314 Cards in this Set
- Front
- Back
- 3rd side (hint)
What is represented as the outermost ring of defense-in-depth.
|
Security Policy
|
Though this particular “ring” illustration is purely notional, this outer-ring choice is valid given that it (i.e., the blank above) effectively “drives” the what and how of the other “rings” of defense.
|
|
What explains why IDSs are important within the DoD?
|
IDSes alert you to anomalies that can indicate malicious activity.
|
|
|
What is the term often used to describe the most “amateurish” of black hat hackers?
|
Script-kiddies
|
|
|
Which of the attacker categories is generally characterized as motivated by ideological motives?
|
Hacktivist
|
|
|
During which phase of a (cyber) attack is the goal to determine potential vulnerabilities of the target system(s)?
|
enumeration
|
|
|
Which of these does not belong in this list?
a. Cross Site Scripting b. Pass the hash c. Buffer Overflow d. SQL Injection e. Format String |
Pass the hash
|
|
|
“Pivoting” is mentioned here. What is meant by “pivoting” in this context?
|
Pivoting: an attacker scans a network, compromises a host, launches a port scan from the compromised host, and attacks other network hosts (the attacker pivots from a compromised host).
|
(e.g. technique during the Post-Exploitation phase).
|
|
What attacks are push-based, and have been largely mitigated via savvy use of perimeter defenses including firewalls?
|
Server-side
|
|
|
What attacks are pull-based, and thus are poorly mitigated by firewalls?
|
Client-side
|
|
|
What URL resource was mentioned for guidance regarding the hardening (“lock down”) of clients and servers?
|
http://iase.disa.mil/stigs
|
|
|
What else (besides STIGs) are the configuration standards for DOD IA and IA-enabled devices/systems?
|
DOD Security Technical Implementation Guides and NSA guides
|
|
|
What STIG compliance reporting automation protocol was mentioned on this STIG’s page?
|
NIST Security Content Automation Protocol (SCAP)
|
four letter acronym and what it stands for
|
|
Is the following a client-side or server-side attack: Attacks vulnerable listening services directly.
|
Server Side
|
|
|
Is the following a client-side or server-side attack: Tricks the user into accessing malicious data or content.
|
Client Side
|
|
|
Is the following a client-side or server-side attack: Are more easily mitigated by firewall and patch management.
|
Server Side
|
|
|
Is the following a client-side or server-side attack: Attacks user-driven applications on a system.
|
Client Side
|
|
|
Which OSI layer would be responsible for “lip sync” (i.e., synchronization) problems with streaming media?
|
Layer 5 Session
|
|
|
In which OSI layer (according to the video) would we find the services of application-layer encryption provided?
|
Layer 6 Presentation
|
|
|
If you needed to communicate, but could only choose to have the functionality of one layer; which would you choose?
|
Physical layer
|
|
|
Which model comprises fewer protocol layers?
|
TCP/IP model
|
|
|
Which model comprises a presentation layer that provides data formatting functions?
|
OSI model
|
|
|
Which model comprises an internet layer that encapsulates data into packets or datagrams, fragmenting and reassembling as needed?
|
TCP/IP model
|
|
|
Which model comprises an application layer that is not responsible for data exchanges of extended time periods (e.g., video streams)?
|
OSI model
|
|
|
Which model comprises a physical layer that sends the electrical, light, or radio signals across the network(s)?
|
OSI model
|
|
|
Which IPv6 field serves the same purpose as IPv4’s TTL field?
|
Hop limit
|
|
|
Which IPv6 field serves the same purpose as IPv4’s TOS field?
|
Traffic Class
|
|
|
Which IPv6 field serves the same purpose as IPv4’s Protocol field?
|
Next Header
|
|
|
Which IPv6 field serves the same purpose as IPv4’s IHL field?
|
Header size is fixed.
|
|
|
Which IPv6 field could be employed to support connection-oriented layer-3 service over a packet-switched network?
|
Flow Label
|
|
|
Which IPv6 field serves the same purpose as IPv4’s Fragment Offset field?
|
Only source nodes perform fragmentation, not routers
|
|
|
What is the most widely deployed Internet Protocol (IP) version?
|
IPv4
|
|
|
What IP version contains 128 bits of address data, representing more than 3.4 x 10^38 possible addresses?
|
IPv6
|
|
|
What IP version has a simplified packet header?
|
IPv6
|
|
|
What IP version has packet fragment information included in the header?
|
IPv4
|
|
|
What IP version's address space will be exhausted in the near future?
|
IPv4
|
|
|
What connectionless protocol is used for fast transmissions that are tolerant of some packet loss?
|
UDP
|
|
|
What simple protocol is designed to carry data across networks?
|
IP
|
|
|
What protocol provides slower but more reliable transmissions?
|
TCP
|
|
|
What protocol is a helper for IP?
|
ICMP
|
|
|
Which RFC covers the three blocks of private IP space, and which IETF organization established this (reserved) IP space?
|
RFC1918 and IANA
|
|
|
What provides service-to-service communications and interacts directly with user applications and programs?
|
Application Layer
|
|
|
What is the ephemeral port range used for?
|
random and temporary port allocations
|
|
|
What is the combination of an IP address and a port called?
|
socket
|
|
|
What is often used to translate private IP addresses into a public IP address for homes and offices?
|
NAT
|
|
|
What was the “problem” with version 1 of SSH?
|
It is susceptible to man-in-the-middle attacks.
|
|
|
Why is SSH traffic problematic for intrusion analysts?
|
Attackers can employ SSH tunnels to hide malicious traffic.
|
|
|
Why is SMTP a prime candidate for attackers to pivot from?
|
Highly susceptible to denial of service (DoS) attacks, spammers use SMTP for unsolicited mass mailings, can reveal server and/or mail accounts using SMTP commands, and prime candidate for pivoting.
|
its lack of (organic) authentication or access-control
|
|
DNS cache poisoning is an attack on (C) (I) or (A)?
|
All three. When DNS cache is poisoned, incorrect information is provided to client machines.
|
|
|
What are the three commands (mentioned in this tutorial) that can be used to manipulate a Web server, client, or back-end resources?
|
GET, PUT, and POST
|
|
|
What port is used for file-sharing support for UDP (connectionless)?
|
138
|
|
|
What port is used for file-sharing support for TCP (connection-oriented)?
|
139
|
|
|
What port is used for name registration and resolution?
|
137
|
|
|
According to what was presented what is true regarding two common mail “download/access” programs?
|
POP deletes after download.
|
|
|
What protocol and port does SMB run over?
|
TCP and 445
|
|
|
What does SMB replace as a protocol in post-WinNT systems, and is another example of a file transfer protocol?
|
NetBIOS
|
|
|
Which protocol mentioned on this slide is commonly used “…as C2 networks for botnets” ?
|
IRC-Internet Relay Chat
|
|
|
What is the functionality of FTP/TFTP?
|
file exchange services
|
|
|
What is the functionality of SSH/telnet?
|
remote log on capability
|
|
|
What is the functionality of HTTP/DNS?
|
WWW message format definition and transmission/IP address to domain name translation
|
|
|
What is the functionality of NetBIOS/SMB/AD?
|
Windows-based services
|
|
|
What is the functionality of RPC/EPM?
|
Remote code execution, and assigning and tracking client service port numbers
|
|
|
What is the functionality of SMTP/POP/IMAP?
|
Server-to-server message transmission/email services
|
|
|
What is the meaning of “nick” when seen in the context of an IRC chat session?
|
nickname
|
|
|
Which IDS type, Host or Network, is better “positioned” to provide the highest quality of security alerting on a per-server basis?
|
Host
|
|
|
What is not considered one of the three IDS “methods”?
a. Protocol-based b. Anomaly-based c. Signature-based d. Vector-based |
Vector-based
|
|
|
What type of IDS does not scale well to large networks?
|
Anomaly-based
|
|
|
What type of IDS does not exist?
|
Vector-based
|
|
|
What type of IDS is not good at detecting a new threat/intrusion?
|
Signature-based
|
|
|
What type of IDS works via direct “string matching”?
|
Signature-based
|
|
|
What type of IDS is totally made up by Mr. Fulp?
|
Vector-based
|
|
|
What type of IDS would be better if all adhered to very specific standards?
|
Protocol-based
|
|
|
What type of IDS would most likely detect a bandwidth type DoS attack?
|
Anomaly-based
|
|
|
What type of IDS is an independent device that analyzes network traffic for malicious activity?
|
NIDS
|
|
|
What type of IDS is a software agent installed on an individual server or workstation?
|
HIDS
|
|
|
What type of IDS gains access to network traffic through a hub, switch, or network tap?
|
NIDS
|
|
|
What type of IDS has a vantage point that allows you to see widespread intrusions?
|
NIDS
|
|
|
What IDS operating method detects whether current traffic is outside of the normal baseline parameters?
|
Anomaly-based IDS
|
|
|
What is the most widely known/used open source NIDS?
|
SNORT
|
|
|
What event describes when a malicious event occurs but the IDS does not “alert” on it?
|
False negative: a malicious event occurs, but the IDS is silent
|
|
|
What makes the “best” target for an attacker to set up a pivot point?
|
A public-facing server in the private network
|
By “best”, I mean most likely accessible to the attacker, and most likely to be capable of reaching other systems that the attacker would like to exploit/own.
|
|
How many firewalls is a classic DMZ constructed with?
|
Two
|
|
|
How many firewalls is a service-leg DMZ constructed with?
|
One
|
|
|
What is a classic DMZ also known as?
|
firewall sandwich
|
|
|
What is a service-leg DMZ also known as?
|
3-legged firewall
|
|
|
What is the true goal of a DMZ?
|
contain a compromise from spreading to the rest of the network
|
|
|
What do DMZs house?
|
public-facing, Internet-exposed servers
|
|
|
What can happen if public facing services are not put in a DMZ?
|
an attacker can more easily use a pivot attack to compromise multiple hosts on a network
|
|
|
What class of IP space (A, B, C, D, or E) is used for multicast traffic?
|
D
|
|
|
What duplex mode do hubs work in and are they a better choice than switches for an attachment point for monitoring traffic with an IDS?
|
half-duplex and no
|
|
|
What is a switch port configured for “promiscuous” operation called by Cisco?
|
SPAN - Switched Port Analyzer port
|
|
|
What is a switch port configured for “promiscuous” operation called by HP?
|
mirror port
|
|
|
What does a port-aggregator tap allow an IDS to do?
|
tap more than one traffic stream
|
|
|
Assume the following: You employ a service-leg type DMZ, both your DMZ and trusted (private) network systems are somewhat vulnerable, you have only one IDS to deploy. Where is the best location to place the IDS?
|
On the organization’s external (Internet-facing) interface
|
|
|
Assume the following: You employ a service-leg type DMZ, your DMZ systems are highly hardened (patched & STIG’ed), your trusted (private) network systems are somewhat vulnerable, you have only one IDS to deploy. Where is the best location to place the IDS?
|
In the trusted (private) network
|
|
|
Assume the following: You employ a classic type DMZ, both your DMZ and trusted (private) network systems are somewhat vulnerable, you have only one IDS to deploy. Where is the best location to place the IDS?
|
In the DMZ
|
|
|
What operates in full duplex and allows the IDS to see traffic that passes through it, without interruption?
|
a TAP
|
|
|
What is a very popular/common tool to scan a network to create a “map” of it, and to determine which OSs and applications are running on the various systems connected to it? Also, what is a well-known GUI “front-end” for this tool?
|
Network scanner such as NMAP; results can be viewed through a GUI called Zenmap
|
|
|
Do most IDSes have a concept of trusted and untrusted networks?
|
yes
|
|
|
Does tuning your IDS sensors increase the processing load?
|
no
|
|
|
Is it important to get permission to perform an active network scan?
|
yes
|
|
|
Is it important to tune the IDS to recognize any device running as a web server?
|
yes
|
|
|
What layer of the stack (TCP/IP or OSI) is responsible for fragmentation and defragmentation?
|
3
|
|
|
What is fragmentation based upon?
|
MTU
|
|
|
What indicates a “middle” fragment?
|
More Fragments (MF) = 1, Fragment Offset (FO) != 0
|
|
|
What kind of IDS is most likely to be “foiled” by a malicious payload fragmentation attack?
|
Signature-based
|
|
|
What is “GET etc/shadow” an example of in terms of IDS detection characteristics?
|
Eluding an IDS
|
|
|
Under which circumstances could an attacker elude* an IDS when attacking a server?
a. Both IDS and server follow the First Rule (wrt overlapping frag-reassembly) b. Both IDS and server follow the Last Rule (wrt overlapping frag-reassembly) c. Either a or b. d. Neither a nor b. |
Neither a nor b.
|
Elude, as used here, means that even though the IDS may indeed obtain and “see” traffic, it does not—for whatever reason (there are many that can be employed)—process the traffic correctly. “Correctly” will in almost all circumstances mean, not the same way that the target machine does.
|
|
Assume the IDS follows the First Rule, and the target follows the Last Rule. What would result in the attacker successfully “attacking” the server while eluding the IDS?
|
Send GET /etc/shine with frag-offset 0, then send adow with frag-offset 11
|
|
|
Can some IDSes be configured to emulate the reassembly method (First or Last) used by various target systems (OS-dependent)?
|
Yes
|
|
|
Linux systems use the ( First / Last ) rule; while Windows systems use the ( First / Last ) rule.
|
Last and First
|
|
|
Does fragmentation occur at the Network layer of the OSI model of interoperability?
|
Yes
|
|
|
Can attackers manipulate fragment offsets to overlap fragments?
|
Yes
|
|
|
Are fragmentation attacks rare, because it is hard to force fragmentation?
|
No
|
|
|
Does Snort's Frag3 preprocessor let you customize reassembly policies for individual IP addresses and operating systems?
|
Yes
|
|
|
Must a NIDS perform packet reassembly to avoid fragmentation blindness?
|
Yes
|
|
|
What layer is segmentation done at?
|
4
|
|
|
What layer is fragmentation done at?
|
3
|
|
|
What is segmentation set/driven by?
|
MSS (Maximum Segment Size)
|
|
|
What is fragmentation set/driven by?
|
MTU (Maximum Transmission Unit)
|
|
|
If you knew the path MTU for most/all traffic… what could you do as a server sys-admin to reduce the amount of fragmentation occurring on the Internet with your server’s traffic?
|
Set the MSS (3 letters) to force segmentation so that MSS + TCP_header + IP_header remains less than the MTU (3 letters).
|
|
|
What does it mean if a given IDS is said to be incapable of detecting attacks if the attacks are split across fragments?
|
It means that that IDS does not re-build fragments before checking for attack signatures.
|
|
|
What does it mean if a given IDS is said to be incapable of detecting attacks if the attacks are split across segments?
|
It does a signature search on individual segments vice rebuilding segments before checking for signatures.
|
|
|
Would a lot of very small segments going to a system (single or many) be a legitimate “signature” or “behavior” to take notice of? Why?
|
Abnormal segmentation due to segment size: it is not normal to get many packets for data that could have fit in one segment. Attackers use small segments to evade detection.
|
|
|
Which facts related to segmentation pose the greatest risk of attacks?
|
TCP does not set a minimum segment size. A NIDS automatically performs segment reassembly.
|
|
|
What would be the logical way to operationally combine CLI sniffers with GUI sniffers?
|
Use CLI-based to pre-filter/-select traffic of interest, then use GUI-based for more detailed analysis.
|
|
|
Do all of the three CLI-based protocol analyzers mentioned have equal analysis capabilities?
|
No
|
|
|
Can SNORT be used as a sniffer, a logger, or a NIDS?
|
Yes
|
|
|
What detection method does SNORT use when run in NIDS mode?
|
It can be configured for signature, anomaly, or protocol based detection
|
|
|
What does LIBPCAP stand for?
|
Promiscuous Capture Library
|
|
|
What does GUID stand for?
|
Globally Unique Identifier
|
|
|
What command line tool was highlighted here, that allows for searching through packet data information for ASCII-printable characters?
|
Strings
|
|
|
What was the Windows go-to site given to find this tool for running on a Windows machine?
|
Microsoft’s Sysinternals website
|
|
|
Under the protocol heading of the Packet List Pane, why do you sometimes see the OSI layer 7 protocol (e.g., FTP), and at other times see the layer 4 protocol (e.g., TCP)?
|
Wireshark will display the Highest layer protocol that it recognizes.
|
|
|
What filter rule would display TCP traffic from a client?
|
tcp and ip.src == x.x.x.x
|
|
|
How would you preclude seeing any traffic to or from 1.2.3.4?
|
! (ip.addr == 1.2.3.4) —OR— ip.addr != 1.2.3.4
|
|
|
What does the Follow TCP Stream option do?
|
Extracts all payload exchanged in a socket-pair and displays it all together for easy viewing.
|
|
|
If you’re an analyst who’s been alerted about a potential bot-infected machine on your network, and that bot’s C2 is suspected to be via the IRC protocol, what would be the best way of investigating?
|
Use the find packet feature to search for the string “JOIN”
|
|
|
When analyzing header fields what layers should you particularly pay attention to?
|
3 and 4
|
|
|
What should you pay attention to when looking at payloads in conjunction with protocols?
|
Encrypted Content for protocols that don't normally do this
|
|
|
What was mentioned when analyzing data payloads as an indicator that not only was exploit traffic sent to a target system, but that the exploit was successful?
|
Unique bytes that indicate an exploit from that target.
|
|
|
What term of the trade is used to indicate certain “strings” that serve as likely indicators of malicious activity?
|
Dirty Words
|
|
|
Which statement is made about client-side attacks?
|
Server-side attacks get most of the security attention.
|
|
|
Which statements are true (choose two)?
a. Server-side attacks are generally pushed in. b. Server-side attacks are generally pulled in. c. Client-side attacks are generally pushed in. d. Client-side attacks are generally pulled in. |
Server-side attacks are generally pushed in.
Client-side attacks are generally pulled in. |
|
|
How do attackers exploit two-way traffic flow?
|
injecting malware in responses to outbound traffic
|
|
|
What is an attack surface?
|
Entry point[s] into a system, network, or application that an adversary can leverage to cause harm.
|
|
|
How is OS and application attack (target) surface area largely mitigated?
|
patching
|
|
|
How difficult is it to support patch coverage owing to the complex interaction among OSes, applications, and supporting plug-ins (give in percentage 0-100)?
|
100%
|
|
|
What are the two primary client-side attack vectors?
|
Emailing or Hosting malicious content
|
|
|
Ideally for the attacker; he/she would like to be able to ...
|
directly deliver a malicious .exe as an email attachment
|
|
|
If the ideal is not possible, an attacker may employ VBA in order to ...
|
“embed” malicious (executable) code in non .exe files
|
|
|
If unable to directly send/embed malicious code, an attacker might try to …
|
exploit a file format vulnerability in a non-malicious application
|
|
|
What is meant by a “drive-by download”?
|
No need to click a link or install a program
|
|
|
Which of these was not mentioned as a way attackers craft attacks to evade detection?
a. Whitelisting capabilities b. Using encrypted channels c. Employing out-of-band channels. d. Hiding in plain sight. |
Employing out-of-band channels.
|
|
|
What is the meaning of polymorphic malware?
|
Malicious software that constantly changes its signature without modifying its intended purpose, which makes it difficult for anti-malware programs to detect
|
|
|
What do attackers like to employ to avoid most detection security controls that are looking for attacks coming from outside the network?
|
pivoting
|
|
|
Does the botnet problem appear to be in decline owing to wider deployment of modern security controls?
|
No
|
|
|
Can botnet attacks also exist for smartphones?
|
Yes
|
|
|
Are there commercial tools available to create botnets?
|
Yes
|
|
|
Is a botnet typically a two-tier architecture, with a bot herder directly controlling an army of zombies?
|
No
|
|
|
Is bot activity restricted to DoS-style attacks?
|
No
|
|
|
What is the term for the malicious tools package pulled into a recently bot-infected machine?
|
Stage 2 executable
|
|
|
What two techniques were mentioned that may be employed by the Bot architects to obscure stage 2 executables from IDS/IDP systems?
|
Compressing Strings and using encryption algorithms
|
|
|
What are the two “classic” strings found in payload that may serve as good candidate “dirty word” searches for the Wireshark’s Strings search tool?
|
Kernel.DLL and LoadLibrary API
|
one is a DLL the other an API
|
|
What do DLL and API stand for?
|
Dynamic Link Library and Application Programming Interface
|
|
|
What problem does finding KERNEL32.DLL and references to one or more APIs present?
|
false positive
|
|
|
Why is it difficult to detect botnet network traffic?
|
Malicious, packed, and sometimes encrypted botnet code passes unfiltered through the firewall to the zombie computer on an internally initiated connection.
|
|
|
In a nut-shell, this (Part 3) IDS training is focused on ...
|
Present a structured approach to analysis methodology
|
|
|
In a nut-shell, analysis is…
|
Making sense of data.
|
|
|
What are the three types of event characterizations?
|
Explained, false-positive, and anomalous.
|
|
|
What is presented in regard to (attacker) attribution?
|
This is in the purview of a fusion analyst or LEO, but may be quite difficult to do.
|
|
|
What DoD document specifies the requirements of a CND analyst?
|
DoD Information Assurance Workforce Improvement Program
|
|
|
What is the responsibility of the CND analyst?
|
Correlate information and trends, Propose methods of responding to the threat, Recognize when a system has been compromised, Determine methods used in the event, Characterize the incident
|
|
|
In Phase 2 of the Analysis Methodology, what step follows the Incident Response step?
|
Remediation
|
|
|
What is the (alternative) forensic term for key indicators?
|
Dirty words
|
|
|
Of the 6 data types discussed, which (according to this presentation) is the most common for the intrusion analyst?
|
alert data
|
|
|
What two important considerations (i.e. potential problem issue or difficulty) were brought up with regard to Log Data?
|
Time zone of the logs & Access to logs based on storage location of those logs
|
|
|
Of the 6 data types discussed, which was characterized as a “gold mine” of information for the analyst?
|
Packet data
|
|
|
Which specific product was mentioned in the discussion of the packet data type?
|
Wireshark
|
|
|
Of the 6 data types discussed, which is essentially “socket-pair”-level data?
|
Session/Flow Data
|
|
|
What does correlation bring to multiple data sources?
|
order
|
|
|
What does correlation rely on?
|
dirty word lists
|
|
|
What is perhaps the best—single—statement regarding the efficacy/utility of developing a timeline (chronology) relationship?
|
it reveals a cause-effect relationship
|
|
|
Which among the 5W+H is more likely to be based upon inference?
|
why
|
|
|
What two major “aspects” of the How of the 5W+H should be investigated for the purpose of developing the intrusion/incident narrative?
|
Exploitation & vulnerability
|
Risk = (Threats * Vulnerabilities * Impact) / Security_Controls
|
|
What does the acronym RAT stand for in this context?
|
remote access tool
|
|
|
Which type of post-exploitation was specifically mentioned as a “specific concern within DoD”?
|
Data exfiltration
|
|
|
What are four major considerations for determining "root cause" of a vulnerability?
|
Social Engineering, Unpatched System, Misconfigured security device, and User violation of policy
|
|
|
Generally, the analyst should…
|
Present as many plausible hypothetical scenarios as analysis of the data supports.
|
|
|
Generally, incident reporting should be done…
|
At any time throughout the incident handling process (as the “narrative” evolves).
|
|
|
Which Report type provides information that may enhance STIG development?
|
Technical Report
|
|
|
Which Joint Chiefs manual includes procedural information regarding CND Incident Handling, including reporting procedures?
|
Enclosure C, CJCSM 6510.01A
|
|
|
What data type gets info about network connections and fills gaps left by alert data?
|
session/flow data
|
|
|
What data type will show trends or abnormal spikes in activity?
|
statistical data
|
|
|
What data type can be used to review records of systems, users, and network activities?
|
log data
|
|
|
What data type is typically the initial focus of CND analysis?
|
alert data
|
|
|
What data type provides the most comprehensive info about incidents?
|
packet data
|
|
|
What data type provides info about overall security posture of the system/network and helps predict susceptibilities to exploitation?
|
asset/vulnerability data
|
|
|
What approach to intrusion analysis tells the story of the incident?
|
develop narratives
|
|
|
What approach to intrusion analysis fills gaps in the data
|
analyze & correlate data
|
|
|
What approach to intrusion analysis helps to show cause and effect?
|
develop timelines
|
|
|
What approach to intrusion analysis gathers data?
|
none
|
|
|
What approach to intrusion analysis uses the "dirty word" list?
|
analyze & correlate data
|
|
|
What approach to intrusion analysis asks: "How else can you explain this incident?"
|
develop hypotheses
|
|
|
What approach to intrusion analysis reveals trends and unusual activity?
|
develop timelines
|
|
|
What NIDS rule syntax is used as a “least common denominator” for most other NIDS/NIPS?
|
Snort
|
|
|
What are the two composite parts of a NIDS rule?
|
Header and options
|
|
|
What is the 7-tuple—in left-to-right order—used for a Snort rule header?
|
Action, protocol, source ip, source port, direction, destination ip, destination port
|
|
|
What are the 3 most common Snort IDS actions?
|
Alert, log, and pass
|
|
|
Write a Snort rule that would alert on any tcp traffic coming from 1.2.3.4 or 1.2.3.20 on any port, going to any well-known port, of any system in the 5.6.0.0 /16 network.
|
alert tcp [1.2.3.4,1.2.3.20] any -> 5.6.0.0/16 1:1023
|
|
|
What is the correct “direction” operator to use if you want your Snort rule to be applied to defined source and destination traffic in both directions?
|
<>
|
|
|
Which Windows OSs are dual-stacked (i.e., support both IPv4 and IPv6)?
|
All Windows OS versions since Windows Vista
|
|
|
What is the Snort rule options syntax?
|
(keyword1:option1; keyword2:option2; keyword[n]:option[n];)
|
|
|
What are the 5 primary Snort keywords for rule options?
|
msg, content, sid, rev, classtype
|
|
|
Write version 1 of a Snort log rule (no SID) that would send the message “Likely Reverse DNS query” if any udp traffic goes to port 53 of your DNS server (1.2.3.4) and has the hex string 0900 somewhere in its “payload”.
|
alert udp any any -> 1.2.3.4 53 (msg:"Likely Reverse DNS query"; content:"|09 00|"; rev:1;)
|
|
|
Is Message a component of the header or option portion of a Snort rule?
|
Option
|
|
|
Is SnortID(SID) a component of the header or option portion of a Snort rule?
|
Option
|
|
|
Is Source Port a component of the header or option portion of a Snort rule?
|
Header
|
|
|
Is Classtype a component of the header or option portion of a Snort rule?
|
Option
|
|
|
Is Revision ID a component of the header or option portion of a Snort rule?
|
Option
|
|
|
Is Action a component of the header or option portion of a Snort rule?
|
Header
|
|
|
Is Direction a component of the header or option portion of a Snort rule?
|
Header
|
|
|
Is Content a component of the header or option portion of a Snort rule?
|
Option
|
|
|
What can the Snort keyword option "flow" be used for?
|
“to_server” is one acceptable option, Used only with TCP traffic, Indicates which traffic to analyze
|
|
|
Assume you’re looking for the dirty-word “DIRTY”, in upper case, to appear somewhere in the first 20 bytes of the packet payload AND the word “business”, in any case, to appear somewhere within the next 30 bytes following the appearance of “DIRTY”. Write a Snort rule.
|
(content:"DIRTY"; depth:20; content:"business"; within:30; nocase;)
|
|
|
Assume you need to find a C2 bot that is delivering commands via any ICMP traffic and that infected machines respond within 5 minutes sending DoS attack traffic. Write a Snort rule that includes a tag option.
|
alert icmp $EXTERNAL_NET any -> $HOME_NET any (tag:host,300,seconds,dst;)
|
|
|
When you use the tag option, what type of file does it automatically create?
|
PCAP
|
|
|
What tag modifier defines the unit used to determine the amount of data to log, including seconds, packets, and bytes?
|
metric
|
|
|
What tag modifier determines how long the logging is to occur?
|
count
|
|
|
What tag modifier defines what will be logged when the rule is triggered, includes session or host?
|
type
|
|
|
What tag modifier defines directional flow of traffic to log and can only be used with host type?
|
direction
|
|
|
Botnets are grown in what type of iteration?
|
segment
|
|
|
What type of ports are bot-to-C2 communications typically on?
|
standard/typical
|
|
|
What are the three particular items that were recommended as deserving special attention regarding data exfiltration?
|
Physical data exfiltration, encrypted data exfiltration, compressed data exfiltration
|
|
|
In which phase of a worm/bot outbreak would a NIDS be least likely to detect the activity?
|
Initial infection
|
|
|
Write a Snort rule that would display the alert message “Attempt to run WIN32/64 executable remotely”. It should search for dirty-word content that would indicate either of the failure signatures for WIN32 or WIN64 going to any external port from any internal port.
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Attempt to run WIN32/64 executable remotely"; content:"MZ"; offset:0; depth:2; content:"This program must be run under WIN"; within:120; nocase; tag:session,50,packets; sid:10000004; rev:2;)
|
|
|
What does TTP stand for?
|
Tactics, Techniques, and Procedures
|
|
|
What does C/S/A stand for?
|
Command/Service/Agency
|
|
|
In the CNS Framework, which tier level provides support at the base, post, camp, or station?
|
Tier Three
|
|
|
What are the 3 primary CND services?
|
Protect, Detect, and Respond
|
|
|
According to this description of CND services, how often is the subscriber supposed to provide an updated network topology diagram?
|
Semi-annually
|
|
|
What does IAVA stand for?
|
Information Assurance Vulnerability Alert
|
|
|
Which CND Tiers support Red Teaming?
|
Supported by Tiers 2 and 3
|
|
|
What does COA stand for?
|
Course of Action
|
|
|
What CND tier includes local control centers that manage information systems at DoD installations?
|
Tier 3
|
|
|
What CND tier operates at the component level?
|
Tier 2
|
|
|
What CND tier includes USSTRATCOM?
|
Tier 1
|
|
|
What CND tier provides CND operational direction or support at the enclave level to DoD bases, posts, camps, and stations?
|
Tier 3
|
|
|
What CND tier includes agency and field activity CNDSPs?
|
Tier 2
|
|
|
What is the objective of Incident Analysis?
|
systematically capture the methods used in the attack and the security controls that could prevent future occurrences
|
|
|
What does Incident Analysis try to understand?
|
patterns of activity [in order to] characterize the threat and direct protective and defensive strategies
|
|
|
What does incident analysis try to identify?
|
root causes of incidents through technical analysis
|
|
|
What actions can be taken with incident analysis?
|
research actions that can be taken to respond to and eradicate the risk and/or threat
|
|
|
What does incident analysis characterize and communicate?
|
the potential impact of the incident; it also ensures the accuracy and completeness of incident reports
|
|
|
What is the central repository for storing malware and associated analysis?
|
Joint Malware Catalogue (JMC)
|
|
|
Who or what organization maintains the Joint Malware Catalogue (JMC)?
|
USCYBERCOM
|
|
|
What is considered a higher precedence: a user-level intrusion or a denial-of-service incident?
|
User level intrusion
|
|
|
What is the proper incident categorization (#) for a remote C2-controlled bot that gets installed on one of your systems?
|
1—Root Level Intrusion and 2—User Level Intrusion
|
|
|
You discover a user who is using USB drives on systems where this is prohibited by policy. What is the proper event categorization (#) for this?
|
5 - Non-Compliance Activity
|
|
|
Which category of incident or event should you never see in any finalized (i.e. “closed”) report?
|
8 - Investigating (Event)
|
|
|
What is the primary method used to cause [or deliver…] the incident?
|
attack vector
|
|
|
You have detected a SYN flood attack that appears to be originating from a single IP address. What (correct) attack vector category and sub-category (#+ltr) would you report this as?
|
7 - Resource Exhaustion, A - Non-Distributed Network Activity
|
|
|
It appears that an attacker has obtained one of your agency’s employees’ RSA SecurID (OTP) tokens and used it to access a sensitive agency file. What (correct) attack vector category and sub-category (#+ltr) would you report this as?
|
6 - Transitive Trust, B - Masquerading
|
|
|
Should you identify and mitigate the root cause prior to recovering or restoring any system?
|
yes
|
|
|
What are the four "classes" of impact?
|
realized, potential, technical, and operational
|
|
|
What type of effect does a low impact have?
|
Limited
|
|
|
What type of effect does a moderate impact have?
|
Serious
|
|
|
What type of effect does a high impact have?
|
Severe/Catastrophic
|
|
|
The Incident and Reportable Event Categories matrix supports which step of the methodology?
|
Validate the Incident
|
|
|
Further analyzing the incident information to expand on the initial assessment is part of which step?
|
Determine Impact
|
|
|
Systematically recording and categorizing major classes of security controls is part of which step?
|
Determine System Weaknesses
|
|
|
Identifying and collecting all relevant information about the incident for use in your incident analysis is part of which step?
|
Gather Information
|
|
|
Which step expands upon the identified attack vectors and system weaknesses by identifying conditions that allowed the incident to occur?
|
Identify Root Causes
|
|
|
Of the 5 primary types of analysis presented, which is most directly employed to conduct the initial triage on the incident?
|
Volatile Data Analysis
|
|
|
As an incident analyst, you must (should) keep what in mind through all of your analysis efforts?
|
correlation
|
|
|
What 3 locations are considered a location/media for volatile data?
|
Chipset registers, System RAM, and System (L1 or L2) caches
|
|
|
At any point in time, the exact set of values that captures what the machine is doing is referred to as the what of the system/machine?
|
integrity/state
|
|
|
What is the opposite of volatile data?
|
Persistent Data / Non-volatile data
|
|
|
Disk imaging should not only collect/preserve a target disk’s files, including deleted, hidden and swap files; but also accurately capture what two types of space?
|
slack and unallocated
|
|
|
Malware should be investigated in an isolated environment that will protect against accidental further infection. This isolated environment is generally referred to as a what?
|
sandbox
|
|
|
Which level of malware analysis is intended to determine the basic nature and intent of the malware?
|
Surface
|
|
|
Which level of malware analysis provides a high degree of confidence with respect to understanding adversarial intent via direct executable code analysis?
|
Static
|
|
|
Which level of malware analysis provides the most in-depth analysis that can provide a definitive understanding of the malware?
|
Reverse Engineering
|
|
|
Which level of malware analysis entails “black box” level analysis?
|
Behavioral
|
Hopefully you recall the notion of black- vs glass-box analysis of any system
|
|
Which level of malware analysis entails running the malware in a sandbox environment with the goal of developing an initial idea of adversarial intent?
|
Run-time
|
|
|
What 4 things does forensic analysis identify and confirm?
|
compromises, infection vectors, and security violations; it may also generate additional indicators and recommendations for intrusion detection and prevention
|
|
|
What is the main distinction between the two overlapping fields of forensics analysis and “Other types” (e.g., Intrusion/Incident) of analysis?
|
Forensic Analysis is focused on processing and preserving authenticity and integrity of data while other types are focused on gaining a technical understanding.
|
|
|
Which type of analysis gathers and reviews all information from or about the affected system or systems to further incident analysis and better understand the full scope of the incident?
|
System/host analysis
|
|
|
Which type of analysis combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communication devices, and storage devices in a way that is admissible as evidence in a court of law?
|
Forensic analysis
|
|
|
Which type of analysis collects, examines, and interprets network traffic to identify and respond to incidents affecting networked resources?
|
Network analysis
|
|
|
Which type of analysis analyzes and captures the capabilities of software artifacts suspected of being malicious code?
|
Malware/binary analysis
|
|
|
Which type of analysis involves pattern matching, protocol analysis, and statistical anomaly detection?
|
Network/traffic analysis
|
|
|
Which type of analysis involves behavioral analysis, run-time analysis, and reverse engineering?
|
Malware/binary analysis
|
|
|
Which type of analysis involves analysis of volatile and persistent (non-volatile) data?
|
System/host analysis
|
|
|
Which type of analysis involves collection, examination, analysis, and reporting as the primary phases in its analysis process?
|
Forensic analysis
|
|
|
Which type of analysis involves analysis of logs, files, processes and connections?
|
System/host analysis
|
|
|
Which type of analysis must be conducted in isolation?
|
Malware/binary analysis
|
|
|
What type of analysis activity is related to surface analysis?
|
Malware/binary analysis
|
|
|
What type of analysis activity is related to correlation between data types?
|
Network/traffic analysis
|
|
|
What type of analysis activity is related to analysis of open sockets and ports?
|
System/host analysis
|
|
|
What type of analysis activity is related to wire speed network packet capture?
|
Network/traffic analysis
|
|
|
What type of analysis activity is related to reverse engineering?
|
Malware/binary analysis
|
|
|
What type of analysis activity is related to configuration settings?
|
System/host analysis
|
|
|
Which level of malware analysis involves quick checks to characterize the sample?
|
surface analysis
|
|
|
Which level of malware analysis involves controlled execution of the malware sample in an isolated environment to monitor, observe, and record run-time behavior?
|
run-time analysis
|
|
|
Which level of malware analysis involves execution of the malware in a sandbox to observe its interactions with the environment?
|
behavioral analysis
|
|
|
Which level of malware analysis involves examining and interpreting the contents of the malware sample to determine adversarial intent with a high degree of confidence?
|
static analysis
|
|
|
Which level of malware analysis is the most in-depth method of analysis?
|
reverse engineering
|
|
|
Why do you think Snort made the determination of “potentially malicious” regarding the 3rd alert shown (“POLICY Inbound . . . attempt”)?
|
The packet data shows an internal system connecting to an external IP via an HTTP GET request for an LNK file. LNK files are subject to many security vulnerabilities.
|
This is directly addressed in the audio commentary, and has to do with “payload” information (full packet data) and a particular file type. You may be interested in researching the meaning of a .lnk file to better understand this.
|
|
What is it about the top-most Snort alert that would likely have gotten your attention?
|
VNC (Virtual Network Computing) provides remote desktop access, and here the connection comes from an external IP.
|
Do you think remote desktop access is likely something your (professional) C/S/A is going to permit across your network perimeter? Here the alert data is the primary cue.
|
|
What piece of session type data was involved in this example that would likely have raised an analyst’s eyebrow?
|
The source port is 4444, the default listener port for Metasploit payload handlers; Metasploit is an open-source exploitation framework often used by threat actors.
|
|
|
I argue that 2 of the 6 bullets presented have little to do with determining if any other of your other systems are vulnerable. Which two address awareness of the existence of vulnerabilities, vice awareness of whether they exist on any of your systems?
|
(1) Consult IAVAs, IAVBs, and IATAs identified and distributed by DoD-CERT and review latest VAA results; (2) Review latest red team assessments (CNDSP) of potentially affected systems
|
|
|
What does IAVA, IAVB and IATA stand for, and which DoD agency issues them.
|
Information Assurance Vulnerability Alert (IAVA), Information Assurance Vulnerability Bulletin (IAVB), and Information Assurance Technical Advisory (IATA); all three are issued by the DoD Computer Emergency Response Team (DoD-CERT)
|
|
|
Defense-in-depth is discussed here. Which of these firewall rules would prevent this attack (as it was conducted in this incident), and would present an additional layer in your defensive posture?
|
deny tcp any eq 4444 any any
|
Recall the basic ACL syntax: permit/deny sIP sPort dIP dPort, applied to traffic leaving your network.
|
|
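The hint's pseudo-syntax is easy to evaluate by hand for one line, but the defense-in-depth point is clearer when the card's deny line sits inside a complete egress ACL with first-match semantics and the implicit deny that ends every ACL. The following is an added example (not the course's material): a tiny matcher for "permit/deny proto sIP sPort dIP dPort" entries, run against constructed flows. The CIDR address notation, the egress ACL and all flows are assumptions made for illustration.

```python
"""Evaluate ACL entries in the card's pseudo-syntax against flow tuples.

Added example, not the course's own material. It implements the
"permit/deny proto sIP sPort dIP dPort" form from the hint with
first-match semantics and the implicit deny that ends every ACL.
The address notation (any or CIDR), the egress ACL and all flows below
are assumptions/constructed data for illustration.
"""
import ipaddress

# Constructed egress ACL: the card's deny line, followed by the permits a
# web-only egress policy would normally carry.
EGRESS_ACL = """
! applied to traffic leaving the network
deny   tcp any          eq 4444 any any
permit tcp 10.0.0.0/8   any     any eq 80
permit tcp 10.0.0.0/8   any     any eq 443
"""


def _take_addr(tokens):
    """'any' matches everything; otherwise a CIDR network (assumed notation)."""
    if tokens[0] == "any":
        return None, tokens[1:]
    return ipaddress.ip_network(tokens[0], strict=False), tokens[1:]


def _take_port(tokens):
    """'any' or 'eq <port>'."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    raise ValueError(f"unsupported port spec: {tokens}")


def parse_acl(text):
    """Return a list of (action, proto, src, sport, dst, dport) entries."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):   # '!' starts a comment
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _take_addr(rest)
        sport, rest = _take_port(rest)
        dst, rest = _take_addr(rest)
        dport, rest = _take_port(rest)
        if rest:
            raise ValueError(f"trailing tokens in ACL line: {line!r}")
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def acl_action(entries, flow):
    """First matching entry decides; an ACL with no match denies."""
    proto, sip, sport, dip, dport = flow
    for action, p, src, sp, dst, dp in entries:
        if p not in ("ip", proto):
            continue
        if src is not None and ipaddress.ip_address(sip) not in src:
            continue
        if sp is not None and sp != sport:
            continue
        if dst is not None and ipaddress.ip_address(dip) not in dst:
            continue
        if dp is not None and dp != dport:
            continue
        return action
    return "deny"   # implicit deny at the end of every ACL


# Constructed flows: (proto, src IP, src port, dst IP, dst port).
INCIDENT_FLOW = ("tcp", "10.1.2.3", 4444, "203.0.113.7", 80)     # source port 4444, as in the incident
WEB_FLOW = ("tcp", "10.1.2.3", 51000, "203.0.113.7", 443)        # ordinary HTTPS egress
REVERSE_FLOW = ("tcp", "10.1.2.3", 51001, "203.0.113.7", 4444)   # 4444 on the far end instead

if __name__ == "__main__":
    acl = parse_acl(EGRESS_ACL)
    for name, flow in [("incident", INCIDENT_FLOW), ("web", WEB_FLOW), ("reverse", REVERSE_FLOW)]:
        print(f"{name:8s} {flow} -> {acl_action(acl, flow)}")
```

The incident flow is stopped by the card's explicit deny, the web flow is permitted, and the third flow (same port number, but as the destination) is stopped only because nothing permits it. That last case is the reason to keep the explicit permits narrow rather than relying on one deny line: the single rule is one layer, the default-deny policy around it is another.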
Which element(s) of the CIA-Triad does MAC address?
|
Integrity and Availability
|
|