6.0 Resiliency and Site Security Flashcards

1
Q

Special tools that allow a network administrator to scan the entire network to find all connected devices and their IP addresses.

A

IP scanners

2
Q

The act of capturing data packets transmitted across the network and analyzing them for important information.

A

Packet sniffing

3
Q

The process of gathering information by interacting with the target in some manner.

A

Active reconnaissance

4
Q

The process of gathering information about a target with no direct interaction with the target.

A

Passive reconnaissance

5
Q

The act of driving around with a wireless device looking for open vulnerable wireless networks.

A

War driving

6
Q

The act of using drones or unmanned aerial vehicles to find open wireless networks.

A

War flying

7
Q

The act of covertly listening in on a communication between other people.

A

Eavesdropping

8
Q

Any data that is collected from publicly available sources such as social media, search engines, company websites, media sources, or public government sources.

A

Open-Source Intelligence (OSINT)

9
Q

ping

A

Ping is a command line tool used to perform a connection test between two network devices. Ping works by sending ICMP packets to a specified device on the network and waiting for a response, which shows whether or not there is a connection issue. The syntax for the ping command is:
ping <target>
The following switches are the more common switches used to modify the ping command (these are the Windows switches):
-t sends ICMP packets until manually stopped.
-a resolves addresses to hostnames.
-n <count> specifies the number of ICMP packets to send. Ping sends 4 packets by default.
-l <size> specifies the packet size in bytes. Ping sends 32-byte packets by default.

10
Q

tracert/traceroute

A

The tracert tool shows the path a packet takes to reach its destination. Every device the packet passes through is known as a hop. Use tracert to locate network devices that are down or causing latency issues.
tracert is the Windows version and sends ICMP packets.
traceroute is used in Linux and sends UDP packets.

11
Q

pathping

A

The pathping Windows command line tool combines the tracert and ping tools. Use pathping to locate network devices that are down or causing latency issues.

12
Q

netstat

A

Use the netstat command to display a variety of network statistics in both Windows and Linux, including:
Connections for different protocols
Open ports
Running programs
Some of the common switches used to specify the information shown in Windows are:
-a displays all connections and listening ports.
-b displays the executable involved in creating each connection or listening port.
-f displays the FQDN for the foreign address if possible.
-r displays the routing table.
-p <protocol> shows the connections for a specified protocol (TCP, UDP, TCPv6, UDPv6).

13
Q

route

A

The route command is used in both Windows and Linux to show the routing table and to make manual changes to the table.

14
Q

arp

A

The arp command is used in both Windows and Linux. ARP stands for Address Resolution Protocol and is used to match IP addresses to MAC addresses. The arp command displays, adds, and removes ARP information on network devices. Some of the common switches used with the arp command are:
-a displays current ARP entries.
inet_addr specifies an internet address.
-d deletes the host specified by inet_addr.

15
Q

nslookup/dig

A

The nslookup and dig commands are used to view and modify DNS settings. These tools can be used to look up DNS server information and also give IP addresses and domain names for a network server.
nslookup is used in Windows.
dig is used in Linux.

16
Q

ipconfig/ifconfig

A

The ipconfig command (Windows) and the ifconfig command (Linux) are used to display the IP configuration on the local computer. Information such as the following can be shown using these commands:
Adapter name
Adapter MAC address
If DHCP is enabled or not
IPv6 address
IPv4 address
Subnet mask
IP lease information
Default gateway
DHCP server
DNS server

17
Q

hping

A

Hping is a security tool that can check connectivity and also analyze the target to gather information. Hping can send ICMP, TCP, UDP, and RAW-IP packets. Hping is primarily designed for Linux but can be installed on Windows.

18
Q

netcat

A

The netcat security tool can read and write data across both TCP and UDP network connections. It opens a TCP connection between two devices and can be used to send packets, scan for open ports, and listen in on connections to specific ports. You can download netcat from the internet.

19
Q

are special tools that allow a network administrator to scan the entire network to find all connected devices and their IP addresses. Advanced scans can also display information such as:
Routes
Hostnames
Operating systems

A

IP scanners

20
Q

utility is a network security scanner. Use this to scan an entire network or specific IP addresses to discover all sorts of information such as:
Open ports
Running services
Operating system
This can use many different protocols and options depending on the network or device being scanned.

This is a command line tool, but a GUI version called Zenmap is available.

A

nmap

21
Q

IDS component that passes data from the source to the analyzer.

A

Sensor

22
Q

IDS component that analyzes sensor data and events, generates alerts, and logs all activity.

A

Engine

23
Q

A mode in which the NIC processes every frame it sees, not just those addressed to it.

A

Promiscuous mode

23
Q

False positive

A

A false positive traffic assessment means that the system identified harmless traffic as offensive and generated an alarm or stopped the traffic.

23
Q

False negative

A

A false negative traffic assessment means that harmful traffic was allowed to pass without any alerts being generated or any actions being taken to prevent or stop it. This is the worst possible scenario.

24
Q

Also referred to as pattern matching, dictionary recognition, or misuse-detection (MD-IDS). This detection method looks for patterns in network traffic and compares them to known attack patterns called signatures.

A

Signature-based detection

24
Q

Also referred to as behavior, anomaly, or statistical-based detection. This detection method first defines a baseline of normal network traffic and then monitors traffic looking for anything that falls outside that baseline.

A

Heuristic-based detection

24
Q

Hardware or software used for monitoring and analyzing digital traffic over a network. Protocol analyzers go by other names, such as packet sniffers, packet analyzers, network analyzers, network sniffers, or network scanners.

A

Protocol analyzer

25
Q

A switch mode in which all frames sent to all other switch ports will be forwarded on the mirrored port.

A

Port mirroring

26
Q

The network SecOps team can use the protocol analyzer during a vulnerability assessment. The protocol analyzer can help the SecOps team to:
Identify frames that might cause errors. For example, the network administrator can:
Determine which flags are set in a TCP handshake
Detect any malformed or fragmented packets. This would indicate that someone is trying to get around the firewall.
Discover passwords and other sensitive data being sent in cleartext.
Find any open network ports that should not be open.

A

Security operations Protocol Analyzer

27
Q

Monitor and log network traffic as it is transmitted over the network.
Check for specific protocols on the network, such as SMTP, DNS, POP3, and ICMP. Identifying the specific protocols helps to:
Identify devices that might be using unallowed protocols, such as ICMP, or legacy protocols, such as IPX/SPX or NetBIOS.
Identify traffic that might be sent by attackers.
Examine the data contained within a packet. For example, by looking at the packet data, the network administrator can identify users connecting to unauthorized websites.
Analyze network performance.
Troubleshoot communication problems or investigate the source of heavy network traffic.

A

Network administrator Protocol Analyzer

28
Q

An attack where the threat actor makes an independent connection between two victims and is able to read and possibly modify traffic.

A

On-path attack

29
Q

A malicious request to a legitimate server is created and sent as a link to the victim, so that a server-side flaw causes the malicious component to run on the target’s browser.

A

Distributed reflected DoS (DRDoS)

30
Q

An attack that uses a captured authentication token to start an unauthorized session without having to discover the plaintext password for an account.

A

Credential replay

31
Q

A type of reflected attack that targets weaknesses in specific application protocols to make the attack more effective at consuming target bandwidth. attacks exploit protocols that allow the attacker to manipulate the request in such a way that the target is forced to respond with a large amount of data.

A

Amplification attack

32
Q

An attack where a threat actor injects false resource records into a client or server cache to redirect a domain name to an IP address of the attacker’s choosing.

A

DNS poisoning

33
Q

An attack that involves the use of infected Internet-connected computers and devices to disrupt the normal flow of traffic of a server or service by overwhelming the target with traffic.

A

Distributed denial-of-service (DDoS)

34
Q

This is a minimal program designed to exploit a vulnerability in the OS or a legitimate app to gain privileges or to drop a backdoor on the host if run as a Trojan. Having gained a foothold, this type of attack will be followed by some type of network connection to download additional tools.

A

Shellcode

35
Q

The malware might try to access the credentials file (SAM on a local Windows workstation) or sniff credentials held in memory by the lsass.exe system process. Additionally, a DCSync attack attempts to trick a domain controller into replicating its user list, along with its credentials, to a rogue host.

A

Credential dumping

36
Q

The general procedure is to use the foothold to execute a process remotely, using a tool such as PsExec or PowerShell. The attacker might be seeking data assets or may try to widen access by changing the system security configuration, such as opening a firewall port or creating an account. If the attacker has compromised an account, these commands can blend in with ordinary network operations, though they could be anomalous behavior for that account.

A

Pivoting/lateral movement/insider attack

37
Q

This is a mechanism that allows the threat actor's backdoor to restart if the host reboots or the user logs off. Typical methods are to use AutoRun keys in the registry, add a scheduled task, or use Windows Management Instrumentation (WMI) event subscriptions.

A

Persistence

38
Q

is a management framework that Microsoft developed to replace Command Prompt and give users more power and control over the Windows system. Cmdlets are tiny scripts that perform certain functions. Some cmdlets replace older commands and provide more advanced functions. Users can combine these cmdlets to develop scripts to automate tasks and configure just about anything in Windows.

Malicious scripts pose a major security threat. These scripts can run in the memory of the system, which means they do not need an executable to run.
An attacker can take advantage by running malicious scripts in the background.
This type of malware is known as fileless malware. Fileless malware is especially dangerous because many anti-virus programs are unable to detect it.

A

PowerShell

39
Q

is a command shell and scripting language used in most Linux distributions and macOS versions prior to Catalina.
When a command is executed in Linux, this works in the background to execute the command using environment variables. Since many web servers run Apache on Linux, malware can be designed to attack these systems.

Well-known malware called Shellshock uses commands to exploit a flaw within the shell. The flaw allows an attacker to inject malicious commands.

A

Bash
