Ch 14, 15, 17, 18 Flashcards

1
Q

Your log shows that the Notepad process on a workstation running as the local administrator
account has started an unknown process on an application server running as the SYSTEM account.
What type of attack(s) are represented in this intrusion event?

A

The Notepad process has been compromised, probably by a buffer overflow or a DLL/process injection attack that let the attacker run code under the local administrator account. The threat actor has then performed lateral movement and privilege escalation, gaining SYSTEM-level privileges through remote code execution on the application server.

2
Q

You are providing security advice and training to a customer’s technical team. One asks how they can identify when a buffer overflow occurs.

A

Real-time detection of a buffer overflow is difficult and is typically only achieved by security monitoring software (antivirus, endpoint detection and response, or user and entity behavior analytics) or by observing the host closely within a sandbox. An unsuccessful attempt is likely to crash the process with an error message or crash dump (an access violation, or an abort if the binary was built with stack protection).
If the attempt is successful, the process is likely to show anomalous behavior, such as starting another process, opening network connections, or writing to AutoRun keys in the registry. These indicators can be recorded using logging and system monitoring tools.

3
Q

What is the effect of a memory leak?

A

A process claims memory locations but never releases them, reducing the amount of memory available to other processes. This will damage performance, could prevent other processes from starting, and if left unchecked could crash the OS.

4
Q

How can DLL injection be exploited to hide the presence of malware?

A

Various OS system functions allow one process to manipulate another and force it to load a dynamic link library (DLL). This means that the malware code can be migrated from one process to another, evading detection.

5
Q

Other than endpoint protection software, what resource can provide indicators of pass the hash attacks?

A

These attacks are revealed by use of certain modes of NTLM authentication within the security (audit) log of the source and target hosts, typically a successful logon (event ID 4624) with logon type 3 (network) and NTLM as the authentication package rather than Kerberos. These indicators can be prone to false positives, however, as many services use NTLM authentication legitimately.
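The detection logic described above, as an added example that is not part of the flashcard set. The events are constructed to mirror the fields of Windows Security event 4624; the scoring rule (network logon, NTLM package, NtLmSsp logon process, zero key length, not ANONYMOUS LOGON) is a common analyst heuristic and is an assumption here, not a vendor rule, and it will still need tuning against legitimate NTLM traffic.

```python
"""Flag NTLM network logons that look like pass-the-hash in a batch of
constructed 4624 events, then count them per (account, source IP)."""
from collections import defaultdict

# Constructed sample: five 4624 events as field dictionaries.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "KeyLength": 0, "TargetUserName": "admin",
     "TargetDomainName": "CORP", "WorkstationName": "WS01", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LogonProcessName": "Kerberos", "KeyLength": 0, "TargetUserName": "alice",
     "TargetDomainName": "CORP", "WorkstationName": "WS02", "IpAddress": "10.0.0.6"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "KeyLength": 128, "TargetUserName": "svc_backup",
     "TargetDomainName": "CORP", "WorkstationName": "BK01", "IpAddress": "10.0.0.7"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "KeyLength": 0, "TargetUserName": "ANONYMOUS LOGON",
     "TargetDomainName": "NT AUTHORITY", "WorkstationName": "-", "IpAddress": "10.0.0.9"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "KeyLength": 0, "TargetUserName": "admin",
     "TargetDomainName": "CORP", "WorkstationName": "WS01", "IpAddress": "10.0.0.5"},
]


def is_suspicious_ntlm_logon(ev):
    """Assumed heuristic: a 4624 network logon via NTLM/NtLmSsp with no
    negotiated session key, excluding the noisy ANONYMOUS LOGON account."""
    if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
        return False
    if ev.get("AuthenticationPackageName") != "NTLM":
        return False
    if ev.get("LogonProcessName") != "NtLmSsp":
        return False
    if ev.get("KeyLength", 0) != 0:
        return False
    if ev.get("TargetUserName", "").upper() == "ANONYMOUS LOGON":
        return False
    return True


def ntlm_logon_summary(events):
    """Count suspicious logons per (DOMAIN\\user, source IP) to rank for triage."""
    counts = defaultdict(int)
    for ev in events:
        if is_suspicious_ntlm_logon(ev):
            account = f"{ev['TargetDomainName']}\\{ev['TargetUserName']}"
            counts[(account, ev["IpAddress"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (account, ip), n in ntlm_logon_summary(SAMPLE_EVENTS).items():
        print(f"{n} suspicious NTLM logon(s) for {account} from {ip}")
```

Correlating the same account and source IP across many target hosts in a short window is what separates a pass-the-hash lateral-movement pattern from a single legitimate NTLM fallback.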

6
Q

You are reviewing access logs on a web server and notice repeated requests for URLs containing the
strings %3C and %3E. Is this an event that should be investigated further, and why?

A

Those strings are the percent encoding of the HTML tag delimiters (< and >). A URL parameter carrying tag delimiters is a classic sign of an attempt to inject a script (XSS), so the event should be investigated, including checking whether the decoded payload contains script tags or event-handler attributes and whether the server returned 200.
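An added example (not from the flashcards) of the triage just described: percent-decode the request path from access log lines, including double-encoded payloads, and flag requests that contain tag delimiters or script markers. The four log lines are constructed in combined-log format.

```python
"""Scan constructed web-server access log lines for percent-encoded
HTML tag delimiters (%3C / %3E) and XSS markers after decoding."""
import re
from urllib.parse import unquote

ACCESS_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /products?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:13:56:30 +0000] "GET /docs/a%3Cb.pdf HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Combined log format: client, identity, user, [time], "METHOD path PROTO", status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers that only become visible once the path is decoded to what the app sees.
XSS_MARKERS = re.compile(
    r"<\s*/?\s*script|<\s*\w+[^>]*\bon\w+\s*=|javascript:", re.IGNORECASE
)


def fully_decode(path, max_rounds=3):
    """Undo repeated percent-encoding; attackers double-encode to dodge filters."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def analyse_line(line):
    """Return a finding for requests carrying tag delimiters, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    decoded = fully_decode(m.group("path"))
    if "<" not in decoded and ">" not in decoded:
        return None
    severity = "high" if XSS_MARKERS.search(decoded) else "low"
    return {"ip": m.group("ip"), "status": m.group("status"),
            "decoded": decoded, "severity": severity}


def scan_log(text):
    """Run analyse_line over every line and keep only the findings."""
    return [f for f in (analyse_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(ACCESS_LOG):
        print(f"[{f['severity']}] {f['ip']} {f['status']} {f['decoded']}")
```

The third line shows why decoding must be repeated: `%253C` is `%3C` encoded once more, which a single-pass filter would miss. The file name in the fourth line contains a bare `<` with no script syntax, so it is reported at low severity rather than discarded.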

7
Q

You have been asked to monitor baseline API usage so that a rate limiter value can be set. What is
the purpose of this?

A

A rate limiter mitigates denial of service (DoS) attacks on the API, where a malicious entity generates millions of spurious requests to crowd out legitimate ones. You need to establish a baseline of normal per-client request rates so that the limit can be set high enough not to block legitimate users but low enough to cap a flood, ensuring continued availability.
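An added example (not part of the flashcards) of the baseline-then-limit process: measure each client's busiest minute over a constructed request history, derive a limit from it, and enforce it with a token bucket. The rule for choosing the limit (95th percentile of per-client peaks times a 1.5 headroom factor) is an assumption for illustration.

```python
"""Derive an API rate limit from baseline usage and enforce it per client."""
from collections import defaultdict

# Constructed baseline: five normal clients, each requesting every 3..7 seconds
# for ten minutes. Timestamps are seconds.
BASELINE = [(f"c{i}", float(t)) for i in range(5) for t in range(0, 600, 3 + i)]


def baseline_rate_per_client(requests, window=60):
    """Map client -> highest request count seen in any `window`-second bucket."""
    buckets = defaultdict(lambda: defaultdict(int))
    for client, ts in requests:
        buckets[client][int(ts // window)] += 1
    return {c: max(b.values()) for c, b in buckets.items()}


def choose_limit(peaks, headroom=1.5):
    """Assumed rule: 95th percentile of per-client peaks times a headroom factor."""
    values = sorted(peaks.values())
    p95 = values[min(len(values) - 1, int(0.95 * len(values)))]
    return max(1, int(p95 * headroom))


class TokenBucket:
    """Allow `capacity` requests per `window` seconds per client. Tokens refill
    continuously, so short bursts pass but a sustained flood is throttled."""

    def __init__(self, capacity, window):
        self.capacity = capacity
        self.rate = capacity / window   # tokens per second
        self.state = {}                 # client -> (tokens, last_seen)

    def allow(self, client, now):
        tokens, last = self.state.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.state[client] = (tokens - 1, now)
            return True
        self.state[client] = (tokens, now)
        return False


def simulate(limiter, client, timestamps):
    """Replay request times through the limiter; return how many were allowed."""
    return sum(limiter.allow(client, t) for t in timestamps)


if __name__ == "__main__":
    peaks = baseline_rate_per_client(BASELINE)
    limit = choose_limit(peaks)
    print("per-client peaks:", peaks, "-> limit per minute:", limit)
    limiter = TokenBucket(limit, 60)
    normal = simulate(limiter, "c0", [t for t in range(0, 600, 3)])
    flood = simulate(limiter, "bot", [i * 0.1 for i in range(100)])
    print(f"normal client allowed {normal}/200, flood allowed {flood}/100")
```

The limit sits well above every observed peak, so nobody in the baseline is ever throttled, while a client sending ten requests a second drains its bucket after the first burst and is then held to the refill rate.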

8
Q

How does a replay attack work in the context of session hijacking?

A

The attacker captures data that was used to log on or start a session legitimately, such as a session cookie or an authentication token. The attacker then resends the captured data to the server to resume or re-establish the session as the victim, without ever needing the victim's password.

9
Q

How does a clickjacking attack work?

A

The attacker inserts an invisible layer (typically a transparent frame) over or into a trusted web page so that it intercepts or redirects input without the user realizing. The user is tricked into clicking a page element that is invisible or disguised as another element, so the click lands on a control the attacker chose.

10
Q

What is a persistent (stored) XSS attack?

A

Where the attacker inserts malicious code into the back-end (server-side) database used to serve content to the trusted site.

The injected script is stored permanently on the target servers. The victim then retrieves this malicious script from the server when the browser sends a request for data.

11
Q

How might an attacker exploit a web application to perform a shell injection attack (aka OS command injection)?

A

The attacker needs to find a vulnerable input method, such as a form control or URL or script parser, that will
allow the execution of OS shell commands.

12
Q

You are improving back-end database security to ensure that requests deriving from front-end web servers are authenticated. What general class of attack is this designed to mitigate?

A

Server-side request forgery (SSRF) causes a public server to make an arbitrary request to a back-end server. This is made much harder if the threat actor has to defeat an authentication or authorization mechanism between the web server and the database server.

13
Q

What type of programming practice defends against injection-style attacks, such as inserting SQL commands into a database application from a site search form?

A

Input validation provides some mitigation against this type of input being passed to an application via a user form, for example by allow-listing the characters and length a search term may have.

The specific defense for SQL injection is a parameterized query (prepared statement), so that the user's input is passed to the database as data and can never be interpreted as SQL syntax.

Output encoding adds a further layer for a different sink: replacing HTML control characters (<, >, ", &, and so on) with their encoded equivalents before the input is echoed back to the browser, which stops the same untrusted string from being interpreted as markup.

14
Q

What coding practice provides specific mitigation against XSS?

A

Output encoding ensures that strings are made safe for the context they are being passed to, such as when a JavaScript variable provides output to render as HTML. Safe means that the string cannot introduce unauthorized syntax elements, such as script tags, because the characters that delimit them are encoded for that context (HTML body, attribute, JavaScript, URL, and so on).
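An added example (not from the flashcards) covering the two preceding cards together: the same search form handled against a constructed in-memory SQLite table with string-built SQL (injectable), with a parameterized query (safe), with allow-list input validation, and with HTML output encoding of the echoed term for the XSS side. The table, rows, and payload are constructed for the demonstration.

```python
"""SQL injection versus parameterized query, plus output encoding for XSS."""
import html
import sqlite3


def make_db():
    """Constructed product table; the row with secret=1 must never be listed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, secret INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 0), (2, "gadget", 0), (3, "internal-prototype", 1)],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """Deliberately injectable: the user's term is spliced into the SQL text."""
    sql = f"SELECT name FROM products WHERE secret = 0 AND name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """Safe: the driver sends the term as a bound value, never as SQL syntax."""
    sql = "SELECT name FROM products WHERE secret = 0 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


def validate_term(term, max_len=40):
    """Allow-list input validation for a product search: letters, digits,
    space and hyphen only, bounded length. Raises ValueError otherwise."""
    if not 0 < len(term) <= max_len:
        raise ValueError("bad length")
    if not all(ch.isalnum() or ch in " -" for ch in term):
        raise ValueError("disallowed character")
    return term


def render_results(term, names):
    """Output encoding: escape for the HTML body context before echoing."""
    items = "".join(f"<li>{html.escape(n)}</li>" for n in names)
    return f"<p>Results for {html.escape(term)}</p><ul>{items}</ul>"


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable:   ", search_vulnerable(conn, payload))
    print("parameterized:", search_parameterized(conn, payload))
    try:
        validate_term(payload)
    except ValueError as exc:
        print("validation rejected payload:", exc)
    print(render_results("<script>alert(1)</script>", search_parameterized(conn, "get")))
```

With the string-built query the payload turns the WHERE clause into `secret = 0 AND name LIKE '%' OR 1=1`, so the secret row leaks; the parameterized version searches for the literal text and returns nothing. Validation and encoding are layered on top, not substitutes: validation narrows what reaches the query, and encoding protects the browser when the term is reflected.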

15
Q

You are discussing execution and validation security for DOM scripting with the web team. A junior team member wants to know if this relates to client-side or server-side code. What is your response?

A

The document object model (DOM) is the means by which a script (JavaScript) can change the way a page is rendered. As this change is rendered by the browser, it is client-side code.

16
Q

Which response header provides protection against SSL (downgrade) stripping attacks?

A

HTTP Strict Transport Security (HSTS), sent as the Strict-Transport-Security response header. It instructs the browser to connect to the site only over HTTPS for the stated max-age, so a later attempt to downgrade the connection to plain HTTP is refused by the client.

17
Q

What vulnerabilities might default error messages reveal?

A

A default error message might reveal platform information and the workings of the code to an attacker.

18
Q

What is an SDK and how does it affect secure development?

A

A software development kit (SDK) contains tools and code examples released by a vendor to make developing applications within a particular environment (framework, programming language, OS, and so on) easier. Any element in the SDK could contain vulnerabilities that could then be transferred to the developer’s code or application.

19
Q

What type of dynamic testing tool would you use to check input validation on a web form?

A

A fuzzer can be used to submit known unsafe strings and randomized input to test whether they are made safe by input validation or not.

20
Q

Which tools can you use to restrict the use of PowerShell on Windows 10 clients?

A

There are various group policy-based mechanisms, such as AppLocker script rules, but for Windows 10 the Windows Defender Application Control (WDAC) framework provides the most powerful toolset for execution control policies. When a WDAC policy is enforced, PowerShell also drops into Constrained Language Mode for scripts the policy does not allow, which blocks the .NET and COM access that offensive tooling relies on.

21
Q

What is secure staging?

A

Creating secure development environments for the different phases of a software development project (initial development server, test/integration server, staging [user test] server, production server).

22
Q

What feature is essential for managing code iterations within the provisioning and deprovisioning
processes?

A

Version control is an identification and tracking system for each iteration of a software product, so that every change can be attributed, reviewed, and rolled back.

23
Q

Which life cycle process manages continuous release of code to the production environment?

A

Continuous deployment.

24
Q

How does a specially configured compiler inhibit attacks through software diversity?

A

The compiler can apply obfuscation routines to make the code difficult for a threat actor to reverse engineer and analyze for vulnerabilities

25
Q

Describe some key considerations that should be made when hosting data or systems via a cloud
solutions provider.

A

Integrate auditing and monitoring procedures and systems with on-premises detection, identify responsibility for implementing security controls (such as patching or backup), identify performance metrics in an SLA, and assess risks to privacy and confidentiality from breaches at the service provider.

26
Q

True or false? The account with which you register for the CSP services is not an account with root
privileges.

A

False—this account is the root account and has full privileges. It should not be used for day-to-day administration or configuration.

27
Q

Which security attribute is ensured by monitoring API latency and correcting any problems quickly?

A

This ensures the availability of services.

28
Q

What format is often used to write permissions statements for cloud resource policies?

A

JavaScript Object Notation (JSON).

29
Q

What feature allows you to filter traffic arriving at an instance?

A

This is accomplished by assigning the instance to a security group with the relevant policy configured.

30
Q

What is a cloud access security broker (CASB)?

A

Enterprise management software mediating access to cloud services by users to enforce information and access policies and audit usage.

31
Q

A company has been using a custom-developed client-server application for customer management,
accessed from remote sites over a VPN. Rapid overseas growth has led to numerous complaints from employees that the system suffers many outages and cannot cope with the increased number of users and access by client devices such as smartphones. What type of architecture could produce a solution that is more scalable?

A

Microservices is a suitable architecture for replacing monolithic client-server applications that do not meet
the needs of geographically diverse, mobile workforces. By breaking the application up into microservice components and hosting these in cloud containers, performance can scale to demand. Web-based APIs are better suited to browser-based access on different device types.

32
Q

You have been asked to produce a summary of pros and cons for the products Chef and Puppet.
What type of virtualization or cloud computing technology do these support?

A

These are configuration management and orchestration tools. Orchestration facilitates "automation of automation," ensuring that scripts and API calls are made in the right order and at the right time to support an overall workflow.

33
Q

True or false? Serverless means running computer code on embedded systems.

A

False. With serverless, the provision of functions running in containers is abstracted from the underlying server hardware. The point is that as a consumer, you do not perform any server management. The servers are still present, but they are operated and maintained by the cloud service provider.

34
Q

A company’s web services are suffering performance issues because updates keep failing to run on certain systems. What type of architecture could address this issue?

A

Infrastructure as Code (IaC) means that provisioning is performed entirely from standard scripts and
configuration data. The absence of manual configuration adjustments or ad hoc scripts to change settings is designed to eliminate configuration drift so that updates run consistently between the development and production environments

35
Q

What is SDV?

A

Software-defined visibility (SDV) gives API-based access to network infrastructure and hosts so that configuration and state data can be reported in near real-time. This facilitates greater automation in models and technologies such as zero trust, inspection of east/west data center traffic, and use of security orchestration and automated response (SOAR) tools.

36
Q

What are the six phases of the incident response life cycle?

A

Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned

37
Q

True or false? It is important to publish all security alerts to all members of staff.

A

False. Security alerts should be sent to those able to deal with them at a given level of security awareness and on a need-to-know basis.

38
Q

You are providing security consultancy to assist a company with improving incident response
procedures. The business manager wants to know why an out-of-band contact mechanism for
responders is necessary. What do you say?

A

The response team needs a secure channel to communicate over without alerting the threat actor. There may also be availability issues with the main communication network, if it has been affected by the incident.

39
Q

Which attack framework provides descriptions of specific TTPs?

A

MITRE’s ATT&CK framework.

40
Q

Your consultancy includes a training segment. What type of incident response exercise will best represent a practical incident handling scenario?

A

A simulation exercise creates an actual intrusion scenario, with a red team performing the intrusion and a blue team attempting to identify, contain, and eradicate it.

41
Q

True or false? The “first responder” is whoever first reports an incident to the CIRT.

A

False. The first responder is the member of the CIRT who handles the report, not the person who reports it.

42
Q

You need to correlate intrusion detection data with web server log files. What component must you
deploy to collect IDS alerts in a SIEM?

A

You need to deploy a sensor to send network packet captures or intrusion detection alerts to the SIEM.

43
Q

Which software tool is most appropriate for forwarding Windows event logs to a Syslog-compatible server?

A

NXLog is designed as a multi-platform logging system and can collect Windows event logs and forward them in syslog format.

44
Q

A technician is seeing high volumes of 403 Forbidden errors in a log. What type of network appliance
or server is producing these logs?

A

403 Forbidden is an HTTP status code, so most likely a web server. Another possibility is a web proxy or gateway.

45
Q

What type of data source(s) would you look for evidence of a suspicious MTA in?

A

A Message Transfer Agent (MTA) is an SMTP server. You might inspect an SMTP log or the Internet header metadata of an email message.

46
Q

You are supporting a SIEM deployment at a customer’s location. The customer wants to know whether flow records can be ingested. What type of data source is a flow record?

A

Flow records are generated by NetFlow or IP Flow Information Export (IPFIX) probes. A flow is the set of packets sharing a particular combination of keys (source and destination IP addresses, source and destination ports, and protocol); the flow record summarizes that flow (packet and byte counts, start and end times, TCP flags) rather than carrying packet contents, so it is a compact metadata source rather than a packet capture.
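An added example (not from the flashcards) of what a flow exporter produces: a constructed packet list is aggregated into flow records keyed the way NetFlow/IPFIX does, and the records are then used for a detection a packet capture would make far noisier, spotting a SYN scan from many one-packet flows. The packets and the idle-timeout value are constructed for the demonstration.

```python
"""Aggregate packets into NetFlow-style flow records and use them for detection."""
from dataclasses import dataclass, field


@dataclass
class Flow:
    """One flow record: the 5-tuple key plus counters and observed TCP flags."""
    key: tuple               # (src_ip, dst_ip, src_port, dst_port, proto)
    packets: int = 0
    octets: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0
    tcp_flags: set = field(default_factory=set)


# Constructed packets: (ts, src, dst, sport, dport, proto, size, tcp_flags).
# One HTTPS exchange in both directions, then a 20-port SYN scan.
PACKETS = [
    (0.00, "10.0.0.5", "203.0.113.10", 51000, 443, "tcp", 60, "S"),
    (0.01, "203.0.113.10", "10.0.0.5", 443, 51000, "tcp", 60, "SA"),
    (0.02, "10.0.0.5", "203.0.113.10", 51000, 443, "tcp", 52, "A"),
    (0.03, "10.0.0.5", "203.0.113.10", 51000, 443, "tcp", 517, "PA"),
    (0.05, "203.0.113.10", "10.0.0.5", 443, 51000, "tcp", 1400, "PA"),
    (0.06, "203.0.113.10", "10.0.0.5", 443, 51000, "tcp", 1400, "PA"),
    (0.07, "10.0.0.5", "203.0.113.10", 51000, 443, "tcp", 52, "FA"),
] + [
    (1.0 + i * 0.001, "198.51.100.7", "10.0.0.5", 40000 + i, 20 + i, "tcp", 60, "S")
    for i in range(20)
]


def build_flows(packets, idle_timeout=60.0):
    """Group packets by 5-tuple; a flow idle longer than the timeout is
    exported and a new record started, as a real probe would do."""
    active, finished = {}, []
    for ts, src, dst, sport, dport, proto, size, flags in sorted(packets, key=lambda p: p[0]):
        key = (src, dst, sport, dport, proto)
        flow = active.get(key)
        if flow is not None and ts - flow.last_seen > idle_timeout:
            finished.append(active.pop(key))
            flow = None
        if flow is None:
            flow = active[key] = Flow(key, first_seen=ts, last_seen=ts)
        flow.packets += 1
        flow.octets += size
        flow.last_seen = ts
        flow.tcp_flags.update(flags)
    return finished + list(active.values())


def syn_scan_sources(flows, min_ports=10):
    """Sources with many single-packet SYN-only flows to distinct ports."""
    targets = {}
    for f in flows:
        src, dst, _, dport, proto = f.key
        if proto == "tcp" and f.packets == 1 and f.tcp_flags == {"S"}:
            targets.setdefault(src, set()).add((dst, dport))
    return {src: len(ports) for src, ports in targets.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    for f in flows[:3]:
        print(f.key, f.packets, "pkts", f.octets, "bytes", sorted(f.tcp_flags))
    print(f"{len(flows)} flow records from {len(PACKETS)} packets")
    print("SYN scan sources:", syn_scan_sources(flows))
```

Twenty-seven packets collapse into 22 records, and the scan stands out as twenty flows from one source that each carry a single SYN and never progress, which is exactly the kind of question a SIEM can answer from flow data without storing payloads.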

47
Q

What low-level networking feature will facilitate a segmentation-based approach to containing
intrusion events?

A

Network segmentation is primarily achieved by virtual LANs (VLANs). A VLAN can be isolated from the rest of the network.

48
Q

What configuration change could you make to prevent misuse of a developer account?

A

Disable the account.

49
Q

Following a loss of critical IP exfiltrated from the local network to a public cloud storage network, you decide to implement a type of outbound filtering system. Which technology is most suitable for implementing the filter?

A

This task is suited to data loss prevention (DLP), which can block the transfer of tagged content over unauthorized channels.

50
Q

A threat actor gained access to a remote network over a VPN. Later, you discover footage of
the user of the hacked account being covertly filmed while typing their password. What type of endpoint security solution might have prevented this breach?

A

A mobile device management (MDM) suite can prevent use of the camera function of a smartphone.

51
Q

True or false? SOAR is intended to provide wholly automated incident response solutions.

A

False. Incident response is too complex to be wholly automated. SOAR assists by providing runbooks, which orchestrate the sequence of response steps and automate parts of them, but it still requires decision-making from a human responder.

52
Q

You are investigating a client workstation that has not obtained updates to its endpoint protection software for days. On the workstation you discover thousands of executable files with random names. The local endpoint log reveals that all of them have been scanned and identified as malware.
You can find no evidence of any further intrusion on the network. What is the likely motive of the threat actor?

A

This could be an offline tainted data attack against the endpoint software's identification engine: the threat actor feeds it thousands of samples so that its detection model or definitions are skewed, rather than attempting an intrusion at this stage.