ExamTopics Logo
Mail Us[email protected]
Menu
Cisco Discussions
exam questions

Exam 300-215 All Questions

View all questions & answers for the 300-215 exam
Go to Exam

Exam 300-215 topic 1 question 12 discussion

Actual exam question from Cisco's 300-215
Question #: 12
Topic #: 1
[All 300-215 Questions]

A security team detected an above-average amount of inbound tcp/135 connection attempts from unidentified senders. The security team is responding based on their incident response playbook. Which two elements are part of the eradication phase for this incident? (Choose two.)

  • A. anti-malware software
  • B. data and workload isolation
  • C. centralized user management
  • D. intrusion prevention system
  • E. enterprise block listing solution
Show Suggested Answer Hide Answer
Suggested Answer: CD 🗳️
by Bobster02 at July 20, 2021, 7:50 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
galliaj
10 months, 1 week ago
Selected Answer: CD
The goal is to eliminate the entry point(s) that the threat actor used to obtain access to the network [1], so adding rules to the IPS and centralized user management seem reasonable. TCP 135 is the MSRPC endpoint mapper. You can bind that port on a remote computer, anonymously, and either enumerate all the services (endpoints) available on that computer, or you can request what port a specific service is running on [2]. References: [1] https://cipher.com/blog/the-core-phases-of-incident-response-remediation/ [2] https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements
upvoted 4 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago