4.0

Question 1

Volatile

Answer 1

Temporary memory or data that is lost when power is turned off or the system is restarted.

Question 2

COOP

Answer 2

Continuity of Operations Planning
Process ensuring essential functions continue during and after disasters

Question 3

Stakeholder Management

Answer 3

Engaging with individuals/groups that have an interest in a process or the outcome of a process.

Question 4

Communication Plan

Answer 4

Provides direction on how to communicate issues related to an incident.

Question 5

Tabletop Exercise

Answer 5

A discussion-based exercise where participants sit around a table and talk through one or more scenarios, such as a cyberattack or a natural disaster.

Question 6

nmap

Answer 6

Network scanning tool for discovering hosts, services, and network information.

Question 7

openssl

Answer 7

Open-source library for secure communication and cryptographic protocols.

Question 8

grep

Answer 8

Command-line utility for searching text or patterns within files using regular expressions.

Question 9

curl

Answer 9

Command-line tool for transferring data with URLs, supporting various protocols.

Question 10

Head

Answer 10

Beginning or top part of a file or data stream, often used to display initial content.

Question 11

Tail

Answer 11

Command-line utility displaying the last part of a file or data stream, often used for real-time log monitoring.

Question 12

Scanless

Answer 12

command-line utility to perform port scans without active probing, aiming to avoid detection.

Question 13

Reconstitution

Answer 13

Process of restoring systems/data to their original/functional state after a disruption or incident.

Question 14

Precursors

Answer 14

Early indicators or warning signs preceding an event, used in identifying potential threats or vulnerabilities.

Question 15

tracert

Answer 15

Command-line tool tracing data packet routes from source to destination, showing intermediate hops and response times.

Question 16

netstat

Answer 16

Command-line utility displaying open network connections, routing tables, and interface statistics on a computer.

Question 17

dig

Answer 17

Command-line tool querying DNS servers for domain information, IP addresses, DNS records, and name servers.

Question 18

netcat

Answer 18

Command-line networking utility establishing TCP/UDP connections, sending/receiving data, and performing port scanning.

Question 19

hping

Answer 19

Command-line utility for network packet manipulation and analysis, including sending custom packets like TCP, UDP, and ICMP packets from scratch and sending ping request with TCP, UDP packets

Question 20

ipconfig/ifconfig

Answer 20

ipconfig-Displays network configuration information.
ifconfig-Displays and configures network interfaces.

Question 21

ping

Answer 21

Sends echo requests to a designated machine to determine if communication is possible.

Question 22

netcat

Answer 22

Command-line utility for networking tasks such as creating TCP or UDP connections, port scanning, transferring files, and debugging network protocols.

Question 23

ARP command

Answer 23

Allows a system administrator the ability to see and manipulate the ARP cache on a system.

Question 24

Cuckoo

Answer 24

A sandbox used for malware analysis

Question 25

Dnsenum

Answer 25

Command-line utility for DNS enumeration and information gathering, including querying DNS records, identifying subdomains, and discovering DNS zone transfers.

Question 26

route

Answer 26

Command-line utility to provide information on current routing parameters. Used to view and manipulate the IP routing table

Question 27

Sn1per

Answer 27

an automated scanner designed to collect a large amount of information while scanning for vulnerabilities.

Question 28

chmod

Answer 28

A Linux command used to change access permissions of a file.

Question 29

logger

Answer 29

Command-line utility for logging messages to system logs, allowing users to record events, errors, and informational messages for troubleshooting and monitoring purposes.

Question 30

PowerShell

Answer 30

Microsoft Windows-based task automation and configuration management framework, consisting of a command-line shell and scripting language.

Question 31

dd

Answer 31

Data Dump
Command-line utility for data duplication, conversion, and manipulation, commonly used for creating disk images, copying data between devices, and performing low-level data operations.

Question 32

WinHex

Answer 32

Software for hexadecimal editing, disk editing, and data recovery on Windows systems, offering tools for analyzing and manipulating binary data, disk structures, and file systems at a low level.

Question 33

FTK Imager

Answer 33

Forensic software for acquiring and analyzing digital evidence, including imaging drives, extracting data, and examining file systems, used in forensic investigations and data recovery tasks.

Question 34

Tcpreplay

Answer 34

As a suite, tcpreplay is a group of free, open source utilities for editing and replaying previously captured network traffic.
As a tool, it specifically replays a PCAP file on a network.

Question 35

tcpdump

Answer 35

Command-line packet analyzer for capturing and displaying network packets in real time, enabling users to monitor network traffic, filter packets based on criteria, and troubleshoot network issues.

Question 36

theHarvester

Answer 36

A useful tool for exploring what is publicly available about your organization on the web such as it can provide information on employees, e-mails, and subdomains. It performs open source intelligence (OSINT) gathering to help determine
a domain’s external threat landscape. The tool gathers names, emails, IPs, subdomains, and URLs by using multiple public resources

Question 37

Preparation

Answer 37

The phase of incident response that occurs before a specific incident.

Question 38

Identification

Answer 38

isthe process where a team member suspects that a problem is bigger than an isolated incident and notifies the incident response team for further investigation.

Question 39

Containment

Answer 39

The set of actions taken to constrain the incident to a minimal number of machines.

Question 40

Recovery

Answer 40

is the process of returning the asset into the business function and restoring normal business operations.

Question 41

Eradication

Answer 41

Involves removing the problem, and in today’s complex system environment, this may mean rebuilding a clean machine.

Question 42

Lessons learned

Answer 42

document what went wrong and allowed the incident to occur in the first place. Then examine the incident response process itself.

Question 43

Walkthroughs

Answer 43

Examine the actual steps that take place associated with a process, procedure, or event.

Question 44

Simulations

Answer 44

Allow personnel to go through the actual steps of an exercise but to perform response and recovery steps rather than just talk about them.

Question 45

MITRE ATT&CK framework

Answer 45

A comprehensive matrix of attack elements, including the tactics and techniques used by attackers on a system.

Question 46

Diamond Model of Intrusion Analysis

Answer 46

A cognitive model used by the threat intelligence community to describe a specific event

Question 47

Cyber Kill Chain

Answer 47

A framework used to defend against the chain of events an attacker takes, from the beginning of an attack to the end of an attack.

Question 48

DRP

Answer 48

Disaster Recovery Plan
The data and resources necessary, and the steps required to restore critical organizational processes.

Question 49

BCP

Answer 49

Business Continuity Plan
Describes what is needed in order for the business to continue to operate

Question 50

Data retention policy

Answer 50

Identifies how long data is retained, and sometimes specifies where it is stored.

Question 51

Sensors

Answer 51

Agents placed on systems throughout a network to collect logs from devices and send these logs to the SIEM system.

Question 52

Metadata

Answer 52

Data about data instead of the data itself; Information that describes other data.

Question 53

NetFlow

Answer 53

A feature available on many routers and switches that can collect IP traffic statistics and send them to a NetFlow collector. Useful for intrusions.

Question 54

Protocol analyzer

Answer 54

A piece of software or an integrated software/hardware system that can capture and decode network traffic.

Question 55

Dump files

Answer 55

are copies of what was in memory at a point in time—typically a point when some failure occurred

Question 56

The Session Initiation Protocol (SIP)

Answer 56

A text-based protocol used for signaling voice, video, and messaging applications over IP.
UDP port 5060

Question 57

Syslog

Answer 57

System Logging Protocol
A standard protocol used in Linux systems to send system log or event messages to a specific server, called a syslog server.

Question 58

Journalctl

Answer 58

The command to examine logs on a server.

Question 59

Non-repudiation

Answer 59

A situation where a statement’s author cannot successfully dispute its authorship or the validity of an associated contract.

Question 60

Checksums

Answer 60

a small piece of data, sometimes only 1 or 2 bits, and is used to quickly verify the integrity of data. The purpose of detecting errors that may have been introduced during its transmission or storage.

Question 61

Provenance

Answer 61

Tracing something back to its origin, a reference to the origin of data.

Question 62

Exploitation frameworks

Answer 62

Tools for discovering, developing, and executing exploits. Penetration testing, security research, and sometimes malicious activities.

Popular Frameworks: Metasploit, Core Impact, Canvas, Exploit Pack.

Question 63

Data sanitization

Answer 63

The process of deliberately, permanently, and irreversibly removing or destroying data stored on a memory device to ensure that it cannot be recovered.

Question 64

Sensitivity

Answer 64

Can monitor PII, PHI, and other sensitive information to ensure regulatory compliance (HIPAA, PCI DSS, GDPR)

Question 65

Trends

Answer 65

Can identify trends in network traffic, event volume, or changes in activities/ activity levels across identities, endpoints, network and infrastructure.

Question 66

Alerts

Answer 66

Provide information about events on hosts and network devices. Email notification and response automation (playbooks, SOAR) optional.

Question 67

Correlation

Answer 67

Correlates, aggregates, and analyzes the log files from multiple sources can generate a broad, centralized view.

Question 68

Bandwidth monitors

Answer 68

Tools that monitor and analyze network bandwidth usage to track data transfer rates, identify bottlenecks, and ensure efficient network performance.

Question 69

NXLog

Answer 69

A multi-platform log collection and processing tool that can gather logs from different sources, process them, and forward them to various destinations.

Question 70

Sflow

Answer 70

A packet sampling protocol that provides a scalable method of monitoring network traffic across high-speed networks.

Question 71

IPFIX

Answer 71

IP Flow Information Export
A protocol standardized by the IETF for exporting IP flow information from routers, switches, and other network devices.

Question 72

Legal hold

Answer 72

protecting any documents that can be used in evidence from being altered or destroyed. sometimes called litigation hold

Question 73

Admissibility Evidence

Answer 73

Evidence must be relevant to a fact at issue in the case.

Question 74

Time offset

Answer 74

where evidence is collected across multiple time zones, you must record offset based on time zone.

Question 75

Swap/pagefile

Answer 75

A space on a hard drive used as the virtual memory extension of a computer’s RAM.

Question 76

Cache

Answer 76

A small, high-speed storage layer that holds frequently accessed data to speed up future requests.

Question 77

Right-to-audit clauses

Answer 77

Written into supply chain contracts, allow an auditor can visit the premises to inspect and ensure that the contractor is complying with contractual obligations.

Question 78

Tags

Answer 78

Are virtual ‘sticky notes’ or labels attached to documents, making them easier to search/find.

Question 79

Strategic intelligence/
counterintelligence

Answer 79

Information that is vital for formulating and implementing policies, strategies, and decisions, often related to national security, defense, or business strategies.

Question 80

E-discovery

Answer 80

The process of identifying, collecting, and producing electronically stored information (ESI) in response to a request for production in a lawsuit or investigation.

Just gathering, no analyzation.