Blueprint Flashcards

1
Q

CVSS Attack Vector

A

Attacker proximity.

Local, Adjacent, Network, Physical

2
Q

CVSS Attack Complexity

A

Whether special skill or conditions are required to exploit (Low or High)

3
Q

CVSS Privileges required

A

Permissions attacker needs (None, Low, High)

4
Q

CVSS User Interaction

A

Whether user must participate for attack to succeed

5
Q

CVSS Scope

A

Whether exploiting the vulnerability can affect components beyond the vulnerable component's own authorization scope.

6
Q

CVSS Rating Scale

A
0.0 None
0.1-3.9 Low
4.0-6.9 Medium
7.0-8.9 High
9.0-10.0 Critical
7
Q

CVSS Temporal Score

A

Score components for a vulnerability that change over time.

8
Q

CVSS Environmental Score

A

Score adjusted for the specifics of the deploying organization's environment.

9
Q

FAT32 Max Size

A

2TB

10
Q

NTFS supports

A

Disk Quota
Security & Encryption
Permissions

11
Q

ADS

A

Alternate Data Streams
NTFS stores file contents as $DATA attributes, and a file can carry more than one such stream.
Extra streams can hide malicious code.

12
Q

MACE

A

Modified, Accessed, Created, Entry modified: the NTFS timestamp attributes.

"Entry modified" is the time the file's record in the MFT was last changed.

13
Q

EFI (Extensible Firmware Interface)

A

When the computer boots, EFI loads files stored on the ESP (EFI System Partition) to start the OS and utilities.

14
Q

ESP (part of EFI)

A

Must be formatted with a FAT file system. (Maintained by the UEFI firmware.)

15
Q

Timestamps on a filesystem

A

The time the event was recorded on the computer, not necessarily the time the event itself occurred.

16
Q

EXT4

A

Journaling file system for Linux

17
Q

Journaling

A

Changes to the file system are recorded in a log before being committed.

18
Q

MBR

A

Partition table and boot loader

19
Q

MAC (Message authentication code)

A

Confirms authenticity of a message (Integrity and authenticity)

(Could be talking about Mandatory access control. not clear)

20
Q

Best evidence

A

Best available evidence

21
Q

Corroborative evidence

A

Evidence that supports an assertion

22
Q

Indirect evidence (Circumstantial)

A

Evidence that requires inference to support a conclusion

23
Q

Altered disk image

A

Image with compromised integrity

24
Q

Unaltered disk image

A

Image that has not been tampered with; it produces the same hash as the original.

25
Attribution
Enough evidence to assign a source
26
Asset priority
Critical, Important, Sensitive
27
Asset priority allows analyst to...
Prioritize responses
28
DM (Diamond Model) Adversary
Threat actor. (Likely not known)
29
DM Capability
Tools/Techniques used
30
DM Infrastructure
Physical/Logical comms structures used by adversary
31
DM Direction
Where the event's actions originate from (adversary to victim, victim to adversary, etc.)
32
DM Methodology
Class of attack (DOS, Phishing, etc.)
33
DM Resources
SW, HW, money
34
IR Policy elements
Scope | Definition of incidents | Org structure | Prioritization/ratings of incidents | Performance measures | Reporting forms
35
IR Steps (4)
Preparation | Detection and Analysis | Containment, Eradication, and Recovery | Lessons Learned
36
Preparation elements
Awareness training | Documentation (CMDB) | RACI
37
Detection and Analysis Elements (3)
Identification (Monitoring and Hunting) | Analysis (Validate the incident following process) | Prioritization
38
Analysis questions (4)
Which systems are affected? | Who/what originated the incident? | What tools or attack methods were used? | What vulnerabilities were exploited?
39
Containment
Hardest and most important decision. Factors: scope, device, network reach, speed of containment, and speed required.
40
Eradication and Recovery
Find the root cause of the incident and clean it up. May include restores, hardening, monitoring, and other changes.
41
Lessons learned
Determine how and why it happened. Perform FMEA (Failure Mode and Effects Analysis).
42
IH Identification
Monitoring, Hunting, IR activation, contact CERT
43
IH Scoping
Analysis, Prioritization
44
IH Remediation
Eradication and Recovery | Hardening!!!
45
Hardening is part of which IR phase?
Eradication and Recovery
46
IH Reporting
Reporting to internal and external teams.
47
Evidence collection order (3 steps)
Develop a plan to acquire the data | Acquire the data | Verify the integrity of the data
48
Forensics: When do you prioritize sources to acquire?
During plan development.
49
Tools needed to collect volatile data?
Forensic tools.
50
Bit stream images
Bit-for-bit copy that preserves file timestamps
51
Data preservation factors (4)
Legal | Chain of custody | Examine a copy | Preservation
52
Data normalization
Transforming security event data to fit a common schema
53
Retrospective analysis
Research performed when the outcome is already known
54
Deterministic assessment
Analyst bases the assessment on a small set of assigned values. Known data, single outcome, minimal speculation required.
55
Probabilistic assessment
Wide range of probable scenarios covering all possible outcomes. Determines the likelihood that an exploit will impact a network. Less accurate than deterministic assessment.
56
Dynamic analysis (malware)
Study of malware while it runs in a controlled environment
57
exFAT Facts (3)
Uses an allocation bitmap | FAT-based file system | exFAT is older than NTFS
58
Data carving
Recovering files from unallocated space
59
Default location for Linux Bootloader
MBR
60
Who can run PCI compliance vulnerability scans?
A qualified employee or vendor with the proper credentials to perform the scan.