Continuous Monitoring Flashcards

(92 cards)

1
Q

A hunt team finds the following in a large TXT record on their recursive DNS server. This is a sign of which type of compromise?

Da3KdlPgmUait{.-VBcRgvkD7f7s0?W#7,6LO/22Ba2ax74[VC)U0-,A#qmslQp3D7tw”52X[w/z?9M{r-ow7s{h/1xlrEl9KfOL5-fy”Rm]@x!FLUHLT\wPXFeH0km/8slCqj-yz\;Mme:a}”!DPum6Ag2DgvGE-B2[#’q’-D1st(/TQ}F&*“gp!-@n)CwH9rLsdDbxU#CmgebhibHx1q”ULe0h38MDJ&8XrEQf&wn&ySe{wA,5qdQ]C0KvnfKz-HIZ}le8G2j]swISKGhTKP;0k?:,-m6JU2)WKGt7:uVi(d#_7sx)H

A

An internal host is part of a botnet

( Explanation )

The Zeus botnet took advantage of the fact that most outbound DNS requests are allowed through perimeter defenses and are rarely inspected. The botnet carried its C2 (command and control) traffic as non-human-readable (gibberish) data in large TXT queries and responses. Legitimate long TXT records do exist (SPF, DKIM and DMARC policies, domain-verification tokens), so size alone is a weak indicator; the combination of length, high entropy and a steady volume of queries to an unfamiliar domain is what the hunt team should key on.

2
Q

What can mitigate the risks of deploying patches?

A

A method for rolling back changes

Patch testing often means pushing installs to less critical production systems first and waiting a set period for notification of catastrophic failure; barring notification, deployment continues. In addition to testing the patches, organizations need to be able to recover quickly from unintended damage by backing out the patch, so a tested rollback method (snapshots, uninstallers, configuration management) is the key mitigation.

3
Q

What is a critical element of an NSM report that will be reviewed by a corporate board?

A

A short executive summary

4
Q

Which of the following tools would produce this type of output in a command-line terminal?

293 278.051467000 192.168.80.151 -> 192.168.80.145 TELNET 140 Telnet Data …

294 278.051480000 192.168.80.145 -> 192.168.80.151 TELNET 69 Telnet Data …

295 278.092498000 192.168.80.151 -> 192.168.80.145 TCP 66 telnet > 51029 [ACK] Seq=129 Ack=168 Win=15552 Len=0 TSval=85414173 TSecr=19626250

296 278.137446000 192.168.80.151 -> 192.168.80.145 TELNET 67 Telnet Data …[Malformed Packet]

A

Tshark

TShark is the command-line counterpart of Wireshark. The frame number, relative time, source and destination, protocol, frame length and info column shown above are its default one-line-per-packet output.

5
Q

When tasked with reviewing IDS alerts, what information should be kept in mind regarding the context of the data?

A

The only information available could be the packet that caused the alert

IDS alerts often retain the packet that caused the alert but not the traffic that follows, which makes reconstruction of the attack difficult without additional sources of data such as full packet capture or flow records.

6
Q

How does a browser verify a server’s X.509 certificate?

A

Matching the certificate’s signature contents hash to the hash provided by the CA

The browser computes a hash over the certificate's signed contents (the tbsCertificate structure). It then uses the signing CA's public key to verify the digital signature the CA produced over that hash (for RSA this is often described as "decrypting" the signature to reveal the CA's hash). If the hashes match, the certificate has not been altered (integrity) and it was really signed by that CA (authenticity). The browser must additionally check that the CA is in its trust store, that the certificate is within its validity period and not revoked, and that the subject name matches the host being visited; the signature check alone proves none of that.

A CertificateVerify message is used in situations where both the server and the client are required to present certificates, and it verifies the client's certificate. The certificate's serial number is one of several fields covered by the hash; by itself it cannot serve as verification because it too could be falsified. A browser can never use the CA's private key for any purpose, because only the CA has access to it.

7
Q

Which attack vector are VACLs best-suited to detect?

A

Internal pivoting

VACLs (VLAN ACLs) provide basic firewall capabilities on layer-2 devices and can be a significant benefit in detecting (and preventing) internal pivoting by an attacker, because they filter traffic between and within VLANs that never crosses the perimeter firewall. Given their basic capabilities, VACLs do not provide significant benefits towards detecting SQLi, rogue WAPs, or data exfiltration.

8
Q

Which of the following is a primary focus of threat intelligence?

A

Adversaries

Threat intelligence is the practice of seeking to understand various threat actors (adversaries) and their typical TTPs.

9
Q

An analyst is researching the tactics, techniques, and procedures (TTPs) of those who may be targeting their organization. The analyst is practicing which of the following?

A

Threat intelligence

Threat Intelligence is the practice of seeking to understand various threat actors and their typical TTPs.

10
Q

Analyze the screenshot below. How should this data be correlated to get a list of unknown devices or services?

A

Hardware and software inventory

The PRADS log is CSV (comma separated values), so it can be opened directly in a spreadsheet, which is quite handy. Correlating it against the hardware and software inventory shows which observed devices and services are unknown.

11
Q

Which of the following features is provided by the free version of VirusTotal?

A

Checks to see if a website has a reputation for hosting malware

Though VirusTotal is primarily known simply for file analysis with respect to Antivirus, it has more capabilities than just that. One of the most important additional features is the URL scanning functionality.

12
Q

An attacker has performed reconnaissance against your organization and populated a text file with words associated with your company (see image). Which of the following is their most likely objective?

A

Discover web hosts via brute force

A recon wordlist feeds tools such as dnsrecon for brute-force host discovery: each word is prepended to the target domain and resolved, revealing hosts that are not discoverable any other way. A recon wordlist is not associated with a DDoS attack or a DNS zone transfer.

13
Q

Specific to NIDS; which of the following examples describes the technique of detecting malicious activity using analysis driven methodology?

A

Revealing an unusual user-agent and associated URI

( Explanation )
Revealing unusual user-agents / URIs is contextual in nature and requires an analysis driven methodology. Matching hash values and directional rules rely on signature matching (blacklisting). Port scan discovery can be based on signature matching as well as anomaly based detection methods.

14
Q

What guideline recommended that patches be deployed less than 48 hours after their release?

A

CIS Critical Security Controls v5

The CIS Critical Security Controls version 5 recommended that patches be deployed within 48 hours of release. This metric was typically met with denial and disagreement, and rarely reached acceptance. Neither CSC version 6 nor NIST SP 800-40 gives a specific time between release and deployment. NIST SP 800-53 is the control catalogue used with the Risk Management Framework and does not contain patch deployment metrics.

15
Q

Which of the following statements provides the cornerstone for designing a modern defensible network?

A

Compromise is inevitable

A modern cyber defense principle is the “presumption of compromise”; this means that, while prevention is important, detection is a must, detection must be proactive (e.g. hunt teams), and response is a regular occurrence.

16
Q

According to the “threat intelligence” model of risk calculation, what should be the primary factor in deciding which risks to remediate?

A

Whether a vulnerability can be easily exploited

In recent years, enterprise information/cyber security has pivoted towards a greater emphasis on threats. The emphasis is not to the exclusion of vulnerabilities, but it is fueled by the understanding that offense can and should inform defense. Which vulnerabilities should be prioritized, the ways in which they can be exploited, and the likelihood that capable adversaries will do so are all best informed by threat intelligence.

17
Q

What tool could allow an attacker to remotely run an application on a host without pre-installing an agent or having physical access to the target?

A

PsExec

PsExec (Sysinternals) is designed to meet exactly this need, although its intended purpose is administrative rather than malicious. It requires credentials with administrative rights on the target and SMB access to the ADMIN$ share, which is why PsExec activity from unexpected source hosts is a high-value detect. Wevtutil is the command-line interface to the Windows event logs. AutoPlay could launch an application on a host only if it is enabled and a person has physical access (e.g. via a USB flash drive). Auditpol is the command-line interface for managing and reviewing which audit categories (and thus which Event IDs) are logged.

18
Q

Based on the highlighted data in the screenshot, what type of file would an analyst carve out of the original raw data?

A

An executable file

This shows the process of manually carving files from raw data exported from a pcap. The key to this image is the MZ shown in the ASCII pane of the Bless hex editor; MZ is the "magic number" of the DOS header that begins every Windows executable (the 4-byte value at offset 0x3C, e_lfanew, points to the PE signature that confirms it). The analyst should save the file with an .exe extension and proceed with further analysis (e.g. run it through an AV tool or a sandbox).

19
Q

An administrator has enabled critical event logging on Windows 8.1 hosts. Which event will be logged in the hosts’ security event log?

A

The audit log was cleared

With the default audit policy, clearing the Security log generates Event ID 1102 (The audit log was cleared). The effective policy can be verified with auditpol.exe /get /category:*

20
Q

At which of the locations shown would a DMZ network TAP be placed?

A

A DMZ network tap would be placed at the entry/exit point of the DMZ

21
Q

A SCAP-validated vulnerability scanner must provide which feature?

A

CVE references

SCAP-validated scanners will provide CVE and CCE information for code-based and configuration-based vulnerabilities, respectively.

22
Q

Analyze the screenshot below. What will the system administrator detect?

A

Executables set to run at startup

Many malicious techniques and types of malware use Microsoft's 32-bit compatibility layer (SysWOW64) on 64-bit victim systems. Ironically, this often helps them hide from typical incident handling or forensic procedures, which fail to look in the right places (e.g. the Wow6432Node registry view and the SysWOW64 directory).

23
Q

During a TCP SYN scan of the network, how would an open port respond?

A

SYN/ACK

An open port would send a SYN/ACK response to a received SYN.

24
Q

What is the most commonly exploited security weakness?

A

Unpatched flaws

Unpatched flaws are the most commonly exploited security weakness.

25
Q

Which of the following devices or applications is the most appropriate for configuring application whitelisting?

A

Host-based Intrusion Prevention System

Another significant source of valuable detects, application whitelisting, can be handled by a host IPS. Network IDS, OS firewalls, and NAC do not provide this functionality.
26
Q

Within the framework of modern cyber defense, for which of the following does a hunt team search?

A

Evidence of compromise that might already exist

An additional aspect of reorienting our organizations to be more focused on detection is the establishment of hunt teams. The idea is to have a team separate from the traditional analysts. The primary purpose of this new class of analysts, the hunt team, is to go looking for evidence of compromise that might already exist. Rather than waiting passively and hoping a sensor/log is suitably positioned and tuned to throw an alert, the hunt team goes looking for the compromise in the first place.
27
Q

What limitation does the PcapNg format present?

A

The lack of tools able to natively interpret the data

PcapNg is the "next generation" pcap format. It is the native format of Wireshark, but many other tools do not handle it. PcapNg uniquely records the packet drop count, capture interface and direction. The snaplength "limitation" is specific to tcpdump and is trivially overcome with the -s0 switch.
28
Q

Analyze the diagram below. Which method would have detected this communication channel? For the purposes of the diagram, OUTBOUND is toward the Internet (left) and INBOUND is toward the internal network (right).

A

An IDS rule focused on encrypted traffic without a certificate exchange

Monitoring outbound traffic for the TLS certificate exchange would have detected either unencrypted traffic over 443/TCP or traffic that was encrypted with no prior certificate negotiation.
29
Q

Of the choices offered, which would be the most effective method for a forward proxy to block PDF files from being downloaded to client workstations?

A

Block if "Content-Type: application/pdf" is present in the HTTP header

Beyond blocking by URL and website category, another approach to web content filtering is to block based on the MIME type carried in the response's Content-Type header.
30
Q

If a solution is implemented to detect Domain Generation Algorithms and prevent the result of their use, which is most likely to need whitelisting?

A

Content Delivery Network domain names

For resiliency, malware often has an algorithmic way to determine future DNS host names without having to carry a fully prepopulated, hardcoded list. These algorithms are referred to as Domain Generation Algorithms (DGAs). One approach to combatting DGAs is entropy analysis of domain name requests, in which randomly generated strings are identified and blocked. Many Content Delivery Networks use high-entropy host names that would be flagged, disrupting access to legitimate sites; consequently, CDNs must be whitelisted. Fast flux domains are a primary target of DGA analysis. Domain servers' security weaknesses are not addressed by DGA analysis. Hijacked domain names are not modified, so if DGA analysis did not identify them before the hijack it will not identify them after it.
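The entropy check described above, as an added example (this is not code from the original page or from any product): it scores a DNS TXT record the way the hunt team in card 1 would, and a queried host name the way a DGA detector would, with the CDN allow-list this card says is needed. The thresholds, the CDN suffixes, the benign TXT prefixes and the sample records are all assumptions or constructed inputs.

```python
import math
from collections import Counter

# Assumed allow-list of CDN zones whose host names are legitimately high-entropy.
CDN_SUFFIXES = ("cloudfront.net", "akamaiedge.net", "edgekey.net", "cloudflare.net")

# TXT prefixes that are long and high-entropy by design (SPF/DKIM/DMARC), assumed benign.
BENIGN_TXT_PREFIXES = ("v=spf1", "v=dkim1", "v=dmarc1")

# Constructed stand-in for the gibberish TXT payload in card 1: 240 printable
# characters cycling deterministically through all 94 printable ASCII values.
GIBBERISH_TXT = "".join(chr(33 + (i * 23) % 94) for i in range(240))


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def suspicious_txt(record: str, min_len: int = 200, min_entropy: float = 4.5) -> bool:
    """Flag a TXT record that is both long and high-entropy, unlike SPF/DKIM/DMARC text."""
    if record.lower().startswith(BENIGN_TXT_PREFIXES):
        return False
    return len(record) >= min_len and shannon_entropy(record) >= min_entropy


def is_whitelisted_cdn(fqdn: str) -> bool:
    """True when fqdn is a CDN zone from the assumed allow-list or a host inside one."""
    host = fqdn.rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in CDN_SUFFIXES)


def classify_domain(fqdn: str, min_len: int = 10, min_entropy: float = 3.5) -> str:
    """Return 'whitelisted-cdn', 'dga-candidate' or 'ok' for a queried name.

    Every label except the TLD is scored (assumption: a single-label public
    suffix; a real deployment should use the Public Suffix List), because a
    DGA randomises the registered domain while a CDN randomises the host label.
    """
    if is_whitelisted_cdn(fqdn):
        return "whitelisted-cdn"
    for label in fqdn.rstrip(".").lower().split(".")[:-1]:
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            return "dga-candidate"
    return "ok"
```

The non-whitelisted CDN-style name below (d3k2f9a1b7c6e5.example.net) is flagged exactly as a DGA name would be, which is the false positive the card describes; only the allow-list separates the two.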
31
Q

Analyze the network flow visualization shown. What is the first step in investigating this situation?

A

Investigate what typical flows are for these hosts

Occurrences on the network that appear atypical should be compared to a baseline to determine whether they are in fact normal.
32
Q

A security analyst places a test record in an important production database. How can this help security?

A

IDS signatures can be written to detect that record leaving the network

HoneyShares/HoneyFiles (and here a honey record) are shares, files or records meant to entice the adversary, closely monitored and alerted on for any access. Because the planted record's value is known and appears nowhere else, an IDS content match for it on egress traffic detects exfiltration of the table.
33
Q

Which of the following scenarios would be prevented by a tuned Host Intrusion Prevention System installed on a user workstation?

A

Adobe Acrobat creating new registry entries

An installed program creating new registry entries is the most likely to trigger a HIPS prevention action: it is an unexpected event that the program would not ordinarily perform. HIPS does help prevent (or log) connection attempts, like an attacker's pivot, but not if such attempts have been allowed for connections from trusted sources or network segments. Opening a new Word file containing macros should be expected to trigger a HIPS response, but reopening the file would be an allowed routine action; tuning the HIPS to allow it keeps routine business activity flowing. DNS requests are likewise allowed routine actions.
34
Q

When building a ruleset for the firewall, what rules should we be sure to include?

A

The block rules from the perimeter router

The stateful-inspection firewall should double-check all the filtering done by the border router, so that a misconfiguration or compromise of the router does not silently remove the filter.
35
Q

The image provided shows an entire conversation. What should the analyst conclude from the conversation?

A

The SSL handshake was skipped

This is unencrypted C2 traffic passed over port 443. In normal SSL/TLS traffic, immediately after the three-way handshake the client issues a Client Hello to begin negotiating encryption. In this case the first transmission (frame 14) performs a POST in clear text instead of the Client Hello. Frames 14 and 15 are in the correct order. There is no indication of any file transfer, nor of an X.509 certificate (because the certificate negotiation was skipped).
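The detection logic behind cards 28 and 35, as an added example (not code from the original page or from any IDS): the first bytes a client sends after the TCP handshake are classified as a TLS ClientHello, cleartext HTTP, or neither, and every flow to 443/TCP that does not start with a ClientHello is alerted on. The sample payloads and flow records are constructed, not captured traffic, and the addresses are documentation ranges.

```python
import struct

TLS_HANDSHAKE = 0x16       # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01    # handshake message type: ClientHello
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def classify_first_client_bytes(payload: bytes) -> str:
    """Classify the first bytes a client sends after the TCP three-way handshake.

    A legitimate HTTPS client starts with a TLS record (type 0x16, version 0x03xx,
    a plausible length) wrapping a ClientHello. The C2 in card 35 starts with an
    HTTP POST in the clear. A custom encrypted protocol (card 28) looks like neither.
    """
    if len(payload) >= 6:
        ctype, major, minor = payload[0], payload[1], payload[2]
        rec_len = struct.unpack("!H", payload[3:5])[0]
        if (ctype == TLS_HANDSHAKE and major == 0x03 and minor <= 0x04
                and 0 < rec_len <= 0x4000 and payload[5] == TLS_CLIENT_HELLO):
            return "tls-client-hello"
    if payload.startswith(HTTP_METHODS):
        return "cleartext-http"
    return "unknown"


def flag_port_443_flows(flows):
    """Alert strings for flows to 443/TCP whose first client payload is not a TLS ClientHello."""
    alerts = []
    for f in flows:
        if f["dport"] != 443:
            continue
        verdict = classify_first_client_bytes(f["first_client_payload"])
        if verdict != "tls-client-hello":
            alerts.append(f"{f['src']} -> {f['dst']}:443 {verdict}")
    return alerts


# Constructed sample payloads. A TLS 1.0 record (len 45) wrapping a minimal
# ClientHello: type 1, len 41, client version 3.3, 32-byte random, no session id,
# one cipher suite (0x002f), null compression.
SAMPLE_CLIENT_HELLO = (b"\x16\x03\x01\x00\x2d" + b"\x01\x00\x00\x29" + b"\x03\x03"
                       + b"\x00" * 32 + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00")
SAMPLE_CLEARTEXT_POST = b"POST /gate.php HTTP/1.1\r\nHost: 203.0.113.10\r\nContent-Length: 64\r\n\r\n"
SAMPLE_OPAQUE = b"\x8f\x42\xa1\x09\x77\xc3\x1e\x55\xd0\x1b"

SAMPLE_FLOWS = [
    {"src": "10.1.1.20", "dst": "198.51.100.7", "dport": 443, "first_client_payload": SAMPLE_CLIENT_HELLO},
    {"src": "10.1.1.21", "dst": "203.0.113.10", "dport": 443, "first_client_payload": SAMPLE_CLEARTEXT_POST},
    {"src": "10.1.1.22", "dst": "203.0.113.11", "dport": 443, "first_client_payload": SAMPLE_OPAQUE},
    {"src": "10.1.1.23", "dst": "198.51.100.8", "dport": 80, "first_client_payload": b"GET / HTTP/1.1\r\n"},
]
```

Only the first client record is examined, which is what keeps this cheap enough to run on every 443/TCP flow; a sensor with full content could go on to confirm that a Certificate message actually follows the ServerHello.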
36
Q

Which of the following can be used to verify if a particular stream of traffic contains allowed application data?

A

OpenAppID

A recent development in the application inspection/identification space is OpenAppID, released by Sourcefire/Cisco at RSA 2014. The project provides an open source framework (within Snort) for identifying particular applications regardless of the port in use.
37
Q

How does a SIEM device help an organization's security posture?

A

By providing analysts with a tool to escalate from detection to response

A SIEM improves an organization's ability to correlate and manage data collected from multiple sensors. This in turn improves the organization's ability to actually analyze, detect, and respond to significant events.
38
Q

Analyze the screenshot. What conclusion can be drawn from the data shown?

A

The accounts 'backup' and 'sink' are both root accounts

Accounts that share a UID in Linux/Unix are the same account under different names, because the kernel enforces ownership and permissions on the numeric UID, not on the user name. Here 'backup' and 'sink' both have UID 0, so they are root accounts; a password that works for either grants root.
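The check above, as an added example (not code from the original page): it parses passwd-format lines and reports every name that shares UID 0 with root, every UID shared by more than one account, and any entry still carrying a password hash in the passwd file itself. The passwd content is constructed to match the card's 'backup' and 'sink' case.

```python
from collections import defaultdict

# Constructed /etc/passwd content (not from a real system): 'backup' and 'sink'
# have been given UID 0, 'sink' also has a hash left in the second field.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:34:backup:/var/backups:/bin/bash
sink:$6$salt$hashhashhash:0:0:sink:/var/tmp:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""


def parse_passwd(text: str):
    """Return a list of dicts, one per passwd entry; malformed lines raise ValueError."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def accounts_by_uid(entries):
    """Map each UID to the list of account names that carry it."""
    by_uid = defaultdict(list)
    for e in entries:
        by_uid[e["uid"]].append(e["name"])
    return dict(by_uid)


def uid0_aliases(entries):
    """Names other than 'root' whose UID is 0, i.e. additional root accounts."""
    return sorted(n for n in accounts_by_uid(entries).get(0, []) if n != "root")


def shared_uids(entries):
    """UIDs carried by more than one account name."""
    return {uid: names for uid, names in accounts_by_uid(entries).items() if len(names) > 1}


def hashes_in_passwd(entries):
    """Accounts whose password field holds something other than the shadow placeholder."""
    return sorted(e["name"] for e in entries if e["pw"] not in ("x", "*", "!", ""))
```

On a live system the same functions run over open("/etc/passwd").read(); the UID-0 alias list should be empty, and a non-empty result is worth an alert in its own right rather than a line in a weekly report.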
39
Q

Which user privilege can decrypt the data referenced in the image?

A

Debug programs

The image shows LSA secrets in the Windows registry (HKLM\SECURITY\Policy\Secrets). LSA secrets facilitate non-interactive authentication for service accounts by storing the encrypted password(s) in the registry; specifically, these are the passwords of services configured to run as domain or local user accounts rather than as Local System, Network Service or Local Service. Any account holding the 'Debug programs' user right (SeDebugPrivilege) can access and decrypt them.
40
Q

A team managing a large deployment of Windows 2012R2 servers desires to implement application whitelisting but is prohibited from moving forward with that objective at this time. What tool could they immediately leverage to provide basic application-based alerting?

A

Sysmon

Microsoft's Sysinternals Sysmon is a free tool that logs process creation (with hashes and command lines) and more, giving application-based alerting without enforcement. EMET back-ports newer security controls (e.g. ASLR, DEP and ROP mitigations) to legacy Microsoft OSes such as XP and includes protections for some third-party apps, specifically Java and Adobe Acrobat. WSUS is a Microsoft provided patching console. SCCM is a Microsoft tool that can be used to push third-party patches.
41
Q

Which is a strength of the Windows Firewall with Advanced Security (WFAS) in its default configuration?

A

Ability to manage the local clients through GPO

A strength of WFAS in its default configuration is that its settings can be centrally managed via group policy. WFAS does not provide centralized logging, logging is disabled by default, and outbound filtering is turned off by default.
42
Q

___________ releases an annual Cost of a Breach report that allows the cost of a breach to be estimated based on multiple factors such as industry or location.

A

Ponemon Institute
43
Q

Which of the following is an example of a preventive control?

A

Segmenting a network into VLANs according to trust level

Detective controls monitor a network or host for an adverse event and alert; preventive controls seek to stop the adverse event from occurring.
44
Q

Study the image. Which NSM data source type was carved from the packet capture?

A

Transaction

Transaction data is flow data plus a summary of the application-layer exchange, such as the HTTP request line (GET /path), response code and server header, but not the full payload. Alert data is composed of IDS alerts. Flow data is summary data showing socket pairs, protocol and bytes transferred (think NetFlow). Statistical data is a numeric analysis of network traffic. String data is a sequence of printable characters, typically extracted from pcaps with a tool like ngrep.
45
Q

How are the majority of compromises initially discovered?

A

Third party notification

70% of initial discoveries are reported by third parties.
46
Q

An analyst wants to discover new hosts on a specific, internal, IP range where the known systems are out-of-scope of any scanning. Which tool should they consider?

A

PRADS

Of the tools listed, PRADS is the only truly passive tool. Nmap, the Nmap Scripting Engine (NSE) and WhatsUp offer options to be less intrusive, but they are active scanners at their core. Passive discovery is far safer than active scanning: it relies on pcap files or sniffing a live network, and read-only access is all that is required.
47
Q

What is a recommended practice to follow when performing active scanning?

A

Test scans before running on production systems

Always test scans before running them against production systems. If available, it is much safer to scan development systems first. Ensure all active scanning occurs during an approved maintenance window. Begin by scanning a limited number of systems and gradually increase the scope.
48
Q

Which of the following objectives is a border router able to achieve?

A

Detect persistent connections over HTTP

A border router can routinely provide insight into persistent connections (e.g. via NetFlow). Detecting anomalous traffic on common ports such as HTTP, SMTP or SSL is unlikely, because routers do not typically inspect packets at the application layer where that anomalous behavior would be visible. For the same reason, the router's lack of layer 7 visibility prevents it from detecting or preventing client-side attacks.
49
Q

How can defenders identify potentially malicious outbound HTTPS traffic?

A

Track anomalies in the issuer fields of X.509 certs

Many types of malware use public key certificates (X.509) but skimp on the details. Legitimate sites populate the Organization (O) and Country (C) fields of the subject and issuer, whereas malware often leaves them empty or filled with defaults; self-signed certificates whose issuer equals the subject are another cheap tell.
50
Q

Analyze the screenshot. What is unusual about the communication stream?

A

Server returns a binary when sent a parameter to a PHP file

The server returns an executable (MZ header) in response to a GET for a PHP script with a query parameter, which is not how legitimate sites deliver downloads. The combination of the host name, the GET string and the executable body indicates that this is likely a malicious communication stream.
51
Q

A system administrator has completed a project to upgrade all hosts to Win8.1 and Win2012R2. Which attack vector have they automatically eliminated?

A

Plain text password harvesting from RAM

Windows 8.1 and Server 2012 R2 no longer keep WDigest plaintext credentials in LSASS memory by default (the same behaviour was back-ported to earlier versions by KB2871997), so tools that dump cleartext passwords from RAM come up empty unless an attacker with administrative rights re-enables caching through the WDigest UseLogonCredential registry value. The other attack vectors remain available to attackers.
52
Q

What hardware based solution will enable a NIDS sensor to capture malformed packets at full-duplex?

A

Tap

A network tap meets the need: it passes everything on the wire, including malformed frames, in both directions at line rate. A SPAN/mirror port is a copy made by the switch; it can drop malformed frames (and may strip VLAN tags), and it oversubscribes when both directions of a busy link are mirrored to a single port. A hub operates at half-duplex. A hypervisor-based VM sensor is not a hardware based solution.
53
Q

Analyze the image. What action is taking place?

A

Establishing an HTTPS session

The packet shows the TLS handshake taking place for an HTTPS session.

54
Q

Observe the image. From the information provided what can an analyst determine about the file?

A

It was downloaded from the Internet

One interesting way to potentially identify the source of a file on Windows NTFS partitions is the Zone.Identifier Alternate Data Stream (ADS). The Zone.Identifier stream indicates the zone of trust from which the file was acquired; ZoneId=3 indicates the file was downloaded from the Internet. The information provided will not tell whether the file is signed or has been renamed. Depending on where the file was copied from, Zone.Identifier information may help identify the trust zone it came from (if the SMB source volume used NTFS), but in that case its value would not be 3.
55
Q

How can the process of building baseline configurations indirectly aid the efficiency of patch management?

A

Preventing unneeded software

A baseline configuration has identified and determined the required components of a system and its software, enabling admins to remove unneeded software and so reduce the scope of patch management. Baseline configurations are not related to application whitelisting, application signatures, or removing local admin access.
56
Q

A system administrator recorded the md5sum of all the files in /etc when the OS was installed, and compares them to the current hashes. Which of the following can she detect?

A

When new listening services are set to run on startup

Recording a hash baseline of /etc lets the administrator know when system configuration files have been added, removed or changed, including the init scripts and service definitions that start a new listener at boot.
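The baseline comparison above, as an added example (not code from the original page): it hashes every regular file under a directory, then diffs two snapshots into added, removed and changed paths. It uses SHA-256 rather than md5sum, since MD5 collisions are practical and an attacker who can write the file can also craft a colliding replacement. The directory contents and the simulated change (a listener added to rc.local and a new init script) are constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root) -> dict:
    """Map relative POSIX path -> SHA-256 for every regular file under root.

    Symlinks are skipped rather than followed so a link pointed at a huge or
    device file cannot stall the baseline run.
    """
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        h = hashlib.sha256()
        with p.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        baseline[p.relative_to(root).as_posix()] = h.hexdigest()
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Paths that appeared, disappeared, or whose hash differs between two snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> dict:
    """Build a constructed /etc stand-in, baseline it, plant a startup listener, re-hash and diff."""
    with tempfile.TemporaryDirectory() as d:
        etc = Path(d)
        (etc / "init.d").mkdir()
        (etc / "rc.local").write_text("#!/bin/sh\nexit 0\n")
        (etc / "init.d" / "ssh").write_text("#!/bin/sh\n# start sshd\n")
        (etc / "hostname").write_text("web01\n")
        before = hash_tree(etc)

        # Simulated compromise: a listener appended to rc.local and a new init script.
        (etc / "rc.local").write_text("#!/bin/sh\n/usr/local/bin/listener -p 4444 &\nexit 0\n")
        (etc / "init.d" / "telnetd").write_text("#!/bin/sh\n/usr/sbin/in.telnetd &\n")
        after = hash_tree(etc)
        return diff_baseline(before, after)
```

Store the baseline somewhere the monitored host cannot modify it (a read-only medium or a central server); a baseline kept in /etc alongside the files it describes can be rewritten by the same attacker who changed them.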
57
Q

Which of the following methods camouflages a security breach as legitimate traffic?

A

Credential compromise

Credential compromise allows the attacker to log into the network as an authorized user, which helps to cover the tracks of the attack because the activity looks like a legitimate logon.
58
Q

Why would the built in Administrator account on a Windows system be more susceptible to brute-force attacks?

A

Account lockout threshold is not set by default

The built-in Administrator account is not subject to the account lockout policy by default, so password guessing can be automated without fear of locking the account. This lets an attacker systematically try a large number of passwords fairly quickly. It generates a significant amount of logging (Event ID 4625 failures), but those logs can be cleared once administrative access is gained. The built-in Administrator is the one account every attacker knows exists, and it has a standard, well-known RID (500) even if it has been renamed.
59
Q

Which of the following is the recommended practice for using a baseline configuration?

A

Derive it from an industry-proven configuration

Baseline configurations should be derived from industry-proven configurations, such as those provided by the Center for Internet Security. Vendor settings may sacrifice security to preserve vendor-specific functions, so simply duplicating them is not recommended. Building a baseline configuration from scratch is not recommended either. Enabling all possible security options will likely harm system usability.
60
A

Host discovery

Many SNMP-based monitoring tools (e.g. WhatsUp, MRTG, RRDTool, etc.) include network discovery modes.
61
Q

On Windows Vista or newer hosts using the default auditpol.exe settings, which event will record both successes and failures?

A

Logon/Logoff: Network Policy Server

Each of the listed subcategories will, by default, log a "success" to the Event Viewer. Only Logon/Logoff: Network Policy Server also logs failures when the default settings are in place.
62
Q

A security team has collected a list of malicious IP addresses, file artifacts, and attack signatures. How can they most effectively share this data with other organizations?

A

Compile them in OpenIOC format in an XML file

IOCs, or Indicators of Compromise, represent a much more formal approach to documenting artifacts associated with intrusions and attacker activity. The main benefit of IOCs over the simple DWL is their ability to scale across multiple analysts. Further, IOC formats are built for information exchange, which allows for easier sharing of intelligence.
63
Q

Analyze the diagram below. The organization wishes to detect attacks from the wireless guest network against authenticated mobile users. Where should they place the IDS?

A

Between the firewall and the guest wireless router

Another common location for a monitoring interface is where the firewall connects into the internal network. Like the DMZ sensor, this sensor would typically be configured to protect the internal network from external actors, which in this case means anyone not on the internal network.
64
Q

An incident responder suspects a file downloaded from a website infected a host. Which tool can the responder use to analyze the source website, perform behavioral analysis on the file, and leverage multiple AV engines to analyze the download?

A

VirusTotal

VirusTotal enables the responder to submit the file for broad AV analysis by nearly five dozen AV scanners (including Malwarebytes). Behavioral analysis on VirusTotal is performed by nearly two dozen file characterization analyzers and datasets (including Cuckoo). The website may be submitted to VirusTotal for analysis by nearly 60 website and domain scanning engines and datasets (including Malwarebytes hpHosts). The other tools lack the broad AV analysis that is VirusTotal's hallmark. The Qualys Security and Compliance Suite contains no malware analysis capability; it provides numerous tools for identifying vulnerabilities in SSL/TLS implementations, missing OS and browser plug-in patches, and asset inventory. Cuckoo Sandbox is a malware detonation environment that analyzes files behaviorally. Like several leading AV vendors, the Malwarebytes suite offers deep protection on a host by embedding itself deeply enough to gain broad visibility into the actions software may take. Submitting a sample to any public service also discloses it to the service and its other users, which matters if the file contains the organization's own data.
65
Q

Analyze the provided image, which shows Windows Event IDs along the horizontal axis and the number of times each Event ID was seen on the vertical axis. Which event would be most useful in long tail analysis?

A

5056

Long tail analysis finds the signal in the noise by focusing on the least common events, which are plotted further right on the graph. Of the options, event 5056 would be the most useful during long tail analysis.
66
Q

Which NIDS methodology would be used to detect credit card numbers?

A

Signature matching

Where an IDS is searching for strings such as credit card numbers (or hashes, names of executables, etc.), the methodology in use is signature matching.
67
Q

What insight can be provided by a web proxy looking at the MIME type in a file?

A

The type of file being downloaded

One approach to web content filtering is to block access based on MIME or Content-Type. When content is downloaded via HTTP, a Content-Type header identifies the type of file being delivered. Proxies can use this header to identify content that warrants additional scrutiny (say, in an automated dynamic analysis sandbox) or that should simply be blocked. Because the server controls the header, a proxy that also sniffs the first bytes of the body catches files whose declared type does not match their real one.
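The proxy decision described in cards 29, 50 and 67, as an added example (not code from the original page or from any proxy product): it parses a raw HTTP response, takes the media type from Content-Type with its parameters stripped, sniffs the body's magic bytes after undoing gzip Content-Encoding, and returns block, sandbox or allow. The policy sets, the magic table and the sample responses are assumptions or constructed inputs.

```python
import gzip

# Assumed policy: types blocked outright, executable types that always go to a
# sandbox, and declared types too generic to count as a mismatch.
BLOCKED_TYPES = {"application/pdf"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-executable"}
GENERIC_TYPES = {"", "application/octet-stream"}

# (magic bytes, MIME type) pairs used for content sniffing.
MAGIC = (
    (b"%PDF-", "application/pdf"),
    (b"MZ", "application/x-msdownload"),
    (b"\x7fELF", "application/x-executable"),
    (b"PK\x03\x04", "application/zip"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def declared_type(headers: dict) -> str:
    """Media type from Content-Type with parameters (charset, name=...) removed."""
    return headers.get("content-type", "").split(";", 1)[0].strip().lower()


def sniffed_type(body: bytes):
    """MIME type implied by the body's leading bytes, or None if unrecognised."""
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    return None


def proxy_decision(raw: bytes) -> str:
    """'block', 'sandbox' or 'allow' for one HTTP response."""
    _, headers, body = parse_response(raw)
    encoding = headers.get("content-encoding", "identity").lower()
    if encoding == "gzip":
        body = gzip.decompress(body)      # sniffing compressed bytes would see only the gzip header
    elif encoding != "identity":
        return "sandbox"                   # assumption: unknown encodings go to deeper inspection
    declared = declared_type(headers)
    sniffed = sniffed_type(body)
    if declared in BLOCKED_TYPES or sniffed in BLOCKED_TYPES:
        return "block"
    if sniffed in EXECUTABLE_TYPES:
        return "sandbox"
    if sniffed and declared not in GENERIC_TYPES and sniffed != declared:
        return "sandbox"                   # server lied about the type
    return "allow"


# Constructed sample responses (not captured traffic).
SAMPLE_PDF = b"HTTP/1.1 200 OK\r\nContent-Type: Application/PDF; name=q3.pdf\r\n\r\n%PDF-1.7\n%..."
SAMPLE_MISLABELLED_PDF = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n%PDF-1.4\n%..."
SAMPLE_EXE_FROM_PHP = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ\x90\x00\x03\x00"
SAMPLE_GZIPPED_PDF = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n\r\n"
                      + gzip.compress(b"%PDF-1.4\n%..."))
SAMPLE_HTML = b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<html><body>hi</body></html>"
```

The gzip case is the one that defeats a header-only filter: the Content-Type says text/html, the body on the wire starts with the gzip magic, and only after decoding does the %PDF- signature appear.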
68
Q

Observe the image. Clients have obtained EXEs from each other and from outside sources. A SOC analyst is tuning the IDS rule set to detect EXE files downloaded from any source other than the Software Distribution Server (10.10.10.201). On which sensor would she configure the following rule?

alert tcp !10.10.10.201 any -> $CLIENT_NET any (msg:"ET POLICY PE EXE or DLL Windows file download"; flow:established,to_client; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:policy-violation; sid:5110420; rev:1;)

A

Hyndman

A predictable transfer of EXEs is a cornerstone defensible network concept. Core to this is detecting and, when possible, disallowing clients from receiving executables from other clients; clients should receive EXE files from an internal software distribution server. The Snort rule shown, if implemented on the sensor called Hyndman, would detect client to client EXE transfers. The rule does more than match "MZ": byte_jump reads the 4-byte e_lfanew field at offset 0x3C of the DOS header and requires the "PE\0\0" signature exactly there, so random "MZ" text in a web page does not fire it.
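The check the Snort rule performs, and the carving step in card 18, as an added example (not code from the original page or from Snort): it finds every MZ header in a blob whose e_lfanew points at a PE signature, reports the architecture from the COFF Machine field, and carves from the header onward. The executable and the surrounding HTTP response are constructed; the decoy "AMZN" text shows why the pointer check matters.

```python
import struct

# COFF Machine values for the common Windows architectures.
IMAGE_FILE_MACHINE = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARMv7", 0xAA64: "ARM64"}


def build_minimal_pe(machine: int = 0x8664) -> bytes:
    """Constructed stand-in for a carved executable: a 64-byte IMAGE_DOS_HEADER whose
    e_lfanew (offset 0x3C) points at 'PE\\0\\0' followed by a 20-byte IMAGE_FILE_HEADER."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    dos_stub = b"\x00" * (e_lfanew - len(dos))
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0x0022)
    return bytes(dos) + dos_stub + b"PE\x00\x00" + coff


def find_pe_offsets(data: bytes):
    """Offsets of every 'MZ' whose e_lfanew lands on a PE signature.

    Same logic as the Snort rule: after "MZ", byte_jump reads 4 little-endian
    bytes at offset 58 relative (0x3C from the MZ) and the rule then requires
    PE|00 00| at distance -64 within 4, i.e. exactly e_lfanew bytes after the MZ.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x1000 and data[sig:sig + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def pe_machine(data: bytes, offset: int) -> str:
    """Architecture name from the COFF header Machine field of the PE at offset."""
    e_lfanew = struct.unpack_from("<I", data, offset + 0x3C)[0]
    machine = struct.unpack_from("<H", data, offset + e_lfanew + 4)[0]
    return IMAGE_FILE_MACHINE.get(machine, hex(machine))


def carve_pe(data: bytes, offset: int) -> bytes:
    """Bytes from the MZ header to the end of the blob; the exact file size would
    require walking the section table, which is left to the follow-on analysis."""
    return data[offset:]


# Constructed sample: an HTTP response whose HTML body happens to contain the
# text "MZ" (inside "AMZN"), 100 bytes of padding, then the executable.
SAMPLE_BLOB = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
               + b"<html>AMZN promo</html>" + b"\x00" * 100 + build_minimal_pe())
```

The e_lfanew bounds (0x40 to 0x1000) are a heuristic; real linkers emit small values, and a pointer outside that range in a genuine MZ header is itself worth a second look.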
69
Q

Implementing which of the following would mitigate the most exploits?

A

Patch management

The overwhelming majority of exploits begin by abusing a known flaw that simply has not been patched, even though a patch was available. Patch management implies an ongoing practice. Network segmentation is somewhat subjective and may not be tied to any particular security control. HIDS is not a preventive measure. A baseline configuration is too subjective: it may not have been built for security, and there is no indication it is an ongoing process (as patch management is).
70
Which of the following actions would be used to discover human readable string data within a pcap file?
Use ngrep to search for specific ASCII characters
String data is a sequence of printable characters; ngrep can be used to search for strings such as "JOIN".
71
Which of the following is a recommended use for a managed security service provider (MSSP)?
Providing twenty-four-hour coverage for IDS alerts
An MSSP can be utilized for perimeter management and penetration and vulnerability testing. It should not be considered a replacement for the entire SOC.
72
Analyze the diagram below. Where should the organization place an IPS in order to block the attack packet shown below?
SRC: 10.222.0.90:4444/tcp -> DST: 10.100.0.101:80/tcp
C
The IPS needs to have visibility into the packet flow in order to detect the attack. Position C is the only location through which the packet will traverse.
73
An organization's mail server has crashed unexpectedly. The error logs indicate it received a malformed email message. Where should an analyst look for data that will help determine the exact cause?
Packet captures from a Snort sensor on that network segment
In addition to application logs, pcaps can help because they show the actual data that would have been passed to the application layer.
74
Analyze the image below. If a connection request is received on a Private interface for the Pidgin.exe application, what action will the firewall take?
It will be accepted and not logged
Incoming packets for interfaces with the Public profile, for the application shown, will be allowed.
75
What data should be kept local on NSM sensors to prevent bandwidth overload issues?
Full packet captures
Transferring large packet captures to a centralized server requires considerable bandwidth.
76
Which attack phase is a hunt team focused on detecting?
Post-exploitation
Post-exploitation activity is both more likely to cause actual damage and, surprisingly to some, also generally easier to detect. We will explore some of the post-exploitation activity commonly employed by modern adversaries later. However, simply focusing on an adversary's attempts to persist and pivot pays huge defensive dividends.
77
To help prevent MITM attacks against browser proxy autoconfiguration, what response should WPAD requests get?
A NULL response
Adversaries have developed a means to co-opt this WPAD functionality by providing their own response to WPAD requests if we do not provide our own. Using this method, suitably positioned adversaries could launch a MITM attack against clients. Configuring null WPAD responses over DHCP/DNS/NetBIOS when WPAD is not actively being used is highly recommended.
78
Analyze the screenshot below. What describes the expected behavior of the firewall log?
Nothing will get logged by Windows Firewall
Another significant weakness, but one that is much easier to rectify, is the poor logging configuration. By default, logging of allowed or even blocked connections is not enabled.
79
On a network with outbound filtering in-place, what traffic would trigger an alert?
TCP/80 from database servers
One would expect the following types of traffic to be seen on a network with outbound filtering in place:
TCP/80 - from Proxy
TCP/443 - from Proxy
UDP/53 - from DNS Servers
TCP/25 - from Mail Servers
UDP/123 - from NTP Servers
Note that, by design, desktops/servers cannot talk directly out to the Internet. While this might not be achievable, it serves as a strong goal to aim for.
80
Which of the following is anomalous?
X.509 certificates that do not have the Organization field populated
Many types of malware use public key certificates, e.g. X.509, but skimp on details. Legitimate sites populate the X.509 Organization (O) and Country (C) fields, but malware often skips these.
81
Analyze the screenshot. What is the primary finding for this workstation?
It is missing patches
The workstation needs its security patches installed first; then auto-updates should be enabled.
82
Why are strings related to malicious activity likely to have high entropy?
Avoids signature detection
Many types of malware and malware creation tools generate strings randomly. They do this to avoid signature detection: if the malware were called "evil.exe", it would be trivial to detect by pattern matching. High-entropy values are mostly used for entries that are normally in the clear, such as program names and DNS entries. Consequently, an attacker's identity is unlikely to be obscured by a high-entropy entry, since such telltales are hidden deep within code and are often left there by accident. There are no international-language differences that a high-entropy string would excel at solving. Strings that may use high-entropy names, such as certificate CNs and DNS entries, are generally not encrypted in transit.
83
A high volume of log data to be correlated and analyzed
Most organizations fail pretty miserably at perimeter-style detection; once things move internal, detection becomes even less likely to have already been instrumented. This is made harder by the volume of data that needs to be correlated and analyzed.
84
Which of the following makes servers typically easier to secure than mobile devices?
Servers don't typically contain client applications for end-users
The primary distinguishing feature that makes desktops more challenging than servers to secure is simple: users. Active users drastically change the security posture of a system. They want to install applications and access data/resources, and they also provide a more obvious conduit for adversaries to introduce their malicious content.
85
An analyst is testing the following input on their web server from the Internet. Which device would be the first to alert on the simulated attack, given the network diagram shown? "%27+or+%271%27%3D%271"
Web-app firewall
The input, "%27+or+%271%27%3D%271", is related to a SQL injection attack. A router and SI-firewall will not be able to detect this attack as they are not layer-7 aware. A web-app firewall is customized to be aware of these types of attacks and to prevent/detect them. The HIDS may provide aid against this attack; however, it will not be the first to see a SQL injection attack given the servers are…
86
Analyze the following packet details. Which method could have prevented this communication?
An NGFW that drops packets containing shell commands
This is an interactive shell tunneled through ICMP. An NGFW, with its application identification/inspection capabilities, can be extremely beneficial. The most significant security boon comes from the ability to potentially identify non-conforming Layer 7 traffic.
87
An attacker posts a malicious document on a social media site. When the document is downloaded and opened on the victim's device, it allows the device to be added to a botnet the attacker controls. This is an example of what type of attack?
Client-side attack
A client-side attack requires user interaction, in this case the downloading and opening of the document. A service-side attack uses a listening port to deliver an attack to the vulnerable device. A phishing attack refers to an attack sent by email.
88
Why are service-side exploits traditionally only successful on servers and not desktops?
Firewall rules prevent externally initiated communication with desktop systems
Firewalls are normally configured to deny inbound connection requests by default, with exceptions made for listed servers and services. This would prevent an inbound request for communication to a desktop from being successful.
89
What is the primary focus of continuous security monitoring?
Vulnerabilities and data at rest
CSM is primarily vulnerability-focused and focuses on data at rest.
90
Which of the following is a desired feature in an NSM frontend application?
Ability to view all applicable packets associated with the alert
An NSM frontend application (e.g. Sguil, Snorby, Squert) that allows an easy pivot to view all packet data associated with an alert (or alerts) is a desired feature. The other options do not describe use cases for an NSM frontend application.
91
Debug Programs
The password for service accounts is stored within LSA Secrets (HKLM\Security\Policies\Secrets). Any account with the Debug Programs user privilege can access and decrypt this data. Bypass Traverse Checking determines which users have permission to navigate to an object path in the NTFS file system or in the registry without being checked for the Traverse Folder special access permission. Log on as a Service determines which service accounts can register a process as a service. Replace a Process Level Token enables a user to start processes as another user if they know the victim user's credentials.
92
Which of the below options is a benefit provided by a forward proxy?
Provides a central place to filter web access from clients
Forcing all communications through the proxy creates an incredibly useful choke point for both preventive and detective capabilities.