Study Guide - Chapter 3: Malicious Activity Flashcards
1- Which of the following Linux commands will show you how much disk space is in use?
top
df
lsof
ps
df
The df command will show you a system’s current disk utilization. Both the top command and the ps command will show you information about processes, CPU, and memory utilization, whereas lsof is a multifunction tool for listing open files.
lsof
multi-function tool used in Linux for listing open files
2- What Windows tool provides detailed information, including information about USB host controllers, memory usage, and disk transfers?
Statmon
Resmon
Perfmon
Winmon
Perfmon
Perfmon, or Performance Monitor, provides the ability to gather detailed usage statistics for many items in Windows. Resmon, or Resource Monitor, monitors CPU, memory, and disk usage but does not provide information about things like USB host controllers and other detailed instrumentation. Statmon and winmon are not Windows built‐in tools.
Resmon
Resource Monitor, also known as resmon, is a built-in Windows tool used for monitoring system resources. It provides visibility into the CPU, memory, disk, and network utilization of a system.
Items to note:
* Real-time monitoring
* Process monitoring
* Network monitoring
* Easy access
* Basic Usage Measures
* Averages
* Graphical representation
Perfmon
Performance Monitor, also known as perfmon, is a built-in Windows tool used for detailed system resource and performance monitoring. It provides more in-depth data than the Resource Monitor (resmon) tool.
Items to note:
* Detailed data
* Remote collection: Unlike resmon, perfmon supports data collection from remote systems
* Customizable reports
* Detailed usage statistics
* Advanced monitoring: It provides much more detailed data than resmon, with counters ranging from energy usage to disk and network activity, as well as USB host controllers and other detailed instrumentation
3- What type of network information should you capture to be able to provide a report about how much traffic systems in your network sent to remote systems?
- Syslog data
- WMI data
- Resmon data
- Flow data
Flow data
Flow data provides information about the source and destination IP address, protocol, and total data sent and would provide the detail needed. Syslog, WMI, and resmon data are all system log information and would not provide this information.
4- Which of the following technologies is best suited to prevent wired rogue devices from connecting to a network?
- NAC
- PRTG
- Port security
- NTP
NAC
Network access control (NAC) can be set up to require authentication. Port security is limited to recognizing MAC addresses, making it less suited to preventing rogue devices. PRTG is a monitoring tool, and NTP is the Network Time Protocol.
PRTG
Network monitoring tool
- Network Traffic Analysis: PRTG can monitor network traffic flow by using data from routers, identifying the source and destination IPs, protocols, and data usage. It displays flow information in a way that allows sorting and searching, similar to a phone bill showing call details.
- Behavior-Based Detection: PRTG can be used with security monitoring tools that use behavior-based detection to identify issues like unexpected communication with command-and-control systems.
- Proactive and Reactive Monitoring: Network flow data from PRTG can be used proactively to monitor network health and reactively to identify unexpected traffic or changes in bandwidth.
- Real-time Monitoring: It provides a real-time view of network traffic, allowing for the identification of issues as they happen.
- Alerting: PRTG can provide alerts based on specific thresholds such as high memory usage.
- Integration: PRTG can integrate with security information and event management (SIEM) devices or log analysis tools for deeper analysis and response capabilities.
- Visualization: It uses graphs and charts to display data, making it easier to identify trends or abnormal activity.
- Troubleshooting: PRTG is useful in diagnosing network issues. For example, it can help detect a denial-of-service (DoS) attack or identify a severed network link.
- Baseline Establishment: PRTG can be used to establish network baselines, which can help in identifying unexpected or unusual traffic patterns.
5- As part of her job, Danielle sets an alarm to notify her team via email if her Windows server uses 80 percent of its memory and to send a text message if it reaches 90 percent utilization. What is this setting called?
A monitoring threshold
A preset notification level
Page monitoring
Perfmon calibration
A monitoring threshold
A monitoring threshold is set to determine when an alarm or report action is taken. Thresholds are often set to specific values or percentages of capacity.
7- What term describes a system sending heartbeat traffic to a botnet command‐and‐control server?
- Beaconing
- Zombie ping
- CNCstatus
- CNClog
Beaconing
Beaconing activity (sometimes called heartbeat traffic) occurs when traffic is sent to a botnet command‐and‐control system. The other terms are made up.
9- What can the MAC address of a rogue device tell you?
Its operating system version
The TTL of the device
What type of rogue it is
The manufacturer of the device
The manufacturer of the device
Hardware vendor ID codes are part of MAC addresses and can be checked for devices that have not had their MAC address changed. It is possible to change MAC addresses, so relying on only the MAC address is not recommended, but it can be useful to help identify what a rogue device might be.
10- How can Jim most effectively locate a wireless rogue access point that is causing complaints from employees in his building?
- Nmap
- Signal strength and triangulation
- Connecting to the rogue AP
- NAC
Signal strength and triangulation
Locating a rogue AP is often best done by performing a physical survey and triangulating the likely location of the device by checking its signal strength. If the AP is plugged into the organization’s network, nmap may be able to find it, but connecting to it is unlikely to provide its location (or be safe!). NAC would help prevent the rogue device from connecting to an organizational network but won’t help locate it.
Which of the following tools does not provide real‐time drive capacity monitoring for Windows?
- Microsoft Configuration Manager
- Resmon
- SCOM
- Perfmon
Microsoft Configuration Manager
Microsoft Configuration Manager provides non‐real‐time reporting for disk space. Resmon, perfmon, and SCOM can all provide real‐time reporting, which can help identify problems before they take a system down.
SCOM
System Center Operations Manager (SCOM) is a Microsoft tool used for real-time monitoring of various systems and applications in an organization’s IT infrastructure.
Key features and capabilities of SCOM include:
* Real-time monitoring: SCOM provides real-time monitoring of disk capacity. It can help identify potential issues before they take a system down.
* Application monitoring: It monitors the health and performance of applications and services.
* Performance monitoring: SCOM monitors the performance of servers and other IT infrastructure components.
* Log data analysis: It aggregates log data to help identify unusual activity that might indicate a problem. SCOM can provide real-time reporting, which is useful for identifying problems before they take a system down.
* Alerting: SCOM can generate alerts based on defined thresholds and conditions, enabling security teams to identify security incidents.
* Reporting: It provides reporting capabilities to track performance metrics, enabling analysis and trend identification.
Microsoft Configuration Manager
Formerly known as System Center Configuration Manager (SCCM), it is a software management tool that helps organizations manage and deploy software, operating systems, and updates across a large number of devices. It is also used for monitoring and reporting on software and hardware inventories in an enterprise environment.
Here are some of the key functions and capabilities of Microsoft Configuration Manager:
* Software installation and reporting: Configuration Manager can manage software installation and report on installed software. It can quickly display the patch status of enterprise systems and remediate those with missing patches.
* Centralized Management: It provides a centralized management console for managing systems across an organization.
* Patch Management: Configuration Manager can be used to centrally distribute and monitor the patch level of systems throughout the enterprise.
* Software and Application Management: It helps to manage the software and applications present on workstations, servers, and mobile devices.
* Non-real-time Reporting: Unlike tools like resmon and perfmon, Configuration Manager does not monitor in real-time. It is designed to manage software and provide reports on the systems, but it does not provide real-time monitoring of resources like disk space.
* Software Updates: It can manage updates for operating systems and applications.
* Reporting: Configuration Manager allows administrators to quickly view the patch status of systems and remediate any systems with missing patches.
12- One of the business managers in Geeta’s organization reports that she received an email with a link that appeared to be a link to the organization’s HR website, and that the website it went to when she clicked on it was very similar to the organization’s website. Fortunately, the manager noticed that the URL was different than usual. What technique best describes a link that is disguised to appear legitimate?
- An obfuscated link
- A symbolic link
- A phishing link
- A decoy link
An obfuscated link
Obfuscated links take advantage of tricks, including using alternate encodings, typos, and long URLs that contain legitimate links wrapped in longer malicious links. Symbolic links are a pointer used by Linux operating systems to point to an actual file using a filename and link. Phishing links and decoy links are not common terms.
13- Angela wants to review the syslog on a Linux system. What directory should she check to find it on most Linux distributions?
- /home/log
- /var/log
- /log
- /var/syslog
/var/log
The syslog file is found in /var/log on most Linux hosts.
14- Laura wants to review headers in an email that one of her staff is suspicious of. What should she not have that person do if she wants to preserve the headers?
- She shouldn’t have them print the email.
- She shouldn’t have them reply to the email.
- She shouldn’t have them forward the email to her.
- She shouldn’t have them download the email.
She shouldn’t have them forward the email to her.
Forwarding an email will remove the headers and replace them with new headers on the forwarded email—but not the original. Laura should use a “view headers” or “view original email” option if it exists to view and analyze the headers. Printing, replying, or downloading an email will not impact the headers.
Which of the following is a key differentiator between a SIEM and a SOAR?
- A SIEM does not provide a dashboard.
- A SOAR provides automated response capabilities.
- A SOAR does not provide log aggregation.
- A SIEM provides log analysis.
A SOAR provides automated response capabilities.
SOAR tools focus on orchestration and response. SIEM tools typically do not focus on automated response. Both leverage log analysis and aggregation and will provide dashboards and reporting.
SOAR
Security Orchestration, Automation, and Response
SOAR platforms integrate various security systems, centralize data, automate tasks using playbooks, and enable incident response, while also enhancing threat intelligence through multiple data sources.
Unlike Security Information and Event Management (SIEM) tools, SOAR platforms focus on broader data acquisition and process automation.
16- Which of the following options is not a valid way to check the status of a service in Windows?
- Use sc at the command line.
- Use service –status at the command line.
- Use services.msc.
- Query service status using PowerShell.
Use service –status at the command line.
The service –status command is a Linux command. Windows service status can be queried using sc, the Services snap‐in for the Microsoft Management Console (MMC), or via a PowerShell query.
17- Avik has been asked to identify unexpected traffic on her organization’s network. Which of the following is not a technique she should use?
- Protocol analysis
- Heuristics
- Baselining
- Beaconing
Beaconing
Protocol analysis, using heuristic (behavior)‐based detection capabilities, and building a network traffic baseline are all common techniques used to identify unexpected network traffic. Beaconing occurs when a system contacts a botnet command‐and‐control (C&C) system, and it is likely to be a source of unexpected traffic.
19- Susan wants to use an email security protocol to determine the authenticity of an email. Which of the following options will ensure that her organization’s email server can determine if it should accept email from a sender?
- DMARC
- SPF
- DKIM
- POP3
DMARC
DMARC (Domain‐Based Message Authentication, Reporting, and Conformance) is a protocol that combines SPF and DKIM to prove that a sender is who they claim to be. DKIM validates that a domain is associated with a message, whereas SPF lists the servers that are authorized to send from your domain. POP3 is an email protocol but does not perform the function described.
DMARC
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
* an email authentication protocol that uses SPF and DKIM to determine if an email message is authentic
* DMARC records are published in DNS and can be used to reject or quarantine messages that are not sent by a DMARC-supporting sender.
DKIM
DomainKeys Identified Mail (DKIM)
- an email authentication method that allows organizations to add a digital signature to their messages, which can be verified against the organization’s public key stored in DNS
- ensures that the message is actually from the organization it claims to be from, and that the message content has not been modified in transit
SPF
Sender Policy Framework (SPF)
- an email authentication technique that allows organizations to publish a list of their authorized email servers in their domain’s DNS records
- Messages from systems not listed in the SPF record will be rejected by receiving mail servers, helping to prevent email spoofing.