4.0 - Operations & Incident Response Flashcards

1
Q

Explain this command:

traceroute

A

• determine the route a packet takes to a destination

• maps the entire path

• In Unix/Linux: traceroute

• In Windows: tracert

2
Q

Explain this command:

nslookup

A

• Query a DNS server to look up names and IP addresses

• deprecated (use dig instead)

• Found in both Windows and Linux/Unix

3
Q

Explain this command:

dig

A

• Domain Information Groper

• replaced nslookup

• More advanced domain information

• Not included in Windows but can be installed

4
Q

Explain this command:

pathping

A

• Included in Windows NT and later

• combines ping and traceroute

• first builds a map via traceroute

• then measures each hop’s round trip time and packet loss

• takes a number of minutes to run

5
Q

Explain this command:

netstat

A

• Network Statistics

• -a shows all active connections

• -b shows binaries (in Windows)

• -n prevents resolving names; shows IP addresses only

• present in many different OSs

6
Q

Explain this command:

arp -a

A

• view local ARP table

7
Q

Command to view device’s routing table?

A

• Windows: route print

• Linux / Unix: netstat -r

8
Q

Explain this command:

curl

A

• “Client URL”

• Grabs raw data from web pages, FTP, emails, databases, etc.

9
Q

Explain this command:

hping

A

• A ping that can be customized to send almost anything

• Can modify all IP, TCP, UDP, and ICMP values

10
Q

Define

Nmap

A

• Network Mapper

• Port scan to find devices and identify open ports

• Discover OS without logging into device

• Scan services available, with name, version, and details

• NSE (Nmap Scripting Engine) provides extended capabilities via additional scripts

11
Q

Explain

theHarvester

A

• Command line tool for gathering OSINT

• Scrapes information from search engines

• Find associated IP addresses, e-mail addresses, names, titles, etc.

• DNS brute force assists in finding unknown hosts

12
Q

Explain

sn1per

A

• Combines multiple reconnaissance tools into a single framework

• Allows you to search a single query and receive a single output that combines various tools’ results

• including dnsenum, metasploit, nmap, theHarvester, and much more

• Can run in non-intrusive or very intrusive modes, and anything in-between

13
Q

Explain

scanless

A

• command line tool for running port scans from a different host (port scan proxy)

• allows your own device to not be detected as the source of the scan

• You specify the scan origination, and your IP is hidden as the scan source

14
Q

Define

dnsenum

A

• Enumerate DNS information

• view host and service information from DNS servers

• Find host names in Google

○ (more hosts can probably be found in the index than what is listed on a DNS server)

15
Q

Define

Nessus

A

• Industry leader in vulnerability scanning tools

• Extensive support; both free and commercial options

• Scans system, identifies known vulnerabilities, provides extensive reporting

• Graphic interface

16
Q

Define

Cuckoo

A

• A sandbox for malware

• test a file in a safe, virtualized sandbox environment

• Environment can be Windows, Linux, macOS, Android, etc.

• Tracks and traces the activity of the executable you run in it

17
Q

Explain this command:

head

A

• like cat, but views only the first part / beginning of a file

• use -n to specify the number of lines

18
Q

Explain this command:

tail

A

• like cat, but views only the last part / ending of a file

• use -n to specify the number of lines

19
Q

Explain this command:

grep

A

• finds text in a file and displays all lines that contain it

• can search through multiple files at a time

20
Q

Explain this command:

chmod

A

• “Change Mode” of permissions on a file or folder

• r=read, w=write, x=execute

• permissions are displayed in order for owner (u), the group (g), others (o), or all (a)

21
Q

How are file/folder permissions displayed in CLI?

A

• if the first character is a d, it is a directory.

• if the first character is a -, it is a file

• the next set of three characters indicate user permissions.

• the following three characters indicate group permissions.

• the last three characters indicate permissions for all others.

• Ex: -rwxr----- indicates a file where the user has read/write/execute, the group has read-only, and all others have no permissions.

22
Q

What are the octal notations for setting permissions?

A
• 7 = read, write, and execute (rwx)

• 6 = read and write (rw-)

• 5 = read and execute (r-x)

• 4 = read only (r--)

• 3 = write and execute (-wx)

• 2 = write only (-w-)

• 1 = execute only (--x)

• 0 = none (---)

23
Q

Explain this command:

logger

A

• adds entries to the system log

• either the local or a remote syslog file

24
Q

Explain

OpenSSL

A

• A library of utilities for SSL/TLS communication

• Create X.509 certificates

• Manage CSRs and CRLs

• Has crypto libraries to perform hashing functions and encryption/decryption

• Extensively used today

25
Q

Explain this command:

tcpdump

A

• Captures packets, like a CLI version of WireShark

• Can display packets on screen and/or write to a file

• Included in most Linux distributions

26
Q

Explain this command:

tcpreplay

A

• A suite of packet replay utilities

• can take (and edit) info from tcpdump, and replay it on the network

• Useful for checking IPS signatures and firewall rules, testing IP Flow / NetFlow devices, stress testing, etc.

• Open source

27
Q

Explain this command:

dd

A

• “Data Definition”

• Linux command to create and restore disk images

• Creates a bit-by-bit copy of a drive or directory

• Used by many forensic tools

28
Q

Explain this command:

memdump

A

• Copies information in system memory to the standard output stream

• Many third-party tools can read a memory dump

• Often used in conjunction with netcat, stunnel, openssl, etc., to send the memdump to another host

• Useful for forensics

29
Q

Define

WinHex

A

• A third-party utility for Windows

• a universal hexadecimal editor

• Edit disks, files, RAM, etc.

• Includes data recovery features

• Disk cloning

• secure drive wipes

• Many more features, useful for forensics

30
Q

Explain

FTK imager

A

• disk imaging tool for Windows that can mount or image drives and perform utilities

• wide third-party support to analyze these images

• Can import other disk image formats

• Useful for forensics, wide third-party support

31
Q

Define

Autopsy

A

• a graphical tool to perform digital forensics of hard drives, smartphones, image files, etc.

• View and recover data from storage devices

• Extraction covers many data types, including:

○ downloaded files

○ browser history and cache

○ email messages

○ databases

• Can potentially recover data from drives that have been re-formatted

32
Q

Explain

Exploitation Framework

A

• A type of pre-built toolkit for exploitations, useful to perform tests against your own systems

• Build custom attacks.

• Adds more tools as vulnerabilities are found

33
Q

Name two Exploitation Framework tools

A

• Metasploit is a popular one; attacks known vulnerabilities with new ones being added all the time

• SET (Social-Engineer Toolkit)

34
Q

Explain

NIST SP800-61

A

• National Institute of Standards and Technology

• Special Publication 800-61 Revision 2

• Titled “Computer Security Incident Handling Guide”

35
Q

What are the phases of a security incident lifecycle, according to NIST’s Computer Security Incident Handling Guide?

A

• Preparation

• Detection and Analysis

• Containment, Eradication, and Recovery

• Post-Incident Activity

36
Q

What are three types of Exercises?

A

• Tabletop - responders talking through and analyzing a hypothetical situation

• Walkthrough - responders testing process and procedures, walking through each step, and identifying anything found out of place

• Simulation - testing users and systems with a simulated event, such as sending a phishing e-mail through your own systems to your own users as a test.

37
Q

Define

COOP

A

• Continuity of Operations Planning

• Made in preparation for disaster, so you know what to do

• Outlines how to perform essential job functions during a systems outage

• May include manual transactions, paper receipts, phone calls for transaction approvals, etc.

• Must be well documented and tested before a problem occurs

38
Q

Define

MITRE ATT&CK Framework

A

• Documentation to help determine actions of an attacker

• Developed by MITRE corp, which supports several U.S. government agencies

• Assists in identifying the point of intrusion, understanding the methods used to move around, and identifying security techniques to block future attacks

39
Q

Explain:

Diamond Model of Intrusion Analysis

A

• Designed by U.S. intelligence community

• A model to guide analysts in understanding intrusions

• Applies scientific principles to intrusion analysis

40
Q

What are the four points of the Diamond Model of Intrusion Analysis?

A

• Four points of diamond are (clockwise from the top)

○ Adversary

○ Capability

○ Victim

○ Infrastructure

41
Q

Explain

Cyber Kill Chain

A

• A framework that outlines the 7 phases of a cyber attack:

• Reconnaissance (gather intel)

• Weaponization (build a deliverable payload)

• Delivery (Send the weapon, such as an .exe over e-mail)

• Exploit (execute code on victim’s device)

• Installation (malware is installed)

• Command and Control (channel is created for remote access)

• Actions on objectives (attacker carries out objectives)

42
Q

Explain:

Dump files

A

• A dump file stores all contents of memory (usually just for a specific application) into a diagnostic file

• Can be provided to developers for troubleshooting

• In Windows Task Manager, just right-click the process and select “create dump file”

• Some applications have their own processes for creating dump files

43
Q

Explain:

syslog

A

• Standard for message logging, used by diverse systems to create a consolidated log

• Usually sent to a central logging server (SIEM)

• Each log entry is labelled with a facility code and severity level

44
Q

Define

rsyslog

A

• Rocket-fast Syslog

• A syslog daemon

45
Q

Define

syslog-ng

A

• A popular syslog daemon with additional filtering and storage options

46
Q

Define

NXLog

A

• a syslog daemon

• Collects many diverse log types and consolidates them on a single machine

47
Q

Define

facility code

A

• Every syslog entry is labelled with a facility code

• It indicates the program that created the log

48
Q

Explain:

journalctl

A

• Linux system logs are stored in binary for optimization

• But they are not human-readable

• Journalctl provides tools to query the system journal, search, filter, and view as plain text

49
Q

Explain:

Netflow

A

• Gathers traffic statistics from all traffic flows

• This data is usually collected by “probes,” then sent and consolidated onto a central Netflow “collector” server

• Very common, standard tool with a lot of support from vendors

50
Q

Explain:

IPFIX

A

• IP Flow Information Export

• A newer, Netflow-based standard

• Allows for customization of what data to collect, and to send to centralized server

51
Q

Explain:

sFlow

A

• Sampled Flow

• Similar to Netflow, but takes only a portion of the actual network traffic

• It is therefore not technically a flow

• The sample can still provide relatively accurate statistics

• Usually embedded in infrastructure devices such as switches and routers, since it has low resource requirements

52
Q

Define

Runbook

A

• A linear checklist of steps to perform

• Useful for automation; the steps can be carried out automatically

• Used in SOAR

53
Q

Define

Playbook

A

• Like a runbook, but broader in process

• allows for conditional steps and may contain multiple runbooks

• Useful for automation of response with these processes

• Used in SOAR

54
Q

What are the three phases of Digital Forensics described in RFC 3227?

A

• Acquisition

• Analysis

• Reporting

55
Q

Define

ESI

A

• Electronically Stored Information

• Legal term for data that is held in a separate repository for legal purposes

56
Q

How are timestamps recorded in an OS?

A

• Different file systems store timestamps differently

• In FAT, time is stored in local time

• In NTFS, time is stored in GMT

• Windows Registry and other OS settings may also influence time offsets (Daylight Saving Time, etc.)

• Understanding time offsets is important for Digital Forensics

57
Q

List 7 types of data in order of volatility (Most to least)

A

• CPU registers and cache

• Router table, ARP cache, process table, kernel statistics, memory

• Temporary File Systems

• Disk

• Remote Logging and monitoring data

• Physical configuration; network topology

• Archival media

58
Q

Define and list examples of:

Artifact

A

• Digital items left behind in sometimes less-than-obvious places, considered during data acquisition

• May include:

○ log information

○ flash memory

○ prefetch cache files

○ Recycle Bin

○ browser bookmarks and logins

59
Q

Define

Right-to-Audit Clause

A

• Grants permission for you to know where the data is being held, how it is being accessed over the Internet, and what security features are in place to protect it

• Can be added to a contract with cloud providers

60
Q

Define

E-Discovery

A

• The gathering of data required by the legal process

• Does not generally involve analysis or make any consideration of intent

61
Q

What is the functional difference between MAC and Digital Signature?

A

• Message Authentication Code (MAC) provides non-repudiation that can be verified between the two parties in communication

• With a Digital Signature, the non-repudiation can be publicly verified using the public key