Security Operations and Monitoring Flashcards
Susan wants to use an email security protocol to determine the authenticity of an email. Which of the following options will ensure that her organization’s email server can determine if it should accept email from a sender?
A. DMARC
B. SPF
C. DKIM
D. POP3
Answer:
A. DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a protocol that combines SPF and DKIM to prove that a sender is who they claim to be. DKIM validates that a domain is associated with a message, whereas SPF lists the servers that are authorized to send from your domain. POP3 is an email protocol but does not perform the function described.
Ben wants to reverse-engineer a malware sample. Which of the following tools will allow him to view assembly code for the program if he only has a binary executable?
A. A debugger
B. A compiler
C. grep
D. A disassembler
Answer:
D. A disassembler can translate binary machine code into assembly code, allowing it to be far more human readable. Once he has run a disassembler against the binary, Ben can perform further analysis of the program and its functions.
Angela wants to review the syslog on a Linux system. What directory should she check to find it on most Linux distributions?
A. /home/log
B. /var/log
C. /log
D. /var/syslog
Answer:
B. The syslog file is found in /var/log on most Linux hosts.
Charles is reviewing flow logs for his organization and notices that traffic has seen a 20 percent increase on the second Thursday of each month, after which the traffic returns to normal. What type of analysis is Charles conducting?
A. Timeline-based analysis
B. Threat hunting
C. Trend analysis
D. Heuristic analysis
Answer:
C. Charles is performing trend analysis. He has noticed a consistent change in pattern and has checked it over a period of time. His next step will likely be to look at the source and destination of the traffic, as well as details like the port and protocol associated with the traffic. With that information, he can determine if there is any security concern.
Ian wants to view all of the data about current memory consumption on his Linux system but wants to be able to read it one page at a time. Which of the following commands will allow him to do so?
A. top | more
B. top | grep
C. top -p
D. top -n
Answer:
A. Piping output to more will break it up into pages, allowing Ian to page through top’s output one page at a time. grep would be useful for searching if he provided search terms. Neither of the flags shown will paginate top’s output.
Ben works with a team that includes a dozen security analysts who all write detection rules for his organization’s IPS devices for multiple divisions around the world. What type of system could he implement to ensure that releases follow the proper testing and implementation processes?
A. A CD pipeline
B. A SIEM
C. A workflow orchestration system
D. A fuzzer
Answer:
C. Ben’s best option is a workflow orchestration system that can define and manage the logical flow of his business processes. A continuous deployment (CD) pipeline can ensure that rules are deployed, but there is no mention of continuous integration, which is important for testing in addition to implementation. Finally, a SIEM is a security information and event management tool, and a fuzzer is used to test software by inserting random data. Neither will help Ben with this issue.
Chris is reviewing NetFlow logs while monitoring for systems that are participating in a botnet. Which of the following types of data will he not be able to see in his NetFlow records?
A. Packet payload
B. Source IP address
C. Protocol
D. Destination IP address
Answer:
A. NetFlow does not capture the packet payload, and Chris will not be able to see this.
Alaina wants to deploy a tool that can monitor the behavior of users while correlating that behavior centrally to determine if a security incident has occurred. What type of tool should she acquire?
A. A network analyzer
B. A UEBA tool
C. Antimalware with heuristics
D. A DMARC tool
Answer:
B. A user and entity behavior analytics (UEBA) tool will be her best bet. UEBA tools monitor end-user behavior using agents and focus on detection of anomalous behavior paired with analytics and correlation capabilities. A network analyzer would be useful for reviewing packets, antimalware with heuristics can detect malware but isn’t focused on user behavior in most cases, and a DMARC tool would help with email security configuration.
Chris wants to decrease the threat of malicious email links in email. What technique can he use to decrease their likelihood of success without having a significant business impact?
A. Block all links in email
B. Implement DNS blackholing using a DNS reputation service
C. Turn on SPF and DKIM for all email
D. Use a proxy to filter all web traffic from email links
Answer:
B. Chris can block many known malicious links by implementing a DNS blackhole that is fed by a DNS reputation service. Blocking all links in email is likely to cause significant business impact, SPF and DKIM will not have an impact on links in email, and a proxy can filter web traffic. However, there is no reasonable way for a proxy to determine which URLs came from email links and which were browsed to or entered manually.
Tim has assigned an analyst to add third-party threat data feeds to his organization’s SIEM. Once the analyst is done, they will spend time reviewing syslog data feeds to ensure that they contain the information that is needed for responses. What is the analyst doing?
A. Threat feed grooming
B. Workflow orchestration
C. Syslog combing
D. Data enrichment
Answer:
D. The analyst is performing data enrichment, the process of enhancing or improving data. In this case, the threat feeds and syslog input review will improve the overall quality of both the SIEM’s threat feed and the data it is used to analyze.
Elaine wants to check for user logins on a Linux system. What log location should she check first?
A. /var/log/syslog
B. /var/log/auth.log
C. /var/log/logins
D. /var/log/messages
Answer:
B. Elaine should check /var/log/auth.log, which is the default collection point for authentication logs on Linux systems. Red Hat and CentOS authentication logs go to /var/log/secure, but since that isn’t listed, auth.log is the best and only correct answer among those listed.
While analyzing a malware infection, Joseph notes that the malware has encrypted files, thereby preventing the organization’s main web application server from serving files. What type of impact has he noted?
A. Localized, immediate impact
B. Organizational total impact
C. Organizational, immediate impact
D. Localized total impact
Answer:
A. Joseph hasn’t taken into account the impact to the organization that the server being down may have, and he likely needs to assess whether the files were also uploaded or otherwise exposed. This means that he has looked at the localized impact to just the system and the immediate impact by noting what the impact is at the moment instead of what longer-term issues may arise.
Ben’s organization uses an IP reputation service to block outbound access to all sites that are flagged with a negative reputation score. What issue could this cause?
A. Customers may be unable to access the organization’s website.
B. Inadvertent blocking of sites due to false positives.
C. Too many SIEM entries due to blacklisted sites being accessed.
D. This will not lead to any problems.
Answer:
B. While IP reputation tools can be useful, much like any automated blacklisting tool, they can also result in desired sites and services being blocked. Attacks that rely on popular services like Google Forms can result in services being blocked until they are manually whitelisted or fall out of the blacklist.
James wants to monitor a Linux system’s filesystem for unauthorized changes. What open source tool can he use to perform this task?
A. Tripwire
B. Filemon
C. Filecatcher
D. ftracker
Answer:
A. Tripwire and OSSEC are both open source options that provide host intrusion detection capabilities, including filesystem monitoring. The other answers were made up for this question.
Charlene executes the following command against the file shown. What entries will it return?
grep -v error /var/log/boot.log
A. All lines with the string “error” in them
B. All lines with successful boot messages
C. All lines without the string “error” in them
D. All lines without successful boot messages
Answer:
C. The -v flag for grep returns any line that doesn’t match the string. In this case, it will return all lines in /var/log/boot.log that do not contain the string “error”. Charlene likely needs a better search string, since most of the boot.log file won’t include the string error!