Chapter 4 - Operations and Incident Response Flashcards

Question

netstat -n

Answer 1

Do not resolve names

Answer 2

"Read" and "write" to the network Can open a port and send or receive some traffic Listen on a port number, transfer data, scan ports and send data to a port Can become a back door and run a shell from a remote device

Answer 3

Being able to view the first part of a file (the head or beginning) head [OPTION] ... [FILE] ... Can use -n to specify number of lines head -n 5 syslog - first 5 lines of file

Answer 4

Being able to view the last part of a file (the tail or end) tail [OPTION] ... [FILE] ... Can use -n to specify number of lines tail -n 5 syslog - last 5 lines of file

Answer 5

Link together in a series Copy a file/ files to the screen - cat file1.txt file2.txt Copy a file/ files to another file - cat file1.txt file2.txt > both.txt

Answer 6

File text in a file - search through many file names at a time grep PATTERN [FILE]

Answer 7

Change mode of a file system object - r; read, w; write, x; execute Set for the file owner - u; owner, g; group, o; others, a; all SEE SLIDE

Answer 8

Add entries to the system log (syslog) logger "This information os added to syslog" Useful for including information in a local or remote syslog file

Answer 9

Encrypted consoel communication - tcp/22

Answer 10

Commmand line for system administrators .ps1 file extension

Answer 11

General-purpose scripting language .py file extension

Answer 12

A toolkit and crypto library for SSL/ TLS Create X.509 certificates and manages others Message digest Encryption and decryption

Answer 13

A suite of replay utilities Test security devices Test and tune IP Flow/ NetFlow devices Evaluate the performance of security devices

Answer 14

Capture packets from the command line that can display and write packets

Answer 15

Analyze packets by viewing traffic patterns, identifying unknown traffic, and verifying packet filtering and security controls Gather frames on the network

Answer 16

Used to create disk images and destroy data by overwriting the contents of a file or a disk

Answer 17

Copy information in system memory to the standard output stream Can be copied to another host across the network

Answer 18

A universal hexadecimal editor for Windows 10 that can edit disks, files, and RAM

Answer 19

Allows you to perform memory capture or registry capture on a live device, to recover passwords or other data stored in memory on the active device

Answer 20

Allow you to perform digital forensics of hard drives, smart phones by viewing and recovering data from storage devices

Answer 21

A pre-built toolkit used to find exploitations that can add more tools when vulnerabilities are found Metasploit

Answer 22

Finding passwords either online or offline by brute forcing a hash file

Answer 23

Completely removing data making sure no data can be recovered and no useable information remains

Answer 24

Preparation Detection and analysis Containment, eradication, and recovery Post-incident activity

Answer 25

Make sure to have good communication, updated software and hardware, incident analysis resources, incident mitagtion software, and policies needed to handle an incident

Answer 26

There can be many precursors to an incident as well as some indicators - attack attempt, anti-virus identifies malware, a configuration change, traffic flows deviate from the norm

Answer 27

Can use sandboxes to isolate an OS and help you run the malware to analyze it

Answer 28

Cannot wait - remove the threat and restore affected systems to their previous state, ideally while minimizing data loss as quickly as possible

Answer 29

Restore backups, rebuild from scratch, replace compromised files, and tighten down the perimeter/ security

Answer 30

Learn what happened and improve on it for next Have a meeting asap

Answer 31

Logistics of a diaster can be determined through analysis with key players of an organization so you do not physically have to go through a disaster

Answer 32

Testing processes and procedures before an event by walking through each step, involving all the groups, and referring actual response materials

Answer 33

Test with an actual simulated event

Answer 34

A guideline for classifying and describing cyberattacks and intrusions

Answer 35

An adversary deploys a capability over some infrastructure against a victim - used when an intrusion occurs Defines an event as the central element necessary for four key aspects of malicious activity to occur Adversary, victim, infrastructure, and capability

Answer 36

A military concept that used seven phases of a cyber attack Reconnaissance, weaponization, delivery, exploit, installation, command and control, and actions on objectives

Answer 37

Keeping a good ongoing relationship with customers of IT Exercises for future disasters should involve customers and communication

Answer 38

Getting your contact list together because everyone is in the loop for a disaster Corporate, internal non-IT, external contacts

Answer 39

A comprehensive plan that is made and initiated after a disaster takes place Keeps the organization up and running

Answer 40

A comprehensive plan that is made and initiated during a disaster

Answer 41

Alternative ways to keep the business up and running after a disaster if it disupts the organization from operating under the norm Examples: paper receipts, manual transactions, phone calls

Answer 42

A specialized group that is trained and tested to deal with any type of organizational emergency IT security management, Compliance officers, technical staff, and user community

Answer 43

How long a business needs to keep a piece of information (record), where it's stored and how to dispose of the record when its time

Answer 44

The process of discovering, analyzing, and reporting on security flaws and vulnerabilities Lack of security controls, misconfigurations, and real vulnerabilities

Answer 45

A vulnerability is identified that doesn't really exist

Answer 46

A vulnerability exists, but you didn't detect it

Answer 47

Operating systems, infrastructure devices

Answer 48

Easy to be overwhelmed with data but some is unnecessary Informatonal, warning, urgent

Answer 49

Identify changes over time Easily view constant attack metrics

Answer 50

Real-time information Identify a security event

Answer 51

Link diverse data types View data in different ways

Answer 52

Physical network devices: switches, routers, APs, VPNs Network changes: routing updates, authentication issues

Answer 53

Operating system information and may also include security events

Answer 54

Specific to the application Windows, Linux, MacOS

Answer 55

Detailed security related events: traffic flows, exploit attempts Security devices: IPS, firewall

Answer 56

Web server access and access errors Exploit attempts Server activity

Answer 57

DNS queries and requests to servers

Answer 58

Know who logged in and correlate with other events like file transfers

Answer 59

A snapshot that shows the process that was executing and modules that were loaded for an app at a point in time

Answer 60

View inbound and outbound call information

Answer 61

Call setup and management Inbound and outbound calls Alet on unusual numbers or country codes

Answer 62

Standard for message logging Diverse systems create a consolidated log

Answer 63

Rocket-fast System for log processing

Answer 64

A popular syslog daemon with additional filtering and storage options

Answer 65

Provides a method for querying and displaying the system logs that were stored in a binary format

Answer 66

Collection from many diverse log types

Answer 67

Shows the percentage of network use over time

Answer 68

Data that describes other data sources

Answer 69

Header details, sending servers, destination address

Answer 70

Type of phone, GPS location

Answer 71

Operating system, browser type, IP address

Answer 72

Name, address, phone number, title

Answer 73

Gathering traffic statistics from all traffic flows/ packets Shared communication between devices

Answer 74

Designed to perform flow-export by random sampling of packets and time-based sampling of network interfaces, and not by considering every packet

Answer 75

Newer NetFlow-based standard Templates used to describe data

Answer 76

Solves complex application issues by viewing detailed traffic information - helps idenfiy unkown traffic, verify packet filteirng and security controls, and view plain-language description of application data

Answer 77

The end user device Recognize and react to any malicious activity

Answer 78

Application does not run or execute on device/ endpoint unless it's approved

Answer 79

List of applications that cannot be run on endpoint/ device

Answer 80

If an application is not on an allow or deny list - system can place application into a safe area where no applications are allowed to run until further investigated

Answer 81

Managing application flows and blocking dangerous applications

Answer 82

Enabling or disabling phone and tablet functionality regardless of physical location

Answer 83

Block transfer of perosnally identifiable information (PII) or sensitive data Examples: credit card #'s, social security #'s, etc.

Answer 84

Limit access to untrusted websites and block know malicious sites Large blocklists are used to share suspicious URLs

Answer 85

Manage device certificates to verify trust Revoking a certificate effectively removes access

Answer 86

Isolate compromised device from everything else in order to prevent the spread of malicious software

Answer 87

Limit interaction with host of operating system and other applications by running each application in it own sandbox

Answer 88

Separate the network to prevent unauthorized movement and limit the scope of a breach

Answer 89

Integrate third party tools and data sources to make the security teams more effective

Answer 90

A linear checklist or a step-by-step approach to automation Examples: reset a password, create a website certificate, back up application data

Answer 91

Conditional steps to follow; a broad process Examples: investigate data breach, recover from ransomeware

Answer 92

A legal technique to preserve relavant information Often stored in separate respository for electronically stored information (ESI)

Answer 93

A moving record of the event that gathers information external to the computer and network

Answer 94

Not all data can be used in the court of law Must make sure data is legally authorized and collected correctly

Answer 95

Documentation that shows integrity of data

Answer 96

Gives an electronic document a 'certain date' with probative value Allows to associate the document with a legally certain date and time that can be enforced against third parties

Answer 97

Record the time offset from the operating system

Answer 98

A phsyical tag that can be put on the evidence that provides a detailed description of everything about it

Answer 99

Document the finding for internal use, legal proceedings, etc. Summary and overview of the security event Detailed explanation of data acquisition

Answer 100

Documents important operating system and application events that can be exported or stored for future reference

Answer 101

Can ask what others saw and can document what they say - they might have different information

Answer 102

Certain data being stored on a system for a certain period of time compared to data that will only be stored for a few minutes

Answer 103

Copy everything onto a storage device

Answer 104

Difficult to gather because information changes constantly but important Memory dump

Answer 105

A place to store RAM when memory is depleted and can also contain portions of an application

Answer 106

Can help gain information and data for a security event Users, open ports, processes running, device list

Answer 107

Capture data by using an existing backup file or image over USB calls, contact info, messages, email, images and video

Answer 108

Rootkits and exploited hardware device Investigate how the firmware functions

Answer 109

A point-in-time system image Incremental updates from each snapshot Contains all files and information about a VM

Answer 110

Store data for use later Can speed up performance or application or OS

Answer 111

Gather information about and from the network Network connections, packet captures

Answer 112

Digital items left behind Log info, flash memory, cache files, recycle bin, bookmarks

Answer 113

An agreement on how data can be accessed - data sharing and outsourcing Permission to know where the data is being held, how the data is managed over the internet, and what security features is being used to protect the data

Answer 114

Data in a different jurisdiction may be bound by very different regulations

Answer 115

If consumer data is breached, the consumer must be informed Type of data breached, who gets notified, and how quickly

Answer 116

Cryptographic integrity verification A digital "fingerprint"

Answer 117

Makes sure information sent from one side to another has shown up without any corruption

Answer 118

Original documentation of the source of the data Data handling and block chain technology

Answer 119

Handling evidence by isolating, protecting, and copying the data

Answer 120

Collect, prepare, review, interpret, and produce electronic documents/ data

Answer 121

Extract missing data without affecting the integrity of the data Deleted files, hidden data, hardware/ software corruption, storage device damaged

Answer 122

Proof of data integrity and the origin of the data The data is unchanged and really did come from the sender MAC and digital signature

Answer 123

A focus in key threat activity for a domain Internal threat reports, 3rd party data sources, and other data inputs

Answer 124

Preventing hostile intelligence operations Discover and disrupt foreign intelligence threats