Blueprint

Question 1

CVSS Attack Vector

Answer 1

Attacker proximity.

Local, Adjacent, Network, Physical

Question 2

CVSS Attack Complexity

Answer 2

Special skill needed or not

Question 3

CVSS Privileges required

Answer 3

Permissions attacker needs (None, Low, High)

Question 4

CVSS User Interaction

Answer 4

Whether user must participate for attack to succeed

Question 5

CVSS Scope

Answer 5

Ability to go beyond authorization of vulnerability to other parts.

Question 6

CVSS Rating Scale

Answer 6

0.0 None
.1-3.9 Low
4-6.0 Medium
7-8.9 High
9-10 Critical

Question 7

CVSS Temporal Score

Answer 7

Time based - Vulnerability

Question 8

CVSS Enviro score

Answer 8

Environmental specifics

Question 9

FAT32 Max Size

Answer 9

2TB

Question 10

NTFS supports

Answer 10

Disk Quota
Security & Encryption
Permissions

Question 11

ADS

Answer 11

Alternative Data Streams
Files stored as attributes. $DATA.
Can hide malicious code

Question 12

MACE

Answer 12

Modify, Access, Create, Entry modified attributes of NTFS

Entry modified in MFT

Question 13

EFI (Extensible Firmware Interface)

Answer 13

When computer boots, EFI loads files store on the ESP to start OS and utilities.

Question 14

ESP (part of EFI)

Answer 14

Needs to be formatted with a FAT file system. (Maintained by UEFI)

Question 15

Timestamps on a filesystem

Answer 15

Time event is recorded on a computer (not the time of the event itself).

Question 16

EXT4

Answer 16

Journaling file system for Linux

Question 17

Journaling

Answer 17

Changes to file system recorded in a log

Question 18

MBR

Answer 18

Partition list and boot loader

Question 19

MAC (Message authentication code)

Answer 19

Confirms authenticity of a message (Integrity and authenticity)

(Could be talking about Mandatory access control. not clear)

Question 20

Best evidence

Answer 20

Best available evidence

Question 21

Corroborative evidence

Answer 21

Evidence that supports an assertion

Question 22

Indirect evidence (Circumstantial)

Answer 22

Inference required to support conclusion

Question 23

Altered disk image

Answer 23

Image with compromised integrity

Question 24

Unaltered disk image

Answer 24

Image not tampered with and will provide same hash

Question 25

Attribution

Answer 25

Enough evidence to assign a source

Question 26

Assets priority

Answer 26

Critical, Important, Sensitive

Question 27

Asset priority allows analyst to…

Answer 27

Prioritize responses

Question 28

DM Adversary

Answer 28

Threat actor. (Likely not known)

Question 29

DM Capability

Answer 29

Tools/Techniques used

Question 30

DM Infrastructure

Answer 30

Physical/Logical comms structures used by adversary

Question 31

DM Direction

Answer 31

Where event actions are started from (adversary to victim, etc.)

Question 32

DM Methodology

Answer 32

Class of attack (DOS, Phishing, etc.)

Question 33

DM Resources

Answer 33

SW, HW, money

Question 34

IR Policy elements

Answer 34

Scope, Definition of incidents, Org structure, Prioritization/ratings of incidents, Performance measures, Reporting forms

Question 35

IR Steps (4)

Answer 35

Preperation
Detection and Analysis
Containment, Eradication, and Recovery
Lessons learned

Question 36

Preparation elements

Answer 36

Awareness training
Documentation (CMDB)
RACI

Question 37

Detection and Analysis Elements (3)

Answer 37

Identification (Monitoring and Hunting)

Analysis (Validate the incident following process)

Prioritization

Question 38

Analysis questions (4)

Answer 38

Which systems are affected?
Who/what originated the incident?
Tools or attack methods used?
Vulns exploited?

Question 39

Containment

Answer 39

Hardest and most important decision.

Scope, Device, network reach, speed of containment, speed required

Question 40

Eradication and Recovery

Answer 40

Find root cause of incident and clean it up. Possible restores,

Hardening, Monitoring, other changes.

Question 41

Lessons learned

Answer 41

How and why it happened. Perform FMEA.

Question 42

IH Identification

Answer 42

Monitoring, Hunting, IR activation, contact CERT

Question 43

IH Scoping

Answer 43

Analysis, Prioritization

Question 44

IH Remediation

Answer 44

Eradication and Recovery

Hardening!!!

Question 45

Hardening is part of which IR phase?

Answer 45

E and R

Question 46

IH Reporting

Answer 46

Reporting to internal and external teams.

Question 47

Evidence collection order (3 steps)

Answer 47

Develop plan to acquire data
Acquire the data
Verifying integrity of the data

Question 48

Forensics: When do you prioritize sources to acquire?

Answer 48

During Plan development.

Question 49

Tools needed to collect volatile data?

Answer 49

Forensic tools.

Question 50

Bit stream images

Answer 50

Bit for bit copy that preserves file times

Question 51

Data preservation factors (4)

Answer 51

Legal
Chain of Custody
Examine copy
Preservation

Question 52

Data normalization

Answer 52

Manipulating security event data and fitting it into a common schema

Question 53

Retrospective analysis

Answer 53

Research when outcome is already known

Question 54

Deterministic assessment

Answer 54

Analyst bases assessment on small set of assigned values.

Known data-Single Outcome

Minimum speculation required.

Question 55

Probabilistic assessment

Answer 55

Wide range of probably scenarios of all possible outcomes.

Determines likelihood of an exploit will impact a network.

Less accurate than deterministic.

Question 56

Dynamic analysis (malware)

Answer 56

Study of malware running in controlled environment

Question 57

exFat Facts (3)

Answer 57

Allocation bitmap used
FAT based file system
exFat older than NTFS

Question 58

Data carving

Answer 58

Recovering files from unallocated space

Question 59

Default location for Linux Bootloader

Answer 59

MBR

Question 60

Who can run PCI compliance vulnerability scans?

Answer 60

Qualified employee or vendor with proper creds to perform scan.