Book: CH 1

Question 1

Assessment Methodology:

PTES

Penetration Testing Execution Standard

Answer 1

• Built around expectations of the attacker’s actions / how they operate

Question 2

Assessment Methodology:

OSSTMM

Open Source Security Testing Methodology Manual

Answer 2

• Built around expectations of the attacker’s actions / how they operate

Question 3

Security Testing Methodology:

Cyber Kill Chain

Answer 3

• Military concept of the structure of an attack
• Identify where the attacker is in their process so you can adapt your own response tactics.

Lockheed Martin adapted the military concept to the info security space

Question 4

Security Testing Methodology:

Attack Life Cycle

Answer 4

• Describes exactly how attackers have operated since the attacks started against computing infrastructure
• Rather than a theoretical exercise / military focus
• Recognizes that usually an attack is not 1-and-done, there is a loop that happens in the middle
• They use the compromised systems to launch additional attacks within the environment
• These attacks don’t happen quickly, it can take days or weeks to move to each of the phases
• These are usually organizations NOT individuals

Question 5

List The Phases of
The Cyber Kill Chain

(7 Phases)

aka: Phases of the Intrusion Kill Chain

Answer 5

Question 6

Phases of The Cyber Kill Chain:

Phase 1:
Reconnaissance

Answer 6

Identify target and potential points of attack

Question 7

Phases of The Cyber Kill Chain:

Phase 2:
Weaponization

Answer 7

• May create a custom piece of malware that is specific to the target
• May use common off-the-shelf (COTS) malware too

Question 8

Phases of The Cyber Kill Chain:

Phase 3: Delivery

Answer 8

How you get the weapon

Question 9

Phases of The Cyber Kill Chain:

Phase 4: Exploitation

Answer 9

• Could be when the mailicious software infects the victim’s system

Exploitation leads to installation

Question 10

Phases of The Cyber Kill Chain:

Phase 5: Installation

Answer 10

• The attacker will install additional software to maintain access to the system
• May setup remote access

Question 11

Phases of The Cyber Kill Chain:

Phase 6: Command & Control

Answer 11

• Gives attackers remote access to the infected system
• May involve additional software installation or sending directives to infected system

Also Seen As: C2 or C&C

Question 12

Phases of The Cyber Kill Chain:

Phase 7: Actions on Objective

Answer 12

• Attackers have goal objectives they are trying to achieve
• The attacker may try to get info or make the system perform actions (Example: DoS)

The attacker won’t stop until they achieve their objectives, so there’s a lot of activity in this phase

Question 13

Phases of The Attack Life Cycle:

Phase 2: Initial Compromise

Answer 13

Usually launches Phishing Attacks to gain access

Question 13

Phases of
Attack Life Cycle

Answer 13

Question 13

Phases of The Attack Life Cycle:

Phase 1: Initial Recon

Answer 13

Identifies victim and potential attack possibilities using open source intelligence and public sources

Example: social media

Question 14

Phases of The Attack Life Cycle:

Phase 3: Establish a Foothold

Answer 14

Once the system is compromised, make sure to retain access to get back in when needed

Question 15

Phases of The Attack Life Cycle:

Phase 4: Escalate Privileges

Answer 15

• Attacker needs admin privileges to move into the loop that happens
• as they keep moving & gathering additional systems and credentials

Question 16

Phases of The Attack Life Cycle:

Phase 5: Internal Recon

Answer 16

• Investigating connections within the system and with other systems in the network
• Trying to identify other credentials that are known in the system

Question 17

Phases of The Attack Life Cycle:

Phase 6: Move Laterally

Answer 17

• aka: East-West movement
• Attackers need to know what systems there are: servers, workstations

Question 18

Phases of The Attack Life Cycle:

Phase 7: Maintain Presence

Answer 18

• With every system the attacker gets access to, they need to maintain it
• Any malware that is allowing access needs to remain running

Question 19

Phases of The Attack Life Cycle:

Phase 8: Complete Mission

Answer 19

• Where data may be exfilitrated from the environment
• May not be a 1 time thing, they may continue to find additional targets in the environment

Question 20

Security Testing Methodology:

MITRE ATT&CK Framework

Answer 20

• Is a taxonomy of TTPs (techniques, tactics & procedures)
• Real world TTPs organized into categories
• Continually updates, no step-by-step instructions, only high-level descriptions of activities

Question 21

Stages of The
ATT&CK Framework

Answer 21

1. Reconnaissance
2. Resource Development
3. Initial Access
4. Execution
5. Persistence
6. Privilege Escalation
7. Defense Evasion
8. Credential Access
9. Discovery
10. Lateral Movement
11. Collection
12. Command & Control
13. Exfiltration
14. Impact

Question 22

Stages of The ATT&CK Framework:

Question 23

Methodology of Ethical Hacking

Answer 23

* Reproduce what real-life attackers would do * Info Security is not just protection or prevention. You need to be able to detect all of these attacker activities

Question 24

# **Ethical Hacking Methodology:** Reconnaissance & Footprinting

Answer 24

**Determine the size and scope of your test** * **Reconnaissance** - gather info about your target to understand the scope up front to help you narrow your actions so you don't do anything unethical * **Footprinting** - understanding the org's footprint by identifying network blocks, hosts, locations & people

Question 25

# **Ethical Hacking Methodology:** Gaining Access

Answer 25

* Many consider this to be the most important / interesting part of a pen test * Demonstrating where some services are potentially vulnerable by exploiting the service

Question 26

# **Ethical Hacking Methodology:** Scanning & Enumeration

Answer 26

* After network blocks are identified, you want to identify systems that are accessible within those network blocks * Identify services running on any available host, these will be used as entry points. * Exposed network services: list of all open ports and identify service & software running behind each open port * The more info gathered here the easier the next stage will be

Question 27

# **Ethical Hacking Methodology:** Maintaining Access

Answer 27

* Emulating common attack patterns * May need to install a rootkit, which gives backdoor access and obscure you actions and existence on the system. * **Persistence** - install software that reaches out to systems on the internet because inbound access is often blocked by a firewall. Outbound access is often allowed from the inside of a network in a completely unrestricted manner

Question 28

# **Ethical Hacking Methodology:** Covering Tracks

Answer 28

* Hide/delete all evidence of your access and continued access * Malware can ensure that your actions aren't logged or can misreport info to the system * Sometimes your actions to cover your tracks can leave evidence of your actions