Cisco 200-201 Practice Test - Questions Answers, Page 17

A denial-of-service attack represents the evasion technique of resource exhaustion, where the attacker overwhelms a system's resources, making the system unusable and unable to handle legitimate requests.Reference:=Cisco Cybersecurity Source Documents

The 5-tuple approach consists of protocol, source IP address, source port number, destination IP address, and destination port number to uniquely identify sessions between endpoints on a network.Reference:=Cisco Cybersecurity Source Documents

Vishing is an attack where fraudsters impersonate legitimate entities via phone calls to deceive individuals into providing sensitive information or performing actions that compromise security.Reference:=Cisco Cybersecurity Source Documents

Protocol 41 is used to encapsulate IPv6 packets in IPv4 headers for transmission over an IPv4 network. This is one of the methods to implement IPv6 transition mechanisms for hosts and routers that are located on IPv4 networks. An increase in IPv4 traffic carrying protocol 41 may indicate that some hosts or routers are trying to tunnel IPv6 traffic through an IPv4 network, which could be a legitimate or malicious activity depending on the network policy.Reference:=Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Cisco, page 177; [IPv6 Transition Mechanisms for IPv4 Domains]

False-positive alerts are alerts that are triggered by benign or normal network traffic and are mistakenly identified as malicious. False positives can have a negative impact on business as they may consume the resources and time of the security team that need to analyze and verify them. True-positive alerts are alerts that correctly identify malicious traffic or activity and require proper incident response procedures. True positives can help the security team to quickly detect and mitigate threats and minimize the damage to the organization.Reference:=Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Cisco, page 92; [Cisco CyberOps Associate CBROPS 200-201 Official Cert Guide], page 98

To isolate the suspicious host that is performing intensive network scanning, the analyst should collect the traffic by most active source IP. This will help to identify the IP address of the host that is generating the most traffic and sending the most packets or bytes. The analyst can then apply filters or queries to analyze the traffic from that source IP and determine the nature and scope of the scanning activity.Reference:=Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Cisco, page 72; [Cisco CyberOps Associate CBROPS 200-201 Official Cert Guide], page 468

An incident response plan is a document that defines the roles and responsibilities, procedures, and processes for detecting, analyzing, containing, eradicating, recovering, and learning from security incidents. The purpose of an incident response plan is to minimize the impact of incidents on the organization's assets, operations, and reputation, and to restore normal operations as quickly as possible. An incident response plan is not the same as a security management plan, a disaster recovery plan, or a backup and archiving plan, although they may be related or complementary.Reference:=Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Cisco, page 92;NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide, page 2-3

A TCP handshake is a three-way exchange of messages between a client and a server to establish a TCP connection. The client initiates the handshake by sending a SYN packet with a sequence number to the server. The server responds with a SYN-ACK packet with its own sequence number and an acknowledgment number that is the client's sequence number plus one. The client completes the handshake by sending an ACK packet with an acknowledgment number that is the server's sequence number plus one. If the remote server is not receiving an SYN-ACK packet from the local server, it means that the TCP handshake is not completed and the connection is not established. This could be caused by various factors, such as network congestion, firewall rules, packet filtering, or misconfiguration of the TCP parameters on either end.Reference:=Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Cisco, page 177;TCP 3-Way Handshake Process - GeeksforGeeks

A threat actor is a person or entity that is responsible for an incident that impacts or has the potential to impact an organization's security. A threat actor can have various motivations, such as financial gain, espionage, sabotage, or activism. A threat actor can use various methods, such as malware, phishing, denial-of-service, or social engineering, to perform an attack. A threat actor is not the same as a malware author, a bug bounty hunter, or a direct competitor, although they may be related or associated. A malware author is someone who creates malicious software that can be used by threat actors. A bug bounty hunter is someone who finds and reports vulnerabilities in software or systems for a reward. A direct competitor is someone who offers similar products or services as the organization and may seek to gain an advantage over it.Reference:=Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Cisco, page 87;CNSSI 4009-2015, page 77