MODULE 28 - CERTIFICATION EXAM PREPARATION Flashcards

1
Q

Regulatory compliance may require documentation, and this documentation may be inspected by authorities in the event of a public investigation.

2
Q

NIST Special Publication 800-86

Guide to Integrating Forensic Techniques into Incident Response is a valuable resource for organizations that require guidance in developing digital forensics plans.

For example, it recommends that forensics be performed using a four-phase process: collection, examination, analysis, and reporting.

3
Q

The Digital Evidence Forensic Process..

https://snipboard.io/mD1asv.jpg

STEP 1 - COLLECTION

STEP 2 - EXAMINATION

STEP 3 - ANALYSIS

STEP 4 - REPORTING

4
Q

The Digital Evidence Forensic Process STEP 1

A

STEP 1 :

COLLECTION :

This is the identification of potential sources of forensic data and acquisition, handling, and storage of that data.

This stage is critical because special care must be taken not to damage, lose, or omit important data.

5
Q

The Digital Evidence Forensic Process STEP 2

A

STEP 2 :

EXAMINATION :

This entails assessing and extracting relevant information from the collected data.

This may involve decompression or decryption of the data. Information that is irrelevant to the investigation may need to be removed.

Identifying actual evidence in large collections of data can be very difficult and time-consuming.

6
Q

The Digital Evidence Forensic Process STEP 3

A

STEP 3 :

ANALYSIS :

This entails drawing conclusions from the data.

Salient features, such as people, places, times, events, and so on should be documented.

This step may also involve the correlation of data from multiple sources.

7
Q

The Digital Evidence Forensic Process STEP 4

A

STEP 4 :

REPORTING :

This entails preparing and presenting information that resulted from the analysis.

Reporting should be impartial and alternative explanations should be offered if appropriate.

Limitations of the analysis and problems encountered should be included.

Suggestions for further investigation and next steps should also be made.

8
Q

Types of Evidence

– Best evidence

– Corroborating evidence

– Indirect evidence

9
Q

Types of Evidence :

BEST EVIDENCE

Evidence that is in its original state.

This evidence could be storage devices used by an accused, or archives of files that can be proven to be unaltered.

10
Q

Types of Evidence :

CORROBORATING EVIDENCE

This is evidence that supports an assertion that is developed from best evidence.

11
Q

Types of Evidence :

INDIRECT EVIDENCE

This is evidence that, in combination with other facts, establishes a hypothesis.

This is also known as circumstantial evidence.

For example, evidence that an individual has committed similar crimes can support the assertion that the person committed the crime of which they are accused.

12
Q

Evidence Collection Order: IETF RFC 3227

RFC 3227 (Guidelines for Evidence Collection and Archiving) provides guidelines for the collection of digital evidence.

It describes an order for the collection of digital evidence based on the volatility of the data.

Data stored in RAM is the most volatile, and it will be lost when the device is turned off.

A

In addition, important data in volatile memory could be overwritten by routine machine processes.

Therefore, the collection of digital evidence should begin with the most volatile evidence and proceed to the least volatile:

https://snipboard.io/2MTuNn.jpg

13
Q

An example of most volatile to least volatile evidence collection order:

1) Memory registers, caches
2) Routing table, ARP cache, process table, kernel statistics, RAM
3) Temporary file systems
4) Non-volatile media, fixed and removable
5) Remote logging and monitoring data
6) Physical interconnections and topologies
7) Archival media, tape or other backups

14
Q

Details of the systems from which the evidence was collected, including who has access to those systems and at what level of permissions, should be recorded.

Such details should include hardware and software configurations for the systems from which the data was obtained.

15
Q

Chain of custody involves the collection, handling, and secure storage of evidence.

Detailed records should be kept of the following:

Who discovered and collected the evidence?

All details about the handling of evidence including times, places, and personnel involved.

Who has primary responsibility for the evidence, when responsibility was assigned, and when custody changed?

Who had physical access to the evidence while it was stored?

Access should be restricted to only the most essential personnel.

16
Q

When collecting data, it is important that it is preserved in its original condition.

17
Q

File timestamps should be preserved.

For this reason, the original evidence should be copied, and analysis should only be conducted on copies of the original.

This is to avoid accidental loss or alteration of the evidence.

Because timestamps may be part of the evidence, opening files from the original media should be avoided.

18
Q

The process used to create copies of the evidence that is used in the investigation should be recorded.

Whenever possible, the copies should be direct bit-level copies of the original storage volumes.

It should be possible to compare the archived disk image with the investigated disk image to identify whether the contents of the investigated image have been tampered with. In practice this is done by recording a cryptographic hash (for example, SHA-256) of the image at acquisition time and re-hashing the copy whenever its integrity must be shown.

For this reason, it is important to archive and protect the original disk to keep it in its original, untampered condition.

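
A worked example of the integrity and custody checks described in cards 15 to 18. This is an added example, not code from NIST SP 800-86, RFC 3227 or the course material. The "media" is an in-memory byte string standing in for a bit-level disk image (in practice produced through a write blocker with an imaging tool), and every person, place and timestamp is hypothetical. It shows two things the cards describe but do not demonstrate: how the hash recorded at acquisition lets the working copy be compared with the archived original, and how a hash-chained custody log makes a later edit to the record itself detectable.

```python
"""Evidence image verification and a tamper-evident chain-of-custody log.

Added example with constructed data: MEDIA stands in for a bit-level image,
and all people, places and timestamps are hypothetical.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_image(media: bytes) -> bytes:
    """Bit-level copy of the source: every byte, unchanged."""
    return bytes(media)


def image_matches(reference_hash: str, image: bytes) -> bool:
    """Compare an investigated copy against the hash recorded at acquisition."""
    return sha256_hex(image) == reference_hash


@dataclass
class CustodyEntry:
    seq: int
    timestamp: str        # ISO 8601, UTC
    action: str           # collected / imaged / transferred / examined
    person: str
    location: str
    evidence_hash: str    # SHA-256 of the evidence when this entry was made
    prev_entry_hash: str  # digest of the previous entry (hash chain)

    def digest(self) -> str:
        # Canonical JSON so the digest does not depend on field order
        return sha256_hex(json.dumps(asdict(self), sort_keys=True).encode())


class CustodyLog:
    """Append-only record: each entry commits to the digest of the one before,
    so altering or dropping an earlier entry invalidates every later one."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []

    def record(self, timestamp: str, action: str, person: str,
               location: str, evidence_hash: str) -> CustodyEntry:
        prev = self.entries[-1].digest() if self.entries else self.GENESIS
        entry = CustodyEntry(len(self.entries), timestamp, action, person,
                             location, evidence_hash, prev)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        expected_prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry.seq != i or entry.prev_entry_hash != expected_prev:
                return False
            expected_prev = entry.digest()
        return True


# Constructed stand-in for the seized drive: a boot-sector marker plus filler
MEDIA = b"\x55\xaa" + bytes(range(256)) * 4


def demo():
    reference = sha256_hex(MEDIA)          # hash taken at collection time
    log = CustodyLog()
    log.record("2024-03-01T09:12:00Z", "collected", "J. Ortiz", "Server room B", reference)

    archive = acquire_image(MEDIA)         # sealed copy, never analysed
    working = acquire_image(MEDIA)         # copy the analyst actually uses
    log.record("2024-03-01T10:05:00Z", "imaged", "J. Ortiz", "Forensics lab", sha256_hex(archive))
    log.record("2024-03-01T10:30:00Z", "transferred", "M. Chen", "Evidence locker 7", sha256_hex(archive))

    copy_ok_before = image_matches(reference, working)
    tampered = bytearray(working)
    tampered[100] ^= 0xFF                  # one flipped byte, e.g. a touched timestamp
    copy_ok_after = image_matches(reference, bytes(tampered))

    chain_ok = log.verify()
    log.entries[0].person = "unknown"      # someone rewrites who collected it
    chain_ok_after_edit = log.verify()
    return copy_ok_before, copy_ok_after, chain_ok, chain_ok_after_edit


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

The hash chain is one way to make the custody record tamper-evident; it does not replace the signed paper or ticketing record most organizations keep, and it only proves that the log was not altered after the fact, not that the first entry was truthful. The hash of the source media should be taken before any copy is made and recorded with the copy's hash, so that a mismatch can be tied to a specific step.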
19
Q

Volatile memory could contain forensic evidence, so special tools should be used to preserve that evidence before the device is shut down and the evidence is lost.

Users should not disconnect, unplug, or turn off infected machines unless explicitly told to do so by security personnel.

Following these processes helps ensure that evidence of wrongdoing is preserved and that indicators of compromise can be identified.

20
Q

Threat attribution refers to the act of determining the individual, organization, or nation responsible for a successful intrusion or attack incident.

21
Q

Identifying responsible threat actors should occur through the principled and systematic investigation of the evidence.

22
Q

In an evidence-based investigation, the incident response team correlates the tactics, techniques, and procedures (TTPs) that were used in the incident with other known exploits.

23
Q

Threat intelligence sources can help to map the TTPs identified by an investigation to known sources of similar attacks.

However, this highlights a problem with threat attribution.

Evidence of cybercrime is seldom direct evidence.

Identifying commonalities between TTPs for known and unknown threat actors is circumstantial evidence.

24
Q

Some aspects of a threat that can aid in attribution are the location of originating hosts or domains, features of the code used in malware, the tools used, and other techniques.

Sometimes, at the national security level, threats cannot be openly attributed because doing so would expose methods and capabilities that need to be protected.

25
Q

For internal threats, asset management plays a major role.

Uncovering the devices from which an attack was launched can lead directly to the threat actor.

IP addresses, MAC addresses, and DHCP logs can help track the addresses used in the attack back to a specific device.

AAA logs are very useful in this regard, as they track who accessed what network resources at what time.

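
The correlation described in the card above, worked through in code. This is an added example, not part of the course material: the IDS alert, DHCP lease log, AAA (RADIUS) accounting lines and asset inventory are all constructed, and the hosts, users, MAC addresses and switch names are hypothetical. The point it makes that the card does not is that the IP-to-device step must be done on time as well as address: the same IP is leased to three devices during the day, and only the lease in force at the moment of the alert identifies the right machine.

```python
"""Tracing an alert's internal source IP to a device and user.

Added example with constructed log lines: an IDS alert, DHCP lease log
(IP -> MAC), AAA/RADIUS accounting (MAC -> user, switch port) and an asset
inventory. Hosts, users and addresses are hypothetical.
"""
import re
from datetime import datetime, timezone
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple

ALERT = "2024-03-01T10:15:22Z ids alert sig='SMB brute force' src=10.20.30.44 dst=10.0.0.5"

# The same IP is leased to three devices during the day, so the lease has to
# be matched on time, not just on address.
DHCP_LOG = [
    "2024-03-01T08:10:03Z dhcpd: DHCPACK on 10.20.30.44 to 9c:b6:d0:11:22:33 (LT-0198) via eth1",
    "2024-03-01T09:58:01Z dhcpd: DHCPACK on 10.20.30.44 to 3c:52:82:aa:bb:cc (WS-4471) via eth1",
    "2024-03-01T10:40:15Z dhcpd: DHCPACK on 10.20.30.44 to f4:5c:89:dd:ee:ff (LT-0301) via eth1",
]
AAA_LOG = [
    "2024-03-01T08:09:40Z radius Access-Accept user=bkim mac=9C-B6-D0-11-22-33 nas=sw-floor3 port=Gi1/0/7",
    "2024-03-01T09:57:50Z radius Access-Accept user=ahernandez mac=3C-52-82-AA-BB-CC nas=sw-floor3 port=Gi1/0/12",
    "2024-03-01T10:39:58Z radius Access-Accept user=dlee mac=F4-5C-89-DD-EE-FF nas=sw-floor3 port=Gi1/0/7",
]
ASSETS: Dict[str, Tuple[str, str, str]] = {  # MAC -> (hostname, owner, location)
    "3c:52:82:aa:bb:cc": ("WS-4471", "A. Hernandez", "Floor 3, desk 12"),
    "9c:b6:d0:11:22:33": ("LT-0198", "B. Kim", "Floor 3, hot desk"),
}


class Lease(NamedTuple):
    ts: datetime
    ip: str
    mac: str
    hostname: str


class Session(NamedTuple):
    ts: datetime
    user: str
    mac: str
    nas: str
    port: str


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def norm_mac(mac: str) -> str:
    """Canonical form so 3C-52-82-AA-BB-CC and 3c:52:82:aa:bb:cc compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


DHCP_RE = re.compile(r"^(\S+) dhcpd: DHCPACK on (\S+) to (\S+) \((\S+)\)")
AAA_RE = re.compile(r"^(\S+) radius Access-Accept user=(\S+) mac=(\S+) nas=(\S+) port=(\S+)")
ALERT_RE = re.compile(r"^(\S+) .*\bsrc=(\S+)")


def parse_dhcp(lines: List[str]) -> List[Lease]:
    matches = (DHCP_RE.match(line) for line in lines)
    return [Lease(parse_ts(m[1]), m[2], norm_mac(m[3]), m[4]) for m in matches if m]


def parse_aaa(lines: List[str]) -> List[Session]:
    matches = (AAA_RE.match(line) for line in lines)
    return [Session(parse_ts(m[1]), m[2], norm_mac(m[3]), m[4], m[5]) for m in matches if m]


def latest_before(records, when: datetime, matches: Callable):
    """Most recent record at or before `when` that satisfies `matches`, else None."""
    hits = [r for r in records if r.ts <= when and matches(r)]
    return max(hits, key=lambda r: r.ts) if hits else None


def attribute(alert: str, dhcp_lines: List[str], aaa_lines: List[str],
              assets: Dict[str, Tuple[str, str, str]]) -> Dict[str, Optional[str]]:
    m = ALERT_RE.match(alert)
    if not m:
        raise ValueError("alert line has no timestamp or src field")
    when, src_ip = parse_ts(m[1]), m[2]
    # Step 1: which device held the IP when the alert fired (DHCP, time-aware)
    lease = latest_before(parse_dhcp(dhcp_lines), when, lambda l: l.ip == src_ip)
    if lease is None:
        return {"ip": src_ip, "error": "no DHCP lease for this IP at alert time"}
    # Step 2: who authenticated that MAC, and on which switch port (AAA)
    session = latest_before(parse_aaa(aaa_lines), when, lambda s: s.mac == lease.mac)
    # Step 3: asset management ties the MAC to an owned, located device
    hostname, owner, location = assets.get(lease.mac, (lease.hostname, None, None))
    return {
        "ip": src_ip, "mac": lease.mac, "hostname": hostname,
        "owner": owner, "location": location,
        "user": session.user if session else None,
        "switch_port": f"{session.nas} {session.port}" if session else None,
    }
```

Real DHCP and RADIUS logs differ in layout (syslog timestamps without a year, vendor-specific attribute names), so the regular expressions are the part to adapt; the time-aware lookup and MAC normalization carry over unchanged. A MAC can be spoofed, which is why the AAA record and the switch port are kept alongside it rather than trusting the address alone.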
26
Q

One way to attribute an attack is to model threat actor behavior.

27
Q

The MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) Framework helps defenders detect attacker tactics, techniques, and procedures (TTPs) as part of threat defense and attack attribution.

This is done by mapping the steps in an attack to a matrix of generalized tactics and describing the techniques that are used in each tactic.

28
Q

Tactics are the technical goals that an attacker must accomplish in order to execute an attack, and techniques are the means by which the tactics are accomplished.

29
Q

Procedures are the specific actions taken by threat actors within the techniques that have been identified.

Procedures are the documented real-world use of techniques by threat actors.

30
Q

The MITRE ATT&CK Framework is a global knowledge base of threat actor behavior.

It is based on observation and analysis of real-world exploits with the purpose of describing the behavior of the attacker, not the attack itself.

It is designed to enable automated information sharing by defining data structures for the exchange of information between its community of users and MITRE.

31
Q

MITRE ATT&CK Matrix for a Ransomware Exploit

https://snipboard.io/OCE1B0.jpg

32
Q

The Cyber Kill Chain was developed by Lockheed Martin to identify and prevent cyber intrusions.

33
Q

HOW MANY STEPS ARE THERE TO THE CYBER KILL CHAIN?

7

34
Q

Focusing on Cyber Kill Chain steps helps analysts understand the tactics, techniques, and procedures of threat actors.

35
Q

When responding to a security incident, the objective is to detect and stop the attack as early as possible in the kill chain progression.

The earlier the attack is stopped, the less damage is done and the less the attacker learns about the target network.

36
Q

The Cyber Kill Chain specifies what an attacker must complete to accomplish their goal.

https://snipboard.io/eUECVy.jpg

37
Q

If the attacker is stopped at any stage of the Cyber Kill Chain, the chain of attack is broken.

Breaking the chain means the defender successfully thwarted the threat actor’s intrusion.

Threat actors are successful only if they complete Step 7 (Actions on Objectives).

38
Q

Lockheed Martin uses the term “adversary” in its description of the Cyber Kill Chain.

39
Q

CYBER KILL CHAIN STEP 1: Reconnaissance

Reconnaissance is when the threat actor performs research, gathers intelligence, and selects targets.

This will inform the threat actor if the attack is worth performing.

A

Any public information may help to determine the what, where, and how of the attack to be performed.

There is a lot of publicly available information, especially for larger organizations including news articles, websites, conference proceedings, and public-facing network devices. Increasing amounts of information surrounding employees is available through social media outlets.

40
Q

The threat actor will choose targets that have been neglected or left unprotected, because they have a higher likelihood of being penetrated and compromised.

All information obtained by the threat actor is reviewed to determine its importance and if it reveals possible additional avenues of attack.

41
Q

Reconnaissance Adversary (THREAT ACTOR) Tactics

Plan and conduct research:

– Harvest email addresses

– Identify employees on social media

– Collect all public relations information (press releases, awards, conference attendees, etc.)

– Discover internet-facing servers

– Conduct scans of the network to identify IP addresses and open ports.

42
Q

Reconnaissance SOC Defenses

Discover adversary’s intent:

– Web log alerts and historical searching data

– Data mine browser analytics

– Build playbooks for detecting behavior that indicates recon activity

– Prioritize defense around technologies and people that reconnaissance activity is targeting

43
Q

CYBER KILL CHAIN STEP 2: Weaponization

The goal of this step is to use the information from reconnaissance to develop a weapon against specific targeted systems or individuals in the organization.

To develop this weapon, the designer will use the vulnerabilities of the assets that were discovered and build them into a tool that can be deployed.

A

After the tool has been used, it is expected that the threat actor has achieved their goal of gaining access to the target system or network, or of degrading the health of a target or the entire network.

The threat actor will further examine network and asset security to expose additional weaknesses, gain control over other assets, or deploy additional attacks.

44
Q

It is often more effective to use a zero-day attack to avoid detection methods.

45
Q

A zero-day attack uses a weapon that is unknown to defenders and network security systems.

The threat actor may wish to develop their own weapon that is specifically designed to avoid detection, using the information about the network and systems that they have learned.

Attackers have learned how to create numerous variants of their attacks in order to evade network defenses.

46
Q

Weaponization Adversary Tactics:

Prepare and stage the operation:

– Obtain an automated tool to deliver the malware payload (weaponizer).

– Select or create a document to present to the victim.

– Select or create a backdoor and command and control infrastructure.

47
Q

Weaponization SOC Defense:

Detect and collect weaponization artifacts:

– Ensure that IDS rules and signatures are up to date.

– Conduct full malware analysis.

– Build detections for the behavior of known weaponizers.

– Is malware old, “off the shelf” or new malware that might indicate a tailored attack?

– Collect files and metadata for future analysis.

– Determine which weaponizer artifacts are common to which campaigns.

48
Q

CYBER KILL CHAIN STEP 3: Delivery

The weapon is transmitted to the target using a delivery vector.

This may be through the use of a website, removable USB media, or an email attachment.

If the weapon is not delivered, the attack will be unsuccessful.

Security sensors can often detect known malicious code, so the threat actor usually alters the weapon to avoid detection.

The code may be altered to seem innocent, yet still perform the necessary actions, even though it may take longer to execute.

49
Q

Delivery Adversary Tactics

Launch malware at target:

– Direct against web servers

– Indirect delivery through:

– Malicious email

– Malware on USB stick

– Social media interactions

– Compromised websites

50
Q

Delivery SOC Defense

Block delivery of malware:

– Analyze the infrastructure path used for delivery.

– Understand targeted servers, people, and data available to attack

– Infer intent of the adversary based on targeting.

– Collect email and web logs for forensic reconstruction.

51
Q

CYBER KILL CHAIN STEP 4: Exploitation

After the weapon has been delivered, the threat actor uses it to exploit the vulnerability and gain control of the target.

The most common exploit targets are applications, operating system vulnerabilities, and users.

The attacker must use an exploit that gains the effect they desire.

52
Q

Exploitation Adversary Tactics:

Exploit a vulnerability to gain access:

– Use software, hardware, or human vulnerability

– Acquire or develop the exploit

– Use an adversary-triggered exploit for server vulnerabilities

– Use a victim-triggered exploit such as opening an email attachment or malicious weblink

53
Q

Exploitation SOC Defense

Train employees, secure code, and harden devices:

– Employee security awareness training and periodic email testing

– Web developer training for securing code

– Regular vulnerability scanning and penetration testing

– Endpoint hardening measures

– Endpoint auditing to forensically determine origin of exploit

54
Q

CYBER KILL CHAIN STEP 5: INSTALLATION

This step is where the threat actor establishes a back door into the system to allow for continued access to the target.

To preserve this backdoor, it is important that remote access does not alert cybersecurity analysts or users.

A

The access method must survive through antimalware scans and rebooting of the computer to be effective.

This persistent access can also allow for automated communications, especially effective when multiple channels of communication are necessary when commanding a botnet.

55
Q

INSTALLATION Adversary Tactics

Install persistent backdoor:

– Install webshell on web server for persistent access.

– Create point of persistence by adding services, AutoRun keys, etc.

– Some adversaries modify the timestamp of the malware to make it appear as part of the operating system.

56
Q

INSTALLATION SOC Defense

Detect, log, and analyze installation activity:

– HIPS to alert or block on common installation paths.

– Determine if malware requires elevated privileges or user privileges

– Endpoint auditing to discover abnormal file creations.

– Determine if malware is a known threat or a new variant.

A

INSTALLATION SOC Defense

Detect, log, and analyze installation activity:

– HIPS to alert or block on common installation paths.

– Determine if malware requires elevated privileges or user privileges

– Endpoint auditing to discover abnormal file creations.

– Determine if malware is a known threat or a new variant.

57
Q

CYBER KILL CHAIN STEP 6: Command and Control

The goal is to establish command and control (CnC or C2) with the target system.

Compromised hosts usually beacon out of the network to a controller on the internet.

This is because most malware requires manual interaction in order to exfiltrate data from the network.

A

CnC channels are used by the threat actor to issue commands to the software that they installed on the target.

The cybersecurity analyst must be able to detect CnC communications in order to discover the compromised host.

This may be in the form of unauthorized Internet Relay Chat (IRC) traffic or excessive traffic to suspect domains.

58
Q

Command and Control Adversary Tactics

Open channel for target manipulation:

– Open two-way communications channel to CNC infrastructure

– Most common CNC channels over web, DNS, and email protocols

– CnC infrastructure may be adversary owned or another victim network itself

A

Command and Control Adversary Tactics

Open channel for target manipulation:

– Open two-way communications channel to CNC infrastructure

– Most common CNC channels over web, DNS, and email protocols

– CnC infrastructure may be adversary owned or another victim network itself

59
Q

Command and Control SOC Defense

Last chance to block operation:

– Research possible new CnC infrastructures

– Discover CnC infrastructure through malware analysis

– Isolate DNS traffic to suspect DNS servers, especially Dynamic DNS

– Prevent impact by blocking or disabling CnC channel

– Consolidate the number of internet points of presence

– Customize rules for blocking CnC protocols on web proxies

A

Command and Control SOC Defense

Last chance to block operation:

– Research possible new CnC infrastructures

– Discover CnC infrastructure through malware analysis

– Isolate DNS traffic to suspect DNS servers, especially Dynamic DNS

– Prevent impact by blocking or disabling CnC channel

– Consolidate the number of internet points of presence

– Customize rules for blocking CnC protocols on web proxies

60
Q

CYBER KILL CHAIN STEP 7: Actions on Objectives:

The final step of the Cyber Kill Chain describes the threat actor achieving their original objective.

This may be data theft, performing a DDoS attack, or using the compromised network to create and send spam or mine Bitcoin.

A

At this point the threat actor is deeply rooted in the systems of the organization, hiding their moves and covering their tracks.

It is extremely difficult to remove the threat actor from the network.

61
Q

Actions on Objectives Adversary Tactics

Reap the rewards of successful attack:

Collect user credentials

Privilege escalation

Internal reconnaissance

Lateral movement through environment

Collect and exfiltrate data

Destroy systems

Overwrite, modify, or corrupt data

A

Actions on Objectives Adversary Tactics

Reap the rewards of successful attack:

Collect user credentials

Privilege escalation

Internal reconnaissance

Lateral movement through environment

Collect and exfiltrate data

Destroy systems

Overwrite, modify, or corrupt data

62
Q

Actions on Objectives SOC Defense

Detect by using forensic evidence:

Establish incident response playbook

Detect data exfiltration, lateral movement, and unauthorized credential usage

Immediate analyst response for all alerts

Forensic analysis of endpoints for rapid triage

Network packet captures to recreate activity

Conduct damage assessment

A

Actions on Objectives SOC Defense

Detect by using forensic evidence:

Establish incident response playbook

Detect data exfiltration, lateral movement, and unauthorized credential usage

Immediate analyst response for all alerts

Forensic analysis of endpoints for rapid triage

Network packet captures to recreate activity

Conduct damage assessment

63
Q

The Diamond Model of Intrusion Analysis is made up of four parts, as shown in the figure:

https://snipboard.io/CBGjH8.jpg

The model represents a security incident or event.

In the Diamond Model, an event is a time-bound activity that is restricted to a specific step in which an adversary uses a capability over infrastructure to attack a victim to achieve a specific result.

A

The Diamond Model of Intrusion Analysis is made up of four parts, as shown in the figure:

https://snipboard.io/CBGjH8.jpg

The model represents a security incident or event.

In the Diamond Model, an event is a time-bound activity that is restricted to a specific step in which an adversary uses a capability over infrastructure to attack a victim to achieve a specific result.

64
Q

The four core features of an intrusion event are:

– Adversary

– Capability

– Infrastructure

– Victim

A

The four core features of an intrusion event are:

– Adversary

– Capability

– Infrastructure

– Victim

65
Q

intrusion event: Adversary

These are the parties responsible for the intrusion.

The four core features of an intrusion event are:

– Adversary

– Capability

– Infrastructure

– Victim

A

intrusion event: Adversary

These are the parties responsible for the intrusion.

66
Q

intrusion event: Capability

The four core features of an intrusion event are:

– Adversary

– Capability

– Infrastructure

– Victim

A

– Capability

This is a tool or technique that the adversary uses to attack the victim.

67
Q

intrusion event: Infrastructure

The four core features of an intrusion event are:

– Adversary

– Capability

– Infrastructure

– Victim

A

– Infrastructure

This is the network path or paths that the adversaries use to establish and maintain command and control over their capabilities.

68
Q

intrusion event: Victim

The four core features of an intrusion event are:

– Adversary

– Capability

– Infrastructure

– Victim

A

– Victim

This is the target of the attack.

However, a victim might be the target initially and then used as part of the infrastructure to launch other attacks.

69
Q

The adversary uses capabilities over infrastructure to attack the victim.

The model can be interpreted as saying, “The adversary uses the infrastructure to connect to the victim.

The adversary develops capability to exploit the victim.”

For example, a capability like malware might be used over the email infrastructure by an adversary to exploit a victim.

A

The adversary uses capabilities over infrastructure to attack the victim.

The model can be interpreted as saying, “The adversary uses the infrastructure to connect to the victim.

The adversary develops capability to exploit the victim.”

For example, a capability like malware might be used over the email infrastructure by an adversary to exploit a victim.

70
Q

Meta-features of the Diamond Model expand the model slightly to include the following important elements:

– Timestamp

– Phase

– Result

– Direction

– Methodology

– Resources

A

Meta-features of the Diamond Model expand the model slightly to include the following important elements:

– Timestamp

– Phase

– Result

– Direction

– Methodology

– Resources

71
Q

Diamond Model: Timestamp

Meta-features of the Diamond Model expand the model slightly to include the following important elements:

– Timestamp

– Phase

– Result

– Direction

– Methodology

– Resources

A

– Timestamp

This indicates the start and stop time of an event and is an integral part of grouping malicious activity.

72
Q

Diamond Model: Phase

Meta-features of the Diamond Model expand the model slightly to include the following important elements:

– Timestamp

– Phase

– Result

– Direction

– Methodology

– Resources

A

– Phase

This is analogous to steps in the Cyber Kill Chain; malicious activity includes two or more steps executed in succession to achieve the desired result.

73
Q

Diamond Model: Result

Meta-features of the Diamond Model expand the model slightly to include the following important elements:

– Timestamp

– Phase

– Result

– Direction

– Methodology

– Resources

A

– Result

This delineates what the adversary gained from the event.

Results can be documented as one or more of the following:

confidentiality compromised,

integrity compromised, and

availability compromised.

74
Q

Diamond Model: Direction

Meta-features of the Diamond Model expand the model slightly to include the following important elements:

– Timestamp

– Phase

– Result

– Direction

– Methodology

– Resources

A

– Direction

This indicates the direction of the event across the Diamond Model.

These include Adversary-to-Infrastructure,

Infrastructure-to-Victim,

Victim-to-Infrastructure, and

Infrastructure-to-Adversary.

75
Q

Diamond Model: Methodology

Meta-features of the Diamond Model expand the model slightly to include the following important elements:

– Timestamp

– Phase

– Result

– Direction

– Methodology

– Resources

A

– Methodology

This is used to classify the general type of event, such as port scan, phishing, content delivery attack, SYN flood, etc.

76
Q

Diamond Model: Resources

Meta-features of the Diamond Model expand the model slightly to include the following important elements:

– Timestamp

– Phase

– Result

– Direction

– Methodology

– Resources

A

– Resources

These are one or more external resources used by the adversary for the intrusion event, such as software, adversary’s knowledge, information (e.g., username/passwords), and assets to carry out the attack (hardware, funds, facilities, network access).

77
Q

The Diamond Model is ideal for illustrating how the adversary pivots from one event to the next.

For example, in the figure an employee reports that his computer is acting abnormally.

A host scan by the security technician indicates that the computer is infected with malware.

A

An analysis of the malware reveals that the malware contains a list of CnC domain names.

These domain names resolve to a list of IP addresses.

These IP addresses are then used to identify the adversary, as well as investigate logs to determine if other victims in the organization are using the CnC channel.

Diamond Model Characterization of an Exploit:

https://snipboard.io/XRgas1.jpg

78
Q

Do Adversaries operate in just a single event?

Nooo. Events are threaded together in a chain in which each event must be successfully completed before the next event begins.

This thread of events can be mapped to the Cyber Kill Chain.

A

Do Adversaries operate in just a single event?

Nooo. Events are threaded together in a chain in which each event must be successfully completed before the next event begins.

This thread of events can be mapped to the Cyber Kill Chain.

79
Q

Activity Thread Examples:

https://snipboard.io/uJPjbx.jpg

A

Activity Thread Examples:

https://snipboard.io/uJPjbx.jpg

80
Q

Incident Response involves the methods, policies, and procedures that are used by an organization to respond to a cyberattack.

The aims of incident response are to limit the impact of the attack, assess the damage caused, and implement recovery procedures.

A

Incident Response involves the methods, policies, and procedures that are used by an organization to respond to a cyberattack.

The aims of incident response are to limit the impact of the attack, assess the damage caused, and implement recovery procedures.

81
Q

The U.S. National Institute of Standards and Technology (NIST) recommendations for incident response are detailed in their Special Publication 800-61, revision 2, entitled “Computer Security Incident Handling Guide.”

A

The U.S. National Institute of Standards and Technology (NIST) recommendations for incident response are detailed in their Special Publication 800-61, revision 2, entitled “Computer Security Incident Handling Guide.”

82
Q

The NIST 800-61r2 standard provides guidelines for incident handling, particularly for analyzing incident-related data, and determining the appropriate response to each incident.

The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications.

A

The NIST 800-61r2 standard provides guidelines for incident handling, particularly for analyzing incident-related data, and determining the appropriate response to each incident.

The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications.

83
Q

The first step for an organization is to establish a computer security incident response capability (CSIRC).

NIST recommends creating policies, plans, and procedures for establishing and maintaining a CSIRC.

A

The first step for an organization is to establish a computer security incident response capability (CSIRC).

NIST recommends creating policies, plans, and procedures for establishing and maintaining a CSIRC.

84
Q

Incident Response Capability: Policy Elements

A

Statement of management commitment

Purpose and objectives of the policy

Scope of the policy

Definition of computer security incidents and related terms

Organizational structure and definition of roles, responsibilities, and levels of authority

Prioritization of severity ratings of incidents

Performance measures

Reporting and contact forms

An incident response policy details how incidents should be handled based on the organization’s mission, size, and function.

The policy should be reviewed regularly to adjust it to meet the goals of the roadmap that has been laid out.

85
Q

Incident Response Capability: Plan Elements

A

Mission

Strategies and goals

Senior management approval

Organizational approach to incident response

How the incident response team will communicate with the rest of the organization and with other organizations

Metrics for measuring the incident response capacity

How the program fits into overall organization

A good incident response plan helps to minimize damage caused by an incident.

It also helps to make the overall incident response program better by adjusting it according to lessons learned.

It will ensure that each party involved in the incident response has a clear understanding of not only what they will be doing, but what others will be doing as well.

86
Q

Incident Response Capability: Procedure Elements

A

The procedures that are followed during an incident response should follow the incident response plan.

Technical processes

Using techniques

Filling out forms

Following checklists

These are typical standard operating procedures (SOPs).

These SOPs should be detailed so that the mission and goals of the organization are in mind when these procedures are followed.

SOPs minimize errors that may be caused by personnel that are under stress while participating in incident handling.

87
Q

Incident Response Stakeholders:

Other groups and individuals within the organization may also be involved with incident handling.

It is important to ensure that they will cooperate before an incident is underway.

Their expertise and abilities can help the Computer Security Incident Response Team (CSIRT) to handle the incident quickly and correctly.

A

Incident Response Stakeholders:

Other groups and individuals within the organization may also be involved with incident handling.

It is important to ensure that they will cooperate before an incident is underway.

Their expertise and abilities can help the Computer Security Incident Response Team (CSIRT) to handle the incident quickly and correctly.

88
Q

These are some of the stakeholders that may be involved in handling a security incident:

– Management

– Information Assurance

– IT Support

– Legal Department

– Public Affairs and Media Relations

– Human Resources

– Business Continuity Planners

– Physical Security and Facilities Management

A

These are some of the stakeholders that may be involved in handling a security incident:

– Management

– Information Assurance

– IT Support

– Legal Department

– Public Affairs and Media Relations

– Human Resources

– Business Continuity Planners

– Physical Security and Facilities Management

89
Q

stakeholders that may be involved in handling a security incident: Management

These are some of the stakeholders that may be involved in handling a security incident:

– Management

– Information Assurance

– IT Support

– Legal Department

– Public Affairs and Media Relations

– Human Resources

– Business Continuity Planners

– Physical Security and Facilities Management

A

– Management

Managers create the policies that everyone must follow.

They also design the budget and are in charge of staffing all of the departments.

Management must coordinate the incident response with other stakeholders and minimize the damage of an incident.

90
Q

stakeholders that may be involved in handling a security incident: Information Assurance

These are some of the stakeholders that may be involved in handling a security incident:

– Management

– Information Assurance

– IT Support

– Legal Department

– Public Affairs and Media Relations

– Human Resources

– Business Continuity Planners

– Physical Security and Facilities Management

A

– Information Assurance

This group may need to be called in to change things such as firewall rules during some stages of incident management such as containment or recovery.

91
Q

stakeholders that may be involved in handling a security incident: IT Support

These are some of the stakeholders that may be involved in handling a security incident:

– Management

– Information Assurance

– IT Support

– Legal Department

– Public Affairs and Media Relations

– Human Resources

– Business Continuity Planners

– Physical Security and Facilities Management

A

– IT Support

This is the group that works with the technology in the organization and understands it the most.

Because IT support has a deeper understanding, it is more likely that they will perform the correct action to minimize the effectiveness of the attack or preserve evidence properly.

92
Q

stakeholders that may be involved in handling a security incident: Legal Department

These are some of the stakeholders that may be involved in handling a security incident:

– Management

– Information Assurance

– IT Support

– Legal Department

– Public Affairs and Media Relations

– Human Resources

– Business Continuity Planners

– Physical Security and Facilities Management

A

– Legal Department

It is a best practice to have the legal department review the incident policies, plans, and procedures to make sure that they do not violate any local or federal guidelines.

Also, if any incident has legal implications, a legal expert will need to become involved.

This might include prosecution, evidence collection, or lawsuits.

93
Q

stakeholders that may be involved in handling a security incident: Public Affairs and Media Relations

These are some of the stakeholders that may be involved in handling a security incident:

– Management

– Information Assurance

– IT Support

– Legal Department

– Public Affairs and Media Relations

– Human Resources

– Business Continuity Planners

– Physical Security and Facilities Management

A

– Public Affairs and Media Relations

There are times when the media and the public might need to be informed of an incident, such as when their personal information has been compromised during an incident.

94
Q

stakeholders that may be involved in handling a security incident: Human Resources

These are some of the stakeholders that may be involved in handling a security incident:

– Management

– Information Assurance

– IT Support

– Legal Department

– Public Affairs and Media Relations

– Human Resources

– Business Continuity Planners

– Physical Security and Facilities Management

A

– Human Resources

The human resources department might need to perform disciplinary measures if an incident caused by an employee occurs.

95
Q

stakeholders that may be involved in handling a security incident: Business Continuity Planners

These are some of the stakeholders that may be involved in handling a security incident:

– Management

– Information Assurance

– IT Support

– Legal Department

– Public Affairs and Media Relations

– Human Resources

– Business Continuity Planners

– Physical Security and Facilities Management

A

– Business Continuity Planners

Security incidents may alter an organization’s business continuity.

It is important that those in charge of business continuity planning are aware of security incidents and the impact they have had on the organization as a whole.

This will allow them to make any changes in plans and risk assessments.

96
Q

stakeholders that may be involved in handling a security incident: Physical Security and Facilities Management

These are some of the stakeholders that may be involved in handling a security incident:

– Management

– Information Assurance

– IT Support

– Legal Department

– Public Affairs and Media Relations

– Human Resources

– Business Continuity Planners

– Physical Security and Facilities Management

A

– Physical Security and Facilities Management

When a security incident happens because of a physical attack, such as tailgating or shoulder surfing, these teams might need to be informed and involved.

It is also their responsibility to secure facilities that contain evidence from an investigation.

97
Q

The Cybersecurity Maturity Model Certification (CMMC) framework was created to assess the ability of organizations that perform functions for the U.S. Department of Defense (DoD) to protect the military supply chain from disruptions or losses due to cybersecurity incidents.

A

Security breaches related to DoD information indicated that NIST standards were not sufficient to mitigate against the increasing and evolving threat landscape, especially from nation-state threat actors.

In order for companies to receive contracts from the DoD, those companies must be certified.

The certification consists of five levels, with different levels required depending on the degree of security required by the project.

98
Q

WHAT DOES CMMC STAND FOR?

Cybersecurity Maturity Model Certification

A

WHAT DOES CMMC STAND FOR?

Cybersecurity Maturity Model Certification

99
Q

The Cybersecurity Maturity Model Certification specifies 17 domains, each of which has a varying number of capabilities associated with it.

The organization is rated by the maturity level that has been achieved for each of the domains.

One of the domains concerns incident response.

A

The Cybersecurity Maturity Model Certification specifies 17 domains, each of which has a varying number of capabilities associated with it.

The organization is rated by the maturity level that has been achieved for each of the domains.

One of the domains concerns incident response.

100
Q

The Cybersecurity Maturity Model Certification (CMMC) capabilities that are associated with the incident response domain are as follows:

Plan incident response

Detect and report events

Develop and implement a response to a declared incident

Perform post incident reviews

Test incident response

A

The Cybersecurity Maturity Model Certification (CMMC) capabilities that are associated with the incident response domain are as follows:

Plan incident response

Detect and report events

Develop and implement a response to a declared incident

Perform post incident reviews

Test incident response

101
Q

The CMMC certifies organizations by level.

For most domains there are five levels; however, for incident response there are only four.

The higher the level that is certified, the more mature the cybersecurity capability of the organization.

A

The CMMC certifies organizations by level.

For most domains there are five levels; however, for incident response there are only four.

The higher the level that is certified, the more mature the cybersecurity capability of the organization.

102
Q

A summary of the incident response domain maturity levels is shown below:

Level 2 - Establish an incident response plan that follows the NIST process. Detect, report, and prioritize events. Respond to events by following predefined procedures. Analyze the cause of incidents in order to mitigate future issues.

Level 3 - Document and report incidents to stakeholders that have been identified in the incident response plan. Test the incident response capability of the organization.

Level 4 - Use knowledge of attacker tactics, techniques, and procedures (TTPs) to refine incident response planning and execution. Establish a security operations center (SOC) that facilitates a 24/7 response capability.

Level 5 - Utilize accepted and systematic computer forensic data gathering techniques including the secure handling and storage of forensic data. Develop and utilize manual and automated real-time responses to potential incidents that follow known patterns.

A

A summary of the incident response domain maturity levels is shown below:

Level 2 - Establish an incident response plan that follows the NIST process. Detect, report, and prioritize events. Respond to events by following predefined procedures. Analyze the cause of incidents in order to mitigate future issues.

Level 3 - Document and report incidents to stakeholders that have been identified in the incident response plan. Test the incident response capability of the organization.

Level 4 - Use knowledge of attacker tactics, techniques, and procedures (TTPs) to refine incident response planning and execution. Establish a security operations center (SOC) that facilitates a 24/7 response capability.

Level 5 - Utilize accepted and systematic computer forensic data gathering techniques including the secure handling and storage of forensic data. Develop and utilize manual and automated real-time responses to potential incidents that follow known patterns.

103
Q

NIST defines four steps in the incident response process life cycle, as shown in the figure:

https://snipboard.io/hVuqCZ.jpg

– Preparation

– Detection and Analysis

– Containment, Eradication, and Recovery

– Post-Incident Activities

A

NIST defines four steps in the incident response process life cycle, as shown in the figure:

https://snipboard.io/hVuqCZ.jpg

– Preparation

– Detection and Analysis

– Containment, Eradication, and Recovery

– Post-Incident Activities

104
Q

NIST defines four steps in the incident response process life cycle: Preparation

NIST defines four steps in the incident response process life cycle, as shown in the figure:

https://snipboard.io/hVuqCZ.jpg

– Preparation

– Detection and Analysis

– Containment, Eradication, and Recovery

– Post-Incident Activities

A

– Preparation

The members of the CSIRT are trained in how to respond to an incident.

CSIRT members should continually develop knowledge of emerging threats.

105
Q

NIST defines four steps in the incident response process life cycle: Detection and Analysis

NIST defines four steps in the incident response process life cycle, as shown in the figure:

https://snipboard.io/hVuqCZ.jpg

– Preparation

– Detection and Analysis

– Containment, Eradication, and Recovery

– Post-Incident Activities

A

– Detection and Analysis

Through continuous monitoring, the CSIRT quickly identifies, analyzes, and validates an incident.

106
Q

NIST defines four steps in the incident response process life cycle: Containment, Eradication, and Recovery

NIST defines four steps in the incident response process life cycle, as shown in the figure:

https://snipboard.io/hVuqCZ.jpg

– Preparation

– Detection and Analysis

– Containment, Eradication, and Recovery

– Post-Incident Activities

A

– Containment, Eradication, and Recovery

The CSIRT implements procedures to contain the threat, eradicate the impact on organizational assets, and use backups to restore data and software.

This phase may cycle back to detection and analysis to gather more information, or to expand the scope of the investigation.

107
Q

NIST defines four steps in the incident response process life cycle: Post-Incident Activities

NIST defines four steps in the incident response process life cycle, as shown in the figure:

https://snipboard.io/hVuqCZ.jpg

– Preparation

– Detection and Analysis

– Containment, Eradication, and Recovery

– Post-Incident Activities

A

– Post-Incident Activities

The CSIRT then documents how the incident was handled, recommends changes for future response, and specifies how to avoid a reoccurrence.

108
Q

The incident response life cycle is meant to be a self-reinforcing learning process whereby each incident informs the process for handling future incidents.

Each of these phases is discussed in more detail in this topic.

A

The incident response life cycle is meant to be a self-reinforcing learning process whereby each incident informs the process for handling future incidents.

Each of these phases is discussed in more detail in this topic.

109
Q

NIST defines four steps in the incident response process life cycle: Preparation

The preparation phase is when the CSIRT is created and trained.

This phase is also when the tools and assets that will be needed by the team to investigate incidents are acquired and deployed.

A

The following list has examples of actions that also take place during the preparation phase:

Organizational processes are created to address communication between people on the response team.

This includes such things as contact information for stakeholders, other CSIRTs, and law enforcement, an issue tracking system, smartphones, encryption software, etc.

Facilities to host the response team and the SOC are created.

Necessary hardware and software for incident analysis and mitigation is acquired. This may include forensic software, spare computers, servers and network devices, backup devices, packet sniffers, and protocol analyzers.

Risk assessments are used to implement controls that will limit the number of incidents.

Validation of security hardware and software deployment is performed on end-user devices, servers, and network devices.

User security awareness training materials are developed.

110
Q

Additional incident analysis resources might be required. Examples of these resources are:

– A list of critical assets,

– Network diagrams,

– Port lists,

– Hashes of critical files, and

– Baseline readings of system and network activity.

A

Mitigation software is also an important item when preparing to handle a security incident.

An image of a clean OS and application installation files may be needed to recover a computer from an incident.

111
Q

Often, the CSIRT may have a jump kit prepared.

This is a portable box with many of the items listed above to help in establishing a swift response.

Some of these items may be a laptop with appropriate software installed, backup media, and any other hardware, software, or information to help in the investigation.

A

It is important to inspect the jump kit on a regular basis to install updates and make sure that all the necessary elements are available and ready for use.

It is helpful to practice deploying the jump kit with the CSIRT to ensure that the team members know how to use its contents properly.

112
Q

Detection & Analysis Phase:

Because there are so many different ways in which a security incident can occur, it is impossible to create instructions that completely cover each step to follow to handle them.

Different types of incidents will require different responses.

A

Detection & Analysis Phase:

Because there are so many different ways in which a security incident can occur, it is impossible to write instructions that cover every step of handling each one.

Different types of incidents will require different responses.

113
Q

ATTACK VECTORS :

An organization should be prepared to handle any incident but should focus on the most common types of incidents so that they can be dealt with swiftly.

These are some of the more common types of attack vectors:

Web - Any attack that is initiated from a website or application hosted by a website.

Email - Any attack that is initiated from an email or email attachment.

Loss or Theft - Any equipment used by the organization, such as a laptop, desktop, or smartphone, that is lost or stolen can provide the information someone needs to initiate an attack.

Impersonation - When something or someone is replaced with malicious intent.

Attrition - Any attack that uses brute force to attack devices, networks, or services.

Media - Any attack that is initiated from external storage or removable media.

A

ATTACK VECTORS :

An organization should be prepared to handle any incident but should focus on the most common types of incidents so that they can be dealt with swiftly.

These are some of the more common types of attack vectors:

Web - Any attack that is initiated from a website or application hosted by a website.

Email - Any attack that is initiated from an email or email attachment.

Loss or Theft - Any equipment used by the organization, such as a laptop, desktop, or smartphone, that is lost or stolen can provide the information someone needs to initiate an attack.

Impersonation - When something or someone is replaced with malicious intent.

Attrition - Any attack that uses brute force to attack devices, networks, or services.

Media - Any attack that is initiated from external storage or removable media.

114
Q

DETECTION:

Some incidents are easy to detect while others may go undetected for months.

The detection of security incidents might be the most difficult phase in the incident response process.

Incidents are detected in many different ways, and not all of them provide detailed or clear information about what happened.

There are automated ways of detection such as antivirus software or an IDS.

There are also manual detections through user reports.

A

DETECTION:

Some incidents are easy to detect while others may go undetected for months.

The detection of security incidents might be the most difficult phase in the incident response process.

Incidents are detected in many different ways, and not all of them provide detailed or clear information about what happened.

There are automated ways of detection such as antivirus software or an IDS.

There are also manual detections through user reports.

115
Q

DETECTION PART 2:

There are two categories for the signs of an incident:

– Precursor - This is a sign that an incident might occur in the future.

When precursors are detected, an attack might be avoided by altering security measures to specifically address the type of attack detected.

Examples of precursors are log entries that show a response to a port scan, or a newly discovered vulnerability in an organization’s web server.

– Indicator - This is a sign that an incident might already have occurred or is currently occurring.

Some examples of indicators are a host that has been infected with malware, multiple failed logins from an unknown source, or an IDS alert.

A

DETECTION PART 2:

There are two categories for the signs of an incident:

– Precursor - This is a sign that an incident might occur in the future.

When precursors are detected, an attack might be avoided by altering security measures to specifically address the type of attack detected.

Examples of precursors are log entries that show a response to a port scan, or a newly discovered vulnerability in an organization’s web server.

– Indicator - This is a sign that an incident might already have occurred or is currently occurring.

Some examples of indicators are a host that has been infected with malware, multiple failed logins from an unknown source, or an IDS alert.

116
Q

Containment, Eradication, and Recovery Phase

After a security incident has been detected and sufficient analysis has been performed to determine that the incident is valid, it must be contained in order to determine what to do about it.

Strategies and procedures for incident containment need to be in place before an incident occurs and implemented before there is widespread damage.

A

Containment, Eradication, and Recovery Phase

After a security incident has been detected and sufficient analysis has been performed to determine that the incident is valid, it must be contained in order to determine what to do about it.

Strategies and procedures for incident containment need to be in place before an incident occurs and implemented before there is widespread damage.

117
Q

Containment, Eradication, and Recovery Phase

CONTAINMENT STRATEGY:

For every type of incident, a containment strategy should be created and enforced.

These are some conditions to determine the type of strategy to create for each incident type:

How long will it take to implement and complete a solution?

How much time and how many resources will be needed to implement the strategy?

What is the process to preserve evidence?

Can an attacker be redirected to a sandbox so that the CSIRT can safely document the attacker’s methodology?

What will be the impact to the availability of services?

What is the extent of damage to resources or assets?

How effective is the strategy?

A

Containment, Eradication, and Recovery Phase

CONTAINMENT STRATEGY:

For every type of incident, a containment strategy should be created and enforced.

These are some conditions to determine the type of strategy to create for each incident type:

How long will it take to implement and complete a solution?

How much time and how many resources will be needed to implement the strategy?

What is the process to preserve evidence?

Can an attacker be redirected to a sandbox so that the CSIRT can safely document the attacker’s methodology?

What will be the impact to the availability of services?

What is the extent of damage to resources or assets?

How effective is the strategy?

118
Q

Containment, Eradication, and Recovery Phase

CONTAINMENT STRATEGY PART 2:

During containment, additional damage may be incurred.

For example, it is not always advisable to unplug the compromised host from the network.

The malicious process could notice this disconnection from its CnC controller and trigger a data wipe or encryption on the target.

This is where experience and expertise can help to contain an incident beyond the scope of the containment strategy.

A

Containment, Eradication, and Recovery Phase

CONTAINMENT STRATEGY PART 2:

During containment, additional damage may be incurred.

For example, it is not always advisable to unplug the compromised host from the network.

The malicious process could notice this disconnection from its CnC controller and trigger a data wipe or encryption on the target.

This is where experience and expertise can help to contain an incident beyond the scope of the containment strategy.

119
Q

Containment, Eradication, and Recovery Phase

EVIDENCE

During an incident, evidence must be gathered to resolve it.

Evidence is also important for subsequent investigation by authorities.

Clear and concise documentation surrounding the preservation of evidence is critical.

For evidence to be admissible in court, evidence collection must conform to specific regulations.

After evidence collection, it must be accounted for properly. This is known as the chain of custody.

A

Containment, Eradication, and Recovery Phase

EVIDENCE

During an incident, evidence must be gathered to resolve it.

Evidence is also important for subsequent investigation by authorities.

Clear and concise documentation surrounding the preservation of evidence is critical.

For evidence to be admissible in court, evidence collection must conform to specific regulations.

After evidence collection, it must be accounted for properly. This is known as the chain of custody.

120
Q

Containment, Eradication, and Recovery Phase

EVIDENCE PART 2:

It is vital to educate anyone involved in evidence handling on how to preserve evidence properly.

A

Containment, Eradication, and Recovery Phase

EVIDENCE PART 2:

It is vital to educate anyone involved in evidence handling on how to preserve evidence properly.

121
Q

Containment, Eradication, and Recovery Phase

ATTACKER IDENTIFICATION

Identifying attackers is secondary to containing, eradicating, and recovering hosts and services.

However, identifying attackers will minimize the impact to critical business assets and services.

A

Containment, Eradication, and Recovery Phase

ATTACKER IDENTIFICATION

Identifying attackers is secondary to containing, eradicating, and recovering hosts and services.

However, identifying attackers will minimize the impact to critical business assets and services.

122
Q

Containment, Eradication, and Recovery Phase

ATTACKER IDENTIFICATION PART 2:

These are some of the most important actions to perform to attempt to identify an attacking host during a security incident:

Use incident databases to research related activity. This database may be in-house or located at organizations that collect data from other organizations and consolidate it into incident databases such as the VERIS community database.

Validate the attacker’s IP address to determine if it is a viable one. The host may or may not respond to a request for connectivity.

This may be because it has been configured to ignore the requests, or the address has already been reassigned to another host.

Use an internet search engine to gain additional information about the attack. There may have been another organization or individual that has released information about an attack from the identified source IP address.

Monitor the communication channels that some attackers use, such as IRC. Because users can be disguised or anonymized in IRC channels, they may talk about their exploits in these channels.

Often, the information gathered from this type of monitoring is misleading and should be treated as leads and not facts.

A

These are some of the most important actions to perform to attempt to identify an attacking host during a security incident:

Use incident databases to research related activity. This database may be in-house or located at organizations that collect data from other organizations and consolidate it into incident databases such as the VERIS community database.

Validate the attacker’s IP address to determine if it is a viable one. The host may or may not respond to a request for connectivity.

This may be because it has been configured to ignore the requests, or the address has already been reassigned to another host.

Use an internet search engine to gain additional information about the attack. There may have been another organization or individual that has released information about an attack from the identified source IP address.

Monitor the communication channels that some attackers use, such as IRC. Because users can be disguised or anonymized in IRC channels, they may talk about their exploits in these channels.

Often, the information gathered from this type of monitoring is misleading and should be treated as leads and not facts.

123
Q

Containment, Eradication, and Recovery Phase

After containment, the first step to eradication is identifying all of the hosts that need remediation.

All of the effects of the security incident must be eliminated.

This includes malware infections and user accounts that have been compromised.

All of the vulnerabilities that were exploited by the attacker must also be corrected or patched so that the incident does not occur again.

A

Containment, Eradication, and Recovery Phase

After containment, the first step to eradication is identifying all of the hosts that need remediation.

All of the effects of the security incident must be eliminated.

This includes malware infections and user accounts that have been compromised.

All of the vulnerabilities that were exploited by the attacker must also be corrected or patched so that the incident does not occur again.

124
Q

Containment, Eradication, and Recovery Phase

PART 2:

To recover hosts, use clean and recent backups, or rebuild them with installation media if no backups are available or they have been compromised.

Also, fully update and patch the operating systems and installed software of all hosts.

A

Change all host passwords and passwords for critical systems in accordance with the password security policy.

This may be a good time to validate and upgrade network security, backup strategies, and security policies.

Attackers often attack the systems again, or use a similar attack to target additional resources, so be sure to prevent this as best as possible.

Focus on what can be fixed quickly while prioritizing critical systems and operations.

125
Q

Post-Incident Activity Phase

After incident response activities have eradicated the threats and the organization has begun to recover from the effects of the attack, it is important to take a step back and periodically meet with all of the parties involved to discuss the events that took place and the actions of all of the individuals while handling the incident.

This will provide a platform to learn what was done right, what was done wrong, what could be changed, and what should be improved upon.

A

Post-Incident Activity Phase

After incident response activities have eradicated the threats and the organization has begun to recover from the effects of the attack, it is important to take a step back and periodically meet with all of the parties involved to discuss the events that took place and the actions of all of the individuals while handling the incident.

This will provide a platform to learn what was done right, what was done wrong, what could be changed, and what should be improved upon.

126
Q

Lessons-based hardening

After a major incident has been handled, the organization should hold a “lessons learned” meeting to review the effectiveness of the incident handling process and identify necessary hardening needed for existing security controls and practices.

A

Lessons-based hardening

After a major incident has been handled, the organization should hold a “lessons learned” meeting to review the effectiveness of the incident handling process and identify necessary hardening needed for existing security controls and practices.

127
Q

Lessons-based hardening PART 2:

Examples of good questions to answer during the meeting include the following:

Exactly what happened, and when?

How well did the staff and management perform while dealing with the incident?

Were the documented procedures followed?

Were they adequate?

What information was needed sooner?

Were any steps or actions taken that might have inhibited the recovery?

A

What would the staff and management do differently the next time a similar incident occurs?

How could information sharing with other organizations be improved?

What corrective actions can prevent similar incidents in the future?

What precursors or indicators should be watched for in the future to detect similar incidents?

What additional tools or resources are needed to detect, analyze, and mitigate future incidents?

128
Q

Incident Data Collection and Retention

Data collected through ‘lessons learned’ meetings can be used to determine the cost of an incident for budgeting reasons, to determine the effectiveness of the CSIRT, and to identify possible security weaknesses throughout the system.

The collected data needs to be actionable.

Only collect data that can be used to define and refine the incident handling process.

A

Incident Data Collection and Retention

Data collected through ‘lessons learned’ meetings can be used to determine the cost of an incident for budgeting reasons, to determine the effectiveness of the CSIRT, and to identify possible security weaknesses throughout the system.

The collected data needs to be actionable.

Only collect data that can be used to define and refine the incident handling process.

129
Q

Incident Data Collection and Retention PART 2:

A higher number of incidents handled can show that something in the incident response methodology is not working properly and needs to be refined.

It could also show incompetence in the CSIRT.

A lower number of incidents might show that network and host security has been improved.

A

It could also show a lack of incident detection.

Separate incident counts for each type of incident may be more effective at showing the strengths and weaknesses of the CSIRT and the implemented security measures.

These subcategories can help to target where a weakness resides, rather than whether there is a weakness at all.

130
Q

Incident Data Collection and Retention PART 3:

The time of each incident provides insight into the total amount of labor used and the total time of each phase of the incident response process.

The time until the first response is also important, as well as how long it took to report the incident and escalate it beyond the organization, if necessary.

A

Incident Data Collection and Retention PART 3:

The time of each incident provides insight into the total amount of labor used and the total time of each phase of the incident response process.

The time until the first response is also important, as well as how long it took to report the incident and escalate it beyond the organization, if necessary.

131
Q

Incident Data Collection and Retention PART 4:

It is important to perform an objective assessment of each incident.

The response to an incident that has been resolved can be analyzed to determine how effective it was.

A

Incident Data Collection and Retention PART 4:

It is important to perform an objective assessment of each incident.

The response to an incident that has been resolved can be analyzed to determine how effective it was.

132
Q

Incident Data Collection and Retention PART 5:

NIST Special Publication 800-61 provides the following examples of activities that are performed during an objective assessment of an incident:

Reviewing logs, forms, reports, and other incident documentation for adherence to established incident response policies and procedures.

Identifying which precursors and indicators of the incident were recorded to determine how effectively the incident was logged and identified.

Determining if the incident caused damage before it was detected.

Determining if the actual cause of the incident was identified, and identifying the vector of attack, the vulnerabilities exploited, and the characteristics of the targeted or victimized systems, networks, and applications.

A

Determining if the incident is a recurrence of a previous incident.

Calculating the estimated monetary damage from the incident (e.g., information and critical business processes negatively affected by the incident).

Measuring the difference between the initial impact assessment and the final impact assessment.

Identifying which measures, if any, could have prevented the incident.

Subjective assessment of each incident requires that incident response team members assess their own performance, as well as that of other team members and of the entire team.

Another valuable source of input is the owner of a resource that was attacked, in order to determine if the owner thinks the incident was handled efficiently and if the outcome was satisfactory.

133
Q

Incident Data Collection and Retention PART 6:

There should be a policy in place in each organization that outlines how long evidence of an incident is retained.

Evidence is often retained for many months or many years after an incident has taken place.

A

Incident Data Collection and Retention PART 6:

There should be a policy in place in each organization that outlines how long evidence of an incident is retained.

Evidence is often retained for many months or many years after an incident has taken place.

134
Q

Incident Data Collection and Retention PART 7:

In some cases, compliance regulations may mandate the retention period.

These are some of the determining factors for evidence retention:

Prosecution - When an attacker will be prosecuted because of a security incident, the evidence should be retained until after all legal actions have been completed.

This may be several months or many years. In legal actions, no evidence should be overlooked or considered insignificant.

An organization’s policy may state that any evidence surrounding an incident that has been involved with legal actions must never be deleted or destroyed.

A

Data Type - An organization may specify that specific types of data should be kept for a specific period of time.

Items such as email or text messages may only need to be kept for 90 days.

More important data, such as that used in an incident response that did not involve legal action, may need to be kept for three years or more.

Cost - If there is a lot of hardware and storage media that needs to be stored for a long time, it can become costly.

Remember also that as technology changes, functional devices capable of reading outdated hardware and storage media must be retained as well.

135
Q

Reporting Requirements and Information Sharing

Governmental regulations should be consulted by the legal team to determine precisely the organization’s responsibility for reporting the incident.

In addition, management will need to determine what additional communication is necessary with other stakeholders, such as customers, vendors, partners, etc.

A

Reporting Requirements and Information Sharing

Governmental regulations should be consulted by the legal team to determine precisely the organization’s responsibility for reporting the incident.

In addition, management will need to determine what additional communication is necessary with other stakeholders, such as customers, vendors, partners, etc.

136
Q

Reporting Requirements and Information Sharing PART 2:

Beyond the legal requirements and stakeholder considerations, NIST recommends that an organization coordinate with other organizations to share details of the incident.

For example, the organization could log the incident in the VERIS community database.

A

Reporting Requirements and Information Sharing PART 2:

Beyond the legal requirements and stakeholder considerations, NIST recommends that an organization coordinate with other organizations to share details of the incident.

For example, the organization could log the incident in the VERIS community database.

137
Q

Reporting Requirements and Information Sharing PART 3:

The critical recommendations from NIST for sharing information are as follows:

Plan incident coordination with external parties before incidents occur.

Consult with the legal department before initiating any coordination efforts.

Perform incident information sharing throughout the incident response life cycle.

A

Attempt to automate as much of the information sharing process as possible.

Balance the benefits of information sharing with the drawbacks of sharing sensitive information.

Share as much of the appropriate incident information as possible with other organizations.