Operations and Incident Response Flashcards
Your company is required to remain compliant with PCI-DSS due to the type of information processed by your systems. If there was a breach of this data, which type of disclosure would you be required to provide during your incident response efforts?
Notification to local law enforcement
Notification to your credit card processor
Notification to federal law enforcement
Notification to Visa and Mastercard
Notification to your credit card processor
Which analysis framework provides the most explicit detail regarding how to mitigate or detect a given threat?
MITRE ATT&CK framework
Lockheed Martin cyber kill chain
Diamond Model of Intrusion Analysis
OpenIOC
MITRE ATT&CK framework
Which of the following actions should be done FIRST after forensically imaging a hard drive for evidence in an investigation?
Encrypt the source drive to ensure an attacker cannot modify its contents
Digitally sign the image file to provide non-repudiation of the collection
Encrypt the image file to ensure it maintains data integrity
Create a hash digest of the source drive and the image file to ensure they match
Create a hash digest of the source drive and the image file to ensure they match
Dion Training wants to ensure that none of its office computers can run a peer-to-peer file-sharing program. Which of the following practices should be implemented to achieve this?
MAC filtering
Application blacklisting
Application whitelisting
Enable NAC
Application blacklisting
You are the first forensic analyst to arrive on the scene of a data breach. You have been asked to begin evidence collection on the server while waiting for the rest of your team to arrive. Which of the following evidence should you capture first?
Backup tapes
L3 cache
Image of the server’s SSD
ARP cache
L3 cache
What information should be recorded on a chain of custody form during a forensic investigation?
The list of individuals who made contact with files leading to the investigation
Any individual who worked with evidence during the investigation
The law enforcement agent who was first on the scene
The list of former owners/operators of the workstation involved in the investigation
Any individual who worked with evidence during the investigation
You are attending a cybersecurity conference and just watched a security researcher demonstrating the exploitation of a web interface on a SCADA/ICS component. This caused the device to malfunction and be destroyed. You recognize that the same component is used throughout your company’s manufacturing plants. Which of the following mitigation strategies would provide you with the most immediate protection against this emergent threat?
Logically or physically isolate the SCADA/ICS component from the enterprise network
Evaluate if the web interface must remain open for the system to function; if it isn’t needed, block the web interface
Demand that the manufacturer of the component release a patch immediately and deploy the patch as soon as possible
Replace the affected SCADA/ICS components with more secure models from a different manufacturer
Evaluate if the web interface must remain open for the system to function; if it isn’t needed, block the web interface
An attacker is searching in Google for Cisco VPN configuration files by using the filetype:pcf modifier. The attacker was able to locate several of these configuration files and now wants to decode any connectivity passwords that they might contain. What tool should the attacker use?
Nessus
Nmap
Netcat
Cain and Abel
Cain and Abel
Consider the following snippet from a log file collected on the host with the IP address of 10.10.3.6.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Time: Jun 12, 2020 09:24:12 Port:20 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:14 Port:21 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:16 Port:22 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:18 Port:23 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:20 Port:25 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:22 Port:80 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:24 Port:135 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:26 Port:443 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
Time: Jun 12, 2020 09:24:26 Port:445 Source: 10.10.3.2 Destination:10.10.3.6 Protocol:TCP
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What type of activity occurred based on the output above?
Port scan targeting 10.10.3.2
Port scan targeting 10.10.3.6
Denial of service attack targeting 10.10.3.6
Fragmentation attack targeting 10.10.3.6
Port scan targeting 10.10.3.6
You have discovered that an employee has been conducting illegal activities using his workplace computer. You have taken possession of the employee’s laptop according to your company’s procedures and are waiting to give it to law enforcement authorities. What should you do when turning over the laptop to the police?
Maintain the chain of custody
Quarantine the system
Preserve the evidence
Document the changes
Maintain the chain of custody
You have been hired to conduct an investigation into a possible insider threat from a user named Terri. Which command would you use to review all sudo commands ever issued by Terri (whose login account is terri and UID=1003) on a Linux system? (Select the MOST efficient command)
journalctl _UID=1003 | grep -e [Tt]erri | grep -e 1003 | grep sudo
journalctl _UID=1003 | grep -e 1003 | grep sudo
journalctl _UID=1003 | grep -e [Tt]erri | grep sudo
journalctl _UID=1003 | grep sudo
journalctl _UID=1003 | grep sudo
You are working as a junior cybersecurity analyst and utilize a SIEM to support investigations into ongoing incidents. The SIEM is configured to collect data from numerous sources across the network, including network sensors, routers, switches, firewalls, hosts, and servers. Unfortunately, due to the number of data sources, you have data about a particular event being detected by different sensors and devices. Which of the following must you ensure to make sense of all the data being collected by your SIEM prior to analyzing it?
Data recovery
Data sanitization
Data retention
Data correlation
Data correlation
Which of the following command-line tools would you use to identify open ports and services on a host along with the version of the application that is associated with them?
ping
netstat
Wireshark
nmap
nmap
You have been asked to assist with an investigation into a malicious user’s activities. Unfortunately, your organization did not have full packet capture available for the time period of the suspected activities. Instead, you have received netflow data that contains statistics and information about the network traffic during that time period. Which of the following best represents the type of data you can obtain from this netflow data to support the investigation?
File contents
Metadata
Email messages
Application logs
Metadata
You are an analyst and have been asked to review and categorize the following output from a packet analysis in Wireshark:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Source Destination Protocol Length Info
192.168.3.145 4.4.2.2 DNS 74 Standard query 0xaed A test.diontraining.com
4.4.2.2 192.168.3.145 DNS 90 Standard query response 0x3aed A test.diontraining.com A 173.12.15.23
192.168.3.145 173.12.15.23 TCP 78 48134 -80 [SYN] seq=0 Win=65635 Len=0 MSS=1426 WS=16 TSVal=486234134 Tsecr=0 SACK_PERM=1
173.12.15.23 192.168.3.145 TCP 78 80-48134 [SYN,ACK] seq=0 Ack=1 Win=65535 Len=0 MSS=1426 WS=4 TSVal=0 Tsecr=0 SACK_PERM=1 a1=486234134 Tsecr=240612
192.168.3.145 192.168.3.255 NBNS 92 Namequery NB WORKGROUP
34.250.23.14 192.168.3.145 TCP 60 443 - 48134 [RST] Seq=1 Win=0 Len=0
34.250.23.14 192.168.3.145 TCP 60 8080 - 48134 [RST] Seq=1 Win=0 Len=0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on your review, what does this scan indicate?
This appears to be normal network traffic
192.168.3.145 might be infected and beaconing to a C2 server
192.168.3.145 might be infected with malware
173.12.15.23 might be infected and beaconing to a C2 server
173.12.15.23 might be infected with malware
173.12.15.23 might be infected and beaconing to a C2 server
Which of the following security controls provides Windows system administrators with an efficient way to deploy system configuration settings across a large number of devices?
Anti-malware
Patch management
GPO
HIPS
GPO (Microsoft’s Group Policy Object)
Dion Training wants to implement a technology within their corporate network to BEST mitigate the risk that a zero-day virus might infect their workstations. Which of the following should be implemented FIRST?
Intrusion detection system
Application whitelisting
Anti-malware solution
Host-based firewall
Application whitelisting
Application whitelisting will only allow a program to execute if it is specifically listed in the approved exception list. All other programs are blocked from running. This makes it the BEST mitigation against a zero-day virus.
You have been asked by the incident response team leader to perform a forensic examination on a workstation that is suspected to have been infected with malware. You remember from your training that you must collect digital evidence in the proper order to protect it from being changed during your evidence collection efforts. Which of the following describes the correct sequence to collect the data from the workstation?
Swap, RAM, CPU cache, Hard drive
CPU cache, RAM, Swap, Hard drive
Hard drive, Swap, CPU cache, RAM
RAM, CPU cache, Swap, Hard drive
CPU cache, RAM, Swap, Hard drive
Dion Training requires that the staff simulate their response to a potential data breach. During this simulation, the staff gathers in the conference room and discusses each action they would take as part of their response. This information is then analyzed to ensure the company’s data breach response playbook is up to date and would work properly when needed. Which of the following best describes what the staff did?
Incident response
Disaster recovery planning
Business impact analysis
Tabletop exercise
Tabletop exercise
You are reviewing the logs in your IDS and see that there were entries showing SYN packets received from a remote host targeting each port on your web server from 1 to 1024. Which of the following MOST likely occurred?
SYN flood
Remote host cannot find the right service port
UDP probe
Port scan
Port scan
Which of the following Wireshark filters should be applied to a packet capture to detect applications that are sending passwords in cleartext to a REST API located at 10.1.2.3?
http.request.method=="POST" && ip.dst=10.1.2.3
http.request.method=="POST"
ip.proto=tcp
ip.dst=10.1.2.3
http.request.method=="POST" && ip.dst=10.1.2.3
An analyst just completed a port scan and received the following results of open ports:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
TCP: 80
TCP: 110
TCP: 443
TCP: 1433
TCP: 3306
TCP: 3389
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on these scan results, which of the following services are NOT currently operating?
Web
RDP
Database
SSH
SSH
Which of the following types of digital forensic investigations is most challenging due to the on-demand nature of the assets being analyzed?
Employee workstations
On-premise servers
Cloud services
Mobile devices
Cloud services
During which phase of the incident response process does an organization assemble an incident response toolkit?
Preparation
Detection and analysis
Post-incident activity
Containment, eradication, and recovery
Preparation
During the preparation phase, the incident response team conducts training, prepares their incident response kits, and researches threats and intelligence.
If you are unable to ping a target because you are receiving no response or a response that states the destination is unreachable, then ICMP may be disabled on the remote end. If you wanted to try to elicit a response from a host using TCP, what tool would you use?
Broadcast ping
Hping
TCP ping
Traceroute
Hping
Hping is a handy little utility that assembles and sends custom ICMP, UDP, or TCP packets and then displays any replies.
An attacker has compromised a virtualized server. You are conducting forensic analysis as part of the recovery effort but found that the attacker deleted a virtual machine image as part of their malicious activity. Which of the following challenges do you now have to overcome as part of the recovery and remediation efforts?
All log files are stored within the VM disk image; therefore, they are lost
File formats used by some hypervisors cannot be analyzed with traditional forensic tools
The attack widely fragmented the image across the host file system
You will need to roll back to an early snapshot and then merge any checkpoints to the main image
The attack widely fragmented the image across the host file system
Which analysis framework provides a graphical depiction of the attacker’s approach relative to a kill chain?
OpenIOC
Lockheed Martin cyber kill chain
MITRE ATT&CK framework
Diamond Model of Intrusion Analysis
Diamond Model of Intrusion Analysis
Diamond Model provides an excellent methodology for communicating cyber events and allowing analysts to implicitly derive mitigation strategies. The Diamond Model is constructed around a graphical representation of an attacker’s behavior. The MITRE ATT&CK framework provides explicit pseudo-code examples for how to detect or mitigate a given threat within a network and ties specific behaviors back to individual actors. The Lockheed Martin cyber kill chain provides a general life cycle description of how attacks occur but does not deal with the specifics of how to mitigate. OpenIOC contains a depth of research on APTs but does not integrate the detections and mitigation strategy.
An attacker is using the nslookup interactive mode to locate information on a Domain Name Service (DNS). What command should they type to request the appropriate records for only name servers?
transfer type=ns
set type=ns
locate type=ns
request type=ns
set type=ns
The “set type=ns” tells nslookup to only report information on name servers. If you used “set type=mx” instead, you would receive information only about mail exchange servers.
You work as the incident response team lead at Fail to Pass Systems. Sierra, a system administrator, believes an incident has occurred on the network and contacts the SOC. At 2:30 am, you are woken up by a phone call from the CEO of Fail to Pass stating an incident has occurred and that you need to solve this immediately. As you are getting dressed to drive into the office, your phone rings again. This time, it is the CIO who starts asking you a lot of technical questions about the incident. The first you heard of this incident was 5 minutes ago from the CEO, so you obviously don’t have the answers to the CIO’s questions. Based on this scenario, which of the following issues needs to be documented in your lessons learned report once this incident is resolved?
An established incident response form for all employees to use to collect data
A robust method of incident detection
A call list/escalation list
An offline incident response jump bag or kit
A call list/escalation list
What does the bs=1M signify in the command list above?
Removes error messages and other incorrect data
Sets the block size
Sets the beginning sector
Sends output to a blank sector
Sets the block size
bs
Which analysis framework makes no allowance for an adversary retreat in its analysis?
MITRE ATT&CK framework
Lockheed Martin cyber kill chain
AlienVault (AT&T Cybersecurity) Cyber Kill Chain
Diamond Model of Intrusion Analysis
Lockheed Martin cyber kill chain
You are notified by an external organization that an IP address associated with your company’s email server has been sending spam emails requesting funds as part of a lottery collection scam. An investigation into the incident reveals the email account used was Connor from the sales department, and that Connor’s email account was only used from one workstation. You analyze Connor’s workstation and discover several unknown processes running, but netflow analysis reveals no attempted lateral movement to other workstations on the network. Which containment strategy would be most effective to use in this scenario?
Request disciplinary action for Connor for causing this incident
Isolate the workstation computer by disabling the switch port and reset Connor’s username/password
Unplug the workstation’s network cable and conduct a complete reimaging of the workstation
Isolate the network segment Connor is on and conduct a forensic review of all workstations in the sales department
Isolate the workstation computer by disabling the switch port and reset Connor’s username/password
During which incident response phase is the preservation of evidence performed?
Preparation
Detection and analysis
Containment, eradication, and recovery
Post-incident activity
Containment, eradication, and recovery
A cybersecurity analyst must preserve evidence during the containment, eradication, and recovery phase. They must preserve forensic and incident information for future needs, to prevent future attacks, or to bring up an attacker on criminal charges.
You are in the recovery steps of an incident response. Your analysis revealed that the attacker exploited an unpatched vulnerability on a public-facing web server as the initial intrusion vector in this incident. Which of the following mitigations should be implemented first during the recovery?
Disable unused user account and reset the administrator credentials
Restrict shell commands per user or per host for least privilege purposes
Scan the network for additional instances of this vulnerability and patch the affected assets
Restrict host access to peripheral protocols like USB and Bluetooth
Scan the network for additional instances of this vulnerability and patch the affected assets
Which of the following tools is useful for capturing Windows memory data for forensic analysis?
Nessus
dd
Wireshark
Memdump
Memdump
You are conducting an incident response and want to determine if any account-based indicators of compromise (IoC) exist on a compromised server. Which of the following would you NOT search for on the server?
Failed logins
Unauthorized sessions
Malicious processes
Off-hours usage
Malicious processes
Which containment technique is the strongest possible response to an incident?
Segmentation
Enumeration
Isolating affected systems
Isolating the attacker
Isolating affected systems
Obj-4.4: Given an incident, apply mitigation techniques or controls to secure an environment
Which of the following elements is LEAST likely to be included in an organization’s data retention policy?
Maximum retention period
Minimum retention period
Classification of information
Description of information that needs to be retained
Classification of information
Data retention policies highlight what types of information an organization will maintain and the length of time they will maintain it.