4.0 Operations and Incident Response Flashcards

(63 cards)

1
Q

a command-line utility that you can use to trace the path that an Internet Protocol (IP) packet takes to its destination.

A

Linux: traceroute domainname

Windows: tracert domainname

2
Q

Command that lets an Internet server administrator or any computer user enter a host name (for example, “whatis.com”) and find out the corresponding IP address or domain name system (DNS) record

A

Linux: dig domainname

Windows: nslookup domainname

3
Q

Command that displays all current TCP/IP network configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings

A

Linux: ifconfig

Windows: ipconfig
4
Q

program scans the network that a computer is connected to and outputs a list of ports, device names, operating systems, and several other identifiers that help the user understand the details behind their connection status

A

nmap

5
Q

command can be used to send large volumes of TCP traffic at a target while spoofing the source IP address, making it appear random or even originating from a specific user-defined source

A

HPing

6
Q

command is a networking tool used for troubleshooting and configuration, that can also serve as a monitoring tool for connections over the network. Both incoming and outgoing connections, routing tables, port listening, and usage statistics are common uses for this command

A

netstat

7
Q

a back-end tool that allows for port scanning and port listening

A

netcat

8
Q

analyzing a business network to discover IP addresses and identify relevant information associated with those IP addresses and devices.

A

IP Scanner

9
Q

command allows you to make manual entries into the network routing tables.

A

route

Example

route add -net 192.56.76.0 netmask 255.255.255.0 dev eth0

10
Q

a command-line tool that lets you transmit HTTP requests and receive responses from the command line or a shell script

A

curl

11
Q

Linux tool that acts as a wrapper for a variety of search engines and is used to find email accounts, subdomain names, virtual hosts, open ports / banners, and employee names related to a domain from different public sources

A

TheHarvester
12
Q

automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities

A

Sn1per

13
Q

automated tool developed in the Python language, which performs port scanning on the target host

A

Scanless

14
Q

multithreaded perl script to list DNS information of a domain and to discover non-contiguous ip blocks.

A

Dnsenum

15
Q

an open-source network vulnerability scanner that uses the Common Vulnerabilities and Exposures architecture for easy cross-linking between compliant security tools

A

Nessus

16
Q

is a tool used to launch malware in a secure and isolated environment; the idea is that the sandbox fools the malware into thinking it has infected a genuine host

A

Cuckoo sandbox
17
Q

Linux command used to change the access mode of a file

A

chmod
18
Q

a Linux command that prints the first lines of one or more files (or piped data) to standard output

A

head
19
Q

a Linux command that prints the last few lines (10 lines by default) of a file, then terminates.

A

tail
20
Q

a Linux command used to search text files for lines matching a regular expression

A

grep
21
Q

provides an interface to the syslog subroutine, which writes entries to the system log

A

logger

22
Q

a tool for replaying network traffic from files saved with tcpdump or other tools which write pcap(3) files

A

TCPreplay

23
Q

packet analyzer that is launched from the command line. It can be used to analyze network traffic by intercepting and displaying packets that are being created or received by the computer it’s running on. It runs on Linux

A

TCPDump

24
Q

basic purpose of this linux command is to transfer data from one drive to another while also making sure that the data itself is not changed

A

dd

25
Q

used for forensics, data recovery, low-level data processing, and IT security. It allows the user to view files in hexadecimal format

A

WinHex

26
Q

a tool for creating disk images that is free to use. It was developed by AccessData and helps to preview data and to image it

A

FTK Imager

27
Q

are supported software packages that contain reliable exploit modules and other useful features, such as agents used for successful repositioning

A

Exploitation frameworks

28
Q

recover passwords using various techniques. The process can involve comparing a list of words to guess passwords or the use of an algorithm to repeatedly guess the password

A

password crackers

29
Q

the process of irreversibly removing or destroying data stored on a memory device (hard drives, flash memory / SSDs, mobile devices, CDs, DVDs, etc.) or in hard copy form

A

Data sanitization

30
Q

A plan that has a set of instructions or procedures to detect, respond to, and limit the consequences of malicious cyber attacks against an organization's information systems

A

incident response plans

31
Q

This is a process for identifying an attack, understanding its severity and prioritizing it, investigating and mitigating the attack, restoring operations, and taking action to ensure it won't recur

A

incident response process

32
Q

Incident Response Process step covering the things you do before an attack happens:
- communication: who gets contacted, what the phone numbers are, etc.
- resources: documentation, diagrams, baselines
- incident mitigation software
- policies to follow

A

IRP Preparation

33
Q

Incident Response Process step in which you figure out the type of attack (e.g. buffer overflows):
- anti-virus can identify it
- host-based monitors detect configuration changes: something is going to happen or is already underway
- network traffic flow deviates

A

IRP Identification

34
Q

Incident response process step for making sure the attack doesn't get out of hand. Techniques you would use:
- don't leave it alone
- sandbox
- isolation, which can sometimes be problematic because some malware will delete itself and other data once it detects it doesn't have an internet connection

A

IRP Containment

35
Q

Incident Response Process step that does the following:
- remove malware
- disable breached user accounts
- fix vulnerabilities

A

IRP Eradication

36
Q

Incident response process step characterized by:
- different ways to detect incidents, due to the large amount of data
- security incidents are normally complex

A

IRP Detection

37
Q

Incident Response Process step referring to the aftermath:
- have it soon after the attack
- what happened?
- evaluate how incident plans worked
- did the precursors help?

A

IRP Lessons Learned

38
Q

Incident Response process step to get back to working operation; it can take months:
- a phased approach
- start with high-value parts

A

IRP Recovery

39
Q

set of data matrices and assessment tool developed by this corporation to help organizations understand their security readiness and uncover vulnerabilities in their defenses.

A

MITRE ATT&CK

40
Q

analysis is an approach employed by several information security professionals to authenticate and track cyber threats.

A

Diamond Model of Intrusion Analysis

41
Q

a way to understand the sequence of events involved in an external attack on an organization's IT environment.

A

Cyber Kill Chain

42
Q

Planning effort within individual agencies to ensure they can continue to perform their mission essential functions during a wide range of emergencies

A

continuity of operations planning

43
Q

signaling protocol that enables Voice over Internet Protocol (VoIP) by defining the messages sent between endpoints and managing the actual elements of a call

A

Session Initiation Protocol

44
Q

a protocol that computer systems use to send event data logs to a central location for storage

A

syslog/rsyslog/syslog-ng

45
Q

Linux command for querying and displaying logs from journald, systemd's logging service

A

journalctl

46
Q

open source log collection and centralization tool that offers log processing features, including log enrichment (parsing, filtering, and conversion) and log forwarding

A

NXLog

47
Q

standard for monitoring network flow data that allows you to monitor IP network traffic information as data packets enter or exit an interface.

A

NetFlow

48
Q

provides a more comprehensive picture of network traffic, because it includes the full packet header, from which any field can be extracted

A

sFlow

49
Q

works with Cisco equipment; to do so, it collects data packets from across the network

A

IPFIX

50
Q

used to monitor data traffic and analyze captured signals as they travel across communication channels

A

Protocol analyzer output

51
Q

automates, controls, and secures administrative policies on laptops, smartphones, tablets, or any other device connected to an organization's network.

A

Mobile Device Management

52
Q

SOAR technique that consists of a series of conditional steps to perform actions, such as data enrichment, threat containment, and sending notifications, automatically as part of the incident response or security operations process.

A

SOAR Runbook

53
Q

SOAR technique designed to help SOC teams respond to known threats, because security breaches are not typically the result of unknown threats

A

SOAR playbook

54
Q

the process by which organizations preserve potentially relevant information when litigation is pending or reasonably anticipated

A

Legal Hold

55
Q

the sequence or order in which the digital evidence is collected.

A

order of volatility

56
Q

A piece of evidence, such as text or a reference to a resource, that is submitted to support a response to a question.

A

Artifacts

57
Q

entitles your organization to review your vendor's work product and reporting, which may include self-assessments, third-party audits and other official documents detailing the sufficiency of internal systems and controls

A

right-to-audit clauses

58
Q

any government or governmental unit which has authority to regulate the sale or use of a Co-Development Product in any territory

A

Regulatory/jurisdiction

59
Q

A mathematical value created using a cryptographic algorithm that is assigned to data and later used to test the data to verify that the data has not changed

A

checksum

60
Q

form of digital investigation that attempts to find evidence in email, business communications and other data that could be used in litigation or criminal proceedings

A

e-discovery

61
Q

What are the six steps in the incident response process?

A

Preparation, Detection, Analysis, Containment, Eradication, Recovery, Lessons Learned

62
Q

A standard model that describes malicious activity and enables intrusion analysis, threat hunting, and threat detection.

A

Diamond Model of Intrusion Analysis

63
Q

Name the four elements of the Diamond Model of Intrusion Analysis

A

Adversary, Capability, Infrastructure and Victim