Test 1 Flashcards

1
Q

What are the four use cases for the MITRE ATT&CK Framework?

A

Threat intelligence

Detection and analysis

Adversary emulation and red teaming

Assessment and engineering

2
Q

How many levels of maturity are associated with each use case of the MITRE ATT&CK Framework?

If you worked for a small- to medium-sized business, which of the maturity levels of the MITRE ATT&CK Framework would you most likely implement, and why?

A

3 levels of maturity.

For a small- to medium-sized business you should consider levels 1 to 2.

3
Q

What is the ATT&CK Navigator?

A

It helps do annotation and navigation for different attack techniques.

4
Q

Tools such as Sysmon, Windows Event Logs and EDR platforms can be used to perform what type of defensive actions?

A

Process command line, file, and registry monitoring.

5
Q

What is Adversary Emulation? How does it differ from a Purple Team engagement?

A

Trying to evade your created analytics by executing the types of attacks and evasions that we know adversaries use in the real world.

Purple Teaming involves a back and forth between the red team and the developers to update the analytic and find different ways to stay safe from a certain attack.

6
Q

What is the Atomic Red Team project?

A

An open source project that provides red team content aligned with ATT&CK that can be used to test analytics.

7
Q

What is the Pyramid of Pain?

A

The Pyramid of Pain defines levels of indicators, each escalating in difficulty for adversaries to alter

8
Q

What are the six levels of the Pyramid of Pain? Which is the most difficult to defend against?

A

TTPs
Tools
Network/Host Artifacts
Domain names
IP address
Hash Values
The most difficult to detect and protect against are TTPs.

9
Q

What pentest requires you to act like an insider?

A

Internal penetration test

10
Q

What is an external pentest?

A

Simulates an attack via the internet.

11
Q

What is a white hat hacker?

A

An individual who uses hacking skills to identify security vulnerabilities in hardware, software or networks, and does so within the law.

12
Q

What is a black hat hacker?

A

A black hat is a computer hacker who violates laws or ethical standards for nefarious purposes, such as cybercrime, cyberwarfare, or malice.

13
Q

What is a grey hat hacker?

A

A computer hacker who may sometimes violate laws or typical ethical standards, but usually does not have the malicious intent typical of a black hat hacker.

14
Q

What is a red team?

A

Ethical hackers who are authorized by an organization to emulate real attackers’ tactics, techniques and procedures (TTPs) against that organization’s own systems.

15
Q

What is a blue team?

A

The group responsible for defending an enterprise’s use of information systems by maintaining its security posture against a group of mock attackers (i.e., the Red Team).

16
Q

What is a purple team?

A

An org is attacked and defended multiple times, strengthening the org’s defense with each round.

17
Q

What is Netcraft and what do they offer?

A

Netcraft is a company that logs the uptime of websites and makes queries about the underlying software, e.g. when a website was first seen, how it was registered, and what OS and server it is running.

18
Q

What is Whois?

A

Gives information about a website such as the owner, registrar, and the address of the registrar and registrant.

19
Q

What is nslookup?

A

Provides IPs and addresses; can also be used to search for mail servers.

20
Q

What is theHarvester?

A

theHarvester searches Google and Bing to find email addresses.

21
Q

What are the phases of the CompTIA penetration testing process?

A

Planning and Scoping (asking the client about the rules of engagement, e.g. subnets and systems in scope)

Information Gathering (once the engagement is started, what relevant info can be gathered about the target organization to make them easier to attack)

Vulnerability Identification (what services are running on open ports, and can we take advantage of them)

Attacking and Exploiting (how access can be gained using the vulnerabilities discovered)

Reporting and Communicating results (showing the client gaps in their security and helping them understand what is wrong and how to correct it)

22
Q

What is a vulnerability assessment?

A

Gathers data from public resources and various tools to identify open ports and identify potential vulnerabilities that can be exploited.

23
Q

What is a risk assessment?

A

An assessment of an organization’s ability to protect its information and information systems from cyber threats.

24
Q

What are the phases of the Attacker Methodology?

A

Reconnaissance

Scanning and Enumeration

Exploitation & Gaining Access

Maintaining Access & Covering Tracks

25
Q

What is OSINT?

A

Open Source Intelligence, used to gather as much relevant information as possible about a target organization.

Typically uses free resources but can include searches of Deep Web and Dark Web content.

Used during the Reconnaissance phase of the attacker methodology.

26
Q

What is CherryTree?

A

An application used to organize screenshots taken while exploiting machines.

27
Q

What is being looked for during Reconnaissance?

A

Domain Names
Subnets, IPs
Email Addresses
Physical Locations
Employee Names
Social media accounts

28
Q

What is google dorking?

A

Involves using operators in the Google search engine to locate specific sections of text on websites that are evidence of vulnerabilities or findings of interest.

29
Q

What is nmap and what are some common switches?

A

Nmap is an application used for port scanning.

SYN Scan -sS

UDP scan -sU

Output results -o

Service Scan -sV

Script Scan -sC

TCP Scan -sT

No ping -Pn

30
Q

What are the phases of ATT&CK?

A

PRE-ATT&CK consists of Recon and Weaponize

ATT&CK for Enterprise consists of
Deliver
Exploit
Control
Execute
Maintain

31
Q

What are tactics in terms of ATT&CK?

A

Details the approach by a specific threat actor at each phase of an attack.

32
Q

What are the 12 tactics of ATT&CK?

A

Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Exfiltration
Command & Control
Impact

33
Q

What are techniques?

A
34
Q

John is conducting a pen test; during it he finds a number of credentials for the institution on a data breach website and tries to log in with them. What is this called?

A

Credential stuffing

35
Q

Burp Suite is the most commonly used tool to conduct what specific type of pen testing?

A

Web application testing

36
Q

What is DNSlytics?

A

DNSlytics is used to access main components of OSINT analysis including WHOIS records, along with ASN (autonomous system number), IP subnets and domain enumeration.

Can perform Reverse IP Lookup.

37
Q

What is DNSdumpster?

A

Used to enumerate hosts, subdomains and ASNs associated with a domain.

38
Q

What is Shodan?

A

Can be used to search across the Internet for systems, open ports and vulnerabilities based on search terms.

39
Q

What is builtwith.com?

A

Enumerates the different components used to build a specific website.

40
Q

What is bgp.he.net?

A

Enumeration based on Autonomous System Numbers (ASNs) used in BGP routing.

41
Q

What is netcraft.com?

A

Used to view a profile of particular sites.

42
Q

What is SpiderFoot?

A

Written by Steve Micallef (@binarypool), SpiderFoot takes an automated “shotgun” approach to gathering as much OSINT information as possible about a target.

43
Q

What is Recon-ng?

A

Written by Tim Tomes (@lanmaster53), recon-ng works as a framework to assist with the OSINT gathering process in a “scalpel” fashion (vs. SpiderFoot’s “shotgun” approach).

44
Q

What is STIX (Structured Threat Information Expression)?

A

Designed as a structured language to be used for effectively sharing cyber security intelligence data related to a threat, focused on sharing “high fidelity” information.

45
Q

What is Cyber Threat Intelligence?

A

Provides context to data from a cyber security perspective, based primarily on Indicators of Compromise (IOCs) for detection of malicious activity.

46
Q

What is a grey box pentest?

A

The tester has access to the knowledge of a user, perhaps with elevated privileges. Allows testing of security inside the hardened perimeter and simulates an attacker with longer-term access to the network.

47
Q

What is a black box pentest?

A

The pentester is acting as if they are a true black hat hacker. Testers aren’t given any data that is not publicly available.

48
Q

What is a crystal box pentest?

A

Also called a white box pentest, testers are given full access to the source code, architecture, and even documentation of a system. They sift through that data and determine any potential points of weakness in the system.

49
Q

What is a reverse shell attack?

A

When an app is vulnerable to a remote code execution vulnerability, a threat actor can execute commands on the target’s machine by opening a shell session.

50
Q

What is a buffer overflow attack?

A

Abusing the bounds of a programming language to input your own code onto a program or website.

51
Q

What is cross-site scripting?

A

Also called an XSS attack: an attacker injects client-side scripts into web pages that are viewed by others. When another user visits the page, the script is activated.

52
Q

What is a lateral movement attack?

A

A threat actor gains access to a device and then uses a shell to issue commands. The machine is compromised, reconnaissance is performed, and then the threat actor gets what they came for.

53
Q

What are privilege escalation attacks?

A

A threat actor gains access to an employee’s account, bypasses authorization channels and is granted access to data.

Vertical is when an attacker gains access directly to an account with the intent to perform actions as that person.
Horizontal gains access to an account and then elevates their privileges.

54
Q

What is a SQL injection attack?

A

An attacker sends malicious code to an SQL server; the server then reveals information that shouldn’t be seen.

55
Q

What is DNS tunneling?

A

Abuses the DNS protocol to tunnel malware and other data via a client-server model.