Free Cisco 300-215 Practice Questions 2026 | Conducting Forensic Analysis and Incident Response Using Cisco CyberOps Technologies (CBRFIR)
Updated on: 25-May-2026
Refer to the exhibit.

An engineer is analyzing a .LNK (shortcut) file recently received as an email attachment and blocked by email security as suspicious. What is the next step an engineer should take?
A. Delete the suspicious email with the attachment as the file is a shortcut extension and does not represent any threat.
B. Upload the file to a virus checking engine to compare with well-known viruses as the file is a virus disguised as a legitimate extension.
C. Quarantine the file within the endpoint antivirus solution as the file is a ransomware which will encrypt the documents of a victim.
D. Open the file in a sandbox environment for further behavioral analysis as the file contains a malicious script that runs on execution.
Refer to the exhibit.

What should an engineer determine from this Wireshark capture of suspicious network traffic?
A. There are signs of a SYN flood attack, and the engineer should increase the backlog and recycle the oldest half-open TCP connections.
B. There are signs of a malformed packet attack, and the engineer should limit the packet size and set a threshold of bytes as a countermeasure.
C. There are signs of a DNS attack, and the engineer should hide the BIND version and restrict zone transfers as a countermeasure.
D. There are signs of ARP spoofing, and the engineer should use Static ARP entries and IP address-to-MAC address mappings as a countermeasure.
An engineer must advise on how YARA rules can enhance detection capabilities. What can YARA rules be used to identify?
A. suspicious web requests
B. suspicious files that match specific conditions
C. suspicious emails and possible phishing attempts
D. network traffic patterns
An organization experienced a sophisticated phishing attack that resulted in the compromise of confidential information from thousands of user accounts. The threat actor used a land-and-expand approach, where the initially accessed account was used to spread emails further. The organization's cybersecurity team must conduct an in-depth root cause analysis to uncover the central factor or factors responsible for the success of the phishing attack. The very first victim of the attack was the user with email 500236186@test.com. The primary objective is to formulate effective strategies for preventing similar incidents in the future. What should the cybersecurity engineer prioritize in the root cause analysis report to demonstrate the underlying cause of the incident?
A. investigation into the specific vulnerabilities or weaknesses in the organization's email security systems that were exploited by the attackers
B. evaluation of the organization's incident response procedures and the performance of the incident response team
C. examination of the organization's network traffic logs to identify patterns of unusual behavior leading up to the attack
D. comprehensive analysis of the initial user for presence of an insider who gained monetary value by allowing the attack to happen
Refer to the exhibit.

A security analyst notices that a web application running on NGINX is generating an unusual number of log messages. The application is operational and reachable. What is the cause of this activity?
A. botnet infection
B. directory fuzzing
C. DDoS attack
D. SQL injection
Refer to the exhibit.

Which two actions should be taken based on the intelligence information? (Choose two.)
A. Block network access to all .shop domains.
B. Add a SIEM rule to alert on connections to identified domains.
C. Use the DNS server to blackhole all .shop requests.
D. Block network access to identified domains.
E. Route traffic from identified domains to a blackhole.
D. Block network access to identified domains.
A cybersecurity analyst must identify an unknown service causing high CPU on a Windows server. What tool should be used?
A. Volatility to analyze memory dumps for forensic investigation
B. Process Explorer from the Sysinternals Suite to monitor and examine active processes
C. TCPdump to capture and analyze network packets
D. SIFT (SANS Investigative Forensic Toolkit) for comprehensive digital forensics
What is the goal of an incident response plan?
A. to identify critical systems and resources in an organization
B. to ensure systems are in place to prevent an attack
C. to determine security weaknesses and recommend solutions
D. to contain an attack and prevent it from spreading
Which technique is used to evade detection from security products by executing arbitrary code in the address space of a separate live operation?
A. process injection
B. privilege escalation
C. GPO modification
D. token manipulation
Drag and drop the cloud characteristic from the left onto the challenges presented for gathering evidence on the right.
Page 2 of 13