week 4 content Flashcards

1
Q

___ team - A group authorized and organized to emulate a potential adversary's attack or exploitation against an organization's network

A

red team

2
Q

___ team - The group responsible for defending an organization's security posture against all adversaries, internal or external

A

blue team

3
Q

___ team - A collaborative cybersecurity group that brings together red and blue teams to test and improve security posture

A

purple team

4
Q

___-_ - an individual or a group that performs malicious acts against cyber resources, generally for monetary gain or disruption of service

A

adversary

5
Q

___ - Tactics, techniques and procedures. A tactic is the highest-level description of the behavior, while a technique gives a more detailed description of the behavior in the context of a tactic. Procedures are the lowest level: highly detailed descriptions in the context of a technique

A

TTP

6
Q

____ ____ - A globally accessible knowledge base framework of adversary tactics and techniques based on real-world observations.

A

MITRE ATT&CK

7
Q

____ - Living Off the Land Binaries are non-malicious binaries, native to the operating system, that are abused to camouflage malicious activity

A

LOLBINS

8
Q

_____ - Common Vulnerabilities and Exposures is a database of publicly disclosed information security code flaws

A

CVE

9
Q

____ ____ - use a single password or a small list of commonly used passwords against many different accounts to gain credential access

A

password spraying

10
Q

____ ___ - use of credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap

A

credential stuffing

11
Q

Threat actors place a high priority on targeting _____ in their attacks

A

networks

12
Q

Attacks that target a network or a process that relies on a network include:
* ______ attacks
* ______ attacks
* _____ attacks
* _____ attacks
* _____ attacks

A

Interception attacks
Layer 2 attacks
DNS
Distributed denial of service attacks
Malicious coding and scripting attacks

13
Q

Interception attacks

In an ____, a threat actor is positioned in a communication between two parties
* The goal is to eavesdrop on the conversation or impersonate one of the parties
- it has two phases:
- ____ the traffic
- ____ the transmissions

A ___ attack makes a copy of a legitimate transmission before sending it to the recipient

Threat actors use several techniques for stealing an active session ID:
___ attacks: (hijacked and altered communication between two users)
____ attacks: (cross-site scripting, Trojans, and malicious JavaScript coding)

A _____ attack intercepts communication between parties to steal or manipulate the data
* It occurs between a browser and the underlying computer

It usually begins with a ___ infecting the computer and installing an "extension" into the browser configuration

A

MITM (man in the middle)
intercept the traffic
decrypt the transmissions

replay attack

network attacks
endpoint attacks

MITB (man in the browser)

trojan

14
Q

Advantages of a MITB attack:

difficult to ___
remains ___
resides in the web browser, hard to ___

A

recognize
dormant
detect

15
Q

Layer 2 attacks

Layer 2, the Data Link Layer, is responsible for dividing the data into packets. A compromise here can affect the entire communication

____ ____ - Relies upon MAC spoofing, which is imitating another computer by means of changing the MAC address

media access control attacks

MAC ____ attack - threat actors discover a valid MAC address of a device connected to a switch, spoof that MAC address, and the switch changes its MAC address table to map the MAC address to the port to which the attacker's device is connected

A MAC _____ attack is another attack based on spoofing, MAC cloning, and the MAC address table of a switch. A threat actor overflows the switch with Ethernet packets that have been spoofed so that every packet contains a different source MAC address

A

ARP poisoning

MAC cloning attack

MAC flooding attack

16
Q

___ is a hierarchical name system for matching computer names and IP addresses

A

DNS (domain name system)

17
Q

DNS attacks
_____ a DNS address so that the computer is silently redirected to a different device

  • A successful DNS attack has two consequences:
    URL _____
    domain _____

DNS _____: modifies a local lookup table on a device to point to a different domain

DNS ____: is intended to infect an external DNS server with IP addresses that point to malicious sites

A

substitutes

URL redirection
domain reputation

DNS poisoning
DNS hijacking

18
Q

Two locations for DNS poisoning
* _____ ___ table
* ______ ____ server

A

Two locations for DNS poisoning
* Local host table
* External DNS server

19
Q

DNS hijacking

has the advantage of ____ all users accessing the server

Attackers attempt to exploit a ____ ___ and convince the authentic DNS server to accept fraudulent DNS entries sent from the attackers' DNS server

A

redirecting

protocol flaw

20
Q

Distributed Denial of Service Attack (DDoS)
is a deliberate attempt to prevent authorized users from accessing a system by _____ it with requests

users are aware that their systems are part of a DDoS attack (T/F)

A

overwhelming
F

21
Q

Malicious Coding and Scripting Attacks
uses:
___
___ ___ (VBA)
___
__/___ ___

A

PowerShell
Visual Basic
Python
Linux/Unix bash

22
Q

Malicious Coding and Scripting Attacks
Visual Basic for Applications

is an ___-___ Microsoft programming language

used to create ___

Microsoft implemented several protections
- ___ view
- trusted ___
- trusted ____

A

event driven
macros

protected view
trusted documents
trusted location

23
Q

In which type of attack is the threat actor positioned between two parties and alters the
transmission to eavesdrop or impersonate one of the parties?
a. MITB
b. MAC cloning
c. MITM
d. Session replay

A

Answer: c. MITM
In a man-in-the-middle (MITM) attack, a threat actor is positioned between two parties
with the goal of eavesdropping or impersonating a party. In an MITM attack, the
transmission is altered whereas in a session replay attack, a copy is made of a
legitimate transmission for the purpose of replaying it later.

24
Q

Packet Capture and Replay Tools

  • ____ is a popular GUI packet capture and analysis tool
  • ____ is a command-line packet analyzer
  • ____ is a tool for editing packets and then "replaying" the packets back onto the network to observe their behavior

It can detect unusual behavior that could:
- indicate the presence of ____
- search for unusual ____ or ___ __ ___
- discover regular ____ to a threat actor's command and control (C&C) server

A

Wireshark
Tcpdump
Tcpreplay

malware
unusual domains
IP address endpoints
connections

25
Q

Which of the following is a GUI tool that is used to capture and analyze packets?
a. Tcpdump
b. PowerShell
c. Tcpreplay
d. Wireshark

A

Answer: d. Wireshark
Wireshark is a GUI packet capture and analysis tool. Tcpdump is a command-line packet analyzer, Tcpreplay is used to edit and replay packets, and PowerShell is a scripting tool.

26
Q

Physical Security Controls

Physical security involves preventing a threat actor from ___ ___ the network

Physical security controls include:
* ____ ___ defenses
* ___ ___ ___ controls
* ___ ___ security

A

physically accessing

External perimeter
Internal physical security
Computer hardware

27
Q

External Perimeter Defenses

___ ____ is an attempt to make the physical presence of a building as nondescript as possible
* When it's not possible, external perimeter defenses must be used

barriers: act as passive security devices

____ is usually a permanent structure to keep unauthorized personnel out. It is usually accompanied by signage that explains the area is restricted

  • A ____ is generally designed to block the passage of traffic but not designed to keep out individuals
  • A ____ is a short but sturdy vertical post that is used as a vehicular traffic barricade to prevent a car from ramming into a secured area

____ - human security guards, drones, robot sentries

___ - To supplement the work of security guards, sensors can be placed in strategic locations to alert guards by generating an audible alarm of an unexpected or unusual action

A

Industrial camouflage

Fencing
barricade
bollard
personnel
Sensors

28
Q

Internal Physical Security Controls
includes:
____ - require a key or other device
types:
___ ____: uses buttons
___ ___: uses phone
___ ___: scans for

A

locks
electronic locks
smart locks
fingerprint locks

29
Q

Internal Physical Security Controls
Secure areas

A ____ ___ in cybersecurity is an area that separates threat actors from defenders

A _____ is designed as an air gap to separate a nonsecure area from a secured area; it monitors and controls two interlocking doors to a vestibule

A

demilitarized zone (DMZ)

mantrap

30
Q

Internal Physical Security Controls
protected cable distribution (PDS)

is a system of ___ ___ used to protect classified information that is being transmitted between two secure areas

two types of PDS:
* In a ____ carrier PDS, the data cables are installed in a conduit constructed of special electrical metallic tubing and all connections between segments are permanently sealed with welds or special sealants

* In an _____ carrier PDS, the carrier system is deployed with specialized optical fibers in the conduit that can sense acoustic vibrations that occur when an intruder attempts to gain access to cables

A

cable conduits

hardened carrier
alarmed carrier

31
Q

Internal Physical Security Controls
Computer Hardware Security

is the physical security that involves protecting endpoint hardware

A ___ ___ can be inserted into the security slot of a portable device to secure the device

For storage, a laptop can be placed in a ___/___

Computer systems, printers, and similar electronic devices emit ____ fields, which can result in interference

____ ___ can be defined as picking up electromagnetic fields and reading the data that is producing them

A ___ ___ is a metallic enclosure that prevents entry or escape of an electromagnetic field. A Faraday cage can prevent electromagnetic spying and remote wiping of electronic devices

A

cable lock
safe/vault

electromagnetic fields

Electromagnetic spying
Faraday cage
