Section 4 - Security Operations

Question 1

What is the continual process used to understand the threat faced by an organization and what organization aids in identifying the different types of issues faced

Answer 1

Threat Intelligence

Cybersecurity & Infrastructure Security Agency (CISA) - 16 critical sectors

Question 2

What 3 distinct areas are threat intelligence broken down into

Answer 2

Tactical - Tactics, techniques and procedures of a threat actor (TTP’s). Used by network and security teams to fortify VulnMgmt, alerting, and architectural design

Strategic - big picture leadership and associated with reports to identify the motivations, capabilities, and intentions of various threat actors

Operational - logs, SIEM Platforms, used to identify current attacks and IOCs. Used by security and forensic analyst and incident responders.

Question 3

Describe the differences between Threat and Adversary Emulation

Answer 3

Threat emulation describes emulating known TTP’s to mimic the actions of a threat in a realistic way without emulating a specific threat actor which is where adversary emulation comes into play.

Question 4

What is an assessment technique that utilizes insights gained from threat intelligence to proactively discover IOC’s within the environment using an “assume breach” mindset.

Answer 4

Threat Hunting - led by senior staff and very time consuming.

Uses Advisories and Bulletins
Used Intelligence fusion and threat data:

• Intelligence Feeds
• Deep Web
• OSINT
• Human Intelligence (HUMINT)

Question 5

Name the Threat Actor Groups

Answer 5

Script Kiddies
Insider Threats - employee or contractor and intentional and unintentional
Competitor - corporate espionage
Organized Crime - for commercial gain
Hacktivists -
Nation-State - both military and commercial goals - APT

Question 6

Which Threat Management Framework is focused on the relationship between tactics and techniques

Answer 6

MITRE ATT&CK

also documents group behavior profiles of various well-known adversarial groups to show the techniques of each group.

There is a MITRE ATT&CK for ICS

Question 7

What Threat Management framework focuses on events and describes them in terms of four core and interrelated base features

Answer 7

Diamond Model of Intrusion Analysis

1. Advesary
2. Capability
3. Infrastructure
4. Victim

Uses visualization using a diamond to demonstrate the meta features that connect to each of them.

Question 8

What is the threat management framework developed by Lockheed Martin that describes the steps/actions an adversary must complete in order to achieve their goals.

Answer 8

Cyber Kill Chain - 7 Steps
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and Control (C2)
7. Action on objectives

Question 9

Name some key elements of Vulnerability Management

Answer 9

With our without credentials
Agent vs Agentless
Active vs Passive (netflow)
Criticality Ranking
invariably identify patching requirements

Question 10

Name some Vulnerability Information Sources

Answer 10

Advisories - typically software vendor
Bulletins - newsletters and reports
ISACS - Information Sharing and Analysis Centers - non-profit agencies
News Reports

Question 11

What describes a suite of interoperable specifications designed to standardize the formatting and naming conventions used to identify and report on the presence of software flaws such as misconfiguration and/or vulnerabilities

Answer 11

Security Content Automation Protocol

Question 12

Name the SCAP Languages

Answer 12

Open vulnerability and Assessment Language (OVAL) - describes 3 main aspects of an evaluated system.

Asset Reporting Format (ARF) helps to correlate formats to asset information independently from any specific application or vendor for consistency

Extensible Configuration Checklist Description Format (XCCDF) - written in XML and provides a consistent and standardize way to define benchmark information as well as configuration and security checks to be performed.

Question 13

Name the 3 SCAP Identification schemes

Answer 13

Common Platform Enumeration (CPE)- standardize naming format for systems and software

Common Vulnerabilities and Exposures (CVE) - unique identifier to describe public known vulnerabilities

Common Configuration Enumeration (CCE) - similar to CVE but focused on configuration issues which may result in a vulnerability

Question 14

How is SCAP scored for levels of severity and what are those levels

Answer 14

Common Vulnerability Scoring System (CVSS)
0 - None
.1-3.9 - Low
4.0-6.9 - Medium
7-8.9 - High
9-10 - Critical

Question 15

What is the difference between a Protocol Analyzer and a Network Traffic Analyzer?

Answer 15

Network traffic analyzer is crafted to aid in the analysis of data capture by a sensor while protocol analyzer like wireshark to create PCAP files for further analysis

Question 16

What is a common HTTP Interceptor or Proxy

Answer 16

BurpSuite and BeEF

Question 17

What does a SCAP Scanner perform?

Answer 17

Uses SCAP to compare a target computer/software configuration and patch levels against predetermined settings contained in SCAP content baseline.

SCAP scanners also use DOD STiGS as a baseline

Question 18

Name the deceptive technologies that can be used to help better identify threats and facilitate research and analysis of the techniques in a safe environment

Answer 18

Decoy Files - honeytokens and/or canary traps .

Honeypot - mimics genuine system
Honeynet - several honeypots
Simulators - such as ssh, mail, telnet, etc.
Dynamic Network Configuration – allows for SDN and flexibility to be re-deployed.

Question 19

What advanced service can Security Data Analytics feed into

Answer 19

User and Entity Behavior Analytics (UEBA)

Question 20

What is the monitoring of data focused on DBMS

Answer 20

Database Activity Monitoring (DAM)
requirement of SOX 404

Question 21

What is the type of attack that is based on a race condition where the time it is checked vs the time it is used allowing attacker to achieve unauthorized outcomes

Answer 21

Time of check vs time of use (TOCTOU)

Question 22

What is the Linux utility for software deployment, application virtualization, and package management?

Answer 22

Flatpak

Question 23

What are some techniques that can protect against buffer overflow attacks

Answer 23

Patching
Security Coding
Address Space Layout Randomization (ASLR) - components are randomized
Data Execution Protection (DEP) - allows for an OS to detect areas of memory that contain executable code and areas that do not and prevent execution

Question 24

Name some common Web Application vulnerabilities

Answer 24

Broken Authentication
Insecure References - changing Customer ID for example
Weak Ciphers and Cipher Suites
Improper Headers
Certificate Errors

Question 25

What describes the process by which software can be analyzed for open-source components

Answer 25

Software Composition Analysis Best performed using automation such as the OWASP Dependency-Check Tool and in more depth the Dependency-Track tool.

Question 26

What is the popular data exchange based on web technologies

Answer 26

JSON/REST API SOAP - where REST is an architectural style SOAP is a protocol to communicate over HTTP using XML

Question 27

What is the difference between Browser Extensions and Browser Plugins and what technology has replaced plugins

Answer 27

Extensions can be added web browser to expand its functionality or add features not present by default. Plugin are applications installed in a way to be called or executed. Flash, Java, etc. are examples of plugins HTML5 and Asynchronous JavaScript and XML (AJAX)

Question 28

What ty-pe of attack allows an attacker to access OS files that run the web application

Answer 28

Directory or File Traversal %2E - . and %2F - /

Question 29

What attack is similar to directory traversal that manipulates file paths to control how a web application operates

Answer 29

Cross Site Scripting (XSS) Reflected - bounces off web site when link is clicked Stored - inserts malicious code into the web application

Question 30

Type of attack that causes victim to unintendedly carry out an action on a website.

Answer 30

Cross-Site Request Forgery (CSRF)

Question 31

What type of attack uses SQL Language in place of username

Answer 31

Authentication Bypass Protection is input validation

Question 32

What is the attack where there threat actor is able to execute shell commands on a host via a vulnerable web application

Answer 32

Command Injection OS API's should be used instead of command shells

Question 33

What is the attack that where an adversary can insert code into an existing process to evade detection and gain access privileges equivalent to the exploited process

Answer 33

Process Injection MITRE ATT&CK ID T1055

Question 34

Name some common infrastructure attacks and mitigations

Answer 34

Sandbox escape VM Hopping and Escape VLAN Hopping - spoofing and double tagging - disable dynamic trunking and change default VLAN ID BGP Route Hijacking

Question 35

What is the difference between packet and protocol capture and Netflow

Answer 35

a flow connector is a means of recording metadata and statistics about network traffic rather than capturing each frame. Developed by Cisco and redeveloped as IP Flow Information Export (IPFIX)

Question 36

What tools and classification systems can be used with Antivirus protection

Answer 36

virus total Yara Rules

Question 37

Describe False/True Negative/Positive

Answer 37

False Negative - a case that is not identified Fales Positive - case that is reported that should not be True Positive - case reported when it should be True Negative - not reported and it should not be. Informational only

Question 38

What are the action and guideline for dealing with security events and what are the specific actions to take in response to emergency scenarios

Answer 38

Incident Response Plans (IRP) Incident response playbooks

Question 39

Describe the differences between Cryptanalysis and Steganalysis

Answer 39

Cryptanalysis is the art and science of cracking cryptographic schemes with Steganalysis attempts to identify messages and/or media which have been hidden in cover files

Question 40

What is the tool for inspecting firmware images

Answer 40

Binwalk -

Question 41

What is as tool for performing memory analysis

Answer 41

Volatility

Question 42

What tool can used to identify interactions between processes and Linux Kernel

Answer 42

Strace

Question 43

which command line utility is designed to display real time information about system memory, running processes, interrupts, paging and I/O stats

Answer 43

vmstat