4.0 - Operations & Incident Response

Question 1

Explain this command:

traceroute

Answer 1

• determine the route a packet tackes to a destination

• maps the entire path

• In Unix/Linux: traceroute

• In Windows: tracert

Question 2

Explain this command:

nslookup

Answer 2

• Query a DNS server to look up names and IP addresses

• deprecated (use dig instead)

• Found in both Windows and Linux/Unix

Question 3

Explain this command:

dig

Answer 3

• Domain Information Groper

• replaced nslookup

• More advanced domain information

• Not included in Windows but can be installed

Question 4

Explain this command:

pathping

Answer 4

• Included in Windows NT and later

• combines ping and traceroute

• first builds a map via traceroute

• then measures each hop’s round trip time and packet loss

• takes a number of minutes to run

Question 5

Explain this command:

netstat

Answer 5

• Network Statistics

• -a shows all active connections

• -b shows binaries (in Windows)

• -n prevents resolving names; shows IP addresses only

• present in many different OSs

Question 6

Explain this command:

arp -a

Answer 6

• view local ARP table

Question 7

Command to view device’s routing table?

Answer 7

• Windows: route print

• Linux / Unix: netstat -r

Question 8

Explain this command:

curl

Answer 8

• “Client URL”

• Grabs raw data from web pages, FTP, emails, databases, etc.

Question 9

Explain this command:

hping

Answer 9

• A ping that can be customized to send almost anything

• Can modify all IP, TCP, UDP, and ICMP values

Question 10

Define

Nmap

Answer 10

• Network Mapper

• Port scan to find devices and identify open ports

• Discover OS without logging into device

• Scan services available, with name, version, and details

• NSE (Nmap Scripting Engine) provides extended capabilities via additional scripts

Question 11

Explain

theHarvester

Answer 11

• Command line tool for gathering OSINT

• Scarpes information from search engines

• Find associated IP addresses, e-mail addresses, names, titles, etc.

• DNS brute force assists in finding unknown hosts

Question 12

Explain

sn1per

Answer 12

• Combines multiple reconnaissance tools into a single framework

• Allows you to search a single query and receive a single output that combines various tools’ results

• including dnsenum, metasploit, nmap, theHarvester, and much more

• Can run in non-intrusive or very intrusive modes, and anything in-between

Question 13

Explain

scanless

Answer 13

• command line tool for running port scans from a different host (port scan proxy)

• allows your own device to not be detected as the source of the scan

• You specify the scan origination, and your IP is hidden as the scan source

Question 14

Define

dnsenum

Answer 14

• Enumerate DNS information

• view host and service information from DNS servers

• Find host names in Google

○ (more hosts can probably be found in the index than what is listed on a DNS server)

Question 15

Define

Nessus

Answer 15

• Industry leader in vulnerability scanning tools

• Extensive support; both free and commercial options

• Scans system, identifies known vulnerabilities, provides extensive reporting

• Graphic interface

Question 16

Define

Cuckoo

Answer 16

• A sandbox for malware

• test a file in a safe, virtualized sandbox environment

• Environment can be Windows, Linux, macOS, Android, etc.

• Tracks and trace activity of the executable you are running in it.

Question 17

Explain this command:

head

Answer 17

• like cat, but views only the first part / beginning of a file

• use -n to specify the number of lines

Question 18

Explain this command:

tail

Answer 18

• like cat, but views only the last part / ending of a file

• use -n to specify the number of lines

Question 19

Explain this command:

grep

Answer 19

• finds text in a file and displays all lines that contain it

• can search through multiple files at a time

Question 20

Explain this command:

chmod

Answer 20

• “Change Mode” of permissions on a file or folder

• r=read, w=write, e=execute

• permissions are displayed in order for owner (u), the group (g), others (o), or all (a)

Question 21

How are file/folder permissions displayed in CLI?

Answer 21

• if the first character is a d, it is a directory.

• if the first character is a -, it is a file

• the next set of three characters indicate user permissions.

• the following three characters indicate group permissions.

• the last three characters indicate permissions for all others.

• Ex: -rwe-r—- indicates a file, where a user as Read/WriteExecute, the group as read-only, and all others have no permissions.

Question 22

What are the octal notations for setting permissions?

Answer 22

7. read, write, and execute (rwx)
8. read and write (rw-)
9. read and execute (r-x)
10. read only (r–)
11. write and execute (-wx)
12. write only (-w-)
13. execute only (–x)
14. none (—)

Question 23

Explain this command:

logger

Answer 23

• adds entries to the system log

• either the local or a remote syslog file

Question 24

Explain

OpenSSL

Answer 24

• A library of utilities for SSL/TLS communication

• Create X.509 certificates

• Manage CSRs and CRLs

• Has crypto librarys to perform hashing functions, encryption/decryption

• Extensively used today

Question 25

Explain this command: tcpdump

Answer 25

• Captures packets, like a CLI version of WireShark • Can display packets on screen and/or write to a file • Included in most Linux distributions

Question 26

Explain this command: tcpreplay

Answer 26

• A suite of packet replay utilizies • can take (and edit) info from tcpdump, and replay it on the network • Usefuly for checking IPS signatures and firewall rules, testing IP Flow / NetFlow devices, stress testing, etc. • Open source

Question 27

Explain this command: dd

Answer 27

• "Data Definition" • Linux command to create and restore disk images • Creates a bit-by-bit copy of a drive or directory • Used by many forensic tools

Question 28

Explain this command: memdump

Answer 28

• Copies information in system memory to the standard output stream • Many third-party tools can read a memory dump • Often used in conjunction with netcat, stunnel, openssl, etc., to send the memdump to another host • Useful for forensics

Question 29

Define WinHex

Answer 29

• A third-party utility for Windows • a universal hexadecimal editor • Edit disks, files, RAM, etc. • Includes data recovery features • Disk cloning • secure drive wipes • Many more features, useful for forensics

Question 30

Explain FTK imager

Answer 30

• disk imaging tool for Windows that can mount or image drives and perform utilities • wide third-party support to analyze these images • Can import other disk image formats • Useful for forensics, wide third-party support

Question 31

Define Autopsy

Answer 31

• a graphical tool to perform digital forensics of hard drives, smartphones, image files, etc. • View and recover data from storage devices • Extract covers many data types, including: ○ downloaded files ○ browser history and cache ○ email messages ○ databases • Can potentially recover data from drives that have been re-formatted

Question 32

Explain Exploitation Framework

Answer 32

• A type of pre-built toolkit for exploitations, useful to perform tests against your own systems • Build custom attacks. • Adds more tools as vulnerabilities are found

Question 33

Name two Exploitation Framework tools

Answer 33

• Metasploit is a popular one; attacks known vulnerabilities with new ones being added all the time • SET (Social-Engineer Toolkit)

Question 34

Explain NIST SP800-61

Answer 34

• National Institute of Standards and Technology • Special Publication 800-61 Revision 2 • Titled "Computer Security Incident Handling Guide"

Question 35

What are the phases of a security incident lifecycle, according to NIST's Computer Security Incident Handling Guide?

Answer 35

• Preparation • Detection and Analysis • Containment, Eradication, and Recovery • Post-Incident Activity

Question 36

What are three types of Exercises?

Answer 36

• Tabletop - responders talking through and analyzing a hypothetical situation • Walkthrough - responders testing process and procedures, walking through each step, and identifying anything found out of place • Simulation - testing users and systems with a simulated event, such as a sending a phishing e-mail through your own systems and to your own users as a test.

Question 37

Define COOP

Answer 37

• Continuity of Operations Planning • Made in preparation for disaster, so you know what to do • Outlines how to perform essential job functions during a systems outage • May include manual transactions, paper receipts, phone calls for transaction approvals, etc. • Must be well documented and tested before a problem occurs

Question 38

Define MITRE ATT&CK Framework

Answer 38

• Documentation to help determine actions of an attacker • Developed by MITRE corp, which supports several U.S. government agencies • Assist identifying point of intrusion, understand methods used to move around, and identify potential security techniques and block future attacks

Question 39

Explain: Diamond Model of Intrusion Analysis

Answer 39

• Designed by U.S. intelligence community • A model to guide analysts in understanding intrusions • Applies scientific principles to intrusion analysis

Question 40

What are the four points of the Diamond Model of Intrusion Analysis?

Answer 40

• Four points of diamond are (clockwise from the top) ○ Adversary ○ Capability ○ Victim ○ Infrastructure

Question 41

Explain Cyber Kill Chain

Answer 41

• A framework that outlines the 7 phases of a cyber attack: • Reconnaissance (gather intel) • Weaponization (build a deliverable payload) • Delivery (Send the weapon, such as an .exe over e-mail) • Exploit (execute code on victim's device) • Installation (malware is installed) • Command and Control (channel is created for remote access) • Actions on objectives (attacker carries out objectives)

Question 42

Explain: Dump files

Answer 42

• A dump file stores all contents of memory (usually just for a specific application) into a diagnostic file • Can be provided to developers for troubleshooting • In Windows Task Manager, just right-click the process and select "create dump file" • Some applications have their own processes for creating dump files

Question 43

Explain: syslog

Answer 43

• Standard for message logging, used by diverse systems to create a consolidated log • Usually sent to a central logging server (SIEM) • Each log entry is labelled with a facility code and severity level

Question 44

Define rsyslog

Answer 44

• Rocket-fast Syslog • A syslog daemon

Question 45

Define syslog-ng

Answer 45

• A popular syslog daemon with additional filtering and storage options

Question 46

Define NXLog

Answer 46

• a syslog daemon • Collection from many diverse log types and consolidate it on a single machine

Question 47

Define facility code

Answer 47

• Every syslog entry is labelled with a facility code • It indicates the program that created the log

Question 48

Explain: journalctl

Answer 48

• Linux system logs are stored in binary for optimization • But they are not human-readable • Journalctl provides tools to query the system journal, search, filter, and view as plain text

Question 49

Explain: Netflow

Answer 49

• Gathers traffic statistics from all traffic flows • This data is usually collected by "probes,” then sent and consolidated onto a central Netflow "collector" server • Very common, standard tool with a lot of support from vendors

Question 50

Explain: IPFIX

Answer 50

• IP Flow Information Export • A newer, Netflow-based standard • Allows for customization of what data to collect, and to send to centralized server

Question 51

Explain: sFlow

Answer 51

• Sampled Flow • Similar to Netflow, but takes only a portion of the actual network traffic • It is therefore not technically a flow • The sample can still provide relatively accurate statistics • Usually embedded in infrastructure devices such as switches and routers, since it has low resource requirements

Question 52

Define Runbook

Answer 52

• A linear checklist of steps to perform • Useful for automation; the steps can be carried out automatically • Used in SOAR

Question 53

Define Playbook

Answer 53

• Like a runbook, but broader in process • allows for conditional steps and may contain multiple runbooks • Useful for automation of response with these processes • Used in SOAR

Question 54

What are the three phases of Digital Forensics described in RFC 3227?

Answer 54

• Acquisition • Analysis • Reporting

Question 55

Define ESI

Answer 55

• Electronically Stored Information • Legal term for data that is held in a separate repository for legal purposes

Question 56

How are timestamps recorded in an OS?

Answer 56

• Different file systems store timestamps differently • In FAT, time is stored in local time • In NTFS, time is stored in GMT • Windows Registry and other OS settings may also influence time offsets (Daylight Savings Time, etc. • Understanding time offsets is important for Digital Forensics

Question 57

List 7 types of data in order of volatility (Most to least)

Answer 57

• CPU registers and cache • Router table, ARP cache, process table, kernel statistics, memory • Temporary File Systems • Disk • Remote Logging and monitoring data • Physical configuration; network topology • Archival media

Question 58

Define and list examples of: Artifact

Answer 58

• Digital items left behind in sometimes less-than-obvious places, considered during data acquisition • May include: ○ log information ○ flash memory ○ prefetch cache files ○ Recycle Bin ○ browser bookmarks and logins

Question 59

Define Right-to-Audit Clause

Answer 59

• Grants permission for you to know where the data is being held, how it is being accessed over the Internet, and what security features are in place to protect it • Can be added to a contract with cloud providers

Question 60

Define E-Discovery

Answer 60

• The gathering of data required by the legal process • Does not generally involve analysis or make any consideration of intent

Question 61

What is the functional difference between MAC and Digital Signature?

Answer 61

• Message Authentication Code (MAC) provides non-repudiation that can be verified between the two parties in communication • With a Digital Signature, the non-repudiation can be publicly verified using the public key