Analyzing Network IOCs

Question 1

A sign that an asset or network has been attacked or is currently under attack
▪ Port scan or sweep
▪ Non-standard port usage
▪ Covert channels

Answer 1

Indicator of Compromise

Question 2

A sharp increase in connection requests in comparison with a given baseline

Answer 2

Traffic Spikes

Question 3

An attack that uses multiple compromised hosts (a botnet) to overwhelm a
service with request or response traffic

Answer 3

Distributed Denial of Service (DDoS)

Question 4

Causing a website to crash when a smaller website becomes popular quickly due
to exposure on social sharing sites like Slashdot, Reddit, and Twitter

Answer 4

Slashdot Effect (slashdotting)

Question 5

A means for a network node to advertise its presence and establish a link with
other nodes

Answer 5

Beaconing

Question 6

An adversary’s use of a random delay to frustrate indicators based on regular
connection attempt intervals

Answer 6

Jitter

Question 7

A group communication protocol with networks divided into discrete channels
that are the individual forums used by clients to chat

Answer 7

Internet Relay Chat (IRC)

Question 8

A set of data that describes and gives information about other data

Answer 8

Metadata

Question 9

P2P is the predominant type of user traffic is to and from clients and servers within most networks

Answer 9

P2P

Question 10

o Attack indicator where hosts within a network establish connections over
unauthorized ports or data transfers
o Attacker’s commonly use Server Message Block (SMB) since it is typical within
Windows File/Printer sharing environments

Answer 10

Irregular Peer-to-Peer (P2P) Communication

Question 11

Occurs when an attacker redirects an IP address to a MAC address that was not its
intended destination

Answer 11

ARP Spoofing or ARP Poisoning

Question 12

An unauthorized device or service, such as a wireless access point, DHCP server,
or DNS server, on a corporate or private network that allows unauthorized
individuals to connect to the network

Answer 12

Rogue Devices

Question 13

A process of identifying (and removing) machines on the network that are not
supposed to be there

Answer 13

Rogue System Detection

Question 14

A physical device that is attached to cabling to record packets passing over that
network segment

Answer 14

Network Tap

Question 15

Rogue devices often begin their attack by scanning and sweeping to find other hosts and vulnerabilities

Answer 15

Scans and Sweeps

Question 16

Enumerating the status of TCP and UDP ports on a target system using software
tools

Answer 16

Port Scan

Question 17

Identifying the type and version of an operating system (or server application) by
analyzing its responses to network scans

Answer 17

Fingerprinting

Question 18

A scan directed at multiple IP addresses to discover whether a host responds to
connection requests for particular ports

Answer 18

Sweep

Question 19

Phase of an attack or penetration test in which the attacker or tester gathers
information about the target before attacking it

Answer 19

Footprinting

Question 20

The Internet Assigned Numbers Authority (IANA) maintains a list of well-known
and registered TCP and UDP port mappings

Answer 20

Nonstandard Port Usage

Question 21

Ports 0 to 1023

Answer 21

Well-known Ports

Question 22

Ports 1024 to 49151

Answer 22

Registered Ports

Question 23

Ports 49152 to 65535

Answer 23

Dynamic Ports

Question 24

Communicating TCP/IP application traffic, such as HTTP, FTP, or DNS, over a port
that is not the well-known or registered port established for that protocol

Answer 24

Non-standard Port

Question 25

An attacker opens a listening port that exposes the command prompt on the local
host and connects to that port from a remote host

Answer 25

Shell

Question 26

An attacker opens a listening port on the remote host and causes the infected
host to connect to it

Answer 26

Reverse Shell

Question 27

The process by which an attacker takes data that is stored inside of a private
network and moves it to an external network

Answer 27

Data Exfiltration

Question 28

An attacker uses commercial file sharing services to upload the exfiltrated data
from a victim

Answer 28

HTTP or HTTPS Transfers

Question 29

An adversary may use SQL injection or similar techniques to copy records from
the database to which they should not have access

Answer 29

HTTP Requests to Database Service

Question 30

Use of DNS queries to transmit data out of a network enclave

Answer 30

DNS

Question 31

Use of FTP, instant messaging, peer-to-peer, email, and other obvious file and
data sharing tools

Answer 31

Overt Channels

Question 32

Use of SSH or VPNs to create a tunnel to transmit the data across a given network

Answer 32

Explicit Tunnels