Midterm Flashcards

1
Q

confidentiality

A

Ensuring that only those who are authorized have access to specific assets and that those who are unauthorized are actively prevented from obtaining access

2
Q

Integrity

A

Ensuring that data have not been tampered with and, therefore, can be trusted. It is correct, authentic, and reliable

3
Q

Availability

A

Ensuring that authorized users have timely, reliable access to resources when they are needed - networks, systems, and applications are up and running

4
Q

Cyber Hygiene

A

Patch your systems regularly

5
Q

Non-repudiation

A

Only installed signed software updates

6
Q

Data Integrity

A

Source code changes virtually undetectable

7
Q

5 pillars of cybersecurity

A
  1. governance
  2. secure systems engineering
  3. tools development
  4. OCO/DCO
  5. Test and Eval
8
Q

what is governance

A
policy
regulations/compliance
standards (NIST, IEEE)
norms/conventions
audits
procedures
leadership 
oversight
best practices
9
Q

2 roles of CISO

A

King/Queen of NO

Empowered CISO

10
Q

king/queen of NO

A

success = compliance
automatic response is NO
primary focus is preventing liability in the event of a breach
wraps self in a blanket of policy documentation

11
Q

Empowered CISO

A

Leans in to address risk
collaborates with the team to seek a solution
primary focus is enabling the business/mission

12
Q

governance best practice:

least privilege

A

The principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function

13
Q

governance best practice:

2 person integrity

A

Requirement for multiple people to authenticate in order to perform certain administrative tasks

14
Q

governance best practice:

network separation

A

Separation of network into separate mini-networks/segments with distinct security boundaries and protection profiles to limit ability to “pivot” from entry point

15
Q

governance best practice:

enclave

A

A set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter.

16
Q

Discussion: Where in the waterfall does cybersecurity usually enter in the system?

A

usually in realization: solution validation, right before delivery

17
Q

Discussion: Where SHOULD cybersecurity enter the system?

A

Operational need (before requirements)

18
Q

Systems security engineering

A

A specialty engineering discipline of systems engineering
Applies scientific, mathematical, engineering, and measurement principles, concepts, and methods to coordinate, orchestrate, and direct the activities of various security engineering and other contributing engineering specialties

19
Q

offensive cyber operations (OCO)

A

Cyberspace operations intended to project power by the application of force in or through cyberspace.

20
Q

Defensive Cyber Operations (DCO)

A

Passive and active cyberspace operations intended to preserve the ability to utilize friendly cyberspace capabilities and protect data, networks, net-centric capabilities, and other designated systems

21
Q

Continuity of Operations Plan (COOP)

A

A predetermined set of instructions or procedures that describe how an organization’s mission-essential functions will be sustained within 12 hours and for up to 30 days as a result of a disaster event before returning to normal operations.

22
Q

1-10-60 Challenge

A

Combating sophisticated adversaries requires a mature process that can prevent, detect and respond to threats with speed and agility.
To effectively combat sophisticated cyberthreats:
Detect intrusions in under one minute.
Investigate and understand threats in under 10 minutes.
Contain and eliminate the adversary from the environment in under 60 minutes.

23
Q

Advanced Persistent Threat

A

An Advanced Persistent Threat (APT) attack uses continuous, clandestine, and sophisticated hacking techniques to gain access to a system and remain inside for a prolonged period of time, with potentially destructive consequences.

24
Q

Modeling the APT Attack

A
Five Stages of an Evolving APT Attack
Gain Access
Establish a Foothold
Deepen Access
Move Laterally
Look, Learn, and Remain
25
Q

APT: Gain Access

A

Like a burglar forcing open a door with a crowbar, cybercriminals usually gain entry through a network, an infected file, junk email, or an app vulnerability to insert malware into a target network

26
Q

APT: Establish Foothold

A

Cybercriminals implant malware that allows the creation of a network of backdoors and tunnels used to move around in systems undetected.

The malware often employs techniques like rewriting code to help hackers cover their tracks.

27
Q

APT: Deepen Access

A

Once inside, hackers use techniques such as password cracking to gain access to administrator rights so they can control more of the system and get even greater levels of access.

28
Q

APT: Move Laterally

A

Deeper inside the system with administrator rights, hackers can move around at will. They can also attempt to access other servers and other secure parts of the network.

29
Q

APT: Look, Learn, and Remain

A

From inside the system, hackers learn how it works and where its vulnerabilities are
They harvest the information they want at will.
Hackers keep this process running indefinitely or withdraw once they accomplish a specific goal.
They often leave a back door open to access the system again in the future.

30
Q

APT Attackers are Ninjas, not Tanks

A

Dwell Time: The time an attack goes undetected (i.e., the delta between intrusion and detection) around 90 min

31
Q

Test & Evaluation: 3 types of testing

A

Test types:
Functional Testing
Performance/Load Testing
Penetration Testing

32
Q

Functional Testing:

A

Test cases performed to confirm the system operates as it was designed/specified and meets all functional requirements – Availability and Integrity

33
Q

Performance/Load Testing:

A

Test cases performed to confirm the system operates as it was designed/specified and meets performance requirements under a real or simulated load - Availability

34
Q

Penetration Testing

A

Test cases performed to simulate intrusion by an intentional or unintentional cyber threat actor – Confidentiality and Availability (perhaps some Integrity)

35
Q

Incident Response

A
Preparation
Detection
Analysis
Containment
Eradication/Recovery
Post-incident activity
36
Q

MITRE D3FEND vs. Incident Response (how does incident response fit into MITRE D3FEND?)

A
Harden -> Preparation
Detect -> Detection and Analysis
Isolate -> Analysis and Containment
Deceive -> Containment
Evict -> Eradication and Recovery
All D3FEND strategies -> Post-incident activity
37
Q

Incident Response step 1. Preparation

A

Without good preparation, any subsequent incident response is going to be disorganized and has the potential to make the incident worse.

Create incident response plan

Train the team

Acquire tools (alerting systems, workflow apps, SIEM, ad hoc/automated reports) and make them available to the team

Prep the environment for defense (hardening) and alerting

Tourist to busker: How do you get to Carnegie Hall?
Busker: Practice, man. Practice.

38
Q

Detection

A

Process where the organization first becomes aware of a set of events that possibly indicates malicious activity.

Depending on the size, an org may receive >100 million events per day.

Human analysts are inundated with data

Filter indicators of compromise (signals of interest) from records of legitimate actions (noise)

Security Incident and Event Management (SIEM) tools lose effectiveness if heuristics are not updated to identify potential incidents

AI/ML tools (e.g., Vectra.ai, Cylance, Darktrace, ExtraHop) are better than humans at detecting some incidents, but take time to learn what “normal” behavior is

39
Q

Detection sources can include

A

Activity logs: A security analyst may receive an alert that a specific administrator account was in use during the time where the administrator was on vacation.

External sources: An ISP or law enforcement agency may detect malicious activity originating in an organization’s network, contact the organization, and advise them of the situation.

Internal users: An employee contacting the help desk and informing the agent that services are no longer available, or that files are suddenly encrypted

40
Q

Analysis

A

Personnel begin the task of collecting evidence from systems such as running memory, log files, network connections, and running software processes.

Depending on the incident, this can take a few hours or several days

Once the evidence is collected, the data are examined

Analysts attempt to ascertain what happened, what it affected, whether any other systems were involved, and whether any confidential data was removed/altered/destroyed

Determine the root cause of the incident and reconstruct the actions of the threat actor from initial compromise to detection

41
Q

Containment

A

Organizations take measures to limit the ability of threat actors to continue compromising other network resources, communicating with command and control infrastructure, or exfiltrating confidential data

Alter system configuration: locking down ports and IP addresses on a firewall, applying security updates, even removing the network cable from the back of an infected machine

Have several options available to allow for flexibility in response

Stop the bleeding at the source if you can

Respond as quickly as possible to limit damage done

42
Q

Eradication and recovery

A

Organization removes the threat actor from the impacted network

Organization may run an enhanced anti-malware solution

Infected machines may be wiped/reimaged or fresh OS installed

Remove or change compromised user accounts; ensure no new user accounts were created by threat actors

Apply security patches

Restore to last known good backup

Comprehensive vulnerability scan

Steps align with business continuity / disaster recovery

43
Q

Post-incident activity

A

Complete review of the incident with all the principal stakeholders

Review of all the actions taken during the incident

Retrospective: What worked, and more importantly, what did not work, lessons learned

Written report: detailed and clear, focus on root cause and cause-effect relationships

Avoid jargon (or explain terms)

Vet language with contracts/legal to ensure compliance with regulatory and statutory requirements

44
Q

What is the value of a thorough incident response process

A

CY6: cover for legal liability
Minimize risk of future breaches
Understand the risk
Build the “right” culture – problem solving vice blame, be aware of our surroundings

45
Q

Incident response coordinator:

A

Individual often has overall responsibility for the security of the organization’s information; responsible for management of the CSIRT prior to, during, and after an incident

Chief Security Officer (CSO)
Chief Information Security Officer (CISO)
Information Security Officer (ISO)

46
Q

CSIRT senior analyst(s):

A

Personnel with extensive training and experience in incident response, digital forensics, network data examination

Often take part in training junior personnel

Engage with other CSIRT members to acquire and analyze evidence, direct containment activities, and assist other personnel with remediation

47
Q

CSIRT analyst(s):

A

Personnel with CSIRT responsibilities that have less exposure or experience in incident response activities

Take part in reviews and updates to the incident response plan

Gather evidence from potentially compromised hosts, network devices, or log files

Take part in analysis of evidence and assist team in remediation activities

Data scientists, network admins who want to roll into Cybersecurity

48
Q

Security operations center analyst:

A

Analysts assigned to the 24/7 Security Operations Center (SOC) monitoring capability; serve as the point person when it comes to incident detection and alerting
In-house SOC
Outsourced: on-premises contractors, remote monitoring, SOCaaS

49
Q

IT security engineer(s) / analyst(s):

A

Personnel tasked with deployment, maintenance, and monitoring of security software or hardware

Preparation component of the incident response process

Ensure security applications (e.g., antivirus) and devices (e.g., firewalls, SIEM) are properly configured to alert to possible incidents and to ensure devices properly log events to support post hoc analysis / reconstruction

50
Q

Tech support personnel

A
May not be formal members of CSIRT, but have expertise or access to systems / processes that may be affected by an incident
Network/Server Administrators
Application Support
Desktop Support
Help Desk
51
Q

Why is alert tuning critical

A

Untuned alerts cause alert fatigue
Thousands of alerts emanate from security tools across the enterprise - it’s easy to become overwhelmed and miss important threats

52
Q

Component configuration

A

Mismatching control to threat: devoting time and resources to implementing security controls that are irrelevant to the threats the organization is trying to mitigate

53
Q

Mismatching Control to Threat (examples):

A

Using firewalls to prevent data theft from applications that are allowed to operate through the firewall

Using standard antivirus tools to protect against zero-day attacks and APTs

Using controls at the operating-system level to detect application-layer attacks

Using ingress-only firewall rules to protect against data exfiltration

54
Q

Organizational support personnel

A
Assist with a variety of non-technical issues that fall outside those that are addressed by the CSIRT core and technical support personnel
Legal
Human Resources
Marketing / Communications
Facilities
Corporate Security
55
Q

What is an Incident Response Playbook

A
A well-documented IR Playbook contains clear steps/roles and responsibilities:
Preparation
Detection
Analysis
Containment
Eradication
Recovery
Post-incident Activity
56
Q

Purpose of the playbook

A

You must test your IR Plan/Procedures:
Validate steps
Lessons Learned
Build muscle memory

Test approaches:
Cyber Table Top
Pen Test events
Process Review/Audit

57
Q

Managing Cyber Incidents

A

CSIRT is like organization’s 911 Force:
Engagement procedures are important
Multiple models for CSIRT Engagement exist

58
Q

Common model for dedicated SOC

A

Incident -> SOC / Tier 1 analyst -> SOC manager -> incident escalation -> CSIRT manager -> Tier 2 IR analyst and Tier 3 IR analyst

59
Q

SOC escalation concerns/drawbacks/risks

A

Several individuals handling an incident before CSIRT engaged

If incident escalation is not properly documented, CSIRT manager would have to engage SOC manager for clarification or additional information, increasing time to address incident
SOC personnel require training to determine which observed events constitute an incident and which may be false positives

CSIRT may suffer from burnout and become weary of the SOC chasing up false incidents

Communication between the SOC and the CSIRT needs to be clear and concise to avoid confusion

60
Q

SOC and CSIRT combined

A

Incident -> SOC analyst / Tier 1 analyst -> incident escalation -> Tier 2 analyst and Tier 3 analyst
All managed by the CSIRT manager

61
Q

SOC and CSIRT Combined in other words

A

SOC analyst serves as the first tier and escalates directly to CSIRT analyst

62
Q

SOC and CSIRT combined

Strengths and benefits

A

CSIRT has greater visibility into what SOC is seeing and doing

Allows CSIRT manager and team to craft more efficient policies and procedures related to incidents

Incident escalation is faster and more precise

Reduced back-and-forth for clarification

63
Q

SOC and CSIRT combined

Concerns/Drawbacks/Risks

A

Not realistic for organizations that rely on a network operations center or a help desk and have no dedicated SOC

Additional CSIRT managers may be required in order to address the day-to-day workload of both the SOC and the CSIRT

64
Q

CSIRT Fusion Center

A

CSIRT analysts, SOC analysts, and threat intelligence analysts are teamed up together, within a single team structure

65
Q

CSIRT Fusion Center

Strengths/Benefits:

A

Model allows the CSIRT to make use of threat intelligence without having to create new processes

Likely to see this model at SOCaaS organizations

66
Q

CSIRT Fusion Center

Concerns/Drawbacks/Risks:

A

CSIRT fusion center is not widely deployed

Threat intelligence integration is relatively new

Resource-intensive

67
Q

5 steps Investigating Incidents

A

Identify Scope: What data affected? Which systems?

Identify Impact: Based on CIA Triad

Identify Root Cause: How did this happen? What were the Indicators of Compromise?

Identify sequence of events leading to incident.

Incident Attribution: CSIRT or investigative body attempts to determine which organization was behind the attack. Nation-state Actors? Criminals? Hacktivists?

68
Q

4 types of Incident Containment

A

Physical containment: Physical connection to the network is removed from the system. Best for limited scope incidents.

Network containment: Network administrator(s) modify switch configurations to limit the traffic on a subnet to other portions of the network. May require modification of configurations on individual switches.

Perimeter containment: CSIRT contains network traffic at the perimeter firewall.

Virtual containment: Contain incident via software defined infrastructure, Software Defined Networking, Infrastructure as Code, serverless cloud architectures

69
Q

Eradication Strategies

A

Network segmentation: Subdivide network into Virtual LAN (VLAN) segments

Reimage affected machines: Restore to last known good configuration prior to incident

Test new image:
Ideally in an air-gapped test environment
Promote test image to Staging (sneakernet)
Retest in Staging environment
Promote to Production

70
Q

5 steps of incident recovery

A

Cyber hygiene check: Ensure that all systems (i.e., not only those that have been through the eradication phase) are properly patched with the most up-to-date patches

Update alert profile: CSIRT coordinates with IT, SOC, NOC personnel to refine additional detection and prevention alerts

Change review: Review changes made in response to incident and determine if emergency changes need to be permanent, or backed out from Production

Vulnerability scan: Scan all assets in environment; remediate issues

After Action Report: Document events of incident, IoCs; identify recommendations / lessons learned

71
Q

Fundamentals of Digital Forensics

A

Some applicable U.S. legal considerations

Title 18, US Code (Fraud and related activity): addresses the use of a computer to commit fraud

Computer Fraud and Abuse Act (CFAA): Makes denial of service (DoS) attacks illegal

Electronic Communications Privacy Act (ECPA): Amendment to the Federal Wiretap Statute that makes the unauthorized interception of communications through electronic means, such as telecommunications and the internet, illegal

Communications Assistance for Law Enforcement Act (CALEA): Requires ISPs to make their networks available to law enforcement agencies for lawfully authorized surveillance

Economic Espionage Act of 1996 (EEA): Makes economic espionage and the theft of trade secrets a crime

Riley v. California (2014): U.S. Supreme Court ruling that the warrantless search and seizure of digital contents of a cell phone during an arrest is unconstitutional

Carpenter v. United States (2017): Law enforcement can seize cell phone records with a valid warrant

72
Q

6 Rules of Evidence

A

Test for Relevant Evidence: Evidence should be relevant to the proceedings and should prove or disprove a facet of the case

Attorney-Client Privilege and Work Product: Digital Forensics reports are often written concerning actions taken and information obtained. Incident responders may be working directly for attorneys on behalf of their clients. As a result, these reports prepared in conjunction with an incident may fall under attorney work product rules.

Testimony by Expert Witnesses: CSIRT/SOC analyst may be allowed to testify as an expert witness

Evidence that is Self-Authenticating: Requires that a qualified person presents the evidence and that the evidence being presented has been collected according to best practices. Allows the verification of digital evidence integrity through hashing.

Best Evidence Rule: In civil or criminal proceedings, the original writings, recordings, or photographs need to be offered up as evidence, unless a reasonable exception can be made. Courts have held that a forensically sound image of a hard drive/flash storage is a reasonable substitute for the actual drive.

Admissibility of Duplicates: Allows for such an image to be admitted into court. Analyst who performed that action will most likely have to testify to having performed the action correctly

73
Q

Digital forensics framework

A

1. Identification
2. Preservation
3. Collection
4. Examination
5. Analysis
6. Presentation

74
Q

Digital forensics framework. identification

A
Examples of trace evidence in Digital World
Cookies
Firewall records
Event logs (success/failure)
IP packet captures
Proxy logs
75
Q

Digital forensics framework. preservation

A

Important to safeguard evidence from any type of modification or deletion
Secure backups of all systems
Enable controls that protect log files from removal or modification
Isolate the system from the rest of the network (physical or logical controls, network access controls, perimeter controls)
Make sure users are not able to access a suspect system
Virtual machines/IaC/SDx: Take a snapshot/backup of the affected virtual systems and store it on non-volatile storage

76
Q

Digital forensics framework. collection

A

Collect volatile data to a non-volatile medium, such as an external hard drive
Internet Engineering Task Force (IETF) order of volatility of digital evidence:
Registers and cache
Routing table, ARP cache, process table, kernel statistics, memory (RAM)
Temporary filesystems
Disk
Remote logging and monitoring data
Physical configuration, network topology
Archival media

77
Q

Digital forensics framework. examination

A
Specific tools and forensic techniques are used to discover and extract data from the evidence seized as part of an incident:
Memory images
Desktop images
Log file analysis
Network captures

Perform examination on a copy of the backup (vice the sole backup) – examination of data could result in contamination of evidence!

78
Q

Digital forensics framework. analysis

A

Analyze the data in light of any other relevant data obtained
Example:
If a compromised host has an open connection to an external IP address, the analyst would correlate that information with an analysis of a packet capture taken from the network
Using the IP address as a starting point, the analyst would be able to isolate the relevant traffic
Eventually the analyst finds that the compromised host is sending out a beacon to a C2 server

FireEye’s investigation led to the identification of the SolarWinds incident

79
Q

Digital forensics framework. presentation

A

Reporting of facts related to digital forensics needs to be clear, concise, and unbiased

Detailed written report that addresses every action and captures the critical data required

Report should be thorough, accurate, and without opinion or bias

Testifying in court may be required

Testimony may include opinions/conclusions based on experience of the analyst

80
Q

What tools would you need for your Digital Forensics lab?

Hardware

A

Disk Imager/duplicator
Network scanner
PC/Linux machine with MANY I/O ports, Hard drives
Specialty Products

81
Q

Hardware digital forensics examples:
Tableau HDD Duplicator
ATRIO
FRED

A
Tableau HDD Duplicator
Image SATA, USB 3.0, and IDE drives 
Disk-to-File (image) duplication
Format/Wipe
Hash (MD5 or SHA-1)
Blank Disk Check
ATRIO
All-in-one hardware/software solution
Devices and HDDs
Patented parallel processing capability
Customizable AI-based object detection
Rugged, durable casing
NIST-Accredited

FRED
Image multiple drives simultaneously, sequentially
User selectable RO or RW via LCD
Integrated high availability heat sink, power
Multiple RAID Controller options
RAM/CPU optimized for Forensics software tools

82
Q

Hardware digital forensics pros:

A
  1. Performance tuned for specialty software
  2. Designed by HW engineers who specialize in performance
  3. Designed by forensics specialists
  4. May be more likely to be admissible in court
  5. Available tech support, warranty coverage
83
Q

Hardware digital forensics cons:

A
  1. Expensive
  2. Staff needs to be trained to use it
  3. EOL issues
  4. Hardware supply chain questions
  5. Designed for 80% of market needs; may not be customizable
84
Q

software digital forensics examples:

A
Network Scanner/sniffer
Data analysis
Regedit analysis
Deep Packet inspection
UEBA (User/Entity Behavior Analysis):
Heuristics based
AI/ML tools
85
Q

software digital forensics examples:

autopsy

A

Open source software that automates key digital forensics tasks
Open source modules extend functionality
Timeline Analysis - Advanced graphical event viewing interface
Hash Filtering - Flag known bad files and ignore known good
Keyword Search - Find files that mention relevant terms
Web Artifacts - Extract history, bookmarks, and cookies from Firefox, Chrome, and IE
Data Carving - Recover deleted files from unallocated space
Multimedia - Extract EXIF from pictures and watch videos.
Indicators of Compromise - Scan a computer using STIX

86
Q

software digital forensics examples:The Sleuth Kit (TSK)

A

- Open source library and collection of command line tools that allow you to investigate disk images
- Analyze volume and file system data
- Library can be incorporated into larger digital forensics tools, and the command line tools can be used directly to find evidence
- Functions:
Volume and File System Analysis

87
Q

software digital forensics examples: encase

A
  • Full-spectrum digital forensics application, performing the entire gamut of tasks in the examination of digital evidence, primarily from hard drives and other storage media
  • Proprietary software from OpenText
  • Reporting capability that allows examiners to output case data in an easy-to-digest format
  • Widely deployed in government and law enforcement agencies
  • Drawback is the cost associated with the application
88
Q

software digital forensics examples: Forensic Toolkit (FTK)

A
  • Full-service forensic application that is in wide use by government and law enforcement agencies
  • Proprietary software from AccessData (competitor to OpenText)
  • Specializes in dead-box forensics
  • Unmatched speed through distributed processing engines
  • Wizard-driven to ensure no data is missed
  • State-of-the-art data visualization to highlight relationships and patterns
89
Q

software digital forensics examples: X-Ways Forensics

A

Similar forensics functionality to FTK and EnCase
Lower Cost option (~$1300/year/seat)
Windows XP/2003/Vista/2008/7/8/8.1/2012/10/2016*, 32 Bit/64 Bit, standard/PE/FE
As a German product, it is potentially more trustworthy (NOTE: vendor’s claim, not mine or the author’s)
Portable: Runs off a USB stick on any Windows system

NOTE: DOES NOT include imaging or investigative tools
(sold separately)

90
Q

software digital forensics examples: Volatility

A
  • Forensics tool that looks at RAM and other volatile storage
  • Free, open source software (FOSS)
  • Windows, Mac, Linux options
  • Annual contests to build plugins for the software!
91
Q

software digital forensics examples: Registry Recon

A
  • Forensics tool that focuses on the Windows Registry
  • Parses Registry data so that Registries which have existed on a Windows system over time can be rebuilt
  • Provides access to an enormous volume of Registry data which has been effectively deleted, whether that deletion occurred due to benign system activity, malfeasance by a user, or even re-imaging by IT personnel
  • Subscription-based pricing: monthly, annual, 3 year, 5 year
92
Q

software digital forensics examples: Cellebrite UFED

A
  • Forensics tool for mobile devices
  • Bypass pattern, password or PIN locks and overcome encryption challenges quickly on popular Android and iOS devices
  • Collect data from mobile phones, drones, SIM Cards, SD cards, GPS devices, etc.
  • Access to 40+ apps on Android devices
  • Software or hardware/software packages available
93
Q

digital forensics examples: SANS Investigative Forensic Toolkit (SIFT)

A
  • Based on the Ubuntu 16.04 Base OS
  • Tools are included for imaging, memory analysis, timeline creation, and a host of other digital forensics tasks
  • SIFT Workstation VM Appliance is an option!
  • Runs on Microsoft Windows using Windows Subsystem for Linux
94
Q

Collecting Network Evidence

A

NOTE: Capturing network traffic can be considered an invasion of privacy if there is no policy clearly stating that network monitoring takes place. Work with Legal to ensure all employees of the organization understand that their use of the information system will be monitored.

95
Q

Collecting Network Evidence from:

A
  • Switch: Allows multiple hosts to connect and intercommunicate
  • Router: Allows organizations to connect multiple networks
  • Firewall: Contains a wide variety of features such as intrusion detection and prevention, web filtering, data loss prevention, and detailed logs about allowed and denied traffic.
  • Network intrusion detection and prevention systems: Provide security personnel and incident responders with information concerning potential malicious activity on the network infrastructure.
  • Web proxy servers: Control how users interact with websites and other internet-based resources.
  • Domain controllers or authentication servers: Primary location for details on successful or unsuccessful logins, credential manipulation, or other credential uses.
  • DHCP server: Allows for the dynamic assignment of IP addresses to systems on the LAN.
  • Application servers: A wide range of applications from email to web applications is housed on network servers - can provide logs that are specific to the type of application.
96
Q

Network Diagram

A

A map of your computer network

Allows for the quick identification of potential evidence sources

97
Q

Firewalls and Proxies

A

Ingress/egress points into the network from the internet

98
Q

Firewalls and Proxies

Connection log

A
  • Provides the source and destination IP addresses and protocols of connections
  • Can help determine whether any internal systems may have contacted an adversary-controlled system or are possibly being controlled
  • Provide an insight into connections that were denied (adversaries use tools to attempt to connect to well-known ports that are commonly in use) - successive denies across a range of ports are indicative of reconnaissance activity.
99
Q

Firewalls and Proxies

Remote access logs

A
  • Firewalls often serve as the Virtual Private Network (VPN) concentrator for remote access
  • Remote access logs will show systems that are connected and what time they connected
  • May allow incident responders to correlate activities and determine whether a remote user was the source of the infection.
100
Q

Firewalls and Proxies

Web Proxy Server:

A
  • Exploit packages (e.g., droppers, C2 calls, etc.) often use URLs to point to an outside (i.e., internet) resource
  • Organizations that make use of web proxy servers for HTTP and HTTPS requests will have a record of any system on the internal network that reached out to an external site
  • Incident responders can view the history of an activity that has happened over weeks or even months – this is critical info for reconstructing the attack for an incident report
101
Q

NetFlow

A

Allows network administrators to monitor traffic across the network
Provides deep insights into the internal traffic of systems as they communicate with each other

102
Q

East-West Traffic

A

lateral movement within a network segment

103
Q

North-South Traffic

A

movement from one network segment to another

104
Q

Packet Capture

A

Process of intercepting and logging network data as packets travel across a network

105
Q

Network Tap

A

In-line connection that detects/inspects packets as they flow within a segment

106
Q

tcpdump

A

Linux command-line tool to offload network flow history of a network node (e.g., switch, router, edge device) from memory to a file

107
Q

WinDump

A

Windows application to enable tcpdump on Windows machines

108
Q

WinPcap

A

Standard tool for packet capture on Windows systems

Drawback of WinPcap tools is they have to be installed on every Windows host to be used

109
Q

RawCap

A

An alternative to WinPcap with the same basic capability as WinPcap without the need to install it on the local system – can run via command line off a USB drive

110
Q

Wireshark

A

GUI-based tool with a number of packet capture and analysis features
Available for multiple platforms
Can be run from a USB drive

111
Q

Collecting Network Evidence

A

File Name: CSIRT should have a naming convention for different types of evidence files

Description: A brief description of the file. There does not need to be too much detail unless it is a unique file that warrants more detail (e.g., suspicious file of unknown origin)

Location: Usually IP address or other description of host node of the file

Date and Time: Record the date and time the file was transferred to the medium

MD5 Hash: a one-way algorithm that is utilized to provide a digital fingerprint for a file

112
Q

Collecting Host-based Evidence

A

Volatility is used to describe how data on a host system is maintained after changes such as log-offs or power shutdowns

Data that will be lost if the system is powered down is referred to as volatile data

Malware leaves a number of key pieces of evidence within the memory of a system and, if lost, can leave the incident response analyst with little or no room to investigate

113
Q

Options for acquiring evidence

A

Local: Having access to the system under investigation is often a luxury, but when CSIRT members have direct access, they can capture more data

Remote: Incident response analysts leverage tools and network connections to acquire evidence; can also be useful if incident response analysts cannot be onsite immediately

114
Q

Live acquisition

A

Analyst acquires the evidence from a system that is currently powered on and running

Some of the techniques must be deployed on a live system (for example, running memory)

May be necessary in high-availability environments where a suspected system cannot be taken offline

115
Q

Offline acquisition/ Dead Box forensics

A

Often used by law enforcement agencies to preserve digital evidence on the hard drive. Technique requires that the system be powered down and the hard drive removed.

116
Q

Offline acquisition/ Dead Box forensics Benefits

A

Sound approach for law enforcement to inspect evidence

Works well for systems that are no longer functional

117
Q

Offline acquisition/ Dead Box forensics Cons

A

Requires specialized tools to acquire the hard drive evidence

Loss of any volatile memory

Time-consuming to acquire a suspect system’s hard drive, image it, and process the image for investigation

118
Q

Acquiring Volatile Memory

A

Great deal of evidence for a security incident is contained within the memory of a potentially compromised system; trace evidence is often found within the running memory of the system

Memory dumps may contain passwords to encrypted volumes (TrueCrypt, BitLocker, PGP Disk), account login credentials for many webmail and social network services

119
Q

Acquiring Volatile Memory: Local acquisition

A

If you have direct access to the system, you can run tools from a USB device (or other removable media)

Tools include FTK Imager, WinPmem, RAMCapturer.

Make sure your USB drive has TWO partitions – one for tools, one for the data captured

120
Q

Acquiring Volatile Memory with WinPmem

A

Default open source memory acquisition driver for Windows for a long time

Capture raw memory from Linux, macOS, and Windows systems

Open source

Support for WinXP - Win 10, x86 + x64

Three different independent methods to create a memory dump.

121
Q

Acquiring Volatile Memory with RAMCapturer

A

Default open source memory acquisition driver for Windows for a long time

Simple tool; small footprint

Can be run from a USB

Designed to work correctly even if an aggressive anti-debugging or anti-memory dumping system is running

122
Q

Acquiring Volatile Memory with Remote acquisition

A

Local access may not be possible or feasible in a timely manner

Same tools, but you first access the system remotely (e.g., via Remote Desktop)

Drawback: Remote tools may not be possible if the system had to be taken offline

123
Q

Virtual Machines

A

Virtual machines include multiple files to operate. Virtual memory is often stored as a separate file.

VMware stores volatile memory in a VMEM file

VMware stores a snapshot of the VM in a VMSS file

Access the host of the Virtual Machine (locally or remote)

Pause the Virtual Machine

Transfer VMEM and VMSS files to USB or network storage location

124
Q

Other Non-Volatile Evidence

A

Registry Keys: Contains information, settings, options, and other values for programs and hardware installed on all versions of Microsoft Windows operating system

Event Logs: Record events taking place in the execution of a system in order to provide an audit trail that can be used to understand the activity of the system and to diagnose problems

CyLR.exe is a useful tool (small footprint, runs from USB) to capture registry keys and log files

125
Q

Forensic Imaging ≠ Copying files

A

Forensic Imaging ≠ Copying files

Copying files provides analysts with the actual data associated with a file

Imaging allows the analyst to capture the entire drive

Slack space

Unallocated space

Possible access to deleted files

Metadata on the volume, including file timestamps

126
Q

Forensic Imaging ≠ Cloning

A

Cloning a drive creates a one-to-one copy of the drive, resulting in a fully functional/bootable drive

Can be cumbersome for dead box forensic analysis

Includes Master Boot Record

Full Disk Encryption makes a clone difficult to analyze

Imaging copies all relevant files but is not intended to create a bootable/usable drive

Easier for forensics tools to analyze

Does not require the Master Boot Record

127
Q

Physical vs. Logical Image

A

Logical image of a partitioned drive allows analyst to copy only the suspected portion, not include Full Disk Encryption protections, and accelerate the process

Major drawback of Logical Image: Does not capture unallocated space on physical drive or any data not part of the file system (e.g., deleted files, trace data)

128
Q

Image Types/Formats

A

Raw Image: Contains only the data from the imaged volume

EnCase Evidence File: Includes additional useful data

Metadata about the image (type, OS, timestamps)

Cyclical Redundancy Check (CRC) to ensure file integrity of blocks copied

Preferred output for law enforcement and legal entities as it combines the ability to verify evidence integrity with software features such as compression

129
Q

3 examples Imaging Tools

A

FTK Imager: GUI-based FOSS application allows for the forensically sound acquisition of logical and physical volumes, memory, and other protected files and outputs images in multiple formats; runs on removable media

AFF4 Imager: CLI imager; Capable of isolating files based on time creation and splitting volumes to reduce time to image
dd: Linux command to clone whole drives or a partition

Virtualization: Defining the entire OS environment in software as a virtual machine makes imaging a virtual image easier: pause the VM, create a copy of the VM and state files

130
Q

Is my data gone?

A

Delete: Hide a file from the OS, making it no longer visible; the OS ONLY overwrites the data when it needs that disk space for other files

Wipe/Erase: Permanently remove all data from a drive/partition by removing all files on the drive, then overwriting with a random pattern of 1s and 0s

Shred: Applying wipe/erase function to a single file

Quick Format: Basically a delete of a drive or partition

Full Format: Wipe/Erase of a drive/partition (Single Pass Overwrite)

131
Q

Write Blockers

A

Write Blockers: Tools to ensure that no changes are made to digital evidence while processing and examining it

Software Write Blockers: Sit between the OS and the evidence, ensure that there is read-only access to the evidence file

Hardware Write Blockers: Physical piece of hardware that sits between the evidence drive and the system performing the acquisition, and allows only one-way data transfer from the disk to the evidence analysis system (i.e., data diode)

132
Q

Dead Imaging

A

Used on media that is not energized (and often removed from the potentially compromised system)

Most comprehensive imaging method for evidence collection; allows for the complete preservation and analysis of physical volume

Usually involves use of a hardware write blocker to preserve evidence integrity of compromised system

133
Q

Live Imaging

A

Used when the system must remain running due to criticality

Run imaging from a USB drive/stick

Allows the incident response analyst to image the drive without changing the operational system

134
Q

Remote Memory Acquisition

A

Preferred method for the acquisition of memory is through direct contact with the suspect system

Adaptability in case primary approach fails

Faster (independent of network)

Two primary tools discussed in text

WinPmem: Open Source, local installation, command line

F-Response: Can run remotely, does not require installation on target host

135
Q

Switched Port Analyzer (SPAN) port

A

In this configuration, the switch closest to the compromised host will have port mirroring enabled.

This then sends the traffic from the entire segment the switch is on to the system that is used for network traffic capture

136
Q

VMware Suspended State (VMSS)

A

The VMSS file contains the files that are saved as part of the suspended state of the virtual machine.

137
Q

Virtual Memory (VMEM) file.

A

The VMEM file is the RAM or physical memory of the virtual machine.

138
Q

Order of Volatility from most volatile

A

CPU, registers -> RAM -> PageFile/Swap File -> Storage Drives