4.0 - Operations & Incident Response Flashcards

1
Q

Explain this command:

traceroute

A
  • determine the route a packet takes to a destination
  • maps the entire path
  • In Unix/Linux: traceroute
  • In Windows: tracert
2
Q

Explain this command:

nslookup

A
  • Query a DNS server to look up names and IP addresses
  • deprecated (use dig instead)
  • Found in both Windows and Linux/Unix
3
Q

Explain this command:

dig

A
  • Domain Information Groper
  • replaced nslookup
  • More advanced domain information
  • Not included in Windows but can be installed
4
Q

Explain this command:

pathping

A
  • Included in Windows NT and later
  • combines ping and traceroute
  • first builds a map via traceroute
  • then measures each hop’s round trip time and packet loss
  • takes a number of minutes to run
5
Q

Explain this command:

netstat

A
  • Network Statistics
  • -a shows all active connections
  • -b shows binaries (in Windows)
  • -n prevents resolving names; shows IP addresses only
  • present in many different OSs
6
Q

Explain this command:

arp -a

A
  • view local ARP table
7
Q

Command to view device’s routing table?

A
  • Windows: route print
  • Linux / Unix: netstat -r
8
Q

Explain this command:

curl

A
  • “Client URL”
  • Grabs raw data from web pages, FTP, emails, databases, etc.
9
Q

Explain this command:

hping

A
  • A ping that can be customized to send almost anything
  • Can modify all IP, TCP, UDP, and ICMP values
10
Q

Define

Nmap

A
  • Network Mapper
  • Port scan to find devices and identify open ports
  • Discover OS without logging into device
  • Scan services available, with name, version, and details
  • NSE (Nmap Scripting Engine) provides extended capabilities via additional scripts
11
Q

Explain

theHarvester

A
  • Command line tool for gathering OSINT
  • Scrapes information from search engines
  • Find associated IP addresses, e-mail addresses, names, titles, etc.
  • DNS brute force assists in finding unknown hosts
12
Q

Explain

sn1per

A
  • Combines multiple reconnaissance tools into a single framework
  • Allows you to search a single query and receive a single output that combines various tools’ results
  • including dnsenum, metasploit, nmap, theHarvester, and much more
  • Can run in non-intrusive or very intrusive modes, and anything in-between
13
Q

Explain

scanless

A
  • command line tool for running port scans from a different host (port scan proxy)
  • allows your own device to not be detected as the source of the scan
  • You specify the scan origination, and your IP is hidden as the scan source
14
Q

Define

dnsenum

A
  • Enumerate DNS information
  • view host and service information from DNS servers
  • Find host names in Google (more hosts can probably be found in the index than what is listed on a DNS server)
15
Q

Define

Nessus

A
  • Industry leader in vulnerability scanning tools
  • Extensive support; both free and commercial options
  • Scans system, identifies known vulnerabilities, provides extensive reporting
  • Graphic interface
16
Q

Define

Cuckoo

A
  • A sandbox for malware
  • test a file in a safe, virtualized sandbox environment
  • Environment can be Windows, Linux, macOS, Android, etc.
  • Tracks and traces the activity of the executable you are running in it
17
Q

Explain this command:

head

A
  • like cat, but views only the first part / beginning of a file
  • use -n to specify the number of lines
18
Q

Explain this command:

tail

A
  • like cat, but views only the last part / ending of a file
  • use -n to specify the number of lines
19
Q

Explain this command:

grep

A
  • finds text in a file and displays all lines that contain it
  • can search through multiple files at a time
20
Q

Explain this command:

chmod

A
  • “Change Mode” of permissions on a file or folder
  • r=read, w=write, x=execute
  • permissions are displayed in order for owner (u), the group (g), others (o), or all (a)
21
Q

How are file/folder permissions displayed in CLI?

A
  • if the first character is a d, it is a directory.
  • if the first character is a -, it is a file
  • the next set of three characters indicate user permissions.
  • the following three characters indicate group permissions.
  • the last three characters indicate permissions for all others.
  • Ex: -rwxr----- indicates a file where the user has read/write/execute, the group has read-only, and all others have no permissions.
22
Q

What are the octal notations for setting permissions?

A
  • 7 = read, write, and execute (rwx)
  • 6 = read and write (rw-)
  • 5 = read and execute (r-x)
  • 4 = read only (r--)
  • 3 = write and execute (-wx)
  • 2 = write only (-w-)
  • 1 = execute only (--x)
  • 0 = none (---)
23
Q

Explain this command:

logger

A
  • adds entries to the system log
  • either the local or a remote syslog file
24
Q

Explain

OpenSSL

A
  • A library of utilities for SSL/TLS communication
  • Create X.509 certificates
  • Manage CSRs and CRLs
  • Has crypto libraries to perform hashing functions and encryption/decryption
  • Extensively used today
25
Q

Explain this command:

tcpdump

A
  • Captures packets, like a CLI version of WireShark
  • Can display packets on screen and/or write to a file
  • Included in most Linux distributions
26
Q

Explain this command:

tcpreplay

A
  • A suite of packet replay utilities
  • can take (and edit) info from tcpdump, and replay it on the network
  • Useful for checking IPS signatures and firewall rules, testing IP Flow / NetFlow devices, stress testing, etc.
  • Open source
27
Q

Explain this command:

dd

A
  • “Data Definition”
  • Linux command to create and restore disk images
  • Creates a bit-by-bit copy of a drive or directory
  • Used by many forensic tools
28
Q

Explain this command:

memdump

A
  • Copies information in system memory to the standard output stream
  • Many third-party tools can read a memory dump
  • Often used in conjunction with netcat, stunnel, openssl, etc., to send the memdump to another host
  • Useful for forensics
29
Q

Define

WinHex

A
  • A third-party utility for Windows
  • a universal hexadecimal editor
  • Edit disks, files, RAM, etc.
  • Includes data recovery features
  • Disk cloning
  • secure drive wipes
  • Many more features, useful for forensics
30
Q

Explain

FTK imager

A
  • disk imaging tool for Windows that can mount or image drives and perform utilities
  • wide third-party support to analyze these images
  • Can import other disk image formats
  • Useful for forensics, wide third-party support
31
Q

Define

Autopsy

A
  • a graphical tool to perform digital forensics of hard drives, smartphones, image files, etc.
  • View and recover data from storage devices
  • Extraction covers many data types, including:
    ○ downloaded files
    ○ browser history and cache
    ○ email messages
    ○ databases
  • Can potentially recover data from drives that have been re-formatted
32
Q

Explain

Exploitation Framework

A
  • A type of pre-built toolkit for exploitations, useful to perform tests against your own systems
  • Build custom attacks.
  • Adds more tools as vulnerabilities are found
33
Q

Name two Exploitation Framework tools

A
  • Metasploit is a popular one; attacks known vulnerabilities with new ones being added all the time
  • SET (Social-Engineer Toolkit)
34
Q

Explain

NIST SP800-61

A
  • National Institute of Standards and Technology
  • Special Publication 800-61 Revision 2
  • Titled “Computer Security Incident Handling Guide”
35
Q

What are the phases of a security incident lifecycle, according to NIST’s Computer Security Incident Handling Guide?

A
  • Preparation
  • Detection and Analysis
  • Containment, Eradication, and Recovery
  • Post-Incident Activity
36
Q

What are three types of Exercises?

A
  • Tabletop - responders talking through and analyzing a hypothetical situation
  • Walkthrough - responders testing process and procedures, walking through each step, and identifying anything found out of place
  • Simulation - testing users and systems with a simulated event, such as sending a phishing e-mail through your own systems to your own users as a test
37
Q

Define

COOP

A
  • Continuity of Operations Planning
  • Made in preparation for disaster, so you know what to do
  • Outlines how to perform essential job functions during a systems outage
  • May include manual transactions, paper receipts, phone calls for transaction approvals, etc.
  • Must be well documented and tested before a problem occurs
38
Q

Define

MITRE ATT&CK Framework

A
  • Documentation to help determine actions of an attacker
  • Developed by MITRE corp, which supports several U.S. government agencies
  • Assists in identifying the point of intrusion, understanding the methods used to move around, and identifying security techniques to block future attacks
39
Q

Explain:

Diamond Model of Intrusion Analysis

A
  • Designed by U.S. intelligence community
  • A model to guide analysts in understanding intrusions
  • Applies scientific principles to intrusion analysis
40
Q

What are the four points of the Diamond Model of Intrusion Analysis?

A
  • Four points of the diamond are (clockwise from the top):
    ○ Adversary
    ○ Capability
    ○ Victim
    ○ Infrastructure
41
Q

Explain

Cyber Kill Chain

A
  • A framework that outlines the 7 phases of a cyber attack:
  • Reconnaissance (gather intel)
  • Weaponization (build a deliverable payload)
  • Delivery (Send the weapon, such as an .exe over e-mail)
  • Exploit (execute code on victim’s device)
  • Installation (malware is installed)
  • Command and Control (channel is created for remote access)
  • Actions on objectives (attacker carries out objectives)
42
Q

Explain:

Dump files

A
  • A dump file stores all contents of memory (usually just for a specific application) into a diagnostic file
  • Can be provided to developers for troubleshooting
  • In Windows Task Manager, just right-click the process and select “create dump file”
  • Some applications have their own processes for creating dump files
43
Q

Explain:

syslog

A
  • Standard for message logging, used by diverse systems to create a consolidated log
  • Usually sent to a central logging server (SIEM)
  • Each log entry is labelled with a facility code and severity level
44
Q

Define

rsyslog

A
  • Rocket-fast Syslog
  • A syslog daemon
45
Q

Define

syslog-ng

A
  • A popular syslog daemon with additional filtering and storage options
46
Q

Define

NXLog

A
  • a syslog daemon
  • Collects many diverse log types and consolidates them on a single machine
47
Q

Define

facility code

A
  • Every syslog entry is labelled with a facility code
  • It indicates the program that created the log
48
Q

Explain:

journalctl

A
  • Linux system logs are stored in binary for optimization
  • But they are not human-readable
  • Journalctl provides tools to query the system journal, search, filter, and view as plain text
49
Q

Explain:

Netflow

A
  • Gathers traffic statistics from all traffic flows
  • This data is usually collected by “probes,” then sent and consolidated onto a central Netflow “collector” server
  • Very common, standard tool with a lot of support from vendors
50
Q

Explain:

IPFIX

A
  • IP Flow Information Export
  • A newer, Netflow-based standard
  • Allows for customization of what data to collect, and to send to centralized server
51
Q

Explain:

sFlow

A
  • Sampled Flow
  • Similar to Netflow, but takes only a portion of the actual network traffic
  • It is therefore not technically a flow
  • The sample can still provide relatively accurate statistics
  • Usually embedded in infrastructure devices such as switches and routers, since it has low resource requirements
52
Q

Define

Runbook

A
  • A linear checklist of steps to perform
  • Useful for automation; the steps can be carried out automatically
  • Used in SOAR
53
Q

Define

Playbook

A
  • Like a runbook, but broader in process
  • allows for conditional steps and may contain multiple runbooks
  • Useful for automation of response with these processes
  • Used in SOAR
54
Q

What are the three phases of Digital Forensics described in RFC 3227?

A
  • Acquisition
  • Analysis
  • Reporting
55
Q

Define

ESI

A
  • Electronically Stored Information
  • Legal term for data that is held in a separate repository for legal purposes
56
Q

How are timestamps recorded in an OS?

A
  • Different file systems store timestamps differently
  • In FAT, time is stored in local time
  • In NTFS, time is stored in GMT
  • Windows Registry and other OS settings may also influence time offsets (Daylight Saving Time, etc.)
  • Understanding time offsets is important for Digital Forensics
57
Q

List 7 types of data in order of volatility (Most to least)

A
  • CPU registers and cache
  • Router table, ARP cache, process table, kernel statistics, memory
  • Temporary File Systems
  • Disk
  • Remote Logging and monitoring data
  • Physical configuration; network topology
  • Archival media
58
Q

Define and list examples of:

Artifact

A
  • Digital items left behind in sometimes less-than-obvious places, considered during data acquisition
  • May include:
    ○ log information
    ○ flash memory
    ○ prefetch cache files
    ○ Recycle Bin
    ○ browser bookmarks and logins
59
Q

Define

Right-to-Audit Clause

A
  • Grants permission for you to know where the data is being held, how it is being accessed over the Internet, and what security features are in place to protect it
  • Can be added to a contract with cloud providers
60
Q

Define

E-Discovery

A
  • The gathering of data required by the legal process
  • Does not generally involve analysis or make any consideration of intent
61
Q

What is the functional difference between MAC and Digital Signature?

A
  • Message Authentication Code (MAC) provides non-repudiation that can be verified between the two parties in communication
  • With a Digital Signature, the non-repudiation can be publicly verified using the public key