Book 3 Flashcards

Enlisted Information Warfare Specialist Command Specific

1
Q

Active Directory Users and Computers Definition

A

stores users and accounts

2
Q

Certificates Definition

A

Used with CAC, allows access to certain sites

3
Q

Event Viewer Definition

A

Monitor events on the local computer such as logon, open applications, etc.

4
Q

Computer Management Definition

A

Create local users and groups, look at logs, shared folders

5
Q

Security Templates Definition

A

Security templates provide standard security settings to use as a model for your security policies. They help you troubleshoot computers whose security policies are not in compliance with policy or are unknown. Security templates are inactive until imported into a Group Policy object or the Security Configuration and Analysis snap-in to MMC.

6
Q

IP Security Policies Definition

A

Internet Protocol Security (IPSec) is a framework of open standards for ensuring private, secure communications over Internet Protocol (IP) networks, through the use of cryptographic security services. IPSec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. The Microsoft implementation of IPSec is based on standards developed by the Internet Engineering Task Force (IETF) IPSec working group.

7
Q

Describe Group Policy in Active Directory. (FIX)

A

Exchange Server, “New Distro Group”, “Add Members” Security Group (settings, file access) vs. Distro Group (mailing list)
a. Group Policy Applications for security
b. Group Policy applications to local, global, and universal security groups
c. Recommended security structure for group policy design
d. Use of the “No Over-ride” option for group policy

8
Q

Describe the importance of enforcing a strong password policy.

A

Given enough encrypted data, time, and computing power, attackers can compromise almost any cryptographic system. You can prevent such attackers from succeeding by making the task of cracking the password as difficult as possible. Two key strategies to accomplish this are to require users to set complex passwords and to require users to change their passwords periodically, so that attackers do not have sufficient time to crack the complex encryption code.

9
Q

Complex Passwords

A

You should set password policy to require complex passwords, which contain a combination of uppercase and lowercase letters, numbers, and symbols, and are typically a minimum of seven characters long or more for all accounts, including administrative accounts, such as local administrator, domain administrator, and enterprise administrator.

10
Q

Discuss the configuration of password policy through Group Policy, including minimum password length, maximum password age, password history length, minimum password age, and password complexity requirements.

A

NCDOC utilizes Active Directory Users and Computers (ADUC) which allows administrators to set the password policy for the entire command. NCDOC currently requires the use of 15 characters to include upper case, lower case, numbers and special characters.

11
Q

Define “Account Lockout Policy”.

A

Stays locked until manually unlocked by Systems. Three incorrect tries and your password “locks out” your account.

12
Q

Describe the issues surrounding an account lockout policy.

A

The main issue surrounding an account lockout policy is that if your account is locked out after N61 working hours and you are deemed essential personnel, you will have to contact the BWC and have him or her call the duty I.T. to come in and unlock your account. If your account is locked out during working hours, a coworker will have to submit a trouble ticket for you to have your account unlocked.

13
Q

Discuss the configuration of account lockout policy through Group Policy, including lockout threshold, lockout duration, and bad password count reset interval.

A
1. The configuration of account lockout policy is automatically carried out by Group Policy. If you enter the wrong password 3 times, your account will automatically be locked out and require a technician to manually unlock it.
2. Lockout threshold refers to the number of failed sign-in attempts that will cause a user account to be locked.
3. Lockout duration determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it.

14
Q

Network redundancy

A

The process through which additional or alternate instances of network devices, equipment and communication media are installed within the network infrastructure. It is a method for ensuring network availability in case of a network device or path failure or unavailability. As such, it provides a means of network failover.

15
Q

File Servers

A

In computing, a file server is a computer attached to a network that has the primary purpose of providing a location for shared disk access, i.e. shared storage of computer files (such as documents, sound files, photographs, movies, images, databases, etc.) that can be accessed by the workstations.

16
Q

Exchange

A

Microsoft Exchange Server is a calendaring and mail server developed by Microsoft that runs exclusively on the Microsoft Windows Server product line.

17
Q

Domain controllers

A

On Microsoft Servers, a domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, etc.) within a Windows domain. A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with the use of a single username and password combination.

18
Q

Differential Backup:

A

Differential backups are completed nightly.

19
Q

Incremental Backup:

A

Not completed at NCDOC.

20
Q

Full Backup:

A

Weekly with the exception of SQL(Daily) and Exchange (2 times a week).

21
Q

Network media used at NCDOC:
Fiber optic and the type of associated connectors:

A

Fiber optic for classified
SC Duplex (Standard Connector x 2), ST (Straight Tip), LC Duplex (Lucent Connector x 2), MTRJ (Mechanical Transfer Registered Jack)

22
Q

Network media used at NCDOC:
Cat 6

A

Unclassified

23
Q

Network media used at NCDOC:
RJ45

A

Used for phones. An 8-pin/8-position plug or jack that is commonly used to connect computers to Ethernet-based local area networks (LANs). Two wiring schemes, T568A and T568B, are used to terminate the twisted-pair cable onto the connector interface. RJ45 is the medium often used for unclassified use.

24
Q

What is the IEEE standard associated with PNAC?

A

802.1x

25
Q

What layer does it work on?

A

Network

26
Q

Explain how Persistent MAC Learning (Sticky MAC) works.

A

Persistent MAC learning, also known as sticky MAC, is a port security feature that enables an interface to retain dynamically learned MAC addresses when the switch is restarted or if the interface goes down and is brought back online.

27
Q

What is an ISP?

A

Internet Service Provider. NCDOC's ISP is COX.

28
Q

What is VPN?

A

Virtual Private Network

29
Q

State the purpose of the following Enclaves (Non Attrib (COX))

A

Non Attrib (Cox) – Research and development

30
Q

State the purpose of the following Enclaves Poison & Forensics

A

Investigate

31
Q

State the purpose of the following Enclaves (SIPR)

A

Classified

32
Q

State the purpose of the following Enclaves (NIPR)

A

Unclassified

33
Q

How do you authenticate over VPN?

A

RSA Token

34
Q

What is a STIG?

A

Security Technical Implementation Guide is a configuration standard consisting of cybersecurity requirements for a specific product. The use of STIGs enables a methodology for securing protocols within networks, servers, computers, and logical designs to enhance overall security.

35
Q

Explain the purpose and location of COOP.

A

COOP planning is an effort to assure that the capability exists to continue essential agency functions across a wide range of potential emergencies. Washington DC

36
Q

Describe the process for creating a PBI/PKE ticket.

A

a. AS&W create CER.
b. IH verifies the CER’s validity and generates a PBI or PKE in ITSM based on the exploit.

37
Q

List the different types of Incident Report Record Messages and state the purpose of each

A

a. General
b. IP Resolution
c. DCO Open/Close
d. Ship’s Update
e. DINQ
f. Phishing w/ Attachment

38
Q

Incident Handling Methodology Phases.
Post Incident Activity

A

Lessons learned

39
Q

Incident Handling Methodology Phases.
Recovery

A

Restore to baseline

40
Q

Incident Handling Methodology Phases.
Eradication

A

Re-provision asset, delete email from Exchange server

41
Q

Incident Handling Methodology Phases
Containment

A

Remove media from network, disable account

42
Q

Incident Handling Methodology Phases
Analysis

A

Log/Media/Malware RFIs, PCAP

43
Q

Incident Handling Methodology Phases
Preparation

A

Secure/Patch Network

44
Q

Incident Handling Methodology Phases
Detection

A

IDS/IPS, Scans

45
Q

Explain the information contained in CER Reports:
Early Indicator & Warning Report (EI&W)

A

Activity that could lead to further issues

46
Q

Explain the information contained in CER Reports:
Intrusion Detection System (IDS)

A

Alerts received from IDS

47
Q

Explain the information contained in CER Reports.
NSA/CSS Threat Operations Center (NTOC)

A

Activity seen around the GIG.

48
Q

Define the three Mission Assurance Categories (MAC levels).
MAC 1(Vital)

A

Loss of primary mission capability (mission critical)

49
Q

Define the three Mission Assurance Categories (MAC levels)
MAC 2 (Important)

A

Loss of secondary mission capability (redundancy/services)

50
Q

Define the three Mission Assurance Categories (MAC levels)
MAC 3 (Necessary)

A

Loss of End-User Access (workstation)

51
Q

Containment

A

The host(s) have been identified and need to be removed from the network, logically isolated, re-imaged or otherwise restricted.

52
Q

Incident Response Plan

A

This plan is provided as a tool to assist commands with detection, analysis, containment, eradication, and recovery from possible computer compromise during a Category 1 or 2 incident.

53
Q

NCDOC Timeline for investigation updates

A

Update message on SIPR within 24 hours, next 24 hours: DINQ to ISIC, following 24 hours: go up chain of command, Report to DCOWO.

54
Q

State the importance of containment measures/procedures.

A

Knowledge of the type of malware or exploit being employed on a host or user account that is compromised to determine the mitigation measures necessary.

55
Q

Identify the difference in containment measures for Category 7 incidents compared to Category 2 Incidents.

A

Cat 2 must be mitigated faster because it grants unauthorized privileges.

56
Q

Discuss what should be considered when determining the best method to eradicate a threat.

A

a. Type of system.
b. Type of malicious logic.

57
Q

Explain why different types of incidents will have different eradication procedures.

A

Recovery of servers differs from recovery of workstations.

58
Q

Describe several factors that should be considered during the recovery phase.

A

Whether to patch, wipe, image, reset accounts, etc.

59
Q

List the steps necessary after receiving the final report from a Command.

A

a. Review target IP and source IP
b. Host affected seek required information updates
c. Antivirus updated within the last 7 days
d. Make ready for lead
e. Lead QCs
f. Ready for QC
g. QC closes or fixes ticket

60
Q

List possible reasons a Navy command may be disconnected from the Department of Defense Information Network (DODIN).

A

Non-compliance, Non-Responsiveness, Outbreak (>30% of network affected)

61
Q

Describe the following Cat Event:
DNS Beaconing

A

???

62
Q

Describe the following Cat Event:
TOR/Proxy Routers

A

???

63
Q

Describe the following Cat Event :
P2P

A

???

64
Q

Describe the following Cat Event :
Unauthorized Software

A

???

65
Q

Describe the following Cat Event :
Black Hole/IP Block violations – URL/IP list

A

???

66
Q

Locate the status of an open ticket in ITSM.

A

Review status log.

67
Q

Explain the difference between an Incident and an Event.

A

a. Event – An observable occurrence on a network (logins, open applications, etc.)
b. Incident – An observable occurrence on a network that’s malicious in nature.

68
Q

Terms applying to Malware: Buffer Overflow

A

Overloads memory causing crashes

69
Q

Terms applying to Malware: Worm

A

Self-replicating

70
Q

Terms applying to Malware: Logic Bomb

A

Set to go off at a set time or after a set event

71
Q

Terms applying to Malware: Spear Phishing

A

Social engineering

72
Q

Terms applying to Malware: Trojan Horse

A

Hidden in other application

73
Q

Terms applying to Malware: Denial of Service

A

Stops network usage

74
Q

Terms applying to Malware: Root Kit

A

Grants Admin privileges

75
Q

Explain the difference between a virus and a worm.

A

Virus requires a program to execute, worm is self-replicating.

76
Q

Discuss the following virus propagation mechanisms.

A

a. Removable storage – USB
b. Email – Attachments
c. Instant Messaging – Links/URLs
d. Network – Worms

77
Q

Describe the following virus infection vectors:
Polymorphism

A

a. Polymorphism – Changes characteristics to avoid detection
b. Metamorphism – Changes its code to an equivalent one, but never remains constant.
c. Macro Virus – Embedded within scripts
d. Companion Virus – Virus which replaces a program and is executed when the user executes the program
e. Antivirus Deactivation – Disables the antivirus on the host.

78
Q

Describe the following virus infection vectors:
Antivirus Deactivation

A

Disables the antivirus on the host.

78
Q

Describe the following virus infection vectors:
Companion Virus

A

Virus which replaces a program and is executed when the user executes the program

78
Q

Describe the following virus infection vectors:
Metamorphism

A

Changes its code to an equivalent one, but never remains constant.

78
Q

Describe the following virus infection vectors:
Macro Virus

A

Embedded within scripts

79
Q

Explain what occurs during a buffer overflow.

A

Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program operates.

80
Q

Explain and define the following terms

A

a. Media-based Vulnerabilities – USB, External Hard Drive, etc.
b. Network Device Vulnerabilities – IDS, Routers, etc.

81
Q

Describe the mission of the QC Cell.

A

Grade IH Technicians, Quality Control, Close out tickets, fix mistakes

82
Q

Identify the information contained in each of the required fields of an ITSM ticket.
State the importance of the information. This may be done with the aid of ITSM.

A

a. Category (MANDATORY FIELD): The category field assigns a category to the incident IAW CJCSM 6510.01B Enclosure B Appendix A. Click on the dropdown arrow and select the appropriate category for the incident. Refer to Table 3-1 to determine which category an incident will be assigned.
Incident Status (MANDATORY FIELD): The incident status field offers four choices. All new tickets have “Investigating” selected as the default choice. The other three choices are only used when closing a ticket.
b. PLA (MANDATORY FIELD): The Plain Language Address (PLA) of the command can be selected by clicking on the dropdown arrow. The field next to the PLA is the COCOM for the selected PLA. This field is automatically filled in by NCD.
c. Assigned To (MANDATORY FIELD): This field assigns the ticket to a specific individual or group. Newly created tickets will be assigned to the Initial QC (IQC) queue for Mission Management QC. Mission Management (MM) personnel will perform IQC, and assign the ticket to the appropriate IH Journeyman (Lead)/Assistant of an IH Watch Cell, based on preferred contact time and equal distribution of tickets. Reference IH SOP-02-3 Appendix “N”.
d. Status (MANDATORY FIELD): Defines the current status of the NCD ticket.
e. Exploit (MANDATORY FIELD): This field is automatically filled out after the Exploit Name is selected.
f. Exploit Name (MANDATORY FIELD): Selecting the dropdown arrow will bring up a list of exploit categories. Further selecting a category will bring up a list of specific exploits for that category. Next to the exploit name field is the view mitigation button. This button will bring up a pop-up window that lists the mitigated actions that must be completed for that ticket prior to closure. Once an exploit name is selected the Exploit field and the Mitigated Actions field will be populated.
g. Name Set Related / Webmail Related? (MANDATORY FIELD): Denotes whether or not the reported activity may be related to previous activity attributed to name set actors. The original report should state if the activity is PNS.

83
Q

Draft a record message for a command using a report and the record message template. This may be done using a practice report without releasing the message.

A

3.0 Locate the correct message template on the share drive.
3.1 Once the correct message template has been located, open the document, copy the message, and paste it into Notepad for editing, review and transfer to the IH Journeyman and CTF 1020 BWC/ABWC. IMPORTANT: No line of text can be longer than 69 characters.
3.2 Complete the message by filling in the following information in the message template:
3.2.1 Fill in the command’s PLA in the “To:” line. If you do not know the PLA you can verify it in Navy CIRT (Computer Incident Response Team) Database (NCD), Distributed Plain Language Verification System (DPVS) or the Standard Navy Distribution List (SNDL). DPVS can be located on SIPRNet in the Incident Handling Division folder.
3.2.2 Fill in the PLA for command’s ISIC. Again, if you are not sure of the PLA for the command’s ISIC, you can verify it in VRAM.
3.2.3 If necessary, fill in the PLA for the command’s Carrier Strike Group or Expeditionary Strike Group. This will be placed above the command’s ISIC.
3.2.4 Complete the subject line by adding the exploit and exploit name for the activity. This information can be found in the NCD ticket.
3.2.5 Complete REF D by adding the following information:
3.2.5.1 Ensure the proper reference type is selected. By default, it should be DOC. But if the activity was reported in a message, ensure that the reference type is changed to GENADMIN.
3.2.5.2 Insert the PLA of the originator of the report (e.g., for NCDOC CERs insert NAVCYBERDEFOPSCOM SUFFOLK VA; for a NETWARCOM (NNWC) Initial Incident Report (IIR), insert COMNAVNETWARCOM SUFFOLK VA).
3.2.5.3 Insert the date the report was produced in DDMMMYYYY format.
3.2.5.4 Insert the report number in the designated area.
3.2.6 If more than one REF is needed, add the information for the additional refs in new lines, starting with REF E.
3.2.7 At the end of the narrative (NARR) ensure the information for REF D (and any additional references) is complete and correct.
3.2.8 In paragraph 2 of the message body, add all pertinent information about the activity to include: Command PLA, NCD number, Navy Host IP, Navy Host Port, Date/Time of Activity (DDMMMYYYY/HHMMZ format), Non-DoD IP, Non-DoD Port, and Associated Activity.
3.2.9 For standard messages, insert the verbiage of the opening statement into paragraph 3 of the message body.
3.2.10 Once the message has been drafted, it is required to be reviewed by the IH Apprentice who drafted it to ensure accuracy.

84
Q

Review an open PBI/PKE ticket. Be able to state what actions the command would need to take to bring the ticket to closure.

A

4.1 Start by opening the ticket and the final report, then go to the incident tab and open up the incident window for that ticket. Ensure each field is filled out as described below.
1) Attack Vector: When closing a ticket, select the correct option for identifying how the activity occurred.
2) Why: When closing a ticket, select the options which correlate to the ticket by referring to Table 4-2. Although one option from each category can be selected, only one option from one category needs to be selected. Unsuccessful attempt tickets must be marked “N/A” for each category.
3) Impact: Use Table 4-3 to determine what impact level will be selected. This will be based off of the man hours lost portion of the final report submitted by the command.
4) Action Taken: Use Table 4-4 for guidance on selecting the correct option while a ticket is in the process of closure.
5) Operational Impact: Operational impact should correspond with the MAC level of the affected host. For attempted access (CAT-3) and/or any NCD tickets where host(s) are unaffected, the operational impact will always remain Low in the NCD Ticket.
6) Incident Start Date: Remedy uses ZULU for the Incident Start Date; if the report does not list the time in ZULU, convert accordingly.
7) Incident Stop Date: Remedy uses ZULU for the Incident Stop Date; if the report does not list the time in ZULU, convert accordingly.
8) Additional Comments: Ensure the closing statement is added to the additional comments field. Refer to SOP OPS 02-5 Appendix B Enclosure 3 for information on writing closing statements.
9) Command Hours Lost: Refer to the command hours lost field of the final report to get this number. A minimum value of 1.00 must be entered.
10) Additional Comments: Ensure that the opening statement is here. The closing statement will also be placed in this field.
Once the Incident Tab has been completed, click “Save”, then “Close”. You are now ready to complete all fields under the Source IP Tab.
4.2 SOURCE IP TAB CLOSURE
Verify that all information was inserted into the source IP tab IAW Section 3.5. Once all of these fields have been completed, click “Save” and “Close” to ensure all information has been saved in the ticket. Now the IH Apprentice must complete all fields listed under the “Target IP” Tab.
4.3 TARGET IP TAB CLOSURE
Verify all information in the Target IP tab. Any information about an IP reported in a command’s final report must be updated in the tab. Any additional IPs included in the final report must have new Target IP tabs added. When these fields are filled out, click on the “SAVE” button.
4.4 POC TAB CLOSURE
Once the POC Tab has been selected, there should be at least one entry in this field. Verify the POC on the final report form matches this entry. If the entry does not match, the POC listed on the final report will need to be added to this field.
To add a POC:
1) Select “Add/Edit POC” from the NCD Home page.
2) Insert the POC information provided. At a minimum, Last Name, First Name, Email, Phone Number, and PLA must be added.
3) Click “Save” to add POC to NCD.
4) Within the NCD ticket, select the POC tab and click on “Add POC”.
5) From the dropdown list on the right, scroll to the last name of the POC. Once the last name has been reached, select the first name of the POC.
6) Click “Save” and then “Close”.
4.5 Ticket CLOSURE
Once all Tabs have had the information added and updated, the main page of the NCD ticket can be prepared for closure.
Ensure that the ticket currently has no RFIs pending resolution and the Action Required is completed.
1) Draft a closing statement that describes the mitigated actions that the command conducted to remediate the issue. Guidance on closing statements can be found in SOP OPS 02-5 Appendix B Enclosure 3. The closing statement will then be placed into the “Status Log” and “Logs” fields, then click on the save button. Open the incident tab and place the closing statement into the “Additional Comments” field also, then save and close the incident tab. IAVM Status comments cover the affected box only, and the Anti-Virus statement must be verified current within 7 days.
2) Back on the main page of the ticket, select the appropriate “Category” that corresponds to the final results of the investigation.
3) Next, select the appropriate “Incident Status” for the closing of the ticket. The only statuses that can be selected for closing a ticket are “Explained Anomaly”, “Confirmed”, and “Unsuccessful Attempt”. A ticket can never be closed as “Investigating”.
4) Ensure all other fields on the page are correctly marked. After all fields are properly marked and filled in, select the “Ready For Lead” option in the “Status” field. Once this has been completed, click “Save” and the ticket will be reviewed by the Team Lead.

85
Q

Create a PBI/PKE ticket.

A

For demonstration purposes – be able to create a PBI/PKE based off an internal NCDOC report (i.e. CER, CEL, IIR, etc.).

86
Q

Define the purpose and intended target audience for the CJCSM 6510.01 series

A

This manual describes the Department of Defense (DoD) Cyber Incident Handling Program and specifies its major processes, implementation requirements, and related U.S. government interactions. The manual also applies to the Joint Staff and to Combatant Commands, Services, Defense agencies, DoD field activities, and joint and combatant activities.

87
Q

Define the purpose and intended target audience for SECNAVINST 5239.19.

A

Establish Department of the Navy (DON) incident response policy consistent with reference (a) to align and integrate DON computer incident response and reporting requirements. This instruction applies to:
(1) All Commands, Components, and activities within the Department of the Navy.
(2) All DON owned, DON controlled, and DON-contractor owned information systems that receive, process, store, display, or transmit DOD information, regardless of mission assurance category, classification, or sensitivity.

88
Q

Define the purpose and intended target audience for DTG 231605Z MAY 18.

A

This document designates Navy Cyber Defense Operations Command as the Computer Network Service Provider for the Navy.

89
Q

List and define the Incident Handling Categories. Provide examples of each. Define which categories are incident and what categories are events.

A

a. Category 0: Training and Exercise (Incident/Event): Operations performed for training purposes and support for exercises.
b. Category 1: Root Level Intrusion (Incident): Unauthorized privileged access (administrative or root access) to an Information System (IS). Privileged access provides unrestricted access to the IS.
c. Category 2: User Level Intrusion (Incident): Unauthorized non-privileged access (user-level permissions) to an IS. Allows restricted access to the IS based on the privileges granted to the user.
d. Category 3: Unsuccessful Activity Attempt (Event): Deliberate attempts to gain unauthorized access to an IS that are defeated by normal defensive mechanisms. The attempt fails to gain access to the system (i.e., the attacker attempts valid or potentially valid username and password combinations) and the activity cannot be characterized as exploratory scanning. This category includes reporting of quarantined malicious code. Note: The above CAT 3 explanation does not cover the “run-of-the-mill” virus that is defeated/deleted by Anti-Virus (AV) software. “Run-of-the-mill” viruses that are defeated/deleted by AV software are not reportable events or incidents and should not be annotated in JIMS. (This note refers to the point of view of a ship having malware detected in real time, quarantined and deleted. These events do not have to be reported to NCDOC.) Note: This category will only be used when closing a ticket.
e. Category 4: Denial of Service (Incident): Activity that denies, degrades, or disrupts normal functionality of an IS or DoD information network.
f. Category 5: Non-Compliance Activity (Poor Security) (Event): Activity that potentially exposes ISs to increased risk as a result of the action or inaction of authorized users. This includes administrative and user actions such as failure to apply security patches, connections across security domains, installation of vulnerable applications, and other breaches of existing DoD policy. Reporting of these events is critical for the gathering of useful effects-based metrics for commanders.
g. Category 6: Reconnaissance (Event): Activity that seeks to gather information used to characterize ISs, applications, DoD information networks, and users that may be useful in formulating an attack. This includes activity such as mapping DoD information networks, IS devices and applications, interconnectivity, and their users or reporting structure. This activity does not directly result in a compromise.
h. Category 7: Malicious Logic (Incident): Installation of software designed and/or deployed by adversaries with malicious intentions for the purpose of gaining access to resources or information without the consent or knowledge of the user. This ONLY includes malicious code that DOES NOT provide remote interactive control of the compromised IS. Malicious code that has allowed interactive access should be categorized as Category 1 or Category 2 incidents, not Category 7.
i. Category 8: Investigating (Event): Events that are potentially malicious or anomalous activity deemed suspicious and warrant, or are undergoing, further review. No event will be closed out as a Category 8. Note: NCDOC will not open tickets as Category 8.
j. Category 9: Explained Anomaly (Event): Suspicious events that after further investigation are determined to be non-malicious activity and do not fit the criteria for any other categories. This includes events such as IS malfunctions and false alarms. When reporting these events, the reason for which it cannot be otherwise categorized must be clearly specified. Note: This category will only be used when closing a ticket.

90
Q

Define the purpose of the IM Trends cell. State the personnel that work in IM Trends.

A

Metric and Trending Analysis performs current, historical, and statistical trend and data analysis of cyber incidents and events to assist in identifying incident trends.

91
Q

State the correlation between ITSM and JIMS.

A

Fields in bold replicate to JIMS every 15 minutes.

92
Q

What is the minimum amount of information required to create an ITSM ticket?

A

Command (PLA), Date/time of Activity, Source and target IPs, Type of activity (Exploit)

93
Q

Pull an IAV Compliance Report from VRAM for percentages.

A
  1. Open browser and type in the address bar https://www.iava.navy.mil.
  2. Automatically logs into your account
  3. On the left-hand side click the link for IAVA Report
94
Q

State the purpose of VRAM and who is responsible for it

A

The purpose of VRAM is to monitor IAVM compliance for the US Navy based on vulnerability scans uploaded to the site. SPAWAR is responsible for maintaining the site, but NCDOC is responsible for tracking compliance.

95
Q

State where NCDOC obtains the information for their initial IAVA/B messages.

A

NCDOC obtains the information for IAVA/B messages from the site below. Select the current year; the IAVA/Bs are ordered by most recent IAVAs and then most recent IAVBs. https://www.cybercom.mil/J3/IAVM/default.aspx

96
Q

Locate IAVA/B messages in VRAM.

A

IAVA/B messages are located under the tab on the main page labeled “Cyber Directives” under the Workspace section
of the site. After selecting “Cyber Directives”, select “IAVs” under Directive Type.

97
Q

Find a primary Point of Contact (POC) in VRAM.

A

POCs for specific commands/PORs are located under the Administration section of the site, select either “System” or “Site” on the main page. After selecting either of these, search for the Command / Program of Record that you wish to find and select it. POCs are located in Box 6 (Site Users).

98
Q

State how the Navy tracks IAVM Compliance.

A

The Navy tracks compliance through an honor system called VRAM.

99
Q

How long does a Command or POR have to comply with an IAVA? IAVB

A

In VRAM, compliance dates are as follows:
IAVA – 21 Days
IAVB – 45 Days

100
Q

Describe how vulnerabilities are added in VRAM.

A

Vulnerabilities are added one of two ways:
1. SPAWAR uploads the regular series IAVA/Bs every Thursday and they are updated and transmitted by the NCDOC VAAP Team.
2. VAAP manually adds the 5000 series IAVAs when they are released via SAILOR 2.1.

101
Q

State how a command can become fully compliant in VRAM.

A

Realistically no command will be fully compliant in VRAM, but the possibility exists. A command becomes fully compliant by correctly patching every system for every IAV that applies to it, and uploading a scan to VRAM that reflects this.

102
Q

Define “SITE” and “SYSTEM” and explain the difference between them.

A

A “Site” is any Command or detachment that reports or can report in VRAM. A “System” is a Program of Record (POR). These are leased assets that are used by Sites

103
Q

Describe NCDOC’s responsibility in the reporting process starting from USCYBERCOM.

A

Pre-Coordination through compliance using DISA’s web based tool, VMS.

104
Q

List 3 websites on which you can review information for existing vulnerabilities

A

a. VRAM: https://vram.spawar.navy.(smil).mil
b. CYBERCOM IAVM: https://iavm.csd.disa.mil
c. SAILOR: https://sailor.nmci.navy.mil

105
Q

How are IAVA/Bs released?

A

IAVA/Bs are released by the VAAP team using the VRAM mass e-mail functionality.

106
Q

Demonstrate how to place a command in non-reporting status in VRAM.

A

Using the process earlier to access Command POCs, under Box 1 there is a drop-down menu labeled “Reporting
Status”. This is how the status is physically changed, but there must be a reason to change it. (eg. Complete cutover to
NMCI, disestablishment of the command, ISIC / Superior reporting on behalf of the command) Along with the reason,
there is a message (Covered under OPS-02-6-1, Appendix C, Enclosure 1) that outlines the message that must be sent
by the requesting command / their superior via Naval message traffic to properly document the change.

107
Q

Describe how commands can acknowledge vulnerabilities in VRAM.

A

Unless a command has a CA (Corporate Asset, meaning an owned asset such as NCDOC’s network), there is no need for them to acknowledge any vulnerability in VRAM. This is the responsibility of the Systems under VRAM. If the
command did need to acknowledge because they possess a CA, they would utilize the “Cyber Directives” tab, using the “IAVs” button. They would then double click on any IAVA/B that says “Action Required” and Acknowledge in the tab that opens from there.

108
Q

What is a mitigation plan and what are the two entities that have approving authority for them?

A

Mitigation plans are a plan submitted by the command in the event that the command is unable to patch their system in time for the delinquency date. These plans contain preventative actions (eg security doors, badge access, logical security like firewalls and ACLs, and whether the system is on SIPRnet or a completely separate network (not attached to the GIG)). They also include a future plan for the patching schedule and expected compliance dates. NCDOC has authority to approve any and all mitigation plans that fall on or below a 30 day window outside of the delinquency date, anything beyond that is the authority of the ODAA (Officer of Designated Approving Authority).

109
Q

State which form is required to be with any piece of evidence before it is accepted. Describe why it is important for this form to be included.

A

Detailed account of what the item is, who owns it, serial numbers, and any other amplifying information that goes along with it to include everyone who has handled it. Provides legal foothold for prosecution

110
Q

Describe the proper packing procedure for shipping SECRET hard drives or evidence

A

ONLY authorized carrier is USPS (DCS)—double-wrapped brown paper, two line address with no classification markings on the outer wrapper, only on the inner wrapper.

111
Q

State what imaging a device means in terms of media forensics

A

Forensic images are acquired with a software tool. A forensic image is an exact bit-for-bit physical copy of the media stored as a file and is not bootable, vice a clone, which is a bit-for-bit copy written to another drive and is a bootable form of evidence.

112
Q

State how the integrity of an image file is verified.

A

Hash-based verification ensures that a file has not been altered or corrupted by comparing the file’s hash value to a previously calculated value recorded at acquisition (MD5—Message Digest Algorithm 5, SHA-1—NSA Secure Hash Algorithm). Both MD5 and SHA-1 are vulnerable to collision attacks, so a second digest such as SHA-256 is commonly recorded alongside them.
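The verification described in this card and in card 120 (hashing), as an added example that is not part of the original flashcards: Python that hashes an acquired image in fixed-size chunks with several algorithms at once (so a multi-gigabyte image never has to be loaded whole), compares the digests with the values recorded at acquisition, and shows that a single flipped bit fails verification. The image bytes are constructed inside the block; a real image would be read from the .dd/.E01 file.

```python
"""Hash-based integrity verification of a forensic image (added example)."""
import hashlib
from typing import Dict, Iterable

# Constructed stand-in for an acquired image: 1 MiB of deterministic bytes.
# A real image would be streamed from the image file on disk instead.
SAMPLE_IMAGE = bytes(range(256)) * 4096  # 1,048,576 bytes

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_image(data: bytes, algorithms: Iterable[str] = ALGORITHMS,
               chunk_size: int = 64 * 1024) -> Dict[str, str]:
    """Return {algorithm: hex digest} for the image, hashing in chunks.
    Chunked hashing yields the same digest as hashing the whole buffer at once,
    but keeps memory use constant regardless of image size."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    view = memoryview(data)
    for offset in range(0, len(view), chunk_size):
        chunk = view[offset:offset + chunk_size]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(data: bytes, recorded: Dict[str, str]) -> Dict[str, bool]:
    """Compare freshly computed digests with those recorded at acquisition.
    Returns {algorithm: matched}. Every recorded algorithm is recomputed, so a
    collision against one algorithm alone is not enough to pass."""
    current = hash_image(data, algorithms=tuple(recorded))
    return {name: current[name] == recorded[name].lower() for name in recorded}


def all_match(results: Dict[str, bool]) -> bool:
    """True only if every recorded digest matched."""
    return bool(results) and all(results.values())


if __name__ == "__main__":
    acquisition_hashes = hash_image(SAMPLE_IMAGE)           # recorded when the image was taken
    print(verify_image(SAMPLE_IMAGE, acquisition_hashes))   # all True: working copy intact

    tampered = bytearray(SAMPLE_IMAGE)
    tampered[12345] ^= 0x01                                  # flip one bit
    print(verify_image(bytes(tampered), acquisition_hashes))  # all False: copy is not the evidence
```

The recorded digests belong on the chain-of-custody paperwork as well as in the image’s sidecar file, so a working copy can be re-verified against a value the analyst did not have the opportunity to change.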

113
Q

What four hardware devices and three software programs can be used to image media evidence?

A

a. Hardware:
-Falcon
-Talon
-Write Blocker
-Gizmo
b. Software:
-FTK Imager
-Helix
-Encase

114
Q

State the purpose of a write-blocker, and describe its role in conducting analysis on evidence mediums

A

Central requirement for sound forensic examination of digital evidence is that the original evidence must not be modified.

115
Q

List the following forms of memory from the most volatile to the least volatile and include the timeframe of volatility of each.

A

a. Registers, Peripheral Memory and Caches – nanoseconds
b. Main Memory – nanoseconds
c. Network State – milliseconds
d. Running processes – seconds
e. Disks – minutes
f. Floppy Disks and Backup Media – years
g. CD-ROMs and Printouts – decades

116
Q

Display knowledge of a host’s registry, to include the ‘Big Three’, with location.

A

a. HKEY_LOCAL_MACHINE\Security – hive file %SystemRoot%\System32\config\SECURITY
b. HKEY_LOCAL_MACHINE\Software – hive file %SystemRoot%\System32\config\SOFTWARE
c. HKEY_LOCAL_MACHINE\System – hive file %SystemRoot%\System32\config\SYSTEM

117
Q

Illustrate the difference between SCSI, IDE and SATA interface

A

a. IDE (PATA) – oldest; 40-pin rectangular connector (one pin keyed, so 39 present) plus a separate 4-pin Molex power plug; slowest data transmission
b. SCSI – parallel-style connector (50 or 68 pins); faster; typically used on servers
c. SATA – newest, in use since about 2002; two separate edge connectors, 7-pin data and 15-pin power; fastest data transmission of the three

118
Q

Show where a user’s internet browsing history is stored.

A

Inside the user’s profile folder. On Windows XP that is C:\Documents and Settings\<user>\ (Local Settings\Temporary Internet Files, Local Settings\History, Cookies); on Windows Vista and later it is C:\Users\<user>\AppData\ (Local\Microsoft\Windows\Temporary Internet Files and History for Internet Explorer). Other browsers keep their own profile folders under AppData.

119
Q

Discuss what virtual machines are and why they are important when conducting malware analysis.

A

A virtual machine is a software implementation of a computer that executes a complete operating system and applications on top of a hypervisor. Malware detonated inside a VM is contained by the hypervisor, isolating it from the analyst’s host, the larger network, and other systems, and the VM can be reverted to a clean snapshot between samples. The isolation is strong but not absolute: hypervisor escape vulnerabilities exist, and much malware checks for virtualization and changes its behavior when detected, so the VM’s network access should still be restricted.

120
Q

Explain what hashing is and its importance.

A

A hash algorithm is run against a file to produce a fixed-length digest; any change to the file, even a single bit, produces a different digest, so comparing digests verifies integrity. MD5 is used by NCDOC. MD5 is vulnerable to collision attacks, so recording a second hash such as SHA-256 alongside it is common practice.

121
Q

Describe Chain of Custody and its importance.

A

Chain of custody is the documented record of every person who has handled a piece of evidence, when, and for what purpose, from seizure through analysis. Without a proper chain of custody you cannot prove that the evidence has not been tampered with, and it may be inadmissible.

122
Q

Describe the difference between unallocated and slack space.

A

a. Unallocated – Space on the hard disk not currently assigned to any file. It potentially contains intact files (or fragments) that were created and then deleted; the data remains behind for discovery by forensics until it is overwritten.
b. Slack space – The file system allocates whole clusters, but a file does not necessarily use the entire fixed space allocated to it. The unused portion between the end of the file’s data and the end of its last cluster can still hold information from previous use of those sectors, long after deletions and rewrites.

123
Q

Describe the difference between wiping and formatting.

A

a. Format – rewrites the file system’s bookkeeping structures (e.g., the file allocation table or MFT); it does not erase the actual file contents, which remain recoverable.
b. Wiping (clearing or purging) – overwrites the media so that all files are sanitized and non-recoverable. Uses one or more overwrite passes.

124
Q

Describe the difference between imaging and cloning.

A

a. Image – bit-for-bit copy of the entire drive stored as a file (or set of files) on other media; not bootable, used as the working copy for analysis
b. Clone – bit-for-bit copy of the entire drive written directly onto another drive (bootable)

125
Q

Describe the difference between a sector and a cluster.

A

a. Sector – Smallest physical storage unit on the disk (traditionally 512 bytes; 4096 bytes on newer Advanced Format drives)
b. Cluster – Collection of multiple contiguous sectors; the smallest unit of space the file system allocates to a file, so space is reserved in whole clusters for data contents. *How data is stored

126
Q

Describe what Alternate Data Streams are and what risks are associated with them.

A

ADS – An NTFS feature that allows additional data to be forked into an existing file without affecting the file’s functionality, its reported size, or how it is displayed. Risk: malware or attacker tools can be hidden in a stream and are not shown by a normal directory listing or Explorer; they can be revealed with dir /R (Windows Vista and later), PowerShell Get-Item -Stream *, or forensic tools.

127
Q

Describe what “InPrivate” browsing is and how it affects forensics.

A

InPrivate is Internet Explorer’s private browsing mode: browsing history, temporary Internet files, form data, cookies, and saved usernames/passwords from the session are not retained on disk once the window is closed, keeping browsing private on shared or public terminals. It makes forensics more difficult because the usual browser artifacts are absent, although traces may survive in memory or the pagefile.

128
Q

Explain the difference between Encrypting File System (EFS) and BitLocker.

A

EFS – Encrypts individual files and folders on an NTFS volume with a per-user key; only the selected files/folders are affected. Available in Windows 2000 and later business editions, not XP only. BitLocker – Encrypts the entire volume that Windows and the data files reside on (optionally tied to a TPM); available from Windows Vista onward.

129
Q

Describe what cookies are and what purpose they serve.

A

Small pieces of data a web site stores in the browser and receives back on later requests. They track users’ activity on web sites, maintain logged-in sessions, and save preferences so pages load with the user’s settings.

130
Q

Describe digital certificates and how they are used

A

A digital certificate binds a public key to the identity of its owner (a person, device, or service) and is signed by a Certificate Authority so the binding can be trusted. The matching private key is used to sign data and to decrypt data encrypted to the public key.

131
Q

Explain the difference between software and hardware certificates

A
  1. Software – Public and private key pair stored in a file or software key store. Both keys can be moved or copied.
  2. Hardware – Private key is generated and held on the device (e.g., CAC/smart card) and NEVER leaves it, but the public certificate can be exported.

132
Q

Define what items need to be on a Chain of Custody form before evidence can be received by Media and Malware Analysis

A

For Media and Malware Analysis to take control of evidence, the Chain of Custody must contain the NCD, RFI, PLA, classification, serial number, number of drives, and make/model.

133
Q

Explain Data At Rest and its effect on media forensics

A

Data At Rest (DAR) is hardware encryption utility for hard drives. To be able to conduct media forensics the drive has to be imaged, decrypted and reimaged to create a readable working copy.

134
Q

Explain how to identify a complete file download within packet capture.

A

Within a packet capture the HTTP response carries a Content-Length header that indicates the expected size of the file. Once the file is carved out of the capture, check its actual size (e.g., ls -l or the file’s properties) and compare it to the expected size; if the sizes match, the download is complete. Also check the file type’s “magic numbers”: the header signature at the start of the file and, for many formats, the trailer that marks end of file (e.g., %%EOF for PDF, FF D9 for JPEG).
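The completeness check described above, as an added example that is not part of the original flashcards, in Python. Given the reassembled bytes of one HTTP response (the TCP stream as exported from Wireshark or carved from the PCAP), it compares the Content-Length header with the carved body, identifies the file type from its magic number, and checks for the type’s trailer where the format has one (PDF %%EOF, JPEG FF D9, ZIP end-of-central-directory record). The HTTP responses and file bodies are constructed inside the block. Responses sent with chunked transfer encoding carry no Content-Length; completeness there rests on the terminating zero-length chunk and on the trailer check.

```python
"""Judge whether a file carved from an HTTP response is complete (added example)."""
from typing import Dict, Optional, Tuple

# Magic numbers: (leading bytes, trailing bytes or None where the format has no trailer).
SIGNATURES: Dict[str, Tuple[bytes, Optional[bytes]]] = {
    "pdf":  (b"%PDF-", b"%%EOF"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "zip":  (b"PK\x03\x04", b"PK\x05\x06"),   # end-of-central-directory record signature
    "pe":   (b"MZ", None),                     # Windows executables have no trailer
}


def split_http_response(stream: bytes) -> Tuple[Dict[str, str], bytes]:
    """Separate the status line and headers from the body of one HTTP response."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker in stream")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:          # [0] is the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body


def identify(body: bytes) -> Optional[str]:
    """File type from the leading magic bytes, or None if unrecognised."""
    for kind, (magic, _trailer) in SIGNATURES.items():
        if body.startswith(magic):
            return kind
    return None


def has_trailer(kind: str, body: bytes) -> Optional[bool]:
    """True/False when the format has a recognisable trailer; None when it has none."""
    trailer = SIGNATURES[kind][1]
    if trailer is None:
        return None
    if kind == "zip":
        # EOCD record is 22 bytes plus an optional archive comment of up to 65535 bytes.
        return trailer in body[-(22 + 65535):]
    # %%EOF is normally followed by a line ending; FF D9 is the last two bytes of a JPEG.
    return body.rstrip(b"\r\n ").endswith(trailer)


def check_download(stream: bytes) -> Dict[str, object]:
    headers, body = split_http_response(stream)
    declared = headers.get("content-length")
    expected = int(declared) if declared is not None and declared.isdigit() else None
    kind = identify(body)
    length_ok = None if expected is None else len(body) == expected
    trailer_ok = has_trailer(kind, body) if kind else None
    checks = [c for c in (length_ok, trailer_ok) if c is not None]
    # Complete only if at least one check could be made and every check made passed.
    complete = bool(checks) and all(checks)
    return {"type": kind, "expected": expected, "actual": len(body),
            "length_ok": length_ok, "trailer_ok": trailer_ok, "complete": complete}


def http_response(body: bytes, content_type: str, content_length: Optional[int] = None) -> bytes:
    """Build a constructed HTTP/1.1 200 response around a body (test data, not captured)."""
    length = len(body) if content_length is None else content_length
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type.encode("ascii") +
            b"\r\nContent-Length: " + str(length).encode("ascii") + b"\r\n\r\n" + body)


# Constructed file bodies: a minimal PDF skeleton and a minimal JPEG framing.
PDF_BODY = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
JPEG_BODY = b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"\xff\xd9"

COMPLETE_PDF = http_response(PDF_BODY, "application/pdf")
TRUNCATED_PDF = COMPLETE_PDF[:-10]            # stream cut off mid-transfer

if __name__ == "__main__":
    print(check_download(COMPLETE_PDF))        # complete: True
    print(check_download(TRUNCATED_PDF))       # length and trailer both fail
```

A body longer than Content-Length is also flagged, since it usually means a second response was carved into the same file.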

135
Q

What four reports are published by Media and Malware Analysis and what are their target audiences?

A

The four reports published are:
a. Forensic Summary Report (FSR): target audience is NCDOC and the affected command if requested
b. Cyber Tactical Report (CTR): target audience is the Intelligence Community
c. Quick Look Report (QLR): target audience is the BWC/DCOWO and the affected command if requested
d. Network Activity Report (NAR): target audience is the Intelligence Community

136
Q

Define ECN and what it is used for.

A

Evidence Control Number (ECN) is the MMA internal tracking number for evidence.

137
Q

Explain mitigation statements found within the BLUF Recommendations/Directions portion of a malware RFI.

A

BLUF Recommendations/Directions include Return to Baseline, See Analyst Comments, and Awaiting Additional Information. Return to Baseline is recommended when a submitted malware sample has been identified as malicious and/or as unauthorized software. See Analyst Comments is recommended when the malware sample has produced network indicators that can be used in countermeasure signatures. Awaiting Additional Information is recommended when the sample calls out to domain(s) and warrants further investigation by network analysts, or when the sample did not contain enough information or was an incomplete download.

138
Q

Define the concepts of the following with regards to IDS.

A
  1. Host based vs. Network based
    a. Host based – software agent on the individual host; monitors that host’s logs, files, and processes
    b. Network based – sensor that monitors the traffic of all devices on a network segment
  2. Signature based vs. Anomaly based
    a. Signature based – compares packets against patterns of known malicious threats
    b. Anomaly based – compares traffic against a “normal” baseline and alerts on deviations
139
Q

Discuss the limitations of using a signature based IDS system.

A

Cannot detect zero-days or novel attacks; lag time between discovery of a threat and deployment of its signature; limited to the signatures already deployed, so minor variations of known attacks can evade detection.

140
Q

Discuss the limitations of using an anomaly based IDS system

A

Prone to false positives; accuracy depends entirely on the quality of the baseline, and malicious activity present while the baseline is learned becomes “normal”.

141
Q

Describe the following.

A

a. False Positive – Alert that fires on activity which turns out to be normal traffic
b. False Negative – Actual malicious activity that generated no alert

142
Q

State the difference between inline and span configurations.

A

a. Inline – sits directly in the traffic path and reads (and can filter or drop) all information on the network segment; if the device fails, traffic can stop
b. Span – receives a copy of all traffic via a switch SPAN (mirror) port; passive, cannot block, and if the device goes down traffic still flows. Hawkeye sensors are passive SPAN sensors.

143
Q

Explain the difference between IDS and IPS

A

a. IDS – detects, passive, does not block
b. IPS – prevents, active, host/network/wireless/network behavior based, blocks

144
Q

Explain the concept of “Defense in Depth”.

A

Defense in depth is the methodology of layering multiple independent security controls (network, host, application, data, and user) so that if one layer is bypassed the others still protect the system. It is summarized as protect locally, defend globally: as you move further down through the layers of security you progressively harden the system against vulnerabilities.

145
Q

Explain the function of an Intrusion Detection System and how its function differs from other network security devices.

A

An IDS inspects traffic content and behavior, compares it against signatures or a baseline, and alerts on suspected intrusions; it does not forward traffic or enforce policy. By contrast, switches forward frames based on MAC addresses, routers forward packets based on IP addresses, and firewalls permit or deny traffic based on policy rules.

146
Q

Explain what type of networks are contained within the following enclaves.

A

a. XNET –Legacy
b. IT21 – Ships
c. ONENET – Oversea Shore
d. BUMED – Medical Networks

147
Q

List the fleet NOCs and identify their geographic location

A

a. UARNOC – Atlantic (Norfolk)
b. PRNOC – Pacific Rim (Hawaii)
c. ECRNOC – Europe Central Region (Naples)
d. IORNOC – Indian Ocean Region (Bahrain)
e. JRNOC – Japanese Region (Yokosuka)

148
Q

Identify the Internet Registry associated with each of the following regions.

A

a. North America – ARIN
b. Europe (plus the Middle East and Central Asia) – RIPE NCC
c. Asia-Pacific – APNIC
d. Latin America and Caribbean – LACNIC
e. Africa – AFRINIC

149
Q

Given packet capture data (PCAP) identify and describe the structure of the IP header, including the following fields.

A

a. The IPv4 header is at least 20 bytes (five 32-bit words; the IHL field gives the actual length) and contains, in order: Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, TTL, Protocol, Header Checksum, Source IP, and Destination IP.
b. Source port and Destination port are not IP header fields; they are the first two 16-bit fields of the TCP or UDP header that immediately follows the IP header.
c. Data Field – the payload carried after the IP and transport headers; its length is Total Length minus the two header lengths.

150
Q

Describe the steps taken from when an event, such as malicious PDF file being detected is seen to when a CER is released

A

PDF Detected by IDS, IP Resolution, Alert Date/Time are annotated, Open-source research, Query system for sensor coverage, Netflow, Malware database, Request PCAP, Retrieve PCAP and perform forensic analysis, RFI complete, Add results to CER.

151
Q

List the steps that are taken for NCDOC to block an emerging spear phishing campaign.

A

Depends on situation. User training/awareness and/or callback IP or Domain added to block list.

152
Q

Describe the following:

A

a. Splunk: NCDOC SIEM
b. Hawkeye: NCDOC Tactical sensor (IDS).
c. Intrushield(McAfee)/Sourcefire: NCDOC IPS
d. JIRA: NCDOC report processing/tracking system.

153
Q

List and state the purpose of all report types generated by Current Intel (CI) Analysts.

A

a. OCM- Operations Collection Management in JIRA. Every Internal and External report is analyzed and processed into
b. CERs- Cyber Event Reports, outline events and incidents on Navy networks
c. NCD Tickets- Navy CIRT Database, created and submitted to Incident Handling for Incidents and actionable events on Navy networks, record messages are generated and commands are notified.

154
Q

Define and state the purpose of NTOC

A

Mission: To establish real-time global network awareness and threat characterization capabilities in order to forecast, alert, and attribute malicious activity and enable Computer Network Operations (CNO) in accordance with NSA/CSS authorities.

· Discover and report malicious behavior on networks of interest

· Monitor, characterize, and report network structures, changes, and configurations

· Analyze network intrusions and attribute activity to perpetrators

· Profile adversary computer network attacks and exploitations and assess threats

· Identify, enable and provide mitigation and response action options.

155
Q

List 10 types of reports/alerts listed on the NTOC website.

A

a. Advisory

b. CAR

c. Email

d. IAD

e. ICD

f. Malware

g. PKI

h. DNS

i. MAR

j. PAR

156
Q

How often is the NTOC webpage checked for reporting by Intel watch standers?

A

AT LEAST once per hour.

157
Q

List 6 external agencies or branches from which Intel receives tippers or email reports.

A

a. USTRANSCOM

b. DEFENSE SECURITY SERVICE

c. CENTCOM

d. EUCOM

e. SOCOM

f. DEFENSE CYBER CRIME CENTER (DC3)

g. NCIS

h. PENTCIRT

i. US CERT

j. AFRICOM

k. ARMY CYBER/ACERT

l. USCYBERCOM

m. FAA

n. DISA

o. GNSC

p. COLS-NA

q. DEPARTMENT OF STATE

r. DEPARTMENT OF HOMELAND SECURITY

s. 1ST IO INTSUM

t. AUSTRALIAN DEFENSE FORCE CYBER INCIDENT REPORT (ADFCIRT)

u. CANADIAN FORCES NETWORK OPERATIONS CENTRE (CFNOC)

v. OFFICE SECRETARY OF DEFENSE (OSD)

w. NSA THREAT OPERATIONS CENTER (NTOC)

158
Q

Define and state the purpose of a Cyber Alert (CA). Who directs a CA to be drafted?

A

A Cyber Alert will be issued to notify Navy commands of imminent or ongoing significant cyber threats with Navy-wide implications (several commands). Significant threats include but are not limited to:

a. Impending cyber-attacks against Navy/US govt networks.

b. Newly discovered adversary TTPs

c. Attacks targeting newly discovered or exploited vulnerabilities in Navy hardware, software or network components (zero-days).

159
Q

What system is used to process reports? Describe the process used when processing the reports.

A

JIRA is used for report processing/tracking.

Create an issue in JIRA and fill in the classification field, component (problem set), activity type, and activity summary. Record the Navy impact and the commands involved. The Intel analyst’s note field is the most important: be as detailed as possible about the indicators and the countermeasures submitted, including all numbers, the indicators run, and the actions taken, to cut down on rework of the report.

160
Q

Define the mission of N2 and how it supports the NCDOC mission.

A

Provide indications and warnings in support of NCDOC operations, and provide threat intelligence, staying “left of the boom”.

161
Q

Discuss the two watch cells maintained by N2 and what the watch is responsible for in each cell.

A

The two watch cells are Current Intel and Fusion Intel. Fusion manages high side reporting and external RFIs, current Intel performs similar activity on SIPR.

162
Q

What are the responsibilities of the Watch Lead?

A

a. Perform QC of Intelligence Watch products.

b. Receive pass down from the off going section.

c. Prepare brief slides.

d. Ensure proper training of UI watchstanders.

e. Ensure proper passing of information to the BWC and DCOWO.

163
Q

Explain the purpose of contacting C10F N2 watchstanders regularly during the shift.

A

C10F maintains OPCON over NCDOC. By staying in contact with the watchstanders, we can maintain situational awareness on new activity. Also, prior to the CUB and OPS brief, it gives NCDOC’s CO a heads-up on any significant incidents not found by our Intel watch.

164
Q

Describe the steps necessary to process a report.

A

Create an issue in JIRA and fill in the classification field, component (problem set), activity type, and activity summary. Record the Navy impact and the commands involved. The Intel analyst’s note field is the most important: be as detailed as possible about the indicators and the countermeasures submitted, including all numbers, the indicators run, and the actions taken, to cut down on rework of the report.

165
Q

Explain the purpose of an External RFI (XRFI). Detail why the justification is critical. Provide one example.

A

To garner additional information or to request supplemental information on indicators within a specific report.

Submit for indicators, IDENTs (unmasking identity), follow up information.

166
Q

Explain the types of data that is available on the NSAnet database.

A

The NSAnet database contains reporting information, indicators, and actions taken (similar to JIRA) that must be logged on NSAnet rather than SIPR because of their classification.

167
Q

What types of reports should be processed on the NSAnet database.

A

Any report that cannot be logged on SIPR/JIRA due to the classification.

168
Q

Define what the User Agent Search tool is used for and how it benefits the Intel Watch?

A

The User Agent search tool searches for specific HTTP User-Agent strings, found in the HTTP request headers within PCAP. If malware uses a specific User-Agent (NOT a generic one such as a stock Firefox, Chrome, or IE string), that string can be quickly searched across the IDSs.

169
Q

Define what Email Header Search is used for and how it benefits the Intel Watch.

A

This tool can search specific header information such as sender, recipient, subject, attachment/file name of specific emails. It is highly useful in detecting email phishing campaigns on Navy networks.

170
Q

Define and describe the purpose of JIRA as an analyst tool.

A

JIRA is used for SIPR report processing. It allows analysts to track what reports have been completed, and document the indicators present and actions taken. This also allows for longer term analysis on adversary reporting, or for specific indicators.

171
Q

Identify the current available data sources in JIRA.

A

The most common data sources in JIRA are CERs (Intel watch and Network Forensics), OCMs (Intel), and CRC (Countermeasure request Control).

172
Q

Identify some of the benefits and limitations of using JIRA for analysis.

A

a. The benefits: long term analysis is possible, DCOWOs/BWCs can track analysts’ workflow, integration of watchfloor workflow (except IH NCDs).

b. Limitations: learning curve, JIRA can be overly complex for simple reports, can be difficult to search for specific items due to removal of SQL search capability (specific searches require highly technical JIRA experience)

173
Q

Define and describe the purpose of Splunk as an analyst tool.

A

Splunk can quickly and easily search several data sources across multiple databases.

174
Q

Identify the current available data sources in Splunk.

A

a. NIDS
b. Hawkeye: DNS, IPC, UserAgent, PKI, Portstats, Wolverine
c. NAVMED
d. Sentinel: HBSS, NMCI SIPR HBSS, Snort
e. Sourcefire
f. Strategic ACL

175
Q

Identify some of the benefits and limitations of using Splunk for analysis.

A

Benefit: very easy to learn to use, searches can be very broad or very specific and still return results quickly.
Limits: Splunk isn’t real-time, it refreshes data periodically. The largest lag is seen with Hawkeye data. Difficult to see same-day activity.

176
Q

Discuss the mission of OSRD in support of the Navy Cyber Defense Operations Command (NCDOC) and its partners.

A

Conducts advanced internet-based research for DCO Indications & Warnings (I&W) in direct support of defense for Navy networks.

177
Q

Where do OSR tasks originate from?

A

OSR Tasking can originate from anywhere, but primarily comes from the watch floor

178
Q

Who are the customers of the OSRD?

A

OSR customers are primarily NCDOC, C10F, FCC, and the U.S. Coast Guard.

179
Q

Individually, describe what Internal and External Advisories are and who authorizes distribution outside of NCDOC.

A

a. Internal advisories are information that is beneficial to implementation of countermeasures at NCDOC, or for awareness of emerging threats.

b. External advisories are written on emerging threats that have a wide range of impact to the Fleet and other branches of the military. Release of external advisories is authorized by the N2 Department head, Deputy or a designated representative.

180
Q

Explain why the OSR workstations do not have a hard drive.

A

OSR workstations do not have a hard drive so that any malware picked up while navigating to malicious domains has no persistent storage to infect; a reboot returns the workstation to a clean state.

181
Q

Explain what the OSRD OS is

A

The OSRD operating system is a customized version of Ubuntu designed to run out of RAM.

182
Q

Explain what a non-attributable system is.

A

A non-attributable system is a computer that is unable to be tracked back to its source

183
Q

Define the concepts of the following with regards to the McAfee NSM.

A

a. UDS – User Defined Signature (Signatures created by Countermeasures Personnel)

b. Vendor signature – (VDS) Signatures that are created and applied from the vendor (McAfee/Sourcefire)

c. Snort – another way to create signatures in the Manager. See limitations below.

184
Q

Discuss the limitations of McAfee’s implementation of Snort signatures.

A

a. NSM provides limited Snort rule capability. IP and port variables are not available, and some PCREs will completely break the managers and/or sensors.

185
Q

Discuss what must be included when submitting a PCAP pull RFI.

A

a. IPs, Ports, timeframe, sensor that covers traffic.

186
Q

Explain the procedures for Sentinel filter development:

A

a. Put in request for permanent filter.

b. For personal use, use Boolean logic with different variables to develop filter.

187
Q

Define the concepts of the following with regards to testing custom Snort signatures against PCAP.

A

a. /home/ncdoc/scripts/snortreport: Provides a method to run custom snort rules against a timeframe of packet capture files on a sensor.

  1. Includes files:

I. Snortreport.pl – perl script used to run custom rules.

II. Focused_default.conf – config for the snort report instance of snort.

III. Classification.config – allows alerts to be classified and prioritized.

IV. Focused.rules – rules to be tested.

b. /home/ncdoc/dev/test_rules: Provides a method to test snort rules against user-provided PCAP.

  1. Includes files:

I. snort.conf – config for the testing instance of snort

II. classification.config – classifies and prioritizes alerts

III. test.rules – rules to be tested.

188
Q

Discuss the requirements for placing an IDS signature into SIGTEST.

A

a. Add the signature to both the ncdoc.rules and ncdoc-new.rules files and save them in P:\OperationsDirectorate\TANF\SCOUT\Hawkeye_Tactical_Sensors\Hawkeye_Admin\scripts\global_defaults\. Change the “LAST UPDATE OCCURRED ON” line to your initials and the date.

b. Send an e-mail to the IPS and CM distros before pushing out the signatures.

c. Log in to the Hawkeye (IDS) Manager and complete the signature addition:

  1. Open an SSH client (Tunnelier). Set the Host field to nhawkeye and the Port field to 22, and sign in with your personal account and password.
  2. Switch to the NCDOC account: su ncdoc, then enter the NCDOC password.
  3. For SIGTEST only: open /home/ncdoc/manage/evt2pcap_v2.4.pl in vi and add the signature’s SID to the pipe-separated list on the line beginning with “my $SIGSID_IGNORE”. Save and close the file. This suppresses PCAP capture for that SID while it is under test; wait a minimum of 24 hours, then undo this change.
  4. Secure FTP the ncdoc.rules file to /tmp on the Hawkeye IDS Manager: drag and drop the file from its location in “Local Files” (P:\Operations Directorate\TANF\SCOUT\Hawkeye_Tactical_Sensors\Hawkeye_Admin\scripts\global_defaults) to the /tmp folder in “Remote Files”. If the file already exists, delete the existing copy in /tmp from the command prompt first, then transfer the new one.
  5. Switch to the NCDOC account at the command prompt: su - ncdoc
  6. Change ownership of the rules file: sudo chown ncdoc:ncdoc /tmp/ncdoc.rules
  7. cd to /home/ncdoc/manage and run the update script for the current Snort version:
     python update_snort_rules.py --parallel --up --sensor all --osversion 5
     The script populates sid-msg.map from the rules file, tests ncdoc.rules and sid-msg.map for validity, moves them into /home/ncdoc/scripts/global_defaults, SCPs both files to each sensor, and updates the running rules configuration: it copies the updated rules and map files to the /etc/snort/external directory that is up, changes the file ownership, and restarts the running instances of Snort and barnyard2.
  8. Repeat for the new version of Snort. Use the SFTP client to transfer the ncdoc-new.rules file to /tmp on the manager, rename it (sudo mv /tmp/ncdoc-new.rules /tmp/ncdoc.rules), change its ownership (sudo chown ncdoc:ncdoc /tmp/ncdoc.rules), verify you are in /home/ncdoc/manage, and run the same script with the new OS version:
     python update_snort_rules.py --parallel --up --sensor all --osversion 6
  9. After completing the update, monitor the sensor status page for “DOWN” IDS feeds.
  10. If you applied a SIGTEST signature, go back after 24 hours and remove the SID from /home/ncdoc/manage/evt2pcap_v2.4.pl on the manager to re-enable PCAP capture.
189
Q

Discuss how frequently an IP Block or DNS Black Hole Update Message is released.

A

Every Thursday.

190
Q

Discuss what must be done when processing an IP/domain name unblock request.

A

Check with intel to see if the IP or domain is still in use, and check whether the IP/domain has been blocked recently and for valid reasoning. Verify the domain no longer poses a threat to Navy networks.

191
Q

Identify the primary managers of the IP/DNS Block List.

A

Mrs. Zita Beck

192
Q

Discuss what must be done if a block/unblock request is denied.

A

Document appropriate reasoning as to why.

193
Q

Discuss what must be done before making any changes to the strategic sensor grid.

A

Documentation. Export the signature set to the appropriate file directory, then send an email to the IPS team requesting permission to push the signature set. Wait for a response from the IPS team, and notify the BWC of the push about to occur so he/she can send an email out to the NOCs. As soon as you receive the email from the IPS team granting permission, and the BWC has sent out the email to the NOCs, you can push the new signature set.

194
Q

Explain how to verify that a signature on the strategic sensor grid is set to block.

A

Pull up the NSM. Select the Policy tab. Select “IPS Policies” on the left-hand side. Then select “Default Inline IPS” in the center of the screen and click “View/Edit”. The Policy Editor will pop up, where you can search for the specific signature. If a shield is displayed in the “Responses” tab, the signature is set to block.

195
Q

Outline the procedures for using the ‘configuration update’ tab after creating new signature on the strategic sensor grid.

A

Obsolete.

196
Q

Discuss when access to Wolverine/Email Header Search is authorized, as well as the procedures for granting this access.

A

As soon as you qualify in Countermeasures you are allowed access to Wolverine. You will be granted admin privileges in Hawkeye, where you can edit and add users. There, you can select a user and give them permissions to Wolverine.

197
Q

Discuss what must be done when the Hawkeye Sensor Status page reflects that an IDS is down.

A

a. The only thing CM personnel are permitted to do is restart the IDS.

b. The following are the steps for that process.

c. Log in to the Hawkeye Manager

d. SSH into the appropriate sensor

e. Search for a running instance of snort and barnyard:

ps -elf | grep snort

f. If either is not running, run the following script to update the rules configuration (this will also restart snort and barnyard):

sudo ./scripts/snort_update.sh

g. Search again for running instances of snort and barnyard.

h. If still down, search the /var/log/messages file for rule errors:

sudo grep -i fatal /var/log/messages

i. Correct lines with errors if any are found.

j. Document all work.