
250-441 Online Practice Questions and Answers

Question 4

What is the second stage of an Advanced Persistent Threat (APT) attack?

A. Exfiltration

B. Incursion

C. Discovery

D. Capture

Question 5

Which SEP technologies are used by ATP to enforce the blacklisting of files?

A. Application and Device Control

B. SONAR and Bloodhound

C. System Lockdown and Download Insight

D. Intrusion Prevention and Browser Intrusion Prevention

Question 6

What is the role of Insight within the Advanced Threat Protection (ATP) solution?

A. Reputation-based security

B. Detonation/sandbox

C. Network detection component

D. Event correlation

Question 7

In which stage of an Advanced Persistent Threat (APT) attack does social engineering occur?

A. Capture

B. Incursion

C. Discovery

D. Exfiltration

Question 8

Why is it important for an Incident Responder to review Related Incidents and Events when analyzing an incident for an After Actions Report?

A. It ensures that the Incident is resolved, and the responder can clean up the infection.

B. It ensures that the Incident is resolved, and the responder can determine the best remediation method.

C. It ensures that the Incident is resolved, and the threat is NOT continuing to spread to other parts of the environment.

D. It ensures that the Incident is resolved, and the responder can close out the incident in the ATP manager.

Question 9

How can an Incident Responder generate events for a site that was identified as malicious but has NOT triggered any events or incidents in ATP?

A. Assign a High-Security Antivirus and Antispyware policy in the Symantec Endpoint Protection Manager (SEPM).

B. Run an indicators of compromise (IOC) search in ATP manager.

C. Create a firewall rule in the Symantec Endpoint Protection Manager (SEPM) or perimeter firewall that blocks traffic to the domain.

D. Add the site to a blacklist in ATP manager.

Question 10

An Incident Responder runs an endpoint search on a client group with 100 endpoints. After one day, the responder sees the results for 90 endpoints.

What is a possible reason for the search only returning results for 90 of 100 endpoints?

A. The search expired after one hour

B. 10 endpoints are offline

C. The search returned 0 results on 10 endpoints

D. 10 endpoints restarted and cancelled the search

Question 11

Which National Institute of Standards and Technology (NIST) cybersecurity function includes Risk Assessment or Risk Management Strategy?

A. Recover

B. Protect

C. Respond

D. Identify

Question 12

Which two questions can an Incident Responder answer when analyzing an incident in ATP? (Choose two.)

A. Does the organization need to do a health check in the environment?

B. Are certain endpoints being repeatedly attacked?

C. Is the organization being attacked by this external entity repeatedly?

D. Do ports need to be blocked or opened on the firewall?

E. Does a risk assessment need to happen in the environment?

Question 13

What is a benefit of using Microsoft SQL as the Symantec Endpoint Protection Manager (SEPM) database in regard to ATP?

A. It allows for Microsoft Incident Responders to assist in remediation

B. ATP can access the database using a log collector on the SEPM host

C. It allows for Symantec Incident Responders to assist in remediation

D. ATP can access the database without any special host system requirements

Exam Code: 250-441
Exam Name: Administration of Symantec Advanced Threat Protection 3.0
Last Update: Apr 29, 2024
Questions: 95 Q&As