Cybersecurity Apprentice Advanced Practice Exam: Hard Questions 2025
You've made it to the final challenge! Our advanced practice exam features the most difficult questions covering complex scenarios, edge cases, architectural decisions, and expert-level concepts. If you can score well here, you're ready to ace the real Cybersecurity Apprentice exam.
Why Advanced Questions Matter
Prove your expertise with our most challenging content
Expert-Level Difficulty
The most challenging questions to truly test your mastery
Complex Scenarios
Multi-step problems requiring deep understanding and analysis
Edge Cases & Traps
Questions that cover rare situations and common exam pitfalls
Exam Readiness
If you pass this, you're ready for the real exam
Expert-Level Practice Questions
10 advanced-level questions for Cybersecurity Apprentice
A remote employee reports: "Some websites work, but others hang forever." The user is connected through a VPN that assigns 10.10.10.25/24 with gateway 10.10.10.1. The internal web portal (small pages) loads, but large external sites time out intermittently. Packet capture shows repeated TCP retransmissions and occasional ICMP "Fragmentation needed" messages from an intermediate router. Which is the MOST likely root cause and best corrective action?
A company has three VLANs: Users (10.1.10.0/24), Servers (10.1.20.0/24), and Voice (10.1.30.0/24). They added a new firewall between the core switch and upstream router. After cutover, Users can reach the internet, but cannot reach Servers. Voice phones can reach the call manager in Servers. The firewall shows sessions from Users to Servers with SYNs but no SYN-ACK returning. The switch ARP tables look normal. Which troubleshooting step MOST directly validates the suspected issue?
An attacker sends a phishing email that convinces a user to run a malicious script. The script uses PowerShell to download a payload from a legitimate cloud storage domain over HTTPS and then communicates with a command-and-control server using DNS over HTTPS (DoH). From a defensive perspective, which layered control combination is MOST effective against this kill chain while minimizing disruption to legitimate encrypted traffic?
A SOC analyst sees an internal host rapidly scanning many internal IPs on TCP/445 and then authenticating to multiple systems using the same username. Shortly after, several endpoints begin encrypting files. The organization has EDR, network security controls, and standard backups. Which action sequence BEST balances containment speed with evidence preservation and recovery success?
A company wants to reduce risk from credential theft. They currently use passwords only and have seen successful phishing. They are considering: (1) SMS-based MFA, (2) app-based TOTP, (3) push-based MFA, and (4) phishing-resistant FIDO2/WebAuthn security keys. For high-value administrative access, which choice is the MOST resilient against modern phishing techniques (including real-time proxy phishing) and why?
A security engineer is designing access control for a new internal application. Requirements: only managed devices can access it, user identity must be verified, and access should be limited to only the application (not broad network access). The company also wants consistent policy enforcement for remote and on-prem users. Which architecture best meets these requirements?
A company enables SSL/TLS inspection on outbound traffic to detect malware. Immediately, several business-critical SaaS apps fail, and some endpoints show certificate warnings. The security team wants to maintain inspection where possible while minimizing business disruption and reducing the chance of creating blind spots attackers can exploit. What is the BEST approach?
An organization is choosing between two network security designs for a branch office with limited IT staff: (1) a flat network with a single perimeter firewall, or (2) segmentation into user, server, IoT, and guest zones with inter-zone policy control. They are concerned about operational complexity and outages. Which argument BEST supports segmentation despite the added complexity?
Your SOC receives an alert: a user account logged in from an unfamiliar country, then immediately accessed internal resources and attempted to create new email forwarding rules. The user claims they are traveling but cannot confirm the forwarding change. Which set of actions is MOST appropriate as an initial response to balance security and business continuity?
A company centralizes logs from endpoints, network devices, and cloud services. During an investigation, analysts notice inconsistent timestamps across sources, making it difficult to build a reliable timeline. Some systems are off by several minutes; others by hours. What is the BEST corrective action to improve investigation quality and detection accuracy going forward?
Ready for the Real Exam?
If you're scoring 85%+ on advanced questions, you're prepared for the actual Cybersecurity Apprentice exam!
Cybersecurity Apprentice Advanced Practice Exam FAQs
Cybersecurity Apprentice is a professional certification from Palo Alto Networks that validates expertise in the cybersecurity technologies and concepts covered by the Cybersecurity Apprentice curriculum. The official exam code is PALOALTO-1.
The Cybersecurity Apprentice advanced practice exam features the most challenging questions covering complex scenarios, edge cases, and in-depth technical knowledge required to excel on the PALOALTO-1 exam.
While not required, we recommend mastering the Cybersecurity Apprentice beginner and intermediate practice exams first. The advanced exam assumes strong foundational knowledge and tests expert-level understanding.
If you can consistently score 70% on the Cybersecurity Apprentice advanced practice exam, you're likely ready for the real exam. These questions are designed to be at or above actual exam difficulty.