Chapter 2: Analyzing the Results of Reconnaissance Flashcards

1
Q

Which of the following data sources would offer the least diverse, most precise kind
of information?

A. Syslogs
B. Firewalls logs
C. Packet captures
D. Nmap results

A

D is correct. Nmap results are particularly focused as port scans and only contain the
information asked for, depending on the command-line switches the operator uses.

A, B, and C are incorrect. A is incorrect because syslogs can include a very wide variety of events, such as an application faulting, a security event, or something pertaining to the system itself. B is incorrect because firewall logs are also more diverse than nmap results. Although only related to traffic-related events, the logs are quite a diverse mix. C is incorrect because the traffic seen on any network can be wide ranging.

2
Q
What device combines the functionality of a traditional firewall and an IPS?
A. Next-Generation Firewall
B. DSN firewall
C. Enterprise firewall
D. Discovery firewall
A

A is correct. Next-Generation Firewall combines a traditional firewall with intrusion
detection and prevention.

B, C, and D are incorrect. There are no such devices as a DSN firewall, enterprise firewall, and discovery firewall.

3
Q
Which of the following are the two types of approaches to analyzing data?
A. Compare and contrast
B. Correlation
C. Patterned
D. Point-in-time
A

B and D are correct. Point-in-time analysis describes examining data around a snapshot in time, whereas correlation analysis focuses on anomalies or changes over time, whether you’re searching for abnormal behavior, some outlier, or a trend.

A and C are incorrect. A is incorrect because “compare and contrast” is not the term coined for such analysis. Although you could say it describes one type of analysis,
it wouldn’t include all aspects of correlation analysis. C is incorrect for similar reasons. “Patterned” analysis is not the term used to describe a standard approach for analyzing data.

4
Q
In an IP packet header, what field value is decremented with each interface the packet goes through?
A. Fragment offset
B. ToS
C. TTL
D. IHL
A

C is correct. TTL stands for Time To Live, the value set for how many hops a packet has to go through before ending and expiring. The starting value for TTL varies based on operating system, but the more popular OSs use a value of either 255
or 128.

A, B, and D are incorrect. A is incorrect because the fragment offset facilitates breaking up a packet into smaller, individually transmitted units. B is incorrect because the Type of Service field helps set a priority for or quality to the packet.
D is incorrect because the Internet Header Length value just denotes the length of the header.

5
Q
Which of the following is an example of point-in-time analysis?
A. Anomaly analysis
B. Behavioral analysis
C. Availability analysis
D. Traffic analysis
A

D is correct. Traffic analysis is an example of point-in-time analysis.

A, B, and C are incorrect. These are all forms of correlation analysis.

6
Q

Recently, a few users have been complaining that their workstations are exhibiting some strange behavior. However, you find no obvious events showing up in system logs, and the application logs show nothing out of the ordinary. You suspect the issue could be new malware and decide to delve deeper.

You inspect logs from multiple sources. Your hope is to find some odd behavior. What type of analysis are you performing now?
A. Trend
B. Heuristics
C. Packet capture
D. Spatial trend
A

B is correct. The scenario portrays a new, unknown behavior. From that, you know
you cannot rely on known threats. This will require heuristics analysis.

A, C, and D are incorrect. A is incorrect because careful trend analysis might only show effects of the malware, but won’t disclose the malware itself. C is incorrect because packet capture analysis is helpful after you know what you’re looking for, but searching for anomalies in a packet capture is looking for the proverbial “needle in a haystack.” D is incorrect because spatial trend analysis deals with correlating between different geographical areas.

7
Q

Recently, a few users have been complaining that their workstations are exhibiting some strange behavior. However, you find no obvious events showing up in system logs, and the application logs show nothing out of the ordinary. You suspect the issue could be new malware and decide to delve deeper.

Based on your assumptions, how will you likely discover the malware?
A. The packet trace will reveal a port famous for malware.
B. The IDS log will show a matched signature.
C. Your experience will guide your analysis.
D. The long-term degradation in availability.

A

C is correct. Heuristic analysis can’t rely on a signature or known behavior. Instead,
experience best guides your analysis.

A, B, and D are incorrect. A and B are incorrect because the answer suggests a known signature (famous malware port or an IDS signature). D is incorrect because although trend analysis might possibly point out symptomatic differences, it will not discover and identify the malware.

8
Q

Recently, a few users have been complaining that their workstations are exhibiting some strange behavior. However, you find no obvious events showing up in system logs, and the application logs show nothing out of the ordinary. You suspect the issue could be new malware and decide to delve deeper.

Select the most valuable data sources in this analysis. (Choose two.)
A. IDS/IPS
B. Router logs
C. Security logs of affected servers
D. Next-Generation Firewall
A

A and D are correct. The intrusion detection/prevention system very likely logged information relevant for your analysis. Similarly, the firewall might show if or when malicious traffic passed through to the affected systems.

B and C are incorrect. The router log is unlikely to reveal any information specific to the suspected malware. The security logs of affected systems might yield valuable information. However, if the system is compromised, you cannot trust its logs as complete or accurate.

9
Q

Recently, a few users have been complaining that their workstations are exhibiting some strange behavior. However, you find no obvious events showing up in system logs, and the application logs show nothing out of the ordinary. You suspect the issue could be new malware and decide to delve deeper.

Which of the following would be the most valued SIEM tool in this scenario?
A. Bro
B. Snort
C. Splunk
D. ELK

A

A is correct. Bro is both signature- and anomaly-based. Bro will watch sessions, monitoring for strange behavior. Bro is also able to extract executables from network traffic, retaining them for forensic analysis.

B, C, and D are incorrect. B is incorrect because Snort as an IDS would be signature-based, and as such not likely to catch the new malware. C is incorrect because although Splunk is incredible as a SIEM, it wouldn’t necessarily be the tool able to discover and identify new malware. D is incorrect because ELK is a package of three open source tools (Elasticsearch, Logstash, and Kibana), which together operate similarly to the commercial product Splunk.

10
Q

Your company has used Splunk over many years, during a large growth in infrastructure. Lately, network engineers are complaining that Splunk requires a significant share of the network bandwidth. What might be the best course of action to resolve the network issue?
A. Eliminate the “noisy” SIEM.
B. Make use of heavy forwarders to index data at the source.
C. Have the network engineer run a separate path for the Splunk data.
D. Make the indexers fault tolerant.

A

B is correct. Splunk normally sends raw data onto the universal forwarder to be indexed. Using heavy forwarders instead at each source can accomplish preprocessing, before the event data is forwarded.

A, C, and D are incorrect. A is incorrect because eliminating the SIEM causes much more harm to the company’s ability to monitor security information. C is incorrect because running a separate network path is far more work than necessary. D is incorrect because fault tolerance is not a solution to the problem of heavy network usage.

11
Q

Given an IP address, a security analyst seeks to identify and locate a system. Comparing Figures 2-1 and 2-2, select the most relevant difference between the two scans.
A. The system represented in Figure 2-1 has several unknown services listening on dynamic ports.
B. The system represented in Figure 2-2 is behind a firewall.
C. The system represented in Figure 2-1 is behind a firewall.
D. The scan shown in Figure 2-1 positively identifies the OS.

A

C is correct. Figure 2-1 shows a system that’s likely behind a firewall. This is determined by noticing that the ports are reported as “filtered,” as compared to “closed” in Figure 2-2.

A, B, and D are incorrect. A is incorrect because the additional ports reported
in the dynamic range (49152 to 65535) are likely not services that are listening.
B is incorrect because Figure 2-2 reports closed ports. If the system were behind a firewall, the ports would be reported as filtered. D is incorrect because neither scan conclusively identifies the operating system.

12
Q
Which of the following is not a valid Event Log category in Windows desktop systems?
A. Application
B. System
C. Security
D. Storage
E. Audit
A

D is correct. Storage is not an actual Event Log category.

A, B, C, and E are incorrect. All of these answers—Application, System, Security, and
Audit—are valid Event Log categories.

13
Q
You are viewing the Event Log and you list the warnings from a Windows 10 machine. Referring to Figure 2-3, select the log category from which the warning came, as well as the Event ID and the machine name.
A. Security, 1014, DNS Client
B. Security, 1014, XERXES
C. System, 268435456, XERXES
D. System, 1014, XERXES
A

D is correct. The log name is shown as System, with an event ID of 1014. Also, the
system name is shown as COMPUTER: XERXES.

A, B, and C are incorrect. A and B are incorrect because they have the wrong log category. Additionally, A has an incorrect system name. C is incorrect because it shows a numeric string from Keywords, which is not the same as the event ID (1014).

14
Q
An analyst has launched nmap to scan an unknown machine. From the ports shown in Figure 2-4, what can the analyst assume is the operating system?
A. Linux
B. Windows
C. Ubuntu
D. OpenVMS
E. Cisco IOS
A

B is correct. The scanned system is Windows. The revealing evidence is the
discovered TCP ports 135 and 139.

A, C, D, and E are incorrect. Those operating systems would not show TCP ports 135 and 139 as open.

15
Q
A cybersecurity analyst scans the network for servers with TCP port 636 open. What other port can the analyst expect to find open on each of those servers?
A. 22
B. 111
C. 53
D. 389
E. 5000
A

D is correct. Port 636 is open for LDAP over SSL (LDAPS). Any server that has port 636 listening very likely also has LDAP listening on port 389.

A, B, C, and E are incorrect. A is incorrect because port 22 is typically for SSH. B is incorrect because port 111 is for MSRPC (Microsoft Remote Procedure Call). C is incorrect because port 53 is for DNS. Lastly, E is incorrect because port 5000 could be for several services, but nothing specifically associated with port 636.

16
Q

What tool presents a graphical user interface for nmap?
A. Nessus
B. Zenmap
C. TShark
D. Qualys

A

B is correct. Zenmap is the GUI version of nmap.

A, C, and D are incorrect. A is incorrect because although Nessus is a GUI tool, it’s a vulnerability scanner, not a port scanner. C is incorrect because TShark is the CLI version of Wireshark. Lastly, D is incorrect because Qualys is a GUI vulnerability scanner.

17
Q
An analyst is having trouble viewing the logs of a Cisco ASA firewall. What should the analyst type at the command line to verify what logging is enabled?
A. # show running-config logging
B. # log full show
C. # log show all
D. # show run all logging
A

A is correct. The command show running-config logging is the proper one to start with, in order to continue with a specific command for logging onto a Cisco ASA firewall.

B, C, and D are incorrect. None of these commands is the correct one.

18
Q

After running tcpdump, an analyst reviews the output, which includes the following line:
16:35:39.834754 > badguy.org.1289 > target.net.8008: FP 2921:4105(1184) ack 1 win 32120 (DF)
What does the “FP” represent?
A. Final Packet
B. First Packet
C. Fin Push
D. Forward Packet

A

C is correct. The “F” stands for Fin, and the “P” for Push. The words Fin and Push
denote what TCP flags were set (for example, Fin, Push, Urg, Syn, Reset, or Ack).

A, B, and D are incorrect. The “P” in FP does not stand for “Packet.”

19
Q

The director of technology has decided that the company requires an IDS. As the senior security analyst, you recommend Snort. The director requests that you flag any SSH request traffic coming from a known competitor’s network. Examine the following rules and select the one that alerts if traffic originates from the network at 12.34.56.x/24 and is destined for the company’s own web server (IP address 210.67.79.89).
A. alert tcp 210.67.78.89 -> 12.34.56.0/24 80
B. alert tcp 12.34.56.0 24 -> 210.67.79.89 21
C. alert tcp 210.67.78.89 80 -> 12.34.56.0/24 any
D. alert tcp 12.34.56.0 24 -> 210.67.79.89 22

A

D is correct. The Snort rule correctly alerts if an SSH request (over 22/TCP) comes
from the network 12.34.56.0/24 to the company web server at 210.67.79.89.

A, B, and C are incorrect. A is incorrect because the Snort rule has the source and destination addresses reversed and is monitoring port 80 (HTTP), when the question stated SSH traffic. B is incorrect because the Snort rule is monitoring for port 21 (FTP). C is incorrect because the Snort rule has the source and destination addresses reversed and is monitoring for traffic going to all TCP ports, not just port 22.

20
Q

Users inform a security analyst that network performance is poor. The security analyst takes a quick look at a packet capture to determine if anything is obvious. Based on Figure 2-5, what should be the security analyst’s first impression?

A. ARP storm
B. DDoS
C. DoS
D. Broadcast storm

A

A is correct. The displayed packet list reveals a barrage of ARP packets. The ARP protocol resolves the hardware or MAC address to an IP address. ARP storms can be caused by malicious tools or by misconfigured network connections (for example, a bridging loop).

B, C, and D are incorrect. B and C are incorrect because there is not enough evidence to believe that that many ARP packets were intended maliciously. Additionally, there are more effective ways to disrupt service than with an ARP storm. D is incorrect because although ARP is a protocol restricted to a broadcast domain, the more correct answer is ARP storm.

21
Q

What would be an appropriate tool for analyzing bandwidth consumption on the network?
A. Wireshark
B. TShark
C. NetFlow
D. IDS

A

C is correct. NetFlow Analyzer shows network bandwidth consumption, along with other metrics concerning the network utilization and health.

A, B, and D are incorrect. A and B are packet analyzers and would illustrate the volume of packets in great detail, but would not give much insight on bandwidth consumption versus capacity. D is incorrect because an intrusion detection system gives very little information about the network’s bandwidth, with the exception of an ongoing denial of service (DoS) attack.

22
Q

Which of the following are key challenges to analyzing wireless networks? (Choose all that apply.)
A. High confidence in the hardware addresses of wireless devices
B. Recognizing what devices are authorized
C. Having an inventory of all WAPs
D. Determining whether the network is in ad-hoc or infrastructure mode

A

A and B are correct. A is correct because the hardware or MAC addresses of wireless devices are fairly simple to modify. Most operating systems provide this ability without requiring special software. B is correct because wireless devices are so commonplace that the number of connected devices changes constantly—especially in an environment with a bring-your-own-device (BYOD) policy.

C and D are incorrect. C is incorrect because having an inventory of the company’s wireless access points (WAPs) should be fairly simple. It’s assumed that the company installed the access points, so having that baseline is far more straightforward than having a comprehensive list of all wireless devices connected to the WAPs. D is incorrect because the administrator will (or should) know how the wireless network is set up.