Domain 4 Flashcards

1
Q

What commands display the route a packet takes to a destination, recording the number of hops along the way
These are excellent tools to use to see where a packet may get hung up during transmission

A

tracert and traceroute

2
Q

If you want to query a DNS server, you can use this command on Windows or this command on Linux. You can query for individual DNS records

A

nslookup/dig

3
Q

To obtain the network information about a host, you can use this command on Windows or the same command on Linux

A

ipconfig/ifconfig

4
Q

What is an open-source security scanner? You can use it to scan hosts for vulnerabilities, scan for open ports, or fingerprint remote hosts to find out which operating systems they run
This tool is very useful for analyzing an environment

A

Nmap

5
Q

This command is used to test connectivity between systems
This command is a multi-platform utility, originally written for UNIX, that uses ICMP to communicate with remote hosts

A

ping/pathping

6
Q

What is a TCP/IP packet creation tool that allows a user to craft raw IP, TCP, UDP, and ICMP packets from scratch? This tool provides a means of performing a wide range of network operations; anything that you can do with those protocols can be crafted into a packet

A

Hping

7
Q

The ____ command enables you to look at the current network communications on a host. You can use it to look for listening ports and established connections

A

Netstat

8
Q

What is the network utility designed for Linux environments? What is a network tool that can be used to perform network troubleshooting, explore networks, or scan for open ports?

A

Netcat

9
Q

What scans IP networks and can report on the status of IP addresses?
There are a wide range of free and commercial scanning tools

A

IP scanners

10
Q

The ___ command is used to display the ____ table on a host

It can also be used to delete ARP entries in a table

A

Arp

11
Q

What command works in Linux and Windows systems to provide information on current routing parameters and to manipulate these parameters? In addition to listing the current routing table, it has the ability to modify the table

A

Route

12
Q

What is a tool designed to transfer data to or from a server, without user interaction
It works on both Linux and Windows systems

A

Curl

13
Q

What is a Python-based program designed to assist penetration testers in the gathering of information during the reconnaissance portion of a penetration test? This is a useful tool for exploring what is publicly available about your organization on the Web

A

theHarvester

14
Q

What is a Linux-based tool used by penetration testers? What is the automated scanner designed to collect a large amount of information while scanning for vulnerabilities?

A

Sn1per

15
Q

What is a command-line utility to interface with websites that can perform port scans as part of a penetration test? When you use this tool, the source IP address for the scan is the website, not your testing machine

A

Scanless

16
Q

What is a Perl script designed to enumerate DNS information? This will enumerate DNS entries, including subdomains, MX records, and IP addresses
DNS enumeration can be used to collect information such as user names and IP addresses of targeted systems

A

Dnsenum

17
Q

What is one of the leading vulnerability scanners in the marketplace? It comes in a free version, with limited IP address capability, and fully functional commercial versions. What is designed to perform a wide range of testing on a system?

A

Nessus

18
Q

What is a sandbox used for malware analysis? What is designed to allow a means of testing a suspicious file and determining what it does? It is open source, free software that can run on Linux and Windows

A

Cuckoo

19
Q

What is a utility designed to return the first lines of a file? A common option is the number of lines one wishes to return

A

Head

20
Q

What is a utility designed to return the last lines of a file
A common option is the number of lines one wishes to return

A

Tail

21
Q

What is a Linux command, short for concatenate, that can be used to create and manipulate files

A

Cat

22
Q

What is a Linux utility that can perform pattern-matching searches on file contents

A

Grep

23
Q

What is the Linux command used to change access permissions of a file?
The general form of the command is chmod <options> <permissions> <filename>

A

Chmod

24
Q

The Linux command logger is how you can add log file information to /var/log/syslog
The ______ command works from the command line, from scripts, or from other files, thus providing a versatile means of making log entries

A

Logger

25
What is a cryptographically secured means of communicating and managing a network? This uses port 22 and is the secure replacement for Telnet
SSH
26
What is a Microsoft Windows-based task automation and configuration management framework, consisting of a command-line shell and scripting language? This is a powerful command-line scripting interface. These files use the .ps1 file extension
PowerShell
27
This is a computer language commonly used for scripting and data analysis tasks facing system administrators and security personnel. This is a general-purpose computer programming language that uses the file extension
Python
28
What is a general-purpose cryptography library that offers a wide range of cryptographic functions on Windows and Linux systems? Designed to be a full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, it provides so much more for real-world daily challenges
OpenSSL
29
What is the name for both a tool and a suite of tools? As a suite, this is a group of free, open source utilities for editing and replaying previously captured network traffic. As a tool, it specifically replays a PCAP file on a network
Tcpreplay
30
This utility is designed to analyze network packets either from a network connection or a recorded file. You also can use this to create files of packet captures, called PCAP files, and perform filtering between input and output, making it a valuable tool to lessen data loads on other tools
Tcpdump
31
What is the gold standard for graphical analysis of network protocols? With dissectors that allow the analysis of virtually any network protocol, this tool can allow you to examine individual packets, monitor conversations, carve out files, and more
Wireshark
32
What is the use of specific methods to determine who did what on a system at a specific time, or some variant of this question? Computers have a wide range of artifacts that can be analyzed to make these determinations
Forensics
33
What is a Linux command-line utility used to convert and copy files? On Linux systems, virtually everything is represented in storage as a file, and this can read and/or write from/to these files, provided that function is implemented in the respective drivers
Data Dump dd
34
This program dumps system memory to the standard output stream, skipping over any holes in memory maps. By default, the program dumps the contents of physical memory (/dev/mem). The output from this is in the form of a raw dump
Memdump
35
What is a hexadecimal file editor? This tool is very useful in forensically investigating files, and can examine specific application files without invoking the application and changing the data
WinHex
36
What is the company AccessData’s answer to dd? This is a commercial program, free for use, and is designed to capture an image of a hard drive (or other device) in a forensic fashion
FTK imager
37
This is the open source answer for digital forensic tool suites. It runs on Windows and offers a comprehensive set of tools that can enable network-based collaboration and automated, intuitive workflows
Autopsy
38
What are toolsets designed to assist hackers in the tasks associated with exploiting vulnerabilities in a system? These frameworks are important because the exploitation path typically involves multiple steps, all done in precise order on a system to gain meaningful effect
Exploitation frameworks
39
What is a tool that tries to obtain access credentials without authorization? These work using dictionary lists and brute force
password cracker
40
These are tools used to destroy, purge, or otherwise identify for destruction specific types of data on systems. Before a system can be retired and disposed of, you need to sanitize the data
Data sanitization
41
This describes the steps an organization performs in response to any situation determined to be abnormal in the operation of a computer system or network
Incident response plans
42
What is the set of actions security personnel perform in response to a wide range of triggering events?
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons learned
Incident response process
43
What is the phase of incident response that occurs before a specific incident? This includes all the tasks needed to be organized and ready to respond to an incident
Preparation
44
What is the process where a team member suspects that a problem is bigger than an isolated incident and notifies the incident response team for further investigation? An incident is defined as a situation that departs from normal, routine operations
Identification
45
What is the set of actions taken to constrain the incident to a minimal number of machines? This preserves as much of production as possible and ultimately makes handling the incident easier
Containment
46
What involves removing the problem, and in today’s complex system environment, may mean rebuilding a clean machine? A key part of operational eradication is the prevention of reinfection
Eradication
47
What is the process of returning the asset into the business function and restoring normal business operations? The recovery process includes the steps necessary to return the system and applications to operational status
Recovery
48
What phase serves two distinct purposes? The first is to document what went wrong and allowed the incident to occur in the first place. The second is to examine the incident response process itself
Lessons learned
49
What exercise is one that is designed for the participants to walk through all the steps of a process, ensuring all elements are covered and that the plan does not forget a key dataset or person? This is typically a fairly high-level review, designed to uncover missing or poorly covered elements
tabletop
50
How do you examine the actual steps that take place associated with a process, procedure, or event? These are in essence a second set of eyes, where one party either explains or demonstrates the steps to perform a task while a second person observes
Walkthroughs
51
What is an approximation of the operation of a process or system that is designed to represent the actual system operations over a period of time? The simulation can be used in place of systems or elements that are not practical to replicate during an exercise
Simulations
52
What framework is a knowledge base of various real-world observations and attack techniques? It is often used by organizations for threat modeling
MITRE ATT&CK
53
What is a cognitive model used by the threat intelligence community to describe a specific event? The Diamond Model enables intrusion analysis by placing malicious activity at four points of the diamond: adversary, infrastructure, capability, and victim
The Diamond Model of Intrusion Analysis
54
Developed by Lockheed Martin, what is a framework used to defend against the chain of events an attacker takes, from the beginning of an attack to the end of an attack? This model has a series of distinct steps that an attacker uses during a cyberattack—from the early reconnaissance stages to the exfiltration of data
Cyber Kill Chain
55
What is described here? Having a management process, including defined personnel roles and responsibilities, is essential for the management of the stakeholders and their relationships during incidents
Stakeholder management
56
What, as part of the incident response effort, answers the preceding questions and defines responsibilities for communication, and is a key element to be developed during the preparation phase?
communication plan
57
What is critical for effective disaster recovery efforts? This defines the data and resources necessary and the steps required to restore critical organizational processes
A disaster recovery plan
58
What is a long-term strategy to ensure the business will continue to operate (critical business functions/services) before, during, and after a disaster is experienced? The focus of this is the continued operation of the essential elements of the business or organization
Business continuity plan (BCP)
59
What is designed in order to maintain operations during a disaster? The overall goal of this is to determine which subset of normal operations needs to be continued during periods of disruption
Continuity of operations planning / Continuity of Operations Plan (COOP)
60
What is composed of the personnel who are designated to respond to an incident? The incident response plan should identify the membership and backup members, prior to an incident occurring
The cyber incident response team (CIRT)
61
Data retention is the storage of data records. One of the first steps in understanding data retention in an organization is the determination of what records require storage and for how long
Retention policies
62
A vulnerability report provides you information on what is visible on your network, authorized or not
Vulnerability scan output
63
What allows you to identify, visualize, and monitor trends via alerts within a dashboard view
SIEM dashboards (security information and event management)
64
What are the devices that provide security data that is important for investigators? Sensor placement begins with defining collection objectives
Sensors
65
What is the quality of being quick to detect or respond to slight changes, signals, or influences? As the purpose of a SIEM system is to alert operators to changes that indicate significant events, sensitivity to those events is important
Sensitivity
66
What are a series of data points that indicate a change over time? They can be increasing, decreasing, cyclical, or related to variability. What is important is that this indicates some form of change
Trends
67
What is the primary method of communication between the SIEM system and operators? When conditions meet the rule requirements, the SIEM system can send this
Alerts
68
This is the process of establishing a relationship between two variables. SIEM event ________ logs are extremely useful because they can be used to identify malicious activity across a plethora of network devices and programs
Correlation
69
What are a primary source of information during an investigation? Software can record a wide range of information in these as it is operating
Log files
70
What are filled with equipment that can provide valuable log information? Firewalls, routers, load balancers, and switches can provide a wealth of information as to what is happening on the network
Network
71
These logs can provide a very detailed history of what actions were performed on a system. Login records that indicate failed logins can be important, but so can entries that show login success
System
72
What logs are generated by the applications themselves as they run? Some applications provide extensive logging; others minimal or even no logging
Application
73
What logs are kept by the OS for metadata associated with security operations? The driving force for what needs to be recorded is the system’s audit policy, a statement about what records need to be
Security
74
What servers respond to specific, formatted requests for resources with responses, whether in the form of a web page or an error, and all of this activity can be logged?
Web
75
What logs, when enabled, can contain a record for every query and response? This can be a treasure trove of information for an investigator because it can reveal malware calling out to its command-and-control server, or data transfers to non-company locations
DNS
76
What logs contain information about successful and failed authentication attempts? The most common source of authentication log information comes from the system’s security logs, but additional sources exist as well
Authentication
77
What are copies of what was in memory at a point in time—typically a point when some failure occurred? Dump files can be created by the operating system (OS) when the OS crashes, and these files can be analyzed to determine the cause of the crash
Dump files
78
What call manager applications enable a wide range of audio and video communication services over the Internet? These systems can log a variety of data, including call information such as the number called (to and from), time of the call, and duration of the call
VoIP and call managers
79
What is a text-based protocol used for signaling voice, video, and messaging applications over IP? SIP provides information for initiating, maintaining, and terminating real-time sessions
Session Initiation Protocol (SIP)
80
What stands for System Logging Protocol and is a standard protocol used in Linux systems to send system log or event messages to a specific server, called a syslog server
Syslogs
81
What is the command that is used to view logs created through the systemd-journald service? When systemd creates log files, it does so through the systemd- service
Journald
82
What two tools both extend the original syslog standard by adding capabilities such as content filtering, log enrichment, and correlation of data elements into higher-level events?
Rsyslog and syslog-ng
83
What is a multiplatform log management tool designed to assist in the use of log data during investigations? This tool suite is capable of handling syslog-type data as well as other log formats
NXLog
84
What are utilities designed to measure network bandwidth utilization over time? Bandwidth monitors can provide information as to how much bandwidth is being utilized, by service type, and how much remains
Bandwidth monitors
85
What is data about data? A file entry on a storage system has the file contents plus metadata, including the filename; creation, access, and update timestamps; size; and more. Digital data contains metadata, and correlating metadata is a part of almost every investigation
Metadata
86
What metadata is in the header of the e-mail and includes routing information, the sender, receiver, timestamps, subject, and other information associated with the delivery of the message? E-mail header data can be important in investigations
Email
87
What devices generate, store, and transmit metadata? Common fields include when a call or text was made, whether it was an incoming or outgoing transmission, the duration of the call or the text message’s length (in characters), and the phone numbers of the senders and recipients
Mobile
88
What browsers store different metadata covering what pages were accessed and when? Browser metadata is a commonly used source of forensic information, because entries of what and when a browser has accessed data can be important
Web
89
What metadata comes in two flavors: system and application? The file system uses metadata to keep track of the filename as well as the timestamps associated with last access, creation, and last write
File
90
What is a proprietary standard from Cisco? Flow data is generated by the network devices themselves, including routers and switches
NetFlow
91
Both NetFlow and sFlow collect packets from routers and switches. This is used primarily for traffic management
sFlow
92
What is a protocol that is the answer to the proprietary Cisco NetFlow standard? It is based on NetFlow version 9 and is highly configurable using a series of templates
Internet Protocol Flow Information Export (IPFIX)
93
What (also known as a packet sniffer, network analyzer, or network sniffer) is a piece of software or an integrated software/hardware system that can capture and decode network traffic?
Protocol analyzer
94
This application approved list consists of a list of allowed applications. If an application is not on the allowed list, it is blocked
Application approved
95
The use of an application block or deny list is essentially noting which applications should not be allowed to run on the machine. This is basically a permanent “ignore” or “call block” type of capability
Application blocklist/deny list
96
What is it to render an item disabled but not permanently removed from the system? There are a variety of mechanisms to do this, but the end result is the same: a quarantine option gives the user the opportunity to undo the disablement
Quarantine
97
Protecting a system from configuration changes is essential to secure the system in the specific configuration that the implementation intended
Configuration changes
98
What have directionality; there are inbound and outbound rules? Inbound rules protect a machine from incoming traffic. Outbound rules can also protect against sending data (including requests) to unauthorized or dangerous places
Firewall rules
99
What is a collective set of commonly employed protection elements associated with mobile devices
Mobile device management (MDM)
100
What refers to technology employed to detect and prevent transfers of data across an enterprise? Employed at key locations, DLP technology can scan packets for specific data patterns
Data loss prevention (DLP)
101
What are used to limit specific types of content across the Web to users? A common use is to block sites that are not work related, and to limit items such as Google searches and other methods of accessing content determined to be inappropriate
Content filter/URL filter
102
Certificates remain valid for a specific duration of time. When a certificate is about to expire, it should be renewed if needed
Update or revoke certificates
103
What is the use of networking protocols and resultant connectivity to limit access to different parts of a network? This limit can be partial or it can be complete, as offered by an air gap, and this method of separation is used to enforce different trust boundaries
Isolation
104
What is the act of performing specific actions that limit the damage potential of an incident, keeping the damage limited, and preventing further damage?
Authentications
105
What, as applied to networking security, is a broad term? VLANs, firewalls, and even storage segmentation and containerization can be used for segmentation purposes
Segmentation
106
What systems are extremely valuable when it comes to incident mitigation of severe threats because they can automate data gathering and initiate threat response
SOAR
107
What consists of a series of action-based conditional steps to perform specific actions associated with security automation? A runbook typically focuses on technical aspects of computer systems or network
Runbooks
108
What is a set of approved steps and actions required to successfully respond to a specific incident or threat? This is more comprehensive than a runbook and has more of a people/general business focus
Playbooks
109
What is the process by which you properly preserve any and all digital evidence related to a potential case? Once an organization receives this notice, it is required to maintain a complete set of unaltered data, including metadata, of any and all information related to the issue causing the legal hold
Legal hold
110
What allows high-bandwidth data collection that can show what was connected to what, how things were laid out, desktops, and so forth?
Video
111
Admissibility: For evidence to be credible, especially if it will be used in court proceedings or in corporate disciplinary actions that could be challenged legally, it must meet three standards:
• ________ evidence - The evidence must be convincing or measure up without question
• ________ evidence - The evidence must be legally qualified and reliable
• ________ evidence - The evidence must be material to the case or have a bearing on the matter at hand
Admissibility: 1. Sufficient evidence 2. Competent evidence 3. Relevant evidence
112
What shows who obtained the evidence, when and where it was obtained, where it was stored, and who had control or possession of the evidence for the entire time since the evidence was obtained
Chain of custody
113
What refers to the specifics, including the metadata to document it, demonstrating the sequence of events as recorded by the computer? The sequence can be very important because it provides key clues as to what actually happened, even when there is not a direct artifact
Timelines of sequence
114
What are metadata entries associated with artifacts in a computer system? While a log entry may have one of these, some items can have multiple, stored in multiple locations
Time Stamps
115
What is the difference in time between the system clock and the actual time? Computers keep their own internal time, but to minimize record time offset, most computers sync their time over the Internet with an official time source
Time offset
116
Physical serialized tags are attached to each evidence item, and the tag number is used to identify a specific item. Frequently the evidence items are then stored in anti-static bags to protect them from damage
Tags
117
What are the official descriptions of the forensic data? Reports can have a variety of elements—from pure descriptive information, such as machine/device identifiers (make, model and serial number), to information on the data, including size and hash values
Report
118
When you have an idea of what information you will want to be able to examine, you can make an active logging plan that ensures the information is logged when it occurs
Event logs
119
Witness preparation for these can be critical in a case, even for technical experts
Interviews
120
What refers to the collection of information that may be evidence in an investigation? Evidence consists of the documents, verbal statements, and material objects admissible in a court of law
Acquisition
121
Following is the order of volatility of digital information in a system:
1. CPU, cache, and register contents (collect first)
2. Routing tables, ARP cache, process tables, kernel statistics
3. Live network connections and data flows
4. Memory (RAM)
5. Temporary file system/swap space
6. Data on hard disk
7. Remotely logged data
8. Data stored on archival media/backups (collect last)
Order of volatility
122
A physical hard disk drive (HDD) will persist data longer than a solid state drive (SSD). Some of the key elements are the use of write blockers when making forensic copies and protecting media from environmental change factors
Disk
123
What is the working memory of the computer that handles the current data and programs being processed by the CPU? This memory, once limited to a single megabyte, now commonly consists of 4 GB or more
Random-access memory (RAM)
124
The swap or pagefile is a structure on a system’s disk to provide temporary storage for memory needs that exceed a system’s RAM capacity. The operating system has provisions to manage the RAM and pagefile, keeping in RAM what is immediately needed and moving excess to the pagefile when RAM is full
Swap/pagefile
125
What is the source of many forensic artifacts, most of which are created to enhance system responsiveness to user requests? The two major OSs, Microsoft Windows and Linux, perform basically the same tasks: they enable applications to perform on a system
OS
126
One of the most common acquisitions is USB storage devices. These are used to transport files between machines and are common in any case where the removal of information is suspected
Device
127
What is a set of software that is associated with a physical device? It can be of interest in a forensics investigation when the malfunctioning of a device is an issue, as malware has targeted the firmware
Firmware
128
This, as you can easily guess, is a picture of a particular moment in time. Snapshots are common in virtual machines, providing a point in time to which the machine can be recovered
Snapshot
129
What are temporary storage locations for commonly used items and are designed to speed up processing? They exist all over in computer systems and are performance-enhancing items
Cache
130
There can be a lot of useful information in the logs associated with network infrastructure. The level and breadth of this information is determined by the scope of the investigation
Network
131
What is the key element in modern digital forensics? Most of the items used to demonstrate a specific action as occurring fall into one of two categories: metadata or OS
Artifacts
132
The issue associated with this, with respect to forensics, is one dominated by access
Premises Vs Cloud
133
What clause is a critical requirement of any service level agreement, and its specificity needs to match the operational and regulatory scope of the cloud engagement?
Right-to-audit clauses
134
Whether on premises or in the cloud, there will be cases where regulatory or law enforcement actions raise jurisdictional issues. It is important to consult with the company’s legal counsel to understand the ramifications of data location with respect to forensics and subsequent data use
Regulatory/jurisdiction
135
Many forensic investigations are related to the theft of intellectual property, and many times that is also a breach of data protected under privacy laws
Data breach notification laws
136
If a subsequent hash created on the same data stream results in a different hash value, it usually means that the data stream was changed
Hashing
137
This value is a small piece of data derived from the data being protected. The primary purpose of this is to validate the authenticity of data (for example, that it hasn’t changed)
Checksums
138
What is a reference to the origin of data? In the case of digital forensics, it is not enough to present a specific data element as “proof”; one must also show where it came from
Provenance
139
What is the term used for the document and data production requirements as part of legal discovery in civil litigation
E-discovery
140
What, in a digital forensics sense, is associated with determining the relevant information for the issue at hand—simply stated, recovering the evidence associated with an act?
Data Recovery
141
What is a characteristic that refers to the inability to deny an action has taken place? This can be a very important issue in transactions via computers that involve money or things of value
Non-Repudiation
142
What gathering is the use of all resources to make determinations? This can make a large difference in whether or not a firm is prepared for threats
Strategic intelligence/counterintelligence