization. References: Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS)

Persistence mechanisms allow attackers to maintain access to a compromised system across reboots, logoffs, or security events. In Windows environments, two of the most common and well-documented persistence techniques involve Registry Run keys and scheduled tasks.

The exhibit highlights several indicators of compromise, including new Registry entries under the Run key and newly created scheduled tasks that execute during non-business hours. Registry Run keys enable programs to execute automatically when the system or user starts, making them a frequent target for malware and attackers seeking long-term access. Similarly, Task Scheduler allows attackers to execute malicious code at predefined times or events, often designed to evade detection.

Analyzing both the Windows Registry changes and Task Scheduler tasks directly targets these persistence mechanisms. This aligns with host-based analysis best practices, which prioritize startup execution points and scheduled execution artifacts when persistence is suspected.

The other options are incomplete or misaligned. Windows Defender status and login attempts may indicate security tampering or brute-force activity, but they do not directly reveal persistence techniques. User account logins alone do not explain automated re-execution of malicious code, and deleting Run keys without full analysis risks destroying forensic evidence.

Therefore, focusing on Registry changes and Task Scheduler tasks provides the most accurate and operationally sound method for uncovering attacker persistence.

Trafshow is a network monitoring tool that provides real-time monitoring of network traffic. It displays the current connections and the amount of data being transferred over those connections. It is particularly useful in a Security Operations Center (SOC) for identifying unusual traffic patterns or connections that may indicate a security incident.

Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS)

A regular expression (regex) is a sequence of characters that defines a search pattern for text. A regex can be used to extract custom properties from log messages or events in a SIEM platform. In this case, the regex that matches the phrase “File: Clean” exactly is ^File: Clean$. The ^ symbol indicates the beginning of the line and the $ symbol indicates the end of the line. The regex ensures that no other characters are before or after the phrase. References:

Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Cisco, Module 5: Security Policies and Procedures, Lesson 5.3: Data and Event Analysis

200-201 CBROPS - Cisco, Exam Topics, 5.0 Security Policies and Procedures, 5.3 Analyze data as part of security monitoring activities

Cisco Certified CyberOps Associate Overview - Cisco Learning Network, Videos, 5.3 Analyze data as part of security monitoring activities

 To investigate the callouts made post infection, it’s essential to know where the callouts were made to (domain names) and from which host IP addresses they originated. This information can help trace back the source and destination, aiding in understanding the nature of the callouts. References: https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Working_with_Indicators_of_Compromise.html

A host-based intrusion detection system (HIDS) is designed to detect malicious activity on individual hosts by monitoring system behavior, logs, file integrity, and processes. Unlike firewalls or antivirus tools, a HIDS focuses on detecting suspicious or unauthorized activity rather than blocking traffic or enforcing access rules.

HIDS solutions typically use a combination of signature-based detection, which identifies known attack patterns, and anomaly-based detection, which identifies deviations from normal system behavior. This dual approach allows a HIDS to detect both known threats and previously unseen attacks.

Option A describes antivirus functionality rather than intrusion detection. Option B refers to firewall behavior, which is network-focused, not host-based. Option D describes intrusion prevention, not detection.

Cybersecurity operations fundamentals clearly distinguish HIDS as a detection technology, often paired with host-based intrusion prevention systems (HIPS) for blocking capabilities.

Therefore, the purpose of a HIDS is to detect threats using both signature-based and anomaly-based techniques, making Option C the correct answer.

An Nmap scan can provide detailed information about a network including the functionality and purpose of servers on that network as well as any services that are currently running on those servers. This information can be used by an attacker to identify potential vulnerabilities or targets for exploitation during a cyber attack. References := Cisco Cybersecurity Training

 The communication channel established from a compromised machine back to the attacker is known as a command and control (C2) channel. This channel allows attackers to maintain communication with the compromised system, issue commands, and potentially exfiltrate data. The C2 channel can be established using various protocols and methods to evade detection and maintain persistence.