Chapter 4 - Operations and Incident Response Flashcards

1
Q

tracert (Windows)

A

Determines the route a packet takes to a destination by mapping the route
Time to Live (TTL) is counted in hops

2
Q

traceroute (POSIX)

A

Determines the route a packet takes to a destination by mapping the route
Time to Live (TTL) is counted in hops

3
Q

nslookup

A

Lookup information from DNS servers
Examples: canonical names, IP addresses, cache timers, etc.
Deprecated - use dig instead

4
Q

dig

A

Lookup information from DNS servers
More advanced domain information - use instead of nslookup
Examples: canonical names, IP addresses, cache timers, etc.

5
Q

ipconfig

A

Displays all current Windows TCP/IP network configuration values and refreshes Dynamic Host Configuration Protocol and Domain Name System settings

6
Q

ifconfig

A

View and change the configuration of the network interfaces on a Linux system

7
Q

Network Mapper (nmap)

A

Find and learn more about network devices by doing port scans, operating system scans, service scans, and running additional scripts

8
Q

ping

A

Tests reachability and can determine the round-trip time
Uses Internet Control Message Protocol (ICMP)
Primary troubleshooting tool

9
Q

pathping

A

Combines ping and traceroute and is divided into two phases
Phase 1: runs a traceroute to build a map
Phase 2: Measures the round-trip time and packet loss at each hop

10
Q

hping

A

Open-source packet generator and analyzer for the TCP/IP protocol
Used for security auditing and testing of firewalls and networks

11
Q

Network Statistics (netstat)

A

Generates displays that show network status and protocol statistics used in many different operating systems

12
Q

IP Scanners

A

Searching the network for IP addresses - locate active devices and avoid doing work on an IP address that isn’t there

13
Q

Address Resolution Protocol (arp)

A

Determines a MAC address based on an IP address
Need the hardware address to communicate

14
Q

arp -a

A

Is able to view the local ARP table

15
Q

route

A

View a device's routing table to find out which way packets will go

16
Q

Client URL (curl)

A

Can retrieve data using a URL such as web pages, FTP, emails, databases, etc.
Grab the raw data by searching, parsing, and automating

17
Q

theHarvester

A

Gathers OSINT by scraping information from different web pages like Google and Bing
Examples: list of people from LinkedIn, a list of email contacts, etc.

18
Q

sn1per

A

Combines many recon tools into a single framework
Examples: dnsenum, metasploit, nmap, theHarvester, etc.

19
Q

scanless

A

Runs port scans from a different host by using a port scan proxy

20
Q

dnsenum

A

Viewing host information (names) from DNS servers

21
Q

Nessus

A

Industry-leading vulnerability scanner
Identifies known vulnerabilities before they can be exploited
Can provide a checklist of issues and filter out false positives

22
Q

Cuckoo

A

A sandbox for malware and testing a file in a safe environment
Can track and trace API calls, network traffic, memory analysis

23
Q

netstat -a

A

Show all active connections

24
Q

netstat -b

A

Show binaries

25
Q

netstat -n

A

Do not resolve names

26
Q

netcat

A

“Read” and “write” to the network
Can open a port and send or receive some traffic
Listen on a port number, transfer data, scan ports and send data to a port
Can become a back door and run a shell from a remote device

27
Q

head

A

Being able to view the first part of a file (the head or beginning)
head [OPTION] … [FILE] …
Can use -n to specify number of lines
head -n 5 syslog - first 5 lines of file

28
Q

tail

A

Being able to view the last part of a file (the tail or end)
tail [OPTION] … [FILE] …
Can use -n to specify number of lines
tail -n 5 syslog - last 5 lines of file

29
Q

Concatenate (cat)

A

Link together in a series
Copy a file/ files to the screen - cat file1.txt file2.txt
Copy a file/ files to another file - cat file1.txt file2.txt > both.txt

30
Q

grep

A

Find text in a file - can search through many files at a time
grep PATTERN [FILE]

31
Q

Change Mode (chmod)

A

Change mode of a file system object - r: read, w: write, x: execute
Set for the file owner and others - u: owner, g: group, o: others, a: all
SEE SLIDE

32
Q

logger

A

Add entries to the system log (syslog)
logger “This information is added to syslog”
Useful for including information in a local or remote syslog file

33
Q

Secure Shell (SSH)

A

Encrypted console communication - tcp/22

34
Q

Windows PowerShell

A

Command line for system administrators
.ps1 file extension

35
Q

Python

A

General-purpose scripting language
.py file extension

36
Q

OpenSSL

A

A toolkit and crypto library for SSL/ TLS
Create and manage X.509 certificates
Message digest
Encryption and decryption

37
Q

Tcpreplay

A

A suite of replay utilities
Test security devices
Test and tune IP Flow/ NetFlow devices
Evaluate the performance of security devices

38
Q

Tcpdump

A

Captures packets from the command line; can display and write packets

39
Q

Wireshark

A

Analyze packets by viewing traffic patterns, identifying unknown traffic, and verifying packet filtering and security controls
Gather frames on the network

40
Q

dd

A

Used to create disk images and destroy data by overwriting the contents of a file or a disk

41
Q

Memdump

A

Copy information in system memory to the standard output stream
Can be copied to another host across the network

42
Q

WinHex

A

A universal hexadecimal editor for Windows 10 that can edit disks, files, and RAM

43
Q

FTK imager

A

Allows you to perform memory capture or registry capture on a live device, to recover passwords or other data stored in memory on the active device

44
Q

Autopsy

A

Allows you to perform digital forensics on hard drives and smartphones by viewing and recovering data from storage devices

45
Q

Exploitation Frameworks

A

A pre-built toolkit used to find exploits; more tools can be added when vulnerabilities are found
Metasploit

46
Q

Password Crackers

A

Finding passwords either online or offline by brute forcing a hash file

47
Q

Data Sanitization

A

Completely removing data, making sure nothing can be recovered and no usable information remains

48
Q

Incident Response Lifecycle

A

Preparation
Detection and analysis
Containment, eradication, and recovery
Post-incident activity

49
Q

Incident Response Process: Preparation

A

Make sure to have good communication, updated software and hardware, incident analysis resources, incident mitigation software, and the policies needed to handle an incident

50
Q

Incident Response Process: Identification

A

There can be many precursors to an incident as well as some indicators - attack attempt, anti-virus identifies malware, a configuration change, traffic flows deviate from the norm

51
Q

Incident Response Process: Containment/ Isolation

A

Can use sandboxes to isolate an OS and help you run the malware to analyze it

52
Q

Incident Response Process: Eradication

A

Cannot wait - remove the threat and restore affected systems to their previous state, ideally while minimizing data loss as quickly as possible

53
Q

Incident Response Process: Recovery

A

Restore backups, rebuild from scratch, replace compromised files, and tighten down the perimeter/ security

54
Q

Incident Response Process: Lessons Learned

A

Learn what happened and improve on it for next time
Have a meeting ASAP

55
Q

Tabletop Exercise

A

Logistics of a disaster can be determined through analysis with key players of an organization so you do not physically have to go through a disaster

56
Q

Walkthrough Exercises

A

Testing processes and procedures before an event by walking through each step, involving all the groups, and referring to actual response materials

57
Q

Simulation Exercises

A

Test with an actual simulated event

58
Q

MITRE ATT&CK

A

A guideline for classifying and describing cyberattacks and intrusions

59
Q

The Diamond Model of Intrusion Analysis

A

An adversary deploys a capability over some infrastructure against a victim - used when an intrusion occurs
Defines an event as the central element necessary for four key aspects of malicious activity to occur
Adversary, victim, infrastructure, and capability

60
Q

Cyber Kill Chain

A

A military concept that uses seven phases to describe a cyber attack
Reconnaissance, weaponization, delivery, exploit, installation, command and control, and actions on objectives

61
Q

Stakeholder Management

A

Keeping a good ongoing relationship with customers of IT
Exercises for future disasters should involve customers and communication

62
Q

Communication Plan

A

Getting your contact list together so everyone is in the loop during a disaster
Corporate, internal non-IT, external contacts

63
Q

Disaster Recovery Plan

A

A comprehensive plan that is made and initiated after a disaster takes place
Keeps the organization up and running

64
Q

Business Continuity Plan

A

A comprehensive plan that is made and initiated during a disaster

65
Q

Continuity of Operations Planning (COOP)

A

Alternative ways to keep the business up and running after a disaster if it disrupts the organization from operating under the norm
Examples: paper receipts, manual transactions, phone calls

66
Q

Incident Response Team

A

A specialized group that is trained and tested to deal with any type of organizational emergency
IT security management, compliance officers, technical staff, and user community

67
Q

Retention Policies

A

How long a business needs to keep a piece of information (record), where it’s stored, and how to dispose of the record when it’s time

68
Q

Vulnerability Scan Output

A

The process of discovering, analyzing, and reporting on security flaws and vulnerabilities
Lack of security controls, misconfigurations, and real vulnerabilities

69
Q

False Positives

A

A vulnerability is identified that doesn’t really exist

70
Q

False Negatives

A

A vulnerability exists, but you didn’t detect it

71
Q

SIEM - Sensors

A

Operating systems, infrastructure devices

72
Q

SIEM - Sensitivity

A

Easy to be overwhelmed with data but some is unnecessary
Informational, warning, urgent

73
Q

SIEM - Trends

A

Identify changes over time
Easily view constant attack metrics

74
Q

SIEM - Alerts

A

Real-time information
Identify a security event

75
Q

SIEM - Correlation

A

Link diverse data types
View data in different ways

76
Q

Network Log Files

A

Physical network devices: switches, routers, APs, VPNs
Network changes: routing updates, authentication issues

77
Q

System Log Files

A

Operating system information and may also include security events

78
Q

Application Log Files

A

Specific to the application
Windows, Linux, MacOS

79
Q

Security Log Files

A

Detailed security related events: traffic flows, exploit attempts
Security devices: IPS, firewall

80
Q

Web Log Files

A

Web server access and access errors
Exploit attempts
Server activity

81
Q

DNS Log Files

A

DNS queries and requests to servers

82
Q

Authentication Log Files

A

Know who logged in and correlate with other events like file transfers

83
Q

Dump Files

A

A snapshot that shows the process that was executing and modules that were loaded for an app at a point in time

84
Q

VoIP and Call Managers Logs

A

View inbound and outbound call information

85
Q

Session Initiation Protocol (SIP) Traffic Logs

A

Call setup and management
Inbound and outbound calls
Alert on unusual numbers or country codes

86
Q

syslog

A

Standard for message logging
Diverse systems create a consolidated log

87
Q

rsyslog

A

Rocket-fast System for log processing

88
Q

syslog-ng

A

A popular syslog daemon with additional filtering and storage options

89
Q

journalctl

A

Provides a method for querying and displaying the system logs that were stored in a binary format

90
Q

NXLog

A

Collection from many diverse log types

91
Q

Bandwidth Monitors

A

Shows the percentage of network use over time

92
Q

Metadata

A

Data that describes other data sources

93
Q

Metadata - Email

A

Header details, sending servers, destination address

94
Q

Metadata - Mobile

A

Type of phone, GPS location

95
Q

Metadata - Web

A

Operating system, browser type, IP address

96
Q

Metadata - File

A

Name, address, phone number, title

97
Q

Netflow

A

Gathering traffic statistics from all traffic flows/ packets
Shared communication between devices

98
Q

Sampled Flow (sFlow)

A

Designed to perform flow-export by random sampling of packets and time-based sampling of network interfaces, and not by considering every packet

99
Q

IP Flow Information Export (IPFIX)

A

Newer NetFlow-based standard
Templates used to describe data

100
Q

Protocol Analyzer Output

A

Solves complex application issues by viewing detailed traffic information - helps identify unknown traffic, verify packet filtering and security controls, and view a plain-language description of application data

101
Q

Endpoint Security

A

The end user device
Recognize and react to any malicious activity

102
Q

Application Approved List

A

Application does not run or execute on device/ endpoint unless it’s approved

103
Q

Application Blocklist/ Deny List

A

List of applications that cannot be run on endpoint/ device

104
Q

Quarantine

A

If an application is not on an allow or deny list - system can place application into a safe area where no applications are allowed to run until further investigated

105
Q

Firewall Rules

A

Managing application flows and blocking dangerous applications

106
Q

Mobile Device Management

A

Enabling or disabling phone and tablet functionality regardless of physical location

107
Q

Data Loss Prevention

A

Block transfer of personally identifiable information (PII) or sensitive data
Examples: credit card #’s, social security #’s, etc.

108
Q

Content Filter/ URL Filter

A

Limit access to untrusted websites and block known malicious sites
Large blocklists are used to share suspicious URLs

109
Q

Update or Revoke Certificates

A

Manage device certificates to verify trust
Revoking a certificate effectively removes access

110
Q

Isolation

A

Isolate compromised device from everything else in order to prevent the spread of malicious software

111
Q

Containment

A

Limit interaction with the host operating system and other applications by running each application in its own sandbox

112
Q

Segmentation

A

Separate the network to prevent unauthorized movement and limit the scope of a breach

113
Q

Security Orchestration, Automation, and Response (SOAR)

A

Integrate third party tools and data sources to make the security teams more effective

114
Q

Runbooks

A

A linear checklist or a step-by-step approach to automation
Examples: reset a password, create a website certificate, back up application data

115
Q

Playbooks

A

Conditional steps to follow; a broad process
Examples: investigate a data breach, recover from ransomware

116
Q

Documentation/ Evidence - Legal Hold

A

A legal technique to preserve relevant information
Often stored in a separate repository for electronically stored information (ESI)

117
Q

Documentation/ Evidence - Video

A

A moving record of the event that gathers information external to the computer and network

118
Q

Documentation/ Evidence - Admissibility

A

Not all data can be used in the court of law
Must make sure data is legally authorized and collected correctly

119
Q

Documentation/ Evidence - Chain of Custody

A

Documentation that shows integrity of data

120
Q

Documentation/ Evidence - Time Stamps

A

Gives an electronic document a ‘certain date’ with probative value
Allows associating the document with a legally certain date and time that can be enforced against third parties

121
Q

Documentation/ Evidence - Time Offset

A

Record the time offset from the operating system

122
Q

Documentation/ Evidence - Tags

A

A physical tag that can be put on the evidence that provides a detailed description of everything about it

123
Q

Documentation/ Evidence - Reports

A

Document the finding for internal use, legal proceedings, etc.
Summary and overview of the security event
Detailed explanation of data acquisition

124
Q

Documentation/ Evidence - Event Logs

A

Documents important operating system and application events that can be exported or stored for future reference

125
Q

Documentation/ Evidence - Interviews

A

Can ask what others saw and can document what they say - they might have different information

126
Q

Acquisition - Order of Volatility

A

Certain data being stored on a system for a certain period of time compared to data that will only be stored for a few minutes

127
Q

Acquisition - Disk

A

Copy everything onto a storage device

128
Q

Acquisition - Random-access Memory

A

Difficult to gather because information changes constantly but important
Memory dump

129
Q

Acquisition - Swap/ Pagefile

A

A place to store RAM when memory is depleted and can also contain portions of an application

130
Q

Acquisition - OS

A

Can help gain information and data for a security event
Users, open ports, processes running, device list

131
Q

Acquisition - Device

A

Capture data by using an existing backup file or image over USB
calls, contact info, messages, email, images and video

132
Q

Acquisition - Firmware

A

Rootkits and exploited hardware devices
Investigate how the firmware functions

133
Q

Acquisition - Snapshot

A

A point-in-time system image
Incremental updates from each snapshot
Contains all files and information about a VM

134
Q

Acquisition - Cache

A

Store data for use later
Can speed up performance of an application or OS

135
Q

Acquisition - Network

A

Gather information about and from the network
Network connections, packet captures

136
Q

Acquisition - Artifacts

A

Digital items left behind
Log info, flash memory, cache files, recycle bin, bookmarks

137
Q

Right-to-audit Clauses

A

An agreement on how data can be accessed - data sharing and outsourcing
Permission to know where the data is being held, how the data is managed over the internet, and what security features are being used to protect the data

138
Q

Regulatory/ Jurisdiction

A

Data in a different jurisdiction may be bound by very different regulations

139
Q

Data Breach Notifications Laws

A

If consumer data is breached, the consumer must be informed
Type of data breached, who gets notified, and how quickly

140
Q

Integrity - Hashing

A

Cryptographic integrity verification
A digital “fingerprint”

141
Q

Integrity - Checksums

A

Makes sure information sent from one side to another has shown up without any corruption

142
Q

Integrity - Provenance

A

Original documentation of the source of the data
Data handling and blockchain technology

143
Q

Preservation

A

Handling evidence by isolating, protecting, and copying the data

144
Q

Electronic Discovery (E-discovery)

A

Collect, prepare, review, interpret, and produce electronic documents/ data

145
Q

Data Recovery

A

Extract missing data without affecting the integrity of the data
Deleted files, hidden data, hardware/ software corruption, storage device damaged

146
Q

Non-repudiation

A

Proof of data integrity and the origin of the data
The data is unchanged and really did come from the sender
MAC and digital signature

147
Q

Strategic Intelligence

A

A focus on key threat activity for a domain
Internal threat reports, 3rd party data sources, and other data inputs

148
Q

Counterintelligence (CI)

A

Preventing hostile intelligence operations
Discover and disrupt foreign intelligence threats