Section 2 Flashcards
What is Session Data?
Contains the 5-tuple information; for example, NetFlow.
What is Full packet capture?
PCAP Files, Wireshark, TCPdump
What is Transaction Data?
Server logs, login information, requests for HTTP pages.
What is Statistical Data?
For example, a graph showing packets per second (PPS) against a website.
What is Metadata?
Data about data; for example, geo-location and reputation data.
What tools are available in Security Onion to view Full packet capture data?
Wireshark, tshark, TCPdump, CapME!
What tools are available in Security Onion to view session data?
Bro (most popular), Argus, PRADS
What can the Bro tool be used for?
Session data, transaction data, statistical data, metadata and alert data.
What typically produces Alert Data?
IDS and IPS systems.
What 2 tools in Security Onion are used as IDS systems?
Snort and Suricata
What is Extracted Content?
Bro and NetworkMiner can extract content from PCAP files, such as image files and SSL/TLS certificates.
What are the 7 stages in the Classic Kill Chain Model?
- Reconnaissance
- Weaponisation
- Delivery
- Exploitation
- Installation
- Command and Control
- Actions on Objectives
What happens at Kill Chain phase 1?
Reconnaissance: intelligence gathering, for example:
- Checking the company's website
- News articles
- Social media
- Using tools like nslookup, whois, centralops.net
What happens at Kill Chain phase 2?
Weaponisation
The weaponisation phase's goal is the development of a cyber weapon based on the reconnaissance information about the target system, such as:
- Viruses
- Code injection
- Email or phishing campaigns
- Exploits for system vulnerabilities
Tools like Metasploit are used here. Attackers also create zero-days at this stage.
What happens at Kill Chain phase 3?
Delivery: at this stage the aim is getting the payload into the target's network or onto the host device, using methods like:
- Email attachments
- URL links in emails
- USB devices
- Redirecting users to websites