Module 2 Flashcards
Which premise is the foundation of threat hunting?
Pivoting is more difficult to detect than ever before.
Attacks are becoming more difficult.
Cybercrime will only increase.
Threat actors have already infiltrated our network.
Threat actors have already infiltrated our network.
Threat hunting is proactively searching for cyber threats that thus far have gone undetected in a network. Threat hunting begins with a critical major premise: threat actors have already infiltrated our network. It then proceeds to find unusual behavior that may indicate the presence of malicious activity.
Which group is responsible for the Cloud Controls Matrix?
CSA
CIS
OSINT
NIST
The Cloud Security Alliance (CSA) is an organization whose goal is to define and raise awareness of best practices to help secure cloud computing environments. Its Cloud Controls Matrix is a specialized framework of cloud-specific security controls.
When researching how an attack recently took place, Nova discovered that the threat actor, after penetrating the system, started looking to move through the network with their elevated position. What is the name of this technique?
Lateral movement
Twirling
Jumping
Squaring up
Lateral movement
With advanced privileges, a threat actor will tunnel through the network looking for additional systems they can access from this newly elevated position.
Which ISO contains controls for managing and controlling risk?
ISO 31000
ISO 27555
ISO 271101
ISO XRS
ISO 31000 contains controls for managing and controlling risk.
Lykke’s supervisor is evaluating whether to use internal security employees to conduct a penetration test. Lykke does not consider this a good idea and has created a memo with several reasons they should not be used. Which of the following would NOT be part of that memo?
They would have to stay overnight to perform the test.
The employees could have inside knowledge of the network that would give them an advantage.
There may be a lack of expertise.
Employees may have a reluctance to reveal a vulnerability.
They would have to stay overnight to perform the test.
A penetration test does not necessarily have to be performed overnight.
What is the primary goal of penetration testing?
Attempt to uncover deep vulnerabilities and then manually exploit them
Scan a network for open FTP ports
Perform SYN DOS attack towards a server in a network
Attempt to perform an automated scan to discover vulnerabilities
The primary goal of penetration testing is to uncover deep vulnerabilities and then manually exploit them.
Dillip is assigned the role of a SOC developer who must build different teams under the SOC. He must build a new team that will put security defenses in place to prevent another team from penetrating the network. Which team should he build to monitor the other team’s attacks and shore up security defenses as necessary?
Blue team
White team
Red team
Purple team
The blue team monitors for red team attacks and shores up defenses as necessary.
Alice, a vulnerability assessment engineer at a bank, is told to find all the vulnerabilities on an internet-facing web application server running on the HTTPS port. When she finishes the vulnerability scan, she finds several different vulnerabilities at different severity levels. How should she proceed?
Only look at the highest priority vulnerability
Only look at the accuracy of the vulnerability
Look at the priority and the accuracy of the vulnerability
Escalate the situation to a higher analyst
Looking at the priority and the accuracy of the vulnerability is the most appropriate approach for Alice.
Which of the following offensive tools can be used by penetration testers post-exploitation, after the successful compromise of a user account in a network, to dump passwords from memory along with hashes, PINs, and Kerberos tickets, and thus are used for privilege escalation attacks?
Mimikatz and hashcat
Ophcrack and John-the-Ripper
Tor and NMAP
PowerShell and procdump
Mimikatz and hashcat dump passwords from memory, as well as hashes, PINs, and Kerberos tickets, and thus are used for privilege escalation attacks.
Robert is a black box penetration tester who conducted pen testing attacks on all of the network’s application servers. He was able to exploit a vulnerability and gain access to the system using a mimikatz tool. Which of the following activities did he perform using mimikatz, and which task should he perform next?
Robert used mimikatz for phishing, and should perform lateral movement next.
Robert used mimikatz for footprinting, and should install a backdoor next.
Robert used mimikatz for credential harvesting, and should perform privilege escalation using a high-privileged account next.
Robert used mimikatz for tailgating, and should perform phishing next.
Mimikatz is used for credential harvesting, which will dump all the credentials stored in the OS’s memory. If an account with higher privilege, such as a domain admin or an enterprise admin, is discovered, then privilege escalation is performed to gain access to the account with elevated privileges.
What are the primary features of a security information and event management (SIEM) tool?
Aggregation, deep packet investigation, and policy creation
Aggregation, correlation, event deduplication, time synchronization, and alerting
Bandwidth monitoring, alerting, and volume measuring
Filtering, alerting, packet dropping, packet capturing, and traffic analyzing
Aggregation, correlation, event deduplication, time synchronization, and alerting are the important features of a SIEM tool.
Which of the following is a characteristic of a vulnerability scan that is not a characteristic of a penetration test?
A vulnerability scan can be done when a regulatory body requires it or on a pre-determined schedule.
A vulnerability scan is usually automated.
A vulnerability scan is usually a manual process.
A vulnerability scan identifies deep vulnerabilities.
A vulnerability scan is automated, while a penetration test is performed manually.
Which of the following is considered an industry-specific cybersecurity regulation?
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Sarbanes-Oxley Act of 2002 (SOX)
Personal Information Protection and Electronic Documents Act (PIPEDA)
Gramm-Leach-Bliley Act (GLB)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains regulations protecting the privacy and security of certain protected health information (PHI).
Which of the following is the most efficient means of discovering wireless signals?
War cycling
War chalking
Wardriving
War flying
War flying
What is the primary difference between credentialed and non-credentialed scans?
Credentialed scans are legal, while non-credentialed scans are illegal.
Credentialed scans use valid authentication credentials to mimic threat actors, while non-credentialed scans do not provide authentication credentials.
Credentialed scans are performed by pen testers, while non-credentialed scans are performed by authorized officers.
Credentialed scans use advanced scanning tools, while non-credentialed scans do not use tools.
Credentialed scans are the process where valid authentication credentials are supplied to the vulnerability scanner to mimic the work of a threat actor who possesses these credentials. A non-credentialed scan provides no such authentication information.