4.0 - Operations & Incident Response Flashcards
Explain this command:
traceroute
• determine the route a packet takes to a destination
• maps the entire path
• In Unix/Linux: traceroute
• In Windows: tracert
Explain this command:
nslookup
• Query a DNS server to look up names and IP addresses
• deprecated (use dig instead)
• Found in both Windows and Linux/Unix
Explain this command:
dig
• Domain Information Groper
• replaced nslookup
• More advanced domain information
• Not included in Windows but can be installed
Explain this command:
pathping
• Included in Windows NT and later
• combines ping and traceroute
• first builds a map via traceroute
• then measures each hop’s round trip time and packet loss
• takes a number of minutes to run
Explain this command:
netstat
• Network Statistics
• -a shows all active connections
• -b shows binaries (in Windows)
• -n prevents resolving names; shows IP addresses only
• present in many different OSs
Explain this command:
arp -a
• view local ARP table
Command to view device’s routing table?
• Windows: route print
• Linux / Unix: netstat -r
Explain this command:
curl
• “Client URL”
• Grabs raw data from web pages, FTP, emails, databases, etc.
Explain this command:
hping
• A ping that can be customized to send almost anything
• Can modify all IP, TCP, UDP, and ICMP values
Define
Nmap
• Network Mapper
• Port scan to find devices and identify open ports
• Discover OS without logging into device
• Scan services available, with name, version, and details
• NSE (Nmap Scripting Engine) provides extended capabilities via additional scripts
Explain
theHarvester
• Command line tool for gathering OSINT
• Scrapes information from search engines
• Find associated IP addresses, e-mail addresses, names, titles, etc.
• DNS brute force assists in finding unknown hosts
Explain
sn1per
• Combines multiple reconnaissance tools into a single framework
• Allows you to search a single query and receive a single output that combines various tools’ results
• including dnsenum, metasploit, nmap, theHarvester, and much more
• Can run in non-intrusive or very intrusive modes, and anything in-between
Explain
scanless
• command line tool for running port scans from a different host (port scan proxy)
• allows your own device to not be detected as the source of the scan
• You specify the scan origination, and your IP is hidden as the scan source
Define
dnsenum
• Enumerate DNS information
• view host and service information from DNS servers
• Find host names in Google
○ (more hosts can probably be found in the index than what is listed on a DNS server)
Define
Nessus
• Industry leader in vulnerability scanning tools
• Extensive support; both free and commercial options
• Scans system, identifies known vulnerabilities, provides extensive reporting
• Graphical interface
Define
Cuckoo
• A sandbox for malware
• test a file in a safe, virtualized sandbox environment
• Environment can be Windows, Linux, macOS, Android, etc.
• Tracks and traces the activity of the executable you are running in it
Explain this command:
head
• like cat, but views only the first part / beginning of a file
• use -n to specify the number of lines
Explain this command:
tail
• like cat, but views only the last part / ending of a file
• use -n to specify the number of lines
Explain this command:
grep
• finds text in a file and displays all lines that contain it
• can search through multiple files at a time
Explain this command:
chmod
• “Change Mode” of permissions on a file or folder
• r=read, w=write, x=execute
• permission classes, in display order, are the owner/user (u), the group (g), and others (o); all (a) addresses all three at once
How are file/folder permissions displayed in CLI?
• if the first character is a d, it is a directory.
• if the first character is a -, it is a file
• the next set of three characters indicate user permissions.
• the following three characters indicate group permissions.
• the last three characters indicate permissions for all others.
• Ex: -rwxr----- indicates a file where the user (owner) has read/write/execute, the group has read-only, and all others have no permissions.
What are the octal notations for setting permissions?
- 7 = read, write, and execute (rwx)
- 6 = read and write (rw-)
- 5 = read and execute (r-x)
- 4 = read only (r--)
- 3 = write and execute (-wx)
- 2 = write only (-w-)
- 1 = execute only (--x)
- 0 = none (---)
Explain this command:
logger
• adds entries to the system log
• either the local or a remote syslog file
Explain
OpenSSL
• A library of utilities for SSL/TLS communication
• Create X.509 certificates
• Manage CSRs and CRLs
• Has crypto libraries to perform hashing functions and encryption/decryption
• Extensively used today
Explain this command:
tcpdump
• Captures packets, like a CLI version of Wireshark
• Can display packets on screen and/or write to a file
• Included in most Linux distributions
Explain this command:
tcpreplay
• A suite of packet replay utilities
• can take (and edit) info from tcpdump, and replay it on the network
• Useful for checking IPS signatures and firewall rules, testing IP Flow / NetFlow devices, stress testing, etc.
• Open source
Explain this command:
dd
• “Data Definition”
• Linux command to create and restore disk images
• Creates a bit-by-bit copy of a drive or directory
• Used by many forensic tools
Explain this command:
memdump
• Copies information in system memory to the standard output stream
• Many third-party tools can read a memory dump
• Often used in conjunction with netcat, stunnel, openssl, etc., to send the memdump to another host
• Useful for forensics
Define
WinHex
• A third-party utility for Windows
• a universal hexadecimal editor
• Edit disks, files, RAM, etc.
• Includes data recovery features
• Disk cloning
• secure drive wipes
• Many more features, useful for forensics
Explain
FTK imager
• disk imaging tool for Windows that can mount drives, create images of them, and run related utilities
• wide third-party support to analyze these images
• Can import other disk image formats
• Useful for forensics, wide third-party support
Define
Autopsy
• a graphical tool to perform digital forensics of hard drives, smartphones, image files, etc.
• View and recover data from storage devices
• Extraction covers many data types, including:
○ downloaded files
○ browser history and cache
○ email messages
○ databases
• Can potentially recover data from drives that have been re-formatted
Explain
Exploitation Framework
• A type of pre-built toolkit for exploitation, useful to perform tests against your own systems
• Build custom attacks.
• Adds more tools as vulnerabilities are found
Name two Exploitation Framework tools
• Metasploit is a popular one; attacks known vulnerabilities with new ones being added all the time
• SET (Social-Engineer Toolkit)
Explain
NIST SP800-61
• National Institute of Standards and Technology
• Special Publication 800-61 Revision 2
• Titled “Computer Security Incident Handling Guide”
What are the phases of a security incident lifecycle, according to NIST’s Computer Security Incident Handling Guide?
• Preparation
• Detection and Analysis
• Containment, Eradication, and Recovery
• Post-Incident Activity
What are three types of Exercises?
• Tabletop - responders talking through and analyzing a hypothetical situation
• Walkthrough - responders testing process and procedures, walking through each step, and identifying anything found out of place
• Simulation - testing users and systems with a simulated event, such as sending a phishing e-mail through your own systems and to your own users as a test.
Define
COOP
• Continuity of Operations Planning
• Made in preparation for disaster, so you know what to do
• Outlines how to perform essential job functions during a systems outage
• May include manual transactions, paper receipts, phone calls for transaction approvals, etc.
• Must be well documented and tested before a problem occurs
Define
MITRE ATT&CK Framework
• Documentation to help determine actions of an attacker
• Developed by MITRE corp, which supports several U.S. government agencies
• Assists in identifying the point of intrusion, understanding the methods used to move around, and identifying security techniques that can block future attacks
Explain:
Diamond Model of Intrusion Analysis
• Designed by U.S. intelligence community
• A model to guide analysts in understanding intrusions
• Applies scientific principles to intrusion analysis
What are the four points of the Diamond Model of Intrusion Analysis?
• Four points of diamond are (clockwise from the top)
○ Adversary
○ Capability
○ Victim
○ Infrastructure
Explain
Cyber Kill Chain
• A framework that outlines the 7 phases of a cyber attack:
• Reconnaissance (gather intel)
• Weaponization (build a deliverable payload)
• Delivery (Send the weapon, such as an .exe over e-mail)
• Exploit (execute code on victim’s device)
• Installation (malware is installed)
• Command and Control (channel is created for remote access)
• Actions on objectives (attacker carries out objectives)
Explain:
Dump files
• A dump file stores all contents of memory (usually just for a specific application) into a diagnostic file
• Can be provided to developers for troubleshooting
• In Windows Task Manager, just right-click the process and select “create dump file”
• Some applications have their own processes for creating dump files
Explain:
syslog
• Standard for message logging, used by diverse systems to create a consolidated log
• Usually sent to a central logging server (SIEM)
• Each log entry is labelled with a facility code and severity level
Define
rsyslog
• Rocket-fast Syslog
• A syslog daemon
Define
syslog-ng
• A popular syslog daemon with additional filtering and storage options
Define
NXLog
• a syslog daemon
• Collects from many diverse log types and consolidates them on a single machine
Define
facility code
• Every syslog entry is labelled with a facility code
• It indicates the program that created the log
Explain:
journalctl
• Linux system logs are stored in binary for optimization
• But they are not human-readable
• journalctl provides tools to query the system journal, search, filter, and view it as plain text
Explain:
Netflow
• Gathers traffic statistics from all traffic flows
• This data is usually collected by “probes,” then sent and consolidated onto a central Netflow “collector” server
• Very common, standard tool with a lot of support from vendors
Explain:
IPFIX
• IP Flow Information Export
• A newer, Netflow-based standard
• Allows for customization of what data to collect, and to send to centralized server
Explain:
sFlow
• Sampled Flow
• Similar to Netflow, but takes only a portion of the actual network traffic
• It is therefore not technically a flow
• The sample can still provide relatively accurate statistics
• Usually embedded in infrastructure devices such as switches and routers, since it has low resource requirements
Define
Runbook
• A linear checklist of steps to perform
• Useful for automation; the steps can be carried out automatically
• Used in SOAR
Define
Playbook
• Like a runbook, but broader in process
• allows for conditional steps and may contain multiple runbooks
• Useful for automation of response with these processes
• Used in SOAR
What are the three phases of Digital Forensics described in RFC 3227?
• Acquisition
• Analysis
• Reporting
Define
ESI
• Electronically Stored Information
• Legal term for data that is held in a separate repository for legal purposes
How are timestamps recorded in an OS?
• Different file systems store timestamps differently
• In FAT, time is stored in local time
• In NTFS, time is stored in GMT
• Windows Registry and other OS settings may also influence time offsets (Daylight Saving Time, etc.)
• Understanding time offsets is important for Digital Forensics
List 7 types of data in order of volatility (Most to least)
• CPU registers and cache
• Router table, ARP cache, process table, kernel statistics, memory
• Temporary File Systems
• Disk
• Remote Logging and monitoring data
• Physical configuration; network topology
• Archival media
Define and list examples of:
Artifact
• Digital items left behind in sometimes less-than-obvious places, considered during data acquisition
• May include:
○ log information
○ flash memory
○ prefetch cache files
○ Recycle Bin
○ browser bookmarks and logins
Define
Right-to-Audit Clause
• Grants permission for you to know where the data is being held, how it is being accessed over the Internet, and what security features are in place to protect it
• Can be added to a contract with cloud providers
Define
E-Discovery
• The gathering of data required by the legal process
• Does not generally involve analysis or make any consideration of intent
What is the functional difference between MAC and Digital Signature?
• Message Authentication Code (MAC) provides non-repudiation that can be verified between the two parties in communication
• With a Digital Signature, the non-repudiation can be publicly verified using the public key