Section 2 Flashcards

1
Q

What is Session Data?

A

Contains the 5-tuple information (source/destination IP, source/destination port, protocol); NetFlow

2
Q

What is Full packet capture?

A

PCAP Files, Wireshark, TCPdump

3
Q

What is Transaction Data?

A

Server logs, login information, requests for HTTP pages.

4
Q

What is Statistical Data?

A

For example, a graph of PPS (packets per second) against website.

5
Q

What is Metadata?

A

Data about data, e.g. geo-location and reputation data

6
Q

What tools are available in Security Onion to view Full packet capture data?

A

Wireshark, tshark, TCPdump, CapME!

7
Q

What tools are available in Security Onion to view session data?

A

Bro (most popular), Argus, PRADS

8
Q

What can the Bro tool be used for?

A

Session Data, Transaction data, Statistical data, Metadata and Alert data.

9
Q

What typically produces Alert Data?

A

IDS and IPS systems

10
Q

What 2 tools in Security Onion are used as IDS systems?

A

Snort and Suricata

11
Q

What is Extracted Content?

A

Bro and NetworkMiner can extract content from PCAP files like image files and SSL/TLS certificates.

12
Q

What are the 7 stages in the Classic Kill Chain Model?

A
  1. Reconnaissance
  2. Weaponisation
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command and Control
  7. Actions on Objectives
13
Q

What happens at Kill Chain phase 1?

A

Reconnaissance
Intelligence gathering:
Checking the company's website
News articles
Social media
Using tools like nslookup, whois, centralops.net
14
Q

What happens at Kill Chain phase 2?

A

Weaponisation
The weaponisation phase's goal is the development of a cyber weapon, based on the reconnaissance information about the target system, such as:
Viruses
Code injection
Email or phishing campaigns
Exploits for system vulnerabilities
Tools like Metasploit are used here. Attackers also create zero-days at this stage.

15
Q

What happens at Kill Chain phase 3?

A

Delivery
This stage is about getting the payload into the target's network or onto the host device, using methods like:
Email attachments
URL links in emails
USB devices
Redirecting users to websites
16
Q

What happens at Kill Chain phase 4?

A

Exploitation
After the weapon is delivered, the exploitation phase describes what happens once the malicious code is executed. Weaknesses are usually found in applications, OS vulnerabilities and users.

17
Q

What happens at Kill Chain phase 5?

A

Installation
Also known as the persistence phase, this is where the threat actor installs a back door on the host device to regain access to the machine when needed. It should be able to survive system reboots, anti-malware and anti-virus measures.

18
Q

What happens at Kill Chain phase 6?

A

Command and Control (C2)
C2 is when the exploited host beacons outbound, out of the network, to an Internet-based controller in order to establish a communications channel. An IRC channel is typically used here, as is HTTP traffic towards an unusual domain name.

19
Q

What happens at Kill Chain phase 7?

A

Actions on Objectives
The threat actor has completed their goal of getting information out of the network, for example:
Intellectual property
Corporate data theft
Bandwidth theft for SPAM
DDoS attacks