Operations & Incident Response Flashcards

Question

Explain this command: tcpdump

Answer 1

* Captures packets, like a CLI version of WireShark * Can display packets on screen and/or write to a file * Included in most Linux distributions

Answer 2

* A suite of packet replay utilizies * can take (and edit) info from tcpdump, and replay it on the network * Usefuly for checking IPS signatures and firewall rules, testing IP Flow / NetFlow devices, stress testing, etc. * Open source

Answer 3

* "Data Definition" * Linux command to create and restore disk images * Creates a bit-by-bit copy of a drive or directory * Used by many forensic tools

Answer 4

* Copies information in system memory to the standard output stream * Many third-party tools can read a memory dump * Often used in conjunction with netcat, stunnel, openssl, etc., to send the memdump to another host * Useful for forensics

Answer 5

* A third-party utility for Windows * a universal hexadecimal editor * Edit disks, files, RAM, etc. * Includes data recovery features * Disk cloning * secure drive wipes * Many more features, useful for forensics

Answer 6

* disk imaging tool for Windows that can mount or image drives and perform utilities * wide third-party support to analyze these images * Can import other disk image formats * Useful for forensics, wide third-party support

Answer 7

* a graphical tool to perform digital forensics of hard drives, smartphones, image files, etc. * View and recover data from storage devices * Extract covers many data types, including: ○ downloaded files ○ browser history and cache ○ email messages ○ databases • Can potentially recover data from drives that have been re-formatted

Answer 8

* A type of pre-built toolkit for exploitations, useful to perform tests against your own systems * Build custom attacks. * Adds more tools as vulnerabilities are found

Answer 9

* Metasploit is a popular one; attacks known vulnerabilities with new ones being added all the time * SET (Social-Engineer Toolkit)

Answer 10

* National Institute of Standards and Technology * Special Publication 800-61 Revision 2 * Titled "Computer Security Incident Handling Guide"

Answer 11

* Preparation * Detection and Analysis * Containment, Eradication, and Recovery * Post-Incident Activity

Answer 12

* Tabletop - responders talking through and analyzing a hypothetical situation * Walkthrough - responders testing process and procedures, walking through each step, and identifying anything found out of place * Simulation - testing users and systems with a simulated event, such as a sending a phishing e-mail through your own systems and to your own users as a test.

Answer 13

* Continuity of Operations Planning * Made in preparation for disaster, so you know what to do * Outlines how to perform essential job functions during a systems outage * May include manual transactions, paper receipts, phone calls for transaction approvals, etc. * Must be well documented and tested before a problem occurs

Answer 14

* Documentation to help determine actions of an attacker * Developed by MITRE corp, which supports several U.S. government agencies * Assist identifying point of intrusion, understand methods used to move around, and identify potential security techniques and block future attacks

Answer 15

* Designed by U.S. intelligence community * A model to guide analysts in understanding intrusions * Applies scientific principles to intrusion analysis

Answer 16

• Four points of diamond are (clockwise from the top) ○ Adversary ○ Capability ○ Victim ○ Infrastructure

Answer 17

* A framework that outlines the 7 phases of a cyber attack: * Reconnaissance (gather intel) * Weaponization (build a deliverable payload) * Delivery (Send the weapon, such as an .exe over e-mail) * Exploit (execute code on victim's device) * Installation (malware is installed) * Command and Control (channel is created for remote access) * Actions on objectives (attacker carries out objectives)

Answer 18

* A dump file stores all contents of memory (usually just for a specific application) into a diagnostic file * Can be provided to developers for troubleshooting * In Windows Task Manager, just right-click the process and select "create dump file" * Some applications have their own processes for creating dump files

Answer 19

* Standard for message logging, used by diverse systems to create a consolidated log * Usually sent to a central logging server (SIEM) * Each log entry is labelled with a facility code and severity level

Answer 20

* Rocket-fast Syslog | * A syslog daemon

Answer 21

• A popular syslog daemon with additional filtering and storage options

Answer 22

* a syslog daemon | * Collection from many diverse log types and consolidate it on a single machine

Answer 23

* Every syslog entry is labelled with a facility code | * It indicates the program that created the log

Answer 24

* Linux system logs are stored in binary for optimization * But they are not human-readable * Journalctl provides tools to query the system journal, search, filter, and view as plain text

Answer 25

* Gathers traffic statistics from all traffic flows * This data is usually collected by "probes,” then sent and consolidated onto a central Netflow "collector" server * Very common, standard tool with a lot of support from vendors

Answer 26

* IP Flow Information Export * A newer, Netflow-based standard * Allows for customization of what data to collect, and to send to centralized server

Answer 27

* Sampled Flow * Similar to Netflow, but takes only a portion of the actual network traffic * It is therefore not technically a flow * The sample can still provide relatively accurate statistics * Usually embedded in infrastructure devices such as switches and routers, since it has low resource requirements

Answer 28

* A linear checklist of steps to perform * Useful for automation; the steps can be carried out automatically * Used in SOAR

Answer 29

* Like a runbook, but broader in process * allows for conditional steps and may contain multiple runbooks * Useful for automation of response with these processes * Used in SOAR

Answer 30

* Acquisition * Analysis * Reporting

Answer 31

* Electronically Stored Information | * Legal term for data that is held in a separate repository for legal purposes

Answer 32

* Different file systems store timestamps differently * In FAT, time is stored in local time * In NTFS, time is stored in GMT * Windows Registry and other OS settings may also influence time offsets (Daylight Savings Time, etc. * Understanding time offsets is important for Digital Forensics

Answer 33

* CPU registers and cache * Router table, ARP cache, process table, kernel statistics, memory * Temporary File Systems * Disk * Remote Logging and monitoring data * Physical configuration; network topology * Archival media

Answer 34

* Digital items left behind in sometimes less-than-obvious places, considered during data acquisition * May include: ○ log information ○ flash memory ○ prefetch cache files ○ Recycle Bin ○ browser bookmarks and logins

Answer 35

* Grants permission for you to know where the data is being held, how it is being accessed over the Internet, and what security features are in place to protect it * Can be added to a contract with cloud providers

Answer 36

* The gathering of data required by the legal process | * Does not generally involve analysis or make any consideration of intent

Answer 37

* Message Authentication Code (MAC) provides non-repudiation that can be verified between the two parties in communication * With a Digital Signature, the non-repudiation can be publicly verified using the public key