Analyzing Indicators of Compromise Flashcards

1
Q

Which of the following Linux commands will show you how much disk space is in use?

A. top

B. df

C. lsof

D. ps

A

Answer:

B. The df command will show you a system’s current disk utilization. Both the top command and the ps command will show you information about processes, CPU, and memory utilization, whereas lsof is a multifunction tool for listing open files.

2
Q

What Windows tool provides detailed information including information about USB host controllers, memory usage, and disk transfers?

A. statmon

B. resmon

C. perfmon

D. winmon

A

Answer:

C. Perfmon, or Performance Monitor, provides the ability to gather detailed usage statistics for many items in Windows. Resmon, or Resource Monitor, monitors CPU, memory, and disk usage, but does not provide information about things like USB host controllers and other detailed instrumentation. Statmon and winmon are not Windows built-in tools.

3
Q

What type of network information should you capture to be able to provide a report about how much traffic systems in your network sent to remote systems?

A. Syslog data

B. WMI data

C. Resmon data

D. Flow data

A

Answer:

D. Flow data provides information about the source and destination IP address, protocol, and total data sent and would provide the detail needed. Syslog, WMI, and resmon data are all system log information and would not provide this information.

4
Q

Which of the following technologies is best suited to prevent wired rogue devices from connecting to a network?

A. NAC

B. PRTG

C. Port security

D. NTP

A

Answer:

A. Network access control (NAC) can be set up to require authentication. Port security is limited to recognizing MAC addresses, making it less suited to preventing rogue devices. PRTG is a monitoring tool, and NTP is the network time protocol.

5
Q

As part of her job, Danielle sets an alarm to notify her team via email if her Windows server uses 80 percent of its memory and to send a text message if it reaches 90 percent utilization. What is this setting called?

A. A monitoring threshold

B. A preset notification level

C. Page monitoring

D. Perfmon calibration

A

Answer:

A. A monitoring threshold is set to determine when an alarm or report action is taken. Thresholds are often set to specific values or percentages of capacity.

6
Q

Chris wants to use an active monitoring approach to test his network. Which of the following techniques is appropriate?

A. Collecting NetFlow data

B. Using a protocol analyzer

C. Pinging remote systems

D. Enabling SNMP

A

Answer:

C. Active monitoring is focused on reaching out to gather data using tools like ping and iPerf. Passive monitoring with protocol analyzers collects network traffic, and router-based monitoring using SNMP and flows gathers data by receiving or collecting logged information.

7
Q

What term describes a system sending heartbeat traffic to a botnet command and control server?

A. Beaconing

B. Zombie ping

C. CNCstatus

D. CNClog

A

Answer:

A. Beaconing activity (sometimes called heartbeat traffic) occurs when traffic is sent to a botnet command and control system. The other terms are made up.

8
Q

Cameron wants to be able to detect a denial-of-service attack against his web server. Which of the following tools should he avoid?

A. Log analysis

B. Flow monitoring

C. iPerf

D. IPS

A

Answer:

C. Log analysis, flow monitoring, and deploying an IPS are all appropriate solutions to help detect denial-of-service attacks. iPerf is a performance testing tool used to establish the maximum bandwidth available on a network connection.

9
Q

What can the MAC address of a rogue device tell you?

A. Its operating system version

B. The TTL of the device

C. What type of rogue it is

D. The manufacturer of the device

A

Answer:

D. Hardware vendor ID codes are part of MAC addresses and can be checked for devices that have not had their MAC address changed. It is possible to change MAC addresses, so relying on only the MAC address is not recommended.

10
Q

How can Jim most effectively locate a wireless rogue access point that is causing complaints from employees in his building?

A. Nmap

B. Signal strength and triangulation

C. Connecting to the rogue AP

D. NAC

A

Answer:

B. Locating a rogue AP is often best done by performing a physical survey and triangulating the likely location of the device by checking its signal strength. If the AP is plugged into the organization’s network, nmap may be able to find it, but connecting to it is unlikely to provide its location (or be safe!). NAC would help prevent the rogue device from connecting to an organizational network but won’t help locate it.

11
Q

Which of the following tools does not provide real-time drive capacity monitoring for Windows?

A. Microsoft Endpoint Configuration Manager

B. Resmon

C. SCOM

D. Perfmon

A

Answer:

A. Microsoft Endpoint Configuration Manager provides non-real-time reporting for disk space. Resmon, perfmon, and SCOM can all provide real-time reporting, which can help to identify problems before they take a system down.

12
Q

What three options are most likely to be used to handle a memory leak?

A. Memory management, patching, and buffer overflow prevention

B. Patching, service restarts, and system reboots

C. Service restarts, memory monitoring, and stack smashing prevention

D. System reboots, memory management, and logging

A

Answer:

B. The best way to deal with memory leaks is to patch the application or service. If a patch is not available, restarting the service or the underlying operating system is often the only solution. Buffer overflow and stack smashing prevention both help deal with memory-based attacks rather than memory leaks, and monitoring can help identify out-of-memory conditions but doesn’t directly help deal with a memory leak.

13
Q

Sayed is planning to prohibit a variety of files, including games, from being installed on the Windows workstations he manages. What technology is his best option to prevent known, unwanted files from being installed or copied to machines?

A. Blacklisting

B. Microsoft Endpoint Configuration Manager

C. SCOM

D. Whitelisting

A

Answer:

A. A blacklisting application or tool can allow Sayed to prevent specific files or applications from being installed. Microsoft Endpoint Configuration Manager could be used to uninstall files, and SCOM could be used to monitor machines for files, but neither is as well suited. Whitelisting works in the opposite manner by listing allowed files.

14
Q

While Susan is monitoring a router via network flows, she sees a sudden drop in network traffic levels to zero, and the traffic chart shows a flat line. What has likely happened?

A. The sampling rate is set incorrectly.

B. The router is using SNMP.

C. The monitored link failed.

D. A DDoS attack is occurring.

A

Answer:

C. The most likely answer is that the link has failed. Incorrectly set sampling rates will not provide a good view of traffic, and a DDoS attack is more likely to show large amounts of traffic. SNMP is a monitoring tool and would not result in flow data changing.

15
Q

What are SNMP alert messages called?

A. SNMP launches

B. SNMP traps

C. SNMP bolts

D. SNMP packets

A

Answer:

B. SNMP alerts are called SNMP traps, and they are sent from endpoints to a central management system or collector where they are typically stored and analyzed. The rest of the answers were made up for this question.

16
Q

Which of the following options is not a valid way to check the status of a service in Windows?

A. Use sc at the command line

B. Use service --status at the command line

C. Use services.msc

D. Query service status via PowerShell

A

Answer:

B. The service --status command is a Linux command. Windows service status can be queried using sc, the Services snap-in for the Microsoft Management Console, or via a PowerShell query.

17
Q

Avik has been asked to identify unexpected traffic on her organization’s network. Which of the following is not a technique she should use?

A. Protocol analysis

B. Heuristics

C. Baselining

D. Beaconing

A

Answer:

D. Protocol analysis, using heuristic (behavior)-based detection capabilities, and building a network traffic baseline are all common techniques used to identify unexpected network traffic. Beaconing occurs when a system contacts a botnet command and control system, and it is likely to be a source of unexpected traffic.

18
Q

Sofia suspects that a system in her datacenter may be sending beaconing traffic to a remote system. Which of the following is not a useful tool to help verify her suspicions?

A. Flows

B. A protocol analyzer

C. SNMP

D. An IDS or IPS

A

Answer:

C. SNMP will not typically provide specific information about a system’s network traffic that would allow you to identify outbound connections. Flows, sniffers (protocol analyzers), and an IDS or IPS can all provide a view that would allow the suspect traffic to be captured.

19
Q

Alex wants to prohibit software that is not expressly allowed by his organization’s desktop management team from being installed on workstations. What type of tool should he use?

A. Whitelisting

B. Heuristic

C. Blacklisting

D. Signature comparison

A

Answer:

A. Whitelisting software prevents software that is not on a preapproved list from being installed. Blacklists prevent specific software from being installed, whereas heuristic and signature-based detection systems focus on behavior and specific recognizable signatures, respectively.

20
Q

Juan wants to see a list of processes along with their CPU utilization in an interactive format. What built-in Linux tool should he use?

A. df

B. top

C. tail

D. cpugrep

A

Answer:

B. The top command in Linux provides an interactive interface to view CPU utilization, memory usage, and other details for running processes. df shows disk usage, tail displays the end of a file, and cpugrep is a made-up command.