Section 2: Compute and Application Attacks Flashcards
When implementing AWS Elastic Load Balancing (ELB), what is something to be aware of for security monitoring?
Logging requires network load balancers.
Logging is not enabled by default.
Logging requires purchasing a third-party solution.
Logging is not supported.
One important thing to be aware of is that AWS ELB does not log by default. However, the customer has the option to enable logging to an AWS S3 bucket.
Book 2 Page 60
What can be enabled to assist with detecting unusual storage activity in AWS?
S3 server access logging
S3 global logging
S3 audit logs
S3 activity monitoring
The logging option that can be very powerful at detecting unusual storage activity in AWS is AWS S3 server access logging. This logging option is disabled by default.
Book 2 Page 145
What is a limitation of logging for Azure container instances?
Logging is not supported.
Network logs are not available.
Container logs are not available.
Container metrics are not available.
Launching containers in Azure is a very straightforward affair, but this straightforward approach does limit options regarding security logging initiatives. The host and network logs are not available to the analyst, as the Azure customer has no access to the underlying system or VPC network in which the container is running.
Book 2 Page 119
Which Azure storage type is used to send messages between cloud-hosted or customer-supported application components?
Blob containers
Queues
File shares
Tables
Azure storage accounts have up to four different storage types:
- Blob containers: Store text and binary data (i.e., object storage)
- File shares: SMB- or NFS-accessible file shares
- Tables: NoSQL database option for data storage
- Queues: Used to send messages between cloud-hosted or customer-supported application components
Book 2 Page 149
What command can be used to natively access Docker logs?
docker logs container-name
docker stdout container
docker configure-logging enable container
docker-displayoutput container_name
Docker logs are natively available via the following methods:
- stdout of the interactive (non-daemon mode) execution
- The docker logs container-name command
Book 2 Page 88
Why is a container a better choice for an application than a virtual machine?
Containers can run any operating system.
Containers are application layer abstractions.
Containers do not require a hypervisor.
Containers take up much less disk space.
Containers help to make applications more portable, as you can package the operating system along with the application that is being developed, reducing their footprint on disk.
Book 2 Page 84
What is the attack method of using a legitimate or high-reputation cloud provider to proxy attacker traffic and hide malicious activities so that they remain undetected by defenders?
Session hijacking
Proxy hacking
Machine-in-the-Middle
Domain fronting
With domain fronting, attackers will oftentimes use a cloud provider (like CloudFlare) to simply proxy their traffic so that, to the victim, it looks like they are communicating with this cloud vendor — not the attacker’s infrastructure sitting behind this proxy service.
Book 2 Page 12
What does a security log with event ID 4624 and logon type 3 mean in Windows?
Successful network logon
Failed network logon
Failed remote interactive logon
Successful interactive logon
Event ID 4624 documents every successful attempt at logging on to a local computer. Logon Type 3 means it was a connection over the network.
Book 2 Page 19
What AWS-provided agent can be used to retrieve logs from an EC2 system to forward to a centralized, AWS-native service?
CloudWatch agent
Logging agent
Forwarder agent
SysLog agent
AWS provides the CloudWatch agent, an open source application with Windows and Linux deployments that can forward telemetry and logs from the EC2 instance to the AWS CloudWatch service. The CloudWatch agent can pull metrics and logs from a host system, gathering detailed telemetry and sending it to a CloudWatch Log Group.
Book 2 Page 44
A security analyst detects several 401 response codes over a short period in the web server access.log file. What can this observation indicate?
Attempted password-guessing attack
Web content changed or misplaced
Distributed denial-of-service attack
Web server misconfiguration
Several 401 response codes over a short period in the web server access.log file can indicate attempted authentication attacks. It is advantageous to look for a series of 401 messages if your web server application is in charge of authentication, as a 401 HTTP response identifies an unauthorized connection (i.e., a failed login attempt). The log data also identify which username the adversary attempted.
Book 2 Page 54
In container-first organizations, what is the favorite container orchestration platform for automating deployments, scaling systems, and managing containerized applications?
Functions
Kubernetes
Docker
Lambda
Kubernetes is a container orchestration platform that, among many other things, automates deployments, scales systems as demand rises and falls, and manages the complex container environment with only management actions and configuration required from the end user. In container-first organizations, Kubernetes is a favorite, but it can be quite complicated.
Book 2 Page 5
What Azure diagnostic setting logging option provides a more thorough view of Kubernetes infrastructure data related to validation and configuration of the Kubernetes API objects?
cluster-autoscaler
kube-controller-manager
kube-apiserver
guard
To get a more thorough view of the Kubernetes infrastructure, diagnostic settings can be enabled. The options within the diagnostic settings configuration page are broken down into two categories: log and metric. The kube-apiserver option will log data related to validation and configuration of the Kubernetes API objects (e.g., pods, services).
Book 2 Page 123
In Red Hat-based systems, which log file records the authentication logs for both successful and failed logins?
/var/log/messages
/var/log/auth.log
/var/log/kern.log
/var/log/secure
The log files /var/log/auth.log (on a Debian-based system) and /var/log/secure (on a Red Hat-based system) keep security-related information such as authentication logs for both successful and failed logins.
Book 2 Page 24
Which section of the CloudWatch config file specifies how often metrics are to be collected?
logging
collection
agent
config
The agent section includes fields that describe the overall configuration of the agent. The metrics_collection_interval field is optional but specifies how often all metrics in the config file are to be collected and the period of collection. Individual metric intervals can be overridden, so consider this the global interval value.
Book 2 Page 40
Which AWS service automates deployment of clusters, services, and tasks?
AWS Elastic Compute Cloud
AWS Elastic Kubernetes Service
AWS Elastic Container Service
AWS Elastic Container Registry
The AWS Elastic Container Service (ECS) provides a means to deploy the underlying architecture that supports container workloads, such as clusters, services, and tasks. By monitoring container health, AWS ECS ensures that crashed containers are automatically re-created.
Book 2 Page 107
What service can be used for an AWS deployment to manage the Kubernetes control plane?
Deployment Cloud Service
Elastic Kubernetes Service
Kubernetes connector
Cloud management
Cloud engineers may be enticed to hand off some of the Kubernetes architecture to the cloud vendor to focus on deploying containers within the hosted infrastructure. AWS EKS is a service that makes this possible by managing the Kubernetes control plane on behalf of the cloud customer.
Book 2 Page 113
What is considered a best practice when collecting AWS logs for threat hunting?
Determining how long to keep the logs
Only monitoring data live, without storing
Keeping all data permanently
Deleting data after accessing
A best practice for collecting AWS logs is determining how long to keep the logs based on your data retention policy and then setting the CloudWatch logs retention policy accordingly.
Book 2 Page 38
The Windows login attempt events can be found in which of the following event channels?
Information
System
Application
Security
By default, Windows will generate many useful events within three different event channels:
- Application: These events are reported by applications installed on the operating system.
- Security: By far the most useful event channel, as many successful and unsuccessful actions are recorded here, which can help write the narrative of how the system was accessed and what was performed (to some degree).
- System: Operating system event data.
Book 2 Page 18
Why should secrets be added to the container environment and not be part of the container image?
Adding secrets to the image will automatically upload them to GitHub.
Images do not support adding secrets.
Secrets are removed during the image process.
Anyone with access to the image can access the secret.
When using secrets within containers, it is a good idea not to include them in the image build, as anyone with access to that image would have access to that secret. Add to that the challenge that every time a secret is rotated, the image must be rebuilt. The more appropriate method for using secrets in a container is to set them as environment variables as the container is being started. However, if the container is compromised, those secrets could easily be recovered.
Book 2 Page 86
A threat hunter has discovered that a Kubernetes dashboard is broadly accessible without any authentication. What could be the possible scenario?
Attackers must have compromised the service and disabled the authentication mechanism.
The threat hunter has yet to validate whether the dashboard has been accessed.
The administrator forgot to change the default settings, which do not require any authentication.
The administrator removed any required authentication temporarily and then forgot it.
Typically, and by default, Kubernetes dashboards require credentials of some sort (e.g., username and password or token retrieved internally). However, in the Tesla Kubernetes Attack, Tesla’s administrative team removed any required authentication, and this dashboard, which allows full access to the entire Kubernetes deployment, was left wide open to attack.
It is important for a threat analyst to understand how infrastructure is deployed in their organization.
Book 2 Page 8
What tool can generate custom metrics based on the results of KQL queries?
Azure DevOps
Amazon CloudWatch
Amazon CloudTrail
Azure Monitor
Azure Monitor provides the flexibility to create custom metrics through Kusto Query Language (KQL) queries, enabling you to extract meaningful security-related data.
Book 2 Page 135
How can command logging be enabled within a container?
Exec into the container and create a symlink of /proc/1/fd/1.
Update the /etc/bash.bashrc file to enable logging to stdout.
Use the docker log container-name command.
Create a new ENTRYPOINT in the container config.
The /etc/bash.bashrc file contains the settings for the system shell. By updating this file to echo commands to stdout, commands executed will be available outside the container.
Book 2 Page 92
Which Azure service enables you to utilize a global application delivery network to make forwarding decisions based on layer 7 payloads?
Traffic Manager
Front Door
Back Door
Content Delivery
Azure has two options that support global load balancing. The first of these options is the Azure Front Door service. This service enables you to utilize a global application delivery network to make forwarding decisions based on layer 7 payload.
Book 2 Page 63
AWS Amplify access logs are available to download in which format?
TSV
Raw
CSV
JSON
Access logs are very minimal in the browser but can be downloaded in CSV format for more detail.
Book 2 Page 56