4.0 - Operations & Incident Response Flashcards
1
Q
Explain this command:
traceroute
A
- determine the route a packet tackes to a destination
- maps the entire path
- In Unix/Linux: traceroute
- In Windows: tracert
2
Q
Explain this command:
nslookup
A
- Query a DNS server to look up names and IP addresses
- deprecated (use dig instead)
- Found in both Windows and Linux/Unix
3
Q
Explain this command:
dig
A
- Domain Information Groper
- replaced nslookup
- More advanced domain information
- Not included in Windows but can be installed
4
Q
Explain this command:
pathping
A
- Included in Windows NT and later
- combines ping and traceroute
- first builds a map via traceroute
- then measures each hop’s round trip time and packet loss
- takes a number of minutes to run
5
Q
Explain this command:
netstat
A
- Network Statistics
- -a shows all active connections
- -b shows binaries (in Windows)
- -n prevents resolving names; shows IP addresses only
- present in many different OSs
6
Q
Explain this command:
arp -a
A
• view local ARP table
7
Q
Command to view device’s routing table?
A
- Windows: route print
* Linux / Unix: netstat -r
8
Q
Explain this command:
curl
A
- “Client URL”
* Grabs raw data from web pages, FTP, emails, databases, etc.
9
Q
Explain this command:
hping
A
- A ping that can be customized to send almost anything
* Can modify all IP, TCP, UDP, and ICMP values
10
Q
Define
Nmap
A
- Network Mapper
- Port scan to find devices and identify open ports
- Discover OS without logging into device
- Scan services available, with name, version, and details
- NSE (Nmap Scripting Engine) provides extended capabilities via additional scripts
11
Q
Explain
theHarvester
A
- Command line tool for gathering OSINT
- Scarpes information from search engines
- Find associated IP addresses, e-mail addresses, names, titles, etc.
- DNS brute force assists in finding unknown hosts
12
Q
Explain
sn1per
A
- Combines multiple reconnaissance tools into a single framework
- Allows you to search a single query and receive a single output that combines various tools’ results
- including dnsenum, metasploit, nmap, theHarvester, and much more
- Can run in non-intrusive or very intrusive modes, and anything in-between
13
Q
Explain
scanless
A
- command line tool for running port scans from a different host (port scan proxy)
- allows your own device to not be detected as the source of the scan
- You specify the scan origination, and your IP is hidden as the scan source
14
Q
Define
dnsenum
A
- Enumerate DNS information
- view host and service information from DNS servers
- Find host names in Google○ (more hosts can probably be found in the index than what is listed on a DNS server)
15
Q
Define
Nessus
A
- Industry leader in vulnerability scanning tools
- Extensive support; both free and commercial options
- Scans system, identifies known vulnerabilities, provides extensive reporting
- Graphic interface
16
Q
Define
Cuckoo
A
- A sandbox for malware
- test a file in a safe, virtualized sandbox environment
- Environment can be Windows, Linux, macOS, Android, etc.
- Tracks and trace activity of the executable you are running in it.
17
Q
Explain this command:
head
A
- like cat, but views only the first part / beginning of a file
- use -n to specify the number of lines
18
Q
Explain this command:
tail
A
- like cat, but views only the last part / ending of a file
* use -n to specify the number of lines
19
Q
Explain this command:
grep
A
- finds text in a file and displays all lines that contain it
- can search through multiple files at a time
20
Q
Explain this command:
chmod
A
- “Change Mode” of permissions on a file or folder
- r=read, w=write, e=execute
- permissions are displayed in order for owner (u), the group (g), others (o), or all (a)
21
Q
How are file/folder permissions displayed in CLI?
A
- if the first character is a d, it is a directory.
- if the first character is a -, it is a file
- the next set of three characters indicate user permissions.
- the following three characters indicate group permissions.
- the last three characters indicate permissions for all others.
- Ex: -rwe-r—- indicates a file, where a user as Read/WriteExecute, the group as read-only, and all others have no permissions.
22
Q
What are the octal notations for setting permissions?
A
- read, write, and execute (rwx)
- read and write (rw-)
- read and execute (r-x)
- read only (r–)
- write and execute (-wx)
- write only (-w-)
- execute only (–x)
- none (—)
23
Q
Explain this command:
logger
A
- adds entries to the system log
* either the local or a remote syslog file
24
Q
Explain
OpenSSL
A
- A library of utilities for SSL/TLS communication
- Create X.509 certificates
- Manage CSRs and CRLs
- Has crypto librarys to perform hashing functions, encryption/decryption
- Extensively used today
25
Q
Explain this command:
tcpdump
A
- Captures packets, like a CLI version of WireShark
- Can display packets on screen and/or write to a file
- Included in most Linux distributions
26
Q
Explain this command:
tcpreplay
A
- A suite of packet replay utilizies
- can take (and edit) info from tcpdump, and replay it on the network
- Usefuly for checking IPS signatures and firewall rules, testing IP Flow / NetFlow devices, stress testing, etc.
- Open source
27
Q
Explain this command:
dd
A
- “Data Definition”
- Linux command to create and restore disk images
- Creates a bit-by-bit copy of a drive or directory
- Used by many forensic tools
28
Q
Explain this command:
memdump
A
- Copies information in system memory to the standard output stream
- Many third-party tools can read a memory dump
- Often used in conjunction with netcat, stunnel, openssl, etc., to send the memdump to another host
- Useful for forensics
29
Q
Define
WinHex
A
- A third-party utility for Windows
- a universal hexadecimal editor
- Edit disks, files, RAM, etc.
- Includes data recovery features
- Disk cloning
- secure drive wipes
- Many more features, useful for forensics
30
Q
Explain
FTK imager
A
- disk imaging tool for Windows that can mount or image drives and perform utilities
- wide third-party support to analyze these images
- Can import other disk image formats
- Useful for forensics, wide third-party support
31
Q
Define
Autopsy
A
- a graphical tool to perform digital forensics of hard drives, smartphones, image files, etc.
- View and recover data from storage devices
- Extract covers many data types, including:○ downloaded files○ browser history and cache○ email messages○ databases
• Can potentially recover data from drives that have been re-formatted
32
Q
Explain
Exploitation Framework
A
- A type of pre-built toolkit for exploitations, useful to perform tests against your own systems
- Build custom attacks.
- Adds more tools as vulnerabilities are found
33
Q
Name two Exploitation Framework tools
A
- Metasploit is a popular one; attacks known vulnerabilities with new ones being added all the time
- SET (Social-Engineer Toolkit)
34
Q
Explain
NIST SP800-61
A
- National Institute of Standards and Technology
- Special Publication 800-61 Revision 2
- Titled “Computer Security Incident Handling Guide”
35
Q
What are the phases of a security incident lifecycle, according to NIST’s Computer Security Incident Handling Guide?
A
- Preparation
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-Incident Activity
36
Q
What are three types of Exercises?
A
- Tabletop - responders talking through and analyzing a hypothetical situation
- Walkthrough - responders testing process and procedures, walking through each step, and identifying anything found out of place
- Simulation - testing users and systems with a simulated event, such as a sending a phishing e-mail through your own systems and to your own users as a test.
37
Q
Define
COOP
A
- Continuity of Operations Planning
- Made in preparation for disaster, so you know what to do
- Outlines how to perform essential job functions during a systems outage
- May include manual transactions, paper receipts, phone calls for transaction approvals, etc.
- Must be well documented and tested before a problem occurs
38
Q
Define
MITRE ATT&CK Framework
A
- Documentation to help determine actions of an attacker
- Developed by MITRE corp, which supports several U.S. government agencies
- Assist identifying point of intrusion, understand methods used to move around, and identify potential security techniques and block future attacks
39
Q
Explain:
Diamond Model of Intrusion Analysis
A
- Designed by U.S. intelligence community
- A model to guide analysts in understanding intrusions
- Applies scientific principles to intrusion analysis
40
Q
What are the four points of the Diamond Model of Intrusion Analysis?
A
• Four points of diamond are (clockwise from the top)
○ Adversary
○ Capability
○ Victim
○ Infrastructure
41
Q
Explain
Cyber Kill Chain
A
- A framework that outlines the 7 phases of a cyber attack:
- Reconnaissance (gather intel)
- Weaponization (build a deliverable payload)
- Delivery (Send the weapon, such as an .exe over e-mail)
- Exploit (execute code on victim’s device)
- Installation (malware is installed)
- Command and Control (channel is created for remote access)
- Actions on objectives (attacker carries out objectives)
42
Q
Explain:
Dump files
A
- A dump file stores all contents of memory (usually just for a specific application) into a diagnostic file
- Can be provided to developers for troubleshooting
- In Windows Task Manager, just right-click the process and select “create dump file”
- Some applications have their own processes for creating dump files
43
Q
Explain:
syslog
A
- Standard for message logging, used by diverse systems to create a consolidated log
- Usually sent to a central logging server (SIEM)
- Each log entry is labelled with a facility code and severity level
44
Q
Define
rsyslog
A
- Rocket-fast Syslog
* A syslog daemon
45
Q
Define
syslog-ng
A
• A popular syslog daemon with additional filtering and storage options
46
Q
Define
NXLog
A
- a syslog daemon
* Collection from many diverse log types and consolidate it on a single machine
47
Q
Define
facility code
A
- Every syslog entry is labelled with a facility code
* It indicates the program that created the log
48
Q
Explain:
journalctl
A
- Linux system logs are stored in binary for optimization
- But they are not human-readable
- Journalctl provides tools to query the system journal, search, filter, and view as plain text
49
Q
Explain:
Netflow
A
- Gathers traffic statistics from all traffic flows
- This data is usually collected by “probes,” then sent and consolidated onto a central Netflow “collector” server
- Very common, standard tool with a lot of support from vendors
50
Q
Explain:
IPFIX
A
- IP Flow Information Export
- A newer, Netflow-based standard
- Allows for customization of what data to collect, and to send to centralized server
51
Q
Explain:
sFlow
A
- Sampled Flow
- Similar to Netflow, but takes only a portion of the actual network traffic
- It is therefore not technically a flow
- The sample can still provide relatively accurate statistics
- Usually embedded in infrastructure devices such as switches and routers, since it has low resource requirements
52
Q
Define
Runbook
A
- A linear checklist of steps to perform
- Useful for automation; the steps can be carried out automatically
- Used in SOAR
53
Q
Define
Playbook
A
- Like a runbook, but broader in process
- allows for conditional steps and may contain multiple runbooks
- Useful for automation of response with these processes
- Used in SOAR
54
Q
What are the three phases of Digital Forensics described in RFC 3227?
A
- Acquisition
- Analysis
- Reporting
55
Q
Define
ESI
A
- Electronically Stored Information
* Legal term for data that is held in a separate repository for legal purposes
56
Q
How are timestamps recorded in an OS?
A
- Different file systems store timestamps differently
- In FAT, time is stored in local time
- In NTFS, time is stored in GMT
- Windows Registry and other OS settings may also influence time offsets (Daylight Savings Time, etc.
- Understanding time offsets is important for Digital Forensics
57
Q
List 7 types of data in order of volatility (Most to least)
A
- CPU registers and cache
- Router table, ARP cache, process table, kernel statistics, memory
- Temporary File Systems
- Disk
- Remote Logging and monitoring data
- Physical configuration; network topology
- Archival media
58
Q
Define and list examples of:
Artifact
A
- Digital items left behind in sometimes less-than-obvious places, considered during data acquisition
- May include:○ log information○ flash memory○ prefetch cache files○ Recycle Bin○ browser bookmarks and logins
59
Q
Define
Right-to-Audit Clause
A
- Grants permission for you to know where the data is being held, how it is being accessed over the Internet, and what security features are in place to protect it
- Can be added to a contract with cloud providers
60
Q
Define
E-Discovery
A
- The gathering of data required by the legal process
* Does not generally involve analysis or make any consideration of intent
61
Q
What is the functional difference between MAC and Digital Signature?
A
- Message Authentication Code (MAC) provides non-repudiation that can be verified between the two parties in communication
- With a Digital Signature, the non-repudiation can be publicly verified using the public key
