Chapter 4 - Operations and Incident Response Flashcards

1
Q

tracert (Windows)

A

Determines the route a packet takes to a destination by mapping the route
Time to Live (TTL) is counted in hops

2
Q

traceroute (POSIX)

A

Determines the route a packet takes to a destination by mapping the route
Time to Live (TTL) is counted in hops

3
Q

nslookup

A

Look up information from DNS servers
Examples: canonical names, IP addresses, cache timers, etc.
Deprecated - use dig instead

4
Q

dig

A

Look up information from DNS servers
Provides more advanced domain information - use instead of nslookup
Examples: canonical names, IP addresses, cache timers, etc.

5
Q

ipconfig

A

Displays all current Windows TCP/IP network configuration values and refreshes Dynamic Host Configuration Protocol and Domain Name System settings

6
Q

ifconfig

A

View and change the configuration of the network interfaces on a Linux system

7
Q

Network Mapper (nmap)

A

Find and learn more about network devices by doing port scans, operating system scans, service scans, and running additional scripts

8
Q

ping

A

Tests reachability and can determine the round-trip time
Uses Internet Control Message Protocol (ICMP)
Primary troubleshooting tool

9
Q

pathping

A

Combines ping and traceroute and is divided into two phases
Phase 1: runs a traceroute to build a map
Phase 2: Measures the round-trip time and packet loss at each hop

10
Q

hping

A

Open-source packet generator and analyzer for the TCP/IP protocol
Used for security auditing and testing of firewalls and networks

11
Q

Network Statistics (netstat)

A

Displays network status and protocol statistics; available in many different operating systems

12
Q

IP Scanners

A

Search the network for IP addresses - locate active devices and avoid doing work on an IP address that isn't there

13
Q

Address Resolution Protocol (arp)

A

Determines a MAC address based on an IP address
Need the hardware address to communicate

14
Q

arp -a

A

View the local ARP table

15
Q

route

A

View a device's routing table to find out which way packets will go

16
Q

Client URL (curl)

A

Retrieves data from a URL: web pages, FTP, email, databases, etc.
Grab the raw data for searching, parsing, and automation

17
Q

theHarvester

A

Gathers OSINT by scraping information from different web pages such as Google and Bing
Examples: list of people from LinkedIn, a list of email contacts, etc.

18
Q

sn1per

A

Combines many recon tools into a single framework
Examples: dnsenum, metasploit, nmap, theHarvester, etc.

19
Q

scanless

A

Run port scans from a different host through a port scan proxy

20
Q

dnsenum

A

View host information (names) from DNS servers

21
Q

Nessus

A

Industry-leading vulnerability scanner
Identifies known vulnerabilities before they can be exploited
Can provide a checklist of issues and filter out false positives

22
Q

Cuckoo

A

A sandbox for testing a suspicious file (malware) in a safe environment
Can track and trace API calls, capture network traffic, and perform memory analysis

23
Q

netstat -a

A

Show all active connections

24
Q

netstat -b

A

Show binaries

25
netstat -n
Do not resolve names
26
netcat
"Read" and "write" to the network
Can open a port and send or receive some traffic
Listen on a port number, transfer data, scan ports, and send data to a port
Can become a back door and run a shell from a remote device
27
head
View the first part of a file (the head or beginning)
head [OPTION]... [FILE]...
Can use -n to specify the number of lines
head -n 5 syslog - first 5 lines of the file
28
tail
View the last part of a file (the tail or end)
tail [OPTION]... [FILE]...
Can use -n to specify the number of lines
tail -n 5 syslog - last 5 lines of the file
29
Concatenate (cat)
Link together in a series
Copy a file or files to the screen - cat file1.txt file2.txt
Copy a file or files to another file - cat file1.txt file2.txt > both.txt
30
grep
Find text in a file - can search through many files at a time
grep PATTERN [FILE]
31
Change Mode (chmod)
Change the mode (permissions) of a file system object - r: read, w: write, x: execute
Set for the file owner, group, or others - u: owner, g: group, o: others, a: all
See slide
32
logger
Add entries to the system log (syslog)
logger "This information is added to syslog"
Useful for including information in a local or remote syslog file
33
Secure Shell (SSH)
Encrypted console communication - tcp/22
34
Windows PowerShell
Command line for system administrators
.ps1 file extension
35
Python
General-purpose scripting language
.py file extension
36
OpenSSL
A toolkit and crypto library for SSL/TLS
Create and manage X.509 certificates
Message digests
Encryption and decryption
37
Tcpreplay
A suite of replay utilities
Test security devices
Test and tune IP Flow/NetFlow devices
Evaluate the performance of security devices
38
Tcpdump
Capture packets from the command line; can display packets and write them to a file
39
Wireshark
Analyze packets by viewing traffic patterns, identifying unknown traffic, and verifying packet filtering and security controls
Gather frames on the network
40
dd
Used to create disk images and destroy data by overwriting the contents of a file or a disk
41
Memdump
Copy information in system memory to the standard output stream
Can be copied to another host across the network
42
WinHex
A universal hexadecimal editor for Windows 10 that can edit disks, files, and RAM
43
FTK Imager
Allows you to perform memory capture or registry capture on a live device, to recover passwords or other data stored in memory on the active device
44
Autopsy
Allows you to perform digital forensics on hard drives and smartphones by viewing and recovering data from storage devices
45
Exploitation Frameworks
A pre-built toolkit used to exploit known vulnerabilities; more tools (modules) can be added as new vulnerabilities are found
Example: Metasploit
46
Password Crackers
Finding passwords either online or offline by brute forcing a hash file
47
Data Sanitization
Completely removing data making sure no data can be recovered and no useable information remains
48
Incident Response Lifecycle
Preparation
Detection and analysis
Containment, eradication, and recovery
Post-incident activity
49
Incident Response Process: Preparation
Make sure to have good communication, updated software and hardware, incident analysis resources, incident mitigation software, and the policies needed to handle an incident
50
Incident Response Process: Identification
There can be many precursors to an incident as well as indicators - an attack attempt, antivirus identifying malware, a configuration change, traffic flows deviating from the norm
51
Incident Response Process: Containment/ Isolation
Can use sandboxes to isolate an OS and help you run the malware to analyze it
52
Incident Response Process: Eradication
Cannot wait - remove the threat and restore affected systems to their previous state as quickly as possible, ideally while minimizing data loss
53
Incident Response Process: Recovery
Restore backups, rebuild from scratch, replace compromised files, and tighten down the perimeter/ security
54
Incident Response Process: Lessons Learned
Learn what happened and improve on it for next time
Have a meeting as soon as possible
55
Tabletop Exercise
The logistics of a disaster can be determined through analysis with an organization's key players, so you do not physically have to go through a disaster
56
Walkthrough Exercises
Testing processes and procedures before an event by walking through each step, involving all the groups, and referring to actual response materials
57
Simulation Exercises
Test with an actual simulated event
58
MITRE ATT&CK
A guideline for classifying and describing cyberattacks and intrusions
59
The Diamond Model of Intrusion Analysis
An adversary deploys a capability over some infrastructure against a victim - used when an intrusion occurs
Defines an event as the central element necessary for four key aspects of malicious activity to occur
Adversary, victim, infrastructure, and capability
60
Cyber Kill Chain
A military concept applied to the seven phases of a cyber attack
Reconnaissance, weaponization, delivery, exploit, installation, command and control, and actions on objectives
61
Stakeholder Management
Keeping a good ongoing relationship with the customers of IT
Exercises for future disasters should involve customers and communication
62
Communication Plan
Get your contact list together so everyone is in the loop during a disaster
Corporate, internal non-IT, and external contacts
63
Disaster Recovery Plan
A comprehensive plan that is made and initiated after a disaster takes place
Keeps the organization up and running
64
Business Continuity Plan
A comprehensive plan that is made and initiated during a disaster
65
Continuity of Operations Planning (COOP)
Alternative ways to keep the business up and running after a disaster that disrupts the organization from operating normally
Examples: paper receipts, manual transactions, phone calls
66
Incident Response Team
A specialized group that is trained and tested to deal with any type of organizational emergency
IT security management, compliance officers, technical staff, and the user community
67
Retention Policies
How long a business needs to keep a piece of information (record), where it's stored, and how to dispose of the record when it's time
68
Vulnerability Scan Output
The process of discovering, analyzing, and reporting on security flaws and vulnerabilities
Lack of security controls, misconfigurations, and real vulnerabilities
69
False Positives
A vulnerability is identified that doesn't really exist
70
False Negatives
A vulnerability exists, but you didn't detect it
71
SIEM - Sensors
Operating systems, infrastructure devices
72
SIEM - Sensitivity
Easy to be overwhelmed with data, some of which is unnecessary
Informational, warning, urgent
73
SIEM - Trends
Identify changes over time
Easily view constant attack metrics
74
SIEM - Alerts
Real-time information
Identify a security event
75
SIEM - Correlation
Link diverse data types
View data in different ways
76
Network Log Files
Physical network devices: switches, routers, APs, VPNs
Network changes: routing updates, authentication issues
77
System Log Files
Operating system information and may also include security events
78
Application Log Files
Specific to the application
Windows, Linux, macOS
79
Security Log Files
Detailed security-related events: traffic flows, exploit attempts
Security devices: IPS, firewall
80
Web Log Files
Web server access and access errors
Exploit attempts
Server activity
81
DNS Log Files
DNS queries and requests to servers
82
Authentication Log Files
Know who logged in and correlate with other events like file transfers
83
Dump Files
A snapshot that shows the process that was executing and modules that were loaded for an app at a point in time
84
VoIP and Call Managers Logs
View inbound and outbound call information
85
Session Initiation Protocol (SIP) Traffic Logs
Call setup and management
Inbound and outbound calls
Alert on unusual numbers or country codes
86
syslog
Standard for message logging
Diverse systems create a consolidated log
87
rsyslog
Rocket-fast System for log processing
88
syslog-ng
A popular syslog daemon with additional filtering and storage options
89
journalctl
Provides a method for querying and displaying the system logs that were stored in a binary format
90
NXLog
Collection from many diverse log types
91
Bandwidth Monitors
Shows the percentage of network use over time
92
Metadata
Data that describes other data sources
93
Metadata - Email
Header details, sending servers, destination address
94
Metadata - Mobile
Type of phone, GPS location
95
Metadata - Web
Operating system, browser type, IP address
96
Metadata - File
Name, address, phone number, title
97
NetFlow
Gathering traffic statistics from all traffic flows/packets
Shared communication between devices
98
Sampled Flow (sFlow)
Designed to perform flow-export by random sampling of packets and time-based sampling of network interfaces, and not by considering every packet
99
IP Flow Information Export (IPFIX)
Newer NetFlow-based standard
Templates used to describe data
100
Protocol Analyzer Output
Solves complex application issues by viewing detailed traffic information - helps identify unknown traffic, verify packet filtering and security controls, and view a plain-language description of application data
101
Endpoint Security
The end user device
Recognize and react to any malicious activity
102
Application Approved List
Application does not run or execute on device/ endpoint unless it's approved
103
Application Blocklist/ Deny List
List of applications that cannot be run on endpoint/ device
104
Quarantine
If an application is not on an allow or deny list - system can place application into a safe area where no applications are allowed to run until further investigated
105
Firewall Rules
Managing application flows and blocking dangerous applications
106
Mobile Device Management
Enabling or disabling phone and tablet functionality regardless of physical location
107
Data Loss Prevention
Block transfer of personally identifiable information (PII) or sensitive data
Examples: credit card numbers, social security numbers, etc.
108
Content Filter/ URL Filter
Limit access to untrusted websites and block known malicious sites
Large blocklists are used to share suspicious URLs
109
Update or Revoke Certificates
Manage device certificates to verify trust
Revoking a certificate effectively removes access
110
Isolation
Isolate compromised device from everything else in order to prevent the spread of malicious software
111
Containment
Limit interaction with the host operating system and other applications by running each application in its own sandbox
112
Segmentation
Separate the network to prevent unauthorized movement and limit the scope of a breach
113
Security Orchestration, Automation, and Response (SOAR)
Integrate third party tools and data sources to make the security teams more effective
114
Runbooks
A linear checklist or a step-by-step approach to automation
Examples: reset a password, create a website certificate, back up application data
115
Playbooks
Conditional steps to follow; a broad process
Examples: investigate a data breach, recover from ransomware
116
Documentation/ Evidence - Legal Hold
A legal technique to preserve relevant information
Often stored in a separate repository for electronically stored information (ESI)
117
Documentation/ Evidence - Video
A moving record of the event that gathers information external to the computer and network
118
Documentation/ Evidence - Admissibility
Not all data can be used in a court of law
Must make sure data is legally authorized and collected correctly
119
Documentation/ Evidence - Chain of Custody
Documentation that shows integrity of data
120
Documentation/ Evidence - Time Stamps
Gives an electronic document a 'certain date' with probative value
Allows the document to be associated with a legally certain date and time that can be enforced against third parties
121
Documentation/ Evidence - Time Offset
Record the time offset from the operating system
122
Documentation/ Evidence - Tags
A physical tag that can be put on the evidence that provides a detailed description of everything about it
123
Documentation/ Evidence - Reports
Document the findings for internal use, legal proceedings, etc.
Summary and overview of the security event
Detailed explanation of data acquisition
124
Documentation/ Evidence - Event Logs
Documents important operating system and application events that can be exported or stored for future reference
125
Documentation/ Evidence - Interviews
Can ask what others saw and can document what they say - they might have different information
126
Acquisition - Order of Volatility
Some data persists on a system for a long period of time, while other data is only retained for a few minutes - collect the most volatile data first
127
Acquisition - Disk
Copy everything onto a storage device
128
Acquisition - Random-access Memory
Difficult to gather because the information changes constantly, but important
Memory dump
129
Acquisition - Swap/ Pagefile
A place to store RAM when memory is depleted and can also contain portions of an application
130
Acquisition - OS
Can help gain information and data for a security event
Users, open ports, running processes, device list
131
Acquisition - Device
Capture data by using an existing backup file or by imaging the device over USB
Calls, contact info, messages, email, images, and video
132
Acquisition - Firmware
Rootkits and exploited hardware devices
Investigate how the firmware functions
133
Acquisition - Snapshot
A point-in-time system image
Incremental updates from each snapshot
Contains all files and information about a VM
134
Acquisition - Cache
Stores data for later use
Can speed up the performance of an application or the OS
135
Acquisition - Network
Gather information about and from the network
Network connections, packet captures
136
Acquisition - Artifacts
Digital items left behind
Log info, flash memory, cache files, recycle bin, bookmarks
137
Right-to-audit Clauses
An agreement on how data can be accessed - data sharing and outsourcing
Permission to know where the data is being held, how the data is managed over the internet, and what security features are being used to protect the data
138
Regulatory/ Jurisdiction
Data in a different jurisdiction may be bound by very different regulations
139
Data Breach Notifications Laws
If consumer data is breached, the consumer must be informed
Type of data breached, who gets notified, and how quickly
140
Integrity - Hashing
Cryptographic integrity verification
A digital "fingerprint"
141
Integrity - Checksums
Makes sure information sent from one side to another has shown up without any corruption
142
Integrity - Provenance
Original documentation of the source of the data
Data handling and blockchain technology
143
Preservation
Handling evidence by isolating, protecting, and copying the data
144
Electronic Discovery (E-discovery)
Collect, prepare, review, interpret, and produce electronic documents/ data
145
Data Recovery
Extract missing data without affecting the integrity of the data
Deleted files, hidden data, hardware/software corruption, damaged storage device
146
Non-repudiation
Proof of data integrity and the origin of the data
The data is unchanged and really did come from the sender
Message authentication code (MAC) and digital signature
147
Strategic Intelligence
A focus on key threat activity for a domain
Internal threat reports, third-party data sources, and other data inputs
148
Counterintelligence (CI)
Preventing hostile intelligence operations
Discover and disrupt foreign intelligence threats