CySA+ Flashcards
Sysmon
System Monitor tool that is part of Sysinternals. Logs activity to Event Monitor, and incorporates XML config files to establish rules to alert on (exclude typical Microsoft activity, look for this malicious behavior, etc)
Stored or Reflected XSS
Cross-site Scripting attack where an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way.
Example- script posted in a comment on a message board that then loads for any user that visits the page.
Blind XSS
A form of Stored XSS. Attacker injects the malicious script or payload ‘blindly’ on some web pages without having any assurance that it will be executed. Web pages that are likely to save their payload into the database are the most important carrier for Blind XSS attacks.
Example- script posted into a Reporting form on a website
Exact Data Match
EDM
Structured database of string values to match, used in DLP
Example- could store hashes of credit card numbers, then if DLP thinks a credit card number is being exported, hash it and see if the value matches in EDM.
SDL
Security Development Lifecycle
Microsoft’s security framework for application development that supports dynamic development processes
Rootkit
Class of malware that modifies system files (often at the kernel level) to conceal its presence and establish persistence
Buffer Overflow
Attack where data goes past the boundary of the destination buffer and begins to corrupt adjacent memory
Smash the Stack
Attacker fills up the buffer with NOP (No Operation) instructions so that the return address may hit a NOP and continue on until it finds the attacker’s code to run
Heap Overflow
Vulnerability where software attempts to move data from one location in memory into a fixed-length buffer allocated on the heap, which is too small to hold the data.
Dereferencing
Software vulnerability that occurs when the code attempts to remove the relationship between a pointer and the thing it points to
How can we mitigate race conditions?
Develop applications to not process things sequentially if possible.
Implement a locking mechanism within the app to provide exclusive access to that resource- for example SharePoint files get “checked out” and can’t be edited by someone else
icacls
Windows command-line utility that IT admins can use to change access control lists on files and folders.
Which coding languages are especially vulnerable to buffer overflow attacks?
C and C++, as strcpy does not perform boundary checking of buffers
How can we mitigate overflow attacks?
Proper input validation
Proper boundary checking
Use ASLR (address space layout randomization)
Run programs with least privilege
SEV
Secure Encrypted Virtualization
AMD Processor Security Extension
SGX
Software Guard Extensions
Intel Processor Security Extension
ASLR
Address Space Layout Randomization
Technique that hinders some types of security attacks by making it more difficult for an attacker to predict target addresses by randomly arranging the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries.
SME
Secure Memory Encryption
AMD Processor Security Extension
TXT
Trusted Execution Technology
Intel Processor Security Extension
Modbus
Communications protocol used in OT networks
Vehicular Vulnerabilities
Exploit over onboard cellular
Exploit over onboard WiFi
Attach exploit to the OBD-II
Masquerading
Dropper replaces legitimate executable with a malicious one (malicious one masquerades as legitimate one)
DLL Injection
DLL injection is a method of executing arbitrary code in the address space of a separate live process.
DLL Sideloading
Malicious DLL is loaded as part of a legit program that has a vulnerability that was exploited
Process Hollowing
Dropper starts process in a suspended state, then rewrites the memory locations containing the process code with the malware code
Military Data Classifications
Unclassified- no restrictions
Classified- viewing restricted to authorized persons within organization or to third parties under NDA
Confidential- highly sensitive, only for approved persons within org (and MAYBE trusted third parties under NDA)
Secret- valuable info, viewing must be severely restricted
Top Secret- info that would cause grave danger if inadvertently disclosed
SOX
Sarbanes-Oxley Act
Law in regards to an organization’s financial and business operations- specifies what types of documents need to be kept and for how long (auditing)
GLBA
Gramm-Leach-Bliley Act
Sets forth requirements that help protect the privacy of an individual’s financial information that is held by financial institutions or others that may store it
FISMA
Federal Information Security Management Act
Sets forth requirements for federal organizations to adopt information assurance controls
Data Steward
Role focused on the quality of the data and associated metadata
ISA
Interconnection Security Agreement
Document that regulates security-relevant aspects of an intended connection between a government agency and an external system
PUF
Physically Unclonable Function
A physical entity embodied in a physical structure, usually implemented in integrated circuits. These physical variances can actually be used in cryptographic functions.
Secure Enclave
Provides CPU hardware-level isolation and memory encryption on every server, by isolating application code and data from anyone with privileges, and encrypting its memory. With additional software, secure enclaves enable the encryption of both storage and network data for simple full stack security. Secure enclave hardware support is built into all new CPUs from Intel and AMD.
EMM
Enterprise Mobility Management
MDM suite with broader capabilities such as IAM
Insecure Components
Any code that is used or invoked outside the main program development process:
Code Reuse
Using a third-party library
Software Development Kit
Field Bus
Digital serial data communications used in OT networks to link PLCs
TPM
Trusted Platform Module
Hardware in COMPUTER that assists with cryptographic functions
Trusted Execution
CPU’s security extensions invoke a TPM and secure boot attestation to ensure that a trusted OS is running
PLC
Programmable Logic Controller
Type of computer designed for deployment in an industrial or outdoor setting that can automate and monitor mechanical systems
Firmware
Programming that is written directly to a hardware device’s static memory. It is used to run user programs on the device and can be thought of as the software that enables hardware to run.
Firmware has complete control over hardware and system memory, thereby making it a lucrative target
COSO
Committee of Sponsoring Organizations of the Treadway Commission
Provides guidance on a variety of governance related topics including fraud, controls, finance and ethics
Error Handler
Coding methods to anticipate and deal with exceptions thrown during execution of a process
When you find a suspicious process, what things should you consider?
Identify how the process interacts with the Registry and file system
How is it being launched?
Is the image file located in system folder or a temp folder?
What files are being manipulated by the process?
Does the process restore itself upon reboot after deletion?
Does a system privilege or service get blocked if you delete the process?
Is the process interacting with the network?
HTTP Response Codes- 4xx Range
These are client-side errors.
400- request couldn’t be parsed by server
401- request didn’t supply authentication credentials
403- insufficient permissions
404- requested resource doesn’t exist
Covert Channels
Transmitting data over nonstandard port
Encoding data in TCP/IP packet headers
Segmenting data into multiple packets and sending spread out
Obfuscation by using HEX
Transmitting encrypted data
Fileless Detection Techniques
Techniques that require analysis of the contents of system memory and of process behavior rather than scanning the file system
When analyzing firewall logs, what four types of useful security data can be provided?
Connections that are permitted or denied
Port and protocol usage within network
Bandwidth utilization with the duration and volume of usage
Audit log of all address translations that occurred
ALE and how to calculate
Annual Loss Expectancy
Multiply SLE (Single Loss Expectancy) by ARO (Annual Rate of Occurrence)
Example- if SLE is $2500, and it will likely happen 4 times, the ALE would be $10,000
NIST Cybersecurity Framework
Risk-based framework that is focused on IT security over IT service provision.
FRAMEWORK CORE identifies five key functions (Identify, Protect, Detect, Respond, Recover) with subcategories
IMPLEMENTATION TIERS see how closely the FRAMEWORK CORE functions are integrated with org’s overall risk management process
FRAMEWORK PROFILES show current/target outcomes to identify where it is best to invest to close the gap in any cybersecurity capabilities
Footprinting
Use of tools to map out layout of a NETWORK, usually in terms of
IP address usage
Routing topology
DNS namespace
Fingerprinting
Use of tools that perform HOST SYSTEM DETECTION to map out data like
Open ports
OS type and version
File shares
Running services/applications
System uptime
Other useful metadata
nmap -sV
Probe open ports to determine service/version info
nmap -A
Enable OS detection, version detection, script scanning and traceroute
Secure Erase
Sanitizing solid-state device using manufacturer provided software
ROSI
Return on Security Investment
Is a security control worth the cost of deploying and maintaining it?
((ALE-ALE with mitigation in place) - Cost of mitigation)/Cost of mitigation
nmap -f or --mtu
Fragmentation, splits TCP header of each probe between multiple IP datagrams to make it hard for IDS/IPS to detect
Reconstruction
Method of restoring a system that has been sanitized using scripted installation routines and templates
nmap -sS
TCP SYN scan, or “half open” scan
Sends a SYN packet to identify the port state without sending back an ACK afterwards
Requires root privileges on system you’re scanning from
WRT
Work Recovery Time
Length of time in addition to the RTO of individual systems to perform reintegration and testing of a restored or upgraded system following an event
Enterprise Security Architecture
Framework for defining the baseline, goals, and methods to secure a business
RPO
Recovery Point Objective
Goal for maximum amount of DATA organization can tolerate losing. Measured in time
RTO
Recovery Time Objective
Goal an organization sets for maximum length of time it should take to restore normal ops following an outage
CDM
Continuous Diagnostics and Mitigation
Provides US gov. agencies/departments with capabilities and tools to identify cybersecurity risks on ongoing basis, prioritize them based on potential impact, and enable cybersecurity personnel to mitigate the most significant problems
CVSS and Categories
Common Vulnerability Scoring System
Way to quantify vulnerability data and then take into account degree of risk to different types of system info
0- no risk
0.1-3.9- Low
4.0-6.9- Medium
7.0-8.9- High
9.0-10.0- Critical
RFC
Request for Change
Document that lists the reason for a change and the procedures to implement that change
hping
Spoofing tool that allows crafting of network packets to exploit vulnerable IDS/IPS
Reaver
Command line tool used to brute-force WPS enabled access points. WPS uses an 8 digit PIN, so it is very easy to hack into
What can react unpredictably to any type of scanning?
Printers
VoIP phones
Embedded Systems
What accounts should perform credentialed scans?
SERVICE ACCOUNTS, not local admins
Responder
Command line tool used to poison responses to NetBIOS, LLMNR and MDNS name resolution requests in an attempt to perform a Man in the Middle attack.
Intercepts the request and then returns the attacker’s IP as the name record
Aircrack-ng Suite
Suite of utilities designed for wireless network security testing
airmon-ng
Utility in Aircrack-ng
Enable/disable monitor mode on cards
airodump-ng
Utility in Aircrack-ng
Capture wireless frames
aireplay-ng
Utility in Aircrack-ng
Deauth users and impersonate
aircrack-ng
Utility in Aircrack-ng
Extract auth key and retrieve plaintext password- only works on WEP networks
Hashcat and How it Works
Command line tool used to perform brute force and dictionary attacks against password hashes
Uses GPU to perform brute force cracking faster
Canonicalization Attack
Attack method where input characters are encoded in such a way as to evade vulnerable input validation measures
Example- using %2e%2e%2f in place of ../
Parameterized Queries
Technique that defends against SQL injection and insecure object references by incorporating placeholders in a SQL query
Basically says “only use these formats”
Cookie Poisoning
A type of session hijacking in which attacker alters, forges, hijacks an otherwise valid cookie sent back to a server to steal data, bypass security, or both
Remote File Inclusion
Attacker executes a script to inject a remote file INTO the web app or website. Example- embedding a hidden URL into the request to have it execute a script hosted on another site
Local File Inclusion
Attacker adds a file to the web app or website that already exists on the hosting server. Example- using directory traversal to try and get the web server to allow a command prompt
Insecure Object Reference and how to mitigate
Coding vulnerability where unvalidated input is used to select a resource object like a file or database
To mitigate, implement access control techniques in applications to verify a user is authorized to access a specific object
XML data submitted without ______ or ______ is vulnerable to spoofing, request forgery, and injection of arbitrary code
Encryption or Input Validation
Normalization
A string is stripped of illegal characters or substrings and converted to the accepted character set
Output Encoding
Coding method to sanitize output by converting untrusted output to a SAFE FORM where the input is DISPLAYED AS DATA to the user WITHOUT EXECUTING AS CODE in the browser
How can you prevent CSRF?
Request user-specific tokens in all form submissions
The Five Cookie Attributes
Secure- instructs client’s web browser to only send cookie if its over secure channel (HTTPS)
HTTP Only- disables access from client-side scripting to your cookie, can only access via HTTP
Domain- sets domain of server that cookie is valid for, limits who has access
Path- Specify URL path for which cookie is valid
Expires- specify when persistent cookie expires
How can you prevent clickjacking
Frame busting- a technique that removes the malicious iframe loaded on a site by forcing a specific page to the top frame. Can be implemented using Javascript or by setting X-FRAME-OPTIONS to DENY
XML Bomb
XML encodes entities that expand to exponential sizes, consuming memory on the host and potentially crashing it.
Used in Billion Laughs Attack, which would define 10 entities that each defined as consisting of 10 of the previous entity, which eventually expands to one billion copies of the first entity. This would most likely exceed computer memory.
The first entity was LOL, by the way.
XXE
XML External Entity
Type of attack against an application that parses XML input
Occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser
Attack can lead to disclosure of confidential data, DoS, server side request forgery, etc
XSS
Cross-site Scripting
User trusts a badly implemented website
Attacker injects a script into the trusted website
User’s browser executes attacker’s script
CSRF/XSRF
Cross-Site Request Forgery
A badly implemented website trusts the user
Attacker tricks user’s browser into issuing requests
Website executes the attacker’s requests
How can you prevent an application from exposing sensitive data?
Applications should ONLY send data between authenticated hosts using encryption to protect the session
Do NOT use hardcoded credentials in the application
Disable use of client password autocomplete features, temporary files, and cookies
DOM XSS
Form of XSS that targets the Document Object Model on websites. Never reaches the server and instead executes in the user’s browser.
Example- a page designed to take a user’s name and display it on the webpage could have scripting executed in it if a malicious url was sent to the user. Then when they navigate to this page, it executes the script and makes the page look completely different
Vulnerability Discovery Scan
Creates and updates inventory of assets by conducting enumeration of network without scanning for vulnerabilities
XCCDF
Extensible Configuration Checklist Description Format
A structured collection of security configuration rules for some set of target systems. Written in XML
OVAL
Open Vulnerability and Assessment Language
XML schema for describing system security state and querying vulnerability reports and information
SCAP
Security Content Automation Protocol
NIST Framework that outlines acceptable practices for vulnerability scanning and standardizes the format and descriptive language with which software flaws and security configuration information is communicated, both to machines and humans.
sigcheck
Sysinternals utility that allows you to verify root certificates in the local store against Microsoft’s master trust list
CVE Categories: AC
Access Complexity
High or Low
CCE
Common Configuration Enumeration
Scheme for provisioning secure configuration checks across multiple sources
Continuous Delivery
Software development method where application and platform requirements are frequently tested and validated for immediate availability
Continuous Integration
Software development method where code updates are tested and committed to a dev or build server/code repository rapidly
PACU
Open-source cloud penetration testing framework to test the security configuration of an AWS account
Prowler
Auditing tool for AWS that evaluates the cloud infrastructure against AWS benchmarks, GDPR compliance, and HIPAA compliance
Scout Suite
Open-source tool written in Python that can audit instances and policies created on multicloud platforms
CORS Policy and risks
Cross Origin Resource Sharing Policy
A CDN policy that instructs the browser to treat requests from nominated domains as safe
Weak CORS policies can expose site to XSS vulnerabilities
API Security Best Practices
API must only be used over an encrypted channel
Data received by an API must pass server-side validation routines
Error messages should be sanitized
Implement throttling/rate limiting mechanisms to protect from a DoS
APIs should use secure authentication and authorization such as SAML or OAuth/OIDC before accessing data
FaaS
Function as a Service
Cloud service model that supports serverless software architecture by provisioning runtime containers in which code is executed in a particular programming language
“Run things and make applications without having our own servers”
Ansible
Automation tool that uses YAML files rather than user agents
curl
Command line tool to transfer data from or to a server, using protocols like HTTP, FTP, etc
SAML
Security Assertions Markup Language
XML-based data format used to exchange authentication info between a client and a service
Provides SSO and federated identity management
SOAP
Simple Object Access Protocol
XML-based web services protocol that is used to exchange messages between applications
ESB
Enterprise Service Bus
Common component of SOA (service oriented architecture) that facilitates decoupled service-to-service communication
SOA
Service Oriented Architecture
Software architecture where components of the solution are conceived as loosely coupled services not dependent on a single platform type or technology
Each piece can be produced/tested separately
Each service takes defined inputs and produces defined outputs
An overall architecture for mapping business workflows to the IT systems that support them
OWASP ZAP
Most widely used web app scanner. Free and open source.
Interception Proxy
Man in the middle software that sits between a client and server and allows requests/responses to be analyzed and modified
Burp Suite
Proprietary tool for performing security testing of web applications that supports the entire testing process, from initial mapping and analysis of attack surface to finding and exploiting security vulnerabilities
Arachni
Open source web application scanner with a GUI, makes findings a lot easier to take in
Nikto
Widely used vulnerability scanner that can identify known web server vulnerabilities and misconfigurations, identify web appliances running on a server, and identify potential known vulnerabilities in those web applications
Command-line only, so data can be challenging to digest
osquery
Open-source tool that converts an OS to a relational database so that you can perform easy analytics using SQL queries
Fuzzing
Dynamic code analysis technique that involves sending a running application random and unusual input to evaluate how the application responds
Debugger
Dynamic testing tool used to analyze software as it executes
Programmers make code more difficult to analyze by ____.
Using an obfuscator
IDA
Interactive Disassembler
Popular cross-platform disassembler and decompiler used by reverse engineers
_____ makes it easier to identify individual functions within the process, track variables, and to find branching logic
Pseudocode
Decompiler
Reverse engineering tool that converts machine code or assembly language to code in a specific higher-level language or pseudocode
Disassembler
Type of reverse engineering software that converts machine language code into assembly language code
UAT
User Acceptance Training
Beta testing by the end users that proves a program is usable and fit-for-purpose in real-world conditions
Formal verification method
Process of validating software design through mathematical modeling of expected inputs and outputs
Why is it not recommended to use regedit for registry analysis? What should we use instead?
regedit doesn’t display last modification time of a value by default. Changes to registry are a major IoC so not knowing when a change happened is not good.
Use regdump, which will dump contents of registry to a text file for analysis
The four severity categories for Windows Event Logs
Information- successful events
Warning- not necessarily a problem but could end up one
Error- significant problems which could inhibit functionality
Audit success/failure- only in security logs
winlogon.exe
Manages access to user desktop and loading user profile through userinit.exe
System (Windows process)
Special kind of process that hosts threads that only run in kernel mode
PID is ALWAYS 4
csrss.exe
Client Server Runtime Subsystem
User mode side of Windows subsystem, and responsible for process thread creation and deletion. Always running, CRITICAL to system operation. If terminated, will result in system failure.
wininit.exe
Windows Initialization Process
Responsible for launching services.exe, lsass.exe, and lsaiso.exe within session 0
smss.exe
Responsible for creating new sessions
services.exe
Service Control Manager (SCM)- handles system services like svchost.exe, dllhost.exe, and many others
svchost.exe
Service Host- responsible for hosting and managing Windows services.
These services are implemented as DLLs stored in the Registry.
When it calls upon a service it uses the -k flag.
lsass.exe
Local Security Authority Subsystem- enforces security policy on system. Handles authentication/authorization services for the system, and writes to Windows Security Log
File signatures for Windows Portable Executable files will always start with ____ in HEX.
4D 5A
File signatures for Windows Portable Executable files will always start with ____ in ASCII.
MZ
File signatures for Windows Portable Executable files will always start with ____ in Base64 encoding.
TV
Memory Analysis Tools allow us to _____.
Reverse engineer code used by the processes
Discover how processes interact with the file system and Registry
Examine network connections
Retrieve cryptographic keys
Extract strings
When service interruptions occur, to determine if this was malicious or an accident, you must consider ________
Are security services prevented from running?
Is the process running the service compromised?
Is the service disabled by a DDoS?
Is there excessive bandwidth usage?
Defensive Capabilities: The Six Ds
Detect
Destroy (probably only in a government agency, hack back is illegal)
Degrade
Disrupt
Deny
Deceive
explorer.exe
Windows Explorer
Gives users access to their folders and files
Provides functionality to start menu, task bar, etc
What are some reasons why an attacker may target the Windows Registry?
Achieve persistence- modifying Registry Key entries
Delete Registry Keys to clean up prior activity
Modify Registry Keys to conceal payloads/commands used to maintain persistence
In virtualized environments, process and memory analysis can be performed by ______ or _______.
Analyzing save state files
VM introspection
Mitigations for nonstandard port usage
Configure firewalls to allow only whitelisted ports to communicate on ingress/egress interfaces
Config documentation should also show which server ports are allowed on any given host type
Configure detection rules to alert on mismatched protocol usage over a standard port
Sysinternals
Suite of tools designed to assist with troubleshooting issues with Windows
Many of these tools are suited to investigating security issues
VM Introspection (VMI)
Uses tools installed to the hypervisor to retrieve pages of memory for analysis
Staging Areas
Place where an adversary begins to collect data in preparation for exfiltration. Data is often compressed and encrypted.
Temp files or folders
User profile locations
Data masked as logs
Alternate Data Streams
How can you detect and mitigate against a pass the hash attack?
Detecting these attacks can be very difficult as it can’t be differentiated from legitimate authentication
Most AV will block tools that allow this such as Mimikatz
Restrict and protect high privileged accounts (Domain admin, local admin)
Restrict inbound traffic to workstations using firewall
The Five Data Breach Categories
Data Exfiltration
Insider Data Exfiltration
Device Theft/Loss
Accidental Data Breach
Integrity/Availability Breach (corruption of data, destruction of system, etc)
who
Linux command that displays a list of users who are currently logged into the computer
Service Analysis Tools for Windows
Tools that can help identify suspicious service activity even when antimalware fails to identify it
Task Manager
Windows Services Manager (services.msc)
net start (command line)
Get-Service (PowerShell)
net stat
Windows command to start a network service or list running network services.
Abnormal Process Behavior
Indicators that a legitimate process has been corrupted with malicious code
Process making changes to registry file without permission
Accessing data files in temp locations
Using the network for malicious activity
Data Plane
Responsible for:
Forwarding traffic
Encrypting traffic
NAT
Filtering traffic with ACLs
Control Plane
Makes decisions about how traffic should be prioritized and secured, and where it should be switched
Management Plane
Monitors traffic conditions and network status
Certificate Management
Install, update, validate trusted root certificates
Deploying, updating, revoking subject certificates
Preventing use of self-signed certificates
SSH Key Management
certutil
Windows utility that allows you to display certificate authority configuration info, configure certificate services, verify certificate’s key pair and certificate chains
OpenSSL
Library of software functions supporting the SSL/TLS protocol
Has commands to create/view digital certificates, generate private keys, test TLS/SSL functions
CIS
Center for Internet Security
Not-for-profit org that publishes well-known “Top 18 Critical Security Controls”
What are the five most critical security controls on the CIS Top 18?
1- Inventory and control of authorized devices
2- Inventory and control of authorized software
3- Data protection
4- Secure configuration of assets and software
5- Account management
CPE
Common Platform Enumeration
Scheme for identifying hardware devices, operating systems, and applications
CAPEC
Common Attack Pattern Enumeration and Classification
Knowledge base maintained by MITRE
How can you mitigate a DDoS attack?
Real time log analysis to ID suspicious traffic and redirect to sinkhole or black hole
Use geolocation/IP reputation data to redirect/ignore suspicious traffic
Aggressively close slower connections by reducing timeouts on affected servers
Use caching and backend infrastructure to offload processing to other servers
Utilize enterprise DDoS protection services
lsof
Linux tool that retrieves a list of all files currently open on the OS
Quickly get a list of all resources a process is currently using
When to investigate a process
Don’t recognize process name
Name similar to legit process (scvhost vs svchost)
Appears without an icon, version info, description, company name
Unsigned, especially if it claims to be from a well known company
Digital signature doesn’t match identified publisher
Doesn’t have parent/child relationship with principal Windows process
Hosted by utilities like Explorer, Notepad, Task Manager, etc
Packed or compressed (highlighted purple in Process Explorer)
Windows Registry
Contains info that Windows continually references during operation, which is necessary info for configuration:
User profiles
Installed applications
Types of documents users/apps can create
Hardware on system
Ports being used
Code review
Process of peer review of uncompiled source code by other developers
Malware injection on Windows vs on Linux
Windows- shimmed/injected into a host process by making it load the malicious code as a DLL
Linux- often injected into Shared Objects (.so files)
Vulnerability reports should include both ____ and ____ on the target network
Physical hosts AND virtual hosts
TLS
Transport Layer Security (TLS) is a widely adopted security protocol designed to facilitate privacy and data security for communications over the internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website.
SSL
Secure Sockets Layer; all three versions are considered obsolete and insecure
GPO
Group Policy Object
A group policy is used to manage Windows systems in a Windows network domain environment utilizing a Group Policy Object (GPO). GPOs can include many settings related to credentials, such as password complexity requirements, password history, password length, and account lockout settings. You can force a reset of the default administrator account password by using a group policy update.
An analyst suspects that a trojan has victimized a Linux system. Which command should be run to determine where the current bash shell is being executed from on the system?
which bash
By executing the “which bash” command, the system will report the file structure path to where the bash command is being run. If the directory where bash is running is different from the default directory for this Linux distribution, this would indicate a compromised machine.
What DLP remediation quarantines and replaces the original file with one describing the policy violation and how the user can release it?
Tombstone
eFuse
Intel-designed mechanism to allow software instructions to blow a transistor in the hardware chip. One use of this is to prevent firmware downgrades, implemented on some game consoles and smartphones. Each time the firmware is upgraded, the updater blows an eFuse. When there is a firmware update, the updater checks that the number of blown eFuses is not less than the firmware version number.
The Seven Phases of Waterfall Method
planning
requirements
design
implementation
testing
deployment
maintenance
Which term defines the collection of all points from which an adversary could interact with a system and cause it to function in a way other than how it was designed?
Attack Surface
What is the best mitigation against an adversary using covert channels?
Advanced IDS and user behavior analytics tools are the best option, but they will not detect everything
Covert storage channel
A system feature that enables one system entity to signal information to another entity by directly or indirectly writing a storage location that is later directly or indirectly read by the second entity
What is the best mitigation against data exfiltration?
Strong encryption of data both at rest and in transit
Service Analysis Tools for Linux
cron
systemctl
ps
top
Session Layer
Layer 5
Establishes, manages, and terminates sessions (dialogs) between source and destination applications
Handles synchronization and checkpointing so an interrupted transfer can resume
Sessions are unique- each is tracked independently, so data from one session is not mixed with another (division of data into packets happens lower, at the transport/network layers)
How does a Golden Ticket attack work?
Attacker gains access to the domain controller’s NTDS.DIT (the AD database)
Attacker dumps NTDS.DIT, exposing the password hash of the krbtgt account
Uses the krbtgt hash (plus the domain SID) to forge a TGT- the Golden Ticket
Presents the forged TGT to obtain service tickets as any account, including Domain Admins, for as long as the krbtgt password is not rotated (twice)
PsExec
Sysinternals tool written for sysadmins as an alternative to Telnet and other remote access services; runs commands on remote Windows hosts over SMB. Attackers use it for lateral movement and, with the -s switch, to run code as SYSTEM (privilege escalation). Look for the PSEXESVC service being installed on hosts.
What are some IoCs that a C2 server is using DNS as a communication channel?
Same query repeated at regular intervals from one host- a bot checking in with its control server for more orders
Queries or responses carrying commands are unusually long and complex (hex or base64 labels far longer than human-chosen names)
Atypical query types being used (TXT, MX, CNAME, NULL) from hosts that have no reason to issue them
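The three IoCs above turned into a detection over DNS query logs, as an added example that is not part of the original flashcards. It assumes a four-column log of timestamp, client, queried name and record type; the sample lines, the thresholds and the list of atypical record types are constructed assumptions to tune per environment.

```python
import re
from collections import Counter

# Constructed sample DNS query log (not from the flashcards). Columns:
# timestamp, client IP, queried name, record type. 10.0.0.7 plays the bot:
# it re-queries the same name every minute and then sends a long hex label.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com A
2024-01-01T10:00:03 10.0.0.5 cdn.example.com A
2024-01-01T10:00:05 10.0.0.7 beacon.c2-example.test TXT
2024-01-01T10:01:05 10.0.0.7 beacon.c2-example.test TXT
2024-01-01T10:02:05 10.0.0.7 beacon.c2-example.test TXT
2024-01-01T10:02:06 10.0.0.7 63617420202f6574632f706173737764207c20626173653634.c2-example.test TXT
2024-01-01T10:03:00 10.0.0.9 www.example.com A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+([A-Z]+)$")

# Record types the card calls atypical for an ordinary workstation. Assumed
# list: a mail server legitimately issues MX lookups, so allow-list such hosts.
ATYPICAL_TYPES = {"TXT", "NULL", "CNAME", "MX"}


def parse_dns_log(log_text):
    """Yield (client, qname, qtype) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, client, qname, qtype = m.groups()
            yield client, qname.lower().rstrip("."), qtype


def is_long_name(qname, max_label_len=40, max_name_len=64):
    """IoC 2: encoded commands produce labels far longer than human-chosen names."""
    return len(qname) > max_name_len or any(
        len(label) > max_label_len for label in qname.split("."))


def analyze_dns_log(log_text, repeat_threshold=3):
    """Map (client, qname) -> set of IoC reasons for every flagged pair.

    IoC 1: the same client asks for the same name repeatedly (check-in).
    IoC 2: the name is abnormally long (command or data smuggled in labels).
    IoC 3: the record type is one rarely used by workstations.
    """
    records = list(parse_dns_log(log_text))
    repeats = Counter((client, qname) for client, qname, _ in records)
    findings = {}
    for client, qname, qtype in records:
        reasons = set()
        if repeats[(client, qname)] >= repeat_threshold:
            reasons.add("repeated-query")
        if is_long_name(qname):
            reasons.add("long-query")
        if qtype in ATYPICAL_TYPES:
            reasons.add("atypical-type:" + qtype)
        if reasons:
            findings.setdefault((client, qname), set()).update(reasons)
    return findings


if __name__ == "__main__":
    for (client, qname), reasons in sorted(analyze_dns_log(SAMPLE_LOG).items()):
        print(f"{client:<10} {qname:<70} {', '.join(sorted(reasons))}")
```

Run against real resolver logs the repeat check should be keyed on an interval (the same name every N seconds) rather than a bare count, and the long-name check is the one that catches data exfiltration even when the beacon itself looks innocuous.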
SPI
Sensitive Personal Information (opinions, beliefs, etc)
File System Viewer
Tool that allows you to search the file system for keywords quickly, including system areas such as Recycle Bin, NTFS shadow copy and system volume information
Port Forwarding as used by an attacker
Attacker uses a host as a pivot and is then able to access one of its open TCP/IP ports to send traffic to a port of a host on a different subnet
What is one of the best mitigation techniques to prevent rogue devices on a network?
Use digital certificates on endpoints and servers to authenticate, and encrypt traffic using IPSec or HTTPS
How can SSH be used to pivot by attackers
Using the -D flag sets up dynamic port forwarding: a local SOCKS proxy on the attacker’s machine that tunnels any TCP connection through the compromised host (-L and -R set up fixed local and remote forwards instead)
Attackers can chain these tunnels (proxy through one host to reach the next) to keep pivoting from host to host until they reach a mission critical host or server
df
Linux tool that retrieves how much disk space is being used by all mounted file systems and how much space is available for each
du
Linux tool that enables you to retrieve how much disk space each directory is using based on the specific directory
dir
Windows command with some advanced functionality for file system analysis
dir /A(x)
Filters all file/folder types that match (x), such as dir /AH displays only hidden files and folders
dir /Q
Shows who owns each file in addition to standard info
dir /R
Displays alternate data streams for a file
Network IoCs
Port scanning or sweeps
Non standard port usage
Covert channels
Rogue Devices
Traffic Spikes
nc
netcat
Swiss Army Knife of network administration
Made for reading from or writing to network connections
Port scanning
Remote administration
File transfer
Attackers can use for port listening or to create a backdoor
Pass the Hash
Network based attack where the attacker steals a user’s NTLM password hash and presents it as-is (no cracking needed) to authenticate over NTLM to other systems on the same network or domain
Attacker could obtain the cached hash of a local admin who had previously signed in and use this hash for privilege escalation or lateral movement
Requires that the hash be harvested from a system the user has signed in to (it is held in LSASS memory or cached there) and that the target still accepts NTLM authentication for that account
How would you mitigate code injection against a web server?
Install a WAF to analyze inbound requests
Compliance scans
Scan based on compliance template or checklist
Ensure controls and configuration settings are properly applied to a given host
Full/Deep Assessment Scan
Comprehensive scan that forces the use of more plug-in types. Takes longer and there’s higher risk of causing service disruption
Fast/Basic Assessment Scan
Analyzes hosts for unpatched software vulnerabilities and configuration issues
ANN
Artificial Neural Network
Data Enrichment
Process of incorporating new updates and information to an organization’s existing database to improve accuracy
SOAR
Security Orchestration Automation and Response
Security tools that facilitate incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment
Primarily used for incident response
Next-Gen SIEM
SIEM with an integrated SOAR
Playbook
Checklist of actions to perform to detect and respond to a specific type of incident
Runbook
Automated version of a playbook that leaves clearly defined interaction points for human analysis
Data Owner
Senior executive w/ ultimate responsibility for maintaining CIA of the information asset
Data Custodian
Role responsible for handling the management of the system on which the data assets are stored
Privacy Officer
Responsible for the oversight of any PII/SPI/PHI assets managed by the company
Trusted Foundry
Microprocessor manufacturing utility that is part of a validated supply chain (one where hardware and software does not deviate from its documented function)
Trusted Firmware Updates
Firmware update that is digitally signed by the vendor and trusted by the system before installation
What two strategies are the most effective in reducing the risk to an embedded ICS from a network-based compromise?
Segmentation
Disabling unused services
You have been asked to conduct a forensic disk image on an internal 500 GB hard drive. You connect a write blocker to the drive and begin to image it using dd to copy the contents to an external 500 GB USB hard drive. Before completing the image, the tool reports that the imaging failed. What is most likely the reason for the image failure?
There are bad sectors on the destination drive (dd stops at the first I/O error unless run with conv=noerror,sync; also confirm the destination is not a few sectors smaller than the source, a common issue between nominally “same size” drives)
grep -i
Treats the specified search pattern as case insensitive
IdP
Identity Provider
Provides the validation of the user’s identity when using SAML for authentication
You just finished conducting a remote scan of a class C network block using the following command “nmap -sS 202.15.73.0/24”. The results only showed a single web server. What technique would allow you to gather additional information about the network?
Perform a scan from on-site
If the organization’s network is set up correctly, scanning from off-site will be much more difficult as many of the devices will be hidden behind the firewall. By conducting an on-site scan, you can conduct the scan from behind the firewall and receive more detailed information on the various servers and services running on the internal network.
Rory is about to conduct forensics on a virtual machine. What process should he conduct to ensure that all of the data is acquired forensically?
Suspend the machine and copy the contents of the directory it resides in
What are the UEFI boot phases?
SEC- Security
PEI- Pre-EFI Initialization
DXE- Driver Execution Environment
BDS- Boot Device Select
TSL- Transient System Load
RT- Runtime
Securing Management Interfaces on a Network
Should only be exposed to an isolated or dedicated network used for management and configuration
What are the two most important factors when determining a containment strategy?
Ensuring the safety and security of all personnel
Prevent further exfiltration of data or prevent the ongoing intrusion from spreading
Purging
Eliminates information from being feasibly recovered even in a laboratory environment
Includes degaussing, encryption of data with the destruction of its encryption key, and other non-destructive techniques
Why is a beacon’s protocol not typically used as a means of identifying a malware beacon?
A beacon can be sent over numerous protocols, including ICMP, DNS, HTTP, and numerous others. Unless you specifically knew the protocol being used by the suspected beacon, filtering out beacons by the protocol seen in the logs could lead you to eliminate malicious behavior prematurely.
Private IP address ranges
10.0.0.0/8 (10.x.x.x)
172.16.0.0/12 (172.16.x.x through 172.31.x.x)
192.168.0.0/16 (192.168.x.x)
Once law enforcement is involved in an event, _________
Admins and analysts should not perform any actions on the network until they receive law enforcement guidance
Employees should receive guidance from law enforcement on what they should and should not say to people outside of the investigation
War walking
Walking around a building while attempting to locate wireless networks and devices
Banner Grabbing
Attacker establishes a connection with a remote machine first (telnet, nc, proprietary connection)
Then sends a bad request
Causes a vulnerable host to respond with a banner message that reveals compromising information such as OS type, software version, etc
Which technology can degrade an adversary’s effort during the C2 phase of the kill chain?
NIPS would either shut it down or block it
Cybersecurity analysts are experiencing some issues with their vulnerability scans aborting because the previous day’s scans are still running when the scanner attempts to start the current day’s scans. What could help resolve the issue?
Reduce the frequency of scans (once every 48 hours, once every week)
Reduce the scope of scans (scan less systems or vulnerability signatures)
Add additional vulnerability scanners to the process
Adversarial Attack Vectors according to MITRE
Cyber- use of hardware or software IT systems
Human- social engineering, coercion, impersonation, force
Physical- gaining local access
Jumpbox
System on a network used to access and manage devices in a separate security zone
What method should a cybersecurity analyst use to locate any instances on the network where passwords are being sent in cleartext?
Full packet capture
You have installed multiple VMs on a single physical server. You need to ensure that the traffic is logically separated between each VM. How can you implement this requirement?
Configure a virtual switch on the physical server and create VLANs
What type of malware changes its binary pattern in its code on specific dates or times to avoid detection by antimalware software?
Polymorphic virus
You have reason to believe that systems on the network have been compromised by an APT. You’ve noticed many file transfers outbound to a remote site via TLS-protected HTTPS sessions from unknown systems. What technique can be used to detect the APT?
Endpoint forensics
Cryptographic Erase
Sanitizes a self-encrypting drive by erasing the media encryption key and then reimaging the drive
What is the most efficient way to sanitize a self-encrypting drive?
Perform a cryptographic erase
Zero-Fill
Overwrites a storage device by setting all bits to the value of 0 but is not effective on SSDs or Hybrid Drives
Bus Encryption
Data is encrypted by an application prior to being placed on the data bus
Tokenization
Deidentification method where a unique token is substituted for real data
Aggregation/Banding
Deidentification technique where data is generalized to protect the individuals involved
“90% of subjects did not experience side effects”
SDLC
Software Development Lifecycle
Waterfall Method
Software development model where the phases of the SDLC cascade so that each phase will start only when all tasks from the previous phase are complete
Agile Method
Software development model that focuses on iterative and incremental development to account for evolving requirements and expectations
OWASP Software Security Assurance Process
Security framework for secure application development
Black Box Testing
Blind Testing
Security analyst receives no privileged information about the software
BIOS
Basic Input/Output System
The software used to start your computer
Initializes CPU and memory
Conducts a Power on Self Test (POST)
Looks for a boot loader and starts the OS
Tells the computer how to do its most basic functions (handle input from keyboard)
UEFI
Unified Extensible Firmware Interface
Defines a software interface between an OS and platform firmware
White Box Testing
Full Disclosure Testing
Security analyst receives privileged info about the software such as source code and credentials
Gray Box Testing
Security analyst receives partial disclosure of information about software
OWASP
Open Web Application Security Project
Charity and community that publishes a number of secure application development resources
SANS Institute
SysAdmin, Audit, Network, and Security Institute
Company specializing in cybersecurity and secure web application development training
Sponsors GIAC (Global Information Assurance Certification)
Arbitrary Code Execution
Vulnerability that allows attacker to run their own code
Remote Code Execution
Vulnerability that allows an attacker to transmit code from a remote host for execution on a target host over the internet
Buffer
Temporary storage area that a program uses to store data
Think of system memory as a table. There are glasses for water at each spot. Each glass can only contain so much water, and if it exceeds that, it can make a mess on the table. The glasses are buffers.
Integer overflow
An attack in which a computed result is too large to fit in its assigned storage space, which may lead to crashing or data corruption, and may trigger a buffer overflow
Race Conditions
Software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order/timing intended by the developer
TOCTTOU
Time of Check to Time of Use
Potential vulnerability that occurs when there is a change between when an app checked a resource and when the app used the resource
RTOS
Real Time Operating System
Prioritizes execution of operations to ensure consistent response for time-critical tasks
For systems that cannot tolerate reboots or crashes and must have response times that are predictable to within microsecond tolerances
HMI
Human Machine Interface
Input and output controls on a PLC to allow a user to configure and monitor the system
SCADA
Supervisory Control and Data Acquisition
Type of industrial control system that manages large scale, multisite devices and equipment spread over geographic region
BAS
Building Automation Systems
Components and protocols that facilitate the centralized configuration and monitoring of mechanical and electrical systems within offices and data centers
CAN
Controller Area Network
Digital serial data communications network used within vehicles
Syslog Severity Levels
0- Emergency
1- Alert
2- Critical
3- Error
4- Warning
5- Notice
6- Informational
7- Debug
“Everyone Always Complains Even When Nothing Is Different”
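A decoder for the severity table above, as an added example that is not part of the original flashcards. In a syslog message the leading <PRI> field packs facility and severity together as PRI = facility * 8 + severity, so the decoder also recovers the facility (going slightly beyond the card). The sample lines are constructed.

```python
import re

SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

# Facility codes 0-23 as numbered in RFC 5424 (short names chosen here;
# the RFC calls 9 and 15 "clock daemon", 13 "log audit", 14 "log alert").
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample lines (not from the flashcards).
SAMPLE_LINES = [
    "<34>Jan  1 10:00:00 host1 sshd[123]: error: PAM: Authentication failure for root",
    "<13>Jan  1 10:00:01 host1 logger: hello from a cron job",
    "<86>Jan  1 10:00:02 host1 sshd[124]: Accepted publickey for alice",
    "<3>Jan  1 10:00:03 host1 kernel: EXT4-fs error (device sda1)",
    "no priority field on this line",
]


def decode_pri(line):
    """Split the <PRI> prefix into (facility, severity) names.

    facility = PRI // 8 and severity = PRI % 8. Returns None when the line
    has no valid PRI (the maximum legal value is 23 * 8 + 7 = 191).
    """
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def actionable(lines, worst_allowed="Error"):
    """Keep lines at the given severity or worse (lower number = more severe)."""
    cutoff = SEVERITIES.index(worst_allowed)
    kept = []
    for line in lines:
        decoded = decode_pri(line)
        if decoded and SEVERITIES.index(decoded[1]) <= cutoff:
            kept.append(line)
    return kept


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(decode_pri(line), line[:60])
    print("actionable:", len(actionable(SAMPLE_LINES)))
```

<34> therefore decodes to facility 4 (auth) at severity 2 (Critical), which is why a SIEM filter on “severity 3 or lower” catches it while the <13> Notice line is dropped.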
HTTP Response Codes- 5xx Range
Server-side issue
500- general error
502- bad gateway has occurred when the server is acting as a proxy
503- overloading of server is causing service unavailability
504- gateway timeout which means there’s an issue with the upstream server
A firmware exploit gives an attacker an opportunity to ______
Run any code at the highest level of CPU privilege
HSM
Hardware Security Module
High end cryptographic hardware used in large environments
Provides secured backup storage for keys
Uses cryptographic accelerators to offload CPU overhead from other devices
ROT
Hardware Root of Trust
TPM and HSM fall into this category
Designed to be difficult to change or avoid
What does UEFI do to provide better boot security?
Secure Boot
Measured Boot
Attestation
Secure Boot
UEFI checks booting programs for known-good digital signature, will not run it if they don’t match
Measured Boot
a feature where a log of all boot actions is taken and stored in a trusted platform module for later retrieval and analysis by anti-malware software on a remote server.
Attestation
As part of UEFI, report is digitally signed using TPM’s private key, showing the data presented is valid
Atomic Execution
Certain operations that should only be performed once or not at all, such as initializing a memory location
SoC (not the team)
System-on-Chip
Type of embedded application commonly used in mobile devices which contains integrated CPU, memory, graphics, audio, network, storage controllers, and software on one chip
FPGA
Field Programmable Gate Array
A processor that can be programmed to perform a specific function by a customer rather than at the time of manufacture
The Magic Number
A type of file signature: the first few bytes of a file’s header that identify its true type regardless of the extension (two bytes, MZ, for a Windows executable; four bytes, %PDF, for a PDF; eight for PNG)
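A check that compares a file’s magic number against what its extension claims, as an added example that is not part of the original flashcards. The signature table uses well-known magic values; the sample byte strings and file names are constructed.

```python
# Signature -> type. Constructed table of well-known magic numbers; extend
# it for your environment. Longer signatures are tried first when matching.
MAGICS = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",       # also docx/xlsx/jar/apk containers
    b"%PDF": "pdf",
    b"\x7fELF": "elf",
    b"\xff\xd8\xff": "jpg",
    b"GIF8": "gif",
    b"MZ": "exe",               # any PE image: exe, dll, sys, scr
}

# Extensions that legitimately share a signature with another type.
EXT_ALIASES = {"jpeg": "jpg", "dll": "exe", "sys": "exe", "scr": "exe",
               "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip",
               "apk": "zip", "so": "elf"}


def detect_type(data):
    """Type whose signature is a prefix of data (longest wins); None if unknown."""
    for sig in sorted(MAGICS, key=len, reverse=True):
        if data.startswith(sig):
            return MAGICS[sig]
    return None


def claimed_type(filename):
    """Type the extension claims, normalised through EXT_ALIASES."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXT_ALIASES.get(ext, ext)


def extension_mismatch(filename, data):
    """(claimed, actual, is_mismatch); a .pdf starting with MZ is a disguised executable.

    Types without a signature (plain text) cannot be verified, so they are
    reported as actual=None and not counted as a mismatch.
    """
    claimed = claimed_type(filename)
    actual = detect_type(data)
    return claimed, actual, actual is not None and claimed != actual


# Constructed sample contents (not real files).
SAMPLES = {
    "quarterly.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff",
    "logo.jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "notes.txt": b"plain text has no magic number\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, extension_mismatch(name, data))
```

On a real system read only the first 16 bytes or so of each file before comparing; the whole point of the check is that it is cheap enough to run over every attachment or upload.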
WAF
Web Application Firewall
Designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks
Used to prevent things like injection attacks and XSS
UTC
Coordinated Universal Time
A time standard that is useful when your SIEM is collecting data from logs in multiple time zones
Behavioral Analysis
Network monitoring system that detects changes in normal operating data sequences and identifies abnormal sequences
Generates alerts when there are deviations from a defined tolerance level from a given baseline
(Uses customer data)
Anomaly Analysis
Network monitoring system that uses a baseline of acceptable outcomes or event patterns to identify events that fall outside of the acceptable range
Generates alerts on any event or outcome that doesn’t follow a set pattern or rule.
(Uses prescribed patterns like an RFC or industry standard)
Regex- [ ]
Matches a single instance of a character within
[a-z], [A-Z], [0-9], [a-zA-Z0-9] for alphanumeric characters
Regex- +
Quantifier, matches one or more occurrences
Ex- /apples+/ would match apples and applessss
Regex- *
Matches zero or more occurrences
Ex- /apples*/ would match apples, applessss but also apple
DNS Harvesting
Using OSINT to gather info about a domain, such as subdomains, hosting provider, administrative contacts, etc
Regex- |
The OR logical operator
Regex- ( )
Defines a group
Regex- ^
Will only match at the start of a line when searching
Regex- $
Will only match at the end of a line when searching
Digital Forensics- Live Acquisition of Disk Image and drawbacks
Capturing contents of disk drive while computer is still running
Contents can be changed during acquisition (ex- a user connected remotely is making changes at the same time as the investigator), so the image is not a perfect snapshot
Digital Forensics- Static Acquisition by Shutting Down and drawbacks
Computer shutdown through OS properly and then the disk is acquired
Malware may detect shutdown and perform anti-forensics
What command can be used on Linux systems to create a forensic copy? How is it formatted?
dd command- specify the input file (if=) and output file (of=); add bs= for throughput and conv=noerror,sync so a read error pads the unreadable sector with zeros instead of aborting the image, then hash the image (sha256sum) and record the value for chain of custody
dd if=/dev/sda of=/mnt/flashdrive/evidence.dd bs=4M conv=noerror,sync status=progress
Scalpel
Open source command line tool for file carving that is used as part of The Sleuth Kit
NetFlow
Cisco developed means of reporting network flow information to a structured database
Creates flows and groupings for later review
Provides METADATA not FPC so will not provide a complete record of what happened
Intelligence Cycle
Requirements (Planning and Direction)
Collection and Processing
Analysis
Dissemination
Feedback
(repeat)
Regex- ?
Matches 0 or 1 occurrences
Ex- /apples?/ would match apple or apples but not applessss
UEBA
User and Entity Behavior Analytics
System that can provide automated identification of suspicious activity by user accounts and computer hosts
Compares against baseline data
Heavily reliant on AI or machine learning
Regex- { }
Matches the number of times within the curly braces such as
\d{3} matching 3 digits
\d{7,10} matching 7 to 10 digits (comma, not hyphen, between the bounds)
Four Phases of Digital Forensics
Identification
Collection
Analysis
Reporting
File Carving
Extracting data from a computer when that data has no associated file system metadata (someone tried to delete it)
Attempts to piece together data fragments from slack space to reconstruct deleted files or at least parts of those files
Best practices for securing network appliances
Disable web admin interfaces and use SSH shells for access
Use ACLs to restrict access to designated host devices
Monitor the number of designated interfaces
Deny internet access for remote management (connect to VPN to get on LAN first)
Jitter
Adversary’s use of random delay to try and throw off detecting connection attempt intervals. Used in beaconing to C2 servers
A cybersecurity analyst is working at a college that wants to increase its network’s security by implementing vulnerability scans of centrally managed workstations, student laptops, and faculty laptops. Any proposed solution must scale up and down as new students and faculty use the network. Additionally, the analyst wants to minimize the number of false positives to ensure accuracy in their results. The chosen solution must also be centrally managed through an enterprise console. What scanning topology would be best able to meet these requirements?
Active scanning engine installed on the enterprise console
SNMP Sweep
Scans a range of IP addresses, shows which IP addresses are in use, and provides the following information: DNS name. System Name. Location.
An SNMP sweep is being conducted, but the sweep receives no-response replies from multiple addresses that are believed to belong to active hosts. What does this indicate to a cybersecurity analyst?
This could mean:
The machines are unreachable
The community string being used is invalid
The machines are not running SNMP servers
You analyze a workstation suspected of being involved in an incident and discover several unknown processes running, but netflow analysis reveals no attempted lateral movement to other workstations on the network. Which containment strategy would be most effective to use in this scenario?
Isolate the workstation by disabling the switch port and resetting the user’s credentials
Workstation should be imaged for analysis and then remediated or reimaged
During which incident response phase is the preservation of evidence performed?
Containment, eradication, and recovery
Which of the following is the most difficult to confirm with an external vulnerability scan?
Unpatched web server
CSRF
Blind SQL Injection
XSS
Blind SQL injection
DEP
Data Execution Prevention
Windows built-in memory protection resource
This prevents code from being run in pages that are marked as nonexecutable. DEP, by default, only protects Windows programs and services classified as essential, but it can be used for all programs and services, or all programs and services except the ones on an exception list.
Why is reverse engineering used?
To determine how a piece of malware operates
To allow an attacker to spot vulnerabilities in an executable
To commit industrial espionage
secpol.msc
Security policy auditor in Windows
sc.exe
Service controller
Jorge and Marta are working on a programming project together. During a code review, Marta explains her code to Jorge while looking at the code on her computer. What code review technique is being used?
Over the shoulder
Pair programming
Two developers share one workstation and alternate roles: one types the code while the other reviews it and plans the next step in real time
Reviewing DNS logs, you see output for several domains that look like a random string of characters. What could be happening here?
A domain generation algorithm (DGA) is producing throwaway domains for an attacker’s C2; the infected host tries many generated names until one resolves. DGA domains are often paired with fast flux DNS, where the IP addresses behind a name rotate rapidly.
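A lexical check that flags random-looking domain labels of the kind described above, as an added example that is not part of the original flashcards. It scores each label on length, Shannon entropy and vowel ratio; the thresholds and the sample query names are constructed assumptions.

```python
import math

# Constructed query names (not from the flashcards). The .info and .net names
# stand in for what a domain generation algorithm produces.
SAMPLE_QNAMES = [
    "www.google.com",
    "login.microsoftonline.com",
    "q8zk3vxr0tbw2nyh.info",
    "update.windowsupdate.com",
    "hxkq9wzpl2rmv7bt.net",
]

VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits of entropy per character; 16 distinct characters in 16 scores 4.0."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label, min_len=8, min_entropy=3.5, max_vowel_ratio=0.25):
    """Heuristic for a DGA-style label: long, high entropy and nearly vowel-free.

    Real words repeat letters and contain vowels, so they score lower on both
    axes. Thresholds are assumptions; tune them against your resolver logs.
    """
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def suspicious_domains(qnames):
    """Names where any label left of the TLD looks generated.

    Simplification: the last label is treated as the TLD, so multi-part
    suffixes such as co.uk are not special-cased here.
    """
    flagged = []
    for name in qnames:
        labels = name.lower().rstrip(".").split(".")[:-1]
        if any(looks_random(label) for label in labels):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in SAMPLE_QNAMES:
        second_level = name.split(".")[-2]
        print(f"{name:<28} H={shannon_entropy(second_level):.2f} "
              f"random={looks_random(second_level)}")
```

Entropy alone misfires on legitimate but unusual names (CDN hostnames, hashed asset names), so in practice this score is one input to a rule that also weighs NXDOMAIN rate and domain age.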
You are conducting a quick nmap scan of a target network. You want to conduct an SYN scan, but you don’t have raw socket privileges on your workstation. What should you use instead?
nmap -sT (TCP connect scan)
Cognitive password
a form of knowledge-based authentication that requires a user to answer a question, presumably something they intrinsically know, to verify their identity (high school, pet’s name, etc)
While studying for your CompTIA CySA+ course at Dion Training, you decided to install a SIEM to collect data on your home network and its systems. You do not want to spend any money purchasing a license, so you decide to use an open-source option instead. Which SIEM solution uses an open-source licensing model?
OSSIM
Aymen is creating a procedure for the remediation of vulnerabilities discovered within his organization. He wants to ensure that any vendor patches are tested before deploying them into the production environment. What type of environment should his organization establish?
Staging
tcpdump -e
Includes the ethernet header during packet capture
What utilizes a well-written set of carefully developed and tested scripts to orchestrate runbooks and generate consistent server builds across an enterprise?
Infrastructure as Code
What proprietary tool is used to create forensic disk images without making changes to the original evidence?
FTK Imager
DES
A cipher that is outdated and should not be used for any modern applications
You see the following in a user’s terminal history:
for i in $(seq 255); do ping -c 1 10.1.0.$i; done
What action was performed?
User conducted a ping sweep of the subnet
What protocol is commonly used to collect information about CPU utilization and memory usage from network devices?
SNMP
You are conducting a code review of a program and observe the calculation of 0xffffffff + 1 was attempted, but the result was returned as 0x0000000. Based on this, what type of exploit could be created against this program?
Integer overflow attack
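The Integer overflow card and the 0xffffffff + 1 code-review question above, shown as the bug an attacker actually exploits: a length check performed on a sum that has already wrapped. This is an added example, not from the original flashcards; it emulates C uint32_t arithmetic by masking to 32 bits, and the 4096-byte buffer size is an assumption.

```python
MASK32 = 0xFFFFFFFF        # a C uint32_t keeps only the low 32 bits
BUFFER_SIZE = 4096         # assumed size of the fixed destination buffer


def add_u32(a, b):
    """Unsigned 32-bit addition with wraparound: 0xFFFFFFFF + 1 == 0."""
    return (a + b) & MASK32


def vulnerable_length_check(header_len, body_len):
    """The buggy pattern: bound-check the *sum* after it has already wrapped.

    A huge body_len wraps the 32-bit total to a tiny number, the check passes,
    and a following memcpy(buf, body, body_len) would run far past the buffer,
    turning the integer overflow into a buffer overflow.
    """
    total = add_u32(header_len, body_len)
    return total <= BUFFER_SIZE            # True == "copy allowed"


def safe_length_check(header_len, body_len):
    """Hardened: bound each operand first, so the sum can no longer wrap."""
    if header_len > BUFFER_SIZE or body_len > BUFFER_SIZE:
        return False
    return header_len + body_len <= BUFFER_SIZE


if __name__ == "__main__":
    evil_body = 0xFFFFFFF8                 # 16 + 0xFFFFFFF8 wraps to 8
    print("0xffffffff + 1 ->", hex(add_u32(0xFFFFFFFF, 1)))
    print("vulnerable check lets it through:", vulnerable_length_check(16, evil_body))
    print("hardened check rejects it:", not safe_length_check(16, evil_body))
```

The fix is not “use a bigger integer” but “never trust an arithmetic result you have not bounded the inputs of”; the same pattern applies to count * element_size multiplications before an allocation.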
getfacl
Prints the permissions and ACLs of files and directories; “getfacl -R /srv/data > acls.txt” backs up an entire tree’s permissions to a text file
setfacl
Sets ACLs, and restores the permissions from such a backup with “setfacl --restore=acls.txt”
What technique would best mitigate malware that utilizes a fast flux network for its command and control infrastructure?
Point all internal hosts at a secure recursive DNS resolver that forwards to a third-party protective DNS service, which blocks resolution of known-malicious and newly registered domains before the malware can reach its rotating infrastructure
What kind of information would a French citizen’s race or ethnic origin classify as?
SPI
You have been hired as a cybersecurity analyst for a privately-owned bank. Which regulation would have the greatest impact on your bank’s cybersecurity program?
GLBA
Technical View
Focuses on technologies, settings, and configurations
Operational View
Looks at how a function is performed or what it accomplishes
Logical View
Describes how systems interconnect
SIFT
SANS Investigative Forensics Toolkit
Group of free, open-source incident response and forensic tools designed to perform detailed digital forensic examinations in various settings.
FTK, EnCase, and Helix are _________
COMMERCIALLY AVAILABLE forensics tools
Which nmap scan type is useful for probing firewall rules?
TCP ACK
Whether ports are open or closed, the target is required to respond with an RST packet. Firewalls that block the probe usually make no response or send back an ICMP destination unreachable error. This distinction allows Nmap to report whether the ACK packets are being filtered.
A web developer wants to protect their new web application from an on-path attack. What control would best prevent an attacker from stealing tokens stored in cookies?
Setting the secure attribute on the cookie
When a cookie has the Secure attribute, the user agent includes the cookie in an HTTP request only if it is transmitted over a secure channel (typically HTTPS), so an on-path attacker never sees it in cleartext. Pair it with HttpOnly (injected script cannot read the cookie) and SameSite (limits cross-site sending) for full coverage.
net view
Displays a list of domains, computers, or resources that are being shared by the specified computer. Used without parameters, net view displays a list of computers in your current domain.
Who does a User-Agent request a resource from when conducting a SAML transaction?
Service Provider (SP)
Formal Verification Methods
Use a mathematical model of the inputs and outputs of a system to prove that the system works as specified in all cases.
What two technologies could be used to ensure that users who log in to a network are physically in the same building as the network they are attempting to authenticate on?
GPS Location
NAC
What analysis technique would most likely identify a buffer overflow vulnerability in an application during development?
Static Code Analysis
Deperimeterization
A strategy that strengthens an organization’s security posture by implementing multiple levels of protection, including inherently secure computer systems and protocols, high level encryption, and authentication. Called such since it implies the organization no longer relies on its network perimeter for security.
Essentially instead of walled cities we have a heavier police presence
An attacker has compromised a virtualized server. You are conducting forensic analysis as part of the recovery effort but found that the attacker deleted a virtual machine image as part of their malicious activity. What challenge do you now have to overcome as part of the recovery and remediation efforts?
Deleting the image left its blocks widely fragmented across the host file system, so the VM cannot simply be undeleted; recovery relies on file carving, which is slow and often incomplete for fragmented data
CVSS Attack Vector: A
Adjacent
Attacker must launch the attack from the same shared physical network (such as Bluetooth or Wi-Fi), logical network (such as a local subnet), or limited administrative domain (such as a VPN or MPLS network)
Shawn needs to boot a system to remediate it. The system was compromised by an attack and had a malicious program installed by creating a RunOnce key in the registry. What can Shawn do to boot the computer and prevent the RunOnce from executing the malicious program listed in the registry key?
Boot with Safe Mode
Safe Mode
When booting in Safe Mode, Windows skips the Run and RunOnce keys, so the malicious program is not launched. One exception: a RunOnce value whose name is prefixed with an asterisk (*) runs even in Safe Mode, so inspect the value name before relying on this.
Tripwire
File integrity monitoring program
%3A
Hex-code for :
Hashing algorithms provide ________ while encryption algorithms can ensure ___________
Hashing algorithms provide INTEGRITY while encryption algorithms can ensure CONFIDENTIALITY
Slack Space
Slack space is the space left after a file has been written to a cluster. Slack space may contain remnant data from previous files after the pointer to the files was deleted by a user.
Files that users have deleted are most likely to be found in the _____ or _______
Recycle bin or slack space
Regex .
Wildcard- any single character except newline
Regex \
Escape the next character- only used with metacharacters
Example- to treat a . as a literal period and not as a wildcard you’d write \.
Regex \t
This is how to express a tab in Regex
Regex \n
This is how to express a new line in Regex
Regex- how to negate a character set
Add ^ as the first character inside a character set
Ex- /[^aeiou]/ matches any one consonant
Ex- /see[^mn]/ would match seek, but not seem or seen
Regex \d
Digit, equivalent of [0-9]
Regex \w
Word character, equivalent of [a-zA-Z0-9_]
Regex \s
Whitespace, equivalent of [ \t\n\r\f\v] (space, tab, newline and the other whitespace characters)
Regex \D
Exclude digits [^0-9]
Regex \W
Exclude word characters [^a-zA-Z0-9_]
Regex \S
Exclude whitespace [^ \t\n\r\f\v]
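The regex building blocks from the cards above (character classes, quantifiers, anchors, groups, alternation, negated sets and escapes, plus \d, \w and \s) applied to log lines, as one added example that is not part of the original flashcards. The log lines and the field layout are constructed.

```python
import re

# Constructed application log lines (not from the flashcards).
LOG = """\
Jan 01 10:00:01 web01 app: user=alice src=10.1.2.3 path=/account
Jan 01 10:00:02 web01 app: user=bob src=203.0.113.9 path=/export?cc=4111111111111111
Jan 01 10:00:03 web01 app: user=eve src=198.51.100.7 path=/static/../../etc/passwd
Jan 01 10:00:04 web01 app: user=<script> src=198.51.100.8 path=/login
junk line without the expected fields
"""

# ^ and $ anchor the whole line; \s+ separates fields; [\w.-]+ is a hostname;
# named ( ) groups pull out the pieces we want; {2} and {1,2} fix digit counts.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>[\w.-]+)\s+(?P<proc>\w+):\s+(?P<msg>.*)$"
)

# \. is an escaped literal dot; \b keeps 1.2.3.4 from matching inside 11.2.3.45.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# 13 to 16 consecutive digits, the {n,m} range quantifier: a DLP-style PAN check.
PAN_RE = re.compile(r"\b\d{13,16}\b")

# Alternation inside a group: a literal "../" or its URL-encoded form.
TRAVERSAL_RE = re.compile(r"(?:\.\./|%2e%2e%2f)", re.IGNORECASE)

# Negated set: a user token containing any character that is neither a word
# character nor whitespace, e.g. "<script>".
ODD_USER_RE = re.compile(r"user=(\S*[^\w\s]\S*)")


def parse_line(line):
    """Return the named fields as a dict, or None if the line does not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def extract_ips(text):
    return IPV4_RE.findall(text)


def pan_exposure(text):
    """Lines carrying a 13-16 digit run, a common DLP trigger for card numbers."""
    return [ln for ln in text.splitlines() if PAN_RE.search(ln)]


def traversal_attempts(text):
    return [ln for ln in text.splitlines() if TRAVERSAL_RE.search(ln)]


def odd_usernames(text):
    """User tokens that contain characters a real account name never has."""
    return ODD_USER_RE.findall(text)


if __name__ == "__main__":
    for ln in LOG.splitlines():
        print(parse_line(ln))
    print(extract_ips(LOG))
    print(pan_exposure(LOG))
    print(traversal_attempts(LOG))
    print(odd_usernames(LOG))
```

Note that IPV4_RE accepts 999.999.999.999; it is a field extractor, not a validator, which is the usual trade-off in log parsing where speed matters more than strictness.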
As part of the recon stage of a penetration test, Kumar wants to retrieve info about an organization’s network infrastructure without causing an IPS alert. What is his best course of action?
Perform a DNS brute force: query the organization’s name servers for a wordlist of likely hostnames (www, vpn, mail, dev, etc). These are ordinary DNS lookups, so IPS systems that do not alert on DNS queries typically let them pass.
Your organization’s primary operating system vendor just released a critical patch for your servers. Your system administrators have recently deployed this patch and verified the installation was successful. This critical patch was designed to remediate a vulnerability that can allow a malicious actor to execute code on the server over the Internet remotely. You ran a vulnerability scan of the network and determined that all servers are still being reported as having the vulnerability. You verified all your scan configurations are correct. Why might the scan report still show the servers as vulnerable?
The scan is returning a false positive
The critical patch did not remediate the vulnerability
Data retention policies highlight _____ and _____.
The types of information an organization will maintain
The length of time they will maintain it
According to Lockheed Martin’s white paper “Intel Driven Defense,” what technology could DEGRADE an adversary’s effort during the actions on the objectives phase of the kill chain?
Purposely manipulating service quality to decrease their transfer speeds
You have been asked to review the SIEM event logs for suspected APT activity. You have been given several indicators of compromise, such as a list of domain names and IP addresses. What is the BEST action to take to analyze the suspected APT activity?
Analyze the trends of the events while manually reviewing them to see if any indicators match
What phase of the software development lifecycle is sometimes known as the acceptance, installation, and deployment phase?
Training and transition
What is the default nmap scan type when you do not provide a flag when issuing the command?
A TCP SYN scan, though it substitutes a connect scan if the user does not have proper privileges to send raw packets.
By default, what file contains an Apache server’s logs?
access_log
James is working with the software development team to integrate real-time security reviews into some of their SDLC processes. Which programming methodology would best meet this requirement?
Pair programming, as it utilizes two developers working on one workstation, where one developer reviews the code being written in real-time by the other developer.
Your company is adopting a cloud-first architecture model. Management wants to decommission the on-premises SIEM your analysts use and migrate it to the cloud. What is an issue with using this approach?
If there are legal or regulatory requirements that require the company to host their security audit data on-premises, then moving to the cloud will not be possible without violating applicable laws. For example, some companies must host their data within their national borders, even if migrating to the cloud.
The three phases of the vulnerability management lifecycle
Detection, remediation, testing
An employee contacts the service desk because they cannot open an attachment they received in their email. The service desk agent conducts a screen-sharing session with the user and investigates the issue. The agent notices that the attached file is named Invoice1043.pdf, and a black pop-up window appears and then disappears quickly when the attachment is double-clicked. What most likely caused this?
The attachment is using a double file extension to mask its identity
Where should a forensic analyst search to find a list of the wireless networks that a company-owned laptop has previously connected to?
Search the registry for a complete list
_____ integrate more than one form of attack to accomplish their goal.
Chained exploits
An organization wants to choose an authentication protocol that can be used over an insecure network without implementing additional encryption services. What should they use?
Kerberos
Regex ? when used with a Quantifier
Instructs the quantifier to use a lazy strategy for making choices, i.e., match as little as possible before giving control to the next part of the expression
How would you use the tcpdump command to create a packet capture filter for all traffic going to AND from the server located at 10.10.1.1?
tcpdump -i eth0 host 10.10.1.1
The host option specifies a filter to capture ALL traffic to or from a designated IP address
You are analyzing a Linux server that you suspect has been tampered with by an attacker. You went to the terminal, typed “history” and saw the output:
echo 127.0.0.1 diontraining.com >> /etc/hosts
What actions were performed?
The attacker routed traffic destined for the diontraining.com domain to the localhost
Linux permissions are read as _____, _______, ______ when expressed numerically
Owner, group, other
Linux numerically expressed permissions
Read = 4
Write = 2
Execute = 1
%40
Hex code for @ symbol
When using the netstat command during analysis, what connection status message indicates that an active connection is created between two systems?
ESTABLISHED
What is the default macOS file system for the drive?
HFS+
Hierarchical File System Plus
DKIM
Domain Keys Identified Mail
Provides a cryptographic authentication mechanism that can replace or supplement SPF. Organization uploads a public key as a TXT record in the DNS server
SPF
Sender Policy Framework
Uses a DNS record published by an organization hosting an email service. The SPF record identifies the host authorized to send emails from that domain and there must be only one per domain. SPF does not provide a cryptographic authentication mechanism like DKIM does though.
DMARC
Domain-based Message Authentication, Reporting and Conformance Framework
Can ensure that SPF and DKIM are being utilized effectively. DMARC relies on DKIM for the cryptographic authentication mechanism.
NAC
Network Access Control
An approach to computer security that attempts to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement.
When a remote workstation connects to the network, NAC will place it into a segmented portion of the network, scan it for malware and validate its security controls, and then, based on the results of those scans, either connect it to the company’s networks or place the workstation into a separate quarantined portion of the network for further remediation.
Hybrid password attack
Combining the dictionary and brute force methods into a single tool
nbtstat -c
Shows the contents of the NetBIOS name cache and shows a list of name to IP address mappings
Which sources are most commonly used to gather information about technologies a target organization uses during intelligence gathering?
OSINT searches of support forums and social engineering
Regex ()
Creates a group
(abc) would match abcdefg
(abc)+ would match both abc and abcabcabc
(in)?dependent would match independent and dependent
Data Wiping/Clearing
Occurs by using a software tool to overwrite the data on a hard drive to destroy all electronic data on a hard disk or other media
Which technique would provide the largest increase in security on a network with ICS, SCADA, and IoT devices?
User and entity behavior analytics to establish baseline behavior
Port 515
Print services, listening for incoming connections
Port 631
IPP- Internet Printing Protocol
Port 9100
Printer related
Ports 1433 and 1434
Microsoft SQL
Port 1521
Oracle database
Port 6667
IRC
Port 5900
VNC desktop sharing
Port 3306
MySQL
Port 8443
Common alt port for HTTPS
Ports 1812 and 1813
RADIUS
Ports 544 and 2105
Kerberos
PCI DSS requires that merchants and service providers present clean scan results that show no ____________ in order to maintain compliance.
Critical or high vulnerabilities
Why are banner grabbing scans notorious for resulting in false positive reports?
The only validation they do is check the version number of an operating system or application against a list of known vulnerabilities. This approach is unable to detect any remediation activities that may have taken place that do not alter the version number.
You are conducting the recovery process after your organization experienced a security incident. You plan to apply patches to all systems in the environment. Which systems should be your highest priority for patching?
Systems involved in the incident
The Windows Registry, Master File Tables, and INDX files all contain ______, including _______
Information about files
Removed or deleted files
What does the nmap response “filtered” mean in port scan results?
nmap cannot tell whether the port is open or closed
What is the minimum scanning requirement for environments subject to HIPAA?
No scanning is required, though you should do it anyway
Continuous Scanning
Configuring vulnerability scanner to start a new scan immediately after the prior scan completes
What is the most useful metric for determining the effectiveness of a vulnerability remediation program?
Time to resolve critical vulnerabilities
Shadow Rules
A rule that will never trigger because it is placed beneath a broader rule. Example- rule 1 allows any traffic over the internet to ports 80 or 443. Rule 2 is listed below it and is meant to block any traffic to Blocked hosts but since rules trigger in order, it won’t fire.
Rule 1: allow TCP any (source) any (ports) Internet (destination network) 80, 443 (destination ports)
Rule 2: deny TCP any (source) any (ports) Blocked_Hosts (dest) 80, 443 (dest ports)
After finishing a forensic case, you need to wipe the media that you are using to prepare it for the next case. What method is best suited to preparing the hard drive if you want to be in compliance with NIST SP 800-88?
Zero-write the device
On Linux systems that use the Bash shell, where can you find a log of recently performed actions?
$HOME/.bash_history
During the analysis of an incident on the network you discover that the attacker used a stolen cookie to access a web application. What type of attack most likely occurred?
Session hijacking
During a recon exercise, Mika uses the following command:
nc -v 10.0.2.9 8080
www.example.com [10.0.2.9] 8080 (http-alt) open
GET / HTTP/1.0
What is she doing?
HTTP Banner grabbing using netcat
netcat -z
Used for port scanning when a better port scanning tool is unavailable
Open redirect attack
An open redirect vulnerability occurs when an application allows a user to control a redirect or forward to another URL. If the app does not validate untrusted user input, an attacker could supply a URL that redirects an unsuspecting victim from a legitimate domain to an attacker’s phishing site.
Where in a Linux system can you look to find information on when users were created?
/var/log/auth.log
nmap -P0
Turns off pings
nmap -T
Set scan timing
-T0 “paranoid”
-T1 “sneaky”
A log showing a successful user authentication is classified as what type of occurrence according to NIST?
An event- anything that is an observable occurrence
MISP
Malware Information Sharing Platform
An open source threat information platform used to facilitate the collection and sharing of threat information
OpenCTI
An open source platform allowing organizations to manage their cyber threat intelligence knowledge and observables. It is a platform meant for processing and sharing knowledge for cyber threat intelligence purposes.
Snort
Open source, rule based NIDS/NIPS
Snort rule format
Action, Protocol, Source IP, Source Port, Direction (unidirectional or bidirectional), Destination IP, Destination Port, Options
Snort rule actions
Alert
Log
Drop
Reject
Snort rule protocol options
IP, TCP, UDP and ICMP
To specify other protocols you’d do it by port number
Snort rule Msg field
Quick identifier of the rule that will appear in the console/log. Usually a one liner that summarizes the event.
Snort SID
Snort Rule ID
<100- Reserved rules
100-999,999- rules that come with the build
>=1,000,000- rules created by user
Snort rule reference
Each rule can have additional information or reference to explain the purpose of the rule or threat pattern. That could be a common vulnerabilities and exposures ID or external information. Having references for the rules will always help analysts during the alert and incident investigation.
Snort rule rev
Snort rules can be modified and updated for performance and efficiency reasons. The rev option helps analysts track the version of each rule, making it easy to follow rule improvements.
Snort rule content option
Payload data. It matches specific payload data by ASCII, hex, or both. It is possible to use this option multiple times in a single rule. However, the more you create specific pattern match features, the more it takes time to investigate a packet.
Snort rules- how to disable case sensitivity
Use the nocase option
Snort rules- how to filter SYN, ACK, FIN, etc
Use the flags option. Example for SYN:
alert tcp any any <> any any (msg:"FLAG TEST"; flags:S; sid:1000001; rev:1;)
Snort rules- how to filter by packet payload size
Use the dsize option. Examples:
dsize:100<>300
dsize:>100
dsize:<100
Where are Snort rules that you create stored?
/etc/snort/rules/local.rules
SQL injection is prevented through ___ and ____
input validation
least privilege
Credential Stuffing
Brute force attack where stolen credentials are tested against multiple websites
Directory traversal using percent encoding
%2e%2e%2f is the encoding of ../
Active vulnerability scanning
Scan type that analyzes the responses from probes sent to a target
Consumes network bandwidth and processor resources
Credentialed scanning
Uses a service account and since it can access privileged areas it is more likely to find vulnerabilities
Non-credentialed scanning
Can use default passwords still. Less likely to find vulnerabilities than credentialed
Agent-Based scanning pros and cons
Scanner installed locally. Reduces impact on network, but could be compromised by malware
Passive vulnerability scanning pros and cons
Scan type that analyzes only intercepted network traffic rather than sending probes to a target
Least likely to create impact on network/hosts
Least likely to properly identify vulnerabilities
SDN
Software Defined Networking
APIs and compatible hardware allowing for programmable network appliances and systems
Create more complex networks due to size, scope, and ability to rapidly change
802.1x
Standard for encapsulating EAP communications over a LAN or WLAN and that provides port-based authentication
nmap -sN
Null scan
Conducts a scan by sending a packet with the header bit set to zero
Most IDS/IPS will flag this as malicious
nmap sparse scan
--scan-delay <time>
Issues probes with significant delays to become stealthier and avoid detection by an IDS or IPS
nmap -sL
List scan
Lists the IP addresses from a target range and performs a reverse DNS query to discover any host names associated with them
Reconstitution
Method of restoring a system that cannot be sanitized using manual removal, reinstallation, and monitoring processes
Pulling out exact, small bits of data, like performing surgery with a scalpel
nmap -sU
UDP scan
Sends a UDP packet to a target and waits for a response or timeout
nmap -sX
Christmas Tree Scan
Conducts scan by sending packet with FIN, PSH and URG flags set to one
Lights up IDS “like a Christmas Tree” and is really just a way of seeing if blue team is paying attention
nmap -sF
Sends unexpected FIN packet
Most IDS/IPS will flag as malicious
nmap -sT
TCP connect, conducts full three-way handshake
This is the default if you don’t have root or admin privileges
nmap -oG
Save output to a greppable format
nmap -oX
Save output to XML file
nmap -oN
Save output normally
SLE
Single loss expectancy
Asset Value x Exposure Factor = SLE
50,000 x 0.05 (20% likelihood) = $2500
WMIC
Windows Management Instrumentation Command-Line
Program used to review log files on a remote Windows machine, provide users with a terminal interface, and enable admins to run scripts to manage machines remotely
Windows Performance Monitor
Provides a live view of memory usage per running application or service.
resmon
A Windows tool to both see real-time data and graph it over time
Binary Diffing
Looks at multiple potentially related binaries that have had anti-reverse engineering tools run on them and looks for similarities, helping the tool identify malware families despite the protections that malware authors apply.
How is integrated intelligence most commonly used in a firewall system?
Threat intelligence is used to provide IP information for rules.
What does execution of wmic.exe, PowerShell.exe, or winrm.vbs most likely indicate if you discover one or more was run on a typical end user’s workstation?
Remote execution of code
While monitoring a SIEM, you notice that all of the log sources from your organization’s New York branch have stopped reporting for the past 24 hours. What type of detection rules or alerts should you configure to make sure you are aware of this sooner next time?
Availability rules or alerts
Where can you find sudo events on Linux systems?
/var/log/auth.log
What type of information can you determine from Tripwire logs on a Linux system if it is configured to monitor a directory?
If files in the directory have changed
If you want to validate the application files you’ve downloaded from a vendor, what information should you request from them?
MD5 Hash
If you want to run John the Ripper against a Linux system’s passwords, what do you need to attempt password recovery on the system?
Both /etc/passwd and /etc/shadow
AccessEnum
Sysinternals tool. GUI based, gives a full view of file system and registry settings and can display either files with permissions that are less restrictive than the parent or any files with permissions that differ from the parent
AccessChk
A command line program that can check the rights a user or group has to resources
What type of segmentation is where you place untrusted systems that want to connect to the network into the guest network segment?
Proactive network segmentation
If your company is required to be compliant with PCI DSS, and it experiences a card data breach, what type of disclosure will they be required to provide?
Notification to their acquiring bank
What should you do to restore systems after a long term APT compromise?
Rebuild and patch the system using original installation media and application software using your organization’s build documentation
What steps should you take before sending a drive containing a forensic image?
Encrypt the raw file and transfer a hash and key under separate cover
Purpose Limitation
Ensuring that information is used only for disclosed purposes
Why should you not use ARP tables to enumerate hosts? What should you use instead?
This is a difficult method and prone to error.
Better methods include use of asset management tool, running a discovery scan, or using results of other recent scans.
You are configuring vulnerability scanning for a new web server that your organization is deploying on its DMZ Network. The server hosts the company’s public website. What type of scanning should you configure for best results?
Internal and external scanning
Port 389
LDAP
Ports 137 and 139
NetBIOS
Fagan Inspection
Highly formalized, rigorous code review process that involves six phases
During which SDLC phase is security architecture completed?
Design
Disposition
SDLC phase that is designed to ensure that data is properly purged at the end of an application life cycle
What is typically the final testing done before code is released to production?
UAT- User acceptance testing
You want to prevent email impersonation of individuals inside your company. What technology can help prevent this?
DMARC
While SPF and DKIM each help, DMARC combines them: SPF limits trusted senders to a known list and DKIM proves that the sending domain is genuine. Together they prevent email impersonation, provided that the receiving organizations also enforce DMARC.
You want to determine whether other Windows systems on your network are infected with the same malware package that you discovered on the workstation you are analyzing. You have removed the system from the network by unplugging its network cable, as required by corporate policy. You know that the system has previously exhibited beaconing behavior and want to use that behavior to identify other infected systems. How can you safely create a fingerprint for this beaconing without modifying the infected system?
Plug the system into an isolated switch and use a span port or tap and Wireshark / tcpdump to capture traffic.
Senior management at the company that you work for is concerned about rogue devices on the network. If you want to identify rogue devices on your wired network, what solution will quickly provide the most accurate information?
Router and switch-based MAC address reporting
John the Ripper’s incremental mode
Most powerful mode, it will try all possible character combinations as defined by the settings you enter at the start
During a forensic investigation, you discover that you need to capture a virtual machine that is part of the critical operations of your company’s website. If you cannot suspend or shut down the machine for business reasons, what imaging process should you follow?
Copy the virtual disk files and then use a memory capture tool.
Signal
Designed for secure end-to-end messaging.
Using a distinct messaging tool for incident response can be helpful to ensure that staff separates incident communication from day-to-day operations.
What is the default macOS drive format?
APFS
Eraser
A tool used to securely wipe files and drives.
If Eraser is not typically installed on your organization’s machines, you should expect that the individual being investigated has engaged in some anti-forensic activities, including wiping files that may have been downloaded or used against company policy.
COBIT
Control Objectives for Information and Related Technologies. Consists of four domains:
Plan and Organize
Acquire and Implement
Deliver and Support
Monitor and Evaluate
What is the current ISO standard governing cybersecurity requirements?
ISO 27001
Exposure factor
Percentage of asset expected to be impacted if the risk materializes
What is the minimum password length required by PCI DSS?
7 characters
PCI DSS requires that networks be scanned __________
Quarterly or after any significant change in the network
You have been asked to deploy a secure wireless network in parallel with a public wireless network inside your organization’s buildings. What type of segmentation should you implement to do so without adding additional costs and complexity?
Logical segmentation
FIPS 140
US government standard for information processing, and FIPS 140-2 is used to approve cryptographic modules
OpenFlow
Used to allow software defined network controllers to push changes to switches and routers, allowing flow control, network traffic partitioning, and testing of applications and configurations.
Packers
Tools that self-extract when run, making the code harder to reverse engineer
Crypters
Use actual encryption or simply obfuscate the code, making it harder to interpret or read
Protectors
Software that is intended to prevent reverse engineering and often includes packing and encryption techniques as well as other protective technologies
DGA
Domain Generation Algorithm
Creates procedurally generated domain names for malware command and control hosts
What are the two most commonly used methods for preventing Linux buffer overflow attacks?
ASLR and the NX bit
What Linux command is best suited to determine if an attacker has modified a Linux executable using static libraries?
file, which shows a file’s format, encoding, what libraries it is linked to, and file type
What tool will provide the fastest results in most circumstances when cracking passwords from a Windows system?
Ophcrack, which uses a rainbow table
What type of acquisition is when you only collect specific files of interest?
Logical acquisition
You want to access Chrome logs as part of a forensic investigation. What format is information about cookies, history, and saved form-fill information saved in?
SQLite
What Windows utility can be used to get the MD5 Hash of a file?
certutil
certutil -hashfile [file location] md5
A sudden resumption of traffic headed “in” after sitting at zero likely indicates ____
A network link or route has been repaired
What framework best helps organizations design IT processes that fit together seamlessly?
ITIL
What is the key difference between virtualization and containerization?
Virtualization lets you run multiple operating systems on a single physical system, whereas containerization lets you run multiple applications on the same system.
Facebook Connect, CAS, Shibboleth, and ADFS are all examples of what?
Single sign on implementations
phpinfo file
A testing file often used by web developers during the initial configuration of a server.
Best practice is to remove this file before the server is moved into production or made publicly accessible.
Linux NX bit
Stands for no execute, used to mark certain areas of memory as non executable