Book 3 Flashcards
Enlisted Information Warfare Specialist Command Specific (200 cards)
1
Q
Active Directory Users and Computers Definition
A
stores users and accounts
2
Q
Certificates Definition
A
Used with CAC, allows access to certain sites
3
Q
Event Viewer Definition
A
Monitor events on local computer such as logon, open applications, etc
4
Q
Computer Management Definition
A
Create local user, groups look at logs, shared folders
5
Q
Security Templates Definition
A
Security templates provide standard security settings to use as a model for your security policies. They help you troubleshoot computers whose security policies are not in compliance with policy or are unknown. Security templates are inactive until imported into a Group Policy object or the Security Configuration and Analysis snap-in to MMC.
6
Q
IP Security Policies Definition
A
Internet Protocol Security (IPSec) is a framework of open standards for ensuring private, secure communications over Internet Protocol (IP) networks, through the use of cryptographic security services. IPSec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. The Microsoft implementation of IPSec is based on standards developed by the Internet Engineering Task Force (IETF) IPSec working group.
7
Q
Describe Group Policy in Active Directory. (FIX)
A
Exchange Server, “New Distro Group”, “Add Members” Security Group (settings, file access) vs. Distro Group (mailing list)
a. Group Policy Applications for security
b. Group Policy applications to local, global, and universal security groups
c. Recommended security structure for group policy design
d. Use of the “No Over-ride” option for group policy
8
Q
Describe the importance of enforcing a strong password policy.
A
Given enough encrypted data, time, and computing power, attackers can compromise almost any cryptographic system. You can prevent such attackers from succeeding by making the task of cracking the password as difficult as possible. Two key strategies to accomplish this are to require users to set complex passwords and to require users to change their passwords periodically, so that attackers do not have sufficient time to crack the complex encryption code.
9
Q
Complex Passwords
A
You should set password policy to require complex passwords, which contain a combination of uppercase and lowercase letters, numbers, and symbols, and are typically a minimum of seven characters long or more for all accounts, including administrative accounts, such as local administrator, domain administrator, and enterprise administrator.
10
Q
Discuss the configuration of password policy through Group Policy, including, minimum password length, maximum password age, password history, length, minimum password age, and password complexity requirements.
A
NCDOC utilizes Active Directory Users and Computers (ADUC) which allows administrators to set the password policy for the entire command. NCDOC currently requires the use of 15 characters to include upper case, lower case, numbers and special characters.
11
Q
Define “Account Lockout Policy”.
A
Stays locked until manually unlocked by Systems. Three incorrect tries and your password “locks out” your account.
12
Q
Describe the issues surrounding an account lockout policy.
A
The main issue surrounding an account lockout policy is if your account is locked out after N61 working hours and you are deemed essential personnel, you will have to contact the BWC and have he or she call the duty I.T. to come in and unlock your account. If your account is locked out during working hours a coworker will have to submit a trouble ticket for you to have your account unlocked
13
Q
Discuss the configuration account lockout policy through Group Policy, including lockout threshold, lockout duration, and bad password count reset interval.
A
- The configuration account lockout policy is automatically carried out by Group Policy. If you enter the wrong password in 3 times your account will automatically be locked out and require a technician to manually unlock it.
- Lockout threshold refers to the number of failed sign-in attempts that will cause a user account to be locked.
Lockout duration refers determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it.
14
Q
Network redundancy
A
process through which additional or alternate instances of network devices, equipment and communication mediums are installed within network infrastructure. It is a method for ensuring network availability in case of a network device or path failure and unavailability. As such, it provides a means of network failover.
15
Q
File Servers
A
In computing, a fileserver is a computer attached to a network that has the primary purpose of providing a location for shared disk access, i.e. shared storage of computer files (such as documents, sound files, photographs, movies, images, databases, etc.) that can be accessed by the workstations.
16
Q
Exchange
A
Microsoft Exchange Server is a calendaring and mail server developed by Microsoft that runs exclusively on the Microsoft Windows Server product line
17
Q
Domain controllers
A
On Microsoft Servers, a domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, etc.) within a Windows domain. A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with the use of a single username and password combination.
18
Q
Differential Backup:
A
Differential backups are completed nightly.
19
Q
Incremental Backup:
A
Not completed at NCDOC.
20
Q
Full Backup:
A
Weekly with the exception of SQL(Daily) and Exchange (2 times a week).
21
Q
Network media used at NCDOC:
Fiber optic and the type of associated connectors:
A
Fiber optic for classified
SC Duplex (Standard Connector x 2), ST (Straight tip), LC Duplex (Lucent Connector x 2), MTRJ (Mechanical Transfer Register Jack)
22
Q
Network media used at NCDOC:
Cat 6
A
Unclassified
23
Q
Network media used at NCDOC:
RJ45
A
Used for phones. An 8-pin/8-position plug or jack that is commonly used to connect computers onto Ethernet-based local area networks (LAN). Two wiring schemes–T568A and T568B–are used to terminate the twisted-pair cable onto the connector interface. RJ45 is the medium often used for unclassified use.
24
Q
What is the IEEE standard associated with PNAC?
A
802.1x
25
What layer does it work on?
Network
26
Explain how Persistent MAC Learning (Sticky MAC) works.
Persistent MAC learning, also known as sticky MAC, is a port security feature that enables an interface to retain dynamically learned MAC addresses when the switch is restarted or if the interface goes down and is brought back online.
27
What is an ISP?
Internet Service Provider. NCDOC ISP is COX
28
What is VPN?
Virtual Private Network
29
State the purpose of the following Enclaves (Non Attrib (COX))
Non Attrib (Cox) – Research and development
30
State the purpose of the following Enclaves Poison & Forensics
Investigate
31
State the purpose of the following Enclaves (SIPR)
Classified
32
State the purpose of the following Enclaves (NIPR)
Unclassified
33
How do you authenticate over VPN?
RSA Token
34
What is a STIG?
Security Technical Implementation Guide is a configuration standard consisting of cybersecurity requirements for a specific product. The use of STIGs enables a methodology for securing protocols within networks, servers, computers, and logical designs to enhance overall security.
35
Explain the purpose and location of COOP.
COOP planning is an effort to assure that the capability exists to continue essential agency functions across a wide range of potential emergencies. Washington DC
36
Describe the process for creating a PBI/PKE ticket.
a. AS&W create CER.
b. IH verifies the CER’s validity and generates a PBI or PKE in ITSM based on the exploit.
37
List the different types of Incident Report Record Messages and state the purpose of each
a. General
b. IP Resolution
c. DCO Open/Close
d. Ship’s Update
e. DINQ
f. Phishing w/ Attachment
38
Incident Handling Methodology Phases.
Post Incident Activity
Lessons learned
39
Incident Handling Methodology Phases.
Recovery
Restore to baseline
40
Incident Handling Methodology Phases.
Eradication
Re-provision asset, delete email from Exchange server
41
Incident Handling Methodology Phases
Containment
Remove media from network, disable account
42
Incident Handling Methodology Phases
Analysis
Log/Media/Malware RFI’s, PCAP
43
Incident Handling Methodology Phases
Preparation
Secure/Patch Network
44
Incident Handling Methodology Phases
Detection
IDS/IPS, Scans
45
Explain the information contained in CER Reports:
Early Indicator & Warning Report (EI&W)
Activity that could lead to further issues
46
Explain the information contained in CER Reports:
Intrusion Detection System (IDS)
Alerts received from IDS
47
Explain the information contained in CER Reports.
NSA/CSS Threat Operations Center (NTOC)
Activity seen around the GIG.
48
Define the three Mission Assurance Categories (MAC levels).
MAC 1(Vital)
Loss of primary mission capability (mission critical)
49
Define the three Mission Assurance Categories (MAC levels)
MAC 2 (Important)
Loss of secondary mission capability (redundancy/services
50
Define the three Mission Assurance Categories (MAC levels)
MAC 3 (Necessary)
Loss of End-User Access (workstation
51
Containment
the host(s) have been identified and need to be removed from the network, logically isolated, re-imaged or otherwise restricted
52
Incident Response Plan
This plan is provided as a tool to assist commands with detection, analysis, containment, eradication, and recovery from possible computer compromise during a Category 1 or 2 incident.
53
NCDOC Timeline for investigation updates
Update message on SIPR within 24 hours, next 24 hours: DINQ to ISIC, following 24 hours: go up chain of command, Report to DCOWO.
54
State the importance of containment measures/procedures.
Knowledge of the type of malware or exploit being employed on a host or user account that is compromised to determine the mitigation measures necessary.
55
Identify the difference in containment measures for Category 7 incidents compared to Category 2 Incidents.
Cat 2 must be mitigated faster because it grants unauthorized privileges.
56
Discuss what should be considered when determining the best method to eradicate a threat.
a. Type of system.
b. Type of malicious logic.
57
Explain why different types of incidents will have different eradication procedures.
Recovery of servers differs from recovery of workstations.
58
Describe several factors that should be considered during the recovery phase.
Whether to patch, wipe, image, reset accounts, etc.
59
List the steps necessary after receiving the final report from a Command.
a. Review target IP and source IP
b. Host affected seek required information updates
c. Antivirus updated within the last 7 days
d. Make ready for lead
e. Lead QCs
f. Ready for QC
g. QC closes or fixes ticket
60
List possible reasons a Navy command may be disconnected from the Department of Defense Information Network (DODIN).
Non-compliance, Non-Responsiveness, Outbreak (>30% of network affected)
61
Describe the following Cat Event:
DNS Beaconing
???
62
Describe the following Cat Event:
TOR/Proxy Routers
???
63
Describe the following Cat Event :
P2P
???
64
Describe the following Cat Event :
Unauthorized Software
???
65
Describe the following Cat Event :
Black Hole/IP Block violations – URL/IP list
???
66
Locate the status of an open ticket in ITSM.
Review status log.
67
Explain the difference between an Incident and an Event.
a. Event – An observable occurrence on a network (logins, open applications, etc.)
b. Incident – An observable occurrence on a network that’s malicious in nature.
68
Terms applying to Malware: Buffer Overflow
Overloads memory causing crashes
69
Terms applying to Malware: Worm
Self-replicating
70
Terms applying to Malware: Logic Bomb
Set to go off at a set time or after a set event
71
Terms applying to Malware: Spear Phishing
Social engineering
72
Terms applying to Malware: Trojan Horse
Hidden in other application
73
Terms applying to Malware: Denial of Service
Stops network usage
74
Terms applying to Malware: Root Kit
Grants Admin privileges
75
Explain the difference between a virus and a worm.
Virus requires a program to execute, worm is self-replicating.
76
Discuss the following virus propagation mechanisms.
a. Removable storage – USB
b. Email – Attachments
c. Instant Messaging – Links/URLs
d. Network – Worms
77
Describe the following virus infection vectors:
Polymorphism
a. Polymorphism – Changes characteristics to avoid detection
b. Metamorphism – Change their code to an equivalent one, but never remains constant.
c. Macro Virus – Embedded within scripts
d. Companion Virus – Virus which replaces a program and is executed when the user executes the program
e. Antivirus Deactivation – Disables the antivirus on the host.
78
Describe the following virus infection vectors:
Antivirus Deactivation
Disables the antivirus on the host.
78
Describe the following virus infection vectors:
Companion Virus
Virus which replaces a program and is executed when the user executes the program
78
Describe the following virus infection vectors:
Metamorphosis
Change their code to an equivalent one, but never remains constant.
78
Describe the following virus infection vectors:
Macro Virus
Embedded within scripts
79
Explain what occurs during a buffer overflow.
Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program operates.
80
Explain and define the following terms
a. Media-based Vulnerabilities – USB, External Hard Drive, etc.
b. Network Device Vulnerabilities – IDS, Routers, etc.
81
Describe the mission of the QC Cell.
Grade IH Technicians, Quality Control, Close out tickets, fix mistakes
82
Identify the information contained in each of the required fields of an ITSM ticket.
State the importance of the information. This may be done with the aid of ITSM.
Category (MANDATORY FIELD): The category field assigns a category to the incident IAW CJCSM 6510.01B Enclosure B Appendix A. Click on the dropdown arrow and select the appropriate category for the incident. Refer to the Table 3-1 to determine which category an incident will be assigned. Incident Status (MANDATORY FIELD): The incident status field offers four choices. All new tickets have “Investigating” selected as the default choice. The other three choices are only used when closing a ticket.
b. PLA (MANDATORY FIELD): The Plain Language Address (PLA) of the command can be selected by clicking on the dropdown arrow. The field next to the PLA is the COCOM for the selected PLA. This field is automatically filled in by NCD.
c. Assigned To (MANDATORY FIELD): This field assigns the ticket to a specific individual or group. Newly created tickets will be assigned to the Initial QC (IQC) queue for Mission Management QC. Mission Management (MM) personnel will perform IQC, and assign the ticket to the appropriate IH Journeyman (Lead)/Assistant of an IH Watch Cell, based on preferred contact time and equal distribution of tickets. Reference IH SOP-02-3 Appendix “N”.
d. Status (MANDATORY FIELD): Defines the current status of the NCD ticket.
e. Exploit (MANDATORY FIELD): This field is automatically filled out after the Exploit Name is selected.
f. Exploit Name (MANDATORY FIELD): Selecting the dropdown arrow will bring up a list of exploit categories. Further selecting a category will bring up a list of specific exploits for that category. Next to the exploit name field is the view mitigation button. This button will bring up a pop-up window that lists the mitigated actions that must be completed for that ticket prior to closure. Once an exploit name is selected the Exploit field and the Mitigated Actions field will be populated.
g. Name Set Related / Webmail Related? (MANDATORY FIELD): Denotes whether or not the reported activity may be related to previous activity attributed to name set actors. The original report should state if the activity is PNS.
83
***Draft a record message for a command using a report and the record message template. This may be done using a practice report without releasing the message.***
3.0 Locate the correct message template on the share drive.
3.1 Once the correct message template has been located, open the document, copy the message, and paste it into notepad for editing, review and transfer to the IH Journeyman and CTF 1020 BWC/ABWC. ***IMPORTANT*** No line of text can be longer than 69 characters.
3.2 Complete the message by filling in the following information in the message template:
3.2.1 Fill in the command’s PLA in the “To:” line. If you do not know the PLA you can verify it in Navy CIRT (Computer Incident Response Team) Database (NCD), Distributed Plain Language Verification System (DPVS) or the Standard Navy Distribution List (SNDL). DPVS can be located on SIPRNet in the Incident Handling Division folder.
3.2.2 Fill in the PLA for command’s ISIC. Again, if you are not sure of the PLA for the command’s ISIC, you can verify it in VRAM.
3.2.3 If necessary, fill in the PLA for the command’s Carrier Strike Group or Expeditionary Strike Group. This will be placed above the command’s ISIC.
3.2.4 Complete the subject line by adding the exploit and exploit name for the activity. This information can be found in the NCD ticket.
3.2.5 Complete REF D by adding the following information:
3.2.5.1 Ensure the proper reference type is selected. By default, it should be DOC. But if the activity was reported in a message, ensure that the reference type is changed to GENADMIN.
3.2.5.2 Insert the PLA of the originator of the report (e.g., for NCDOC CER’s insert NAVCYBERDEFOPSCOM SUFFOLK VA; for a NETWARCOM (NNWC) Initial Incident Report (IIR), insert COMNAVNETWARCOM SUFFOLK VA.)
3.2.5.3 Insert the date the report was produced in DDMMMYYYY format.
3.2.5.4 Insert the report number in the designated area.
3.2.6 If more than one REF is needed, add the information for the additional refs in new lines, starting with REF E.
3.2.7 At the end of the narrative (NARR) ensure the information for REF D (and any additional references) is complete and correct.
3.2.8 In paragraph 2 of the message body, add all pertinent information about the activity to include: Command PLA, NCD number, Navy Host IP, Navy Host Port, Date/Time of Activity (DDMMMYYYY/HHMMZ format), Non-DoD IP, Non-DoD Port, and Associated Activity.
3.2.9 For standard messages, insert the verbiage of the opening statement into paragraph 3 of the message body.
3.2.10 Once the message has been drafted it is required to be reviewed by the IH Apprentice who drafted to ensure accuracy.
84
***Review an open PBI/PKE ticket. Be able to state what actions the command would need to take to bring the ticket to closure.***
4.1 Start by opening the ticket and the final report, then go to the incident tab and open up the incident window for that ticket. Ensure each field is filled out as described below.
1) Attack Vector: When closing a ticket, select the correct option for identifying how the activity occurred
2) Why: When closing a ticket, select the options which correlate to the ticket by referring to Table 4-2. Although one option from each category can be selected, only one option from one category needs to be selected. Unsuccessful attempt tickets must be marked “N/A” for each category
3) Impact: Use Table 4-3 to determine what impact level will be selected. This will be based off of the man hours lost portion of the final report submitted by the command.
4) Action Taken: Use Table 4-4 for guidance on selecting the correct option while a ticket is in the process of closure.
5) Operational Impact: Operational impact should correspond with the MAC level of the affected host. For attempted access (CAT-3) and/or any NCD tickets where host(s) are unaffected, the operational impact will always remain Low in the NCD Ticket.
6) Incident Start Date: Remedy uses ZULU for the Incident Start Date, if the report does not list the time in ZULU, convert accordingly.
7) Incident Stop Date: Remedy uses ZULU for the Incident Stop Date, if the report does not list the time in ZULU, convert accordingly.
8) Additional Comments: Ensure the closing statement is added to the additional comments field. Refer to SOP OPS 02-5 Appendix B Enclosure 3 for information on writing closing statements.
9) Command Hours Lost: Refer to the command hours lost field of the final report to get this number. A minimum value of 1.00 must be entered.
10) Additional Comments: Ensure that the opening statement is here. The closing statement will also be placed in this field.
Once the Incident Tab has been completed, click “Save”, then “Close”. You are now ready to complete all fields under the Source IP Tab.
4.2 SOURCE IP TAB CLOSURE
Verify that all information was inserted into the source IP tab IAW Section 3.5. Once all of these fields have been completed, click “Save” and “Close” to ensure all information has been saved in the ticket. Now the IH Apprentice must complete all fields listed under the “Target IP” Tab.
4.3 TARGET IP TAB CLOSURE
Verify all information in the Target IP tab. Any information about an IP reported in a command’s final report must be updated in the tab. Any additional IP’s included in the final report must have new Target IP tabs added. When these fields are filled out, click on the “SAVE” button.
4.4 POC TAB CLOSUREOnce the POC Tab has been selected, there should be at least one entry in this field. Verify the POC on the final report form matches this entry. If the entry does not match, the POC listed on the final report will need to be added to this field.
To add a POC:
1) Select “Add/Edit POC” from the NCD Home page.
2) Insert the POC information provided. At a minimum, Last Name, First Name, Email, Phone Number, and PLA must be added.
3) Click “Save” to add POC to NCD.
4) Within the NCD ticket, select the POC tab and click on “Add POC”.
5) From the dropdown list on the right, scroll to the last name of the POC. Once the last name has been reached, select the first name of the POC.
6) Click “Save” and then “Close”.
4.5 Ticket CLOSURE
Once all Tabs have had the information added and updated, the main page of the NCD ticket can be prepared for closure.
Ensure that the ticket currently has no RFI’s pending resolution and the Action required is completed.
1) Draft a closing statement that describes the mitigated actions that the command conducted to remediate the issue. Guidance on closing statements can be found in SOP OPS 02-5 Appendix B Enclosure 3. The closing statement will then be placed into the “Status Log” and “Logs” fields, then click on the save button. Open the incident tab and place the closing statement into the “Additional Comments” field also, then save and close the incident tab. IAVM Status comments covers the affected box only, and the Anti-Virus statement must be verified current within 7 days.
2) Back on the main page of the ticket, section the appropriate “Category” that corresponds to the final results of the investigation.
3) Next, select the appropriate “Incident Status” for the closing of the ticket. The only statuses that can be selected for closing a ticket are “Explained Anomaly”, “Confirmed”, and “Unsuccessful Attempt”. A ticket can never be closed as “Investigating”.
4) Ensure all other fields on the page are correctly marked. After all fields are properly marked and filled in, select the “Ready For Lead” option in the “Status” field. Once this has been completed, click “Save” and the ticket will be reviewed by the Team Lead.
85
Create a PBI/PKE ticket.
For demonstration purposes – be able to create a PBI/PKE based off an internal NCDOC report (i.e. CER, CEL, IIR, etc.).
86
Define the purpose and intended target audience for the CJCSM 6510.01 series
This manual describes the Department of Defense (DoD) Cyber Incident Handling Program and specifies its major processes, implementation requirements, and related U.S. government interactions. The manual also applies to the Joint Staff and to Combatant Commands, Services, Defense agencies, DoD field activities, and joint and combatant activities.
87
Define the purpose and intended target audience for SECNAVINST 5239.19.
Establish Department of the Navy (DON) incident response policy consistent with reference (a) to align and integrate DON computer incident response and reporting requirements. This instruction applies to:
(1) All Commands, Components, and activities within the Department of the Navy.
(2) All DON owned, DON controlled, and DON-contractor owned information systems that receive, process, store, display, or transmit DOD information, regardless of mission assurance category, classification, or sensitivity.
88
Define the purpose and intended target audience for DTG 231605Z MAY 18.
This document designates Navy Cyber Defense Operations Command as the Computer Network Service Provider for the Navy.
89
***List and define the Incident Handling Categories. Provide examples of each. Define which categories are incident and what categories are events.***
a. Category 0: Training and Exercise (Incident/Event): Operations performed for training purposes and support for exercises.
b. Category 1: Root Level Intrusion (Incident): Unauthorized privileged access (administrative or root access) to an Information System (IS). Privileged access provides unrestricted access to the IS.
c. Category 2: User Level Intrusion (Incident): Unauthorized non-privileged access (user-level permissions) to an IS. Allows restricted access to the IS based on the privileges granted to the user.
d. Category 3: Unsuccessful Activity Attempt (Event): Deliberate attempts to gain unauthorized access to an IS that are defeated by normal defensive mechanisms. Attempt fails to gain access to the system (i.e., attacker attempt valid or potentially valid username and password combinations) and the activity cannot be characterized as exploratory scanning. This category includes reporting of quarantined malicious code. Note: The above CAT 3 explanation does not cover the “run-of-the-mill” virus that is defeated/deleted by Anti-Virus (AV) software. “Run-of-the-mill” viruses that are defeated/deleted by AV software are not reportable events or incidents and should not be annotated in JIMS. (This note refers to the point of view of a ship having malware being detected in real-time, quarantined and deleted. These events do not have to be reported to NCDOC.) Note: This category will only be used when closing a ticket.
e. Category 4: Denial of Service (Incident): Activity that denies, degrades, or disrupts normal functionality of an IS or DoD information network.
f. Category 5: Non-Compliance Activity (Poor Security) (Event): Activity that potentially exposes ISs to increased risk as a result of the action or inaction of authorized users. This includes administrative and user actions such as failure to apply security patches, connections across security domains, installation of vulnerable applications, and other breaches of existing DoD policy. Reporting of these events is critical for the gathering of useful effects-based metrics for commanders.
g. Category 6: Reconnaissance (Event): Activity that seeks to gather information used to characterize ISs, applications, DoD information networks, and users that may be useful in formulating an attack. This includes activity such as mapping DoD information networks, IS devices and applications, interconnectivity, and their users or reporting structure. This activity does not directly result in a compromise.
h. Category 7: Malicious Logic (Incident): Installation of software designed and/or deployed by adversaries with malicious intentions for the purpose of gaining access to resources or information without the consent or knowledge of the user. This ONLY includes malicious code that DOES NOT provide remote interactive control of the compromised IS. Malicious code that has allowed interactive access should be categorized as Category 1 or Category 2 incidents, not Category 7.
i. Category 8: Investigating (Event): Events that are potentially malicious or anomalous activity deemed suspicious and warrant, or are undergoing, further review. No event will be closed out as a Category 8. Note: NCDOC will not open tickets as Category 8.
j. Category 9: Explained Anomaly (Event): Suspicious events that after further investigation are determined to be non-malicious activity and do not fit the criteria for any other categories. This includes events such as IS malfunctions and false alarms. When reporting these events, the reason for which it cannot be otherwise categorized must be clearly specified. Note: This category will only be used when closing a ticket.
90
Define the purpose of the IM Trends cell. State the personnel that work in IM Trends.
Metric and Trending Analysis perform current, historical, and statistical trends and data analysis, for cyber incidents and events to assist in identifying incident trends
91
State the correlation between ITSM and JIMS.
Fields in bold replicate to JIMS every 15 minutes.
92
What is the minimum amount of information required to create an ITSM ticket?
Command (PLA), Date/time of Activity, Source and target IPs, Type of activity (Exploit)
93
Pull an IAV Compliance Report from VRAM for percentages.
1. Open browser and type in the address bar https://www.iava.navy.mil.
2. Automatically logs into your account
3. On the left-hand side click the link for IAVA Report
94
State the purpose of VRAM and who is responsible for it
The purpose of VRAM is to monitor IAVM compliance for the US Navy based on vulnerability scans uploaded to the site. SPAWAR is responsible for maintaining the site, but NCDOC is responsible for tracking compliance.
95
State where NCDOC obtains the information for their initial IAVA/B messages.
NCDOC obtains their information for IAVA/B MSG from the site below. Select the current year and the IAVA/B’s are order by most recent IAVA’s and then most recent IAVB’s. https://www.cybercom.mil/J3/IAVM/default.aspx
96
Locate IAVA/B messages in VRAM.
IAVA/B messages are located under the tab on the main page labeled "Cyber Directives" under the Workspace section
of the site. After selecting "Cyber Directives", select "IAVs" under Directive Type.
97
Find a primary Point of Contact (POC) in VRAM.
POCs for specific commands/PORs are located under the Administration section of the site, select either "System" or "Site" on the main page. After selecting either of these, search for the Command / Program of Record that you wish to find and select it. POCs are located in Box 6 (Site Users).
98
State how the Navy tracks IAVM Compliance.
The Navy tracks compliance through an honor system called VRAM.
99
How long does a Command or POR have to comply with an IAVA? IAVB
In VRAM, compliance dates are as follows:
IAVA – 21 Days
IAVB – 45 Days
100
Describe how vulnerabilities are added in VRAM.
Vulnerabilities are added one of two ways:
1. SPAWAR uploads the regular series IAVA/Bs every Thursday and they are updated and transmitted by the NCDOC VAAP Team.
2. VAAP manually adds the 5000 series IAVAs when they are released via SAILOR 2.1.
101
State how a command can become fully compliant in VRAM.
Realistically no command will be fully compliant in VRAM, but the possibility exists. You can become fully compliant by correctly patching every system for every IAV that applies to it, and uploading a scan to VRAM that reflects this
102
Define “SITE” and “SYSTEM” and explain the difference between them.
A "Site" is any Command or detachment that reports or can report in VRAM. A "System" is a Program of Record (POR). These are leased assets that are used by Sites
103
Describe NCDOC’s responsibility in the reporting process starting from USCYBERCOM.
Pre-Coordination through compliance using DISA’s web based tool, VMS.
104
List 3 websites on which you can review information for existing vulnerabilities
a. VRAM: https://vram.spawar.navy.(smil).mil
b. CYBERCOM IAVM: https://iavm.csd.disa.mil
c. SAILOR: https://sailor.nmci.navy.mil
105
How are IAVA/Bs released?
IAVA/Bs are released by the VAAP team using the VRAM mass e-mail functionality.
106
Demonstrate how to place a command in non-reporting status in VRAM.
Using the process earlier to access Command POCs, under Box 1 there is a drop-down menu labeled "Reporting
Status". This is how the status is physically changed, but there must be a reason to change it. (eg. Complete cutover to
NMCI, disestablishment of the command, ISIC / Superior reporting on behalf of the command) Along with the reason,
there is a message (Covered under OPS-02-6-1, Appendix C, Enclosure 1) that outlines the message that must be sent
by the requesting command / their superior via Naval message traffic to properly document the change.
107
Describe how commands can acknowledge vulnerabilities in VRAM.
Unless a command has a CA (Corporate Asset, meaning an owned asset such as NCDOC's network), there is no need for them to acknowledge any vulnerability in VRAM. This is the responsibility of the Systems under VRAM. If the
command did need to acknowledge because they possess a CA, they would utilize the "Cyber Directives" tab, using the "IAVs" button. They would then double click on any IAVA/B that says "Action Required" and Acknowledge in the tab that opens from there.
108
What is a mitigation plan and what are the two entities that have approving authority for them?
Mitigation plans are a plan submitted by the command in the event that the command is unable to patch their system in time for the delinquency date. These plans contain preventative actions (eg security doors, badge access, logical security like firewalls and ACLs, and whether the system is on SIPRnet or a completely separate network (not attached to the GIG)). They also include a future plan for the patching schedule and expected compliance dates. NCDOC has authority to approve any and all mitigation plans that fall on or below a 30 day window outside of the delinquency date, anything beyond that is the authority of the ODAA (Officer of Designated Approving Authority).
109
State which form is required to be with any piece of evidence before it is accepted. Describe why it is important for this form to be included.
Detailed account of what the item is, who owns it, serial numbers, and any other amplifying information that goes along with it to include everyone who has handled it. Provides legal foothold for prosecution
110
Describe the proper packing procedure for shipping SECRET hard drives or evidence
ONLY authorized carrier is USPS (DCS)—double-wrapped brown paper, two line address with no classification markings on the outer wrapper, only on the inner wrapper.
111
State what imaging a device means in terms of media forensics
Forensic images are acquired with software tool. Forensic image is not bootable and is an exact physical copy vice a clone which is a bootable form of evidence
112
State how the integrity of an image file is verified.
Hash-based verification ensures that a file has not been corrupted by comparing the file’s hash value to a previously calculated value (MD5—Message Digest Algorithm 5, SHA-1—NSA Secure Hash Algorithm)
113
What four hardware devices and three software programs can be uses to image media evidence?
a. Hardware:
-Falcon
-Talon
-Write Blocker
-Gizmo
b. Software:
-FTK Imager
-Helix
-Encase
114
State the purpose of a write-blocker, and describe its role in conducting analysis on evidence mediums
Central requirement for sound forensic examination of digital evidence is that the original evidence must not be modified.
115
List the following forms of memory from the most volatile to the least volatile and include the timeframe of volatility of each.
a. CD-ROMs and Printouts – decades
b. Discs – years
c. Floppies Disks and Backup Media - years
d. Main Memory – nanoseconds
e. Network State - milliseconds
f. Registers, Peripheral Memory and Caches – nanoseconds
g. Running processes – seconds
116
Display knowledge of a host’s registry, to include the ‘Big Three’, with location.
a. HKEY_LOCAL_MACHINE\Security
b. HKEY_LOCAL_MACHINE\Software
c. HKEY_LOCAL_MACHINE\System
117
Illustrate the difference between SCSI, IDE and SATA interface
a. IDE – oldest, 39 pins, 4 power prongs, rectangle shape, slow data transmission
b. SCSI – similar shape to parallel, faster, used on servers
c. SATA – newest since 2002, two slots data/power, fastest data transmission
118
Show where a user’s internet browsing history is stored.
Documents and Settings folder (temp files, cookies, etc.)
119
Discuss what virtual machines are and why they are important when conducting malware analysis.
A virtual machine is a software program implementation of a machine that executes a complete operating system and applications. Malicious files/actions cannot break out of virtual world if executed. *Isolates malware from the larger network & other systems*
120
Explain what hashing is and its importance.
Algorithm ran against file that verifies the integrity. MD5 is used by NCDOC.
121
Describe Chain of Custody and its importance.
Without proper chain of custody, you can’t prove that evidence has not been tampered with.
122
Describe the difference between unallocated and slack space.
a. Unallocated – Space on hard disk that potentially contains intact files that were created and then deleted. Data remains behind for discovery by forensics
b. Slack space – File system creates a cluster, but does not necessarily use entire fixed space that was allocated. File information from previous use is still available long after deletions and rewrites.
123
Describe the difference between wiping and formatting.
a. Format – deletes bookkeeping portion, does not delete actual files.
b. Wiping clearing or purging – All files are sanitized and are non-recoverable. Use multiple overwrites.
124
Describe the difference between imaging and cloning.
a. Image – recreates the files saved on the hard drive
b. Clone – bit for bit copy of the entire drive (bootable)
125
Describe the difference between a sector and a cluster.
a. Sector – Smallest physical storage unit on disk (512 bytes)
b. Cluster – Collection of multiple sectors. Space is reserved for data contents. *How data is stored
126
Describe what Alternate Data Streams are and what risks are associated with them.
ADS – Ability to fork file data into existing files without affecting functionality, size, or display – almost impossible to detect using command line or explorer.
127
Describe what “InPrivate” browsing is and how it affects forensics.
Keeps browsing history and personal information private on public terminals. Makes forensics more difficult
128
Explain the difference between Encrypting File System (EFS) and BitLocker.
EFS – Stores information on hard drive in encrypted format. Only affects specific folders/files. XP ONLY. Bitlocker – Encrypts entire drive that Windows and data files reside on.
129
Describe what cookies are and what purpose they serve.
Tracks users’ activity on web sites and saves preferences for faster loading.
130
Describe digital certificates and how they are used
Binds a pair of electronic keys that are used to sign and encrypt data
131
Explain the difference between software and hardware certificates
1. Software – Public and private key combination. Both can be moved
2. Hardware – Private keys NEVER leave, but public certificate can be exported.
132
Define what items need to be on a Chain of Custody form before evidence can be received by Media and Malware Analysis
For Media and Malware Analysis to take control of evidence the Chain of Custody must contain NCD,RFI, PLA, Classification, Serial Number, number of drives, and make/model.
133
Explain Data At Rest and its effect on media forensics
Data At Rest (DAR) is hardware encryption utility for hard drives. To be able to conduct media forensics the drive has to be imaged, decrypted and reimaged to create a readable working copy.
134
Explain how to identify a complete file download within packet capture.
Within a packet capture there is a field Size which indicates the expected size of the file. Once a file is carved out from a packet capture Strings can be ran which shows the current size of the file. Compare the current size to the expected size and if the sizes match there is a complete download. Also can check for "magic numbers" that indicate end of file for specific file types.
135
***What four reports are published by Media and Malware Analysis and what are their target audiences?***
Four report published are:
a. Forensic Summary Reports (FSR), target audience is NCDOC and the affected command if requested
b.Cyber Tactical Report (CTR) target audience is the Intelligence Community
c. Quick Look Report (QLR) target audience is the BWC/DCOWO and the affected command if requested
d.Network Activity Report (NAR) target audience is the Intelligence Community.
136
Define ECN and what it is used for.
Evidence Control Number (ECN) is the MMA internal tracking number for evidence.
137
Explain mitigation statements found within the BLUF Recommendations/Directions portion of a malware RFI.
BLUF Recommendations/Directions include Return to Baseline, See analysts’ comments, and awaiting additional information.Return to Baseline is recommended when a submitted malware sample has been identified as malicious and/or it is unauthorized software. See Analyst Comments is recommended when the malware sample has produced network indicators that can be used in countermeasure signatures. Awaiting Additional Information is recommended when the sample calls out to domain(s) and warrants further investigation by network analysts, the sample did not contain enough information or was an incomplete download.
138
***Define the concepts of the following with regards to IDS.***
1. Host based vs. Network based
a. Host based – software
b. Network based – monitors traffic on all devices on network
2. Signature based vs. Anomaly based
a. Signature based – compares packets against known malicious threats
b. Anomaly based – compares traffic against “normal” baseline
139
Discuss the limitations of using a signature based IDS system.
Cannot detect zero days, lag time between detection and implementation of signature, limited to signatures already deployed.
140
Discuss the limitations of using an anomaly based IDS system
Prone to false positives, based on the accuracy of the baseline.
141
Describe the following.
a. False Positive – Alert that turns out to be normal traffic
b. False Negative – Alert that was not seen but is actual malicious activity
142
State the difference between inline and span configurations.
a. Inline – filters/reads all information on network segment
b. Span – views all traffic being sent via span port. If device goes down, traffic still flows. Hawkeye sensors, passive.
143
Explain the difference between IDS and IPS
a. IDS – detects, passive, does not block
b. IPS – prevents, active, host/network/wireless/network behavior based, blocks
144
Explain the concept of “Defense in Depth”.
Defense in depth is the methodology of protect locally, defend globally - that as you move further down in the layers of security, you essentially harden that system to vulnerabilities.
145
Explain the function of an Intrusion Detection System and how its function differs from other network security devices.
Switches filter MAC addresses, Routers route based on IP address.
146
***Explain what type of networks are contained within the following enclaves.***
a. XNET –Legacy
b. IT21 – Ships
c. ONENET – Oversea Shore
d. BUMED – Medical Networks
147
***List the fleet NOCs and identify their geographic location***
a. UARNOC – Atlantic (Norfolk)
b. PRNOC – Pacific Rim (Hawaii)
c. ECRNOC – Europe Central Region (Naples)
d. IORNOC – Indian Ocean Region (Bahrain)
e. JRNOC – Japanese Region (Yokosuka)
148
Identify the Internet Registry associated with each of the following regions.
a. North America – ARIN
b. Europe – RIPE
c. Asia –APNIC
d. Latin America – LACNIC
e. Africa – AFNIC
149
Given packet capture data (PCAP) identify and describe the structure of the IP header, including the following fields.
a. Source port
b. Destination port
c. Data Field
a. IP header is 32 bits and includes Source IP, followed by Destination IP.
150
Describe the steps taken from when an event, such as malicious PDF file being detected is seen to when a CER is released
PDF Detected by IDS, IP Resolution, Alert Date/Time are annotated, Open-source research, Query system for sensor coverage, Netflow, Malware database, Request PCAP, Retrieve PCAP and perform forensic analysis, RFI complete, Add results to CER.
151
List the steps that are taken for NCDOC to block an emerging spear phishing campaign.
Depends on situation. User training/awareness and/or callback IP or Domain added to block list.
152
Describe the following:
a. Splunk: NCDOC SIEM
b. Hawkeye: NCDOC Tactical sensor (IDS).
c. Intrushield(McAfee)/Sourcefire: NCDOC IPS
d. JIRA: NCDOC report processing/tracking system.
153
***List and state the purpose of all report types generated by Current Intel (CI) Analysts.***
a. OCM- Operations Collection Management in JIRA. Every Internal and External report is analyzed and processed into
b. CERs- Cyber Event Reports, outline events and incidents on Navy networks
c. NCD Tickets- Navy CIRT Database, created and submitted to Incident Handling for Incidents and actionable events on Navy networks, record messages are generated and commands are notified.
154
Define and state the purpose of NTOC
Mission: To establish real-time global network awareness and threat characterization capabilities in order to forecast, alert, and attribute malicious activity and enable Computer Network Operations (CNO) in accordance with NSA/CSS authorities.
· Discover and report malicious behavior on networks of interest
· Monitor, characterize, and report network structures, changes, and configurations
· Analyze network intrusions and attribute activity to perpetrators
· Profile adversary computer network attacks and exploitations and assess threats
· Identify, enable and provide mitigation and response action options.
155
List 10 types of reports/alerts listed on the NTOC website.
a. Advisory
b. CAR
c. Email
d. IAD
e. ICD
f. Malware
g. PKI
h. DNS
i. MAR
j. PAR
156
How often is the NTOC webpage checked for reporting by Intel watch standers?
AT LEAST once per hour.
157
List 6 external agencies or branches from which Intel receives tippers or email reports.
a. USTRANSCOM
b. DEFENSE SECURITY SERVICE
c. CENTCOM
d. EUCOM
e. SOCOM
f. DEFENSE CYBER CRIME CENTER (DC3)
g. NCIS
h. PENTCIRT
i. US CERT
j. AFRICOM
k. ARMY CYBER/ACERT
l. USCYBERCOM
m. FAA
n. DISA
o. GNSC
p. COLS-NA
q. DEPARTMENT OF STATE
r. DEPARTMENT OF HOMELAND SECURITY
s. 1ST IO INTSUM
t. AUSTRALIAN DEFENSE FORCE CYBER INCIDENT REPORT (ADFCIRT)
u. CANADIAN FORCES NETWORK OPERATIONS CENTRE (CFNOC)
v. OFFICE SECRETARY OF DEFENSE (OSD)
w. NSA THREAT OPERATIONS CENTER (NTOC)
158
Define and state the purpose of a Cyber Alert (CA). Who directs a CA to be drafted?
A Cyber Alert will be issued to notify Navy commands of imminent or ongoing significant cyber threats with Navy-wide implications (several commands). Significant threats include but are not limited to:
a. Impending cyber-attacks against Navy/US govt networks.
b. Newly discovered adversary TTPs
c. Attacks targeting newly discovered or exploited vulnerabilities in Navy hardware, software or network components. (zero-days
159
What system is used to process reports? Describe the process used when processing the reports.
JIRA is used for report processing/tracking.
Create issue in JIRA: classification field, component (problem set), activity type, activity summary, and input all. Navy impact?? Commands involved?? Intel analysts note field (most important) be as detailed as indicators and submitted countermeasures possible to cut down rework of report. All numbers, indicators ran, actions taken etc.
160
Define the mission of N2 and how it supports the NCDOC mission.
Provide indications and warnings in support of NCDOC operations, and provide threat intelligence, staying “left of the boom”.
161
Discuss the two watch cells maintained by N2 and what the watch is responsible for in each cell.
The two watch cells are Current Intel and Fusion Intel. Fusion manages high side reporting and external RFIs, current Intel performs similar activity on SIPR.
162
What are the responsibilities of the Watch Lead?
a. Perform QC of Intelligence Watch products.
b. Receive pass down from the off going section.
c. Prepare brief slides.
d. Ensure proper training of UI watchstanders.
e. Ensure proper passing of information to the BWC and DCOWO.
163
Explain the purpose of contacting C10F N2 watchstanders regularly during the shift.
C10F maintains OPCON over NCDOC. By staying in contact with the watchstanders, we can maintain situational awareness on new activity. Also, prior to the CUB and OPS brief, it gives NCDOC’s CO a heads-up on any significant incidents not found by our Intel watch.
164
Describe the steps necessary to process a report.
Create issue in JIRA: classification field, component (problem set), activity type, activity summary, and input all. Navy impact?? Commands involved?? Intel analysts note field (most important) be as detailed as indicators and submitted countermeasures possible to cut down rework of report. All numbers, indicators ran, actions taken etc.
165
Explain the purpose of an External RFI (XRFI). Detail why the justification is critical. Provide one example.
To garner additional information or to request supplemental information on indicators within a specific report.
Submit for indicators, IDENTs (unmasking identity), follow up information.
166
Explain the types of data that is available on the NSAnet database.
NSAnet database contains reporting information, indicators, and actions that are logged on (similar to JIRA) NSAnet due to classification.
167
What types of reports should be processed on the NSAnet database.
Any report that cannot be logged on SIPR/JIRA due to the classification.
168
Define what the User Agent Search tool is used for and how it benefits the Intel Watch?
The User Agent search tool searches for specific user agents, found in PCAP headers. If a specific User agent is used (NOT generic such as firefox, chrom, IE), it can be quickly searched across the IDSs.
169
Define what Email Header Search is used for and how it benefits the Intel Watch.
This tool can search specific header information such as sender, recipient, subject, attachment/file name of specific emails. It is highly useful in detecting email phishing campaigns on Navy networks.
170
Define and describe the purpose of JIRA as an analyst tool.
JIRA is used for SIPR report processing. It allows analysts to track what reports have been completed, and document the indicators present and actions taken. This also allows for longer term analysis on adversary reporting, or for specific indicators.
171
Identify the current available data sources in JIRA.
The most common data sources in JIRA are CERs (Intel watch and Network Forensics), OCMs (Intel), and CRC (Countermeasure request Control).
172
Identify some of the benefits and limitations of using JIRA for analysis.
a. The benefits: long term analysis is possible, DCOWOs/BWCs can track analysts’ workflow, integration of watchfloor workflow (except IH NCDs).
b. Limitations: learning curve, JIRA can be overly complex for simple reports, can be difficult to search for specific items due to removal of SQL search capability (specific searches require highly technical JIRA experience)
173
Define and describe the purpose of Splunk as an analyst tool.
Splunk can quickly and easily search several data sources across multiple databases.
174
Identify the current available data sources in Splunk.
a. NIDS
b. Hawkeye: DNS, IPC, UserAgent, PKI, Portstats, Wolverine
c. NAVMED
d. Sentinel: HBSS, NMCI SIPR HBSS, Snort
e. Sourcefire
f. Strategic ACL
175
Identify some of the benefits and limitations of using Splunk for analysis.
Benefit: very easy to learn to use, searches can be very broad or very specific and still return results quickly.
Limits: Splunk isn’t real-time, it refreshes data periodically. The largest lag is seen with Hawkeye data. Difficult to see same-day activity.
176
Discuss the mission of OSRD in support of the Navy Cyber Operations Command (NCDOC) and its partners.
Conducts advanced internet-based research for DCO Indications & Warnings (I&W) in direct support of defense for Navy networks.
177
Where do OSR tasks originate from?
OSR Tasking can originate from anywhere, but primarily comes from the watch floor
178
Who are the customers of the OSRD?
OSR customers are primarily NCDOC, C10F, and FCC, U.S. Coast Guard.
179
Individually, describe what Internal and External Advisories are and who authorizes distribution outside of NCDOC.
a. Internal advisories are information that is beneficial to implementation of countermeasures at NCDOC, or for awareness of emerging threats.
b. External advisories are written on emerging threats that have a wide range of impact to the Fleet and other branches of the military. Release of external advisories is authorized by the N2 Department head, Deputy or a designated representative.
180
Explain why the OSR workstations do not have a hard drive.
OSR workstations do not have a hard drive to ensure they do not receive a persistent threat while navigating to malicious domains.
181
Explain what the OSRD OS is
The OSRD operating system is a customized version of Ubuntu designed to run out of RAM.
182
Explain what a non-attributable system is.
A non-attributable system is a computer that is unable to be tracked back to its source
183
Define the concepts of the following with regards to the McAfee NSM.
a. UDS – User Defined Signature (Signatures created by Countermeasures Personnel)
b. Vendor signature – (VDS) Signatures that are created and applied from the vendor (McAfee/Sourcefire)
c. Snort – another way to create signatures in the Manager. See limitations below.
184
Discuss the limitations of McAfee's implementation of Snort signatures.
a. NSM Provides limited snort rule capability. IP and Port variables are not available, and some pcre’s will completely break the managers and/or sensors.
185
Discuss what must be included when submitting a PCAP pull RFI.
a. IPs, Ports, timeframe, sensor that covers traffic.
186
Explain the procedures for Sentinel filter development:
a. Put in request for permanent filter.
b. For personal use, use Boolean logic with different variables to develop filter.
187
Define the concepts of the following with regards to testing custom Snort signatures against PCAP.
a. /home/ncdoc/scripts/snortreport: Provides a method to run custom snort rules against a timeframe of packet capture files on a sensor.
1. Includes files:
I. Snortreport.pl – perl script used to run custom rules.
II. Focused_default.conf – config for the snort report instance of snort.
III. Classification.config – allows alerts to be classified and prioritized.
IV. Focused.rules – rules to be tested.
b. /home/ncdoc/dev/test_rules: Proveds a method to test snort rules against user provided PCAP.
1. Includes files:
I. snort.conf – config for the testing instance of snort
II. classification.config – classifies and prioritizes alerts
III. test.rules – rules to be tested.
188
Discuss the requirements for placing an IDS signature into SIGTEST.
a. Add signature to ncdoc.rules and ncdoc-new.rules file and save in the location: P:\OperationsDirectorate\TANF\SCOUT\Hawkeye_Tactical_Sensors\Hawkeye_Admin\scripts\global_defaults\Change “LAST UPDATE OCCURRED ON” line with your initials and date.
b. Send out an Email before pushing out Signatures (send to IPS and CM distro)
c. Login to the Hawkeye (IDS) Manager and complete Signature addition
1. Open an SSH Client (Tunnelier)
2. Set the Host field to nhawkeye
3. Set the port field to 22
4. Sign in with personal account and password
5. Switch to NCDOC account
a. su ncdoc
b. Enter NCDOC password
6. For SIGTEST
a. Vi /home/ncdoc/manage/evt2pcap_v2.4.pl
b. Add the SID for the signature to the pipe separated list on the line beginning with “my $SIGSID_IGNORE”
c. Save and close the file.
d. Wait minimum of 24 hours.
e. Undo the above steps.
7. Secure FTP the ncdoc.rules file to /tmp on the Hawkeye IDS Manager.
a. Simply drag and drop the file from its location in “Local Files” (P:\Operations Directorate\TANF\SCOUT\Hawkeye_Tactical_Sensors\Hawkeye_Admin\scripts\global_defaults) to the /tmp folder in “Remote Files”.
b. If file already exists, go to the /tmp directory via cmd prompt and manually delete the existing copy of the file, then transfer the new one over.
8. Switch to NCDOC account on the command prompt.
a. Su – ncdoc
9. Change ownership of the rules files.
a. Sudo chown ncdoc:ncdoc /tmp/ncdoc.rules
10. Cd to /home/ncdoc/manage
11. Run the python script to populate the sid-msg.map file based off of the rules file, test the ncdoc.rules and sid-msg.map files for validity, move them into the /home/ncdoc/scripts/global_defaults directory, SCP both files to each sensor, and update the running rules config. The script will copy the updated rules and map files to the /etc/snort/external directory that is up, change the file ownership, and restart the running instance of Snort and barnyard2.
a. Python update_snort_rules.py –parallel –up –sensor all –osversion 5
12. Now we have to do it for the new version of snort.
13. Use the SFTP clinet to transfer the ncdoc-new.rules file to /tmp on the manager.
14. Rename the file ncdoc-new.rules to ncdoc.rules
a. Sudo mv /tmp/ncdoc-new.rules /tmp/ncdoc.rules
15. Change the ownership of the file
a. Sudo chown ncdoc:ncdoc /tmp/ncdoc.rules
b. Verify you are in /home/ncdoc/manage directory
16. Run the python script to populate the sid-msg.map file based off of the rules file, test the ncdoc.rules and sid-msg.map files for validity, move them into the /home/ncdoc/scripts/global_defaults directory, SCP both files to each sensor, and update the running rules config. The script will copy the updated rules and map files to the /etc/snort/external directory that is up, change the file ownership, and restart the running instance of Snort and barnyard2.
a. Python update_snort_rules.py –parallel –up –sensor all –osversion 6
17. After completing the update, monitor the sensor status page for “DOWN” IDS feeds.
18. If you applied a SIGTEST signature, go back after 24 hours and remove the SID from /home/ncdoc/manage/evt2pcap_v2.4.pl on the manager to enable PCAP capture.
189
Discuss how frequently an IP Block or DNS Black Hole Update Message is released.
Every Thursday.
190
Discuss what must be done when processing an IP/domain name unblock request.
Check with intel to see if IP or domain is still in use, check to see if the IP/domain has been blocked recently and for valid reasoning. Verify the domain no longer poses a threat to Navy Networks.
191
Identify the primary managers of the IP/DNS Block List .
Mrs. Zita Beck
192
Discuss what must be done if block/unblock request is denied
Document appropriate reasoning as to why.
193
Discuss what must be done before making any changes to the strategic sensor grid.
Documentation. Export signature set to appropriate file directory, send email to IPS team requesting permission to push signature set. Wait for response from IPS team, notify BWC of the push about to occur so he/she can send an email out to the NOCs. As soon as you receive email from IPS team granting permission, and BWC has sent out the email to the NOCS, you can push the new signature set.
194
Explain how to verify that a signature on the strategic sensor grid is set to block.
Pull up the NSM. Select the Policy tab. Select “IPS Policies” on the left hand side. Then select “Default Inline IPS” in the center of the screen and click “View/Edit”. Policy Editor will pop up, then you can search for specific signature. If a shield displays in the “Responses” tab, then the signature is set to block.
195
Outline the procedures for using the 'configuration update' tab after creating new signature on the strategic sensor grid.
Obsolete.
196
Discuss when access to wolverine/Email Header Search is authorized as well as the procedures for granting this access.
As soon as you qualify Countermeasures you are allowed access to Wolverine. You will be granted admin privileges in Hawkeye, where you can edit and add users. There, you can select a user and give them permissions to Wolverine.
197
Discuss what must be done when the Hawkeye Sensor Status page reflect that an IDS is down.
a. The only thing CM personnel are permitted to do is restart the IDS.
b. The following is the steps for that process.
c. Login to Hawkeye Manager
d. Ssh into appropriate sensor
e. Search for a running instance of snort and barnyard
Ps –elf | grep snort
f. If either are not running, run the following script to update the rules configuration (this will also restart snort and barnyard)
Sudo ./scripts/snort_update.sh
g. Search again for running instances of snort and barnyard.
h. If still down, search /var/log/messages file for rule errors.
Sudo grep –I fatal /var/log/messages
i. Correct lines with errors if any are found.
j. Document all work.
