Section 3: Security Services and Data Discovery Flashcards
What is the next step after Cloud Service Discovery that an attacker typically performs to determine which infrastructure is available for different services?
System infrastructure discovery
Cloud infrastructure discovery
Cloud service scanning
Cloud infrastructure scanning
229b11f1-0340-4280-a651-b4ff2e4915b4
Right after a Cloud Service Discovery, the attacker will do Cloud Infrastructure Discovery (T1580), which determines the infrastructure available from these services.
Book 3 Page 11
What attack can be performed where the goal is to execute code within the operating environment of a Lambda function in order to return the sensitive information stored in the environment variables?
Privilege escalation
Data exfiltration
Command injection
Denial of service
3a68f177-6d65-4e79-a81f-2bc18ceecdf5
Command injection, or command and scripting interpreter attack, is when the attacker abuses the execution of a command, script, or binary by providing an input value that was not expected. A typical command injection vulnerability comes from improperly sanitized inputs.
Book 3 Page 51
An analyst has executed an AWS SSM Run Command via the CLI to perform discovery on a few systems. What value from the command run would they need to query to see the results of the Run Command?
instance-ids
CommandInvocations
document-name
CommandId
54783b4a-67a2-40f0-ba09-303604555050
While the Run Command will execute, it will not return the results of the command. It only returns the results of the fact that you created the command, and it is waiting for the SSM agents to grab it. You will need to include the CommandId flag to see the results of the Run Command.
Book 3 Page 92
AWS implemented the IMDSv2 service to add a layer of security on metadata service calls. What HTTP method needs to be used as a part of the IMDSv2 metadata call?
HTTP GET method
HTTP HEAD method
HTTPS PUT method
HTTP PUT method
ec084689-75fa-4847-a6cc-af308954be24
While communicating with IMDSv2, the cURL command must use an HTTP PUT request to /latest/api/token to return a TOKEN value. Applications that are vulnerable to SSRF are usually performing a GET; the requirement for a PUT will plug up that hole.
Book 3 Page 33
An analyst would like to perform searches on Lambda functions in AWS looking for usage of credentials. Which of the following would you recommend to perform this?
AWS Inspector
AWS Macie
Custom scripts
Azure Cognitive Search
d5aad129-9274-47be-9a73-c4a1c6c0931e
Since the command-line tools make these data easy to retrieve and transform, wrapping the tool output in another scripting language (with a little bit of regex) makes discovering the data relatively easy. Using a little command-line knowledge, you are able to retrieve the underlying Lambda code, decode it, and look for the sensitive data.
Book 3 Page 104
An analyst is dealing with a lot of findings generated through GuardDuty. What could they do to limit and remove findings from the dashboard?
Suppression rule
Signature rule
Filtering rule
Alerting rule
9702172b-9434-4304-929a-aa08be39c293
GuardDuty can be noisy, and it may flag activity that is normal in your environment or that you may not wish to see reported. To limit and remove findings from the dashboard, you can create a filter and apply it as a suppression rule.
Book 3 Page 42
Azure has two types of managed identities. Which managed identity is enabled on the cloud resource and has a lifecycle tied to that of the resource?
User-assigned
Metadata-assigned
Cloud-assigned
System-assigned
9d9abab7-ba2a-4b19-9aad-d05b4253ab96
A system-assigned managed identity is enabled on a cloud resource, and its lifecycle is tied to that of the resource. System-assigned identities let the Azure customer have Azure generate and assign a new identity during a cloud resource deployment (or even after the resource has been provisioned). The lifecycle is also handled by Azure: when the cloud resource to which this identity is assigned is deleted, so is the identity.
Book 3 Page 32
An analyst would like to use the “Run Command” feature to launch customized commands and search for IoCs on AWS cloud systems. Which of the following is a requirement to perform this?
Target instances should have EDR installed.
Target instances should be SSM-managed.
Target instances should be reachable from the Internet.
Target instances should be running Linux.
483a01b5-2969-4088-a0a6-a4587c403423
AWS Systems Manager (SSM) is an agent that runs on your EC2s, with a dedicated GUI to run operations on your EC2s. The real power of Systems Manager is how the AWS service can collect some of the results, provide visualizations, and invoke automations. Systems Manager was built to run commands across a fleet of systems, and it is what the Run Command feature relies on.
Book 3 Page 86
What three pieces of information are needed to configure an AWS CLI on any workstation?
SecretAccessKey, Credential, and Token
AccessKeyID, SecretAccessKey, and IP Address
AccessKeyID, SecretAccessKey, and Token
AccessKeyID, Password, and Token
287cf37c-cacd-4319-9cc1-d41b1b400a9e
AccessKeyID, SecretAccessKey, and Token. These three pieces of information are all that is needed to configure an AWS CLI on any workstation — even sitting at home, with the credentials necessary to make calls to the AWS API service as if they were the inspector-role. They would simply need to update the AWS CLI’s credentials file to use the retrieved secrets.
Book 3 Page 28
As an analyst, which of the following AWS services can be utilized to see a timeline of changes, details of changes, and to help tell the story of the resource?
AWS Config
AWS SecurityConfig
AWS GuardDuty
AWS SecurityHub
9a5454da-3f9e-4310-a8bd-36da45961634
AWS Config provides GUI and command-line access to resources and relationships. It gives a timeline of changes, details of changes, and can be used to help tell the story of the resource.
Book 3 Page 77
An attacker queries the metadata service of an EC2 system with an IP address of 169.254.169.254. What information would they receive from the metadata service that can enable them to make calls to AWS API from an attacker’s machine?
Temporary access token
API key
System password
Metadata ID
dabaca1e-7791-4339-a5db-302a6f3e6e78
This metadata service is available by querying the IP address 169.254.169.254, which acts as a REST interface. This is not a normal IP address that is routable to some web server in AWS.
The metadata service interacts with the AWS IAM service to create a temporary access token for that instance that can be used to make calls for resources through the AWS API.
Book 3 Page 10
Which of the following is an AWS resource inventory, configuration history, and configuration change notification service?
AWS Security Hub
AWS Config
AWS Configuration Manager
GuardDuty
dba1d1a5-7af0-468c-94db-4008089300e4
AWS Config was introduced in November of 2014 as an AWS resource inventory, configuration history, and configuration change notification service. AWS has since expanded AWS Config to support integration of compliance and conformance packs with configuration rules that let you define how resources should be configured and perform alerts or automated response actions when the rule is broken.
Book 3 Page 71
Which of the following can be leveraged to parse the content in configured backend datastores while using Azure Cognitive Search?
Lucene Query Syntax
Structured Query Language
Kusto Query Language
Boolean Query Syntax
9fc23e90-3f58-4e91-b218-2d49f56acbbd
A Lucene-formatted query can be leveraged to parse the content in the configured backend datastores. Luckily, within the Azure Search services, there is a component that aids in the creation of these queries and will even convert the query string to URI-encoded form, as this search may be leveraged by other, authenticated Azure applications.
Book 3 Page 102
Which of the following provides a way to add metadata to your AWS or Azure resource that is user controlled?
Keys
Comments
Tags
Metadata
588e5ca9-d54a-4cfb-8626-523feac143a0
Tags are a way to add user-controlled metadata to your AWS or Azure resource and can greatly help in an investigation. Tags themselves have no special magical property, but they can be used to change the way IAM policies work, how your automations use the resource, and how you bill sub-teams.
Book 3 Page 69
Which of the following is the recommended way to perform search and discovery of sensitive data in AWS cloud storage solutions?
Run search commands using SSM Agents.
Use AWS Macie for inventory and searching.
Use vulnerability scanners.
Use DLP solutions.
b01422a7-8914-4a91-9000-4377d4692b79
Macie first generates an inventory of the account’s S3 buckets. While doing this, several best practices are assessed, and deviations from them can be reported. You can also extend Macie beyond its default capabilities. Since it has visibility of AWS S3 bucket contents, AWS Macie can conduct searches for sensitive data using machine learning and pattern matching.
Book 3 Page 96
How do Lambda functions access sensitive environment information?
Stored in protected S3 buckets
Sending an HTTP request to a service on a local port
Querying the AWS secrets server
Injected environment variables at runtime
b847ce7a-0c44-4330-9a47-507ae01677d8
Lambda makes key data available through environment variables that are injected into the runtime environment of the Lambda function upon execution.
Book 3 Page 50
Which of the following would be a good use of AWS Lambda?
Sending a notification to the user when their order status has changed
Running a permanent website using Python Flask framework
Performing a one-time update of a database table
Executing workloads that require local access to resources
9ac389b8-3291-4a91-9c6f-6289f5b4b02d
AWS Lambda is a serverless compute service that lets you run arbitrary code when an event occurs. Long-running applications or ones that need local resources are better served by alternate services.
Book 3 Page 47
An analyst would like to query Azure metadata services. What should be the value of the custom header field for them to be able to perform this?
Securitytoken:true
Encrypted:true
Metadata:false
Metadata:true
cd4daffe-0e2e-40e7-bec0-8f93f2509084
Azure requires a custom header to be sent as part of the HTTP GET request. The value of the header must be Metadata:true to signify in the request that: yes, you know this is for metadata and nothing else. Without the header, the Azure metadata service will drop the query.
Book 3 Page 31
Which cloud native tool can check for and alert on service misconfigurations in Azure?
Macie
Defender
GuardDuty
Security Hub
0d161886-08c9-4712-893c-2e56bfc9bb85
Microsoft Defender for Cloud is the Azure solution for posture management and protecting workloads. It will look for and evaluate service misconfigurations. Microsoft Defender for Cloud breaks this down into three distinct sections. The Description section explains the finding and how the proper setting could enhance your security posture.
Book 3 Page 113
Which of the following solutions from Microsoft uses machine learning to detect and generate alerts on bad activity?
Azure Machine Learning Studios
Defender for Cloud
Amazon Q
Azure Front Door
4618de6b-2e66-45f5-85a8-e9706f91d7bf
Microsoft Defender for Endpoint (and others) uses machine learning models to detect bad activities in the services it monitors. Microsoft Defender for other services also uses anomaly detection and machine learning.
Book 3 Page 132
When interacting with a cloud environment, which tool offers the least amount of customization?
Command Line
SDK
CLI
GUI
b16c75ca-a5f6-45f4-885a-74c537fc9e2f
One drawback of using web GUIs to access cloud environments is that they are designed for a broad audience and not tailored specifically to your needs.
Book 3 Page 59
Which of the following pieces of information do attackers typically try to gather from an application running on a Cloud system when they perform an SSRF attack?
Application secret key and token
User credentials
Application private certificate and secret key
Application cookie and private certificate
b5af1104-a068-4ffb-bd9d-9bf15605ba09
During the Capital One attack, the attacker asked the application to return its own secret key and token information provided by the AWS management environment by querying the metadata service.
Book 3 Page 8
An analyst would like to set up a vulnerability management service within their AWS cloud environment. Which of the following native tools can the analyst use to perform network and host assessments in AWS?
GuardDuty
Security Hub
Inspector
CloudWatch
1ef09211-d8dd-4236-b0cc-13f71ab7bbd4
AWS Inspector can assess the systems against a multitude of standards; once the assessment completes, there are several options to acquire the assessment data depending on the cloud customer’s preference, such as: sending the data to AWS CloudWatch, AWS Security Hub, and/or AWS Simple Notification Service (SNS).
Book 3 Page 116
Which AWS native security tool displays a security score indicating the percentage of how compliant the cloud instance is with a certain framework?
Inspector
Security Hub
Systems Manager
Firewall Manager
fd22dc0f-eef5-47db-9152-b13faac40320
AWS Security Hub is a service that brings in alerts from multiple AWS services and third-party services. It rolls up the appropriate data and presents the security findings to the customer in an easy-to-digest format.
AWS Security Hub can break down different compliance frameworks in the form of a security score. This score will show a rough percentage of how compliant the customer’s cloud environment is with a certain framework.
Book 3 Page 111