Modules 26-28 Flashcards
Match the intrusion event defined in the Diamond Model of intrusion to the description.
According to NIST, which step in the digital forensics process involves drawing conclusions from data?
- Collection
- Examination
- Analysis
- Reporting
Analysis
When dealing with security threats and using the Cyber Kill Chain model, which two approaches can an organization use to block a potential back door creation? (Choose two.)
- Audit endpoints to discover abnormal file creations.
- Establish an incident response playbook.
- Consolidate the number of Internet points of presence.
- Conduct damage assessment.
- Use HIPS to alert or place a block on common installation paths.
Audit endpoints to discover abnormal file creations.
Use HIPS to alert or place a block on common installation paths.
A threat actor collects information from web servers of an organization and searches for employee contact information. The information collected is further used to search personal information on the Internet. To which attack phase do these activities belong according to the Cyber Kill Chain model?
- action on objectives
- exploitation
- reconnaissance
- weaponization
reconnaissance
In which step of the NIST incident response process does the CSIRT perform an analysis to determine which networks, systems, or applications are affected; who or what originated the incident; and how the incident is occurring?
- incident notification
- attacker identification
- scoping
- detection
Scoping: Provide information on the containment of the incident and deeper analysis of the effects of the incident.
What is the objective of the threat actor in establishing a two-way communication channel between the target system and a CnC infrastructure?
- to allow the threat actor to issue commands to the software that is installed on the target
- to steal network bandwidth from the network where the target is located
- to send user data stored on the target to the threat actor
- to launch a buffer overflow attack
to allow the threat actor to issue commands to the software that is installed on the target
What two shared sources of information are included within the MITRE ATT&CK framework? (Choose two.)
- collection of digital evidence from most volatile evidence to least volatile
- attacker tactics, techniques, and procedures
- details about the handling of evidence including times, places, and personnel involved
- eyewitness evidence from someone who directly observed criminal behavior
- mapping the steps in an attack to a matrix of generalized tactics
attacker tactics, techniques, and procedures
mapping the steps in an attack to a matrix of generalized tactics
Which meta-feature element in the Diamond Model describes information gained by the adversary?
- methodology
- resources
- results
- direction
resources
According to NIST standards, which incident response stakeholder is responsible for coordinating an incident response with other stakeholders to minimize the damage of an incident?
- human resources
- legal department
- management
- IT support
“Ultimately, management is held responsible for coordinating incident response among various stakeholders…”
What is the purpose for data reduction as it relates to NSM?
- to make the alert data transmission fast
- to remove recurring data streams
- to enhance the secure transmission of alert data
- to diminish the quantity of NSM data to be handled
to decrease/diminish/reduce the quantity of NSM data to be handled
To reduce data, it is essential to identify the network data that should be gathered and stored to reduce the burden on systems.
Which term is used to describe the process of converting log entries into a common format?
- classification
- systemization
- normalization
- standardization
Normalization is the process of combining data from a number of sources into a common format.
How is the hash value of files useful in network security investigations?
- It is used to decode files.
- It helps identify malware signatures.
- It verifies confidentiality of files.
- It is used as a key for encryption.
The hash value can be submitted to an online site to determine if the file is known malware.
What is the purpose for data normalization?
- to simplify searching for correlated events
- to reduce the amount of alert data
- to enhance the secure transmission of alert data
- to make the alert data transmission fast
Data normalization is also required to simplify searching for correlated events.
How does an application program interact with the operating system?
- sending files
- accessing BIOS or UEFI
- making API calls
- using processes
making API calls
Which tool is a Security Onion integrated host-based intrusion detection system?
- Snort
- OSSEC
- ELK
- Sguil
OSSEC