4.0 Flashcards
Volatile
Temporary memory or data that is lost when power is turned off or the system is restarted.
COOP
Continuity of Operations Planning
Process ensuring essential functions continue during and after disasters
Stakeholder Management
Engaging with individuals/groups that have an interest in a process or the outcome of a process.
Communication Plan
Provides direction on how to communicate issues related to an incident.
Tabletop Exercise
A discussion-based exercise where participants sit around a table and talk through one or more scenarios, such as a cyberattack or a natural disaster.
nmap
Network scanning tool for discovering hosts, services, and network information.
openssl
Open-source library for secure communication and cryptographic protocols.
grep
Command-line utility for searching text or patterns within files using regular expressions.
curl
Command-line tool for transferring data with URLs, supporting various protocols.
head
Command-line utility displaying the beginning of a file or data stream, often used to view the initial lines of a file.
tail
Command-line utility displaying the last part of a file or data stream, often used for real-time log monitoring.
Scanless
Command-line utility that performs port scans without probing the target directly from the user's own host, aiming to avoid detection.
Reconstitution
Process of restoring systems/data to their original/functional state after a disruption or incident.
Precursors
Early indicators or warning signs preceding an event, used in identifying potential threats or vulnerabilities.
tracert
Command-line tool tracing data packet routes from source to destination, showing intermediate hops and response times.
netstat
Command-line utility displaying open network connections, routing tables, and interface statistics on a computer.
dig
Command-line tool querying DNS servers for domain information, IP addresses, DNS records, and name servers.
netcat
Command-line networking utility establishing TCP/UDP connections, sending/receiving data, and performing port scanning.
hping
Command-line utility for network packet crafting and analysis, including building custom TCP, UDP, and ICMP packets from scratch and sending ping-style requests using TCP or UDP packets.
ipconfig/ifconfig
ipconfig: Displays network configuration information (Windows).
ifconfig: Displays and configures network interfaces (Linux/Unix).
ping
Sends echo requests to a designated machine to determine if communication is possible.
netcat
Command-line utility for networking tasks such as creating TCP or UDP connections, port scanning, transferring files, and debugging network protocols.
ARP command
Allows a system administrator to view and manipulate the ARP cache on a system.
Cuckoo
A sandbox used for malware analysis.
Dnsenum
Command-line utility for DNS enumeration and information gathering, including querying DNS records, identifying subdomains, and discovering DNS zone transfers.
route
Command-line utility that provides information on current routing parameters; used to view and manipulate the IP routing table.
Sn1per
An automated scanner designed to collect a large amount of information while scanning for vulnerabilities.
chmod
A Linux command used to change access permissions of a file.
logger
Command-line utility for logging messages to system logs, allowing users to record events, errors, and informational messages for troubleshooting and monitoring purposes.
PowerShell
Microsoft Windows-based task automation and configuration management framework, consisting of a command-line shell and scripting language.
dd
Data Dump
Command-line utility for data duplication, conversion, and manipulation, commonly used for creating disk images, copying data between devices, and performing low-level data operations.
WinHex
Software for hexadecimal editing, disk editing, and data recovery on Windows systems, offering tools for analyzing and manipulating binary data, disk structures, and file systems at a low level.
FTK Imager
Forensic software for acquiring and analyzing digital evidence, including imaging drives, extracting data, and examining file systems, used in forensic investigations and data recovery tasks.
Tcpreplay
As a suite, tcpreplay is a group of free, open source utilities for editing and replaying previously captured network traffic.
As a tool, it specifically replays a PCAP file on a network.
tcpdump
Command-line packet analyzer for capturing and displaying network packets in real time, enabling users to monitor network traffic, filter packets based on criteria, and troubleshoot network issues.
theHarvester
A tool for exploring what is publicly available about your organization on the web, such as information on employees, e-mails, and subdomains. It performs open source intelligence (OSINT) gathering to help determine a domain's external threat landscape, collecting names, emails, IPs, subdomains, and URLs from multiple public resources.
Preparation
The phase of incident response that occurs before a specific incident.
Identification
The process where a team member suspects that a problem is bigger than an isolated incident and notifies the incident response team for further investigation.
Containment
The set of actions taken to constrain the incident to a minimal number of machines.
Recovery
The process of returning the asset to its business function and restoring normal business operations.
Eradication
Involves removing the problem, and in today’s complex system environment, this may mean rebuilding a clean machine.
Lessons learned
Document what went wrong and allowed the incident to occur in the first place, then examine the incident response process itself.
Walkthroughs
Examine the actual steps that take place associated with a process, procedure, or event.
Simulations
Allow personnel to go through the actual steps of an exercise but to perform response and recovery steps rather than just talk about them.
MITRE ATT&CK framework
A comprehensive matrix of attack elements, including the tactics and techniques used by attackers on a system.
Diamond Model of Intrusion Analysis
A cognitive model used by the threat intelligence community to describe a specific event.
Cyber Kill Chain
A framework used to defend against the chain of events an attacker takes, from the beginning of an attack to the end of an attack.
DRP
Disaster Recovery Plan
The data and resources necessary, and the steps required to restore critical organizational processes.
BCP
Business Continuity Plan
Describes what is needed in order for the business to continue to operate.
Data retention policy
Identifies how long data is retained, and sometimes specifies where it is stored.
Sensors
Agents placed on systems throughout a network to collect logs from devices and send these logs to the SIEM system.
Metadata
Data about data instead of the data itself; Information that describes other data.
NetFlow
A feature available on many routers and switches that can collect IP traffic statistics and send them to a NetFlow collector. Useful for detecting intrusions.
Protocol analyzer
A piece of software or an integrated software/hardware system that can capture and decode network traffic.
Dump files
Copies of what was in memory at a point in time, typically the point when some failure occurred.
The Session Initiation Protocol (SIP)
A text-based protocol used for signaling voice, video, and messaging applications over IP.
UDP port 5060
Syslog
System Logging Protocol
A standard protocol used in Linux systems to send system log or event messages to a specific server, called a syslog server.
journalctl
The command to examine logs on a server.
Non-repudiation
A situation where a statement’s author cannot successfully dispute its authorship or the validity of an associated contract.
Checksums
A small piece of data, sometimes only 1 or 2 bits, used to quickly verify the integrity of data, with the purpose of detecting errors that may have been introduced during its transmission or storage.
Provenance
Tracing something back to its origin, a reference to the origin of data.
Exploitation frameworks
Tools for discovering, developing, and executing exploits, used in penetration testing, security research, and sometimes malicious activity.
Popular Frameworks: Metasploit, Core Impact, Canvas, Exploit Pack.
Data sanitization
The process of deliberately, permanently, and irreversibly removing or destroying data stored on a memory device to ensure that it cannot be recovered.
Sensitivity
Can monitor PII, PHI, and other sensitive information to ensure regulatory compliance (HIPAA, PCI DSS, GDPR).
Trends
Can identify trends in network traffic, event volume, or changes in activities/activity levels across identities, endpoints, network, and infrastructure.
Alerts
Provide information about events on hosts and network devices. Email notification and response automation (playbooks, SOAR) are optional.
Correlation
Correlating, aggregating, and analyzing the log files from multiple sources can generate a broad, centralized view.
Bandwidth monitors
Tools that monitor and analyze network bandwidth usage to track data transfer rates, identify bottlenecks, and ensure efficient network performance.
NXLog
A multi-platform log collection and processing tool that can gather logs from different sources, process them, and forward them to various destinations.
sFlow
A packet sampling protocol that provides a scalable method of monitoring network traffic across high-speed networks.
IPFIX
IP Flow Information Export
A protocol standardized by the IETF for exporting IP flow information from routers, switches, and other network devices.
Legal hold
Protecting any documents that can be used as evidence from being altered or destroyed; sometimes called a litigation hold.
Admissibility of evidence
Evidence must be relevant to a fact at issue in the case.
Time offset
Where evidence is collected across multiple time zones, the offset from each time zone must be recorded.
Swap/pagefile
A space on a hard drive used as the virtual memory extension of a computer’s RAM.
Cache
A small, high-speed storage layer that holds frequently accessed data to speed up future requests.
Right-to-audit clauses
Written into supply chain contracts, these allow an auditor to visit the premises to inspect and ensure that the contractor is complying with contractual obligations.
Tags
Virtual 'sticky notes' or labels attached to documents, making them easier to search for and find.
Strategic intelligence/counterintelligence
Information that is vital for formulating and implementing policies, strategies, and decisions, often related to national security, defense, or business strategies.
E-discovery
The process of identifying, collecting, and producing electronically stored information (ESI) in response to a request for production in a lawsuit or investigation.
Just gathering, no analysis.