Section 1: Management Plane and Network Attacks Flashcards
Of the following cloud service models, which provides the capability to deploy consumer-created or acquired applications onto the cloud infrastructure, applications created using programming languages, libraries, services, and tools supported by the provider?
Platform as a Service (PaaS)
Software as a Service (SaaS)
Internet as a Service (IaaS)
Infrastructure as a Service (IaaS)
ID: 2e6479b4-97f6-4856-be54-2e8cd065fedb
A Platform as a Service (PaaS) cloud service lets the consumer deploy consumer-created or acquired applications onto the cloud infrastructure using programming languages, libraries, services, and tools supported by the provider. Under the hood, a PaaS runs on top of an Infrastructure as a Service (IaaS). IaaS gives the consumer the ability to provision processing, storage, networking, and other fundamental computing resources on which the consumer can deploy and run arbitrary software, including operating systems and applications. Software as a Service (SaaS) is the capability provided to the consumer to use the provider’s applications running on a cloud infrastructure.
Book 1 Page 6
According to NIST, which of the following features in the cloud service allows customers to automatically provision the computing resources?
Rapid elasticity
On-demand self-service
Broad network access
Measured service
ID: 6e5c635c-5009-4069-a4b5-86b2096d0d2f
Five essential characteristics distinguish a cloud service from a traditional “shared hosting service” or one of the predecessors to cloud computing:
- On-demand self-service: A consumer can provision computing resources automatically, without requiring human interaction with each service provider.
- Rapid elasticity
- Measured service
- Broad network access
- Resource pooling
Book 1 Page 43
The process of identifying potential security threats and vulnerabilities and prioritizing the controls or detections that need to be included is known as which of the following?
Threat modeling
Vulnerability assessment
Threat mitigation
Vulnerability management
ID: 102c2f6f-c429-406d-bc5a-577c9825bca3
Threat modeling is the process of understanding the threats to and potential vulnerabilities of your organization, and what kind of attacker is likely to go after your particular environment. Hospitals and municipal governments are frequent ransomware targets, while producers of internet/software technologies are exposed to supply chain attacks. Understanding what an attacker might attempt against your environment helps focus your detections, analytic capabilities, and security improvements.
Book 1 Page 15
Which MITRE ATT&CK technique looks to see if storage accounts are available, virtual machines are accessible, or identity access management policies can be manipulated?
Account Discovery (T1087)
Network Service Discovery (T1046)
Cloud Service Discovery (T1526)
Cloud Infrastructure Discovery (T1580)
ID: fac57ee4-d3e8-41b5-8576-730e8206ed63
With the Cloud Service Discovery (T1526) technique, the attacker uses the cloud provider’s APIs to determine which cloud services are available. Cloud Infrastructure Discovery (T1580) is similar: Cloud Service Discovery checks whether storage accounts are available, whether virtual machines are accessible, or whether identity and access management policies can be manipulated, while Cloud Infrastructure Discovery enumerates the individual resources that make up those services, such as what the storage accounts are called, how many virtual machines are accessible, and whether the attacker can update an IAM policy to give themselves admin access. Both leave the same kind of evidence: read-only API calls recorded by the provider’s logging service (CloudTrail in AWS, Activity Log in Azure).
Book 1 Page 39
An analyst needs to investigate Application Programming Interface (API) calls to the AWS environment. What AWS service would the analyst use to investigate the API calls?
Guard Duty
CloudTrail
CloudWatch
Lambda
ID: 6068a7e6-eff9-43ac-9cc0-f920a7077a58
CloudTrail records the Application Programming Interface (API) calls made to the AWS environment, whether they come from the console, the CLI, SDKs, or other AWS services, and is the primary source for investigating who called which API, from where, and when.
Book 1 Page 48
When enabling Azure NSG Flow Logs, what is the main advantage of version 2 over version 1?
Version 2 captures the amount of network traffic.
Version 2 indicates whether the traffic is allowed or denied.
Version 2 includes timestamps of network communication.
Version 2 includes flow states.
ID: 00b94b50-2bf4-4b9c-9970-f9ae890ded28
When enabling NSG Flow Logs, there are two versions to choose from: version 1 and version 2. The advantage of version 2 over version 1 is that flow states are included. In other words, each tuple can answer the question: is the flow in this record brand new (state B), a continuation of an older flow (C), or the end of the flow (E)? Version 2 also attaches per-direction packet and byte counters to continuing and ending flows, which version 1 lacks, so throughput per flow can be reconstructed.
Book 1 Page 130
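The following is an added example, not part of the original flashcards or of Azure's own tooling. It parses NSG flow log tuples in both formats and uses the version 2 flow state to answer the questions above: how many flows started, how many of those were denied, how many completed, and how much traffic the completed flows carried. The record is constructed in the documented NSG flow log JSON layout; the IPs, MAC address and rule names are made up.

```python
"""Parse Azure NSG flow log tuples (versions 1 and 2) and use the v2 flow state.

Added example; the record below is constructed in the documented NSG flow log
JSON layout and the IPs, MAC and rule names are made up.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample record: one DenyAllInBound hit (B only, since denied flows
# never continue) and one allowed HTTPS flow seen at begin (B), continuing (C)
# and end (E).
SAMPLE_RECORD = {
    "time": "2024-01-15T10:05:00.000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "properties": {
        "Version": 2,
        "flows": [
            {"rule": "DefaultRule_DenyAllInBound",
             "flows": [{"mac": "000D3AF87856", "flowTuples": [
                 "1705312800,198.51.100.7,10.5.16.4,28746,3389,T,I,D,B,,,,"]}]},
            {"rule": "UserRule_AllowHTTPS",
             "flows": [{"mac": "000D3AF87856", "flowTuples": [
                 "1705312800,203.0.113.9,10.5.16.4,51234,443,T,I,A,B,,,,",
                 "1705312830,203.0.113.9,10.5.16.4,51234,443,T,I,A,C,12,3400,9,12800",
                 "1705312890,203.0.113.9,10.5.16.4,51234,443,T,I,A,E,20,5100,15,40200"]}]},
        ],
    },
}

FLOW_STATES = {"B": "begin", "C": "continuing", "E": "end"}


@dataclass
class FlowTuple:
    timestamp: int
    src: str
    dst: str
    src_port: int
    dst_port: int
    protocol: str   # "T" (TCP) or "U" (UDP)
    direction: str  # "I" (inbound) or "O" (outbound)
    decision: str   # "A" (allowed) or "D" (denied)
    state: str      # "B", "C" or "E"; empty string for version 1 tuples
    pkts_s2d: Optional[int] = None   # counters are present only on C/E tuples
    bytes_s2d: Optional[int] = None
    pkts_d2s: Optional[int] = None
    bytes_d2s: Optional[int] = None


def parse_tuple(raw: str, version: int = 2) -> FlowTuple:
    """Split one comma-separated flow tuple. v1 has 8 fields; v2 has 13, the
    last five being the flow state and four traffic counters (empty on B)."""
    f = raw.split(",")
    if version == 1:
        if len(f) != 8:
            raise ValueError(f"version 1 tuple needs 8 fields: {raw!r}")
        return FlowTuple(int(f[0]), f[1], f[2], int(f[3]), int(f[4]), f[5], f[6], f[7], "")
    if len(f) != 13:
        raise ValueError(f"version 2 tuple needs 13 fields: {raw!r}")
    if f[8] not in FLOW_STATES:
        raise ValueError(f"unknown flow state {f[8]!r} in {raw!r}")
    counters = [int(x) if x else None for x in f[9:]]
    return FlowTuple(int(f[0]), f[1], f[2], int(f[3]), int(f[4]),
                     f[5], f[6], f[7], f[8], *counters)


def summarize(record: dict) -> dict:
    """Count new, denied and completed flows and total the bytes carried.
    v2 counters cover the interval since the previous update, so C and E
    tuples are summed to get the per-flow total."""
    version = record["properties"]["Version"]
    out = {"new_flows": 0, "denied_new": 0, "completed": 0,
           "bytes_s2d": 0, "bytes_d2s": 0}
    for rule in record["properties"]["flows"]:
        for per_mac in rule["flows"]:
            for raw in per_mac["flowTuples"]:
                t = parse_tuple(raw, version)
                if version == 1 or t.state == "B":
                    # v1 has no state, so every tuple counts as a new flow
                    out["new_flows"] += 1
                    out["denied_new"] += int(t.decision == "D")
                if t.state == "E":
                    out["completed"] += 1
                if t.state in ("C", "E"):
                    out["bytes_s2d"] += t.bytes_s2d or 0
                    out["bytes_d2s"] += t.bytes_d2s or 0
    return out


if __name__ == "__main__":
    print(summarize(SAMPLE_RECORD))
```

Run the file directly to see the summary for the constructed record; with version 1 logs the same code degrades to counting tuples, which is exactly the limitation the question is about.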
Which CloudWatch tool can be used to parse the logs and perform queries across them?
Logs Insights
Logs Analytics
Logs Visualizer
Logs Metrics
ID: 91a051dd-ab54-4b55-9af7-d82eab21315e
AWS provides CloudWatch Logs Insights, a user interface that makes it easier to query across log groups. The Logs Insights query syntax is a stripped-down query language for crafting the queries. It lets you control which fields are displayed, filter on fields matching regular expressions or basic comparisons, compute aggregate statistics over the logs, and extract values from unformatted strings.
Logs Insights automatically discovers fields in VPC Flow Logs, Route 53 logs, Lambda logs, CloudTrail logs, and JSON-formatted logs. Other log formats require just-in-time parsing with the parse command as part of the query.
Book 1 Page 91
Which of the following extends Azure Activity Log and allows for more granular searching?
ID: 97e32a0e-5472-45c9-b47f-db74d7daabaa
An Azure Log Analytics workspace is a logical storage unit in Azure in which log data collected by Azure Monitor is stored. Sending Activity Log data to a Log Analytics workspace allows more granular searching (with Kusto queries) than the Activity Log view alone.
Book 1 Page 106
Which of the following attack vectors is likely to be leveraged by cybercriminals to gain initial access to a victim’s cloud environment?
Phishing
Misconfiguration
Malicious insider
Drive-by compromise
ID: bb303c6e-a2ee-4d1e-81f6-21e2e126b04c
Most initial access to a victim’s cloud environment tends to fall into one of three categories:
- The attacker found an unconfigured or default access vector (a misconfiguration)
- The attacker hacked an exposed application
- The attacker found or brute-forced credentials
Book 1 Page 10
Which of the following Azure networking services can monitor and repair the network health of virtual machines?
Azure Network Watcher
Azure Monitor Insights
Azure ExpressRoute Monitor
Azure Packet Manager
ID: 32dddb3f-0766-4967-8b1a-f9ce5e188712
According to the documentation, “Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. Network Watcher is designed to monitor and repair the network health of IaaS (Infrastructure as a Service) products, which includes Virtual Machines, Virtual Networks, Application Gateways, Load balancers, etc.”
Book 1 Page 143
How many CloudTrail records are created for each API call?
5
10
2
1
CloudTrail records a single JSON object for every API call.
Book 1 Page 58
In the AWS CLI command below, which of the following parameters can be utilized in order to return just the EventTime?
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ListBuckets
--option
--filter
--grep
--query
ID: d89f6497-10b6-4d1c-af03-9a7eba2a289e
The --query parameter limits which values the CLI returns from the JSON response; it is applied client-side after the full response has been received. The --query parameter accepts expressions that are compliant with the JMESPath specification.
Book 1 Page 78
Which cyber threat intelligence resource provides remediation guidance for the most critical web application security risks based on a consensus among security experts from around the world?
OWASP Top 10
CIS Critical Security Controls
CIS Benchmarks
MITRE ATT&CK Matrix
ID: 6a62683d-9988-4e0a-b5be-ce17673aa4b1
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. Every few years, OWASP publishes the “Top 10 Web Application Security Risks” based on vulnerability data gathered from real applications and a community survey. The list describes each risk, how the attack works, and how to mitigate it. It is globally recognized by developers as the first step toward more secure coding.
Book 1 Page 31
What AWS service provides interactive query service of S3 buckets?
Athena
Aurora
S3 Browser
Kinesis
ID: f9b018cb-c268-45ed-bad2-3adcd19cf68b
Amazon Athena is an interactive query service that makes it easy to analyze data stored in S3 with standard SQL. It is serverless: you pay per query, by the amount of data scanned, plus the underlying S3 storage.
Athena reads directly from S3 and uses the AWS Glue Data Catalog for table definitions (Glue crawlers can build that catalog automatically). If you know the format of the data and understand SQL, you can start running queries quickly.
Book 1 Page 121
Which AWS tool provides performance analysis through contributor insights?
CloudTrail
GuardDuty
CloudWatch
Security Hub
ID: 97395b0c-a585-4210-9eb5-a1b34cf3ff28
CloudWatch is AWS’s log collection and analysis service. It offers log collection and search; customizable but limited dashboards; automated event responses; container analysis through Container Insights; performance analysis (top-N contributors to a metric) through Contributor Insights; and web URL testing through Synthetics canaries.
Book 1 Page 86
Which of the following is a framework of best practices that provides a prioritized list of measures organizations can take to mitigate cyber risks?
OWASP Top 10
CIS Benchmarks
CIS Critical Security Controls
MITRE ATT&CK Matrix
ID: 7a0b92c8-a727-4142-8901-777b4399042f
The CIS Critical Security Controls v8 are a prioritized set of eighteen controls organizations should have in place to better protect their infrastructure. For threat detection, the controls are a useful checklist when doing threat modeling.
Book 1 Page 33
Which operations are included in Azure Activity Log?
Only actions that create, update, and delete a cloud resource
Only actions that read, modify, and delete a cloud resource
Only actions that read and modify a cloud resource
All the actions that were performed within a cloud resource
ID: d154daed-48af-4f18-bf3a-069451295860
Azure Activity Log provides visibility into API activity within the Azure subscription. Any user account or cloud service that makes a change to the environment will be logged. This means that read-level API calls will not be captured here — only actions that create, update/modify, or delete a cloud resource.
Book 1 Page 62
Where can you find records of API calls made to your environment?
IMDS
Logging service
IAM roles and policies
User accounts
ID: 14e5636b-c4fa-4211-893a-87f94957994e
You can access API calls through the cloud service provider’s logging services.
Book 1 Page 47
What is a main feature of VPC Flow Logs in CloudWatch?
ID: 473cb838-8c00-423f-a42f-31d1ecee39ae
VPC Flow Logs are published either to S3 or to CloudWatch Logs. When sent to CloudWatch Logs, each flow record is written to a log stream (one stream per network interface) and is searchable individually. In addition to filtering and display tools, CloudWatch lets you build metric filters and alarms on the flow records.
Book 1 Page 120
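The following is an added example, not part of the original flashcards or of AWS's tooling. It parses VPC Flow Log records in the default format, skips NODATA records, emulates the kind of count that a CloudWatch metric filter produces, and layers a simple port-scan heuristic on top. The log lines are constructed; the account ID, ENI and IP addresses are made up, and the port threshold is the author's choice.

```python
"""Parse VPC Flow Log records (default format) and emulate a CloudWatch metric
filter plus a simple port-scan heuristic on top of them.

Added example with constructed log lines; account ID, ENI and IPs are made up.
"""
from collections import defaultdict
from typing import Optional

# Field order of the default (version 2) VPC Flow Log format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# Constructed sample: one host probing several ports and being rejected,
# ordinary accepted traffic, one unrelated reject, and a NODATA record.
SAMPLE_LINES = """\
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 40001 22 6 1 44 1705312800 1705312860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 40002 23 6 1 44 1705312800 1705312860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 40003 445 6 1 44 1705312800 1705312860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 40004 3389 6 1 44 1705312800 1705312860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 40005 1433 6 1 44 1705312800 1705312860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 40006 443 6 5 1250 1705312800 1705312860 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.25 203.0.113.50 48122 443 6 24 9800 1705312800 1705312860 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.2.9 10.0.1.25 51000 8080 6 1 60 1705312800 1705312860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1705312800 1705312860 - NODATA
"""


def parse_line(line: str) -> Optional[dict]:
    """Return a record dict, or None for NODATA/SKIPDATA records, whose
    traffic fields are '-' and carry nothing to analyse."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def parse_log(text: str) -> list:
    return [r for r in (parse_line(ln) for ln in text.splitlines() if ln.strip()) if r]


def count_matching(records, **criteria) -> int:
    """Emulates a CloudWatch Logs space-delimited metric filter such as
    [version, account, eni, source, destination, srcport, destport, protocol,
     packets, bytes, windowstart, windowend, action="REJECT", flowlogstatus]
    which CloudWatch would turn into a metric you can alarm on."""
    return sum(all(r[k] == v for k, v in criteria.items()) for r in records)


def find_port_scanners(records, min_ports: int = 5) -> dict:
    """Source/destination pairs whose rejected flows touch at least min_ports
    distinct destination ports within the records given (assumed threshold)."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
    return {f"{src}->{dst}": sorted(p) for (src, dst), p in ports.items()
            if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LINES)
    print(count_matching(recs, action="REJECT"), "rejected flows")
    print(find_port_scanners(recs))
```

The heuristic keys on the (source, destination) pair rather than on the source alone so that a host legitimately rejected on one port by many targets does not trip it; in production you would also window the records by the start field, since flow records aggregate over an interval.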
Which command would provide evidence of an attacker trying to discover S3 buckets?
aws s3api list-buckets
aws cloudtrail lookup-events
aws sts get-caller-identity
aws cloudtrail query
ID: 80045f13-7f25-4132-b7df-ee4207c87ac0
You can detect when someone issues a ListBuckets request to the S3 service’s API. The command line aws s3api list-buckets (or aws s3 ls) conducts a ListBuckets request, which CloudTrail records as an event with eventName ListBuckets; the lookup-events command shown earlier retrieves those events for investigation.
Book 1 Page 52
For the Cloud Service Discovery attack, what data sources are listed that we would need?
Lab Notes
AWS CloudTrail logs, Azure activity logs, StackDriver logs (GCP).
How do we list buckets in an AWS account?
Lab 1.2
aws s3api list-buckets \
--query "Buckets[].Name"
or
aws s3 ls
How do we find out our identity in AWS CLI?
Lab 1.2
aws sts get-caller-identity
How do we find information on Instances in AWS?
Lab 1.2
aws ec2 describe-instances