4.0 - Operations & Incident Response

Question 1

Explain this command:

traceroute

Answer 1

• determine the route a packet tackes to a destination
• maps the entire path
• In Unix/Linux: traceroute
• In Windows: tracert

Question 2

Explain this command:

nslookup

Answer 2

• Query a DNS server to look up names and IP addresses
• deprecated (use dig instead)
• Found in both Windows and Linux/Unix

Question 3

Explain this command:

dig

Answer 3

• Domain Information Groper
• replaced nslookup
• More advanced domain information
• Not included in Windows but can be installed

Question 4

Explain this command:

pathping

Answer 4

• Included in Windows NT and later
• combines ping and traceroute
• first builds a map via traceroute
• then measures each hop’s round trip time and packet loss
• takes a number of minutes to run

Question 5

Explain this command:

netstat

Answer 5

• Network Statistics
• -a shows all active connections
• -b shows binaries (in Windows)
• -n prevents resolving names; shows IP addresses only
• present in many different OSs

Question 6

Explain this command:

arp -a

Answer 6

• view local ARP table

Question 7

Command to view device’s routing table?

Answer 7

• Windows: route print

* Linux / Unix: netstat -r

Question 8

Explain this command:

curl

Answer 8

• “Client URL”

* Grabs raw data from web pages, FTP, emails, databases, etc.

Question 9

Explain this command:

hping

Answer 9

• A ping that can be customized to send almost anything

* Can modify all IP, TCP, UDP, and ICMP values

Question 10

Define

Nmap

Answer 10

• Network Mapper
• Port scan to find devices and identify open ports
• Discover OS without logging into device
• Scan services available, with name, version, and details
• NSE (Nmap Scripting Engine) provides extended capabilities via additional scripts

Question 11

Explain

theHarvester

Answer 11

• Command line tool for gathering OSINT
• Scarpes information from search engines
• Find associated IP addresses, e-mail addresses, names, titles, etc.
• DNS brute force assists in finding unknown hosts

Question 12

Explain

sn1per

Answer 12

• Combines multiple reconnaissance tools into a single framework
• Allows you to search a single query and receive a single output that combines various tools’ results
• including dnsenum, metasploit, nmap, theHarvester, and much more
• Can run in non-intrusive or very intrusive modes, and anything in-between

Question 13

Explain

scanless

Answer 13

• command line tool for running port scans from a different host (port scan proxy)
• allows your own device to not be detected as the source of the scan
• You specify the scan origination, and your IP is hidden as the scan source

Question 14

Define

dnsenum

Answer 14

• Enumerate DNS information
• view host and service information from DNS servers
• Find host names in Google○ (more hosts can probably be found in the index than what is listed on a DNS server)

Question 15

Define

Nessus

Answer 15

• Industry leader in vulnerability scanning tools
• Extensive support; both free and commercial options
• Scans system, identifies known vulnerabilities, provides extensive reporting
• Graphic interface

Question 16

Define

Cuckoo

Answer 16

• A sandbox for malware
• test a file in a safe, virtualized sandbox environment
• Environment can be Windows, Linux, macOS, Android, etc.
• Tracks and trace activity of the executable you are running in it.

Question 17

Explain this command:

head

Answer 17

• like cat, but views only the first part / beginning of a file
• use -n to specify the number of lines

Question 18

Explain this command:

tail

Answer 18

• like cat, but views only the last part / ending of a file

* use -n to specify the number of lines

Question 19

Explain this command:

grep

Answer 19

• finds text in a file and displays all lines that contain it
• can search through multiple files at a time

Question 20

Explain this command:

chmod

Answer 20

• “Change Mode” of permissions on a file or folder
• r=read, w=write, e=execute
• permissions are displayed in order for owner (u), the group (g), others (o), or all (a)

Question 21

How are file/folder permissions displayed in CLI?

Answer 21

• if the first character is a d, it is a directory.
• if the first character is a -, it is a file
• the next set of three characters indicate user permissions.
• the following three characters indicate group permissions.
• the last three characters indicate permissions for all others.
• Ex: -rwe-r—- indicates a file, where a user as Read/WriteExecute, the group as read-only, and all others have no permissions.

Question 22

What are the octal notations for setting permissions?

Answer 22

7. read, write, and execute (rwx)
8. read and write (rw-)
9. read and execute (r-x)
10. read only (r–)
11. write and execute (-wx)
12. write only (-w-)
13. execute only (–x)
14. none (—)

Question 23

Explain this command:

logger

Answer 23

• adds entries to the system log

* either the local or a remote syslog file

Question 24

Explain

OpenSSL

Answer 24

• A library of utilities for SSL/TLS communication
• Create X.509 certificates
• Manage CSRs and CRLs
• Has crypto librarys to perform hashing functions, encryption/decryption
• Extensively used today

Question 25

Explain this command:

tcpdump

Answer 25

• Captures packets, like a CLI version of WireShark
• Can display packets on screen and/or write to a file
• Included in most Linux distributions

Question 26

Explain this command:

tcpreplay

Answer 26

• A suite of packet replay utilizies
• can take (and edit) info from tcpdump, and replay it on the network
• Usefuly for checking IPS signatures and firewall rules, testing IP Flow / NetFlow devices, stress testing, etc.
• Open source

Question 27

Explain this command:

dd

Answer 27

• “Data Definition”
• Linux command to create and restore disk images
• Creates a bit-by-bit copy of a drive or directory
• Used by many forensic tools

Question 28

Explain this command:

memdump

Answer 28

• Copies information in system memory to the standard output stream
• Many third-party tools can read a memory dump
• Often used in conjunction with netcat, stunnel, openssl, etc., to send the memdump to another host
• Useful for forensics

Question 29

Define

WinHex

Answer 29

• A third-party utility for Windows
• a universal hexadecimal editor
• Edit disks, files, RAM, etc.
• Includes data recovery features
• Disk cloning
• secure drive wipes
• Many more features, useful for forensics

Question 30

Explain

FTK imager

Answer 30

• disk imaging tool for Windows that can mount or image drives and perform utilities
• wide third-party support to analyze these images
• Can import other disk image formats
• Useful for forensics, wide third-party support

Question 31

Define

Autopsy

Answer 31

• a graphical tool to perform digital forensics of hard drives, smartphones, image files, etc.
• View and recover data from storage devices
• Extract covers many data types, including:○ downloaded files○ browser history and cache○ email messages○ databases

• Can potentially recover data from drives that have been re-formatted

Question 32

Explain

Exploitation Framework

Answer 32

• A type of pre-built toolkit for exploitations, useful to perform tests against your own systems
• Build custom attacks.
• Adds more tools as vulnerabilities are found

Question 33

Name two Exploitation Framework tools

Answer 33

• Metasploit is a popular one; attacks known vulnerabilities with new ones being added all the time
• SET (Social-Engineer Toolkit)

Question 34

Explain

NIST SP800-61

Answer 34

• National Institute of Standards and Technology
• Special Publication 800-61 Revision 2
• Titled “Computer Security Incident Handling Guide”

Question 35

What are the phases of a security incident lifecycle, according to NIST’s Computer Security Incident Handling Guide?

Answer 35

• Preparation
• Detection and Analysis
• Containment, Eradication, and Recovery
• Post-Incident Activity

Question 36

What are three types of Exercises?

Answer 36

• Tabletop - responders talking through and analyzing a hypothetical situation
• Walkthrough - responders testing process and procedures, walking through each step, and identifying anything found out of place
• Simulation - testing users and systems with a simulated event, such as a sending a phishing e-mail through your own systems and to your own users as a test.

Question 37

Define

COOP

Answer 37

• Continuity of Operations Planning
• Made in preparation for disaster, so you know what to do
• Outlines how to perform essential job functions during a systems outage
• May include manual transactions, paper receipts, phone calls for transaction approvals, etc.
• Must be well documented and tested before a problem occurs

Question 38

Define

MITRE ATT&CK Framework

Answer 38

• Documentation to help determine actions of an attacker
• Developed by MITRE corp, which supports several U.S. government agencies
• Assist identifying point of intrusion, understand methods used to move around, and identify potential security techniques and block future attacks

Question 39

Explain:

Diamond Model of Intrusion Analysis

Answer 39

• Designed by U.S. intelligence community
• A model to guide analysts in understanding intrusions
• Applies scientific principles to intrusion analysis

Question 40

What are the four points of the Diamond Model of Intrusion Analysis?

Answer 40

• Four points of diamond are (clockwise from the top)

○ Adversary

○ Capability

○ Victim

○ Infrastructure

Question 41

Explain

Cyber Kill Chain

Answer 41

• A framework that outlines the 7 phases of a cyber attack:
• Reconnaissance (gather intel)
• Weaponization (build a deliverable payload)
• Delivery (Send the weapon, such as an .exe over e-mail)
• Exploit (execute code on victim’s device)
• Installation (malware is installed)
• Command and Control (channel is created for remote access)
• Actions on objectives (attacker carries out objectives)

Question 42

Explain:

Dump files

Answer 42

• A dump file stores all contents of memory (usually just for a specific application) into a diagnostic file
• Can be provided to developers for troubleshooting
• In Windows Task Manager, just right-click the process and select “create dump file”
• Some applications have their own processes for creating dump files

Question 43

Explain:

syslog

Answer 43

• Standard for message logging, used by diverse systems to create a consolidated log
• Usually sent to a central logging server (SIEM)
• Each log entry is labelled with a facility code and severity level

Question 44

Define

rsyslog

Answer 44

• Rocket-fast Syslog

* A syslog daemon

Question 45

Define

syslog-ng

Answer 45

• A popular syslog daemon with additional filtering and storage options

Question 46

Define

NXLog

Answer 46

• a syslog daemon

* Collection from many diverse log types and consolidate it on a single machine

Question 47

Define

facility code

Answer 47

• Every syslog entry is labelled with a facility code

* It indicates the program that created the log

Question 48

Explain:

journalctl

Answer 48

• Linux system logs are stored in binary for optimization
• But they are not human-readable
• Journalctl provides tools to query the system journal, search, filter, and view as plain text

Question 49

Explain:

Netflow

Answer 49

• Gathers traffic statistics from all traffic flows
• This data is usually collected by “probes,” then sent and consolidated onto a central Netflow “collector” server
• Very common, standard tool with a lot of support from vendors

Question 50

Explain:

IPFIX

Answer 50

• IP Flow Information Export
• A newer, Netflow-based standard
• Allows for customization of what data to collect, and to send to centralized server

Question 51

Explain:

sFlow

Answer 51

• Sampled Flow
• Similar to Netflow, but takes only a portion of the actual network traffic
• It is therefore not technically a flow
• The sample can still provide relatively accurate statistics
• Usually embedded in infrastructure devices such as switches and routers, since it has low resource requirements

Question 52

Define

Runbook

Answer 52

• A linear checklist of steps to perform
• Useful for automation; the steps can be carried out automatically
• Used in SOAR

Question 53

Define

Playbook

Answer 53

• Like a runbook, but broader in process
• allows for conditional steps and may contain multiple runbooks
• Useful for automation of response with these processes
• Used in SOAR

Question 54

What are the three phases of Digital Forensics described in RFC 3227?

Answer 54

• Acquisition
• Analysis
• Reporting

Question 55

Define

ESI

Answer 55

• Electronically Stored Information

* Legal term for data that is held in a separate repository for legal purposes

Question 56

How are timestamps recorded in an OS?

Answer 56

• Different file systems store timestamps differently
• In FAT, time is stored in local time
• In NTFS, time is stored in GMT
• Windows Registry and other OS settings may also influence time offsets (Daylight Savings Time, etc.
• Understanding time offsets is important for Digital Forensics

Question 57

List 7 types of data in order of volatility (Most to least)

Answer 57

• CPU registers and cache
• Router table, ARP cache, process table, kernel statistics, memory
• Temporary File Systems
• Disk
• Remote Logging and monitoring data
• Physical configuration; network topology
• Archival media

Question 58

Define and list examples of:

Artifact

Answer 58

• Digital items left behind in sometimes less-than-obvious places, considered during data acquisition
• May include:○ log information○ flash memory○ prefetch cache files○ Recycle Bin○ browser bookmarks and logins

Question 59

Define

Right-to-Audit Clause

Answer 59

• Grants permission for you to know where the data is being held, how it is being accessed over the Internet, and what security features are in place to protect it
• Can be added to a contract with cloud providers

Question 60

Define

E-Discovery

Answer 60

• The gathering of data required by the legal process

* Does not generally involve analysis or make any consideration of intent

Question 61

What is the functional difference between MAC and Digital Signature?

Answer 61

• Message Authentication Code (MAC) provides non-repudiation that can be verified between the two parties in communication
• With a Digital Signature, the non-repudiation can be publicly verified using the public key