Cybersäkerhet

Question 1

What are the seven phases in the cyber kill chain?

Answer 1

1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and Control
7. Action on Objective

Question 2

Reconnaissance

Answer 2

Identify and select a target. Often includes both OSINT and network
scanning.

Question 3

Weaponization

Answer 3

Preparation of the attack payload. Create or get a tool for the attack.

Question 4

Delivery

Answer 4

Find a way to deliver the payload to the target. This can be done through phishing and drive-by download.

Question 5

Exploitation

Answer 5

Trigger the payload

Question 6

Installation

Answer 6

Installation of a backdoor or Remote access trojan to maintain access

Question 7

Command and Control

Answer 7

Establish infrastructure to enable C2 access to the compromised host

Question 8

Actions on objectives

Answer 8

You have access to your target device and can now fulfill your goal. Ransom and data exfiltration.

Question 9

Information gathering

Answer 9

Gather information from open sources (OSINT).

Question 10

Enumeration

Answer 10

Scan the target to get more information about its technical properties:
* Look for open ports.
* Trying to figure out what software targets are running.

Question 11

Exploitation

Answer 11

About finding and using vulnerabilities. You try to access the systems, which often involves using or building exploits.

Question 12

Privilege Escalation

Answer 12

Expanding your access to the system.

• Horizontal: You gain access to another account with similar permissions.
• Vertical: You gain access to accounts with other different permissions.

Question 13

Post-exploitation

Answer 13

When an attacker would realize their attack objective.

Question 14

Black-box pentest

Answer 14

When the pentester have no knowledge about the attack target.

• Most similar to a real attack
• Able to capture ” reconnaissance” aspects of an attack
• Often time-consuming, and expensive
• Since the pentester is unaware of how the target works, attack
  surfaces may be missed

Question 15

Grey-box pentest

Answer 15

Pentester has some knowledge about the attack target.

• Can speed up the test and therefore limit costs
• Can target certain aspects of the test target

Question 16

White-box pentest

Answer 16

Pentester has access to full knowledge about the target’s inner workings.

• Typically used for detailed testing of the functionality of the target
  and expected behavior
• Allows for the entire attack surface to be evaluated

Question 17

Disclosure ethics

Answer 17

To maximize both interest, it is typical to work under a responsible
disclosure policy comprising the following steps

• Discovery of a vulnerability
• Report the vulnerability to the concerned vendor or organization
• Verification of the vulnerability by the recipient
• Remediation of the vulnerability by the vendor
• Disclosure of the vulnerability once the fix is ready

Question 18

What is Shodan?

Answer 18

Online tool for searching for devices connected to the internet

Question 19

MAPE-K

Answer 19

• Monitor
• Analyze
• Plan
• Execute

Question 20

What are the two broad methods for data analysis?

Answer 20

• Misuse detection
• Anomaly detection

Question 21

Misuse Detection

Answer 21

Will match signature of bad, and report when a hit is found.

• It’s cheap and easy to implement.
• Has a hard time identifying new events.

Question 22

Anomaly detection

Answer 22

About finding deviations from normal system operations.

• Anomaly detection relies on models (often statistical) that define
  normal and anomalous behavior
• Events will be given a score that reflect how normal they are

Question 23

False positive

Answer 23

Alert is raised for benign event

Question 24

False negative

Answer 24

Alert is not raised for malicious event

Question 25

True positive

Answer 25

Alert is raised for malicious event

Question 26

True negative

Answer 26

Alert is not raised for benign event

Question 27

What are the incident response phases?

Answer 27

• Establishing capabilities
• Handling
• Post-incident activities

Question 28

Establishing capabilities

Answer 28

How to act when an incident happens. Develop a policy that outlines the rules for incident response work. And have resources available when something happens.

• What an incident is.
• CSIRST contact list
• Contingency plan
• Communication plan
• Resources that the CSIRT can use and allocate

Question 29

Handling

Answer 29

• Analysis: Investigate the incident
• Mitigation: Containing the incident
• Communication: Legal and compliance, warn others, and maintain trust.

Question 30

Post-incident activities

Answer 30

Return to normal operation

• Measure the performance of the incident handling and learn from that
• Legal aftermath
• Communication
• Possible long-term business impacts

Question 31

What is a honeypot?

Answer 31

A system or set of systems offered as bait to attackers

Question 32

Playbook

Answer 32

A document which outlines the steps for handling a specific type of incident

Question 33

Contingency plan

Answer 33

A document that outlines the what’s, how’s, and who’s of an incident response in general.

Question 34

Someone working in a SOC with analysis of threats and incidents is called a?

Answer 34

Security analyst

Question 35

What is Snort?

Answer 35

An IDPS

Question 36

What is a technique used by malware to avoid detection?

Answer 36

• Encryption
• Polymorphism or Metamorphism
• Memory-resident (file-less)

Question 37

What is a reason why memory analysis can be powerful?

Answer 37

The data is in its true and recent form of data.

Question 38

What is in metadata?

Answer 38

Time stamps and permissions

Question 39

Dictionary Attack

Answer 39

A password-cracking attack where you collect a list of words and try them one by one

Question 40

What is cyber-dependent crime?

Answer 40

A crime that depends on cyber for its execution

Question 41

What is cyber-enabled crime?

Answer 41

A traditional crime that utilizes cyber

Question 42

What tool is used to prohibit a computer from writing anything to a disk?

Answer 42

Write blocker

Question 43

What is SPLUNK?

Answer 43

A SIEM

Question 44

What is a tool for exploiting vulnerable systems?

Answer 44

Metasploit

Question 45

Rules of Engagement

Answer 45

• Explicit permission to perform the test
• The scope of the test (machines and systems)
• Rules, such as permitted or forbidden techniques or what the pentester
  should do upon upon certain discoveries