Analyzing Network IOCs Flashcards

1
Q

A sign that an asset or network has been attacked or is currently under attack
▪ Port scan or sweep
▪ Non-standard port usage
▪ Covert channels

A

Indicator of Compromise

2
Q

A sharp increase in connection requests in comparison with a given baseline

A

Traffic Spikes

3
Q

An attack that uses multiple compromised hosts (a botnet) to overwhelm a
service with request or response traffic

A

Distributed Denial of Service (DDoS)

4
Q

Causing a website to crash when a smaller website becomes popular quickly due
to exposure on social sharing sites like Slashdot, Reddit, and Twitter

A

Slashdot Effect (slashdotting)

5
Q

A means for a network node to advertise its presence and establish a link with
other nodes

A

Beaconing

6
Q

An adversary’s use of a random delay to frustrate indicators based on regular
connection attempt intervals

A

Jitter

7
Q

A group communication protocol with networks divided into discrete channels
that are the individual forums used by clients to chat

A

Internet Relay Chat (IRC)

8
Q

A set of data that describes and gives information about other data

A

Metadata

9
Q

P2P contrasts with the predominant type of user traffic, which is to and from clients and servers within most networks

A

P2P

10
Q

▪ Attack indicator where hosts within a network establish connections over
unauthorized ports or perform unauthorized data transfers
▪ Attackers commonly use Server Message Block (SMB) since it is typical within
Windows file/printer sharing environments

A

Irregular Peer-to-Peer (P2P) Communication

11
Q

Occurs when an attacker redirects an IP address to a MAC address that was not its
intended destination

A

ARP Spoofing or ARP Poisoning

12
Q

An unauthorized device or service, such as a wireless access point, DHCP server,
or DNS server, on a corporate or private network that allows unauthorized
individuals to connect to the network

A

Rogue Devices

13
Q

A process of identifying (and removing) machines on the network that are not
supposed to be there

A

Rogue System Detection

14
Q

A physical device that is attached to cabling to record packets passing over that
network segment

A

Network Tap

15
Q

Rogue devices often begin their attack by scanning and sweeping to find other hosts and vulnerabilities

A

Scans and Sweeps

16
Q

Enumerating the status of TCP and UDP ports on a target system using software
tools

A

Port Scan

17
Q

Identifying the type and version of an operating system (or server application) by
analyzing its responses to network scans

A

Fingerprinting

18
Q

A scan directed at multiple IP addresses to discover whether a host responds to
connection requests for particular ports

A

Sweep

19
Q

Phase of an attack or penetration test in which the attacker or tester gathers
information about the target before attacking it

A

Footprinting

20
Q

The Internet Assigned Numbers Authority (IANA) maintains a list of well-known
and registered TCP and UDP port mappings

A

Nonstandard Port Usage

21
Q

Ports 0 to 1023

A

Well-known Ports

22
Q

Ports 1024 to 49151

A

Registered Ports

23
Q

Ports 49152 to 65535

A

Dynamic Ports

24
Q

Communicating TCP/IP application traffic, such as HTTP, FTP, or DNS, over a port
that is not the well-known or registered port established for that protocol

A

Non-standard Port

25
Q

An attacker opens a listening port that exposes the command prompt on the local
host and connects to that port from a remote host

A

Shell

26
Q

An attacker opens a listening port on the remote host and causes the infected
host to connect to it

A

Reverse Shell

27
Q

The process by which an attacker takes data that is stored inside of a private
network and moves it to an external network

A

Data Exfiltration

28
Q

An attacker uses commercial file sharing services to upload the exfiltrated data
from a victim

A

HTTP or HTTPS Transfers

29
Q

An adversary may use SQL injection or similar techniques to copy records from
the database to which they should not have access

A

HTTP Requests to Database Service

30
Q

Use of DNS queries to transmit data out of a network enclave

A

DNS

31
Q

Use of FTP, instant messaging, peer-to-peer, email, and other obvious file and
data sharing tools

A

Overt Channels

32
Q

Use of SSH or VPNs to create a tunnel to transmit the data across a given network

A

Explicit Tunnels