Security Operations and Monitoring Flashcards

1
Q

Susan wants to use an email security protocol to determine the authenticity of an email. Which of the following options will ensure that her organization’s email server can determine if it should accept email from a sender?

A. DMARC

B. SPF

C. DKIM

D. POP3

A

Answer:

A. DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a protocol that combines SPF and DKIM to prove that a sender is who they claim to be. DKIM validates that a domain is associated with a message, whereas SPF lists the servers that are authorized to send from your domain. POP3 is an email protocol but does not perform the function described.

2
Q

Ben wants to reverse-engineer a malware sample. Which of the following tools will allow him to view assembly code for the program if he only has a binary executable?

A. A debugger

B. A compiler

C. grep

D. A disassembler

A

Answer:

D. A disassembler can translate binary machine code into assembly code, making it far more human-readable. Once he has run a disassembler against the binary, Ben can perform further analysis of the program and its functions.

3
Q

Angela wants to review the syslog on a Linux system. What directory should she check to find it on most Linux distributions?

A. /home/log

B. /var/log

C. /log

D. /var/syslog

A

Answer:

B. The syslog file is found in /var/log on most Linux hosts.

4
Q

Charles is reviewing flow logs for his organization and notices that traffic has seen a 20 percent increase on the second Thursday of each month, after which the traffic returns to normal. What type of analysis is Charles conducting?

A. Timeline-based analysis

B. Threat hunting

C. Trend analysis

D. Heuristic analysis

A

Answer:

C. Charles is performing trend analysis. He has noticed a consistent change in pattern and has checked it over a period of time. His next step will likely be to look at the source and destination of the traffic, as well as details like the port and protocol associated with the traffic. With that information, he can determine if there is any security concern.

5
Q

Ian wants to view all of the data about current memory consumption on his Linux system but wants to be able to read it one page at a time. Which of the following commands will allow him to do so?

A. top | more

B. top | grep

C. top -p

D. top -n

A

Answer:

A. Piping output to more will break it up into pages, allowing Ian to page through the output from top one page at a time. grep would be useful for searching if he provided search terms. Neither of the flags shown will paginate top’s output.

6
Q

Ben works with a team that includes a dozen security analysts who all write detection rules for his organization’s IPS devices for multiple divisions around the world. What type of system could he implement to ensure that releases follow the proper testing and implementation processes?

A. A CD pipeline

B. A SIEM

C. A workflow orchestration system

D. A fuzzer

A

Answer:

C. Ben’s best option is a workflow orchestration system that can define and manage the logical flow of his business processes. A continuous deployment (CD) pipeline can ensure that rules are deployed, but there is no mention of continuous integration, which is important for testing in addition to implementation. Finally, a SIEM is a security information and event management tool, and a fuzzer is used to test software by inserting random data. Neither will help Ben with this issue.

7
Q

Chris is reviewing NetFlow logs while monitoring for systems that are participating in a botnet. Which of the following types of data will he not be able to see in his NetFlow records?

A. Packet payload

B. Source IP address

C. Protocol

D. Destination IP address

A

Answer:

A. NetFlow does not capture the packet payload, and Chris will not be able to see this.

8
Q

Alaina wants to deploy a tool that can monitor the behavior of users while correlating that behavior centrally to determine if a security incident has occurred. What type of tool should she acquire?

A. A network analyzer

B. A UEBA tool

C. Antimalware with heuristics

D. A DMARC tool

A

Answer:

B. A user and entity behavior analytics (UEBA) tool will be her best bet. UEBA tools monitor end-user behavior using agents and focus on detection of anomalous behavior paired with analytics and correlation capabilities. A network analyzer would be useful for reviewing packets, antimalware with heuristics can detect malware but isn’t focused on user behavior in most cases, and a DMARC tool would help with email security configuration.

9
Q

Chris wants to decrease the threat of malicious email links in email. What technique can he use to decrease their likelihood of success without having a significant business impact?

A. Block all links in email

B. Implement DNS blackholing using a DNS reputation service

C. Turn on SPF and DKIM for all email

D. Use a proxy to filter all web traffic from email links

A

Answer:

B. Chris can block many known malicious links by implementing a DNS blackhole that is fed by a DNS reputation service. Blocking all links in email is likely to cause significant business impact, SPF and DKIM will not have an impact on links in email, and a proxy can filter web traffic. However, determining which URLs came from email links and which were browsed to or manually entered is unlikely to be implementable in any reasonable way.

10
Q

Tim has assigned an analyst to add third-party threat data feeds to his organization’s SIEM. Once the analyst is done, they will spend time reviewing syslog data feeds to ensure that they contain the information that is needed for responses. What is the analyst doing?

A. Threat feed grooming

B. Workflow orchestration

C. Syslog combing

D. Data enrichment

A

Answer:

D. The analyst is performing data enrichment, the process of enhancing or improving data. In this case, the threat feeds and syslog input review will improve the overall quality of both the SIEM’s threat feed and the data it is used to analyze.

11
Q

Elaine wants to check for user logins on a Linux system. What log location should she check first?

A. /var/log/syslog

B. /var/log/auth.log

C. /var/log/logins

D. /var/log/messages

A

Answer:

B. Elaine should check /var/log/auth.log, which is the default collection point for authentication logs on Linux systems. On Red Hat and CentOS, authentication logs go to /var/log/secure, but since that isn’t listed, auth.log is the best and only correct answer among those listed.

12
Q

While analyzing a malware infection, Joseph notes that the malware has encrypted files, thereby preventing the organization’s main web application server from serving files. What type of impact has he noted?

A. Localized, immediate impact

B. Organizational total impact

C. Organizational, immediate impact

D. Localized total impact

A

Answer:

A. Joseph hasn’t taken into account the impact to the organization that the server being down may have, and he likely needs to assess whether the files were also uploaded or otherwise exposed. This means that he has looked at the localized impact to just the system and the immediate impact by noting what the impact is at the moment instead of what longer-term issues may arise.

13
Q

Ben’s organization uses an IP reputation service to block outbound access to all sites that are flagged with a negative reputation score. What issue could this cause?

A. Customers may be unable to access the organization’s website.

B. Inadvertent blocking of sites due to false positives.

C. Too many SIEM entries due to blacklisted sites being accessed.

D. This will not lead to any problems.

A

Answer:

B. While IP reputation tools can be useful, much like any automated blacklisting tool, they can also result in desired sites and services being blocked. Attacks that rely on popular services like Google Forms can result in services being blocked until they are manually whitelisted or fall out of the blacklist.

14
Q

James wants to monitor a Linux system’s filesystem for unauthorized changes. What open source tool can he use to perform this task?

A. Tripwire

B. Filemon

C. Filecatcher

D. ftracker

A

Answer:

A. Tripwire and OSSEC are both open source options that provide host intrusion detection capabilities, including filesystem monitoring. The other answers were made up for this question.

15
Q

Charlene executes the following command against the file shown. What entries will it return?

grep -v error /var/log/boot.log

A. All lines with the string “error” in them

B. All lines with successful boot messages

C. All lines without the string “error” in them

D. All lines without successful boot messages

A

Answer:

C. The -v flag for grep returns any line that doesn’t match the string. In this case, it will search for all logs in /var/log/boot.log without the string “error” in them. Charlene likely needs a better search string, since most of the boot.log file won’t include the string error!

16
Q

Megan is trying to prevent impersonation attacks from impacting her company but receives a “No DMARC record found” error when she checks a frequent business partner’s DNS information. What do they need to do to enable DMARC?

A. Publish an SPF record

B. Publish a DMARC record

C. Set up DKIM authentication

D. All of the above

A

Answer:

D. DMARC relies on both SPF and DKIM being set up properly, so Megan may need to walk their email administrator through all three steps to be able to use DMARC with them.

17
Q

Ian finds entries in /var/log/faillog on a Linux system. What types of events will be in the log file?

A. Application start failures

B. System errors resulting in reboots

C. Failed login attempts

D. Failed privilege escalation attempts

A

Answer:

C. The /var/log/faillog log file contains failed login attempts on Linux systems.

18
Q

Tony wants to check the digital signature of an email. What key does he need to verify that an email is from his friend Mal?

A. Mal’s private key

B. Tony’s private key

C. Mal’s public key

D. Tony’s public key

A

Answer:

C. All Tony needs to verify that an email is from Mal is Mal’s public key. The email will be signed with Mal’s private key. If the public key works, then Mal signed it.