CyberOps Associate Host-based Analysis Questions

Correct Answer: ICMP type and code fields in ICMP header
Explanation: For ICMP flood, type/code helps differentiate echo requests, unreachable etc.

Correct Answer: When an actual attack is not detected
Explanation: False negative means malicious activity passes through undetected.

Correct Answer: Source IP, destination IP, source port, destination port, protocol
Explanation: The 5-tuple defines a connection or flow; essential in identifying and isolating hosts or suspicious flows.

Correct Answer: A malicious individual or group performing attacks (e.g. nation-state, hacktivist, insider)
Explanation: Threat actor is party responsible for carrying out attack; vulnerability/exploit are conditions or tools.

Correct Answer: Differences in logging formats, lack of centralized logs, “blind spots” in cloud workloads
Explanation: Host, cloud, network data may be siloed or inconsistent; visibility requires aggregation, proper instrumentation.

Correct Answer: Cipher suite
Explanation: Cipher suite includes algorithm for symmetric encryption, key exchange, and hash/signature method.

Correct Answer: Continuously compare recent behavior to baseline windows to detect anomalies
Explanation: Sliding window model uses moving windows of time/data to detect deviations from expected behavior.

Correct Answer: The environment where an attacker needs to be to exploit (e.g., local, adjacent, network)
Explanation: Attack vector indicates how remote or direct the attacker must be.

Correct Answer: Proactively looking for Indicators of Attack (IoAs) or anomalous behavior that hasn't triggered alerts yet
Explanation: Threat hunting is proactive, searching for threats; not just reacting to existing alerts.

Correct Answer: Stateful firewall maintains information about active connections; packet filtering treats each packet independently
Explanation: Stateful firewall understands context (e.g. whether a packet is part of an existing connection) while stateless packet filter does not.