Based Security Flashcards

1
Q

are two different types of programs that mitigate exposure to viruses and other types of malicious software. As we already know, all viruses are malware, but not all malware is a virus. This is an important fact, because these programs perform different things

A

Anti-virus and Anti-malware

2
Q

is a software utility that is designed specifically to defend AGAINST viruses, and prevents viruses from infecting or corrupting the system. Antivirus software will frequently scan the system that it is installed on in search of viruses that may have infected it. If any viruses are identified by the antivirus software, it will then take action by quarantining the virus and removing it from the system.

A

Anti-virus

3
Q

software, however, is VERY similar to antivirus software, though as the name suggests its main goal is to defend against ALL MALWARE; this includes viruses, as well as trojans, rootkits, bots, spyware, ransomware, etc.

A

Anti-malware

4
Q

McAfee Internet Security (Anti-Malware Software)

A
  • McAfee provides continuous protection against threats like viruses, ransomware, and even phishing attacks (more accurately, some of the malware that exists within the links and attachments of phishing emails).
  • We can use common processes that are associated with McAfee in order to identify when it is running on a targeted device.
5
Q

are indicators of McAfee running on a targeted device: Processes

A
  • McScript.exe
  • UpdaterUI.exe/UdateUI.exe
  • naPrsMgr.exe
  • FrameworkService.exe
  • Cleanup.exe
  • CmdAgent.exe
  • McScrip_InUse.exe
  • McTray.exe
6
Q

are indicators of McAfee running on a targeted device: Registry Keys

A

HKLM\SOFTWARE\McAfee

7
Q

are indicators of McAfee running on a targeted device: DIR structures / Associated Ports

A

Directory Structures :

C:\Program Files\McAfee\
C:\Program Files\Common Files\McAfeeData
C:\Program Files\Common Files\McAfee

Associated Ports :

Port 6646
Port 8081 (Open if sending logs to ePO server)

8
Q

is an anti-malware and firewall solution, designed specifically for servers and workstations

A

Symantec Endpoint Protection (SEP)

9
Q

The main goal for ________ is to reduce attack surfaces, prevent attacks and breaches, as well as detect and respond to attacks

A

Symantec Endpoint Protection

10
Q

_______ provides flexibility through the ability to be configured as a cloud-based, on-premise or hybrid implementation

A

Symantec Endpoint Protection

11
Q

______________ provides intrusion prevention, file behavior monitoring and defends servers and workstations against malware, to include Zero-Day Attacks

A

Symantec Endpoint Protection

12
Q

indicators of SEP (Anti-Malware Software) running on a targeted device: Processes

A
  • SymCorpUI.exe
  • Semsvc.exe
  • ccSvcHst.exe
  • ccApp.exe
  • LUALL.exe
  • SMC.exe
  • SMCgui.exe
  • Rtvscan.exe
  • LuComServer.exe
  • ProtectionUtilSurrogate.exe
13
Q

SEP DIR structures / Registry Key

A

Directory Structures :

C:\Program Files\Common Files\Symantec Endpoint

Registry Key :

HKLM\SOFTWARE\Symantec\Symantec Endpoint

14
Q

_______ opens various ports depending on enabled features, making it difficult to ID via port scan

A

SEP

15
Q

_______________ is endpoint security software developed by Kaspersky Lab that protects against viruses, trojans, worms, rootkits, keyloggers, man-in-the-middle attacks, sophisticated botnets and other threats to endpoint devices

A

Kaspersky Internet Security

16
Q

_____________ provides proactive detection through frequent scanning, blocks threats before they occur and if it detects an immediate threat, it will then quarantine and remove it from the system. __________________ also prevents email spam, phishing attempts and data leaks

A

Kaspersky Internet Security

17
Q

indicators of Kaspersky Internet Security (Anti-Malware Software) running on a targeted device: Processes

A

Processes:
avp.exe

Kaspersky Internet Security is known to open a port listener on:
Port 1110

18
Q

indicators of Kaspersky Internet Security (Anti-Malware Software) running on a targeted device: Directory / Registry Keys

A

Directory Structure:
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security

Registry Keys:
HKLM\SOFTWARE\KasperskyLab

19
Q

indicators of Kaspersky Internet Security (Anti-Malware Software) running on a targeted device: Kaspersky Internet Security is known to open a port listener on _____

A

Port 1110

20
Q

What type of software protects against viruses, rootkits, trojans, worms and other harmful software?

A

Anti-Malware

21
Q

(True or False) Malware and viruses are synonymous?

A

false

22
Q

______ is any type of hardware that is capable of permitting access to a network. A host can provide this capability through a user interface, specialized software, network address, protocol stack or other means.

A

Host

23
Q

Because of the increase in attack surfaces on hosts, network engineers and administrators, and the network security/cybersecurity industry as a whole, have had to protect against these threats; today many host devices on a network utilize ___________ and ____________

A

Host-Based Intrusion Detection Systems (HIDS) and Host-Based Intrusion Prevention Systems (HIPS)

24
Q

monitor and analyze the internal operations of the system they are installed on, analyze the traffic on its network interfaces and log any malicious behavior they identify. HIDS provide deep visibility into the happenings of critical systems.

A

Host-Based Intrusion Detection Systems

25
Q

______ solely identify malicious behavior and DO NOT act on this information in a capacity that would prevent an attack from occurring, hence the name “Intrusion Detection”

A

HIDS

26
Q

(also sometimes referred to as end-point security) essentially play a very similar role to their HIDS counterparts, and that is for good reason.

A

Host-Based Intrusion Prevention Systems

27
Q

______ will also monitor, log and alert on malicious behavior that occurs on a system, like a HIDS would; the key difference, though, is that the HIPS attempts to block intrusions and limit damage to the system, and then reports the intrusion attempts

A

HIPS

28
Q

is a type of software security solution that aggregates log and event data generated from live IDS and IPS data, organization applications, security devices and host systems, and brings it into a centralized location.

A

Security Information and Event Management (SIEM)

29
Q

The ______ sorts this aggregated information into various categories, such as malware activity and failed/successful logins.

When the _____ identifies anything that deviates from normal behavior, it will send an alert and suggests appropriate actions to remediate the possible threat.

Numerous functions built into _____, like incident management, reporting and dashboards provide a comprehensive view of the overall security of the environment.

A

SIEM

30
Q

What security device or application provides management, reporting and dashboards that give a comprehensive view of the overall security of the environment?

A

SIEM

31
Q

(True or False) Host-Based Intrusion Detection Systems include threat remediation countermeasures?

A

false

32
Q

To defend the network against threats, network engineers and administrators utilize ____________ and ___________

A

Network-Based Intrusion Detection Systems (NIDS) and Network-Based Intrusion Prevention Systems (NIPS).

33
Q

_______________________ are passive devices that typically require a promiscuous network and monitor and analyze all traffic on a network, to include unicast traffic, searching for any malicious activity.

A

Network-Based Intrusion Detection Systems (NIDS)

34
Q

Because ______ are passive in their security role they might sit on the inner side of the network firewall, on the DMZ, or on the WAN side.

When placed either on the DMZ or the inner network, it will make less noise.

On a typical network, _____ sniffs the internal interface of the firewall in read-only mode and sends an alert to the _____ server on a different network interface if it detects malicious or suspicious activity. It does NOT act on this information.

A

NIDS

35
Q

are far more active in their approach to network security.

A

Network-Based Intrusion Prevention Systems (NIPS)

36
Q

Upon detecting malicious or suspicious activity, ______ will take an active role in an effort to secure the network.

______ is considered an inline security solution because it sits between the firewall and the rest of the network.

The _____ provides a defensive layer of protection, in addition to the firewall, not instead of it.

If the ____ identifies suspicious or malicious activity that matches a signature or anomaly, the ____ will then shoot down the traffic by forging TCP RST segments to the source/destination, or by sending ICMP port, host or network unreachable messages to the source.

A

NIPS

37
Q

(True or False) NIDS are considered an inline network security solution?

A

false

38
Q

What type of network security device sits between the firewall and the rest of the network?

A

either

39
Q

Most IDSs utilize central monitoring systems and network sensors that communicate over various ports. These ports are key to enumerating IDSs and to possibly identifying the different types of IDS that are implemented within a target device or operate on a target network.

A

Intrusion Detection System Enumeration

40
Q

The known associated/common port numbers for an IDS can provide great insight as to what IDSs a target may be using on their devices and/or network.

When you run a port scan on a target, the results can be cross-referenced with these known associated ports in order to enumerate and identify the IDS that is running on the target's infrastructure.

A

Intrusion Detection System Enumeration

41
Q

Intrusion Detection System Enumeration (image)

A

Note: Everything to the left of the firewall is considered to be “Public Facing”. Everything on the other side is the private network. The Internal security devices, on both the network and

42
Q

What can be used to enumerate IDSs that may be used by a target?

A

ports

43
Q

Conducting what activity can allow for the enumeration and identification of the type of IDS used by a target?

A

port scanning

44
Q

IDS Evasion Techniques:

  • The first evasion technique is a basic one, ________.
  • The basic core function of any _____ attack is to simply deny service. The goal specifically for evading IDS/IPS devices is to overload and ideally crash the device, rendering it ineffective and no longer able to identify or prevent an intrusion.
  • If it doesn’t work, it can’t find us!
A

Denial of Service (DoS)

45
Q

___________ takes place when a malicious packet is accepted by the target host but is rejected by the IDS. There are multiple types of evasion attacks, namely Fragmentation, Established, Pattern Change, Out-of-Order Sequencing, and Obfuscation.

A

Evasion

gets to the host; IDS didn’t catch it, but the IDS would have rejected

46
Q
  • IDSs compare exploits with a well-known exploit signature. In order to evade the IDS, an attacker can break up an exploit into fragmented frames.
  • IDSs do not typically have enough memory storage to adequately store the packets and/or reassemble them when comparing against a known signature. This vulnerability allows packets to get through.
A

Fragmentation

47
Q

IDS Evasion Techniques:

  • This technique manipulates the three-way handshake when establishing a connection with a target. The attacker will initiate the handshake with the SYN flag set, while also including part of the attack payload. When the attacker completes the handshake, the rest of the payload is then sent in the next packet.
  • In this example, the IDS did not pick up the data in the initial packet; instead the target host stored it. The target then receives the rest of the payload and reassembles the attack payload in its entirety. This allows the payload to reach the target without tripping the IDS.
A

Established

48
Q

IDS Evasion Techniques:

  • IDSs store pieces of known exploit signatures that they use to compare against and match any exploits that they may detect.
  • The rules for these known exploit signatures are usually open-source.
  • Attackers can use this information to modify these known signatures in such a way that the exploit is undetectable when the IDS compares it against a known signature, while still carrying out the effects of the original exploit.
A

Pattern Change

49
Q

IDS Evasion Techniques:

  • The TCP sequence and acknowledgment numbers let the IDS know that packets are received and reassembled in the appropriate order.
  • The _____________ technique seeks to evade the IDS by sending the exploit out of order.
  • If the IDS is unable to reassemble the out-of-sequence packets into the appropriate order, it is not able to compare the exploit with a known signature.
A

Out-of-Order Sequencing

50
Q

IDS Evasion Techniques:

  • The goal of obfuscation is to encapsulate an exploit with Unicode, encryption, or ASCII shellcode and mask it within the application.
  • This method is typically used in web server attacks, where the exploit is submitted through the URL.
  • IDSs cannot decode hex-equivalent characters within the URL, effectively masking the exploit and allowing it to go undetected.
A

Obfuscation

51
Q

Obfuscation works as an evasion technique because IDSs cannot decode what?

A

hex equivalent characters within the URL

52
Q

What type of attack takes place when a malicious packet is accepted by the target host, but is then rejected by the IDS?

A

evasion