Alllllll

Question 1

Windows Registry

Answer 1

Information about files and services, locations of deleted files, evidence of applications being run

Question 2

Autorun Keys

Answer 2

Programs set to run at startup (often associated with malware or compromise)

Question 3

Master File Table (MFT)

Answer 3

Details of inactive/removed records

Question 4

Event Logs

Answer 4

Logins, service start/stop, evidence of applications being run

Question 5

INDX files and change logs

Answer 5

Evidence of deleted files, MAC timestamps

Question 6

Volume Shadow Copies

Answer 6

Point-in-time information from prior actions

Question 7

Recycle bin contents

Answer 7

Files that were intended to be deleted but forgotten

Question 8

Hibernation files and memory dumps

Answer 8

Memory artifacts of commands run

Question 9

Temporary Directories

Answer 9

Artifacts of software installation, user temporary file storage, or other limited lifespan data

Question 10

Removable Drives

Answer 10

System logs may indicate drives were plugged in; data may be relevant to investigations

Question 11

POP3 Port

Answer 11

Port 110

Question 12

NTP Port

Answer 12

Port 123

Question 13

SQL Server (2 Ports)

Answer 13

Port 1433 & 1443

Question 14

Oracle Port

Answer 14

Port 1521

Question 15

RADIUS (2 Ports)

Answer 15

Port 1812 & 1813

Question 16

MySQL Port

Answer 16

Port 3306

Question 17

STIX Protocol

Answer 17

XML Language. Current version includes things like attack patterns, identities, malware, threat actors and tools. Conveys data so humans and security technologies can understand

Question 18

OpenIOC Protocol

Answer 18

Includes metadata like the author, the name of the IOC, and a description; references to the investigation or case and information about the maturity of the IOC

Question 19

TAXII Protocol

Answer 19

Is intended to allow cyberthreat information to be communicated at the application layer via HTTPS, specifically designed to support STIX data exchange

Question 20

3 Criteria for Intelligence

Answer 20

Timeliness, Relevancy and Accuracy

Question 21

Requirements Gathering

Answer 21

Assess what security breaches or compromises you have faced, Assess what information could have prevented or limited the impact of the breach, assess what controls and security measures were not in place that would have mitigated the breach

Question 22

Data Collection

Answer 22

Collect data from threat intelligence source to meet those requirements. Phase may repeat as additional requirements are added or as requirements are refined based on available data and data sources

Question 23

Threat Data Analysis

Answer 23

Allow for data to be consumed by the tools or processes that are used and then analyze the data itself. Output from this stage could be data fed into automated systems or other tools or written reports to distribute to leadership or others across your organization

Question 24

Intelligence Dissemination

Answer 24

Data is distributed to leadership and operational personnel who will use the data as part of their security operations role

Question 25

Feedback

Answer 25

Gathering feedback about the reports and data you have gathered. Continuous improvement is a critical element in the process and should be used to improve overall output of threat intelligence program

Question 26

Reconnaissance (Cyber Kill Chain)

Answer 26

Identifies the target

Question 27

Weaponization (CKC)

Answer 27

Building or acquiring a weaponizer that combines malware and an exploit into a payload that can be delivered to the target

Question 28

Delivery (CKC)

Answer 28

When the adversary either deploys their tool directly against targets or via release that relies on staff at the target interacting with it such as in an email payload, on a USB stick, or via websites that they visit

Question 29

Exploitation (CKC)

Answer 29

Uses a software, hardware, or human vulnerability to gain access.

Question 30

Installation (CKC)

Answer 30

Focuses on persistent backdoor access for attackers

Question 31

C2 (CKC)

Answer 31

Access allows two-way communication and continued control of the remote system

Question 32

Action on Objectives (CKC)

Answer 32

When mission’s goal is complete. Adversaries will collect credentials, escalate privileges, pivot and move laterally through the environment, and gather and exfiltrate information

Question 33

Common Configuration Enumeration (CCE)

Answer 33

Provides a standard nomenclature for discussing system configuration issues

Question 34

Common Platform Enumeration (CPE)

Answer 34

Provides a standard nomenclature for describing product names and versions

Question 35

Common Vulnerability Exposures (CVE)

Answer 35

Provides a standard nomenclature for describing security-related software flaws

Question 36

Common Vulnerability Scoring System (CVSS)

Answer 36

Provides a standardized approach for measuring and describing the severity of security-related software flaws

Question 37

Extensible Configuration Checklist Description Format (XCCDF)

Answer 37

A language for specifying checklists and reporting checklist results

Question 38

Open Vulnerability and Assessment Language (OVAL)

Answer 38

A language for specifying low-level testing procedures used by checklists

Question 39

Race Condition

Answer 39

Vulnerability is a defect in code that creates an unstable quality in the operation of a program arising from timing variances produced by programming logic. Time of Check (TOC)/Time of Use (TOU) Attacks vulnerability attacks occur

Question 40

Dereferencing

Answer 40

Common flaw that occurs when software attempts to access a value stored in memory that does not exist. This type of error almost always leads to a crash unless caught by an error handler

Question 41

Data Retention

Answer 41

Deliberate preservation and protection of digital data in order to satisfy business or legal requirements

Question 42

Data Minimization

Answer 42

Principle that you can acquire and retain only the minimum amount of data required to satisfy the specific pupose for which the owner has authorized use of that data

Question 43

Output Encoding

Answer 43

Translates special characters into an equivalent but safe version before a target application or interpreter reads it. Helps to prevent XSS attacks by preventing special characters from being inserted that cause the target application to perform an action

Question 44

Data Classification

Answer 44

That describes the classification structure used by the organization and the process used to properly assign classifications to data