Module 12 - Evading IDS , Firewalls, and Honeypots ( EC Mode Part 01 ) Flashcards by Naser aljufairah

Deleted

How well did you know this?

Not at all

Perfectly

Which of the following attributes in a packet can be used to check whether the packet originated from an unreliable zone?

A. TCP flag bits
B. Direction
C. Interface
D. Source IP address

Correct Answer: C. Interface

How well did you know this?

Not at all

Perfectly

Which of the following types of firewall inspects only header information in network traffic?

A. Application-level gateway
B. Stateful inspection
C. Packet filter
D. Circuit-level gateway

Correct Answer: C. Packet filter

How well did you know this?

Not at all

Perfectly

Which of the following intrusion detection technique involves first creating models of possible intrusions and then comparing these models with incoming events to make a detection decision?

A. Anomaly Detection
B. Signature Recognition
C. Protocol Anomaly Detection
D. Obfuscating

Correct Answer: B. Signature Recognition

How well did you know this?

Not at all

Perfectly

Which of the following statements concerning proxy firewalls is correct?

A. Proxy firewalls block network packets from passing to and from a protected network
B. Firewall proxy servers decentralize all activity for an application
C. Computers establish a connection with a proxy firewall that initiates a new network connection for the client
D. Proxy firewalls increase the speed and functionality of a network

Correct Answer: C. Computers establish a connection with a proxy firewall that initiates a new network connection for the client

How well did you know this?

Not at all

Perfectly

Which solution can be used to emulate computer services, such as mail and ftp, and to capture information related to logins or actions?

A. Honeypot
B. Intrusion detection system (IDS)
C. DeMilitarized zone (DMZ)
D. Firewall

Correct Answer: A. Honeypot

How well did you know this?

Not at all

Perfectly

which of the following conditions does the IDS generate a true positive alert?

A. A true positive is a condition occurring when an IDS fails to react to an actual attack event
B. A true positive is a condition occurring when an IDS identifies an activity as acceptable behavior and the activity is acceptable
C. A true positive is a condition occurring when an event triggers an alarm and causes the IDS to react as if a real attack is in progress
D. A true positive is a condition occurring when an event triggers an alarm when no actual attack is in progress

Correct Answer: C. A true positive is a condition occurring when an event triggers an alarm and causes the IDS to react as if a real attack is in progress

How well did you know this?

Not at all

Perfectly

What is the main advantage that a network-based IDS/IPS system has over a host-based solution?

A. They are easier to install and configure
B. They will not interfere with user interfaces
C. They are placed at the boundary, allowing them to inspect all traffic
D. They do not use host system resources

Correct Answer: D. They do not use host system resources

How well did you know this?

Not at all

Perfectly

Which of the following indicators identifies a network intrusion?

A. Repeated probes of the available services on your machines
B. Sudden decrease in bandwidth consumption is an indication of intrusion
C. Connection requests from IPs from those systems within the network range
D. Rare login attempts from remote hosts

Correct Answer: A. Repeated probes of the available services on your machines

How well did you know this?

Not at all

Perfectly

At which two traffic layers do most commercial IDSes generate signatures? (Select Two)

A. Application layer
B. Network layer
C. Session layer
D. Transport layer

Correct Answer: B. Network layer and D. Transport layer

How well did you know this?

Not at all

Perfectly

Jamie has purchased and deployed an application firewall to protect his company infrastructure which includes various email servers, file server shares, and applications. Also, all the systems in his company share the same onsite physical datacenter. Jamie has positioned the newly purchased firewall nearest to the application systems so as to protect the applications from attackers. This positioning does not protect the complete network.

What can be done to address the security issues by this deployment for Jamie?

A. Jamie will need to add at least three additional firewalls at the DMZ, internet, and intranet
B. Jamie will need to add at least three additional firewalls at the untrusted network, router side, and application side
C. Jamie will need to replace the application firewall with a packet filtering firewall at the network edge
D. Jamie will need to add at least one additional firewall at the network edge

Correct Answer: D. Jamie will need to add at least one additional firewall at the network edge

How well did you know this?

Not at all

Perfectly

Jamie was asked by their director to make new additions to the firewall in order to allow traffic for a new software package. After the firewall changes, Jamie receives calls from users that they cannot access other services, such as email and file shares, that they were able to access earlier.

What was the problem in the latest changes that is denying existing users from accessing network resources?

A. Jamie’s additional entries were processed first
B. Jamie needs to restart the firewall to make the changes effective
C. Jamie should exit privileged mode to allow the settings to be effective
D. Jamie needs to have the users restart their computers in order to make settings effective

Correct Answer: A. Jamie’s additional entries were processed first

How well did you know this?

Not at all

Perfectly

When analyzing the IDS logs, the system administrator notices connections from outside of the LAN have been sending packets where the source IP address and destination IP address are the same. However, no alerts have been sent via email or logged in the IDS. Which type of an alert is this?

A. False negative
B. True negative
C. False positive
D. True positive

Correct Answer: A. False negative

How well did you know this?

Not at all

Perfectly

When analyzing the IDS logs, the system administrator noticed an alert was logged when the external router was accessed from the administrator’s computer to update the router configuration. What type of an alert is this?

A. True-negative
B. True-positive
C. False-negative
D. False-positive

Correct Answer: D. False-positive

How well did you know this?

Not at all

Perfectly

A network administrator received an administrative alert at 3:00 a.m. from the intrusion detection system. The alert was generated because a large number of packets were coming into the network over ports 20 and 21. During analysis, there were no signs of attack on the FTP servers. How should the administrator understand this situation?

A. False negatives
B. True positives
C. True negatives
D. False positives

Correct Answer: D. False positives

How well did you know this?

Not at all

Perfectly

Which of the following methods detects an intrusion based on the fixed behavioral characteristics of the users and components of a computer system?

A. Signature recognition
B. Bastion host
C. Anomaly detection
D. Protocol anomaly detection

Answer: C. Anomaly detection

How well did you know this?

Not at all

Perfectly

The general indicators of which of the following types of intrusions are repeated login attempts from remote hosts, a sudden influx of log data, and a sudden increase in bandwidth consumption?

A. System intrusion
B. File-system intrusion
C. Signature recognition
D. Network intrusion

Answer: D. Network intrusion

How well did you know this?

Not at all

Perfectly

Which of the following types of honeypots is very effective in determining the entire capabilities of adversaries and is mostly deployed in an isolated virtual environment along with a combination of vulnerable servers?

A. Honeynets
B. Spider honeypots
C. Spam honeypots
D. Malware honeypots

Correct Answer: A. Honeynets

How well did you know this?

Not at all

Perfectly

Which of the following attributes in a packet can be used to check whether the packet originated from an unreliable zone?

A. Source IP address
B. Interface
C. Direction
D. TCP flag bits

Correct Answer: B. Interface

How well did you know this?

Not at all

Perfectly

In which of the following conditions does the IDS generate a true positive alert?

A. A true positive is a condition occurring when an IDS identifies an activity as acceptable behavior and the activity is acceptable
B. A true positive is a condition occurring when an event triggers an alarm and causes the IDS to react as if a real attack is in progress
C. A true positive is a condition occurring when an event triggers an alarm when no actual attack is in progress
D. A true positive is a condition occurring when an IDS fails to react to an actual attack event

Correct Answer: B. A true positive is a condition occurring when an event triggers an alarm and causes the IDS to react as if a real attack is in progress

How well did you know this?

Not at all

Perfectly

What is the main advantage that a network-based IDS/IPS system has over a host-based solution?

A. They are easier to install and configure
B. They do not use host system resources
C. They are placed at the boundary, allowing them to inspect all traffic
D. They will not interfere with user interfaces

Correct Answer: B. They do not use host system resources

How well did you know this?

Not at all

Perfectly

Which of the following is a hardware requirement that either an IDS/IPS system or a proxy server must have in order to properly function?

A. Similar RAM requirements
B. They must be dual-homed
C. Fast processor to help with network traffic analysis
D. Fast network interface cards

Correct Answer: B. They must be dual-homed

How well did you know this?

Not at all

Perfectly

Which type of intrusion detection system can monitor and alert on attacks, but cannot stop them?

A. Detective
B. Passive
C. Intuitive
D. Reactive

Correct Answer: B. Passive

How well did you know this?

Not at all

Perfectly

An advantage of an application-level firewall is the ability to

A. Filter packets at the network level
B. Monitor TCP handshaking
C. Filter specific commands, such as http:post
D. Retain state information for each packet

Correct Answer: C. Filter specific commands, such as http:post

How well did you know this?

Not at all

Perfectly

Teyla is a security analyst for BAYARA Company. She is responsible for the firewall, antivirus, IPS, and web filtering security controls. She wants to protect the employees from a new phishing attack. What should Teyla do? A. Use the web filtering application to prevent the employees from accessing the phishing webpage B. Use IPS to block phishing C. Block the phishing via antivirus D. Block outbound traffic to the ports 80 and 443 in the firewall

Correct Answer: A. Use the web filtering application to prevent the employees from accessing the phishing webpage

Correct Answer: C. False negative

Which of the following is a mobile intrusion detection tool that allows users to find all the devices connected to a network and provides relevant data such as the IP addresses, manufacturer names, device names, and MAC addresses of the connected devices? A. Wifiphisher B. Wifi Inspector C. WIBR+ D. Reaver

Correct Answer: B. Wifi Inspector

Which of the following commands is an example of a Snort rule using a bidirectional operator? A. log tcp any any -> 192.168.1.0/24 !6000:6010 B. alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 C. 192.168.1.0/24 1:1024 D. log !192.168.1.0/24 any <> 192.168.1.0/24 23

Correct Answer: D. log !192.168.1.0/24 any <> 192.168.1.0/24 23

Which of the following is a security solution for mobile devices that can reduce a mobile device’s network traffic and battery consumption as well as allow users to create network rules based on apps, IP addresses, and domain names? A. Bitvise B. NetPatch Firewall C. KFSensor D. Snort

Correct Answer: B. NetPatch Firewall

When an alert rule is matched in a network-based IDS like snort, the IDS does which of the following: A. Blocks the connection with the source IP address in the packet B. Continues to evaluate the packet until all rules are checked C. Stops checking rules, sends an alert, and lets the packet continue D. Drops the packet and moves on to the next one

Correct Answer: B. Continues to evaluate the packet until all rules are checked

Which of the following is not an action present in Snort IDS? A. Alert B. Pass C. Audit D. Log

Correct Answer: C. Audit

Which of the following firewalls is used to secure mobile device? A. NetPatch firewall B. Glasswire C. TinyWall D. Comodo firewall

Correct Answer: A. NetPatch firewall

Manav wants to simulate a complete system and provide an appealing target to push hackers away from the production systems of his organization. Can you identify the tool? A. PeerBlock B. TinyWall C. SPECTER D. Glasswire

Correct Answer: C. SPECTER

Which of the following firewall solution tool has the following features: Two-way firewall that monitors and blocks inbound as well as outbound traffic Allows users to browse the web privately Identity protection services help to prevent identity theft by guarding crucial data of the users. It also offers PC protection and data encryption Through Do Not Track, it stops data-collecting companies from tracking the online users Online Backup to backs up files and restores the data in the event of loss, theft, accidental deletion or disk failure A. Vangaurd Enforcer B. zIPS C. Wifi Inspector D. ZoneAlarm Free Firewall

Correct Answer: D. ZoneAlarm Free Firewall

Which of the following is a malware research tool that allows security analysts to detect and classify malware or other malicious codes through a rule-based approach? A. Hping3 B. Nmap C. YARA D. Fing

Correct Answer: C. YARA

Which of the following tools helps security professionals in generating YARA rules from strings identified in malware files? A. yarGen B. Weevely C. Tamper Chrome D. HoneyBOT

Correct Answer: A. yarGen

Which of the following is an IDS evasion technique used by an attacker to confuse the IDS by forcing it to read invalid packets as well as blindly trust and accept a packet that an end system rejects? A. Insertion attack B. Fragmentation attack C. Obfuscation D. Invalid RST packets

Correct Answer: A. Insertion attack

One of the following is an IDS evasion technique used by an attacker to send a huge amount of unnecessary traffic to produce noise or fake traffic. If the IDS does not analyze the noise traffic, the true attack traffic goes undetected. A. Flooding B. Encryption C. Overlapping fragments D. Denial-of-service attack

Correct Answer: A. Flooding

In which of the following IDS evasion techniques does an attacker use an existing buffer-overflow exploit and set the “return” memory address on the overflowed stack to the entrance point of the decryption code? A. Urgency flag B. Polymorphic shellcode C. Invalid RST packets D. Overlapping fragments

Correct Answer: B. Polymorphic shellcode

Which of the following techniques is used by an attacker to exploit a host computer and results in the IDS discarding packets while the host that must receive the packets accepts them? A. Fragmentation attack B. Obfuscation C. Evasion D. Session splicing

Correct Answer: C. Evasion

In which of the following IDS evasion techniques does an attacker split the attack traffic into an excessive number of packets such that no single packet triggers the IDS? A. Evasion B. Session splicing C. Insertion attack D. Denial-of-service attack (DoS)

Correct Answer: B. Session splicing

The use of alert thresholding in an IDS can reduce the volume of repeated alerts, but introduces which of the following vulnerabilities? A. Network packets are dropped if the volume exceeds the threshold B. Thresholding interferes with the IDS’ ability to reassemble fragmented packets C. The IDS will not distinguish among packets originating from different sources D. An attacker, working slowly enough, can evade detection by the IDS

Correct Answer: D. An attacker, working slowly enough, can evade detection by the IDS

Which evasion technique is used by attackers to encode the attack packet payload in such a way that the destination host can only decode the packet but not the IDS? A. Unicode evasion B. Obfuscation C. Session splicing D. Fragmentation attack

Correct Answer: B. Obfuscation

How many bit checksum is used by the TCP protocol for error checking of the header and data and to ensure that communication is reliable? A. 14-bit B. 16-bit C. 15-bit D. 13-bit

Correct Answer: B. 16-bit

An attacker hides the shellcode by encrypting it with an unknown encryption algorithm and by including the decryption code as part of the attack packet. He encodes the payload and then places a decoder before the payload. Identify the type of attack executed by attacker. A. Polymorphic shellcode B. Preconnection SYN C. Postconnection SYN D. ASCII shellcode

Correct Answer: A. Polymorphic shellcode

Which network-level evasion method is used to bypass IDS where an attacker splits the attack traffic in too many packets so that no single packet triggers the IDS? A. Unicode evasion B. Overlapping fragments C. Fragmentation attack D. Session splicing

Correct Answer: D. Session splicing

Which of the following is an IDS evasion technique used by an attacker to confuse the IDS by forcing it to read invalid packets as well as blindly trust and accept a packet that an end system rejects? A. Invalid RST packets B. Obfuscation C. Insertion attack D. Fragmentation attack

Correct Answer: C. Insertion attack

Which network-level evasion method is used to bypass IDS where an attacker splits the attack traffic in too many packets so that no single packet triggers the IDS? A. Fragmentation attack B. Overlapping fragments C. Session splicing D. Unicode evasion

Correct Answer: C. Session splicing

Which of the following is a technique used by an attacker masquerading as a trusted host to conceal their identity for hijacking browsers or gaining unauthorized access to a network? A. Port scanning B. IP address spoofing C. Firewalking D. Banner grabbing

Correct Answer: B. IP address spoofing

Which of the following techniques routes all traffic through an encrypted tunnel directly from a laptop to secure and harden servers and networks? A. Tiny fragments B. Source routing C. ACK tunneling method D. Anonymizer

Correct Answer: D. Anonymizer

Which of the following attack techniques is used by an attacker to exploit the vulnerabilities that occur while processing the input parameters of end users and the server responses in a web application? A. Denial-of-service attack B. XSS attack C. MITM attack D. Social engineering attack

Correct Answer: B. XSS attack

Which of the following techniques is used by attackers for collecting information about remote networks behind firewalls, where the TTL value is used to determine ACL gateway filters and map networks by analyzing the IP packet response? A. Firewalking B. Banner grabbing C. Tiny fragments D. Source routing

Correct Answer: A. Firewalking

Firewalk has just completed the second phase (the scanning phase) and a technician receives the output shown below. What conclusions can be drawn based on these scan results? TCP port 21—no response TCP port 22—no response TCP port 23—Time-to-live exceeded A. The scan on port 23 passed through the filtering device. This indicates that port 23 was not blocked at the firewall. B. The scan on port 23 was able to make a connection to the destination host prompting the firewall to respond with a TTL error. C. The lack of response from ports 21 and 22 indicate that those services are not running on the destination server. D. The firewall itself is blocking ports 21 through 23 and a service is listening on port 23 of the target host.

Correct Answer: A. The scan on port 23 passed through the filtering device. This indicates that port 23 was not blocked at the firewall.

Check Point's FireWall-1 listens to which of the following TCP ports? A. 1745 B. 1080 C. 259 D. 1072

Correct Answer: C. 259

Which of the following is a two-way HTTP tunneling software tool that allows HTTP, HTTPS, and SOCKS tunneling of any TCP communication between any client–server systems? A. Super network tunnel B. Bitvise C. Loki D. Secure Pipes

Correct Answer: B. Loki

Which of the following tools is used to execute commands of choice by tunneling them inside the payload of ICMP echo packets if ICMP is allowed through a firewall? A. Anonymizer B. Loki C. HTTPTunnel D. AckCmd

Correct Answer: D. AckCmd

Which feature of Secure Pipes tool open application communication ports to remote servers without opening those ports to public networks? A. Remote backwards B. SOCKS proxies C. Local forwards D. Remote forwards

Correct Answer: C. Local forwards

Which of the following is a hijacking technique where an attacker masquerades as a trusted host to conceal his identity, hijack browsers or websites, or gain unauthorized access to a network? A. IP address spoofing B. Port scanning C. Firewalking D. Source routing

Correct Answer: A. IP address spoofing

An organization’s web application firewall (WAF) allows specific queries and syntaxes that originate from their internal addresses. Jack, a professional hacker, exploited this functionality to send spoofed requests to trick the target WAF and server into believing that the request originated from their internal network. Jack also appended various extensions such as X-Originating-IP, X-Forwarded-For, X-Remote-IP, and X-Remote-Addr to the spoofed requests to bypass the target WAF. Identify the technique employed by Jack to bypass the target WAF. A. HTTP header spoofing B. VLAN hopping C. MAC spoofing D. ARP spoofing

Correct Answer: A. HTTP header spoofing

In which of the following techniques do attackers first send payloads to the WAF connected to their local network to identify the payloads that can be used for evasion and then send those payloads to the target WAF for evasion? A. Fuzzing/brute-forcing B. Code emulation C. Function testing D. Runtime execution path profiling

Correct Answer: A. Fuzzing/brute-forcing

In which of the following attacks does an attacker create a malicious link by developing a JavaScript-based blob with a compatible MIME that is set to automatically download the malware on the victim’s machine? A. URL encoding B. Pre-connection SYN C. HTML smuggling D. Polymorphic shellcode

Correct Answer: C. HTML smuggling

Which of the following practices helps security professionals in defending against HTML smuggling attacks? A. Recommend user to access web browser activated with Microsoft Defender SmartScreen B. Disable cloud delivery-based protection C. Never block auto-execution of .js and .jse files D. Never verify the perimeter operation of security devices

Correct Answer: A. Recommend user to access web browser activated with Microsoft Defender SmartScreen

Mark, a professional hacker, has targeted an organization’s employee to create a backdoor on his system. To achieve his goal, Mark exploited a standard service of Microsoft-based OS that distributes automatic updates to its global users. The administrators often disregard monitoring this service as it delivers continuous updates. Which of the following features did Mark abuse in the above scenario? A. ICMP protocol B. SSH tunneling C. Windows BITS D. HTTP tunneling

Correct Answer: C. Windows BITS

Which of the following tools audits and validates the behavior of security devices and is generally used by security personnel for assessing, auditing, and testing the behavioral characteristics of a non-proxy packet filtering device? A. Colasoft Packet Builder B. AckCmd C. SPECTER D. Traffic IQ Professional

Correct Answer: D. Traffic IQ Professional

In which of the following attacks does an attacker create a malicious link by developing a JavaScript-based blob with a compatible MIME that is set to automatically download the malware on the victim’s machine? A. Polymorphic shellcode B. URL encoding C. Pre-connection SYN D. HTML smuggling

Correct Answer: D. HTML smuggling

Mark, a professional hacker, has targeted an organization’s employee to create a backdoor on his system. To achieve his goal, Mark exploited a standard service of Microsoft-based OS that distributes automatic updates to its global users. The administrators often disregard monitoring this service as it delivers continuous updates. Which of the following features did Mark abuse in the above scenario? A. Windows BITS B. HTTP tunneling C. SSH tunneling D. ICMP protocol

Correct Answer: A. Windows BITS

Which of the following tools is used by attackers to bypass antivirus software by utilizing binary deconstruction, insertion of arbitrary assembly code, and reconstruction? A. Ghostwriting.sh B. FaceNiff C. Colasoft Packet Builder D. KFSensor

Correct Answer: A. Ghostwriting.sh

Identify the evasion technique in which attackers perform DDL hijacking to place a malicious DLL with a legitimate name that the application is looking for in the same directory where the executable resides and then the malicious DLL gets executed along with the application to disable the endpoint security. A. Application whitelisting B. Using blacklist detection C. Fake security applications D. Overlapping fragments

Correct Answer: A. Application whitelisting

Identify the technique in which attackers abuse Microsoft Excel macro sheets to bypass endpoint protection and execute a malicious payload on a target system. A. Fuzzing/brute-forcing B. Fast flux DNS method C. XLM weaponization D. Password grabbing

Correct Answer: C. XLM weaponization

Which of the following tools allows an attacker to identify the hooked syscalls that are stored in the memory during execution? A. USM Anywhere B. X64dbg debugger C. Censys D. WIBR+-WIfi BRuteforce

Correct Answer: B. X64dbg debugger

Which of the following is a cyber defense software suite with antivirus, anti-malware, and intrusion detection capabilities? A. Mention B. Euromonitor C. Symantec Endpoint Protection D. Followerwonk

Correct Answer: C. Symantec Endpoint Protection

Which of the following tools allows attackers to create malicious payload or launcher to bypass endpoint protection? A. Covenant C2 Framework B. Metagoofil C. Sherlock D. Octoparse

Correct Answer: A. Covenant C2 Framework

Identify the bypass technique in which attackers use hex-format encryption to ping different IP addresses for evading detection mechanisms. A. Heuristic analysis B. Passing encoded commands C. Website defacement D. Honey trap

Correct Answer: B. Passing encoded commands

Which of the following techniques helps an attacker circumvent blacklists and hide the C&C server behind the compromised systems operating as reverse proxies? A. Web application fuzz testing B. Reverse DNS lookup C. Fast flux DNS method D. WHOIS lookup

Correct Answer: C. Fast flux DNS method

James, a professional hacker, was targeted to bypass endpoint security and gain access to the internal systems connected to a corporate network. For this purpose, he employed a technique through which malware is executed when a victim performs specific actions such as opening a particular window and clicking it; as a result, the malware gets activated after the system reboots. Identify the technique employed by James to evade endpoint security. A. Timing-based evasion B. Unicode evasion C. Flooding D. IP address spoofing

Correct Answer: A. Timing-based evasion

Which of the following techniques allows attackers to leverage trusted in-built utilities for the execution of malicious codes to evade EDR solutions? A. Distortion techniques B. Signed binary proxy execution C. Masking and filtering D. Spawning using XMLDOM

Correct Answer: B. Signed binary proxy execution

Identify the evasion technique used by attackers to bypass endpoint detection and response (EDR) to infect the devices with potential malware and establish command and control to maintain a foothold without being detected. A. Dark web footprinting B. Website mirroring C. Banner grabbing D. XLM weaponization

Correct Answer: D. XLM weaponization

Which of the following is a simple VLAN enumeration and hopping script that sniffs out CDP packets and extracts the VTP domain name, VLAN management address, native VLAN ID, and IOS version of Cisco devices? A. Nikto B. got-responded C. Frogger D. Maltego

Correct Answer: C. Frogger

Which of the following tools allows attackers to place their device between a network switch and an authenticated device to ensure that the traffic flows through their device? A. InSpectre B. nac_bypass_setup.sh C. Dependency Walker D. OmniPeek

Correct Answer: B. nac_bypass_setup.sh

Identify the evasion technique in which attackers perform DDL hijacking to place a malicious DLL with a legitimate name that the application is looking for in the same directory where the executable resides and then the malicious DLL gets executed along with the application to disable the endpoint security. A. Using blacklist detection B. Application whitelisting C. Overlapping fragments D. Fake security applications

Correct Answer: B. Application whitelisting

Which of the following tools allows attackers to analyze the detection rate of a malicious file that is being propagated to bypass the antivirus solution? A. Zsteg B. VirusTotal C. BeRoot D. Robber

Correct Answer: B. VirusTotal

Which of the following is a cyber defense software suite with antivirus, anti-malware, and intrusion detection capabilities? A. Euromonitor B. Symantec Endpoint Protection C. Mention D. Followerwonk

Correct Answer: B. Symantec Endpoint Protection

Which of the following tools allows attackers to create malicious payload or launcher to bypass endpoint protection? A. Metagoofil B. Octoparse C. Covenant C2 Framework D. Sherlock

Correct Answer: C. Covenant C2 Framework

Which of the following commands allows attackers to transform a malicious payload created using Covenant C2 Framework into a position-independent shellcode? A. Get-ObjectAcl -SamAccountName "users" -ResolveGUIDs B. mimikatz “lsadump::dcsync /domain:(domain name) /user:Administrator” C. ntdsutil "ac in ntds" "ifm" "cr fu c:\temp" q D. ./donut -c GruntStager -a 3 -b 2 -z 2 -x -e 3 GruntHTTP.exe -o gruntloader.bin

Correct Answer: D. ./donut -c GruntStager -a 3 -b 2 -z 2 -x -e 3 GruntHTTP.exe -o gruntloader.bin

Identify the bypass technique in which attackers use hex-format encryption to ping different IP addresses for evading detection mechanisms. A. Passing encoded commands B. Heuristic analysis C. Website defacement D. Honey trap

Correct Answer: A. Passing encoded commands

Which of the following techniques helps an attacker circumvent blacklists and hide the C&C server behind the compromised systems operating as reverse proxies? A. WHOIS lookup B. Web application fuzz testing C. Reverse DNS lookup D. Fast flux DNS method

Correct Answer: D. Fast flux DNS method

Correct Answer: A. Frogger

Which of the following techniques manipulates the TCP/IP stack and is effectively employed to slow down the spread of worms and backdoors? A. Layer 4 tar pits B. Layer 2 tar pits C. Layer 7 tar pits D. Honeyd honeypot

Correct Answer: A. Layer 4 tar pits

One of the following techniques redirects all malicious network traffic to a honeypot after any intrusion attempt is detected. Attackers can identify such honeypots by examining specific TCP/IP parameters such as the round-trip time (RTT), time to live (TTL), and TCP timestamp. Which is this technique? A. User-Mode Linux (UML) B. Fake AP C. Snort_inline D. Bait and switch

Correct Answer: D. Bait and switch

Which honeypot detection tool has the following features: Checks lists of HTTPS, SOCKS4, and SOCKS5 proxies with any ports Checks several remote or local proxylists at once Can upload “Valid proxies” and “All except honeypots” files to FTP Can process proxylists automatically every specified period May be used for usual proxylist validating as well A. WAN Killer B. Send-Safe Honeypot Hunter C. Ostinato D. WireEdit

Correct Answer: B. Send-Safe Honeypot Hunter

Which of the following methods is NOT a countermeasure to defend against IDS evasions? A. Regularly update the antivirus signature database B. Never define the DNS server for client resolver in routers C. Shut down switch ports associated with known attack hosts D. Train users to identify attack patterns

Correct Answer: B. Never define the DNS server for client resolver in routers

Which of the following countermeasures allows security professionals to defend against IDS evasion? A. Always open switch ports associated with known attack hosts B. Never store the attack information for future analysis C. Avoiding traffic normalization solutions at the IDS to protect the system from evasions D. Use the TCP FIN or Reset (RST) packet to terminate malicious TCP sessions

Correct Answer: D. Use the TCP FIN or Reset (RST) packet to terminate malicious TCP sessions

Riya wants to defend against the polymorphic shellcode problem. What countermeasure should she take against this IDS evasion technique? A. Configure a remote syslog server and apply strict measures to protect it from malicious users B. Look for the nopopcode other than 0x90 C. Catalog and review all inbound and outbound traffic D. Disable all FTP connections to or from the network

Correct Answer: B. Look for the nopopcode other than 0x90

Which of the following practices makes an organization’s network susceptible to IDS evasion attempts? A. Perform an in-depth analysis of ambiguous network traffic for all possible threats B. Allow malicious script injection in snort rules directory C. Use TCP FIN or Reset (RST) packet to terminate malicious TCP sessions D. Look for the nop opcode other than 0x90 to defend against the polymorphic shellcode problem

Correct Answer: B. Allow malicious script injection in snort rules directory

Which of the following practices helps security professionals defend their organizational network against IDS evasion attempts? A. Ensure that the packets are arriving from a path secured with IDS B. Do not store the attack information for future analysis C. Look for 0x90 other than nop opcode to defend against the polymorphic shellcode problem D. Never use a traffic normalizer to remove potential ambiguity from the packet stream

Correct Answer: A. Ensure that the packets are arriving from a path secured with IDS

Which of the following practices helps security professionals defend their network against firewall bypass attempts? A. By default, enable all FTP connections to or from the network B. Never configure a remote syslog server C. Use HTTP Evader to run automated testing for suspected firewall evasions D. The firewall should be configured such that the IP address of an intruder should not be filtered out

Correct Answer: C. Use HTTP Evader to run automated testing for suspected firewall evasions

Which of the following practices makes an organization’s network susceptible to firewall evasion attempts? A. Specify the source and destination IP addresses as well as the ports B. Do not use HTTP Evader to run automated testing for suspected firewall evasions C. Run regular risk queries to identify vulnerable firewall rules D. Monitor user access to firewalls and control who can modify the firewall configuration

Correct Answer: B. Do not use HTTP Evader to run automated testing for suspected firewall evasions

Which of the following is a honeypot application that captures rootkits and other malicious malware that hijacks the read() system call? A. Sebek B. Bait and switch C. Tar pits D. Fake AP

Correct Answer: A. Sebek

In what way do the attackers identify the presence of layer 7 tar pits? A. By looking at the IEEE standards for the current range of MAC addresses B. By looking at the latency of the response from the service C. By analyzing the TCP window size D. By looking at the responses with unique MAC address 0:0:f:ff:ff:ff

Correct Answer: B. By looking at the latency of the response from the service