Section 2

Question 1

What is Session Data?

Answer 1

Contains the 5-Tuple information, Netflow

Question 2

What is Full packet capture?

Answer 2

PCAP Files, Wireshark, TCPdump

Question 3

What is Transaction Data?

Answer 3

Server logs, login information, Regquest for HTTP pages.

Question 4

What is Statistical Data?

Answer 4

Show a graph with PPS against website.

Question 5

What is Metadata?

Answer 5

Data about data, Geo-location, reputation data

Question 6

What tools are available in Security Onion to view Full packet capture data?

Answer 6

Wireshark, tshark, TCPdump, CapME!

Question 7

What tools are available in Security Onion to view session data?

Answer 7

Bro (Most popular) Argus, PRADS

Question 8

What can the Bro tool be used for?

Answer 8

Session Data, Transaction data, Statistical data, Metadata and Alert data.

Question 9

What typically produces Alert Data?

Answer 9

IDS and IPS systems

Question 10

What 2 tools in Security Onion are used as IDS system?

Answer 10

Snort and Suricata

Question 11

What is Extracted Content?

Answer 11

Bro and NetworkMiner can extract content from PCAP files like image files and SSL/TLS certificates.

Question 12

What are the 7 stages in the Classic Kill Chain Model?

Answer 12

1. Reconnaissance
2. Weaponisation
3. Delivery
4. Exploitation
5. Installation
6. Command and Control
7. Actions on Objectives

Question 13

What happens at Kill Chain phase 1?

Answer 13

Reconnaissance 
Intelligence gathering
Checking companies website
News Articles
Social Media
Using tools like nslookup, whois, centralops.net

Question 14

What happens at Kill Chain phase 2?

Answer 14

Weaponisation
The weaponisation phases goal is the development of a cyber weapon that is based on reconnaissance information about the target system such as:
Viruses
Code injection
Email or phishing campaigns
Exploits for system vulnerabilities
Tools like Metasploit are used here. Also zero days are created by attackers.

Question 15

What happens at Kill Chain phase 3?

Answer 15

Delivery
At this stage it is about getting the payload into the targets network or on the host device.
Using methods like:
Email attachments 
URL links in emails
USB devices
Redirect users to websites

Question 16

What happens at Kill Chain phase 4?

Answer 16

Exploitation
After the weapon delivery the exploitation phase describes what happens once the malicious code is executed. Weaknesses are usually found in Applications, OS vulnerabilities and Users.

Question 17

What happens at Kill Chain phase 5?

Answer 17

Installation
Also know as the persistence phase is were the threat actor installs a back door into the host device to gain access back into the machine when needed. It should be able to survive system reboots, anti-malware and anti-virus measures.

Question 18

What happens at Kill Chain phase 6?

Answer 18

Command and Control (C2)
CnC is when the exploited host beacon outbound or out of the network to an Internet based controller in order to establish a communications channel. IRC channel is typically used here also http traffic towards an usual domain name.

Question 19

What happens at Kill Chain phase 7?

Answer 19

The threat actor has completed their goal in getting information out of the network for example:
Intellectual property
Corporate data theft
Bandwidth theft for SPAM
DDoS attacks