Cisco Updated 350-201 Exam Questions and Answers by lucie

 To review packet overviews of SNORT alerts without including all the packet headers, which can result in excessively large files, the engineer should modify the output module rule to use the “alert_fast” option. This option allows SNORT to log alerts in a ‘fast’ format, which includes the timestamp, alert message, and the IP addresses and ports involved, but omits the packet headers. The correct syntax for this action would be output alert_fast: output filename, where ‘filename’ is the desired name for the alert log file.

The Wireshark traffic capture exhibits a pattern where a single source IP address is sending a series of SYN packets to a single destination IP address. This pattern is indicative of a SYN flood attack, which is a form of Denial-of-Service (DoS) attack. In a SYN flood attack, the attacker exploits the TCP handshake mechanism by sending a flood of SYN packets to the target’s IP address. Theattacker does not complete the handshake with an ACK after receiving a SYN-ACK from the server, leaving connections half-open and eventually exhausting the server’s resources, which can lead to denial of service.

References:

The Cisco CyberOps curriculum, particularly the courses on Performing CyberOps Using Cisco Security Technologies (CBRCOR), would cover the identification and analysis of network threats, including SYN flood attacks.

Cisco’s official certification resources for the CyberOps Associate level would provide detailed information on various network threats and how to mitigate them, including the mechanisms of a SYN flood attack.

When an incident response team receives a report of unexpected changes within software, the immediate steps involve classifying the attack vector, understanding the scope of the event, and identifying the vulnerabilities being exploited. This is a critical part of the incident response workflow as it helps in determining the nature of the attack and the appropriate containment and eradication strategies3.

Implementing a confirmation step in the SOAR (Security Orchestration, Automation, and Response) workflow can significantly reduce false positives and improve the accuracy of threat detection. By adding a mechanism that informs the affected user of the detected activity and asks for their confirmation, the system can distinguish between legitimate and malicious actions more effectively. This approach respects the user’s context and behavior patterns, allowing for a more nuanced response to security alerts. It also reduces the inconvenience caused to legitimate users by avoiding unnecessary account blocks or credential resets.

The other options, while potentially useful in certain contexts, do not address the immediate issue of distinguishing between false positives and actual threats as effectively as a confirmation step does. Meeting with privileged users (option A) and increasing incorrect login tries (option D) may help to some extent but do not provide an immediate verification mechanism. Changing the SOAR configuration flow (option B) could reduce automatic remediation, but it might also reduce the system’s ability to respond to actual threats promptly.

Therefore, adding a confirmation step is the most direct and effective way to improve the workflow and resolve the issues described. It enhances the precision of the SOAR system and maintains a balance between security and user convenience.