Cybersec

Question 1

Info gathering; OSINT

Answer 1

OSINT: Open Source Intelligence

Gather information from open sources (Google, job adverts, social media etc.)

Question 2

Enumeration

Answer 2

Scanning a target to know more about technical properties (Scanning IP range for responding hosts, Look for open ports etc.)

Question 3

Exploitation

Answer 3

-Try to get access to systems
-Often involves using or building exploits

Question 4

Priv Esc - Horizontal - Vertical

Answer 4

Privilege Escalation - expanding system access

Horizontal - you gain access to another account with similar permissions

Vertical - gain access to accounts with different permissions (often higher)

Question 5

Post-explotation

Answer 5

When a true attacker realise their attack objective

Evaluate if you can use your access to target other hosts (pivoting)
Any additional information we can gather
Cover tracks
Report

Question 6

Black-box

Answer 6

Pentester have no knowledge about the attack target

Similar to real attack
Able to capture “reconnaissance” aspects of an attack
Time-consuming and expensive

Question 7

Grey-box

Answer 7

Pentester have some knowledge about the attack target

Performed as an attack from the outside, but some knowledge given to the Pentester

Speeds up the test, cheaper

Can target certain aspects of the test target

Question 8

White-box

Answer 8

Pentester have access to full knowledge such as internal documentation

Used for detailed testing

Allows for the entire attack surface to be evaluated

Question 9

Describe the 3 Hacker hats

Answer 9

• A white-hat is someone who use their skills for good and stay within the law
• A gray-hat typically use their skill for their perception of good. They do not follow laws or ethical standards if that conflicts with their objectives
• A black-hat is a criminal who seek some kind of gain, typically at the expense of others

Question 10

Pentest - ROE

Answer 10

Rules of engagement

• Permission to perform the test
• Scope of the test (machine, system)
• Rules (permitted or forbidden techniques or what the Pentester should do upon certain discoveries)

Question 11

Attack tree

Answer 11

You model all possible ways to compromise a target

Allows you to create a map to try all possible attacks one by one

Neat way to report your pentest

Question 12

Cyber kill chain

Answer 12

A model which outlines the phases of an attack

Developed by company Lockheed Martin

7 steps involved

Question 13

Cyber kill chain step 1

Answer 13

Reconnaissance: Identify and select target, often includes OSINT and network scanning

Question 14

Cyber kill chain step 2

Answer 14

Weaponization: Preparation of attack payload

Get or create weapons for the attack, such as downloading or develop a tool

Question 15

Cyber kill chain step 3

Answer 15

Delivery: Find a way to deliver payload to target

Can be phishing, drive by download or direct network communication

Question 16

Cyber kill chain step 4

Answer 16

Exploitation: Trigger payload

Have it run somehow, can be dependent on a user action (phishing) or using vulnerability in target

Question 17

Cyber kill chain step 5

Answer 17

Installation: Installation of a backdoor or Remote Access Trojan to maintain access

Question 18

Cyber kill chain step 6

Answer 18

Command and control(C2) : Establish infrastructure to enable C2 access to the compromised host

Question 19

Cyber kill chain step 7

Answer 19

Actions on objectives: With access to target device the attacker can fulfil their original objectives

Ransom, data exfiltration etc.

Question 20

MITRE ATT&CK

Answer 20

Described as a knowledge base and model for cyber adversary behaviour

Aims to reflect the phases and actions an attack may include

3 technology domains: Enterprise, Mobile, Industrial Control System (ICS)

Question 21

Pentesting - Infection vectors

Answer 21

Paths taken to infect victims

The approach used to expose victims, or victim machines, to malicious content or actions

Question 22

Malicious attachment

Answer 22

Deliver your payload as a message attachment

Question 23

Black hat Search Engine Optimization (SEO)

Answer 23

You create malicious websites and make them appear high in search lists for tending keywords

Question 24

Drive-By download

Answer 24

Exploit users web browsers to make them automatically download malicious content when visiting a web site

Question 25

Shodan

Answer 25

Online tool for searching for devices connected to the internet

Collects information from devices connected to the internet by asking them

Question 26

NMAP/ZENMAP

Answer 26

Network scanning tool:
Scanning for active hosts
Open ports
And sometimes identify OS and service software

Question 27

Active Reconnaissance

Answer 27

Interacting directly with the target system

NMAP

Question 28

Passive Reconnaissance

Answer 28

Not directly interacting with the target system

Shodan and other OSINT

Question 29

Scanning intensity

Answer 29

Even with active scanning you decide upon the level of intensity/aggression

Typically, a more intense scan will yield more data and be quicker, but is also easier to detect

One typically starts carefully and then intensify as needed to yield results

Question 30

Metasploit

Answer 30

Penetration testing framework

Can do some searching, but is primarily a tool for exploiting vulnerable systems

Question 31

Exploit

Answer 31

A code which uses a system vulnerabililty

Question 32

Vulnerability

Answer 32

A flaw in code, design, or logic which can be exploited

Question 33

Payload

Answer 33

Code which will run on the targeted system (the actions carried out after using the exploit)

Question 34

Hydra

Answer 34

Online password-cracking tool

Allows you to automate password guessing attacks on websites

Question 35

Password Guessing

Answer 35

Password guessing is all about trying to guess account passwords to get account access

Brute Force
Dictionary
Mask

Question 36

Password Guessing - Offline Attack

Answer 36

Means that a password hash is extracted and the attack is carried out offline

Question 37

Password Guessing - Online Attack

Answer 37

Means that the password guessing is launched at a running system

Question 38

Security Operations and Incident Response (SOIM)

Answer 38

Assumes that we can’t, or won’t fully protect our cyber environment. We acknowledge that there will be incidents.

SOIM can be described as the process and capability for handling that reality.

Question 39

SOIM - MAPE-K

Answer 39

SOIM can be seen as an application of the MAPE-K model for cybersecurity
* Monitor, Analyze, Plan, Execute - Knowledge

Question 40

MAPE-K Model

Answer 40

MAPE-K is an architecture for adaptive systems

*An event-driven loop
*Events, or the result of events, provide feedback to the system
*Feedback is used to change the system behavior

Question 41

SOIM Workflows

Answer 41

• Intrusion Detection and Prevention Systems (IDPS)
• Security Information and Event Management (SIEM)
• Security Orchestration, Automation, and Response (SOAR)

Question 42

MAPE-K Components

Answer 42

• Monitor (IDPS)
• Analyze (IDPS and SIEM)
• Plan (SIEM and SOAR)
• Execute (SOAR)

Question 43

CTI - Cyber Threat Intelligence

Answer 43

Detailed knowledge of threats against an organization

Question 44

ISAC- Information Sharing and Analysis Centers

Answer 44

Organization that gather data on cyber threats

Question 45

Honeypot

Answer 45

A system or set of systems offered as bait to attackers

Question 46

Security Operations - Incident Handling

Answer 46

• Avoid bad events as far as possible
• Detect bad events when they occur
• Handle them when they occur

Question 47

Incident Response

Answer 47

When an incident occurs, we need to minimize its impact by following an incident response plan

Incident response is basically about managing incidents and includes the practices of responding to identified incidents

Question 48

Incident Response - How?

Answer 48

Roughly divided into two tasks:
* Establishing capabilities
* Incident handling

Question 49

Establishing Capabilities

Answer 49

The task of getting ready, knowing how to act and what to do.

Content to include:
* What an incident is: Incident classification and how various incidents should be handled
* CSIRT contact list: Members and their contact info
* Contingency plan: Prioritization
* Communication plan: Who to talk to and when
* Resources that the CSIRT can use and allocate

Question 50

Incident Response - Handling

Answer 50

• Analysis
• Mitigation
• Communication

Question 51

Incident Response - Handling - Analysis

Answer 51

Investigate the incident
* Type
* Scope

This a difficult task that aims to understand the nature of the incident and the (potential) damage caused

Question 52

Incident Response – Handling - Mitigation

Answer 52

Focus on containing the incident
* Isolate infected hosts
* Isolate hosts critical to the organization

Question 53

Incident Response – Handling - Communication

Answer 53

Communication is important for several reasons
* Legal and compliance
* Warn others
* Maintain trust, both internally and externally

Question 54

Incident Response – Post

Answer 54

Return to normal operation
* Purge the incident from the system