Technical Flashcards

1
Q

What is a Proxy?

PROXIES

A

A proxy is an intermediary server that acts as a gateway between a client and a server.
It forwards requests from the client to the server and sends the server’s responses back to the client.

Proxies serve various purposes, such as enhancing security, improving browsing performance, enabling anonymity, and bypassing restrictions.

They can operate at different layers of the OSI model, typically at the application layer.

2
Q

What are the types of proxies and their uses?

PROXIES

A
  • Forward Proxy:
    • Description: Acts as an intermediary between the client and the internet. The client sends requests to the proxy, which forwards them to the desired server.
    • Key Characteristics:
      • Typically configured on the client side.
      • Can filter traffic and enforce access policies.
  • Reverse Proxy:
    • Description: Sits in front of servers and manages client requests on behalf of the server.
    • Key Characteristics:
      • Typically configured on the server side.
      • Often used in conjunction with load balancers.
  • Transparent Proxy:
    • Description: Intercepts client requests without requiring client configuration. The client’s IP address is visible to the destination server.
    • Key Characteristics:
      • Easy to implement in networks.
      • Provides minimal privacy protection.
  • Anonymous Proxy:
    • Description: Hides the client’s IP address but identifies itself as a proxy.
    • Key Characteristics:
      • Provides basic privacy.
      • Still detectable as a proxy by destination servers.
  • Elite (High-Anonymity) Proxy:
    • Description: Hides both the client’s IP address and the fact that a proxy is being used.
    • Key Characteristics:
      • Offers the highest level of anonymity.
      • Hard to detect.
3
Q

Key aspects of a reverse proxy

PROXIES

A
  1. Load Balancing:
    • Function: Distributes incoming client requests across multiple backend servers.
    • Benefits:
      • Optimizes resource usage.
      • Ensures even distribution of traffic.
      • Improves system performance and availability.
  2. Security:
    • Function: Acts as an additional security layer between clients and backend servers.
    • Benefits:
      • Protects backend servers from direct exposure to the internet.
      • Supports features like access control, authentication, and protection against web attacks (e.g., SQL injection).
  3. SSL Termination:
    • Function: Handles SSL/TLS encryption and decryption.
    • Benefits:
      • Reduces the computational load on backend servers.
      • Simplifies SSL certificate management.
  4. Content Caching:
    • Function: Stores static content like images, JavaScript, or CSS files.
    • Benefits:
      • Reduces the load on backend servers.
      • Improves response times for end users.
  5. Application Firewall (WAF):
    • Function: Protects against common web-based attacks.
    • Benefits:
      • Defends against SQL injection, cross-site scripting (XSS), and other vulnerabilities.
      • Monitors and filters HTTP traffic to ensure security.
  6. Compression:
    • Function: Compresses data before sending it to clients.
    • Benefits:
      • Reduces bandwidth usage.
      • Improves page load times for users with slower internet connections.
  7. Logging and Monitoring:
    • Function: Provides detailed logs and real-time monitoring of traffic.
    • Benefits:
      • Tracks traffic patterns and potential issues.
      • Monitors backend server performance.
      • Assists in troubleshooting and maintaining system health.
4
Q

Description

IDS / IPS

A
  • IDS (Intrusion Detection System):
    • A system designed to monitor network or system activity for suspicious behavior or known threats.
    • It alerts administrators of potential security incidents but does not take direct action to stop them.
      • Placed out-of-band to monitor mirrored traffic from network devices (e.g., via SPAN ports).
      • Ideal for monitoring without disrupting traffic.
  • IPS (Intrusion Prevention System):
    • Similar to IDS but actively prevents or blocks detected threats.
    • It intercepts malicious traffic in real-time, acting as a security barrier.
      • Placed in-line, directly inspecting and controlling traffic flow.
      • Positioned between the firewall and internal network for real-time protection.
5
Q

What are the key differences between IDS and IPS?

IDS / IPS

A
  • Action:
    • IDS: Detects and alerts.
    • IPS: Detects and blocks.
  • Placement in Network:
    • IDS: Monitors traffic passively (out-of-band).
    • IPS: Actively inspects and modifies traffic (in-line).
  • Impact on Traffic:
    • IDS: Does not affect traffic flow.
    • IPS: May introduce latency due to in-line processing.
  • Use Case:
    • IDS: Forensic analysis and monitoring.
    • IPS: Real-time threat prevention.
6
Q

How does an Intrusion Detection System (IDS) work?

IDS / IPS

A
  • Traffic Monitoring: Observes network or host activity.
  • Signature-Based Detection: Compares traffic patterns against a database of known threat signatures.
  • Anomaly-Based Detection: Identifies deviations from normal behavior to detect unknown threats.
  • Alerting: Generates alerts for suspicious activity, allowing security teams to investigate further.
7
Q

How does an Intrusion Prevention System (IPS) work?

IDS / IPS

A
  • Traffic Analysis: Analyzes incoming traffic in real-time.
  • Threat Detection: Uses the same methods as IDS (signature- and anomaly-based).
  • Threat Prevention: Takes proactive actions, such as:
    • Dropping malicious packets.
    • Blocking IP addresses or connections.
    • Modifying traffic to neutralize threats.
8
Q

What detection methods are used in IDS and IPS?

IDS / IPS

A
  • Signature-Based Detection:
    • Matches patterns against a database of known attack signatures.
    • Pros: Accurate for known threats.
    • Cons: Ineffective against zero-day attacks.
  • Anomaly-Based Detection:
    • Detects deviations from established baselines of normal behavior.
    • Pros: Identifies unknown threats.
    • Cons: High false positive rates.
  • Behavior-Based Detection:
    • Tracks user or system behavior to identify suspicious activity.
    • Pros: Adapts to dynamic environments.
    • Cons: May require extensive training data.
9
Q

What is Endpoint Detection and Response (EDR)?

EDR/XDR

A

Endpoint Detection and Response (EDR) is a cybersecurity solution focused on monitoring, detecting, and responding to threats on individual devices or endpoints.

It collects and analyzes endpoint data in real time to identify suspicious activity and enables quick response to mitigate potential risks.

10
Q

What are the key features of EDR?

EDR/XDR

A
  • Continuous Monitoring: Collects real-time data from endpoints.
  • Threat Detection: Uses behavior analysis and machine learning to identify malicious activity.
  • Incident Response: Automates responses such as isolating infected endpoints.
  • Data Forensics: Provides detailed insights into the timeline and scope of attacks.
  • Integration: Works alongside other security tools like antivirus and firewalls.
11
Q

What is Extended Detection and Response (XDR)?

EDR/XDR

A

Extended Detection and Response (XDR) is a security solution that integrates and correlates data from multiple security layers (e.g., endpoints, network, servers, cloud) to provide a unified view of threats.

It expands beyond EDR by covering a broader range of attack vectors and streamlining threat detection and response.

12
Q

What are the key features of XDR?

EDR/XDR

A
  • Unified Threat Detection: Correlates data across endpoints, network, and cloud.
  • Advanced Analytics: Uses AI and machine learning for deeper threat insights.
  • Centralized Dashboard: Offers a single pane of glass for managing and analyzing threats.
  • Automated Response: Streamlines incident response across multiple layers of the environment.
  • Improved Visibility: Provides a holistic view of the security posture.
13
Q

What are the differences between EDR and XDR?

EDR/XDR

A
  • Scope:
    • EDR: Focuses on individual endpoints.
    • XDR: Covers endpoints, network, cloud, and more.
  • Data Correlation:
    • EDR: Limited to endpoint data.
    • XDR: Correlates data across multiple layers for deeper insights.
  • Threat Detection:
    • EDR: Endpoint-specific detection and response.
    • XDR: Detects threats across the entire environment.
  • Visibility:
    • EDR: Narrow, endpoint-focused visibility.
    • XDR: Broad, integrated visibility across all security domains.
  • Use Case:
    • EDR: Best for endpoint-centric organizations.
    • XDR: Ideal for organizations seeking holistic threat detection and response.
14
Q

What is TCP (Transmission Control Protocol)?
What are common use cases for TCP?

TCP/UDP

A

TCP is a connection-oriented protocol that ensures reliable communication between devices over a network. It uses a handshake mechanism to establish a connection and guarantees data delivery in the correct order.

Key Features:

  1. Reliable communication.
  2. Error checking and correction.
  3. Ensures data arrives in sequence.
  4. Slower due to overhead from connection setup and error checking.

Use Cases:
- Web Browsing: HTTP/HTTPS relies on TCP for reliable page loading.
- File Transfers: Protocols like FTP use TCP to ensure files arrive intact.
- Email: SMTP, IMAP, and POP3 use TCP for reliable message delivery.
- Remote Access: SSH and Telnet depend on TCP for secure and ordered communication.

15
Q

What is UDP (User Datagram Protocol)?
What are common use cases for UDP?

TCP/UDP

A

UDP is a connectionless protocol that allows fast communication without guaranteeing reliability or delivery order. It sends data as independent packets (datagrams) without establishing a connection.

Key Features:

  • Faster but less reliable.
  • No error correction.
  • No guarantee of delivery order.
  • Useful for real-time applications like streaming.

Use Cases:
- Streaming: Video (e.g., YouTube, Netflix) and audio (e.g., Spotify) streaming.
- Gaming: Multiplayer games use UDP for real-time responsiveness.
- VoIP: Applications like Skype or Zoom prioritize speed over reliability.
- DNS Queries: DNS uses UDP for quick resolution of domain names to IP addresses.
- Broadcasting: Sending data to multiple devices (e.g., live video feeds).

16
Q

What are the differences between TCP and UDP?

TCP/UDP

A
17
Q

What is a Firewall?

FIREWALLS

A

A firewall is a network security device or software that monitors and controls incoming and outgoing traffic based on predefined security rules.

Its primary purpose is to establish a barrier between a trusted internal network and untrusted external networks, such as the internet, to protect against unauthorized access and cyber threats.

18
Q

What are the types of firewalls?

FIREWALLS

A
  • Packet-Filtering Firewall:
    • Examines packets based on source/destination IP, ports, and protocols.
    • Operates at the network layer (OSI Layer 3).
    • Fast but limited in functionality (no deep inspection).
  • Stateful Inspection Firewall:
    • Tracks the state of active connections.
    • Operates at the transport layer (OSI Layer 4).
    • More secure than packet filtering but resource-intensive.
  • Application-Layer Firewall (Proxy Firewall):
    • Filters traffic at the application layer (OSI Layer 7).
    • Can inspect data within the traffic (e.g., HTTP requests).
    • Slower but offers advanced security features.
  • Next-Generation Firewall (NGFW):
    • Combines traditional firewall functions with advanced capabilities like deep packet inspection, intrusion prevention, and application awareness.
    • Operates across multiple OSI layers.
  • Cloud-Based Firewall (Firewall as a Service):
    • Hosted in the cloud to secure cloud-based infrastructures.
    • Scalable and flexible for remote workforces and cloud environments.
19
Q

What are the primary functions of a firewall?

FIREWALLS

A
  1. Traffic Monitoring and Control: Firewalls analyze network traffic in real time, allowing or blocking packets based on predefined rules.
  2. VPN Support: Secures remote connections through Virtual Private Networks.
  3. Perimeter Security: They act as the first line of defense between internal and external networks, preventing unauthorized access.
  4. Threat Defense: Firewalls protect against attacks such as DoS/DDoS, intrusion attempts, and malware.
  5. Policy Management: They allow the configuration of detailed security policies, such as access restrictions based on IP addresses, ports, or specific applications.
  6. Logging and Auditing: Firewalls generate detailed logs of activities, useful for audits and forensic analysis in case of security incidents.
  7. Adaptability: Modern firewalls use advanced techniques like deep packet inspection and machine learning to enhance threat detection.
20
Q

What makes a firewall “next-generation”?

FIREWALLS

A
  • Deep Packet Inspection (DPI): Examines the content of packets beyond headers.
  • Application Awareness: Identifies and controls traffic based on the application, not just port or protocol.
  • Intrusion Prevention (IPS): Actively blocks detected threats.
  • Threat Intelligence Integration: Uses real-time data to recognize and block new threats.
  • Encrypted Traffic Inspection: Analyzes encrypted traffic (e.g., SSL/TLS).
21
Q

What is a Domain Generation Algorithm (DGA)?

DOMAIN GENERATION ALGORITHMS (DGA)

A

A Domain Generation Algorithm (DGA) is a technique used by malware to generate a large number of domain names in a pseudo-random or algorithmic manner.

These domains are used to establish communication between the infected device and its Command-and-Control server, helping attackers evade detection and domain blacklisting.

22
Q

Why do attackers use DGAs in malware?

DOMAIN GENERATION ALGORITHMS (DGA)

A
  • Avoid Detection: Generated domains are unpredictable and make it difficult for defenders to preemptively block C2 communication.
  • Resilience: If one domain is blocked or taken down, the malware can switch to another generated domain.
  • Dynamic Infrastructure: Attackers can rotate C2 domains quickly, making it hard for security tools to track.
  • Scale: DGAs can generate thousands of domains daily, overwhelming traditional domain monitoring systems.
23
Q

What are the indicators of DGA-generated domains?

DOMAIN GENERATION ALGORITHMS (DGA)

A
  • Unusual Domain Names: Long, nonsensical, or randomized strings.
    • Example: sdf23tr4d56g.com
  • High Domain Volumes: Large numbers of unique domains queried in a short time.
  • Failed DNS Resolutions: Many queries return NXDOMAIN (non-existent domain) responses.
  • Non-Human Patterns: Queries to domains with no apparent user activity or intent.
24
Q

How can DGA-based threats be mitigated?

DOMAIN GENERATION ALGORITHMS (DGA)

A
  • DNS Traffic Analysis: Monitor DNS queries for signs of DGA activity (e.g., high volumes of failed resolutions).
  • Machine Learning Models: Use AI to detect patterns associated with DGA-generated domains.
  • Sinkholing: Pre-register or block DGA-predicted domains to disrupt malware communication.
  • Threat Intelligence Feeds: Use updated threat feeds to identify known DGA patterns.
  • Endpoint Protection: Deploy security solutions that detect and block malware attempting to use DGAs.
25
Q

What are the challenges in detecting DGA-generated domains?

DOMAIN GENERATION ALGORITHMS (DGA)

A
  • Evasion Techniques: Attackers make domains look legitimate by using wordlists or mimicking real domains.
  • High Volume of Domains: DGAs can generate thousands of domains, overwhelming security systems.
  • Encryption: Malware may encrypt domain generation logic, making reverse-engineering difficult.
  • False Positives: Legitimate domains can sometimes appear random, leading to detection errors.
26
Q

DETECTION & MITIGATION OF DGA

A

🔍 Detection Techniques:

  • DNS Traffic Analysis: Monitor DNS queries for suspicious patterns, such as high-frequency lookups of non-existent domains.
  • Machine Learning: Analyze domain names to identify characteristics typical of DGA-generated domains (e.g., randomness or specific patterns).
  • Threat Intelligence: Compare domains against known DGA lists or IOC databases.

🛡️ Mitigation Strategies:

  • DNS Sinkholing: Redirect suspicious domains to a controlled server to neutralize the threat.
  • Blacklist/Whitelist: Maintain updated lists of malicious domains to block them.
  • Proactive Threat Hunting: Use network monitoring tools to identify and disrupt malware communication.
27
Q

What is SSH (Secure Shell)?

SSH

A

SSH (Secure Shell) is a cryptographic network protocol used to securely access and manage remote devices over an unsecured network.

It provides authentication, encryption, and data integrity, allowing users to execute commands, transfer files, and manage servers securely.

28
Q

What are the key features of SSH?

SSH

A
  • Authentication:
    • Uses a combination of public-key cryptography and password-based authentication.
    • Public-key authentication is preferred for its enhanced security compared to passwords.
    • Can integrate certificate-based or two-factor authentication for additional security.
  • Encryption:
    • Encrypts all data exchanged between the SSH client and server to ensure confidentiality.
    • Protects sensitive information like login credentials, file contents, and commands from interception.
  • Port Forwarding (Tunneling):
    • Allows secure tunnels to be created between a local machine and a remote server.
    • Enables users to access remote services (e.g., databases or web servers) as if they were local.
    • Enhances security and privacy by encrypting forwarded traffic.
  • Protocols:
    • SSH-2: The modern and more secure protocol version, widely adopted.
    • SSH-1: Older version with known vulnerabilities, no longer recommended for use.
29
Q

SSH VS TELNET

SSH

A
30
Q

What is Active Directory (AD)?

ACTIVE DIRECTORY

A

Active Directory (AD) is a directory service developed by Microsoft that manages and organizes resources such as users, computers, groups, and services in a Windows domain network.

It provides centralized authentication, authorization, and directory services.

31
Q

What are the advantages of using Active Directory?

ACTIVE DIRECTORY

A
  • Centralized Administration: Simplifies management of users, devices, and resources.
  • Scalability: Supports large-scale enterprise networks with multiple domains and forests.
  • Improved Security: Offers features like SSO, Group Policy, and encryption for secure access.
  • Automation: Automates repetitive tasks such as user account provisioning and updates.
32
Q

What are key use cases for Active Directory security monitoring?

ACTIVE DIRECTORY

A
  • Account Management and User Activity:
    • Monitoring Changes: Tracks user account creations, modifications, and deletions.
    • Logon/Logoff Events: Identifies unusual login patterns.
    • Unauthorized Access: Detects failed login attempts or suspicious access.
  • Privileged User Monitoring:
    • Privileged Activities: Monitors actions of administrators to detect suspicious behavior.
    • Privilege Escalation: Alerts on changes to group memberships or privilege escalation.
  • Authentication Anomalies:
    • Abnormal Patterns: Detects unusual login times or multiple failed login attempts.
    • Brute-Force Attacks: Identifies repeated unauthorized login attempts.
  • Account Lockout and Password Management:
    • Lockout Monitoring: Tracks repeated account lockouts to identify threats or credential issues.
    • Password Activity: Monitors password changes and resets for signs of malicious intent.
  • Group Policy Changes:
    • Policy Monitoring: Tracks changes to Group Policies.
    • Unauthorized Modifications: Detects changes to security settings or configurations.
  • Directory Service Changes:
    • Schema Tracking: Monitors changes to objects or attributes in the directory.
    • Suspicious Modifications: Detects changes that could indicate security incidents.
  • Failed Authentication and Brute-Force Detection:
    • Failed Login Analysis: Identifies patterns of failed authentication attempts.
    • Thresholds and Alerts: Sets alerts for multiple failed attempts to mitigate brute-force attacks.
  • Account Exploitation and Lateral Movement:
    • Exploitation Indicators: Tracks abnormal access patterns and privilege escalation.
    • Lateral Movement: Monitors network traffic to detect unauthorized movement.
  • Group Membership Changes:
    • Sensitive Groups: Tracks changes to critical groups (e.g., Domain Admins).
    • Unauthorized Modifications: Detects unauthorized additions or removals.
  • Security Policy Violations:
    • Policy Monitoring: Identifies violations of organizational security policies.
    • Response: Alerts on breaches of predefined policies.
33
Q

What is SSL/TLS Encryption?

SSL/TLS

A

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that provide encryption, authentication, and data integrity for communications over networks.

TLS is the successor to SSL and is more secure and widely used.

These protocols ensure secure transmission of sensitive information, such as passwords, credit card details, and other private data, between a client and a server.

34
Q

What are common uses of SSL/TLS encryption?

SSL/TLS

A
  • HTTPS (Secure Web Browsing): Encrypts traffic between a web browser and a web server.
  • Email Security: Secures communication for SMTP, IMAP, and POP3 protocols.
  • File Transfers: Ensures secure file transfers over FTPS and SFTP.
  • VPNs: Protects data transmitted over virtual private networks.
  • VoIP: Secures voice communication over the internet.
35
Q

What are Indicators of Compromise (IOCs)?

INDICATORS OF COMPROMISE (IOCs)

A

Indicators of Compromise (IOCs) are pieces of forensic data or artifacts that indicate a potential security breach, malicious activity, or compromise within a system or network.

These artifacts are used by cybersecurity professionals to detect, investigate, and respond to threats.

36
Q

What are the main types of IOCs?

INDICATORS OF COMPROMISE (IOCs)

A
  • Network-Based IOCs:
    • Suspicious IP addresses.
    • Domain names associated with malware (e.g., via DGAs).
    • Unusual DNS requests or high outbound traffic.
  • Host-Based IOCs:
    • Suspicious files or executables (e.g., malware payloads).
    • Unexpected processes or services running on a host.
    • Modified or unauthorized registry keys (Windows).
  • Email-Based IOCs:
    • Phishing emails with malicious links or attachments.
    • Spoofed sender addresses.
    • Abnormal email behaviors (e.g., bulk outbound emails).
  • Behavioral IOCs:
    • Abnormal login attempts or times (e.g., authentication anomalies).
    • Privilege escalation attempts.
    • Lateral movement across the network.
37
Q

What are some examples of IOCs?

INDICATORS OF COMPROMISE (IOCs)

A
  • File Hashes: MD5, SHA-1, or SHA-256 hash values of malicious files.
  • IP Addresses: Known malicious or blacklisted IPs.
  • Domain Names: Domains associated with C2 servers or phishing attacks.
  • URLs: Links to malicious websites or payloads.
  • Email Artifacts: Suspicious headers, subject lines, or attachments.
  • Registry Keys: Changes to Windows registry indicating malware persistence.
  • Process Anomalies: Unexpected processes or excessive resource usage.
38
Q

How Are IOCs Used?

INDICATORS OF COMPROMISE (IOCs)

A
  • Threat Detection:
    • Identify malicious activity by matching IOCs against logs and network traffic.
  • Incident Response:
    • Investigate security incidents by correlating IOCs with system data.
  • Threat Intelligence Sharing:
    • Share IOCs with organizations and communities to proactively detect threats.
  • Hunting and Monitoring:
    • Use IOCs in threat hunting to uncover hidden or dormant threats.
  • Blocking and Prevention:
    • Add IOCs to security tools like firewalls, IDS/IPS, and endpoint protection for proactive blocking.
39
Q

What is the Pyramid of Pain?

INDICATORS OF COMPROMISE (IOCs)

A

The Pyramid of Pain is a framework to describe the impact of disrupting an adversary’s operations based on the type of Indicators of Compromise (IOCs) detected and mitigated.

The higher you go on the pyramid, the more impactful it is to the attacker, but the harder it is to implement.

  • Hash Values (Bottom):
    • Definition: Unique signatures (e.g., MD5, SHA-256) for malicious files.
    • Disruption to Attacker: Low (easily bypassed by changing files).
  • IP Addresses:
    • Definition: Known malicious or C2 server IPs.
    • Disruption to Attacker: Low to Medium (IPs can be rotated).
  • Domain Names:
    • Definition: Domains used for malicious communication (e.g., phishing, C2).
    • Disruption to Attacker: Medium (more effort to register new domains).
  • Network/Host Artifacts:
    • Definition: Specific patterns in traffic, registry keys, or file paths.
    • Disruption to Attacker: Medium to High (requires reconfiguration).
  • Tools:
    • Definition: Software or frameworks used by attackers (e.g., Cobalt Strike, Mimikatz).
    • Disruption to Attacker: High (forces attackers to adapt their toolset).
  • TTPs (Top - Tactics, Techniques, and Procedures):
    • Definition: The overall strategies and methods attackers use.
    • Disruption to Attacker: Very High (requires attackers to rethink their approach).
40
Q

How are IOCs prioritized based on their danger level and criticality?

INDICATORS OF COMPROMISE (IOCs)

A

1. Very High Danger (Critical - Immediate Action Needed):

  • Privilege Escalation:
    • Example: New administrator accounts or unauthorized changes to privileges.
    • Reason: Indicates an attacker attempting to gain full control of systems.
  • Lateral Movement:
    • Example: Unusual RDP, SMB, or PowerShell usage.
    • Reason: Signals that attackers are moving through the network to access critical systems.
  • C2 Communication (Command-and-Control):
    • Example: Persistent connections to suspicious IPs/domains.
    • Reason: Indicates malware is receiving instructions or exfiltrating data.
  • Behavioral Anomalies:
    • Example: Abnormal login times or locations (e.g., login from another country).
    • Reason: Strong indication of account compromise or insider threat.

2. High Danger (High Priority - Requires Fast Response):

  • Host-Based Artifacts:
    • Example: Suspicious registry changes, unknown processes, or unusual file paths.
    • Reason: Suggests malware installation or persistence.
  • Abnormal File Activity:
    • Example: Unexpected encryption of files (potential ransomware).
    • Reason: Indicates active malware affecting business-critical data.
  • Network Anomalies:
    • Example: High outbound traffic to unknown IPs or domains.
    • Reason: Suggests data exfiltration or botnet communication.
  • Failed Login Attempts:
    • Example: Multiple failed logins for privileged accounts.
    • Reason: Indicates brute-force attempts or credential stuffing.

3. Medium Danger (Moderate Priority - Monitor Closely):

  • Domain Indicators:
    • Example: Newly registered or obscure domains in DNS traffic.
    • Reason: Could be malicious, especially if linked to DGAs.
  • Email IOCs:
    • Example: Phishing attempts with suspicious links or attachments.
    • Reason: Potential entry point for attackers but not an immediate compromise.
  • Unusual Software/Tool Activity:
    • Example: Execution of tools like Mimikatz or other known attacker frameworks.
    • Reason: Indicates potential attacker reconnaissance or privilege harvesting.

4. Low Danger (Monitor for Trends - Low Immediate Risk):

  • Hash Values:
    • Example: Known malicious file signatures (e.g., MD5, SHA-256).
    • Reason: Easy to detect but often outdated as attackers modify files.
  • Known Malicious IPs:
    • Example: Connections to previously blacklisted IPs.
    • Reason: Useful but attackers often rotate IPs frequently.
  • Port Scanning Indicators:
    • Example: Frequent probing of open ports on internal or external systems.
    • Reason: Suggests early-stage reconnaissance but not an immediate threat.
41
Q

What is a Port in Networking?

PORTS & PROTOCOLS

A

A port is a virtual endpoint in a device used to identify specific processes or services for communication in a network.

Ports allow multiple applications to share the same network connection by assigning unique numbers to each service.

42
Q

What is port forwarding?

PORTS & PROTOCOLS

A

Port forwarding redirects traffic from one port or IP address to another, enabling external devices to access internal network services.

Example:
Forwarding external traffic on port 8080 to an internal server running on port 80.

43
Q

What is SMTP and its key ports?

PORTS & PROTOCOLS

A
  • Description: SMTP is used for sending emails between mail servers and from clients to servers. It handles outgoing email delivery and supports relaying. However, encryption is not native to basic SMTP.
  • Unsecure Port: 25
  • Secure Ports: 465 (SMTP over SSL) and 587 (SMTP with STARTTLS).
  • Cybersecurity Implications: Unsecured SMTP can be exploited for spam or email interception. Secure versions protect data in transit and authenticate email senders.
44
Q

What is POP3 and its key ports?

PORTS & PROTOCOLS

A
  • Description: POP3 retrieves emails from mail servers, typically removing them from the server after downloading. It’s simple but lacks encryption by default.
  • Unsecure Port: 110
  • Secure Port: 995 (POP3S with SSL/TLS).
  • Cybersecurity Implications: Without encryption, attackers can intercept login credentials. Using POP3S encrypts communication and ensures privacy.
45
Q

What is IMAP and its key ports?

PORTS & PROTOCOLS

A
  • Description: IMAP allows access to emails on a server without removing them, making it ideal for multi-device synchronization. Default IMAP is not encrypted.
  • Unsecure Port: 143
  • Secure Port: 993 (IMAPS with SSL/TLS).
  • Cybersecurity Implications: IMAPS encrypts traffic, preventing credential theft and eavesdropping during email management.
46
Q

What is LDAP and its key ports?

PORTS & PROTOCOLS

A
  • Description: LDAP is used to query and modify directory services, such as Active Directory. It provides authentication and directory management.
  • Insecure Port: 389
  • Secure Port: 636 (LDAPS over SSL/TLS).
  • Cybersecurity Implications: Secure LDAP prevents eavesdropping on authentication data and unauthorized directory access.

47
Q

What is RDP and its key port?

PORTS & PROTOCOLS

A
  • Description: RDP enables remote access to a computer’s desktop and resources. It is widely used for remote work and server administration.
  • Port: 3389
  • Cybersecurity Implications: RDP is often targeted by brute-force attacks. It should be secured using VPNs, strong passwords, and multi-factor authentication.

48
Q

What is SMB and its key ports?

PORTS & PROTOCOLS

A
  • Description: SMB facilitates file and resource sharing over a network. Commonly used in Windows environments.
  • Ports: 139 (NetBIOS over TCP/IP) and 445 (Direct SMB).
  • Cybersecurity Implications: Unsecured SMB exposes systems to exploits such as EternalBlue. Use a modern SMB version (SMBv3) to reduce the risk.

49
Q

What is DNS and its key port?

PORTS & PROTOCOLS

A
  • Description: DNS resolves domain names into IP addresses, enabling user-friendly internet navigation.
  • Port: 53
  • Cybersecurity Implications: DNS is vulnerable to attacks like spoofing, tunneling, and amplification. Validate DNS responses with DNSSEC and monitor for anomalies.

50
Q

What are HTTP and HTTPS, and their ports?

PORTS & PROTOCOLS

A
  • Description: HTTP transmits data over the web without encryption, while HTTPS secures data using SSL/TLS.
  • Ports: HTTP: 80, HTTPS: 443.
  • Cybersecurity Implications: HTTPS ensures data confidentiality and integrity, protecting against MITM attacks and eavesdropping.

51
Q

What are FTP, FTPS, and SFTP, and their ports?

PORTS & PROTOCOLS

A
  • Description: FTP is used for transferring files but lacks encryption. FTPS adds encryption with SSL/TLS, and SFTP uses SSH for secure file transfers.
  • Ports:
    • FTP: 20, 21
    • FTPS: 21 (Secure)
    • SFTP: 22 (Secure over SSH).
  • Cybersecurity Implications: FTP is vulnerable to eavesdropping. FTPS and SFTP protect file transfers with encryption.

52
Q

What is Kerberos and its key port?

PORTS & PROTOCOLS

A
  • Description: Kerberos is an authentication protocol that uses tickets to securely verify user identities in a network. Commonly used in Active Directory environments.
  • Port: 88
  • Cybersecurity Implications: Kerberos provides strong authentication, but its tickets can be targeted by ticket-based attacks, so monitoring of authentication activity is essential.

53
Q

What is SNMP and its key ports?

PORTS & PROTOCOLS

A
  • Description: SNMP monitors and manages network devices like routers and switches.
  • Ports: 161 (Requests), 162 (Traps).
  • Cybersecurity Implications: Misconfigured SNMP can expose sensitive device information. Use SNMPv3 with encryption to mitigate risks.

54
Q

What is DHCP and its key ports?

PORTS & PROTOCOLS

A
  • Description: DHCP automatically assigns IP addresses and other network configurations to devices on a network.
  • Ports: 67 (Server), 68 (Client).
  • Cybersecurity Implications: DHCP is susceptible to spoofing and rogue servers. Implement DHCP snooping to enhance security.

55
Q

What is OWASP and its purpose?

OWASP

A

OWASP (Open Web Application Security Project) is a non-profit organization focused on improving software security.

It provides tools, resources, and guidelines to help developers, security professionals, and organizations identify, prevent, and mitigate vulnerabilities in web applications.

56
Q

What is the OWASP Top 10?

OWASP

A

The OWASP Top 10 is a regularly updated list of the most critical security risks to web applications. It serves as a guideline for understanding and mitigating common vulnerabilities.

57
Q

What are examples of OWASP Top 10 vulnerabilities?

OWASP

A
  • Broken Access Control: Improper restrictions on user permissions.
  • Cryptographic Failures: Weak or misused encryption methods.
  • Injection: Exploiting improper handling of untrusted input (e.g., SQL injection).
  • Insecure Design: Poorly planned security in application architecture.
  • Security Misconfiguration: Misconfigured servers, databases, or APIs.

58
Q

What tools and resources does OWASP provide?

OWASP

A
  • OWASP ZAP (Zed Attack Proxy): A tool for testing web application vulnerabilities.
  • Dependency-Check: Scans libraries for known vulnerabilities.
  • Cheat Sheets: Quick security guidelines for developers.
  • Application Security Verification Standard (ASVS): A framework for testing and verifying web application security.

59
Q

What is antivirus software, and what does it do?

ANTIVIRUS

A

Antivirus software is a security application designed to detect, prevent, and remove malicious software (malware) such as viruses, trojans, worms, ransomware, and spyware.

It monitors system activity, scans files and programs, and uses signature-based and heuristic methods to identify threats.

60
Q

What are the primary functions of antivirus software?

ANTIVIRUS

A
  • Malware Detection and Removal: Identifies and eliminates malicious files.
  • Real-Time Protection: Continuously monitors system activity to block threats.
  • Behavioral Analysis: Detects unusual behavior patterns indicative of unknown malware.
  • Signature Updates: Regularly updates its database to recognize the latest threats.
  • Quarantine: Isolates suspicious files to prevent further damage.

61
Q

What detection methods do antivirus programs use?

ANTIVIRUS

A
  • Signature-Based Detection: Matches files against a database of known malware signatures.
    • Pros: Effective for known threats.
    • Cons: Ineffective against new, unknown malware.
  • Heuristic Analysis: Analyzes code behavior to identify new or modified malware.
    • Pros: Detects zero-day threats.
    • Cons: Can produce false positives.
  • Behavioral Analysis: Monitors program behavior to detect malicious activity.
    • Pros: Real-time detection of sophisticated threats.